Temporary Master Password

Would be nice to see this (voted)!
Also, Lastpass doesn’t allow the creation of OTPs inside the mobile app, which is a bit frustrating (I think you can’t even see your pre-generated OTPs in the app either). So, if you happen to implement this feature, please make it accessible inside the mobile app as well - both generating and seeing OTPs.

This is one of the features that kept me on LastPass for so long but now I’m all-in with BitWarden. I travel a lot and my usage scenario assumes that all of my personal devices will be stolen or lost, thus requiring me to use a PC at an internet cafe. I have to assume that anything I use has a keylogger. Right now changing my master password with each login is the only way to stay safe.

Could it be enough to use the “on screen virtual keyboard” to counter the keylogger?

Thanks!

Possibly, but I believe that software exists that can record mouse clicks as well. If I could boot my own OS and reduce the threat to only hardware keyloggers then an on-screen virtual keyboard would be a solution.

Could something like this in portable version be useful?

Thanks!

Add the feature of one-time account passwords as LastPass has.
https://support.logmeininc.com/lastpass/help/what-is-the-difference-between-a-one-time-password-and-a-recovery-one-time-password

In LastPass you make a list of these and use them when logging in to unknown computers so that your master password is never key logged, etc.

They can still be used with 2 FA for security

Wouldn’t this be possible without changing bitwarden architecture if it is done similar to the Emergency Access?

If you create temporary passwords it could encrypt your master password using the created temporary password (maybe combined with another key from the server) that encrypted master password is stored alongside your account on the server.

So if you want to log in with the temporary password the master password could be decrypted (locally) and used to log in. I guess also lastpass uses something along that way because if you could decrypt the vault without the master password it would mean it is not really end-to-end encrypted, right?

@Gaurav @wacoody @tgreer @FOSS_Lover @Nat @dh024

Hello awesome Bitwarden community!

I hope to help everyone, I have this idea here! Can the temporary master password be a pre-defined item type?

1. My goal here is to hypothesize a possible implementation. So I apologize if what I said is wrong. So guys, I might be saying something wrong, feel free to correct me!
2. I hope to contribute in some way to this resource. I find this feature interesting, perhaps this feature is part of the ‘Add more pre-defined item types’. It’s very likely that from what I’ve read, it may be a pre-defined item.
3. So I thought about this: - It would be interesting for the temporary master password to be a predefined item type - because we can use it without any problems and it wouldn’t bring any trivial changes to Bitwarden.
4. I believe a temporary master password is a temporary, unstructured data type. Believing this, I think an ideal alternative to implement this is to use a database like Mongob. Databases like Mongob allow for unstructured data and temporary data - maybe that’s possible, feasible to think about - in terms of a possible implementation as I mentioned before.
5. Perhaps mongodb might be interesting because there are features natively, internally in mongodb that might not require any trivial changes in Bitwarden and might make this feature viable. For example there is a possibility in mongodb to delete certain data for a time you set - as the temporary master passwords in my opinion are temporary data and unstructured data and are a predefined item type - this is possible with mongodb.
6. Preset item can be generated automatically.

user interface - ui/ux

image730×340 60.9 KB

Image Description

1. You check your Bitwarden account which devices you use the most.
2. After that, you create a pre-defined item called a temporary master password. This predefined item is associated with the device that is most used.
3. After saving the item in the vault, you click on the item again and view the code which is the temporary master password that you release from your device without necessarily having a master password.
4. It is not necessary to memorize anything, just 1 or 2 numbers that will be used for the knowledge check. Example: “Enter a letter or number that you know is part of the temporary master password.” Or maybe to authenticate the temporary master password it would be interesting to use some biometrics, for example - it can be approved by fingerprint or simply by clicking ‘accept’ in your mobile app for unlocking or maybe enter pin and second factor - would be a good idea.
5. Another simplified idea, every time you log in to Bitwarden, a temporary master password is generated that you can use for just 1 device on the free plan and for more devices on the paid plan.
6. In other words, you will need to have access to Bitwarden beforehand in order to use the temporary master password. The password I would access would just be a predefined item that you only have time for.

reference

• Integrated Authenticator | Bitwarden

Well its good to see that people are taking their time here to suggest possible ideas to implement this feature . I really can’t say at this moment whether i would prefer this feature or not.

But one thing i want to bring to the notice of the mods is that the feature requests -“Sign-in using QR code” , “Unlock with yubikey alone” and “Temporary master password” are made with intention of solving the same problem.
These requests primarily are aimed at solving the problem of "people feeling insecure about entering their master password at a public place" which could be a legit problem for people who think are more susceptible to this.
For keeping community more productive and ensuring that users requests and the mods responses don’t go wasted over debating it in 3 separate threads , they should be either merged or cross linked to ensure that their is some real progress and merit to the discussion.
Thanks.
Edit : in short i feel there is one problem and users have suggested 3 different ways of solving it , so it might as well be considered one for reaching a solution quickly.

1. Thanks for your comment @Gaurav ;D
2. I hope to help the community
3. Your idea of ​​putting all these posts together would be a good starting point.
4. Can we merge all these subjects into a single topic, @dh024 or @bw-admin ? how suggest @Gaurav?
5. I would be happy to help.

I’m new here, but have been using BW for about a year. This thread interested me as I like the idea of One Time Passwords. I remembered that my email service (fastmail.fm) at one point offered OTPs, but with added security (they don’t any more - no idea why). This is from their historic blog entry:

For extra security, you can also specify a “base password” when you create a OTP set. When you do that, you have to enter both the base password (something you know) and the OTP password (something you have) to login. This ensures that even if you loose the piece of paper with one-time passwords on it, it can’t be used.
SMS-able password set
Similar to the OTP password set, but rather than generating a set of one-time passwords to print out, it generates a new OTP to send to your mobile phone via SMS.
To initiate the SMS, you have to specify a “base password”, and when you use that password on the login screen it will send you an SMS with the one-time password to use to actually login.

The base password option was something I actually used, not often but quite reassuring. Having a paper list that lets anyone finding it straight into your account was daft then and is daft now.
Anyway, that’s my two-penneth… please add it into the melting pot when the threads are combined.

Hi @anon15241427 - I think there are enough differences between these three feature requests, as well as a substantial number of votes for each, that they should remain separate. However, I have added a staff notice at the top of each thread that cross-references each of the related posts. Cheers!

We want to have the ability to use a one-time equivalent of the master password so that if the one time password is captured on the compromised public machine, it will do the adversary no good.

Unlike everyone else - I use(d) this LastPass feature as a backup for users.

Vacation brain is a real thing - my uses will go on vacation and forget all their passwords. Having these One-Time Single Use passwords were/are great as a recovery option for vault access.

You can’t change the master password with them -but you can fully export the vault, wipe the account and import the vault into the fresh account.

Without a feature like One-Time passwords - I’m hesitant to train non technical users on using BW - There’s no escape hatch for them.

This is a real issue I see with FIDO(2) going forward - normal people are HORRIBLE about backups - what are the chances they will have have multiple FIDO keys? Companies are going to have to have a solution for this. Though I have no clue what it would be.

Interesting idea with the base password - but it defeats what I consider the primary purpose of the one use password - keyloggers.

I do appreciate what you’re saying about the list of passwords printed that can be lost. that’s why I make sure the list is nothing but the passwords - no other indications of what the list is for. No indication of what my username is, etc.

I was about to request this feature but I saw this one. Sometimes I want to log in to Bitwarden to copy a secure note I stored to use a password using my work computer which I don’t trust with my personal secrets. This feature would be very helpful and I’ve seen other password managers provide it. Please implement this feature.

Just to add a perspective on the utility of this feature request:

If you are accessing (logging in to) your Bitwarden account on an untrusted device, then spyware running on that device would not only have access to the typed login credentials, but would also be able to read the full decrypted contents of your vault from the device memory, and steal session cookies (which allow an attacker to log in to your account without providing any password or 2FA). Thus, unless you believe that spyware running on the untrusted device is only listening to keystrokes but for some reason is refraining from stealing any session cookies or any information that is available in process memory, then the one-time password will not really offer meaningful protection.

Furthermore, as already noted, enabling two-step login for your Bitwarden account is already a viable defense against info-stealers that are restricted to only logging keyboard inputs (e.g., hardware keyloggers).

You are right to be concerned about loss-of-access to the vault. Brain farts are a very real thing. Fortunately, there is a solution available today, an Emergency Sheet. You might consider helping your users create one as part of the training you supply.

This is the biggest factor leading me to syncable passkeys, which is what Bitwarden implements. One can have just a few device-bound authenticators (yubikey, fingerprint, face-id, PINs, etc.) to get into the vault, and then an unlimited amount in the vault which can be backed up.