Why YSK: Because if you are like most people, you also store your email’s password in your Bitwarden vault and don’t bother remembering it, which could potentially get you locked out (since you wouldn’t be able to log in to your email to get the verification code, because your email’s password is in the vault itself 👀)

(Imagine leaving your key in your house, lol)

Source: https://bitwarden.com/help/new-device-verification/

Excerpt:

To keep your account safe and secure, in February 2025, Bitwarden will require additional verification for users who do not use two-step login. After entering your Bitwarden master password, you will be prompted to enter a one-time verification code sent to your account email to complete the login process when logging in from a device you have not logged in to previously. For example, if you are logging in to a mobile app or a browser extension that you have used before, you will not receive this prompt.

Good thing I noticed, otherwise I might’ve had a bad time next month 😖

Edit: Updated title to clarify that people who have 2FA are not affected.
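The lockout described above is a dependency cycle: the vault needs a code from the inbox, and the inbox password lives only in the vault. The following script is an added example, not part of the post or of Bitwarden; it models accounts and secrets as nodes with "all" (every listed location required) and "any" (one of the listed locations suffices) prerequisites, then computes what can still be unlocked from what survives losing every device. All node and location names (memory, paper, phone_totp, recovery_codes) are constructed labels. It also covers the related case of 2FA recovery codes stored inside the vault.

```python
"""Lockout check for the 'key locked inside the house' problem.

Each account or secret is a node with two kinds of prerequisites:
  all: locations that must ALL be available (e.g. the memorized master password)
  any: locations of which ANY ONE suffices (e.g. TOTP app OR printed recovery codes)
A location is something held without any device ("memory", "paper") or the name
of another node that stores the secret. Starting from what survives the loss of
every device, compute the fixed point of what can be unlocked; whatever remains
unreachable is a lockout.
"""
from __future__ import annotations

# Node name -> prerequisites. All labels are chosen for this example.
Graph = dict[str, dict[str, list[str]]]


def unlockable(node: dict[str, list[str]], have: set[str]) -> bool:
    """True when every 'all' item is held and, if 'any' is listed, at least one of them."""
    needs_all = node.get("all", [])
    needs_any = node.get("any", [])
    return all(x in have for x in needs_all) and (not needs_any or any(x in have for x in needs_any))


def recoverable(graph: Graph, start: set[str]) -> set[str]:
    """Fixed-point reachability: keep unlocking nodes until nothing new opens."""
    have = set(start)
    changed = True
    while changed:
        changed = False
        for name, node in graph.items():
            if name not in have and unlockable(node, have):
                have.add(name)
                changed = True
    return {name for name in graph if name in have}


def locked_out(graph: Graph, start: set[str]) -> set[str]:
    """Nodes that can never be reached from the starting set."""
    return set(graph) - recoverable(graph, start)


# Constructed scenario 1: the post's setup on a brand-new device.
# Bitwarden needs the memorized master password plus a verification code that
# arrives by email; the email password itself lives only inside the vault.
OP_SETUP: Graph = {
    "bitwarden": {"all": ["memory"], "any": ["email"]},
    "email": {"all": ["bitwarden"]},
}

# Constructed scenario 2: same, but the email password is memorized.
OP_SETUP_FIXED: Graph = {
    "bitwarden": {"all": ["memory"], "any": ["email"]},
    "email": {"all": ["memory"]},
}

# Constructed scenario 3: vault protected by a TOTP app on the phone, with the
# recovery codes stored inside the vault. Works only while the phone works.
RECOVERY_IN_VAULT: Graph = {
    "bitwarden": {"all": ["memory"], "any": ["phone_totp", "recovery_codes"]},
    "recovery_codes": {"all": ["bitwarden"]},
}

# Constructed scenario 4: recovery codes printed and kept on paper instead.
RECOVERY_ON_PAPER: Graph = {
    "bitwarden": {"all": ["memory"], "any": ["phone_totp", "recovery_codes"]},
    "recovery_codes": {"all": ["paper"]},
}

NO_DEVICES = {"memory", "paper"}          # what survives losing every device
PHONE_OK = NO_DEVICES | {"phone_totp"}    # phone still available

if __name__ == "__main__":
    scenarios = [("OP setup", OP_SETUP), ("OP fixed", OP_SETUP_FIXED),
                 ("recovery codes in vault", RECOVERY_IN_VAULT),
                 ("recovery codes on paper", RECOVERY_ON_PAPER)]
    for label, g in scenarios:
        print(f"{label:24} no devices -> locked out of: {sorted(locked_out(g, NO_DEVICES)) or 'nothing'}")
    print("recovery codes in vault, phone working -> locked out of:",
          sorted(locked_out(RECOVERY_IN_VAULT, PHONE_OK)) or "nothing")
```

The useful run is always the one with the smallest starting set: if a node only becomes reachable once a device is added back, that node is exactly the one a lost or broken device will cost you.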

  • Eiri@lemmy.ca · 17 up / 1 down · 2 days ago

    I hate this so much. My Bitwarden password is the one thing I know. I’m not confident I could ever learn another password, especially one I barely ever need.

    And 2FA? What if my phone breaks? My 2FA recovery codes are in Bitwarden.

    Ugh. I have no idea what I’m going to do.

    • Pika@sh.itjust.works · 10 up · 2 days ago

      I can tell you what most are going to do. Same password for both the vault and the email provider. Which is counterproductive to everything.

    • loutr@sh.itjust.works · 12 up · 2 days ago

      Print or write down your recovery codes, and stash them in a safe spot. And don’t store your primary email password in Bitwarden either.

      With your current setup, you’re one keylogger away from losing all your stuff.

      • ERROR: Earth.exe has crashed@lemmy.dbzer0.com (OP) · 3 up / 2 down · edited · 2 days ago

        With your current setup, you’re one keylogger away from losing all your stuff.

        With keyloggers as malware, the malware could just steal the contents of the vault when you unlock it, even if you have 2FA.

        Physical keyloggers are extremely unlikely, since you would be using your devices most of the time, and if your adversary can put a physical keylogger, they probably would also put malware in your computer, again, they’d steal the contents of your vault when you unlock it, 2FA or not.

        • CthuluVoIP@lemmy.world · 5 up · 2 days ago

          This is dramatically unlikely for FIDO2 MFA services. It’s possible, but would require the device you’re using to remain connected to both the vault and the attacker infrastructure long enough for the data to be scraped. It happens, but nowhere near as frequently as just stealing the login credentials and using them asynchronously from the origin.

          The strawman here would mostly apply to high value targets, which most people aren’t. At the scale of the internet, most cybercriminals are going to pivot to stealing accounts that don’t require additional investment to harvest. It’s simple economics. Having MFA is an essential part of using the internet for anything you actually care about.

          Strong passwords are rapidly becoming worthless when we’ve been building ever more powerful compute farms for several decades. What used to take months or even years to crack in 2010 can be done in seconds today. But all of that info neglects that it’s irrelevant because most passwords are lost due to social engineering, malicious software, or the leading cause…… password reuse.

    • psivchaz@reddthat.com · 10 up · 2 days ago

      Using different apps for password management and for 2FA is good for your security and good for redundancy. If your vault is compromised, you don’t want your OTP info compromised with it. I personally use Aegis.

      That said, Aegis is still an Android app, and while I have a backup of its data, I think I’m still out of luck if my phone breaks until it gets repaired or replaced. I’ve been trying to figure that one out, because it doesn’t seem like there are a lot of good options with desktop support.

    • ERROR: Earth.exe has crashed@lemmy.dbzer0.com (OP) · 5 up / 1 down · 2 days ago

      Option 1: Set your email password the same as your Bitwarden password (probably not a good idea, but technically an option 😉)

      Option 2: Make a KeePass vault with the same password as Bitwarden, and put your email password in it. Make sure to back up the KeePass vault file to many different hard drives, SSDs, and cloud storage (the file is encrypted, so it’s probably safe in the cloud)

      Option 3: Move every password into KeePass.

      Hurry, time is ticking, February is in a few days. (I’m moving to KeePass btw, already have my email password in KeePass and the vault is backed up)

      • Pika@sh.itjust.works · 2 up · edited · 2 days ago

        I’ve never used Bitwarden, but I migrated from NordPass to KeePass. I currently use a private key for my second form of authentication, so even if my vault is stolen it can’t be decrypted, cuz they would need the private key along with it.

        It’s a stupid simple setup, because I use Syncthing to synchronize my vault across all systems, and I have Syncthing set up so that it keeps three or four versions of the vault active at a time, so if I somehow manage to corrupt the vault I can just use an older version. This way I only have one account that I’m locked out of instead of all accounts.

        As for 2FA, yeah, I do the same thing as the other guy: my 2FA is stored in my vault. I used to use Authy for everything, then they decided that it wasn’t secure to have a desktop app, and since I don’t have my phone on me at all times I decided just fuck it and threw it all in one location. It’s less secure, but there isn’t a decent desktop 2FA app available that I know of. Technically I could make a separate KeePass vault only for 2FA, but that would be a second password to remember.