Why not? Then add VPN blocking too (ala Netflix)?
It is worse than that for a hacker - they don’t know “WHY” they were locked out, just that they were. My LastPass experience was that it locked me out, I’d go “huh?” and eventually see the email from them when I started down the password reset route.
1 Like
That’s how it should be. No info given to the password cracker, all info about the incident given to the user. They should be told that somebody from another country has their master password but Geoblocking blocked that attempt anyway and to change the password as soon as possible.
1 Like
I am a security researcher and I’d been using LastPass from 2009 until 2018. I also used the GeoLocation function on LastPass before. Currently, I am using Bitwarden, KeepassXC, Keepass 2, and Authy on Backbox Linux.
I think should answer some of the issues being mentioned above.
As for the MITM part, @tgreer already answered the same issue here on this thread.
Your real passwords in the Bitwarden app or browser won’t be sent to the server. Only the modified (hashed/encrypted) version of your password will be sent, not your real password.
Should your internet connection is being intercepted by a man-in-the-middle, he will see only the modified/encrypted version of your password and not your real password.
You can test that at home by using the Chrome/Brave browser. Just follow this video:
@Keepasser
Keepass and Lastpass have security flaws in the past. For example, a report found a vulnerability that affected several major password managers (1Password, Dashlane, KeePass, and LastPass), potentially leaving your master password exposed in clear text in computer memory.
But that applied to Windows 10 users so if you are on Linux you should be fine.
You can read the full report here and the news on Forbes here.
For the list of the best password managers, you can check out this list: Best Password Managers in 2024 (Only 5 Passed Our Tests)
They can do that. I browsed a hacking forum in the darknet where the hackers sell emails, passwords, Facebook data, user’s location in that forum.
This is how they can do it:
- Users exposed their location, password, email on social sites like Facebook. Even if they don’t expose their location, Facebook will log their real IP and that will expose their real country.
- Then, the Facebook website was breached/hacked. Lots of data from Facebook, including countries and emails are exposed and sold in the darknet.
- Once the hacker gets your info, like your email, location, country, etc, they can use those to hack your other accounts, including your email account and the password manager account. Even if you turned on the Geolocation blocking, they can use a VPN to bypass that, because they have your country/location information anyway.
- For your information, hackers don’t use their real IP to hack, because it is illegal. If they use their real IP, the authorities can easily trace them down. They would use proxies, TOR, VPN etc to hack.
Some of you might not know this, but Facebook was breached many times in the past. Gmail, Twitter, Dropbox, and many others were also breached in the past.
List of all known data breaches here: List of data breaches - Wikipedia
Facebook data breach news here.
You can try this tool: https://breachchecker.com
That website will expose when and where your email was exposed.
Bitwarden app also has a function where it can detect a breached password. Enter any password in the app/vault and then click the checkmark icon.
- Use a separate email only for security and password manager. Like Tutanota Mail, Protonmail.
- If you need to register multiple websites, you can use email forwarding like simplelogin.io and anonaddy. Use these services to create email aliases and then forward the emails to your real inbox. You can use email aliases to replace your real email on Facebook, Youtube etc.
- Use unique usernames for forums, social sites etc.
- Use unique passwords and store those credentials in a password manager.
- Lock your password manager account with a strong password.
- You can use 2FA, but make sure that you don’t lose the app/device. I highly recommend using 2FA app on a laptop like Authy. I am not a fan of the 2FA app on smartphone.
- Always monitor your main email should someone tries to hack into your BW account. If someone log into your BW account from a new device, you should receive an email.
But, you can get the same by turning on Bitwarden 2FA via email. Also, if that hacker already had your Lastpass email, the first thing he would do is to hack your email. That will save himself the time because most people are not using password manager anyway. He can also reset your LastPass password by hacking your email.
If you need this function badly, you can pay $10/year for Premium. Bitwarden already has that feature, but for premium users.
See the pricing here: Bitwarden Password Manager Pricing & Plans | Bitwarden
See the list of 2FA logins here: Two-step Login via FIDO2 WebAuthn | Bitwarden Help Center
Many people do not know this, but KeepassXC has the 2FA function, known as TOTP and you can integrate it with any online account that you want.
You can set up 2FA with KeepassXC by following this instruction.
Once you set up the 2FA with KeepassXC, you can copy the Keepass database file (KDBX) into a pen drive and then use it anywhere.
If you are on Windows and want to use KeepassXC anywhere on a Windows PC, you can install KeepassXC Portable.
If you are on Linux and want to run KeepassXC anywhere on Linux computers, you can use the App image program.
3 Likes
The fact that only encrypted data is sent to the client and decryption takes place only on the client device, that is no protection against a MITM attack. Why? Because a MITM can inject javascript code to decrypt the vault contents. Watch the demo! (And then become worried!)
OTP is a weak protocol because it relies upon the user to determine whether the site they are visiting is valid. And this is wide open to user error - phishing or spear-phishing attacks etc. (And also local network attack and rerouting of traffic.) U2F solves this by only sending authentication information to the verified provider, meaning that even if the user is tricked into entering their master password on a bogus site, U2F will not surrender the 2nd factor autentication code.
I find it staggering that password managers in the 21st century, whilst securing our most valuable data, do not all support latest, most secure authentication methods. Incidentally BW is not the worst. At least BW support U2F on some platforms. LastPass do not support it at all (apart from via Duo) and leave users wide open to MITM attacks.
And BTW, I pay for Premium. U2F is not supported on Android, so you get a text or email in middle of the night and half asleep you panic, pick up your phone, login and enter your authentication code and bam, you are toast.
EDIT: I realize now my video is not above. Please refer to the information and video link here:
Its an extra step, now you need to know a correct login, and country, while also guessing the password. For added bonus an option to restrict/block known proxy/vpn/hosting providers.
1 Like
Or just use an appropriate password so that it can’t be guessed within your lifetime. Plus, Bitwarden already offers two-step logins for that extra layer of security, which offers far more protection on your account than a Geo-IP “guess” ever could.
The tools are there already if you just understand how to use them, in my opinion.
3 Likes
As I mentioned earlier in this threa:
the following Password Managers offer some sort of IP restrictions:
LastPass, 1Password, Zoho Vault, ManageEngine, RoboForm, One Identity.The security benefits are clearly substantial when so many companies have adopted these policies.
This remains very relevant.
1 Like
Great suggestion!
However, we need to be very careful to only allow access from another country when traveling or moving permanently. Allowing simultaneous access from two countries would make it a useless feature.
One idea for giving access would be to specify a date range in which to allow access from another country. Changing these dates should only be done from the country where you have permanent access to the account or via biometric recognition.
Watch out for VPNs 
1 Like
Geolocking would be a very nice option to have.
It can be bypassed if there are no other methods to protect it, like via VPN as many others said, but that can be prevented too.
If Bitwarden can recognize VPN IP addresses like many other companies do, for example streaming services, or debrid sites like Alldebrid, it will prevent misuse of VPN services. Even better for security, add an option for VPN services, let’s say allow Proton but block rest of them. This won’t affect corporate VPN apps because their domains and IP addresses are different.
Also, it would be helpful to get an option to add trusted IP addresses.
As for travelling abroad, Bitwarden can put an option to emergency contact person to update allowed country / IP list temporarily. Making it temporary can prevent misuse of the function.
You seem incapable of grasping the fact that some people really do have appropriate password policies and 2 step login, AND would like geo blocking because it adds another hurdle for would be attackers to navigate. Potentially allowing you more time to react.
That you see no value in it, we understand. You’ve said so about 5 times already.
3 Likes
Bumping this up.
Still want this.
This seems like a nice suggestion, but I can see how it could easily be spoofed with a VPN so that it looks like the person is logging into your vault from your home country. That wouldn’t offer a great deal of protection.
This is a long thread so I don’t know if this has been suggested already;
Businesses subscribed to Microsoft 365 may achieve Geo restrictions for Bitwarden by setting up SSO, and also setting up Location and/or Risk based conditional access policies within Azure AD.
Unfortunately you will need MS Azure AD P1 or MS365 Business Premium licencing at minimum.
With MS365 Bus Prem, MS Endpoint Management, and Bitwarden SSO properly setup and enforced, you’ll also be able to prevent signin from any device other than a business owned/managed device, regardless of geolocation. You’ll also be able to block access via managed devices if they become “higher risk”, by windows updates failing or anti-malware being disabled for example.
As others have pointed out, georestrictions can be easily thwarted by a VPN. Businesses subscribed to Azure AD P2 licences also gain access to risk based conditional access policies. These can assist with blocking access to machines connected to VPNs, but are not bullet proof either.
All of that said, I appreciate the above is completely unfeasible for consumers, and potentially smaller businesses. MS365 business and enterprise licencing is not cheap. The time and costs to setup all of the above will be significant for a business who does not have any of it in place already.
I agree some sort of GeoIP filtering should be made a feature that is native to Bitwarden.
Note: I administer MS365 products extensively in my line of work. I’m not a Microsoft employee and am not receiving any sort of kickback incentive etc for “advertising” MS365 products.
1 Like
I’m a former LastPass user who switched to Bitwarden because of the open source status. I noticed LastPass already offers this and it’s a such a relief knowing fewer people can access my account.
1 Like
I’d love to see this. If not regions, allow specific IP addresses?
This would effectively give me 3SV, as a potential hacker would have to a. know my password, b. have my Yubikey (or trick me into clicking a Duo notification) AND c. be on my home network, or manage to extract a VPN profile from my laptop.
Here’s a concept of what it coud look like
2 Likes
IP restriction is pseudo security, because IP addresses can easily be spoofed. To me this shows that Bitwarden is driven by tech people who knows the game, and not by marketing people like Lastpass. I am a former user of lastpass, and left them years back after their breach number…I don’t remember which one actually.
As far as I’m aware, you can’t “spoof” someone’s IP address unless you’ve managed to exploit one of the reverse proxy servers that lead to Bitwarden’s upstream code, or you somehow get access to the network infrastructure (by, say, obtaining VPN access into a home network like @foxt has said as an example above) that has the IP address assigned to. So I don’t understand how that could be pseudo-security.
(EDIT: unless, of course, the allowlist includes a country-level IP block. Then “spoofing” is as simple as masquerading behind a VPN. But there are two problems with this assumption: 1) just because this is possible doesn’t mean all users will do it – some users will set up a very specific allowlist so that spoofing isn’t trivial, and 2) the attacker still needs to know what block was whitelisted. Was it several countries? A country? A province? A certain IP block that the user’s home network router gets DHCP leases from? And in that order, more and more harder to figure out and “spoof” properly, almost bordering on impossible for the latter IP blocks.)
Also, you can find many software that implement IP range allow/blocklists, like nginx. So please explain how nginx is not driven by “tech people who know their game”, when this very community forum and the infra that Bitwarden runs certainly include nginx somewhere.
And honestly, setting aside the “is it pseudo” security or not argument, I feel like Bitwarden might lose out on enterprise customers by not considering this feature request. Business customers regularly have compliance requirements they have to tick off, and blocking IP ranges could certainly well be one that is needed by a certain organization/company. Especially if said org has an entire IP block assigned to their network that they can then point Bitwarden to and say “okay, you’re only allowed to authenticate users that are on this IP block.” “Spoofing” that isn’t doable unless you get network access somehow, and again, even if you did, it’s another layer you need to get through to.
1 Like
You are free to have your own opinion about this topic, I am not trying to convince you.
To me IP address restriction is from a time when perimeter security was the center of security, it wont cut it anymore - data encryption and authentication matters and that will give you the protection you need.
IP restriction has a place, but I would not invest here, and I am happy that Bitwarden does not fall for this, and instead spend their investment money on e.g. passkeys.