The title was correct but they appear to have changed the policy since the post was made, likely as a response to feedback.
Notice that in the archive from earlier today the "Who is excluded from this account email-based new device verification?" section did not have the new fifth bullet point about being able to opt-out:
Thought it was worth pointing this out since I've already seen people reply to old comments thinking people didn't read the article without realizing it was later changed.
This is terrible, honestly. One of the reasons I use Bitwarden is to be able to not know all my passwords besides the Bitwarden one. I don't know my email password, so I can't use that for 2FA. Same for using my phone number or an authenticator app: if I lose my phone, I would also be locked out of my account.
The risk of someone stealing my phone is much higher than someone stealing my main password where I live. I intentionally decided not to use 2FA, because that is what makes most sense for my context. I'm ready to take full responsibility for not using 2FA, but now I can't.
Agreed. There is no way to rely on the simple model of 'my master password is the single point of failure' now. With any form of 2FA, there is now lockout risk in a way that cannot be mitigated fully. Bitwarden itself recommends printing out a recovery code and storing it in a safe, but what happens if you lose access to that safe? Or if you're traveling and need emergency access to your accounts after your phone gets stolen?
On the Reddit post announcing this, Bitwarden added a response saying they will provide an opt-out option. It's unclear if this opt-out is temporary or not. It would be a huge step back for their product if 2FA becomes mandatory.
That actually happened to me a couple years ago. I was in a foreign country, and lost my phone. All I had to do was buy a new cheap phone and login to Bitwarden again. If I had 2FA enabled, I'd be completely screwed.
I have hidden recovery information in a few places on the internet - someone stumbling across it would not know what they are looking at, or what it's for. For example, you can hide the TOTP secret for an authenticator app, but it's useless unless you know what account and service it's for, and the associated master password.
So to mitigate lockout risk, you keep multiple YubiKeys, store recovery codes in multiple physical locations including presumably a fire-proof safe bolted into your home (at your expense), and use obscurity to store the TOTP secret in random places on the internet, presumably relying on external services or a self-hosted solution, which are themselves dependent on regular credit card payments going through.
Okay, I grant that you've reasonably mitigated the lockout risk. But I don't want to do any of this, and is it really reasonable to expect the everyday person to understand or implement all this? What happens in practice is that many users will not realize anything is wrong until they get locked out with no recourse.
This makes it hard for me to recommend Bitwarden to my friends who use typical insecure practices like password reuse or post-it notes.
Security has either been easy and weak, or difficult and strong. It will never change, and so you will always have the option of weak security if you don't want to jump through the hoops for the peace of mind.
> my friends who use typical insecure practices like password reuse or post-it notes
IMO people who do those things will never change. It's like the environment: everybody knows what they should be doing, but no one cares enough to do it.
So Bitwarden should offer 2FA for users who want the additional security – they should never force users to enable it. It would be like refusing to save "password" as a password, because it is insecure.
If you have literally no other option than SMS 2FA because of bad support from websites, maybe. Otherwise it's probably one of the worst options (though I suppose unlike using your main number at least it's harder to discover the number for the 2FA phone to attack it with social engineering).
Same here, mine got pickpocketed. My mates laughed at me because they thought I was an idiot for not being able to log in to my accounts.
It was easily solved though: I got a new SIM card from my network at the local store when I got back and recovered my Authy account via SMS, which I could then use to generate 2FA codes for my password app. That was always a backup method I had up my sleeve. My browser keeps me logged in as well, so I was able to get into most stuff through my PC once I got back.
> Bitwarden itself recommends printing out a recovery code and storing it in a safe, but what happens if you lose access to that safe?
I feel like your own creativity is limiting you here. There are lots of options to store those backup codes. Including giving them to multiple relatives to keep in a safe place so you can call and ask for it, creating a dedicated email account with no 2fa and email the code there, leave yourself a saved answerphone message with it on so you can dial in and listen, write it in the important info section of your passport so you always have it abroad etc etc...
It's great that recovery codes exist, but the security model can't rely on them. Unused email accounts get deleted, YubiKeys get lost or reset, relatives lose documents, passports get renewed, house fires and car accidents happen, time passes, etc.
Any critical procedure needs to be exercised regularly to ensure it's still working. Normal people don't do that with recovery codes.
All of these things can be mitigated by a little care and attention by yourself.
What you are really saying is that you want a way to be able to recover your account that's easy, quick, and that you don't need to think about. Unfortunately strong security will never be any of those things.
It doesn't matter how you want to describe it, keeping recovery keys available is an ongoing maintenance burden that most people aren't going to do perfectly. It's not appropriate to blame users for reasonably foreseeable problems with a fragile system and lock them out of their bank passwords.
> creating a dedicated email account with no 2fa and email the code there
Of course, that account could also decide to implement mandatory 2FA. Could even be unannounced, just "This login is suspicious, we sent a message to your recovery email to confirm this login"
I'm very frustrated about this because for a lot of my family members, their phone is the only computing device they have.
When they lose it, they lose access to email, and there is no backup plan here. Using Bitwarden is far, far superior to them using the same password everywhere, but this will drive them back to the same behavior.
>I'm very frustrated about this because for a lot of my family members, their phone is the only computing device they have.
That's actually a really good point. My 1Password setup is resilient to device loss because I have multiple registered devices, any of which can spin up a new device with just my master password.
But if you're in a situation where you only ever have one device and lose it, then you can't bootstrap a new registration going from 0 devices to 1.
There's definitely a security/resiliency tension here. Is it desirable to have your password manager protected by just a user-specified password? That can allow you to go from 0 devices to 1, but it also greatly lowers defenses against account compromise. You can have a paper recovery kit, but people will misplace that, if they even create it in the first place. Social attestation could be a decent if imperfect mitigation: if everyone is on the same family group, then maybe the admin or the group can recover access for any one person.
Email is not a good second authentication factor anyway. I have 6 U2F tokens on my high-priority digital accounts, as well as printed recovery codes in several places. Only 1-2 tokens ever actually travel with me; the others are kept safely in different locations.
Given that most people are cracked wide open if their password manager is compromised, I do feel it's sensible for a password manager to insist on 2FA, but the email chicken and egg problem is a concern for those migrating, and hopefully they backed up their recovery codes.
Email can be a perfectly good second authentication factor.
It depends on the asset you’re protecting and your threat model.
I have quite a few accounts whose value does not cross a threshold where I care about the risks of email… and my workflows would be enhanced dramatically if I could use it as a second factor.
The reason I can’t is not because of security or anything at all to benefit me, the user. It is because the services themselves need to throw sand in the gears of the bad actors abusing their services.
My email address can't be SIM swapped, my emails aren't transmitted using weak 90s encryption algorithms over the air (and via dubious, largely unauthenticated 80s protocols on the wire), and my mailbox is itself guarded by 2FA.
Same here. I'm very sad about this 2FA thing. Bitwarden was so easy to use, I could always get access to my accounts with just my secure master password. Does anybody know a good alternative?
I solved this issue using pass-otp on my computers in addition to my mobile authentication app. This way my desktop, laptop, and mobile device all have the ability to generate my Bitwarden OTP code.
In addition to your phone, you can also set up to 4 other WebAuthn tokens, YubiKeys or FIDO2 devices, as well as a printed recovery key. If none of those fallbacks work for you, perhaps switching to a different password manager is best.
I hear you, and I somewhat feel the same. However, a workaround would be to save the TOTP secret safely like a password. I have started treating all my TOTP secrets as my secondary passwords.
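Both the pass-otp comment above and the "treat the TOTP secret as a secondary password" comment rest on the same fact: TOTP is a pure function of the shared secret and the clock, so every device that holds the secret computes the same code. The following is an added example, not code from the thread, from Bitwarden or from pass-otp; it implements RFC 6238 with the Python standard library only. The enrolment URI, issuer and account name are constructed placeholders; the secret is the RFC 6238 reference secret.

```python
"""Added example (not code from the thread or from Bitwarden): RFC 6238 TOTP
codes computed from a stored secret, standard library only. Any device that
holds the same secret (phone app, pass-otp on a laptop, a vault entry) derives
the same digits for the same 30-second window."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def decode_b32_secret(secret: str) -> bytes:
    """Decode a base32 secret as authenticator apps store it (spaces and
    missing '=' padding are tolerated, as in most QR-code payloads)."""
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 64-bit counter, then dynamic
    truncation to `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: str, at_time=None, period: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    if at_time is None:
        at_time = int(time.time())
    return hotp(decode_b32_secret(secret), at_time // period, digits, algorithm)


def verify_totp(secret: str, code: str, at_time=None, period: int = 30,
                digits: int = 6, algorithm: str = "sha1", window: int = 1) -> bool:
    """Server-side check: accept the current window plus +/- `window`
    neighbours to absorb clock skew, comparing each candidate in constant time."""
    if at_time is None:
        at_time = int(time.time())
    key = decode_b32_secret(secret)
    counter = at_time // period
    return any(hmac.compare_digest(hotp(key, counter + d, digits, algorithm), code)
               for d in range(-window, window + 1))


def parse_otpauth(uri: str) -> dict:
    """Parse an otpauth://totp/ URI (the payload behind an enrolment QR code)
    into the fields needed to regenerate codes later. This is what you are
    really backing up when you save a 'TOTP secret' in a vault entry."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    label = unquote(parts.path.lstrip("/"))
    issuer_from_label, _, account = label.rpartition(":")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "issuer": params.get("issuer", issuer_from_label),
        "account": account,
        "secret": params["secret"],
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").lower(),
    }


def totp_from_uri(uri: str, at_time=None) -> str:
    """Regenerate a code from a stored enrolment URI alone."""
    p = parse_otpauth(uri)
    return totp(p["secret"], at_time, p["period"], p["digits"], p["algorithm"])


# Constructed sample: the RFC 6238 reference secret ("12345678901234567890" in
# base32) wrapped in a made-up enrolment URI. Issuer and account are placeholders.
SAMPLE_URI = ("otpauth://totp/Example%20Vault:user%40example.invalid"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example%20Vault"
              "&digits=8&period=30&algorithm=SHA1")

if __name__ == "__main__":
    # RFC 6238 Appendix B vectors for SHA1 / 8 digits:
    # 59 -> 94287082, 1111111109 -> 07081804, 1234567890 -> 89005924
    for t in (59, 1111111109, 1234567890):
        print(t, totp_from_uri(SAMPLE_URI, t))
```

The same secret on a second device yields the same code, which is exactly why losing the secret is the lockout risk and why backing it up somewhere the master password does not also live is the mitigation the thread is arguing about.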
I abandoned Bitwarden a while ago in favor of Enpass after the 2nd time in 3 weeks that Bitwarden refused to open my LOCAL vault because of a problem with BITWARDEN's servers.
Similar. I switched to Apple Passwords, and pretty much stopped using Chrome except for Gmail. I use a multitude of browsers, but I am 99% Safari for sites where I need the PWM.
I hate building a lock-in to the ecosystem though, and have been meaning to look at Enpass.
If my irritation with BW had come later I might well have settled on Apple's solution, but I'm already entrenched at Enpass and, like you, don't really want to further enmesh.
I mean, I'm pretty tied to Apple in both hardware and service use, but it strikes me as unlikely that Apple's first swing at password management could really rival a purpose-built tool right out of the gate. I do think I'm going to push my thus-far-vault-avoidant wife to use the Apple tool, though.
I can understand adding some friction to discourage using Bitwarden without 2FA, but requiring it seems very wrongheaded to make it mandatory. I've been using 2FA on Bitwarden for a while and it adds a lot of friction and made me very nervous that if I lost my phone that I'd be locked out of literally every account I have. I mentioned elsewhere (link below) that I have solved this issue for myself, but people shouldn't be required to jump through these hoops and introduce a greater opportunity to lose access to their accounts if they should lose their phone.
And even if 2FA didn't have ANY downsides, it's still not their fucking business whether users want to use it or not. There are a million ways to leak your credentials to a service anyway, and I don't know anything more annoying than when a service tries to protect you from yourself (sometimes locking you out of your account while doing so). If a user wants to have no 2FA, no backup email, to use qwerty as a password and to write it on a sticky note attached to a display, it's their right to do so. It's not Bitwarden's (or anyone else's) responsibility.
I agree, and when I first read the headline, my reaction was "Well, I guess it's time to start researching different password managers, because I obviously can't use Bitwarden anymore."
However, despite what the headline says, this 2FA does not appear to be mandatory.
Under the heading: "Who is excluded from this account email-based new device verification?"
> Users who opt-out from their account settings, to which an option will be added, are excluded.
To clarify, this was new information added to the release within the past hour or so, which seems like the company responding to criticism. The original article gave no indication 2FA was anything but mandatory.
Thank you. The title should be changed, really. Following an ancient HN custom I've chosen to get annoyed before reading the article, and the title simply isn't true. In fact, it's exactly what GP suggested, which is a perfectly nice way to implement that. (Unless, of course, one day they get rid of that option as well...)
The title was changed, but it's worth pointing out that they updated the article AFTER criticisms in this thread were already made (the original policy did not say you could opt-out):
It seems like the alternative is to allow anyone with just the master password to get access to your vault. That doesn't seem so great.
I'm on 1Password and it's basically a 2FA setup there too: to register a device, you need to have the master password (what you know) and the secret key (what you have, randomly generated at vault creation). Losing my phone isn't a big deal because I have 1Password on multiple devices, each with a copy of the secret key, so there's pretty good hedging there.
I also carry a physical YubiKey, which grants me passwordless access to my email account (assuming I know the PIN to unlock the hardware, which I do). That's probably overkill for most people, but that's another layer of hedging too.
It's, possibly, not good enough. In case of a fire, if you left all your phones at home, you are screwed.
Exactly because of the fire risk, I set a policy for myself that all passwords should be somehow recoverable only from something that I know. However, I don't meet this policy at the moment.
What if, for example, a piece of software is logging your key presses without your knowledge? You could have the best, most secure password but you're typing it into a complex machine which could be doing any number of things. Don't forget that you're human and make mistakes too so it doesn't necessarily have to be malicious; a bad copy paste into a public forum post could hose you.
A second factor makes it extremely unlikely that one slip up results in a complete compromise of your vault.
I think what you're forgetting is that Bitwarden only has access to my passwords, not any account (that does any important work) itself.
All my high security accounts themselves are protected by 2FA and in some cases 2+ factors (such as my bank).
2FA on a password manager is useless. I'm going to end up entering phone codes multiple times for a single login and that will drive me away from using the password manager.
You don't even need a keylogger for password leakage. You could accidentally type in your password into a logged field because you forgot to press tab or alt-tab to move cursor focus.
2FA for setup doesn't strike me as too onerous. It only happens once per device, after which you're free to rely on just your master password or even biometrics.
Aren't you screwed if you can't get access to your home for whatever reason?
That hopefully would only happen in extremely rare conditions, but that's not a risk everyone would take. Especially in areas where losing your home is a very real risk, you'd be hanging on to your data by a string while facing an otherwise already challenging situation.
You certainly shouldn't rely on just your phone. If you store your 2FA token in Bitwarden, you can use any of your other devices that you have used Bitwarden with recently.
The 2nd factor is only needed when it's new or occasionally in other cases. I don't know why you say it adds lots of friction, unless you are frequently signing into new devices.
And as a failsafe a printed backup code is pretty important.
I understand that in theory storing the 2FA for Bitwarden in Bitwarden itself can work, but I don't know if I can ever bring myself to store the key to the car in the car, even if I pinky promise myself that I'll never lock all the car doors at once.
This is doubly true because Bitwarden has not been consistent at only asking for 2FA on brand new devices, so it's not even just me that I have to worry about locking the car doors.
There is still a ceiling to how secure a password can be which 2FA solutions will generally beat (mainly by the secret not being spread as far when used, such as keyloggers, window focus mishaps, or simply being sent to the server verifying it).
I am not suggesting friction as security, I am suggesting it so that the average user is funneled towards the most secure option, i.e. using 2FA, while allowing experienced users to put in a small amount of effort to disable it.
Because for security (!), I use a very strong and difficult to memorize password, with no backstop if I forget it. I only want to memorize one of those.
Even without, accidentally getting one password leaked is a lot more likely than two. For whatever reason, shoulder peeking, keylogger, wrong input field, brute forced, and so on.
In my mind the email is the second worst 2FA since it's used for registering everywhere on the web and more prone to be compromised. Phone number is the worst.
I like Bitwarden, but there are a lot of weird things that make me want to move or find a self-hosted solution. This feature may actually cause me to leave. I actually ended up buying a subscription and then refunding it in less than an hour.
So what's going to happen? Are they going to cache my location? Or are they storing a cookie on my side? Neither sounds great. Ever hear of a VPN? That's going to make my life easier....
Some more general complaints:
The storage thing is really weird. Did you know it is just stored on their server? So you can't store locally. But the worst part, when you want to retrieve the item then you download it and it just appears in your download folder. This is TERRIBLE and both of these make it absolutely useless. I got to download it when I need it, hope I have internet in that situation, and then delete it after because I'm... storing sensitive information, right?
The new design is just terrible and could only be designed by someone who assumes you never open the panel to fill in the website. Yet... that's the *most common* reason I open that.
Things like this give me concern that those designing the tool aren't thinking about other things. When it comes to security, all the little things matter a lot.
Of course there's frustrating things that I know they have little to no control over, like all the dumb Microsoft logins I'm forced to have and then annotate because I keep logging into the wrong account. But I do like that it integrates with Firefox's relay. The only thing I wish is that it wouldn't name the mask "Generated by Bitwarden." but "the fucking website name" (sure, append "Generated by Bitwarden" but no one cares and this does nothing to help brand recognition, it just makes things confusing).
I looked into this a while back and it was quite complicated. If you're used to hosting your own infra, it may not be a big deal, but it's definitely not a simple task for even an advanced desktop user. I ended up choosing KeepassXC, which just uses a dumb file on disk that I sync with Git.
I don't disagree with you, but a lot of people don't understand any of those steps. 3 is the step most people will understand, I think you can understand that LetsEncrypt can be confusing the first time, and well... DNS... that's notorious for people being confused on.
What people consider "advanced user" varies quite a bit and there's a lot of subdomains in computing. (Though maybe the term is also degrading...)
A lot of advanced users don't have servers, and they don't want to expose their desktop or an appliance to the internet. Moreover, are you going to trust your precious password information on a leased server run by Linode or whoever?
On topic, I use Bitwarden, but their changes to the iOS application are very annoying. I've been logged out repeatedly (at least once per week) and it keeps requiring me to input my password, without any way to reduce the overhead. It's so frustrating that I've been considering switching to the native iOS password app; if it was available on Linux, I would bid farewell to Bitwarden.
I had issues with this (new iPhone user and ... well... I'm having fun...)
A problem I had was my encryption settings. Definitely I am a bit overkill[0], but this might be worth checking. I use Argon2 and tried to find the max settings I could use on my iPhone 16. Make sure the KDF memory is lower than 256MB. Keep iterations low (<=10) and parallelism not too high (4 seems about right). So do something like 128MB, 8 iterations, 4 parallel and you'll be good. If this Reddit post is anywhere near accurate, it should cost in the tens of millions of dollars to crack your master passphrase[1]. But users there also are saying they can get higher settings, so YMMV. (BTW, these settings should be changed from the Bitwarden website.)
[0] Philosophy has always been: make it as secure as possible without being meaningfully impactful. Which is always above the standard security levels.
You don't even need to have your DNS turned on or run a reverse proxy. How often are passwords updating? My instance is local network only, and the phone, desktop, and Chromium extensions sync when I'm at home.
This is my issue with hardware keys too. It's been unclear to me how I have a backup and what's the best way to ensure that that backup is constantly in sync.
Plus, is a website going to support it? So many websites are shifting to OAuth, and making it the __only__ form of authentication. I really don't like this AND they usually only support a very limited set of authorities, which is almost exclusively "Google and Apple", so I can't even run my own. The fuck does the "O" mean in "OAuth" then?! (╯°□°)╯︵ ┻━┻ I'm trying to __reduce__ my (meta-)data exposure, not increase it!
Like good god, I don't know if it is a conspiracy or stupidity that's causing all this centralization and I'm not sure there's a meaningful difference. (unintentional or implicit conspiring rather than explicit)
This is Hacker News, surely there's people here that are fighting/pushing back. It's unclear to non-security experts like me how to actually do this besides not use a service (far easier said than done. These choices are often forced upon people)
And you can just self-host local only; it's what I do. Clients sync at home and don't lose the data when you leave the house. Even updates on one client (i.e. mobile) will propagate to others.
Sure, but then I need to spin up a server, lock everything down, pay money, deal with all that other stuff, and well... this isn't going to work for: my partner, my parents, my friends, my family, and so on.
If anyone works at Bitwarden, can you get your UI people to stop retheming for the umpteenth time and instead make the "detailed view" of any entry read-only by default? Every time I need to access my notes on an entry I'm scared that I'll accidentally typo a letter into my password or a 2FA code or something.
I get the desire to make the Bitwarden login more secure, but this is very likely to cause problems for users who don't have their email password memorized. 2FA already carries the burden of needing a backup if you lose your phone. This change means users will need to come up with an alternate way to log in to their email account. I'm not sure it's worth it.
I'm taking this opportunity to Ask HN: what do you think of the new Bitwarden browser extension?
Sure it looks more modern and a few things are better.
But personally I HATE the new "copy" button.
With the old version there was a button for each field: one to copy the login, one to copy the password, one to copy the TOTP.
Now there's just a single button that will display a list of options to choose from depending on what you want to copy.
So instead of copying a field with one click, now I need to do one click, go on the right option, and another click.
Even worse: if the account contains only one field, the copy button will still display the list of options, with just one option.
How could nobody think that when the user wants to copy something from a list, and this list contains only one item, the right thing to do is to copy this single thing, not ask them what they want to copy...
I don't mind the general visual update. But the change to the copy buttons was a step backwards.
To the bitwarden folks... if I'm opening up the extension 99% of the time it's one of these use cases:
1. I'm creating a login for a new site
2. I'm on a site that doesn't support autofill, and I'm manually copying user/pass/code
3. I'm filling credit card info, and want to select a specific card
Both #2 and #3 got worse with this change. Put the damn copy buttons in the huge amount of whitespace you have for the entry. Don't hide them in an overflow. Put each of the user/pass/2fa buttons in a fixed space, and don't move them.
To throw in a second viewpoint: 99% of the time I open the extension, it is to trigger auto-fill. I don't like having my credentials auto-fill on page load, I like to be the one to trigger it.
That being said, I also hated the change that hid the copy buttons, but they have a setting that brings them back.
You may know this, but they introduced a feature that lets you use Cmd/Ctrl+Shift+L in order to trigger auto-fill. I have disabled autofill on page load but LOVE this shortcut key.
I'm with you about not wanting the autofill, but I use the key combo mentioned below in nearly 100% of cases.
The vast majority of the time I'm opening the extension popover it's because the key combo failed to autofill (site doesn't support it) and I need to manually copy/paste.
For extra fun - the Key combo is customizable if you don't like ctrl-shift-L
Just hit up chrome://extensions/shortcuts and change the combo to something you'd like.
Yep. If you look at the feedback thread before this version was released, they legitimately did listen to feedback from power users and made changes.
The first beta version had all of these annoying quirks, but then they added a bunch of settings (Compact Mode, Quick Copy Actions, Wide Mode, Disable Animations) that after you change them gives you a solid experience.
Is there a way to get rid of the "Fill" button and make the whole entry do the fill action? That's what it used to be, and I have soo much muscle memory for it. I almost never want to look at an entry.
Nevermind, sibling had the answer: "Settings < Autofill < Click items to autofill from Vault"
I like it! With the width and quick copy options under appearance settings there are no glaring issues, but there are two big benefits:
1. It's much faster. This alone makes the refresh worth it imo.
2. The edit item / fill item UX is much more consistent than it was. Before, when you searched for and clicked a card it opened the item, but if you clicked a card because it matched the current domain then it filled the item; to open it instead you had to click the little "open item" button. Even as a long-time user I would often misclick because the context changed the behavior of clicking a card and my muscle memory would be the opposite of what I wanted. Now there's a "Fill" button when a card matches the current domain, and clicking anywhere else always opens the item. My only critique is that the Fill button could be a bit bigger so it's easier to click.
You probably know this, but I'm just writing it here because it took me a while to figure it out — you can also use the keybinding (Ctrl+Shift+L) to fill in login forms. It works 90% of time, and you don't need to copy anything. It really reduced the number of times I'm interacting with the extension's panel.
Things change. They made sure people could go back to any legacy behavior they personally favored, or not. "Please constantly be trying to improve your product, so change the things I don't like, but don't change anything I do like, even if I still have the option to pick and choose between legacy and updated options". Man, people will bend over backwards to be offended.
I like how it's faster than before but the modern UI design trends are starting to wear on me. If you could have the old theme with the new features that would be good.
The two-click copy button is absolutely the worst new "feature" they added. That setting should be opt-in by default.
I hate how small the "Fill" button is, and how clicking on a card that represents saved credentials is no longer assumed as an intent to fill username/password on the page you're on.
In some cases, it just falls apart when displaying over a text box and doesn't know what to do with itself, and sometimes breaks the UI for me. I keep the desktop copy around for the cases where I don't want to fiddle with the extension.
My personal problem is that I self host and the updated extension just completely fails to connect to my vaultwarden instance. I probably just need to repull the updated docker container, but it's something I would have rather not thought about. But since the extension auto updated I'm forced to think about it.
Interesting - I'm also running self-hosted and didn't have this problem (I think my last image pull was about a month ago, though - so somewhat recent).
Alternatively, at least for chromium browsers - you can download the .crx directly, unzip it (p7zip will do it), and sideload it using the "Developer mode" checkbox on chrome://extensions. Firefox sadly doesn't support this - they'll remove any sideloaded extensions on browser close.
I mean, you're explicitly choosing to self-host an alternative backend server which isn't affiliated with Bitwarden. You could have used their SaaS, or self-hosted their official backend they provide on GitHub, for free, and which is almost entirely open source (AGPL, they have some small enterprise specific bits such as SSO which are under a commercial license which is still free, just not open source).
But you choose to self-host a random person's project that tries to keep track with Bitwarden APIs and various frontends, on a best effort basis. That's a ton of risk I really wouldn't take with something as sensitive as passwords to everything.
It's pretty OK, as the official client caches most stuff, everything is still encrypted, and most of all Vaultwarden is miles easier to self-host than the official Bitwarden stuff.
For me, it is the double scroll bars in the browser extension. One to scroll in the list of passwords and another to get to the bottom of the extension window. This is even in "compact" mode.
It's been much, much slower to load on click for me now. Surprised others haven't experienced that so wondering if it is some extension conflict. Consistently takes 2-3 seconds to load up after click whereas before was instant-ish.
Related question: is there any way to keep the Bitwarden window open when I’m unfocusing it without popping it out into a separate window? That workflow makes copying logins painfully slow for me.
It wouldn't be so bad if the window closed but at least remembered the entry. I often have the issue where I had to search up an entry (credit card info for example) and then when I reopen the extension window I have to start the search all over again.
I love the fact it remembers what page you were on and leaves it on that page.
In the previous version, you'd go Vault -> Search -> [Find Thing] -> Copy Username, but when you de-focused the extension it would return you to the vault home, so yet again you had to do Vault -> Search -> [Find Thing] -> Copy Password.
This one, when it loses focus, it stays exactly where you left it.
100% this is one of those changes that makes me doubtful of Bitwarden being a well maintained service in perpetuity.
Like, if this change was an accident and slipped through that is bad. If it was approved, it's even worse because as you said, it shows that the person who is in charge of how we, the users, interact with the product day-to-day doesn't understand the product or doesn't take their role seriously.
Of course it's not under Settings -> Appearance where the similar "Show quick copy actions on vault" option is. Why should an option that only affects the UI be in "appearance".
Because it barely changes the appearance at all? The actual effect of that setting is to change the behavior of the button to be autofill. The only visual change is that the small "Fill" button is removed.
These are screenshots from the extension, before and after checking that autofill box. The only visual change is the missing "Fill" button, because now clicking on the item itself performs the fill action. The rest of the UI looks exactly the same.
Hate it (using the Firefox one). The look is weird, seems to waste space. New copy button sucks. I spent 10 minutes one day not being able to login with a copied password, before realising it was because I was lacking the second click. Also the new suggested results (when searching) honestly just get in the way, since the order of the results is not always the same anymore.
The new extension is a lagfest. There's a noticeable 2s latency to every action now. I don't know how something like this makes it to GA. Long ticket: https://github.com/bitwarden/clients/issues/12286
seems there are reports of different sorts of delays in the comments.
w.r.t. a small, split-second one in initial rendering, i'd take it ten times out of ten over what it was for me all these years: immediate ability to key in input, but if you typed at the precisely (im)perfect moment, which was an extremely common occurrence, the extension would bug out and not perform the actual search.
so i'm sitting there for about a whole second wasted for having waited out the threshold to realize that it bugged out yet again and didn't perform my search. then, i would have to either backspace or type in the next character in the query in order to trigger the search; this was often an unpleasant added mental overhead when backspacing would repopulate results that you were trying to filter out.
i'd rather have the split-second delay for every initial render.
I'm not a fan of the copy button and design either. Dark mode has huge contrast with outlines, and rounded corners are space inefficient. It's like a design for a small touch screen, not a desktop addon to a browser. Take inspiration from uBlock.
It's awful, it's slow, it's hard to use, confusing and they made editing even worse. The old UI also had its problems but they weren't this bad. I despise these constant UI changes that only make the product worse without any benefits.
I hated it so much I migrated to ProtonPass, deleted my data, and set my account to expire.
Then Proton CEO made some statements I found offensive, so I re-activated my Bitwarden account, migrated back, and am now learning to love the changes.
The best I've got for tips are:
1. Settings > Appearance > Quick Copy
2. Settings > Appearance > Compact Mode
3. Settings > Appearance > Extension Width > Wide
I still don't love it, but it remains the best of the bunch.
I don’t get it, we want antitrust laws, right? Democrats as well, I assumed? I actually thought they were more of a Democrat thing tbh, but now that the Republicans want them they are bad? I don’t get it anymore.
Antitrust enforcement, sure, it's a good thing. Pretending that Republicans are better than Democrats in that sense is not that great. Especially after who attended the inauguration, it's very naive to hope that they will solve "Big Tech abuses" in any way.
Wow, Republicans are now called fascists? Idk, I always thought Schwarzenegger was such a nice example: wise, gentle, kind, funny and Republican. Not loving Trump, sure, but to say such a thing based on how someone votes, man, you’re falling low.
Edit: ok, read the X post, man you guys are losing it if you call that fascist. So divided, you can be either black or white. I feel sorry for you.
Say one thing good about Trump and you’re a fascist, just pretend that all he does is bad. There is no more way of looking at it objectively. No wonder you are so divided over there. I really would stop watching the news. Half your country voted for him. What does it say about you that you view half your country as fascists?
It's probably less about viewing Trump as a fascist and more being afraid of being grouped in with Trump supporters by your in-group. It's a really divided country and there are circles where you could be outed even for expressing neutrality.
Again, I am not American, and would rather avoid the mess that is their politics
I just ddged for “fash”, I mean labeling the CEO of Proton no less, an org that does so much good, that has such a nice vision, can shield people from their state because they believe in their right to privacy. To label such a person a fascist is just unimaginable to me. I find it shocking that so many people just use this super small thing to judge Andy Yen. I’m really shocked. How dare these people put such opinions online? It’s so “140 chars” to define a person. It’s what’s wrong with the internet these days.
The day Bitwarden was VCed I knew there will be a time when I will be desperate to find alternatives. I guess that time is coming closer.
The thing I despise most among their UI “improvements” is entry click expands the entry now. To fill you have to find that tiny “fill” button and click that.
This extension is the only thing on my computer that is slow. I have an M1 Pro and an M1 Max laptop and the new visual refresh has made the extension very slow and a lot less usable.
The old one was instant on clicking the shield icon. The new one is slow and flashes a few times before showing me the UI.
Also, the entire field used to be selectable to fill fields. Now I have to aim at the tiny Fill icon and it's even harder to get to the time-based 2FA code.
I get why they've done it but I have never seen any software this slow in my life. Even just displaying the boxes seems like it needs a progress bar.
The new desktop browser plugin is disgusting even after I went through settings. Won’t reiterate here, one of the worst UIs I’ve ever seen and if I were to choose today, I would not choose bitwarden only because how ugly and unusable it is.
It took me a day to get used to the new UI but now I love it. Just goes to show that you can only get UX wrong / UX is hard. It’s good to have both options configurable though!
This one is not too bad since it's only once per device, assuming they define a device by generating some unique value at first login so I really won't have to go through it again despite any updates, changes in network, etc.
In general though I have become incredibly sick of mandatory 2FA for every-goddamn-thing. I do use it very often, but it should be my choice and not forced on me. The usual retort is blah blah blah I might understand the trade-offs but normies don't and so forcing it is a net positive, but I'm me — not them, so that usual response is just to tell me that my feelings don't matter.
Since service providers are often legally and even more often practically required to cover losses resulting from account takeovers, it's really not your choice alone.
I very carefully added 2FA to my wife’s Bitwarden account a while ago. I got her a Yubikey and added mine as well as my backup keys in case one ever got lost.
I discovered much later that they call email “2FA” so her account isn’t actually protected by the hardware keys at all. Like others here, this doesn’t make sense to me since it’s circular.
(and separately, the Yubikey seems to often not work on Android anyway)
X.com is one site where 2FA just doesn’t work for me and I had to repeatedly contact them to “unlock” it or so. Finally I had to disable it, and if the a/c ever gets taken over I’d let it be.
Yea. This article needs to be updated if that is the case. There isn't even a hint that this is possible. And there are very valid reasons to not turn it on as these comments have shown.
Same here. I have a 77 year old father who has had a stroke who is not going to be able to wrap his head around the notion of 2FA. It's a bridge too far. Not going to happen. He's just going to get confused and give up when faced with crap he doesn't understand (that's literally how it works with him). I've seen him break into tears because he couldn't figure out some mobile phone UX. Kind of heartbreaking to watch that happen. That's what strokes do to people. Stuff like this doesn't help people like that.
I'm thinking the built in browser password manager might be a safer, more usable option for him at this point. It's probably what I'll have to recommend when this inevitably blows up in a few months.
2FA is a hurdle for normal users. I've had to support 2FA for our Google workspace account for some of my non technical colleagues. It's a PITA almost 100% of them needed me to unblock their account at some point. Absolutely terrible UX. Most users aren't compatible with this stuff. That's why all the big companies are pushing for passkeys now. I don't think that actually fixes the problem and just moves it instead.
But I get it. Bitwarden wants to appeal to corporate IT managers so they can sell expensive enterprise licenses because IT managers are most of their paying customers. And for that they need to sacrifice UX. Because IT managers like liability even less than service providers (like Bitwarden). They'll make their users jump through hoops one hundred percent of the time if it reduces their exposure to their mistakes. So sacrificing UX for that is a small sacrifice. But it is a sacrifice that buys ass coverage for Bitwarden and IT managers. At the cost of users.
while we're bitching about the bitwarden UI my pet peeve is that 99% of my accounts use my email as the username but i still have to type it in every time i create a new account. how about having auto-suggest?
Today, I almost had a heart attack cause I couldn't log in into BW Web. Strangely, both mobile and Desktop versions worked fine with the same password... The issue resolved automatically in a few hours, still no idea what this was.
Still, I backed up my passwords as soon as I logged into the mobile app, so like some people here say I highly recommend everyone do periodic backups and not be like me (:. I would have lost everything if something did happen to my vault access
For someone who has only used offline, local password vaults, what is the advantage of a cloud-based solution (for personal use, not enterprise)? I'm interested in their self hosted option, but not sure what the advantages would be over keepass and syncthing.
Convenience and portability for people who don't want to use, or aren't going to learn how to use, anything more complex than an app, browser extension, or website.
Accessing a password vault from any arbitrary internet-connected device and browser through the web is also convenient, even if to you or I that serves more as a reminder of how accessible your passwords might become to unauthorized users. Sharing credentials between Bitwarden users is also more convenient.
If you self-host, you can provide those services to friends or family members who don't have your technical aptitude. For teams and businesses, it provides an auditable service with directory integration and other optional enterprise features (SSO, fine-grained access).
All of these are possible without a SaaS, just less convenient to set up. You and I might consider setting up our own personal password management to be a fun and useful project, or at least a trivial time expense compared to the value. When something like Bitwarden provides all of those features and more for $0 to $10/year, even a small time and maintenance burden might not seem worth it to a less technically savvy user.
The big thing that got me to move off passwordstore to BW (and self-hosted vaultwarden) was sharing passwords with family. The app and browser extensions are nicer, too.
This is why I like generating passwords with a 1 way SHA-256 hash, no need for any storage or encryption and no reliance on some website service being up.
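As an added illustration of the stateless scheme the comment above describes (this is example code, not the commenter's): each site password is a one-way hash of a master secret plus the site name, so there is nothing to store and nothing to be locked out of, but rotating a single leaked password needs an explicit counter, and because SHA-256 is fast the master secret must be high-entropy. The NUL separators, the 20-character length and the PBKDF2 variant are my own choices, not anything the comment specifies.

```python
import base64
import hashlib
import string

# Output alphabet of URL-safe base64 without padding.
ALLOWED = set(string.ascii_letters + string.digits + "-_")


def derive_site_password(master_secret: str, site: str, counter: int = 0,
                         length: int = 20) -> str:
    """Deterministic, stateless site password from a master secret.

    One-way: a site password leaked in a breach does not reveal master_secret.
    Nothing is stored, so there is no vault to lose or to be locked out of.
    The counter is the only way to rotate one site's password without
    changing every other site's password at the same time.
    """
    # NUL separators stop ("ab", "c") and ("a", "bc") from hashing identically.
    material = f"{master_secret}\x00{site}\x00{counter}".encode("utf-8")
    digest = hashlib.sha256(material).digest()
    # URL-safe base64 yields roughly 6 bits of entropy per character.
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")[:length]


def derive_site_password_slow(master_secret: str, site: str, counter: int = 0,
                              length: int = 20, iterations: int = 600_000) -> str:
    """Same scheme with PBKDF2-HMAC-SHA256 instead of a single hash.

    Assumed hardening, not from the comment: plain SHA-256 runs at billions
    of guesses per second on a GPU, so one leaked site password lets an
    attacker brute-force a low-entropy master secret offline. A slow KDF
    raises that cost; a high-entropy master secret is still required.
    """
    salt = f"{site}\x00{counter}".encode("utf-8")
    digest = hashlib.pbkdf2_hmac("sha256", master_secret.encode("utf-8"),
                                 salt, iterations)
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")[:length]


def is_valid_output(password: str, length: int = 20) -> bool:
    """Output is fixed-length and drawn only from the URL-safe alphabet."""
    return len(password) == length and set(password) <= ALLOWED


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    master = "correct horse battery staple"
    print(derive_site_password(master, "example.com"))
    print(derive_site_password(master, "example.com", counter=1))  # rotated
    print(derive_site_password_slow(master, "example.com"))
```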
I thought of stopping the subscription after I reported a blocker issue in great detail with multiple emails but they didn’t tell me why it was happening, neither did they share the ticket created or a ticket was created in the first place - in fact they didn’t respond at all, not even to follow ups. UI “improvements” finally did it for me and I stopped paying — also, started taking periodic backups.
still didn't implement showing credential information when searching so that you don't end up with 10 credentials with the same name across folders? shame
Reminder: Dump your password manager database into cleartext backups regularly. Store them on encrypted media (e.g. a USB stick with FileVault, VeraCrypt, or similar).
Then you will not be totally screwed if your password manager does a rug pull against you such as what Bitwarden is doing with this change.
It's a password manager. It must never, under any circumstances, add any additional barriers to getting in that aren't explicitly configured by the user.
This is going to lock out many users. They will not realize this new arbitrary requirement to be able to access the email address. They will lose their existing device. They will get a new device, install Bitwarden, and try to login with their master password, only to find that Bitwarden has moved the goal posts. They will be locked out of everything.
Even if 99.99999% of users would benefit from this change, Bitwarden shouldn't do it because it'll unfairly lock out 0.00001%. If they really want to do this change, then they should have like 2 years of warnings displayed on existing clients, and also have an option to permanently disable any 2FA requirement.
I encourage everyone to update your email address (user login) by adding some novel characters to your email like youremail+bw1234@gmail.com because there are active attacks against Bitwarden right now.
Thankfully Bitwarden warned me about the attempts. For the rest of the customers it's a matter of time before you are a target.
Great example here of HNs ignorance of basic security in this thread. Bitches and moans about companies' data breaches. Bitwarden turns on 2FA by default to kill 99.9% of attacks (you all should be smart enough to be using this already) and y'all are crying about it.
I hope the companies you work for have security teams to protect the company from your crazy attitudes.
The whole point of a password manager is that you can use it to log into things like email.
I have a single password I only use for Bitwarden and nothing else. All of my other passwords are randomly generated. How am I gaining security by enabling MFA? If I lose my phone on holiday now, I’m in a position where I can’t log into anything because I won’t be able to log into my email.
The documentation now says "Users who opt-out from their account settings, to which an option will be added, are excluded" so it appears that there isn't an option yet but that they will add it later.
This is pretty far from a no-brainer to me. The FAQ even has the reason why: "what if I store my email password in bitwarden?"
One of the main reasons to use bitwarden is as a synchronized backup when the system autofill fails, which tends to happen in the same situations this 2fa check will trigger (new devices).
It adds a potential failure mode without meaningfully benefitting my personal security model.
I agree, totally no brainer. Security through making things so annoying that even the guy who is supposed to log in just doesn't any longer. In fact I agree so much with you, we should go even farther. I propose a service where you have to sprinkle some drops of blood on your keyboard every 5 minutes. If you fail to do so, all your accounts will be permanently deleted.
Or wait, I got an even better one: we will go to the house of each person on the planet and destroy their computer. There's your absolute security right there. No BrAiNeR.
Yeah it's interesting because on the one hand you're adding one more step to login. You're adding friction. On the other hand, it's pretty obviously a good security practice.
I wonder what the product and stakeholders discussed. Were there metrics on how many users they might lose with this?