Reminder for Bitwarden users: Starting in February, users without two-step login (2FA) enabled will need to enter a verification code sent to their email when logging in from an unrecognized device
-
fushuan@lemm.ee replied to Guest on 29 Jan 2025, 09:56 last edited by
You can also register an MFA app and lock recovery codes in your PC.
This has been announced with enough time, you still have time to download another app like aegis or whatever. This is only for new logins however, you will still have access to bitwarden wherever you are already logged on.
-
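The "MFA app" mentioned above (Aegis and similar) is a TOTP generator: it derives a short code from a shared secret and the current time, and the server accepts it only inside a small time window. The following is an added example, not code from the Bitwarden or Vaultwarden projects, implementing RFC 4226 HOTP and RFC 6238 TOTP with a verifier that tolerates one step of clock drift and refuses to accept the same code twice. The secret is the RFC test-vector key, encoded in base32 the way an authenticator app stores it.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional

# RFC 4226/6238 test key "12345678901234567890", base32-encoded as an
# authenticator app would store it (constructed for this example).
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def secret_from_base32(b32: str) -> bytes:
    """Decode a base32 secret, tolerating missing '=' padding and lowercase."""
    s = b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the big-endian 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second step."""
    return hotp(secret, at_time // step, digits)


def find_matching_counter(secret: bytes, code: str, now: int,
                          window: int = 1, step: int = 30,
                          digits: int = 6) -> Optional[int]:
    """Return the time-step counter whose code matches, or None.

    window=1 accepts the previous and next step as well, which covers small
    clock drift between phone and server. Constant-time comparison avoids
    leaking how many digits matched.
    """
    base = now // step
    for delta in range(-window, window + 1):
        counter = base + delta
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


class TotpVerifier:
    """Server-side verifier that remembers the last accepted counter so a
    captured code cannot be replayed within its own validity window."""

    def __init__(self, secret: bytes, window: int = 1) -> None:
        self.secret = secret
        self.window = window
        self.last_counter = -1

    def verify(self, code: str, now: int) -> bool:
        counter = find_matching_counter(self.secret, code, now, self.window)
        if counter is None or counter <= self.last_counter:
            return False
        self.last_counter = counter
        return True


if __name__ == "__main__":
    key = secret_from_base32(SECRET_B32)
    for t in (59, 1111111109, 1234567890):
        print(t, totp(key, t), totp(key, t, digits=8))
```

The six-digit values are the last six digits of the eight-digit RFC 6238 SHA-1 vectors, which is a quick way to check any TOTP implementation against a known answer. A real server would also rate-limit attempts and store `last_counter` per user.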
fushuan@lemm.ee replied to Guest on 29 Jan 2025, 09:57 last edited by
I did it years ago when they sent me an email suggesting to do exactly that.
-
fedegenerate@lemmynsfw.com replied to Guest 30 days ago last edited by
Sorry, basic question here. I'm running vaultwarden, I host my own vault that Bitwarden apps access. I don't think my vault has a mail server, how fucked am I?
-
01189998819991197253@infosec.pub replied to Guest 30 days ago last edited by
This is the first I'm hearing of this, but, honestly, I'm all for it. I have Aegis and will add this mfa step, but needed to change email anyway and this was a great reminder of that.
-
rob_t_firefly@lemmy.world replied to Guest 30 days ago last edited by
I like to just use passwords I know with my brain.
-
frazorth@feddit.uk replied to Guest 30 days ago last edited by
That's fine if it works for you.
My comment on all of this was purely that the Bitwarden password was a single point of failure.
Now we can shift that single point of failure somewhere else! I'm not sure what the solution is.
-
thunderlegend@sh.itjust.works replied to Guest 30 days ago last edited by
You're good. Self hosted vaults are not affected by that
-
livermob@sh.itjust.works replied to Guest 30 days ago last edited by
I also host my own vaultwarden and don't have a mail server. I was able to put SMTP settings in vaultwarden so it's able to send the email out.
-
kata1yst@sh.itjust.works replied to Guest 30 days ago last edited by
Never underestimate the human capacity for short-sighted laziness.
-
hmmm@sh.itjust.works replied to Guest 30 days ago last edited by
Probably my mail
-
xigoi@lemmy.sdf.org replied to Guest 30 days ago last edited by
Me losing my devices is much higher on my threat model than someone trying to brute-force my Bitwarden password.
-
umbrella@lemmy.ml replied to Guest 30 days ago last edited by
shit, why can't i just keep the secondary password instead of relying on notoriously insecure sms, or notoriously privacy invading email?
-
acosmichippo@lemmy.world replied to Guest 30 days ago last edited by
because you keep the recovery codes unexposed to the internet, unlike your usual password. Therefore you can have confidence that they haven't been hacked, leaked, or whatever.
-
acosmichippo@lemmy.world replied to Guest 30 days ago last edited by
I'd hardly consider it overkill for protecting literally all of your online passwords.
-
acosmichippo@lemmy.world replied to Guest 30 days ago last edited by
we've covered this already. that's why recovery codes exist.
-
cylonbunny@lemmy.world replied to Guest 30 days ago last edited by
My email is the only account that isn’t in my password manager. It is by far the most important account because basically all of my other passwords can be changed if someone has my email. My password manager password and my email password are the only 2 I have to remember, and they are both very strong passwords. Remembering 2 strong passwords isn’t much harder than remembering 1 to me.
-
ashelyn@lemmy.blahaj.zone replied to Guest 29 days ago last edited by
This is one of the reasons my main email is a (unique) password I still memorize, so if my password manager fails catastrophically I can still get in.
-
acosmichippo@lemmy.world replied to Guest 29 days ago last edited by
use any other 2FA app for your email so you aren't in a 2FA loop?
-
giooschi@lemmy.world replied to Guest 29 days ago last edited by
You keep the recovery codes unexposed to the internet or obfuscated in some way, unlike your usual password.
How is a strong password I used exclusively for Bitwarden "exposed to the internet"? I do see the value of this for people that don't care about security and reuse the same password everywhere. In that case you would need something like phishing to expose the 2FA code or the recovery code, just a leak of the email-password combination from another website would not be enough. But what's the point if I'm already using a unique strong password specifically for Bitwarden?
-
exu@feditown.com replied to Guest 29 days ago last edited by
You only need to enter the 2fa code once on a new device. How often do you switch devices for this to be a significant effort?