Passwordless Account Deletion Should Be Delayed/Reversible

Thanks for the continued feedback everyone!

Regarding the worst-case scenario where an email account is compromised or you don’t have access, I personally have individual and organizational vault backups in multiple places so that I can spin up a new Bitwarden account at any time.

I also prefer to use a zero-knowledge, end-to-end encrypted email service with 2FA enabled, and use securely stored bookmarks in a web browser or the launch button in Bitwarden to avoid phishing attempts when typing in an address incorrectly, etc. (most hacks are still phishing-based).

My understanding is that using this method, you would not be able to restore attachments, or any other data not included in the .json exports (I’m not certain, but I think password histories and perhaps Sends might be lost, as well). Is this correct, or do you have a work-around?

Also, if you want to use your backup to populate a new vault, it must be an unencrypted export, correct? (as the encryption keys won’t match)

Would you mind explaining this method? How do you secure the storage of your browser bookmarks?

With regards to the feature request discussed in this thread, perhaps a compromise might be to have the passwordless “reset” method immediately disable the vault for a specified time period (1 week? 30 days? User-configurable?) instead of deleting it immediately. During this period, the user should be provided some method for cancelling the “reset”, but this would require some identity authentication method that could not be easily spoofed (perhaps tied to the payment method for subscriptions?). Or perhaps the “reset” should be cancellable only by an emergency contact? In any case, it may be possible to allow for some secure method to undo the “reset” and re-enable the vault; if the vault “reset” is not successfully cancelled by the end of the specified period, only then would the vault actually be deleted.
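
The delayed “reset” proposed in the post above, written as a small state machine. This is an added example, not part of the original thread and not Bitwarden's code; the `Vault` class, the 30-day default, and the out-of-band `cancel_secret` (standing in for whatever non-email identity check is chosen) are assumptions.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional

class State(Enum):
    ACTIVE = "active"
    PENDING_DELETE = "disabled, pending delete"
    DELETED = "deleted"

@dataclass
class Vault:
    owner_email: str
    cancel_secret: bytes                  # assumed factor that is NOT reachable via email
    grace: timedelta = timedelta(days=30)  # assumed, could be user-configurable
    state: State = State.ACTIVE
    delete_at: Optional[datetime] = None

    def tick(self, now: datetime) -> State:
        """Purge only once the grace period has fully elapsed."""
        if self.state is State.PENDING_DELETE and now >= self.delete_at:
            self.state = State.DELETED
        return self.state

    def request_reset(self, now: datetime) -> State:
        """Email-confirmed passwordless reset: disable now, delete later."""
        if self.tick(now) is State.ACTIVE:
            self.state = State.PENDING_DELETE
            self.delete_at = now + self.grace
        # A repeated request never moves the deadline in either direction.
        return self.state

    def cancel_reset(self, presented: bytes, now: datetime) -> bool:
        """Re-enable the vault; email access alone must not be enough."""
        if self.tick(now) is not State.PENDING_DELETE:
            return False
        if not hmac.compare_digest(presented, self.cancel_secret):
            return False
        self.state, self.delete_at = State.ACTIVE, None
        return True

    def can_unlock(self, now: datetime) -> bool:
        """The vault is unusable for the whole pending period."""
        return self.tick(now) is State.ACTIVE
```
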

@grb

  • That is correct, backups don’t currently contain attachments or password history.
  • Yes, you would need to import an unencrypted vault if you had to create a new account, so these must be stored securely.
  • Regarding securely stored bookmarks, I’m just referring to using vetted official bookmarks instead of typing into the search bar each time (prone to spelling errors).
1 Like

I was horrified when I learned of this “feature/bug” by stumbling upon a convo about it on Reddit. Couldn’t believe I was reading someone saying “never store your master password” in your email because yada, yada, yada.
Anyway, never mind THAT conversation…for this (again) “feature”, I would agree with you Robert AND go so far as to say you should be able to set your backup contact as Bitwarden’s “double check”.
i.e. If Bitwarden receives an email from your address requesting that you wipe your account…they should be compelled to send you a TEXT asking for confirmation.
Obviously, I base this on the (perhaps misplaced) hope that even though someone MAY have hacked into your email, they don’t ALSO have possession of your phone.
(Am I being a) overly cautious…or, b) acutely naive?)

1 Like

@UncleScotty definitely wouldn’t want to incorporate SMS, super easy to snoop.

2 Likes

I’ve been a Bitwarden user for well over a year.
I found out by a FLUKE that this feature even exists. (deleting an account with a “mere” email.)

So, I ask, would you please ‘humour’ me by answering:

If someone had access to your email account…

  1. what are the chances that he would want to delete your BW acct?
  2. why?

Actually, they need access to three things:

  1. Your Bitwarden account (e.g., unlocked computer when you step away)
  2. Your Bitwarden master password
  3. Your email account where they could send and receive messages

I understand the concern, but if you are protecting your devices and your logins, it is hard to imagine a scenario where a malicious actor would gain access to all three of the above, or what would motivate them to do so? Maybe a disgruntled partner in a fit of rage? (That’s where account backups are highly encouraged!!) :smile:

1 Like

Yes, but it’s not the snoop-ability of SMS that I’m counting on as security…it’s the physical necessity of the “hacker” being in possession of my phone.
If someone “gains access” to my email account, he may or may not have my phone in his hand.
But, I concede; maybe sending a text message isn’t the best … unless they ask you to provide your “secret word” by return text. (And that could be the usual “favourite vacation destination”…“your grade 3 teacher’s name”…“your oldest cousin’s name”, etc.)

I’m STILL trying to figure out…as you’ll see by my other/2nd post…WHY would anyone want to delete your Bitwarden vault? (any reason other than being a dick, that you can think of?)

Actually David this isn’t the case, hence this thread.
As described in https://bitwarden.com/help/forgot-master-password this option currently allows for account deletion without access to the web-vault or the requirement to know the user’s master password.

Though I absolutely agree with you that this highlights the importance of owning your own data and having backups!

I also personally consider email to be highly important in the same vein as a password manager, in that I believe your email should also be something with a unique passphrase that is memorized and not simply something that is randomly generated and stored in a password manager, along with strong 2FA protections.
Email is the key to much of your digital life; even in a case where someone gained access to your password manager, many sites require email verification for account changes such as email address/password changes.
Just as you don’t want circular backups, you wouldn’t want circular access and authentication.

On the flip side though, I can see the need for someone who would want their information and data purged from Bitwarden’s systems, and for their part Bitwarden has no issue with providing that capability to those who would need it.

Lots of good points here focused around user error, but there are also ways to abuse this too-simple deletion mechanism on a mass scale by using flaws or errors in domain and email administration outside of individual user control. Yes, users should back up, but deletion should also have more guardrails.

My impression is an attacker who can access email streams or storage for a domain, even temporarily, can run a list of all email addresses they find thru the Bitwarden vault delete page, and then fetch resulting confirmation links. There are so many ways for this to happen from registering an expired domain before its admins notice, to exploiting DNS or mail server infrastructure, to BGP hijacking, to compromising the right staff account at a $bigcorp or $mailhost.

These things may seem farfetched but happen daily and I point them out because user error appears not necessary to abuse this deletion function.

Yes, routing, domain, and email infrastructure should be better protected. No, it wouldn’t be Bitwarden’s fault if any of this happened. But someone might want to hurt Bitwarden itself by wiping a large number of user vaults. Say a powerful and shady but completely made-up, absolutely fictional company called Notacle wanted to acquire Bitwarden’s tech and corporate clients after depressing its value first. This would be a way to do that.

1 Like