Password entered into Bitwarden username field

I accidentally, manually entered my password into the username field when attempting to log into the Bitwarden website. Do I now have to change my password?

Not necessarily. Depends upon what the website does with incorrect logins. It is possible that they log them and who knows how long they keep them.

If it makes you more comfortable, there is no harm in changing your master password. Just make sure to pick something long, strong, and random. And don’t forget to take a backup first and update your emergency sheet afterwards.

1 Like

Did you submit the password as a username, or you just typed it but didn’t submit it?

Every time I saw someone asking a similar question, they ended up changing the master password.

1 Like

@oldandgray Welcome to the forum!

If you progressed from the email entry screen to the password entry screen then the Bitwarden client app would post an API request to which includes the “email” string encoded as Base-64 (which is trivially easy to decode), in the request header X-request-Email. If you then proceed to submit the password entry form, the Bitwarden client app would send out the “email” string in plaintext in API requests that are posted to and

Bitwarden does not maintain logs of this traffic, but perhaps Cloudflare does. And if somebody is sniffing your web traffic, then they would be able to read these strings.

Furthermore, because you would not have been able to submit the username entry form if the entered string doesn’t contain exactly one @ symbol, this suggests to me that your master password is not random, and most likely consists of some word, name, or phrase in which you have substituted the character @ for the letter a (and are likely using similar character substitutions in the rest of your password). Thus if an attacker is able to identify you and execute a targeted attack, the information disclosed in your post would help narrow down the search for your master password.

For all these reasons, it is probably best that you go ahead and change your master password. For your new master password, please use a randomly generated passphrase, consisting of 4 random words or more. If your passphrase has been randomly generated, then performing character substitutions is both unnecessary and counterproductive.

Don’t forget to record your new master password on an Emergency Sheet, and do create a vault backup (an export in the encrypted .json format, specifying the Password-Protected export type in the Web Vault export tool) before changing your master password.


Interesting. Had not thought of that. Master passwords should not contain @ signs (or at least not contain one @ sign) to prevent exactly this failure mode.

Erroring out on setting a master password with exactly one @ sign might be an interesting feature request. Need to sleep on that one.


I created said request. Go vote for it if you think it has value.

1 Like

I’m all out of votes, sadly.

1 Like

Thank you for your help.
I did not have a “@“ symbol in the master password, but I will still change my password.

and do create a vault backup (an export in the encrypted .json format, specifying the Password-Protected export type in the Web Vault export tool) before changing your master password.

I do see the option in settings to ‘Export vault’. Do I just export it to my desktop? After I export it, What do I do with it? Where do I put it?

If that’s the case, then you would not have been able to submit the Username input form (you would just get the error message “Input is not an email address”), so the master password would not have been transmitted from your device.

For this purpose, you can export it to any location of your choosing (e.g., Downloads folder or Desktop), as log as you will be able to find it afterwards. Just hang on to the exported file until after you change your master password, in the off-chance that you experience a technical glitch during the master password change procedure (which might in rare cases cause you to lose access to your account). If you are able to log in again and see all of your vault items after changing the master password, then you don’t need to export file anymore — use Shift+Delete to permanently delete it.

1 Like

Thank you!
When exporting the encrypted .json format file, will I be prompted to create a password to open the file, or will I be using my master password to open it?
(Hopefully, I won’t need to open it).

If you select the “Password Protected” option when you get to the part where you specify Export Type, then you will be asked to specify a password for opening the file. It is best to not re-use your master password for this purpose, but to choose a different passphrase. If you ever need to import the password-protected file, then you will need to enter this file password — so make sure that you’ve written it down.

You may want to review the detailed instructions in the Creating an Export section of this comment from another thread.

1 Like

Thank you very much for all your help!

1 Like