On both the Community and Reddit, we frequently get login failure reports because someone inadvertently is logging into vault.bitwarden.com when their account is actually on vault.bitwarden.eu (or vice-versa).
When someone tries to log in to a vault and the account does not exist, it would help to check if the vault exists on the other region and if so automatically switch the app to use the other region.
Automatic switching of servers could have unintended consequences, but I think that the error message could be made more informative.
Instead of just “Username or password is incorrect”, why not specify “Username or password is invalid on this server” (or even "…invalid on bitwarden.com domain")?
I would bet, for most people who are not even aware that there are two distinct server regions, this is still too implicit. (“…invalid on bitwarden.com? What does that mean? What do you want from me now? My account is on Bitwarden.com…”)
A little (general) explanation - like we do regularly - is necessary, I think. My first try would be:
“Username and/or password is incorrect. - There are two distinct Bitwarden server regions (bitwarden.com / bitwarden.eu). If your login fails, also try both server regions.”
(maybe not ideal and a bit simplified - but I wanted it to be short and still “readable”)
Yes, it could cause unintended consequences, but that is likely to be limited to only people who have created vaults in both domains, given that one needs access to the corresponding email account. So, the failure mode would be attempting to login to your other account, not to somebody else’s.
If an alert is instead used, I would suggest verbiage along the lines of “[email protected] has an account on vault.bitwarden.com, but not here”.
From my personal experience, the confirmation that a certain account exists almost never happens with services. From a security standpoint, I guess, no possible attacker should be able to provoke that certain information.
The full error message currently reads “An error has occurred. Username or password is incorrect. Try again.”
I think it is important to keep error messages as concise as possible, and as relevant as possible to all use-cases. Your concern could be addressed by being more explicit in the “Try again” suggestion.
For example:
“Username or password is invalid on this server. Please correct the entered information or the server selection.”
One does not actually need access to the email account to use the email address as a Bitwarden login.
If automatic switching is implemented, one possible attack vector could involve squatting of accounts on one of the two servers using leaked email addresses. From there, one can imagine various scenarios that could create vulnerabilities for certain users.
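Added example (not Bitwarden's code, and not from any poster here) illustrating the account-existence concern raised in the two posts above: a constructed two-region account store, a leaky login variant whose error confirms that the address has an account on the other region, and a uniform variant that returns the same message for "wrong password", "no such account" and "account lives elsewhere" while still carrying the generic region hint the thread suggests. Region names are used only as labels; all function names and data are assumptions.

```python
import hashlib
import hmac
import os

# Constructed stand-in for two independent account stores, one per region.
REGIONS = {"bitwarden.com": {}, "bitwarden.eu": {}}

GENERIC_ERROR = ("Username or password is incorrect. There are two server regions "
                 "(bitwarden.com / bitwarden.eu); check that you selected the right one.")


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(region: str, email: str, password: str) -> None:
    salt = os.urandom(16)
    REGIONS[region][email.lower()] = (salt, _hash(password, salt))


def _verify(region: str, email: str, password: str) -> bool:
    # Always run the full hash, even for an unknown address, so response time
    # does not reveal whether the account exists in this region.
    record = REGIONS[region].get(email.lower())
    salt, stored = record if record else (b"\x00" * 16, b"\x00" * 32)
    match = hmac.compare_digest(_hash(password, salt), stored)
    return match and record is not None


def login_leaky(region: str, email: str, password: str) -> str:
    """Reveals where the account lives: the oracle the thread warns about."""
    if _verify(region, email, password):
        return "ok"
    for other, store in REGIONS.items():
        if other != region and email.lower() in store:
            return f"{email} has an account on {other}, but not here"
    return GENERIC_ERROR


def login_uniform(region: str, email: str, password: str) -> str:
    """Identical text whether the password is wrong, the account is missing,
    or the account exists only on the other region."""
    if _verify(region, email, password):
        return "ok"
    return GENERIC_ERROR
```

With the leaky variant, an unauthenticated caller can tell "registered on the other region" apart from "not registered anywhere"; with the uniform variant the three failure cases are indistinguishable by message.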
Even more important to me is “accurate”. In the envisioned case, the message is flat-out-wrong. The username and password are correct; it is the vault that is incorrect.
This seems like the flaw. I see no reason why the same username should be permitted on the two domains unless it can be validated as the same person.
And only vaguely related, I also think that the email should be required to be validated so we know that the “warnings” have a chance of being delivered.
OTOH, some highly privacy-minded users may prefer to have a Bitwarden account username that cannot be traced or linked to any of their other internet activity.