Reminder for Bitwarden users: Starting in February, users without two-step login (2FA) enabled will need to enter a verification code sent to their email when logging in from an unrecognized device
-
[email protected] replied to [email protected] last edited by
Never underestimate the human capacity for short-sighted laziness.
-
[email protected] replied to [email protected] last edited by
Probably my mail
-
[email protected] replied to [email protected] last edited by
Me losing my devices is much higher on my threat model than someone trying to brute-force my Bitwarden password.
-
[email protected] replied to [email protected] last edited by
shit, why can't I just keep the secondary password instead of relying on notoriously insecure SMS, or notoriously privacy-invading email?
-
[email protected] replied to [email protected] last edited by
because you keep the recovery codes unexposed to the internet, unlike your usual password. Therefore you can have confidence that they haven't been hacked, leaked, or whatever.
-
[email protected] replied to [email protected] last edited by
I'd hardly consider it overkill for protecting literally all of your online passwords.
-
[email protected] replied to [email protected] last edited by
we've covered this already. that's why recovery codes exist.
-
[email protected] replied to [email protected] last edited by
My email is the only account that isn’t in my password manager. It is by far the most important account because basically all of my other passwords can be changed if someone has my email. My password manager password and my email password are the only 2 I have to remember, and they are both very strong passwords. Remembering 2 strong passwords isn’t much harder than remembering 1 to me.
-
[email protected] replied to [email protected] last edited by
This is one of the reasons my main email is a (unique) password I still memorize, so if my password manager fails catastrophically I can still get in.
-
[email protected] replied to [email protected] last edited by
use any other 2FA app for your email so you aren't in a 2FA loop?
-
[email protected] replied to [email protected] last edited by
> You keep the recovery codes unexposed to the internet or obfuscated in some way, unlike your usual password.
How is a strong password I used exclusively for Bitwarden "exposed to the internet"? I do see the value of this for people that don't care about security and reuse the same password everywhere. In that case you would need something like phishing to expose the 2FA code or the recovery code, just a leak of the email-password combination from another website would not be enough. But what's the point if I'm already using a unique strong password specifically for Bitwarden?
-
[email protected] replied to [email protected] last edited by
You only need to enter the 2FA code once on a new device. How often do you switch devices for this to be a significant effort?
-
[email protected] replied to [email protected] last edited by
This is being purposefully obtuse. Choosing to force users to memorize a recovery code increases the likelihood of lockouts.
There is a real risk of account lockout, especially for those of us who travel frequently. Lockouts are a significant risk when you need to carry all your belongings and devices.
There are also some of us who also think about what happens to us when we are incapacitated and a loved one needs access to our passwords. In that situation, it's important to balance security vs. expediency to access critical information. This new policy disrupts that.
At the very least, I wish Bitwarden would have given us more time to force this policy. I have to scramble to make changes to my estate planning documents and get in contact with my lawyer to change my advanced healthcare directives.
-
[email protected] replied to [email protected] last edited by
I understand this change by Bitwarden, but I wish they had given us the option to turn this off, or at least given us more time before forcing this on us.
There are a lot of comments talking about how this increases security, which is true. But it also increases the risk of account lockout. This is especially true in two scenarios: traveling and incapacitation.
Traveling - for those of us who travel frequently, we carry all of our belongings with us. This makes us particularly vulnerable to account lockouts. We can't securely store backup devices or documents in easily accessible locations. We can't easily rely on trusted friends or family because they are so far away. Also, internet accounts are more likely to lock us out anyway because we are logging in from a different country, which is suspicious behavior.
Incapacitation - god forbid, if there comes a time when we are permanently or temporarily incapacitated, it becomes important for our loved ones to access accounts. When we are in the hospital, it's important that our loved ones get access to our personal accounts. I personally have advanced directives and have worked with an estate lawyer to make sure that my Bitwarden account becomes available. I also have instructions for immediate trusted family on how to access my vault if I were ever in the hospital. With this short notice, I need to scramble to get all of that updated and provide a way for them to access the account without my 2FA devices.
The above scenarios are based off of my real experience. These are real and likely risks that I have to account for. Security is not just making sure that outside bad actors CANNOT gain access, but it also means that the right people CAN get access at the right time.
What am I going to do? I'm weighing my options.
- I believe the self-hosted version of Bitwarden does not require this. This comes with its own set of risks though.
- Pay for premium, which comes with lockout support - I need to see if this can take care of both use scenarios above.
- Turn on 2FA and memorize the recovery code. While viable, since I will only use the recovery code once, I'm likely to forget it.
- Change the email to a non-2FA email address, only used by Bitwarden, with a strong but easily memorable password. This email must allow access from foreign countries without lockout (gmail is out). I'm actually strongly considering this.
-
[email protected] replied to [email protected] last edited by
I rebuild my OS sometimes three times a year.
-
[email protected] replied to [email protected] last edited by
The other option for traveling that might be better is to use KeePass with the file stored on your phone; that way no internet is needed and there's no chance of lockout from your password DB.
-
[email protected] replied to [email protected] last edited by
I have another 2FA app (Aegis) with the same keys added for my email and any other critical stuff.
-
[email protected] replied to [email protected] last edited by
I'd say the title would be more precise as "starting February, 2FA will be required for all users", as the email code is also a form of 2FA.
I think it's good, especially when done at the device level, meaning I don't have to use the 2FA part every single time I log in. It's a good balance between security and usability.
-
[email protected] replied to [email protected] last edited by
> Choosing to force users to memorize a recovery code
Now who's being purposefully obtuse.
-
[email protected] replied to [email protected] last edited by
Fuck Bitwarden.
They gave 3 days of notice. Absolute shitshow.
Use KeePass, minimize your reliance on cloud. The "cloud" is just someone else's computer.