Temporary Master Password

When I chose to start using a password manager, after years of apprehension in doing so, I started with LastPass since it ranked pretty high in my research. Fast-forward to the point where I ditched it 100% in favor of open-source Bitwarden and its smoother, richer features.

The only thing that would be nice to have of all the LP abilities BW doesn’t have (yet) is the ability to issue a one-time temporary master password. I did search the community if this was requested and it was back on post Ability to create temporary passwords. It seems to have fizzled out due to the 2fa recommendation. I agree 2fa should be in place but I disagree that is the answer to the purpose of the request. Some unscrupulous person would have my master password period. They’d only need to get my phone or login to Ally (I don’t use it, just an example) and then they have my BW account at their disposal.

By having the temporary password I could login at a cafe, library, or wherever it may be (including 2fa) and not have to worry because the moment I’m done the temp password is useless.

Thanks,

Andrew

Please accept this in the helpful way I am presenting this. If you are worried about someone gaining your password while at a coffee shop or similar, you have larger problems than BW’s password. Reasonable OPSec would preclude such an event via VPN leaving the open wifi closed (on your machines) to everyone but you. Of course U2F with BW would leave a hacker in the dark anyway.

If you are not using a VPN or U2F then you always have the option of taking a few seconds and simply changing the master password immediately when you leave the open wifi. Lots of work though when elimination of snoops is so easy and it's 24/7 no matter where you browse.

1 Like

Thanks for the reply. I agree completely with your response. I don't fear that situation since I'm smart about my tech and browsing, nor do I use a coffee shop as my analogy states. It was just a really insightful feature from LP I thought would be good here.

Thanks again.

I’m totally in for this!
This feature would not be only useful when using the public wifi since you can just use a VPN, but it is necessary when accessing the Bitwarden Vault on an untrusted computer, such as a friend’s, which might have a Keylogger (and you never know).

In addition, without this feature of One-Time Login passwords (or Throw-away Passwords), it would be quite pointless to use the Password Generator, since how is one supposed to access the accounts that use randomly generated passwords without exposing one’s Master Password to risk? And if the Master Password gets compromised… all the passwords that are stored in the Vault would be stolen…

Hopefully this feature would be implemented soon, for security’s sake!

1 Like

I would love this feature, but I doubt it's even possible on Bitwarden because of the way the master password is used not only for authentication but also for encryption (at least from what I've heard), so creating more temporary passwords that would allow access to the vault would probably be impossible with the way everything works now, or would be much less secure (?)

I liked this feature on LastPass a lot, but then again they also had more recovery options, like reverting back to an older master password, which Bitwarden doesn't have and probably will never have, because of security.

1 Like

@Reny
Good point!

I totally agree that security should be first in a password manager like Bitwarden. However, there should be ways to add this feature without compromising security. I’m not a programmer, so I’m not sure. We would need Kyle Spearrin @kspearrin or @tgreer to decide on this… Thanks!

I still hope that this feature would get implemented, as long as the Vault’s security isn’t affected! :grinning:

3 Likes

Thanks for the feature request! This is interesting to think about because as you all have mentioned, doing so with the current architecture of Bitwarden is not possible without some significant modification of the security model (the same reason that our SSO solution is authentication-only and not vault decryption).

@wacoody when you used this for LP, did you have to log in normally and ‘generate’ the ephemeral passwords to use later?

@tgreer,

I had to create a temp account with them to test this real quick because it's been a long while now since I used them (Bitwarden for the win). The answer to your question is, yes, you do have to sign in and generate the OTPs. It would be horrible if they required you to sign in real-time with the master password to generate the OTP in whatever untrusted/unsavory place you want to use an OTP. Their method of implementing this workflow seems the most logical to follow to allow this feature. I took the liberty of following through a workflow for you below.

Once signed in, hidden within the menus of LP – "More options" (1) > "Advanced" (2) – there is an option called "one-time passwords" (3). (figure 1)

[figure 1]

After you make it through the rollercoaster of links, you’ll land on a php page that you can generate, delete, and print your OTPs (figure 2).

[figure 2]

Each time you generate an OTP, you're prompted to put in your master password, which makes total sense. Same process for clearing OTPs. Printing, though, just pulls up the browser's native print function with a basic render of the otp.php page.

So let's fast-forward to being in some untrusted/unsavory place like an airport, coffee shop, or anywhere you want to use an OTP. On LP's login page, there's a link to log in using an OTP. (figure 3)

[figure 3]

You’ll be presented with a different login page with the proper form requirements for OTP access. (figure 4)

[figure 4]

I did this and it took me to my account just as if I had logged in normally.
Going back to the OTP menu, now there are 2 vs 3 OTPs for use, as expected. (figure 5)

[figure 5]

LP calls these OTPs, but they’re pretty much like backup passwords from other services. I know Google and many other companies use these, and they have their own way of logging in and cycling through these.
Typically, you get 10 prefabricated OTPs/backups you might receive with another service online, so I created 12 OTPs to test the waters slightly to see if you could likely go beyond the typical limit. I presume you can go as many as you like up to some coded ceiling. (figure 6)

[figure 6]

I like the ability to generate as many OTPs/backup passwords as I need, because with some of the services out there, whether you get them right at sign-up or you opt in to get OTPs/backups, either way you get 10, period.

Bitwarden obviously has a 10-fold better website layout, so the implementation wouldn't be as ghastly as LP's, surely. I can see it being an option under, say, the "Tools" or "Settings" menus. Once the OTPs/backup passwords are generated, then how/when you use them is up to you, but you have the comfort of knowing that you can use an OTP/backup password whenever you need.

While I agree with the thought process and perspective @OpSec had in the initial reply, we can only face the reality that not everyone will, can, wants to, or knows how to use a VPN or a U2F key. People are people, yes, and we need to keep flexibility open.

I hope this information helps. I’ll leave my test account open for a few days in case you have any other testing you’d like me to perform.

Andrew

2 Likes
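To make concrete why @Reny's point (the master password is both the login credential and the key that protects the vault) and the LastPass workflow Andrew walked through above fit together, here is a small model of a password manager's key hierarchy. It is an added illustration, not Bitwarden's or LastPass's code, and it makes the usual envelope-encryption assumptions: a random vault key encrypts the vault, that vault key is wrapped under a key-encrypting key derived from the master password, and the server stores only a verifier and wrapped keys. A "one-time password" then has to be a second wrapping of the same vault key, which can only be produced while the real master password is available, which is exactly why LP makes you sign in first and re-enter the master password to generate one. The PBKDF2 iteration count, the XOR-plus-HMAC key wrap, and the class and function names are all assumptions of this model.

```python
import hashlib
import hmac
import secrets

# Assumed work factor for the model; a real client uses a much larger count.
KDF_ITERATIONS = 100_000


def derive_kek(password: str, email: str) -> bytes:
    """Password -> 32-byte key-encrypting key (PBKDF2-HMAC-SHA256, salted with the e-mail)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), email.lower().encode(),
                               KDF_ITERATIONS, dklen=32)


def auth_verifier(kek: bytes, password: str) -> bytes:
    """Login verifier: one more PBKDF2 round over the KEK, so the KEK itself never leaves the client."""
    return hashlib.pbkdf2_hmac("sha256", kek, password.encode(), 1, dklen=32)


def wrap_key(kek: bytes, vault_key: bytes) -> bytes:
    """Wrap a 32-byte vault key under a KEK (assumed scheme: XOR with a derived pad + HMAC tag)."""
    pad = hmac.new(kek, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(kek, b"mac", hashlib.sha256).digest()
    ciphertext = bytes(a ^ b for a, b in zip(vault_key, pad))
    return ciphertext + hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def unwrap_key(kek: bytes, blob: bytes) -> bytes:
    """Reverse of wrap_key; fails closed on a wrong KEK or a tampered blob."""
    ciphertext, tag = blob[:32], blob[32:]
    mac_key = hmac.new(kek, b"mac", hashlib.sha256).digest()
    if not hmac.compare_digest(tag, hmac.new(mac_key, ciphertext, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered blob")
    pad = hmac.new(kek, b"enc", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ciphertext, pad))


class ModelVault:
    """Server-side record for one account. Derivation would happen in the client; it is
    inlined here (an assumption of the model) so the whole flow runs in one process."""

    def __init__(self, email: str, master_password: str):
        self.email = email
        vault_key = secrets.token_bytes(32)          # random; only ever held in memory client-side
        kek = derive_kek(master_password, email)
        self.verifier = auth_verifier(kek, master_password)
        self.wrapped_by_master = wrap_key(kek, vault_key)
        self.temp_slots: dict[bytes, bytes] = {}    # temp verifier -> vault key wrapped under temp KEK

    def login(self, password: str) -> bytes:
        """Normal login: verifier check, then the client unwraps the vault key."""
        kek = derive_kek(password, self.email)
        if not hmac.compare_digest(auth_verifier(kek, password), self.verifier):
            raise PermissionError("bad master password")
        return unwrap_key(kek, self.wrapped_by_master)

    def issue_temp_password(self, master_password: str) -> str:
        """Generate a one-shot password. Needs the real master password, because the vault
        key must be re-wrapped under the new KEK and nothing else can decrypt it."""
        vault_key = self.login(master_password)
        temp = secrets.token_urlsafe(24)
        kek = derive_kek(temp, self.email)
        self.temp_slots[auth_verifier(kek, temp)] = wrap_key(kek, vault_key)
        return temp

    def login_with_temp(self, temp: str) -> bytes:
        """Use a temporary password once; the slot is deleted whether or not unwrap succeeds."""
        kek = derive_kek(temp, self.email)
        blob = self.temp_slots.pop(auth_verifier(kek, temp), None)
        if blob is None:
            raise PermissionError("unknown or already-used temporary password")
        return unwrap_key(kek, blob)

    def clear_temp_passwords(self) -> int:
        """The 'clear OTPs' step: drop every unused slot and report how many were removed."""
        count = len(self.temp_slots)
        self.temp_slots.clear()
        return count
```

Two things the model makes visible. First, an authentication-only credential (the SSO case @tgreer mentions) can satisfy `verifier` but never yields a key that `unwrap_key` accepts, so decryption genuinely requires a wrapping of the vault key under something the user knows. Second, a temporary password is a full-strength key to the vault until it is spent or cleared, so the slots must be one-shot and the "clear OTPs" action matters; rotating the master password re-wraps the same vault key and would not by itself invalidate leftover slots.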

Rock on - thanks for the detail! also LOL @ ghastly…

Thanks again!

2 Likes

Seriously, though, when I decided to start using a password manager and not my brain or Excel (yeah…), LP was one of the top searches so I went with them. Immediately upon use I remember their site being chunky, clunky, and the menu nesting was overpopulated. I get it from a UI (or marketing) standpoint, but from a UX standpoint it's not the best. Logging back in today to test it further cemented how much I don't like LP.

Bitwarden has always been clean, simple (simple is good in this case!), and efficient at achieving what I was aiming to do. I have most of my family using BW now and it’s made my life easier not having to remember lots of passwords, or worse, using the same password over because I don’t want to remember lots of passwords (haha).

Thanks for all of you and the BW team’s hard work @tgreer making Bitwarden the best solution out there.

2 Likes

We’re happy to do what we do!

Password management (and security) is something everyone deserves to have access to!

1 Like