Saving Bitwarden Master Password in Bitwarden

Is there any downside to doing this? Obviously I have the password memorized.

I do it for two reasons:

  1. To auto fill on the webvault
  2. To store TOTP when I don’t have access to my U2F key

How would you log in to the web vault with 2FA enabled to get the TOTP key to log in? Already logged in to Bitwarden on another device (mobile?). You’d be running into a chicken-and-the-egg scenario like that. Can’t log in to the web vault because you don’t have your physical key, can’t get the TOTP code to fill because you can’t log in to the web vault. It’d be better to keep the TOTP code in another application like Authy/Google Authenticator.

I have a physical FIDO key. If for whatever reason I lose my phone or get locked out I just need to sign in on a machine that allows me to use the key and re-enable TOTP on my phone. If I lose both I have that reset pin written down in a safe. I’m just trying to figure out if there are any health hazards I’m not thinking of.

If the vault is left unlocked and a bad actor looks through it, they could find your master password and unlock at will if 2FA is ever disabled. Also if you reuse that master password anywhere, those services would also become compromised.

If the bad actor gains access through an exploit, they could learn the master password and unlock at a later date, again, if 2FA is disabled.

Also related: assuming they gain access through one of the above methods and you have e-mail as a 2FA method turned on, they could:

  1. Search for your e-mail password in the vault and gain access to e-mail
  2. Attempt a login to the vault and use e-mail as the 2FA method
  3. Provide the 2FA code from e-mail
  4. Now they have full access to the account

That’s all the downfalls I can think of off the top of my head, but they all require that someone gain access to the vault in some other way first.


Thanks for the input. In that case I may just remove the master password from Bitwarden but keep the 2FA.