Why YSK: Because if you are like most people, you also store your email’s password in your Bitwarden Vault and don’t bother remembering it, causing you to potentially get locked out (since you wouldn’t be able to log in to your email to get the verification code, because your email’s password is in the vault itself 👀)

(Imagine leaving your key in your house, lol)

Source: https://bitwarden.com/help/new-device-verification/

Excerpt:

To keep your account safe and secure, in February 2025, Bitwarden will require additional verification for users who do not use two-step login. After entering your Bitwarden master password, you will be prompted to enter a one-time verification code sent to your account email to complete the login process when logging in from a device you have not logged in to previously. For example, if you are logging in to a mobile app or a browser extension that you have used before, you will not receive this prompt.

Good thing I noticed, otherwise I might’ve had a bad time next month 😖

Edit: Updated title to clarify that people who have 2FA are not affected.

  • @dustyData@lemmy.world
    9
    3 months ago

    This is not the end of the world, some mighty overreaction on the comments. This is why diversity is the answer to security. Multi factor, multi mode, multi device. Something you know, something you have, something you are, etc.

    If you have more than one device, like PCs, laptop, phone, in any combination, and you have your access config on all. Then there’s an infinitesimally small chance you’d lose access to your vault.

    • ERROR: Earth.exe has crashed (OP)
      6
      3 months ago

      If you have more than one device

      That’s the problem, many people only have one device. (My parents, grandparents, probably aunts and uncles all mostly use their phones, probably doesn’t have a second phone, or even touched a computer for a while, imagine if one of them used Bitwarden)

      I personally haven’t used my PC for a while, since I don’t feel like playing games anymore, so most of my time using electronics is mostly doomscrolling Lemmy and watching Youtube (don’t judge). So if my phone happened to break, or if my app got corrupted for some reason and I had to re-download, I could definitely have gotten locked out, but luckily I saw that notice. I have the Email password saved in Keepass, so now that threat is over.

      (I know I should’ve backed up the vault, but I kinda procrastinated 🙃)

      • @dustyData@lemmy.world
        4
        3 months ago

        They have different threat models. If they don’t have a PC, they most likely don’t and never will have bitwarden. They’ll let apple or Samsung or Google handle their security for them. In the end, we all accept some level of risks across different threat dimensions. Some people are more lax and some people are more strict. It’s not the end of the world.

  • Pyr
    5
    3 months ago

    I’m getting sick of all this two step verification and code confirmation bullshit. I don’t need my Instagram password stored in a bank vault with 24 hour security. Let me opt out of all this extra security and if it gets breached then blame me for opting out.

    I don’t even have two step verification turned on for something and I still needed to check my email for a code and then when logging into the email I needed to check my phone for a second code just so I could access the first code for some bullshit account I hardly ever use. It’s incredibly frustrating.

    If I want to go through all that shit for security purposes then I will ask you to go through all those steps. Don’t force me to. Fuck.

    • @LordKitsuna@lemmy.world
      4
      3 months ago

      It’s because of PCI requirements. They offer to store credit card information, and PCI compliance now requires that be under 2FA. Also honestly, you should be using 2FA regardless; make it less annoying by using a proper token authenticator. Authy is a decent one, avoid Google Authenticator. Bitwarden also offers a separate program for token authentication that you can use on your phone.

      Tokens are still an extra step but less annoying than having to go check your email for a code. Or you can go the extra mile and purchase something like a yubikey, all you have to do is have it plugged into a computer USB port and it will handle the two-factor for you automatically

  • @Eiri@lemmy.ca
    17
    3 months ago

    I hate this so much. My Bitwarden password is the one thing I know. I’m not confident I could ever learn another password, especially one I barely ever need.

    And 2FA? What if my phone breaks? My 2FA recovery codes are in Bitwarden.

    Ugh. I have no idea what I’m going to do.

    • ERROR: Earth.exe has crashed (OP)
      4
      3 months ago

      Option 1: Set Email password same as Bitwarden Password (probably not a good idea, but technically an option 😉)

      Option 2: Make a Keepass Vault with the same password as Bitwarden, and put your Email password in it. Make sure to back up the Keepass vault file to many different Hard Drives, SSDs, and cloud (file is encrypted so it’s probably safe in cloud)

      Option 3: Move every password into Keepass.

      Hurry, time is ticking, February is in a few days. (I’m moving to Keepass btw, already have my Email password in Keepass and the vault is backed up)

      • Pika
        2
        3 months ago

        I’ve never used Bitwarden, but I migrated from Nordpass to Keepass. I currently use a private key for my second form of authentication, so even if my vault is stolen it can’t be decrypted cuz they would need the private key along with it

        It’s a stupid simple setup, because I use syncthing to synchronize my Vault across all systems, and I have syncthing set up that way it keeps three or four versions of the Vault active at a time so if I somehow managed to corrupt The Vault I can just use an older version, this way I only have one account that I’m locked out of instead of all accounts.

        As for 2fa, yeah I do the same thing as the other guy, my 2fa is stored in my vault. I used to use Authy for everything, then they decided that it wasn’t secure to have a desktop app, and since I don’t have my phone on me at all times I decided just fuck it and threw it all in one location. It’s less secure but there isn’t a decent desktop 2fa app available that I know of. Technically I could make a separate Keepass vault only for 2fa but that would be a second password to remember

    • Pika
      10
      3 months ago

      I can tell you what most are going to do. Same password for both the vault and the email provider. Which is counter productive to everything.

    • @psivchaz@reddthat.com
      10
      3 months ago

      Using different apps for password management and for 2fa is good for your security and good for redundancy. If your vault is compromised, you don’t want your OTP info compromised with it. I personally use Aegis.

      That said, Aegis is still an Android app, and while I have a backup of its data, I think I’m still out of luck if my phone breaks until it gets repaired or replaced. I’ve been trying to figure that one out, because it doesn’t seem like there’s a lot of good options with desktop support.

    • @loutr@sh.itjust.works
      13
      3 months ago

      Print or write down your recovery codes, and stash them in a safe spot. And don’t store your primary email password in bitwarden either.

      With your current setup, you’re one keylogger away from losing all your stuff.

      • ERROR: Earth.exe has crashed (OP)
        1
        3 months ago

        > With your current setup, you’re one keylogger away from losing all your stuff.

        With keyloggers as malware, the malware could just steal the contents of the vault when you unlock it, even if you have 2FA.

        Physical keyloggers are extremely unlikely, since you would be using your devices most of the time, and if your adversary can put a physical keylogger, they probably would also put malware in your computer, again, they’d steal the contents of your vault when you unlock it, 2FA or not.

        • @CthuluVoIP@lemmy.world
          5
          3 months ago

          This is dramatically unlikely for FIDO2 MFA services. It’s possible, but would require the device you’re using to remain connected to both the vault and the attacker infrastructure long enough for the data to be scraped. It happens, but nowhere near as frequently as just stealing the login credentials and using them asynchronously from the origin.

          The strawman here would mostly apply to high value targets, which most people aren’t. At the scale of the internet, most cybercriminals are going to pivot to stealing accounts that don’t require additional investment to harvest. It’s simple economics. Having MFA is an essential part of using the internet for anything you actually care about.

          Strong passwords are rapidly becoming worthless when we’ve been building ever more powerful compute farms for several decades. What used to take months or even years to crack in 2010 can be done in seconds today. But all of that info neglects that it’s irrelevant because most passwords are lost due to social engineering, malicious software, or the leading cause…… password reuse.

  • @asmoranomar@lemmy.world
    3
    3 months ago

    I don’t see anyone mentioning it, but what if you do forget (or don’t know) your email password? Is there absolutely no way to recover your account? I’m sure there might be some services that are that restrictive, but I’d think that most are recoverable with some extra steps, no? Unless I’m missing something?

    • ERROR: Earth.exe has crashed (OP)
      2
      3 months ago

      I don’t know, they haven’t implemented it yet.

      I hope that if enough people started to get locked out, they will reverse or delay it for a few months and give people time to access the vault and make preparations.

      Since you are seeing my post, you know this is happening, so you should probably change your email password to something memorable.

      Or put that in a Keepass vault, and remember the Keepass password, and back up the vault to multiple cloud accounts, multiple Hard Drives / SSDs, etc. (I had this done just before I posted this post)

      Or just move entirely to Keepass, like I’m planning to do.

  • @Shortstack@reddthat.com
    6
    3 months ago

    Thanks for the heads up, though this would be less of an issue if you have the email app on your phone or the tab pinned in Firefox.

    The real issue is I gotta use another authentication app for my email now, have been using Bitwarden itself for 2fa codes for Proton. Definitely can’t use Proton Pass to 2fa for my Proton account.

    I don’t even know. Gonna have to find another reputable authenticator app.

    Guess I should also check if Bitwarden or proton support physical security keys. Would be pretty bomb proof since my keys are always in my pocket anyway.

    • DealBreaker
      8
      3 months ago

      Aegis is a good Authenticator app you could consider

      Generally, it’s not recommended to keep TOTP and passwords at the same place

      • @dustyData@lemmy.world
        1
        3 months ago

        Two apps on the same device is still the same place. Same app but on different devices is different places.

    • @Zwiebel@feddit.org
      2
      3 months ago

      Bitwarden supports phys. keys but you have to pay for the premium subscription to use them, which is $10/year

  • @ccunning@lemmy.world
    15
    3 months ago

    My email is one of the few passwords I still know without my password manager.

    It probably is time for me to rethink that 🤔

    • mosiacmango
      9
      3 months ago

      100%. Control of someone’s email is just about the #1 target for someone to breach. It not only gives someone a ton of data about you, it’s almost always the method companies use to reset passwords. Someone with full access to your email can wreck your day/month/year.

        • mosiacmango
          5
          3 months ago

          A weak or reused password is much more dangerous than a secure password manager with mfa enabled.

    • @Rai@lemmy.dbzer0.com
      1
      3 months ago

      If I was in a coma for five years and woke up, I’d still remember my 40-something character password manager password. I should do the same thing for my E-mail.

  • @huquad@lemmy.ml
    20
    3 months ago

    The amount of people not already using MFA in this thread is too damn high!

    • @DerArzt@lemmy.world
      1
      3 months ago

      I wish that we could use same MFA more often! My bank can get outa here with that texting me a code bullshit. Let me use a rotating key!

  • deadcatbounce
    4
    3 months ago

    Thank-you. Made me check my shit.

    Just a reminder that most of us have backups of the vault. It’s not like the apocalypse.

  • @calcopiritus@lemmy.world
    3
    3 months ago

    Why would they ever force this?

    The purpose of MFA is to:

    Mitigate using the same password on multiple sites and one of them has a data breach.

    Mitigate the impact of keyloggers/other kinds of malware.

    Mitigate the bad security of bad passwords.

    Mitigate the password manager’s own data breach.

    If you have at least two braincells, you will choose a unique and secure password for your password manager. That’s the point of password managers, that you only have to remember 1 password so it can be unique and strong. Also, a password manager (especially open source) should have almost perfect security, so them being hacked should not be a concern.

    The only thing MFA is doing on password managers is to mitigate malware. Which I don’t think is a good justification to force everyone the hassle of MFA.

    Fine if they wanna give the option of MFA, but don’t force it on everyone.

    • ERROR: Earth.exe has crashed (OP)
      3
      3 months ago

      I’ll probably move to Keepass, I like to have control over my vault file, probably better than whatever “2fa” they are forcing anyways, since only I know where the vault is at.

      • @Telorand@reddthat.com
        3
        3 months ago

        I mean, if they’re forcing 2FA at all, that’s a good thing, but they still have the usual TOTP and hardware key options.

        Anyway, I understand why people would want to host their own vault file. Just remember that obfuscation (i.e. being the only one who knows where your vault is) isn’t a viable security method. Removing access to potential thieves is.

  • just some guy
    4
    3 months ago

    For what it’s worth, as of a minute ago the form that’s for sending the email code asks if you have reliable access to the email before sending the code.

    But otherwise seems to be a non-issue with any of the software/hardware mfa options it supports. Good to let others know about this though!

  • @adarza@lemmy.ca
    5
    3 months ago

    Something done by many services, sites, and games.

    But yeah, I get it. The problem of asking someone to log in to a service that they (BW) are holding your key for, in order for you to get into where that key is held.

  • m-p{3}
    96
    3 months ago

    On the other hand, NOT using MFA on an online password manager is just poor opsec.

      • mosiacmango
        31
        3 months ago

        People are “hacked” all the time in massive breaches. It’s accelerating, not getting less likely. Password managers are a huge target, and have been breached in the past.

        If you’re worried about it, use something like Aegis. It’s an MFA app that lets you easily save password-protected backups. You can set it up to automatically save a copy to a folder on your phone. Then just copy that file off and store it somewhere safe.

        If that’s too much work and you don’t run syncthing/nextcloud/etc, they also have an option to let it sync with the Google backup service.

        The above gives you the best of both worlds: strong security and strong redundancy.

      • darkstar
        0
        2 months ago

        Sorry dude, if keeping your 2fa codes safe is too much to ask then you really shouldn’t be on the internet.

        Using a password manager without 2fa is a recipe for disaster, you might as well just use the same password for all your accounts at that point, then you don’t need the inconvenience of a password manager

        • ERROR: Earth.exe has crashed (OP)
          1
          2 months ago

          So, how do you propose I safeguard the 2FA?

          Hardware based ones can easily get damaged, or when there’s a fire, completely destroyed. I am not rich enough to have a second home. And I can’t afford any “safe deposit boxes”. I don’t have any trusted friends to keep a backup 2FA key at.

          Software based ones are the same, if you print out the info. And if you store it online, you’re gonna need to encrypt it. And that is gonna be another password.

          So all that trouble and it’s still 1FA (two different passwords is still 1FA).

          So, if you want to be helpful, how do I manage 2FA keys without getting myself locked out?

          • darkstar
            1
            2 months ago

            1. Use a 2FA app that allows you to export encrypted backup (I use Aegis)
            2. Make an encrypted backup of your 2FA keys and store that using the 321 rule.
            3. The 321 rule is 3 copies, 2 different types of media, and 1 copy offsite.

            If your 2FA backup is encrypted, you can even store it in Google Drive or wherever, ask a family member to keep a copy, it doesn’t matter if the password is strong.

            If you’re extra scared of losing your keys then you can use something like Authy as a last resort, they make it super easy.

            I work in cyber forensics and incident response, 2FA and strong passwords can prevent 99% of the shit I see.

      • @gazby@lemmy.dbzer0.com
        8
        3 months ago

        Where TOTP is concerned, you enroll multiple devices for redundancy, and there are scratch codes. Plus you’ll eventually be forced to resolve this issue when passkeys become more mainstream.

        Happy to help or talk through things if you’d like a hand getting comfortable with MFA 🩵
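Added example, not code from gazby’s comment, Bitwarden or any authenticator app: a minimal RFC 6238 TOTP implementation showing why enrolling a second device gives redundancy. Both devices derive the same code from the same seed, so the seed in the enrollment QR code (not the rotating six digits) is what a backup must preserve; the issuer, account name and seed in `demo()` are constructed for the demo.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import urllib.parse

# RFC 6238 TOTP over HMAC-SHA1, 30-second steps, 6 digits: the scheme
# authenticator apps implement when you scan an otpauth:// QR code.


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """Derive the code for the time step containing `for_time` (Unix seconds)."""
    counter = for_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify(secret: bytes, code: str, now: int, window: int = 1, step: int = 30) -> bool:
    """Server-side check: accept the current step plus `window` steps either side
    to tolerate clock skew. Constant-time compare avoids a timing side channel."""
    for drift in range(-window, window + 1):
        candidate = totp(secret, now + drift * step, step)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def decode_seed(b32: str) -> bytes:
    """Seed as it appears in an otpauth:// URI (base32, usually unpadded)."""
    cleaned = b32.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def enrollment_uri(issuer: str, account: str, seed: bytes) -> str:
    """otpauth:// URI encoded in the enrollment QR code. Every device that scans
    it holds the same seed, which is the redundancy gazby describes; an Aegis-style
    encrypted export is a backup of exactly these seeds."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    b32 = base64.b32encode(seed).decode().rstrip("=")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={urllib.parse.quote(issuer)}"
            "&algorithm=SHA1&digits=6&period=30")


def demo() -> bool:
    """Two devices enrolled from one QR code agree, and the server accepts the code."""
    seed = secrets.token_bytes(20)  # constructed throwaway seed, hypothetical account
    uri = enrollment_uri("ExampleVault", "user@example.com", seed)
    b32 = urllib.parse.parse_qs(urllib.parse.urlparse(uri).query)["secret"][0]
    phone = totp(decode_seed(b32), 1_700_000_000)
    spare_device = totp(decode_seed(b32), 1_700_000_000)
    return phone == spare_device and verify(seed, phone, 1_700_000_000)
```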

        • ERROR: Earth.exe has crashed (OP)
          -6
          3 months ago

          I don’t like MFA. If the password/passphrase is strong enough, why need MFA? If it’s software MFA (like an app), malware that could steal the password would also be capable of stealing the MFA.

          If it’s hardware, one fire in my house, and all the keys are dead. (And I do not want to deal with a safe deposit box or burying the backup hardware keys in the woods somewhere, honestly, I don’t know where I would put the backup keys)

          Edit: Lmfao MFA cultists be downvoting 🤣

          I’m not even advocating against MFA, I just personally dislike it. Wtf y’all 🤣

          • @Tiger@sh.itjust.works
            10
            3 months ago

            Please give MFA another look, it really is better security to use it.

            The problems you mentioned: you keep the MFA backups in a password manager.

            I know you’re worried about losing access to that password manager, use two different ones, write down your most important several passwords in a locked place, etc. it’s better.

          • @gazby@lemmy.dbzer0.com
            7
            3 months ago

            I’m afraid I can’t help you with the ideological problem mate, only the practical one 😅 You’ve got sync or multiple devices, and you’ll have to pick 🤷