But how will a hacker know which country I live in? A VPN provider like Private Internet Access has servers located in more than 48 countries. How will the hacker make a decision? This feature will give some security to our accounts.
Yep, uncrackable!
This would surely increase the security of the vault, even if the attacker used a VPN or a proxy!
It would also be really nice if Bitwarden notifies the user through email that someone entered the correct Master Password but could not access the Vault because its IP address isn’t allowed by this setting, because then the user would be able to change the compromised master password without having any of their passwords stolen!
I would certainly love to see this feature implemented soon!
Nobody said it is uncrackable. It just makes it harder for somebody in another country to access our accounts. Let’s say you live in Mexico and somebody from Brazil tried to get into your account. They would be blocked from logging in, even if they have your master password. They would just be told that the login info is incorrect, but the real reason is that they logged in from the wrong country.
What’s stopping them from using a VPN? Country blocking is security theater.
This is pretty important and should be added soon.
In addition to blocking access from the TOR network.
Nothing, but that’s not the point. They don’t know what country you’re in, so that’s another step they have to take: picking the right VPN to even make an attempt. An unsuccessful attempt should not reveal what country you need to be in.
@Keepasser Yup, agreed.
This is needed, I wouldn’t trust any login attempts from countries I’m not living in or visiting. Chances are, that’s not me.
Please block login attempts based on a user-defined list of “allowed” countries.
Would be really nice to see this built in.
One of the options in the LastPass geo list is to block VPNs… I know that won’t work on a private VPN you’ve set up yourself, but they do an OK job of figuring out the endpoints from the commercial VPNs and blocking those if you have that ‘country’ turned on.
Agreed. A VPN can defeat this for a real threat.
It doesn’t matter if VPNs can defeat this. If you do it the smart way, you still make it harder for people to log into your account and that’s what matters. Let’s say you live in Turkey. How is a bad actor going to know what country to use? Is he going to go through a dozen VPNs to get into my account? Probably not. Is Bitwarden going to TELL the bad actor what country they need to be in to get into my account? Not if they do it right.
Yes, the feature would prevent some attacks, but it would basically prevent untargeted attacks and not directed ones, since someone can bypass it using a VPN or TOR. Is this a useful feature? Yes, but not as useful as improving Autofill. LastPass is the only password manager that implements this feature that I know of.
There are only 195 countries, a simple script can go through them all in seconds. I could go through them all in a free afternoon manually.
If it’s a targeted attack they would send you an email with a tracking pixel, image, or a link, and when you load that your country location is revealed.
Even easier, see what info you’re leaking online. Check your Facebook, Google your name; if I have your email address, this helps to narrow it down even more, especially when searching previous breaches.
Funny enough, more than half the people in this thread wanting this feature reuse the same username for everything which helps determine who they are and where they’re from.
This feature is just plain silly; it’s not adding any better protection than what we have now. It’s the very definition of security by obscurity.
Even more to the point, most users of BW probably live in a handful of countries, like the USA or Britain. You might be safer if you live in an obscure country like Turkey, but the majority of users’ locations will be easy to guess.
Again, this is just security theatre. You will add far more protection to your account by adding another digit to your password, statistically speaking.
If Bitwarden isn’t banning users for 24 hours if they get 3-5 password attempts wrong, then we have other things to worry about.
Who is going to know my email? Why would you use an email that people other than your friends know? Most attacks are not targeted. They are random, which is what GeoIP blocking is good at preventing.
This is a good point but that doesn’t mean people who don’t live in the USA shouldn’t get the benefit of such blocking.
To log in you need to know the email, and if you know an email, how hard is it then to determine the country of the person? Like, on how many social media platforms would you have to do a lookup before you have a pretty good idea?
If you’re using a random email that is not used anywhere else then why do you need geo-blocking? The attacker would never make it to the point of being geo-blocked if they don’t know your email.
Geo-blocking won’t turn on until the server pulls the customer’s settings, which would come after they authenticate. If the attacker knows your username and password and is prompted with a “You’re from a forbidden country” warning when logging in, it just confirms the username and password are correct. Now the attacker has 194 countries left to try using proxies, which allows them to run through all these countries in seconds.
Your account would be better protected by adding just one extra character to your password or adding 2FA to your account than to use geo-blocking. Adding TOTP 2FA would be better as that has 1,000,000 different combinations of a 6 digit code that change every 30 seconds vs. only 195 static countries to try.
If geo-blocking was so effective then Netflix wouldn’t have the issue of people from other countries viewing content that’s not meant for them. Geo-blocking doesn’t offer any meaningful extra protection to your account compared to things like 2FA we have today.
Emails have tons of domains these days. I can sign up for protonmail.com from anywhere in the world and you wouldn’t know what country it’s from, for example.
I don’t think people who use Bitwarden are likely to leave that many breadcrumbs for people to find about them. I don’t even have a single social media account, for example. The email address I used to sign up for this forum is ephemeral, even.
Because it’s just another layer of protection for me. Why not want something that could potentially protect you, even if you’re unlikely to be found? I’ll take anything Bitwarden can give me to protect my account.
Again, I would hope that Bitwarden does not allow people that many attempts in a matter of seconds. Bitwarden should ban you for 24 hours after 3 bad attempts and should NOT tell you that you’re in the wrong country. That’s enough to throw most people off the trail.
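The design point raised a few posts up (a geo check that runs only after the password is verified, with its own error message, confirms the credentials), together with the lockout and "don't reveal the country" suggestion in the last post and the e-mail notification idea earlier in the thread, as an added example in Python. This is not Bitwarden's code: the account record, the PBKDF2 stand-in for the real key derivation, and the `notify` hook are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed values for this example only (not Bitwarden data or code).
SALT = b"constructed-salt"
MAX_FAILED = 3  # lockout threshold, as suggested in the thread


def hash_password(password: str) -> bytes:
    # Stand-in for the real server-side key derivation.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)


def new_account(email, password, allowed_countries):
    return {"email": email, "pw_hash": hash_password(password),
            "allowed": set(allowed_countries), "failed": 0, "locked": False}


def leaky_login(account, password, country):
    """Geo check only after the password succeeds, with a distinct error:
    a 'forbidden country' reply tells the caller the password was right."""
    if not hmac.compare_digest(hash_password(password), account["pw_hash"]):
        return "invalid credentials"
    if country not in account["allowed"]:
        return "login from forbidden country"
    return "ok"


def hardened_login(account, password, country, notify):
    """Evaluate password and geo together, return one generic error for every
    failure, count every failure toward a lockout, and alert the owner when
    the correct password arrives from a country outside the allow-list."""
    if account["locked"]:
        return "invalid credentials"
    pw_ok = hmac.compare_digest(hash_password(password), account["pw_hash"])
    geo_ok = country in account["allowed"]
    if pw_ok and geo_ok:
        account["failed"] = 0
        return "ok"
    account["failed"] += 1
    if account["failed"] >= MAX_FAILED:
        account["locked"] = True
    if pw_ok:
        # Correct master password from a disallowed country: the owner should
        # rotate it. notify() is a hypothetical hook (e.g. an e-mail sender).
        notify(account["email"], country)
    return "invalid credentials"
```

The hardened path still blocks the login, but the response no longer distinguishes a wrong password from a wrong country, and the owner learns that the master password is out.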