I think the master password hint is not perfect for cases of memory loss: amnesia, Alzheimer’s, a car accident, etc.
Right now, if you forget your Bitwarden master password, Bitwarden suggests sending a hint to your email. But presumably, if you don’t remember your Bitwarden master password, you won’t remember your email password either, so you won’t even be able to get your hint. Especially if the password for your email was autogenerated and is also kept in Bitwarden.
I find such a hypothetical scenario a single point of failure, which can make your life even harder. Imagine you are in a car accident. You have lost your memory. You cannot turn on your phone, because after a reboot, fingerprint or Face ID is not enough; it asks for a password, which you have forgotten. You don’t remember any phone numbers. Maybe they are in Google Contacts, but you cannot log in to it without a password anyway. You cannot access your internet banking, etc.
You might call me a drama queen, but let’s discuss this very unlikely scenario.
I have a suggestion.
- Let’s add a button after requesting a password hint: “I have no access to my email”.
- If a customer clicks this button, Bitwarden shows the message “Your request to retrieve the password hint was registered, please come back in 24 hours”.
- Bitwarden sends an email: “Somebody requested your password hint, which they can retrieve in 24 hours. Click here to cancel that request. Please also ensure that the connection between your master password and your master password hint is not obvious to potential hackers.”
- If the link from the email was not clicked, then in 24 hours you can be given your master password hint.
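To make the proposed flow concrete, here is a small model of it as an added example; it is not Bitwarden’s code, and the class and method names (HintRecovery, request_without_email, cancel, retrieve, FakeClock), the cancel URL and the sample account are all assumptions made for the illustration. It shows the three states the proposal implies (pending, cancelled by the email link, released after 24 hours), plus two details a practitioner would want: the form answers identically whether or not the account exists, so it cannot be used to enumerate accounts, and a repeated click does not restart the 24-hour clock.

```python
"""Model of a delayed master-password-hint release with e-mail cancellation.

Added illustration of the flow proposed in the post above. Not Bitwarden's
code; every name here is an assumption made for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import secrets
from typing import Callable, Dict, List, Optional

DELAY = timedelta(hours=24)
# Constructed start time used by the demo and the FakeClock below.
START = datetime(2024, 1, 1, tzinfo=timezone.utc)

REGISTERED_MSG = ("Your request to retrieve the password hint was registered, "
                  "please come back in 24 hours")


class FakeClock:
    """Controllable clock so the 24-hour delay can be exercised without waiting."""

    def __init__(self, start: datetime) -> None:
        self.t = start

    def __call__(self) -> datetime:
        return self.t

    def advance(self, **delta) -> None:
        self.t += timedelta(**delta)


@dataclass
class PendingRequest:
    email: str
    requested_at: datetime
    cancel_token: str


@dataclass
class HintRecovery:
    # Assumed account store: email -> master password hint (constructed data).
    hints: Dict[str, str]
    now: Callable[[], datetime] = lambda: datetime.now(timezone.utc)
    outbox: List[dict] = field(default_factory=list)   # stands in for sending mail
    pending: Dict[str, PendingRequest] = field(default_factory=dict)

    def request_without_email(self, email: str) -> str:
        """The user clicked "I have no access to my email".

        The reply is identical whether or not the account exists, so the form
        does not reveal which emails have a vault. A repeated click while a
        request is pending neither restarts the 24h clock nor re-sends mail.
        """
        if email in self.hints and email not in self.pending:
            token = secrets.token_urlsafe(32)
            self.pending[email] = PendingRequest(email, self.now(), token)
            self.outbox.append({
                "to": email,
                "subject": "Somebody requested your password hint",
                "body": ("It can be retrieved in 24 hours. To cancel, open "
                         f"https://example.invalid/cancel/{token}"),   # assumed URL
            })
        return REGISTERED_MSG

    def cancel(self, token: str) -> bool:
        """Cancel link from the e-mail. Dropping the request means the owner is
        mailed again if someone retries, instead of the retry being silent."""
        for email, req in list(self.pending.items()):
            if secrets.compare_digest(req.cancel_token, token):
                del self.pending[email]
                return True
        return False

    def retrieve(self, email: str) -> Optional[str]:
        """Release the hint only if a request exists and 24h have elapsed.

        The hint is handed out once; the request is cleared afterwards.
        """
        req = self.pending.get(email)
        if req is None or self.now() - req.requested_at < DELAY:
            return None
        del self.pending[email]
        return self.hints[email]


if __name__ == "__main__":
    clock = FakeClock(START)
    svc = HintRecovery({"alice@example.invalid": "name of my first dog"}, now=clock)
    print(svc.request_without_email("alice@example.invalid"))
    print("after 1h:", svc.retrieve("alice@example.invalid"))   # None, too early
    clock.advance(hours=24)
    print("after 24h:", svc.retrieve("alice@example.invalid"))  # the hint
```

The cancel token is compared with `secrets.compare_digest` and the lookup never says whether an address is registered; both are the kind of small details that decide whether a "no access to email" button becomes an account-enumeration or brute-force surface.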
I think a 24-hour delay somehow protects against your account being hacked. But obviously it is not bullet-proof, so another suggestion:
- Regularly, let’s say once a month, Bitwarden shows a popup: “Please ensure you can recover your master password from your master password hint, but also ensure that potential hackers won’t be able to get your password from your hint.”