Password entered into Bitwarden username field

I accidentally, manually entered my password into the username field when attempting to log into the Bitwarden website. Do I now have to change my password?

Not necessarily. Depends upon what the website does with incorrect logins. It is possible that they log them and who knows how long they keep them.

If it makes you more comfortable, there is no harm in changing your master password. Just make sure to pick something long, strong, and random. And don’t forget to take a backup first and update your emergency sheet afterwards.

1 Like

Did you submit the password as a username, or you just typed it but didn’t submit it?

Every time I saw someone asking a similar question, they ended up changing the master password.

1 Like

@oldandgray Welcome to the forum!

If you progressed from the email entry screen to the password entry screen then the Bitwarden client app would post an API request to https://vault.bitwarden.com/api/devices/knowndevice which includes the “email” string encoded as Base-64 (which is trivially easy to decode), in the request header X-request-Email. If you then proceed to submit the password entry form, the Bitwarden client app would send out the “email” string in plaintext in API requests that are posted to https://vault.bitwarden.com/identity/accounts/prelogin and https://vault.bitwarden.com/identity/connect/token.

Bitwarden does not maintain logs of this traffic, but perhaps Cloudflare does. And if somebody is sniffing your web traffic, then they would be able to read these strings.

Furthermore, because you would not have been able to submit the username entry form if the entered string doesn’t contain exactly one @ symbol, this suggests to me that your master password is not random, and most likely consists of some word, name, or phrase in which you have substituted the character @ for the letter a (and are likely using similar character substitutions in the rest of your password). Thus if an attacker is able to identify you and execute a targeted attack, the information disclosed in your post would help narrow down the search for your master password.

For all these reasons, it is probably best that you go ahead and change your master password. For your new master password, please use a randomly generated passphrase, consisting of 4 random words or more. If your passphrase has been randomly generated, then performing character substitutions is both unnecessary and counterproductive.

Don’t forget to record your new master password on an Emergency Sheet, and do create a vault backup (an export in the encrypted .json format, specifying the Password-Protected export type in the Web Vault export tool) before changing your master password.

2 Likes
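To make the previous post's point concrete, here is a small added example (not code from the thread or from Bitwarden) that models what the post describes: the username field only accepts a string containing exactly one @ (the poster's description of the client check, not verified against the client source), and the accepted string is then sent Base-64 encoded in the X-request-Email header of the knowndevice request and in plaintext in the later prelogin and token requests. The sample strings are constructed; the point it demonstrates is that Base-64 is an encoding, not encryption, so anyone holding the header value recovers the original string.

```python
import base64

# Rule as described in the forum post: the Bitwarden username field accepts
# a string only if it contains exactly one "@". Taken from the post, not
# verified against the client source code.
def passes_email_field_check(entered: str) -> bool:
    return entered.count("@") == 1


def knowndevice_header(email: str) -> str:
    """Value of the X-request-Email header as the post describes it:
    the accepted string, Base-64 encoded, sent with /api/devices/knowndevice."""
    return base64.b64encode(email.encode("utf-8")).decode("ascii")


def decode_header(value: str) -> str:
    """Anyone who sees the header (proxy logs, a network sniffer) gets the
    original string back in one call: Base-64 offers no confidentiality."""
    return base64.b64decode(value).decode("utf-8")


def assess_exposure(entered: str) -> dict:
    """Summarise, per the post's description, what would have left the device
    if `entered` was typed into the username field and the form submitted."""
    if not passes_email_field_check(entered):
        # Form rejected client-side; nothing containing the string was sent.
        return {"submitted": False, "header_value": None, "plaintext_in_body": False}
    header_value = knowndevice_header(entered)
    return {
        "submitted": True,
        "header_value": header_value,          # Base-64, trivially reversible
        "decoded": decode_header(header_value),  # what an observer recovers
        "plaintext_in_body": True,               # prelogin / connect/token requests
    }


if __name__ == "__main__":
    # Constructed sample strings, not anyone's real password.
    for sample in ["correct-horse-battery-staple", "ex@mple-substituted"]:
        print(f"{sample!r}: {assess_exposure(sample)}")
```

Run it and the first sample (no @) reports `submitted: False`, while the second shows the header value decoding straight back to the typed string, which is why the post treats that case as a disclosure worth rotating the master password over.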

Interesting. Had not thought of that. Master passwords should not contain @ signs (or at least not contain one @ sign) to prevent exactly this failure mode.

Erroring out on setting a master password with exactly one @ sign might be an interesting feature request. Need to sleep on that one.

2 Likes

I created said request. Go vote for it if you think it has value.

1 Like

I’m all out of votes, sadly.

1 Like

Thank you for your help.
I did not have a “@” symbol in the master password, but I will still change my password.

and do create a vault backup (an export in the encrypted .json format, specifying the Password-Protected export type in the Web Vault export tool) before changing your master password.

I do see the option in settings to ‘Export vault’. Do I just export it to my desktop? After I export it, what do I do with it? Where do I put it?

If that’s the case, then you would not have been able to submit the Username input form (you would just get the error message “Input is not an email address”), so the master password would not have been transmitted from your device.

For this purpose, you can export it to any location of your choosing (e.g., Downloads folder or Desktop), as long as you will be able to find it afterwards. Just hang on to the exported file until after you change your master password, in the off-chance that you experience a technical glitch during the master password change procedure (which might in rare cases cause you to lose access to your account). If you are able to log in again and see all of your vault items after changing the master password, then you don’t need the export file anymore — use Shift+Delete to permanently delete it.

1 Like

Thank you!
When exporting the encrypted .json format file, will I be prompted to create a password to open the file, or will I be using my master password to open it?
(Hopefully, I won’t need to open it).
Thanks

If you select the “Password Protected” option when you get to the part where you specify Export Type, then you will be asked to specify a password for opening the file. It is best to not re-use your master password for this purpose, but to choose a different passphrase. If you ever need to import the password-protected file, then you will need to enter this file password — so make sure that you’ve written it down.

You may want to review the detailed instructions in the Creating an Export section of this comment from another thread.

1 Like

Thank you very much for all your help!

1 Like