Skip to main content

mastodon - Link to source
I understand why they're doing this but if I was okay with Google being able to lock me out of my password manager then I would simply be using Google's password manager already
bitwarden New security feature coming February 2025 Starting later this month, Bitwarden will place additional security to your account. When you log in on a new device, like a new phone or computer, Bitwarden will send a verification code to your email account. You will be prompted for this code to finish logging in. (Learn more)
in reply to mcc

John Francis πŸ‡¨πŸ‡¦πŸ¦«πŸπŸ’ͺ⬆️
mastodon - Link to source
John Francis πŸ‡¨πŸ‡¦πŸ¦«πŸπŸ’ͺ⬆️
I don't use a gmail domain email for Bitwarden. So I can host that email address elsewhere, at some point...sure is inconvenient and difficult to migrate away from all that Google & Android stuff tho...
in reply to mcc

John Francis πŸ‡¨πŸ‡¦πŸ¦«πŸπŸ’ͺ⬆️
mastodon - Link to source
John Francis πŸ‡¨πŸ‡¦πŸ¦«πŸπŸ’ͺ⬆️
I want 3-4 hardware keys as the roots. Keep one out for regular use, the rest distributed in safes. If I lose the safe combination, I can pay a locksmith to open it. I can put a hardware key in a safety deposit box.
Unknown parent

mcc
mastodon - Link to source
mcc
@Walker Right? It's just :|
@Walker
in reply to mcc

Henri
mastodon - Link to source
Henri

New fear unlocked.

Gotta start making backups of my passwords now, I guess.

in reply to Henri

mcc
mastodon - Link to source
mcc
@slyecho I haven't looked into what the emergency options are
@Henri
in reply to mcc

Henri
mastodon - Link to source
Henri

Export .json, .csv, .json (encrypted)

But how to automate it...

Gotta hope that when I need my email password now on a new device that I also have a device handy where I logged in before.

in reply to Henri

Dan Hugo
mastodon - Link to source
Dan Hugo

@slyecho
bitwarden.com/help/cli/

bw login, export…

I use this now and then, similar to pass, which I use often.

I too am dismayed that additional β€œfeatures” get added with a little β€œSurprise!” element to them 🫀

@Henri
in reply to Dan Hugo

mcc
mastodon - Link to source
mcc
@danhugo @slyecho They are at least giving ample advance warning on this one
@Henri @Dan Hugo
in reply to mcc

Dan Hugo
mastodon - Link to source
Dan Hugo

@slyecho

Another blinking light to pay attention to…

I recently switched devices and encountered this, and I was just mentioning the encrypted credentials problem for backups when your credentials are encrypted in the backup so decrypting or accessing the backup…

As long as it keeps my SSN safe from hackers ;-)

@Henri
in reply to mcc

Dan Hugo
mastodon - Link to source
Dan Hugo

@slyecho

Received email notification this morning from Bitwarden regarding new login procedure.

@Henri
in reply to mcc

Gordon Little
glitchsoc - Link to source
Gordon Little
I did see this:
Who is excluded from this account email-based new device verification? The following categories of logins are excluded: . Users who have two-step login set up are excluded. . Users who log in with SSO, a passkey, or with an API key are excluded. . Self-hosted users are excluded. . Users who log in from a device where they have previously logged in are excluded. Β· Users who opt-out from their account settings, to which an option will be added, are excluded (Not recommended).
in reply to Gordon Little

mcc
mastodon - Link to source
mcc

@gord Thank you.

The problem is some form of 2FA does seem like a good idea. I wonder if there's a way to get some of the benefits without adding hard gmail failure points.

@Gordon Little
in reply to mcc

mcc
mastodon - Link to source
mcc

@gord I am considering suggesting as a third option offering a "reverse 2FA" option:

- You attempt to log in
- A 2FA email is sent
- If the email results in "approve", you are let in
- If the email does *not* result in "disapprove" within 24-48 hours, you are let in anyway

This could help with catastrophe scenarios while creating only limited risk of a Problem

@Gordon Little
in reply to mcc

Thibug
mastodon - Link to source
Thibug
@gord isn't it how the emergency access work for BW? When I set it up I'm pretty sure it was how it was setup, maybe minus the approve part before the end of the delay.
@Gordon Little
in reply to mcc

Gordon Little
glitchsoc - Link to source
Gordon Little

That is a good idea.

Now that said, is there a reason you don't want to do regular 2FA through an authenticator app? That seems like a secure enough option. Print off the backup codes and keep them safe in case you lost your device.

in reply to Gordon Little

mcc
mastodon - Link to source
mcc
Bitwarden is my authenticator app
This entry was edited (10 months ago)
in reply to mcc

Gordon Little
glitchsoc - Link to source
Gordon Little
Bitwarden Password Manager can be hooked up to Bitwarden Authenticator to do 2FA, in which case they do not do the email authentication part (if I'm reading all this correctly). The email part is only if you use the password manager without 2FA.
in reply to Gordon Little

mcc
mastodon - Link to source
mcc
@gord okay so i guess then the idea is i never get locked out as long as i still have one remaining device running bitwarden?
@Gordon Little
in reply to mcc

Gordon Little
glitchsoc - Link to source
Gordon Little
When you hook the authenticator app up, you get a bunch of backup codes, you print those off and save them somewhere very safe. Those are your safety net. With those you can lose all your devices and still be OK.
in reply to mcc

D2
mastodon - Link to source
D2
@gord I am concerned about a scenario: email doesn’t get a reply because I don’t notice it. Vacation, or just a ludicrous amt of spam in my inbox.
@Gordon Little
in reply to D2

mcc
mastodon - Link to source
mcc
@cascheranno @gord i am describing a hypothetical opt-in feature. one can set an email client to highlight certain things so they are not missed
@D2 @Gordon Little
in reply to mcc

Man aging with dogs
mastodon - Link to source
Man aging with dogs
Can't you use a physical token, like, say, a Yubikey instead? That'd be much more secure than a flippin' email.
in reply to mcc

Leo RΓ© Jorge
mastodon - Link to source
Leo RΓ© Jorge
I got this and had the same reaction... Wondering what is the 2 step login alternative they offer there... But it's definitely a weird loop to be in if your email password is in bitwarden in the first place
This entry was edited (10 months ago)
in reply to mcc

jcoglan
mastodon - Link to source
jcoglan
I feel very strongly that a credential manager, or really any sort of secure secret store, should not have a dependency on a third party, never mind a completely open-ended third party category like "any user's email provider"
in reply to mcc

Alison
mastodon - Link to source
Alison
my bitwarden points to proton. Seems fine to nee?
Unknown parent

mcc
mastodon - Link to source
mcc
@jantzen ? but isn't bitwarden my TOTP authenticator?
@Leif
in reply to mcc

mcc
mastodon - Link to source
mcc
@jantzen Is your suggestion that I set up Bitwarden to only let me log in on a new device if I TOTP authenticate on a second, existing Bitwarden device?
@Leif
Unknown parent

mcc
mastodon - Link to source
mcc
@shadowfacts @jantzen is it actually true that two programs on my phone is more secure than one program on my phone?
@Harvey Lemmings @Leif
in reply to mcc

Harvey Lemmings
akkoma - Link to source
Harvey Lemmings
in principle, I think you’re supposed to have a separate password manager and TOTP authenticator, since otherwise you’re reducing your two factors to one. I don’t really know how much that matters, or what considerations your threat model makes about a breach of your password manager
in reply to mcc

Emile Snyder
mastodon - Link to source
Emile Snyder

@shadowfacts @jantzen well, in the scenario under discussion (logging in to bitwarden on a new device) isn't their concern that it's currently 0 programs on my phone? All that's needed is my master password.

As I read their announcement, if one has some non-email 2FA set up already, then the new email based 2FA is not required, right?

@Harvey Lemmings @Leif
⇧