Master password change (using clipboard) went wrong - can't login now

Contacting Bitwarden support directly has been disappointing, to put it mildly. Over 2 weeks and I’m still unable to unlock my vault. However, I can log in with my passkey (TouchID via Mac), just not my vault…

macOS: Sonoma 14.7.4
Android: 14

Bitwarden apps: web browser, Chrome extension, desktop app, and Bitwarden CLI

Other apps: Raycast, Flycut (this will make sense in a bit).

SCENARIO:

Changed my master password via the web browser (Chrome), with zero issues. Roughly 30 min later, I wanted to amend the new master password with one more digit added to the end. I typed out my new master password, then proceeded to “copy” that typed content from the master password field, which was then pasted into the “new password” field, after which I input one single additional keystroke. I then repeated that process for the second “confirm new password” field. I was immediately logged out, which I assume means that the new password matched and was accepted.
I’ve yet to confirm with anyone from Bitwarden if copying from the “master password,” input field box on the creating a new password webpage, actually copies the contents, OR if that function is disabled. Does anyone know the functionality of copy/pasting on the web browser client?

Why it matters: assuming the “copy,” function is disabled somehow would mean that the contents I pasted into the “new master password,” and “confirm new master password,” were indeed not the “master password,” input and instead the most recent contents in “my clipboard.” Which is why Raycast and Flycut were mentioned earlier…
I have Raycast and Flycut both enabled to keep a history of my clipboard, so I was able to see what was active in my clipboard at the time. Since I can verify and access the clipboard contents, I’ve tried using all of the potential options in the clipboard history to unlock my vault, by copying and pasting, then adding the same single keystroke I originally added to amend the “new password.”

Finally, does anyone have knowledge or insight into how Raycast or Flycut might be functioning abnormally? Such as adding a random “space,” before or after the pasted contents? I tried all iterations of random “spacing,” options along with all of the potential clipboard options and nothing has worked.

After reading through the posts here I’ve also attempted the following:

  • removed and reinstalled: Chrome extension, desktop app, Android app. (The desktop app was not fully uninstalled, as when initially logging back in my username was already populated; could that be causing any issues?)
  • did a hard restart of the browser.
  • tried a different browser.
  • tried a different computer.

One final question: based on all of the information, could this simply be some sort of glitch due to creating a new master password twice within 30mins? I was also still logged into all of the other clients and apps while doing so. I’ve also yet to tamper with the CLI at all, could uninstalling that be a solve?

Apologies for the long-winded post, but I’m at a loss as to how to proceed.
Thanks in advance to anyone who made it this far and might be able to offer some insight and assistance!!

I tried the following:

  1. typed “123456” into notepad and copied it to my password
  2. Pasted with ctrl-V into New Master Password and Confirm fields. In both cases, there were 6 dots, so I suspect it did paste properly.
  3. typed 789012 into new master password field, resulting in 12 dots.
  4. highlighted the 12 dots and typed ctrl-c
  5. switched to notepad and typed ctrl-V. The original 123456 was again pasted into notepad. So, no, you cannot copy out of the hidden password fields.

Do not have a Mac, so no clue as to how Raycast nor Flycut behave.

The real concern here is that you are at risk of permanently losing access to your vault. If you do not have a backup, try the following on all your devices until you have success:

  1. Put the device into airplane mode or disconnect from the Internet.
  2. Open each copy of your vault (desktop, web extension, etc.) to see if you can log in to it (hoping it still has the old vault with the old password) and export your vault.

If you can get an export from somewhere, there is much less stress because you can delete/recreate your account if needed.

1 Like

@jd.bw Welcome to the forum!

So, you have a “login-with-passkey”-passkey? Then maybe you can login to your vault. But just to the web vault / web app at the moment, as “login-with-passkey” is still in Beta.

Do you have an (ideally recent) export of your vault?

About how many vault items do you have in your vault?

1 Like

Super helpful, thanks for testing the copy/paste functionality. Unfortunately, as this was over two weeks ago, I do not have the ability to put any active device into airplane mode to make an attempt at exporting a backup for my vault. Unless, perhaps an older android would potentially suffice? But the older device has not been used since July 2024, and since then the vault has had a significant amount of additions. Thanks again Den, confirming the copy/paste adds more clarity to solving this, appreciate it.

Thanks! And thanks for the reply!

I do have a “login-with-passkey” passkey, which in this case is my biometrics/TouchID on my MacBook. However, even after successfully using the passkey, the web client still directs me to the “enter master password” webpage. After reading through the link you provided, it would seem as though one of two things is occurring: 1) the toggle to “Use for vault encryption” was either not selected (which I’m fairly confident it indeed was, as biometrics always worked on the web client, the desktop app, and as the secondary verification when initially opening/engaging with the Chrome extension), or 2) somehow my browser is currently not PRF-capable?
I did do quite a bit of alterations to my privacy and security settings in my browser and on my system. Think I could have disabled PRF somehow?

Thanks again.

The most recent export was over a year ago, and the vault is pretty hefty in terms of items.

Ah, right… Sorry, I forgot that there are also those “without encryption”. (I edited my previous post a bit, regarding that)

Okay… I read through everything again now. As I understand it, you have no BW app still logged in, except the Android device, which was “active” in July 2024.

Your most recent export was over a year ago → so probably a little older than the state of the Android device…

Your “login-with-passkey”-passkey is without encryption.

The unfortunate message now is, if you don’t “find” your changed master password somehow, you have no chance of logging in. In other words, that account is lost. Again, if you don’t find the master password yourself, there is no other way “sneaking in” / circumventing it or whatever…

I think, you should follow @DenBesten 's advice (airplane mode, export…) with your Android device (July 2024…) to hopefully get your most recent export as a basis for building a new Bitwarden account.

(if that export from the Android device works, you might not need the older export)

For the future:

  • always make an export before you execute critical actions like changing the master password, the email address, the KDF etc.
  • PS: and probably we all learned now, not to execute copy/clipboard actions in the “change master password fields”…

PS: You can delete your old account without being able to log in (you just need access to the email address you used for Bitwarden): vault.bitwarden.com/#/recover-delete or vault.bitwarden.eu/#/recover-delete. Though it doesn’t change much, I probably would wait until you have built up your new account. Don’t want to get your hopes up… but if you think there might be a chance and you have “the nerve for it”, you could wait with the deletion and try it again and again to find the changed master password… :sweat_smile:

1 Like

Thanks for the follow up! Two things I wanted to add. My passkey is on my macbook, via iCloud, not a Google passkey even though I’m using Chrome browser. (if that adds any additional information). 2. I do not believe that the passkey was without encryption as using biometrics worked as the sole login method in the past…
Regardless, since it is not working to unlock my vault and I’m assuming there are no known errors with the biometric/passkey functionalities, then I guess next step is attempt to figure out how the copy/paste functionality could have added some strange component or spacing unknowingly…for example, one of the potential password options that was active at the time in my clipboard history had two iterations of the same text; however, when copy and pasting both into a generic text editor, one was recreated with totally different formatting, (font size, and background color, etc)…so perhaps there is something quirky to discover in regards to that as well ?!

Re: future: Yeah, hindsight is a mf…I had multiple devices working at the time and also figured since I have a passkey, an authenticator 2fa app, and access to the email for the account, that I was in no risk of losing access… lesson learned.

Thanks for linking the deletion process, I’m a stubborn bastard and there is no way I’m going to let this go, lol, so I’ll continue mustering up the nerve. I think at this point since (unless I’m totally missing something obvious) I have everything my clipboard copied and pasted, I’m going to try and research a way to somehow “crack” my own vault, by attempting several iterations of each of the things that were in the clipboard at the time… Since @DenBesten was able to confirm that the black dots correspond to the number of inputs, and Bitwarden mandates having at least 12 characters as a master password, I am able to narrow the options down to 4 or 5 strings of text. The question remains, where the random spacing could have been input, or some other strange happenings/input could have been entered?? If anyone has any ideas of how best to program something like that, please lmk hahah. I’d prefer to not physically type out possible spacing options if possible.

I also wish there was more assistance from Bitwarden directly as it looks like there are a lot of recent and ongoing changes occurring simultaneously right now, and I’d hate to be an early victim of some yet-to-be-discovered issue(s), so I’m hoping to get more feedback from them as well, and definitely before I throw in the towel and delete my vault. Thanks again!

Sorry…one thing I forgot to explicitly ask…you don’t suppose that my browser or system settings are forcing me back to the “enter your master password” page after using my passkey biometrics? Do you think the passkey could be actually working properly, but my comp or the browser is preventing the passkey from properly unlocking the vault?
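
Added example, not part of any post in this thread: a way to check whether clipboard-history entries that look identical on screen actually differ by an invisible character (trailing newline, no-break space, zero-width character), which is the question raised above about pasted content. The sample strings are constructed and the function names are made up for this example.

```python
import unicodedata

# Unicode categories that are invisible or look like a plain space when pasted:
# Zs/Zl/Zp = separators, Cc = control (tab, CR, LF), Cf = format (zero-width, BOM).
HIDDEN_CATEGORIES = {"Zs", "Zl", "Zp", "Cc", "Cf"}


def hidden_chars(text):
    """Return (index, 'U+XXXX', name) for each whitespace or invisible character."""
    found = []
    for i, ch in enumerate(text):
        if unicodedata.category(ch) in HIDDEN_CATEGORIES:
            name = unicodedata.name(ch, "CONTROL CHARACTER")
            found.append((i, f"U+{ord(ch):04X}", name))
    return found


def report(label, text):
    """Summarise one clipboard entry without echoing the text itself."""
    return {
        "label": label,
        "code_points": len(text),
        "utf8_bytes": len(text.encode("utf-8")),
        "hidden": hidden_chars(text),
        "changed_by_nfc": unicodedata.normalize("NFC", text) != text,
    }


def differences(a, b):
    """List positions where two look-alike entries differ, as code points."""
    diffs = []
    for i in range(max(len(a), len(b))):
        ca = f"U+{ord(a[i]):04X}" if i < len(a) else None
        cb = f"U+{ord(b[i]):04X}" if i < len(b) else None
        if ca != cb:
            diffs.append((i, ca, cb))
    return diffs


# Constructed sample entries (not real passwords): same visible text, different bytes.
SAMPLES = {
    "plain": "correct horse 42",
    "trailing newline": "correct horse 42\n",
    "no-break space": "correct\u00a0horse 42",
    "zero-width space": "correct horse 42\u200b",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(report(label, text))
```

On macOS, `pbpaste` prints the current clipboard, so an entry restored from the clipboard history can be read that way and passed to `report()`.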

I would try the airplane-mode export on that Android device. Even a 9 month old backup is better than starting over. If nothing else, it gives you a decent to-do list.

When changing your password, it is possible to also rotate the encryption key. Did you by chance do that seemingly reasonable thing? The Bitwarden help page for that explicitly warns that leaving a device logged in while messing with the encryption can corrupt the vault.

If you do want to start rebuilding a new vault while still hammering away at the old one, consider using an email with plus-addressing (e.g. [email protected]) to create the new one without destroying the old one. Bitwarden’s TOS does limit you to maintaining one free account. Although I can’t imagine anyone would find fault with having two for the duration of a disaster recovery, it is a simple matter of coughing up $10 to stay within the letter of the law.

Regarding PRF, it is necessary for the operating system, the browser, and the web site to all support it. Based on this article, it seems like PRF support in apple products is in its infancy, just like everyone else.

1 Like

Hmmm… If your “login-with-passkey”-passkey was set up with encryption, then I would assume it should still work (not considering any “sudden / random catastrophes” here)…

(And I hope, you don’t “confuse” the login-passkey with Unlock with Biometrics, because the latter certainly can’t log you in without the master password…)

I’ve no real personal experiences with Mac/iOS etc. - I think your passkey could either be on your MacBook or even “synced” via iCloud KeyChain.

I probably would try with the main different browsers (like Chromium-based, Safari, …) - and all your devices that may “have” that passkey - to log in to the web vault: vault.bitwarden.com or vault.bitwarden.eu

Do you remember, where it worked before? (obviously I would try it there first - with all possible “configurations”)

1 Like

Try logging in with your passkey in Safari. In my experience, either Apple or other browsers have not effectively implemented PRF support to allow passkeys saved in Apple Passwords to decrypt your vault in any browser other than Safari.

1 Like

Sidenote: I changed the title from “Crickets from Bitwarden support…” to “Master password change (using clipboard) went wrong - can’t login now”, so that others have a better idea what the thread is about.

1 Like

Thanks for all the input and engagement! Apologies for the delayed response… I had hit the maximum amount of “replies” the forum sets for new users, and then was unable to get back to all of this until now. This was the last message I had attempted before the limit blocked it from posting:

Thanks Den! You bring up a good point, but the UI on the webpage when changing the master password fortunately gave me the proper visual warning to ensure that I did not rotate my encryption key accidentally. I was especially wary of that since I was uncertain of what connections or background processes were still active with the CLI client on my system.

I think rebuilding simultaneously will help alleviate any extra stress and likely help clear my head while attempting to access the old one. Thanks for the recommendation and heads-up with plus-addressing.
I’ll do some research into PRF, as I did not realize it was a somewhat new implementation. Appreciate it!

Thanks for the suggestion @Micah_Edelblut. Because…the latest Safari attempt seemingly adds another quirk to this conundrum, and seemingly creates more evidence that some connection/process is malfunctioning between the browser and the passkey (PRF support) and/or in this case TouchID. Because I’m left with a spinning wheel on the vault login page, but this does not happen on Chrome or Mullvad, and other webpages are functioning properly on Safari just fine.
Any ideas as to why this is happening only on Safari and only on vault.bitwarden.com ?

Thank you for this, I realized that was a poor title after going back through the forums searching for more answers.

Interesting - any errors in the console when you are on this spinning vault page?