this post was submitted on 28 Jan 2025
254 points (96.7% liked)


Bitwarden users who store their email account credentials within their Bitwarden vaults would have trouble accessing the sent codes if they are unable to log in to their email.

To prevent getting locked out of your vault, be sure you can access the email associated with your Bitwarden account so you can access the emailed codes, or turn on any form of two-step login to not be subject to this process altogether.

[–] eager_eagle 50 points 1 week ago (3 children)

using a password manager without 2FA is insanity, glad they're doing it

[–] Giooschi 37 points 1 week ago (3 children)

Insanity is when you lose or can't access your 2FA device and you're locked out of your account.

[–] [email protected] 33 points 1 week ago (2 children)

That's what recovery codes are for.

[–] Giooschi 18 points 1 week ago (1 children)

Sounds like a second password then.

[–] acosmichippo 24 points 1 week ago (1 children)

...which you keep in a separate secure location in case you lose your 2FA device.

[–] Giooschi 8 points 1 week ago (2 children)

Why can't I keep my password in a secure location then?

[–] acosmichippo 7 points 1 week ago* (last edited 1 week ago) (5 children)

obviously you do but it can be leaked, phished, or hacked in other ways. a second "factor" such as possession of a token device is a safeguard against that.

you can actually read about all this many places online, it's nothing new: https://en.wikipedia.org/wiki/Multi-factor_authentication

[–] acosmichippo 11 points 1 week ago* (last edited 1 week ago) (5 children)

I can't believe people are arguing about and downvoting this. Especially for a service that holds all of your passwords, it's the highest priority thing for you to secure.

[–] [email protected] 8 points 1 week ago* (last edited 1 week ago)

Recovery codes.

[–] eager_eagle 7 points 1 week ago* (last edited 1 week ago)

insanity is also relying on a single 2FA device, ffs

  • Have multiple factors
  • 3-2-1 vault backups
  • Set up emergency access if you have a person you trust
  • Keep at least one device with BW synced at any moment, so you have offline access

[–] 9tr6gyp3 8 points 1 week ago (3 children)

Where do you store your 2FA recovery codes?

[–] [email protected] 16 points 1 week ago (1 children)
[–] 9tr6gyp3 7 points 1 week ago (1 children)

Well, that's a good way to lock yourself out of your account!

[–] [email protected] 14 points 1 week ago

Well, not really. Vault is cached on your devices, so if you have it unlocked or available on one of them you can always use it to check your 2FA.

By the way, it was a joke. I also use Aegis as a backup.

[–] acosmichippo 4 points 1 week ago* (last edited 1 week ago) (1 children)

two places:

1. secure location in your home (physical copy in a safe or a digital copy on an encrypted disk)

2. in case of a disaster like a home fire where you lose the 2FA device and local backup: in a remote location such as an encrypted file in a cloud service or at a trusted friend/family's house.

[–] 9tr6gyp3 5 points 1 week ago (2 children)

I know the recommendations. I'm suggesting that everyone take a look at those practices and be sure to have them implemented.

If you're not printing out the codes on paper and sticking them in a safe deposit box as a remote backup, you're absolutely risking it.

[–] [email protected] 3 points 1 week ago* (last edited 1 week ago)

On my home PC. Same with the 2fa export of aegis.

~~"What if you can't access blah"~~

~~There's a limit to interoperability, if you want access to everything everywhere even when you lose access for whatever reason, you will have to concede security.~~

~~You could save a keepass file with secure notes of both the bitwarden 2fa and recovery codes and save it in drive or whatever, you don't need passwords nowadays to access the Google account.~~

~~"But what if I lose access to my phone?"~~

~~Well you are fucked, what else do you want? I guess you could print the recovery keys and store them in a secured box at home.~~

Edit: I read further down that your comment was meant to incite others to actually think and do stuff. Sorry if I came off rude.

[–] [email protected] 17 points 1 week ago* (last edited 1 week ago) (4 children)

Shit no. I can't access my email without 2FA. I can't access my 2FA file without Bitwarden. What do I do?

[–] [email protected] 19 points 1 week ago (3 children)

Find a new single point of failure?

[–] acosmichippo 4 points 1 week ago* (last edited 1 week ago)

use any other 2FA app for your email so you aren't in a 2FA loop.

[–] [email protected] 4 points 1 week ago

This is one of the reasons my main email is a (unique) password I still memorize, so if my password manager fails catastrophically I can still get in.

[–] [email protected] 12 points 1 week ago* (last edited 1 week ago) (3 children)

My problem with this is my email accounts are locked behind Bitwarden. Can't log in to email without Bitwarden. If both my devices get stolen at the same time I'm fucked. I'm not going to pay for premium to enable an emergency contact.

Downloaded Bitwarden's authenticator app. Now Firefox on my computer is asking me to press on a security key, which I assume is some sort of biometrics my computer doesn't have.

I love 2FA I just don't see how it is supposed to work if you need bitwarden to open your email to get your 2FA code.

Let's say you're backpacking through South America and both your devices get robbed. Your ticket home is in your email. What's the solution here? You can't go to a coffee shop and log in to your email because it's securely locked behind Bitwarden. You can't log in to Bitwarden because you can't access your 2FA from your email.

What am I missing?
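The lock-out loop the comment above describes, as an added illustration that is not from anyone in this thread and not Bitwarden's code: a small Python model of which accounts can still be opened when every device is gone and only memorized secrets remain. The resource names, the `LOOPED` scenario (email credentials and their TOTP kept in the vault, vault login code delivered to that inbox) and the `SEPARATED` scenario (memorized email password, separate authenticator app, recovery code in a safe) are all constructed; `cached_device` stands for an already-synced app that still opens the vault offline.

```python
"""Access-dependency check for the email / password-manager / 2FA loop.

Added example for this thread (constructed scenarios, not Bitwarden's code).
A resource (an inbox, a vault, a login code) opens when ALL items in ANY ONE
of its alternative requirement tuples are in hand. Items prefixed "memory:"
are things you can reproduce from your head alone, which is all that is
left when every device is stolen."""

Graph = dict[str, list[tuple[str, ...]]]


def reachable(graph: Graph, held) -> set[str]:
    """Everything obtainable from what is held, by repeated expansion."""
    have = set(held)
    changed = True
    while changed:
        changed = False
        for resource, alternatives in graph.items():
            if resource in have:
                continue
            if any(all(req in have for req in alt) for alt in alternatives):
                have.add(resource)
                changed = True
    return have


def accessible(graph: Graph, held) -> list[str]:
    """Sorted list of the graph's resources you could still get into."""
    have = reachable(graph, held)
    return sorted(r for r in graph if r in have)


def dependency_loops(graph: Graph, held) -> list[list[str]]:
    """Loops among resources that stay locked: each one needs another locked
    resource first. One DFS pass; it reports one loop per cycle it walks into,
    not necessarily every loop through a given set of resources."""
    have = reachable(graph, held)
    stuck = [r for r in graph if r not in have]
    # edge r -> s when locked resource s appears in one of r's requirement tuples
    edges = {r: {req for alt in graph[r] for req in alt if req in stuck} for r in stuck}
    loops: list[list[str]] = []
    seen: set[str] = set()

    def walk(node: str, path: list[str]) -> None:
        if node in path:
            loops.append(path[path.index(node):])
            return
        if node in seen:
            return
        seen.add(node)
        for nxt in sorted(edges[node]):
            walk(nxt, path + [node])

    for r in stuck:
        walk(r, [])
    return loops


# Constructed scenario 1: the setup the comment above describes. The email
# password and its TOTP live in the vault, and the vault's login code (the
# emailed code for accounts without 2FA) arrives in that same inbox.
LOOPED: Graph = {
    "email_inbox": [("email_password", "email_totp")],
    "email_password": [("bitwarden_vault",)],
    "email_totp": [("bitwarden_vault",)],
    "bitwarden_vault": [
        ("memory:master_password", "bitwarden_login_code"),  # fresh login
        ("memory:master_password", "cached_device"),         # already-synced app
    ],
    "bitwarden_login_code": [("email_inbox",)],
}

# Constructed scenario 2: what the replies recommend. The email password is
# memorized, 2FA comes from a separate authenticator app with its own
# memorized password, and a recovery code sits in a safe at home.
SEPARATED: Graph = {
    "email_inbox": [("memory:email_password", "email_totp")],
    "email_totp": [("totp_app",)],
    "totp_app": [("memory:totp_app_password",)],
    "bitwarden_vault": [
        ("memory:master_password", "bitwarden_totp"),
        ("memory:master_password", "recovery_code"),
    ],
    "bitwarden_totp": [("totp_app",)],
    "recovery_code": [("safe_at_home",)],
}

# What survives a theft of every device: memorized secrets only.
MEMORY_ONLY = {"memory:master_password", "memory:email_password", "memory:totp_app_password"}

if __name__ == "__main__":
    for name, graph in (("looped", LOOPED), ("separated", SEPARATED)):
        print(name, "accessible:", accessible(graph, MEMORY_ONLY))
        print(name, "loops:", dependency_loops(graph, MEMORY_ONLY))
    print("looped, with a cached device still in hand:",
          accessible(LOOPED, {"memory:master_password", "cached_device"}))
```

For the looped setup the script opens nothing and reports the four-step cycle inbox -> email password -> vault -> login code -> inbox; adding `cached_device` to what is held breaks it, which is the point made elsewhere in the thread about an already-synced app. In the separated setup everything opens from memory alone; the recovery code in the safe stays unreachable, but it is an alternative route into the vault rather than a requirement, so nothing is lost.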

[–] [email protected] 14 points 1 week ago (1 children)

Use something else for 2FA, not email. I used to use keepass for 2FA on my laptop and phone, but now I'm using ente auth. It's convenient because I can log in to ente auth anywhere and get a code, but the only thing is you'll need to remember 2 passwords, which is worth it imo.

[–] [email protected] 2 points 1 week ago (3 children)

So I need a 2FA application? Just seems a little ridiculous as that is what I use email for. So my bw pass is well over 25 chars and I need to have another app that requires an equally strong pass. Just seems a little overkill! Especially changing passwords every year.

[–] acosmichippo 4 points 1 week ago

I'd hardly consider it overkill for protecting literally all of your online passwords.

[–] [email protected] 7 points 1 week ago (1 children)

I remember two passwords. My email and my password manager. Oh, and one of my banks.

Locking the key in the vault, or the backup vault, didn't make sense to me. It also made sense for me to have access to one bank even if I lose both "vaults".

[–] [email protected] 5 points 1 week ago

My email pass is over 25 more or less random characters that I change about once a year. That's why I use bitwarden!

[–] [email protected] 3 points 1 week ago

You provided a situation where your phone was robbed and you didn't plan for it so you didn't print the relevant information.

So... Prepare ahead? Go to a relevant office with identification to get access to the relevant tickets again?

"What can I do if all the tools at my disposal to get the relevant information are stolen?" You get fucked. Idk what else to tell you.

[–] [email protected] 7 points 1 week ago* (last edited 1 week ago) (1 children)

This is why I turned on 2FA with Aegis as soon as I heard this news. I set them up with two passwords I remember well, and have biometrics set on both apps so a fingerprint is all I'll need 9/10 times.

[–] [email protected] 6 points 1 week ago

I did it years ago when they sent me an email suggesting to do exactly that.

[–] CylonBunny 4 points 1 week ago

My email is the only account that isn’t in my password manager. It is by far the most important account because basically all of my other passwords can be changed if someone has my email. My password manager password and my email password are the only 2 I have to remember, and they are both very strong passwords. Remembering 2 strong passwords isn’t much harder than remembering 1 to me.

[–] [email protected] 3 points 1 week ago

I'd say the title would be more precise like "starting February, 2FA will be required for all users", as the email is also a form of 2FA.

I think it's good, especially when done on the device level, making it so I don't have to use the 2FA part every single time I log in. It's a good balance between security and usability.

[–] [email protected] 3 points 1 week ago (2 children)

Is it possible to change emails on the account? I haven't found how...

[–] [email protected] 4 points 1 week ago* (last edited 1 week ago) (3 children)

It is possible here I think: https://vault.bitwarden.com/#/login

Edit: after logging in: settings -> my account (if I recall correctly)

The link to this web page is available in the app: settings -> about -> Bitwarden web vault

[–] [email protected] 2 points 1 week ago (1 children)

You can also register a MFA app and lock recovery codes in your PC.

This has been announced with enough time, you still have time to download another app like aegis or whatever. This is only for new logins however, you will still have access to bitwarden wherever you are already logged on.

[–] [email protected] 2 points 1 week ago

This is the first I'm hearing of this, but, honestly, I'm all for it. I have Aegis and will add this mfa step, but needed to change email anyway and this was a great reminder of that.

[–] [email protected] 3 points 1 week ago (2 children)

Sorry, basic question here. I'm running Vaultwarden; I host my own vault that Bitwarden apps access. I don't think my vault has a mail server, how fucked am I?

[–] [email protected] 7 points 1 week ago

You're good. Self hosted vaults are not affected by that

[–] [email protected] 2 points 1 week ago

I also host my own vaultwarden and don't have a mail server. I was able to put SMTP settings in vaultwarden so it's able to send the email out.

[–] [email protected] 2 points 1 week ago

@ForgottenFlux I lost one of my pair of hardware keys last week. Waiting for replacement to arrive - #Bitwarden will be the first thing I register it into
