Temporary Master Password

When I chose to start using a password manager, after years of apprehension in doing so, I started with LastPass since it ranked pretty high in my research. Fast-forward to the point where I ditched it 100% in favor of open-source Bitwarden and its smoother, richer features.

The only thing that would be nice to have, of all the LP abilities BW doesn’t have (yet), is the ability to issue a one-time temporary master password. I did search the community to see if this had been requested, and it was, back in post https://community.bitwarden.com/t/ability-to-create-temporary-passwords/4721. It seems to have fizzled out due to the 2FA recommendation. I agree 2FA should be in place, but I disagree that it is the answer to the purpose of the request. Some unscrupulous person would have my master password, period. They’d only need to get my phone or log in to Ally (I don’t use it, just an example) and then they have my BW account at their disposal.

By having the temporary password I could log in at a cafe, library, or wherever it may be (including 2FA) and not have to worry, because the moment I’m done the temp password is useless.

Thanks,

Andrew

1 Like

Please accept this in the helpful way I am presenting it. If you are worried about someone gaining your password while at a coffee shop or similar, you have larger problems than BW’s password. Reasonable OPSEC would preclude such an event via a VPN, leaving the open wifi closed (on your machines) to everyone but you. Of course U2F with BW would leave a hacker in the dark anyway.

If you are not using a VPN or U2F then you always have the option of taking a few seconds and simply changing the master password immediately when you leave the open wifi. Lots of work, though, when elimination of snoops is so easy and it’s 24/7 no matter where you browse.

3 Likes

Thanks for the reply. I agree completely with your response. I don’t fear that situation since I’m smart about my tech and browsing, nor do I use a coffee shop as my analogy states. It was just a really insightful feature from LP I thought would be good here.

Thanks again.

I’m totally in for this!
This feature would not only be useful when using public wifi, since you can just use a VPN, but it is necessary when accessing the Bitwarden Vault on an untrusted computer, such as a friend’s, which might have a keylogger (and you never know).

In addition, without this feature of One-Time Login passwords (or Throw-away Passwords), it would be quite pointless to use the Password Generator, since how is one supposed to access the accounts that use randomly generated passwords without exposing one’s Master Password to risk? And if the Master Password gets compromised… all the passwords that are stored in the Vault would be stolen…

Hopefully this feature would be implemented soon, for security’s sake!

4 Likes

I would love this feature, but I doubt it’s even possible on Bitwarden because of the way the master password is used not only for authentication but also for encryption (at least from what I’ve heard), so creating more temporary passwords that would allow access to the vault would probably be impossible with the way everything works now, or would be much less secure (?)

I liked this feature on LastPass a lot, but then again they also had more recovery options, like reverting to an older master password, which Bitwarden doesn’t have and probably will never have, because of security.

2 Likes

@Reny
Good point!

I totally agree that security should be first in a password manager like Bitwarden. However, there should be ways to add this feature without compromising security. I’m not a programmer, so I’m not sure. We would need Kyle Spearrin @kspearrin or @tgreer to decide on this… Thanks!

I still hope that this feature would get implemented, as long as the Vault’s security isn’t affected! :grinning:

2 Likes

Thanks for the feature request! This is interesting to think about because as you all have mentioned, doing so with the current architecture of Bitwarden is not possible without some significant modification of the security model (the same reason that our SSO solution is authentication-only and not vault decryption).

@wacoody when you used this for LP, did you have to log in normally and ‘generate’ the ephemeral passwords to use later?

1 Like
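To make concrete why the shared master password is the sticking point, and what kind of change to the security model a one-time login would need, here is an added illustration that is not Bitwarden’s code and simplifies its real scheme (an assumed iteration count, and an XOR-plus-HMAC key wrap standing in for AES key wrapping): the vault key is wrapped once under the key derived from the master password and, only from a logged-in session, additionally under each one-time password, whose wrapped copy is deleted the moment it is used.

```python
import hashlib
import hmac
import secrets
# Assumed, simplified parameters: a stand-in iteration count, and a
# XOR-plus-HMAC key wrap in place of the AES key wrapping a real client uses.
KDF_ITERATIONS = 100_000

def derive_key(password: str, salt: bytes) -> bytes:
    """Stretch a password into a 32-byte key-encryption key (stand-in client KDF)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS, 32)

def wrap_key(kek: bytes, vault_key: bytes) -> bytes:
    """Wrap the 32-byte vault key: XOR with a kek-derived stream, then an HMAC tag.
    Each kek must wrap exactly one value, so every one-time password gets its own salt."""
    stream = hmac.new(kek, b"wrap", hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(vault_key, stream))
    return ct + hmac.new(kek, b"tag" + ct, hashlib.sha256).digest()

def unwrap_key(kek: bytes, blob: bytes):
    ct, tag = blob[:32], blob[32:]
    if not hmac.compare_digest(hmac.new(kek, b"tag" + ct, hashlib.sha256).digest(), tag):
        return None  # wrong key-encryption key: tag check fails
    stream = hmac.new(kek, b"wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))

class Account:
    def __init__(self, email: str, master_password: str):
        self.email = email
        self.vault_key = secrets.token_bytes(32)           # the key vault items are encrypted with
        master_key = derive_key(master_password, email.encode())
        self.protected_key = wrap_key(master_key, self.vault_key)   # what the server stores
        self.one_time = {}   # otp lookup id -> (salt, vault key wrapped under that OTP)

    def unlock_with_master(self, master_password: str):
        return unwrap_key(derive_key(master_password, self.email.encode()), self.protected_key)

    def issue_one_time_password(self) -> str:
        """Only possible from a logged-in session: wrapping needs the plaintext vault key."""
        otp, salt = secrets.token_urlsafe(18), secrets.token_bytes(16)
        otp_id = hashlib.sha256(otp.encode()).hexdigest()   # server never stores the OTP itself
        self.one_time[otp_id] = (salt, wrap_key(derive_key(otp, salt), self.vault_key))
        return otp

    def unlock_with_one_time(self, otp: str):
        """Consume the OTP: its wrapped copy is deleted whether or not unwrapping succeeds."""
        entry = self.one_time.pop(hashlib.sha256(otp.encode()).hexdigest(), None)
        if entry is None:
            return None
        salt, blob = entry
        return unwrap_key(derive_key(otp, salt), blob)
```

The trade-off this makes visible is that every outstanding one-time password is another credential that can unwrap the vault key, so the issue and revoke steps must themselves require the master password, as the LP workflow described later in the thread does.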

@tgreer,

I had to create a temp account with them to test this real quick because it’s been a long while now since I used them (Bitwarden for the win). The answer to your question is, yes, you do have to sign in and generate the OTPs. It would be horrible if they required you to sign in in real time with the master password to generate the OTP in whatever untrusted/unsavory place you want to use an OTP. Their method of implementing this workflow seems the most logical to follow to allow this feature. I took the liberty of following through a workflow for you below.

Once signed in, hidden within the menus of LP (“More options” (1) > “Advanced” (2)), there is an option called “one-time passwords” (3). (figure 1)

[figure 1]

After you make it through the rollercoaster of links, you’ll land on a PHP page where you can generate, delete, and print your OTPs (figure 2).

[figure 2]

Each time you generate an OTP, you’re prompted to put in your master password, which makes total sense. Same process for clearing OTPs. Printing, though, just pulls up the browser’s native print function with a basic render of the otp.php page.

So let’s fast-forward to being in some untrusted/unsavory place like an airport, coffee shop, or anywhere you want to use an OTP. On LP’s login page, there’s a link to log in using an OTP. (figure 3)

[figure 3]

You’ll be presented with a different login page with the proper form requirements for OTP access. (figure 4)

[figure 4]

I did this and it took me to my account just as if I had logged in normally.
Going back to the OTP menu, now there are 2 vs 3 OTPs for use, as expected. (figure 5)

[figure 5]

LP calls these OTPs, but they’re pretty much like backup passwords from other services. I know Google and many other companies use these, and they have their own way of logging in and cycling through them.
Typically, you get 10 prefabricated OTPs/backups with another service online, so I created 12 OTPs to test the waters slightly, to see if you could go beyond the typical limit. I presume you can generate as many as you like up to some coded ceiling. (figure 6)

[figure 6]

I like the ability to generate as many OTPs/backup passwords as I need, because with some of the services out there, whether you get them right at sign-up or you opt in to get OTPs/backups, either way, you get 10, period.

Bitwarden obviously has a 10-fold better website layout, so the implementation wouldn’t be as ghastly as LP’s, surely. I can see it being an option under, say, the “Tools” or “Settings” menus. Once the OTPs/backup passwords are generated, how/when you use them is up to you, but you have the comfort of knowing that you can use an OTP/backup password whenever you need.

While I agree with the thought process and perspective @OpSec had in the initial reply, we can only face the reality that not everyone will, can, wants to, or knows how to use a VPN or U2F. People are people, yes, and we need to keep flexibility open.

I hope this information helps. I’ll leave my test account open for a few days in case you have any other testing you’d like me to perform.

Andrew

4 Likes

Rock on - thanks for the detail! Also LOL @ ghastly…

Thanks again!

2 Likes

Seriously, though, when I decided to start using a password manager and not my brain or Excel (yeah…), LP was one of the top searches so I went with them. Immediately upon use I remember their site being chunky, clunky, and the menu nesting was overpopulated. I get it from a UI (or marketing) standpoint, but from a UX standpoint it’s not the best. Logging back in today to test it further cemented how much I don’t like LP.

Bitwarden has always been clean, simple (simple is good in this case!), and efficient at achieving what I was aiming to do. I have most of my family using BW now and it’s made my life easier not having to remember lots of passwords, or worse, using the same password over because I don’t want to remember lots of passwords (haha).

Thanks for all of you and the BW team’s hard work @tgreer making Bitwarden the best solution out there.

4 Likes

We’re happy to do what we do!

Password management (and security) is something everyone deserves to have access to!

6 Likes

Today I canceled my Bitwarden premium subscription and returned to LastPass just because of this feature!

1 Like

@tgreer Another good idea would be to use the Bitwarden mobile app to approve the login in the web extension via fingerprint, i.e. you choose to log in and the mobile app (which you have previously logged in and configured using your master password and your 2FA of choice) prompts you to use your fingerprint, then sends the response back to the browser extension to approve the entry. This way you don’t have to type your master password in public places, nor do you need to remember (or type out) an OTP.

This feature is present in the Microsoft Authenticator app, allowing you to approve login to your MS account on any browser by using your fingerprint on the phone without typing a password or 2FA code.

But the entire OTP thing is still a valid option, just in case you don’t have your phone near you at the moment.

Using LastPass was horrible, so I returned to my Bitwarden premium subscription and found a cool workaround for this issue, if anyone is interested. My issue is that I want to unlock my account from public places using my Windows laptop and I don’t want to type my master password publicly, so I found that Bitwarden has a cool feature, which is support for “Windows Hello”, so I used Windows Hello to unlock my Bitwarden desktop application without using any master password!

3 Likes

Yet you can’t unlock your web vault. Bitwarden’s main issue, in my opinion, is that the desktop app is very limited; I can’t do all that the web vault can do, like creating new folders.

1 Like

Also, when logging in for the first time on a new device you must use the master password; Windows Hello is only configurable once you have done so, and you don’t want to leave your account logged in on public devices.

1 Like

This does sound useful. I haven’t found myself in a situation where I’ve felt I needed it, but pretty close sometimes.
Where do you keep the temp passwords, and how do you “type” them on the device you’re trying to use them on without having to literally type out 20 case-sensitive characters with specials etc.?
I often look up a password on my phone and wish there was an easy way (like having my phone act as a Bluetooth keyboard to auto-type the credentials) of getting that password onto the computer I’m working on.

2 Likes

I’d need this feature. Not often, of course, but I have used it with LastPass a handful of times, when I was very happy not needing to type my master password in.

Any update on this being added?

2 Likes

I too loved this feature from LastPass, and this is really needed in Bitwarden.
Please do include it ASAP.

I would love to use these one-time passwords as well as my 2FA for bulletproof access.

What’s been happening with this request anyway?

Surely it doesn’t take 1 year to implement such a feature, because this request initially was started in January 2020…

2 Likes

Bumping this useful feature request! Hope this gets implemented soon!

1 Like