dyml a day ago

I just want to point out that the title is wrong. 2FA is on by default, but not mandatory. Dang, can we change the title?

  • TheFreim a day ago

    The title was correct but they appear to have changed the policy since the post was made, likely as a response to feedback.

    Notice that in the archive from earlier today the "Who is excluded from this account email-based new device verification?" section did not have the new fifth bullet point about being able to opt-out:

    https://web.archive.org/web/20250128011007/https://bitwarden...

    Thought it was worth pointing this out since I've already seen people reply to old comments thinking people didn't read the article without realizing it was later changed.

  • dang a day ago

    Ok, we've done that now. (Submitted title was "Bitwarden introduces mandatory 2FA for new devices".)

foxygen 2 days ago

This is terrible, honestly. One of the reasons I use Bitwarden is to be able to not know all my passwords besides the Bitwarden one. I don't know my email password, so I can't use that for 2FA. Same for using my phone number or an authenticator app: if I lose my phone, I would also be locked out of my account.

The risk of someone stealing my phone is much higher than someone stealing my main password where I live. I intentionally decided not to use 2FA, because that is what makes most sense for my context. I'm ready to take full responsibility for not using 2FA, but now I can't.

  • sesky 2 days ago

    Agreed. There is no way to rely on the simple model of 'my master password is the single point of failure' now. With any form of 2FA, there is now lockout risk in a way that cannot be mitigated fully. Bitwarden itself recommends printing out a recovery code and storing it in a safe, but what happens if you lose access to that safe? Or if you're traveling and need emergency access to your accounts after your phone gets stolen?

    On the reddit post announcing this, Bitwarden added a response saying they will provide an opt-out option. It's unclear if this opt-out is temporary or not. It would be a huge step back for their product if 2FA becomes mandatory.

    • foxygen 2 days ago

      That actually happened to me a couple of years ago. I was in a foreign country and lost my phone. All I had to do was buy a new cheap phone and log in to Bitwarden again. If I had 2FA enabled, I'd be completely screwed.

      • gtsteve 2 days ago

        I have hidden recovery information in a few places on the internet - someone stumbling across it would not know what they are looking at, or what it's for. For example, you can hide the TOTP secret for an authenticator app, but it's useless unless you know what account and service it's for, and the associated master password.

        • sesky 2 days ago

          So to mitigate lockout risk, you keep multiple Yubikeys, store recovery codes in multiple physical locations including presumably a fire-proof safe bolted into your home (at your expense), and use obscurity to store the TOTP secret in random places on the internet, presumably relying on external services or a self-hosted solution, which are themselves dependent on regular credit card payments going through.

          Okay, I grant that you've reasonably mitigated the lockout risk. But I don't want to do any of this, and is it really reasonable to expect the everyday person to understand or implement all this? What happens in practice is that many users will not realize anything is wrong until they get locked out with no recourse.

          This makes it hard for me to recommend Bitwarden to my friends who use typical insecure practices like password reuse or post-it notes.

          • alt227 2 days ago

            > But I don't want to do any of this

            Security has either been easy and weak, or difficult and strong. It will never change, and so you will always have the option of weak security if you don't want to jump through the hoops for the peace of mind.

            > my friends who use typical insecure practices like password reuse or post-it notes

            IMO people who do those things will never change. It's like the environment: everybody knows what they should be doing but no one cares enough to do it.

            • favorited a day ago

              So Bitwarden should offer 2FA for users who want the additional security – they should never force users to enable it. It would be like refusing to save "password" as a password, because it is insecure.

          • rsync a day ago

            A better way to mitigate lockout risk is to use a 2FA mule:

            https://kozubik.com/items/2famule/

            • jjnoakes a day ago

              If someone is locked out of their password vault, they are likely also locked out of their email...

            • rcxdude a day ago

              If you have literally no other option than SMS 2FA because of bad support from websites, maybe. Otherwise it's probably one of the worst options (though I suppose unlike using your main number at least it's harder to discover the number for the 2FA phone to attack it with social engineering).

            • lxgr a day ago

              Since Bitwarden can directly email 2FA codes, this arguably would be needlessly complicated in this context.

        • stronglikedan 2 days ago

          sure, but we shouldn't have to do that if we don't want to. it shouldn't be "mandatory"

      • benbristow a day ago

        Same here, mine got pickpocketed. My mates laughed at me because they thought I was an idiot for not being able to log in to my accounts.

        Was easily solved though: I got a new SIM card from my network at the local store when I got back and recovered my Authy account via SMS, which I could then generate 2FA codes for my password app through. It was always a backup method I had up my sleeve. My browser stays logged in as well, so I was able to get into most stuff through my PC once I got back.

    • alt227 2 days ago

      > Bitwarden itself recommends printing out a recovery code and storing it in a safe, but what happens if you lose access to that safe?

      I feel like your own creativity is limiting you here. There are lots of options to store those backup codes, including giving them to multiple relatives to keep in a safe place so you can call and ask for them, creating a dedicated email account with no 2FA and emailing the code there, leaving yourself a saved answerphone message with it on so you can dial in and listen, writing it in the important info section of your passport so you always have it abroad, etc. etc.

      • AlotOfReading 2 days ago

        It's great that recovery codes exist, but the security model can't rely on them. Unused email accounts get deleted, yubikeys get lost or reset, relatives lose documents, passports get renewed, house fires and car accidents happen, time passes, etc.

        Any critical procedure needs to be exercised regularly to ensure it's still working. Normal people don't do that with recovery codes.

        • alt227 a day ago

          All of these things can be mitigated by a little care and attention by yourself.

          What you are really saying is you want a way to be able to recover your account that's easy, quick, and you don't need to think about it. Unfortunately strong security will never be any of those things.

          • AlotOfReading a day ago

            It doesn't matter how you want to describe it, keeping recovery keys available is an ongoing maintenance burden that most people aren't going to do perfectly. It's not appropriate to blame users for reasonably foreseeable problems with a fragile system and lock them out of their bank passwords.

      • Macha 2 days ago

        > creating a dedicated email account with no 2fa and email the code there

        Of course, that account could also decide to implement mandatory 2FA. Could even be unannounced, just "This login is suspicious, we sent a message to your recovery email to confirm this login"

  • codemac a day ago

    I'm very frustrated about this because for a lot of my family members, their phone is the only computing device they have.

    When they lose it, they lose access to email, and there is no backup plan here. Using bitwarden is far far superior to them using the same password everywhere, but this will drive them back to the same behavior.

    • the_snooze a day ago

      > I'm very frustrated about this because for a lot of my family members, their phone is the only computing device they have.

      That's actually a really good point. My 1Password setup is resilient to device loss because I have multiple registered devices, any of which can spin up a new device with just my master password.

      But if you're in a situation where you only ever have one device and lose it, then you can't bootstrap a new registration going from 0 devices to 1.

      There's definitely a security/resiliency tension here. Is it desirable to have your password manager protected by just a user-specified password? That can allow you to go from 0 devices to 1, but it also greatly lowers defenses against account compromise. You can have a paper recovery kit, but people will misplace that, if they even create it in the first place. Social attestation could be a decent if imperfect mitigation: if everyone is on the same family group, then maybe the admin or the group can recover access for any one person.

  • gtsteve 2 days ago

    Email is not a good second authentication factor anyway. I have 6 U2F tokens on my high priority digital accounts, as well as printed recovery codes in several places. Only 1-2 tokens ever actually travel with me; the others are kept safely in different locations.

    Given that most people are cracked wide open if their password manager is compromised, I do feel it's sensible for a password manager to insist on 2FA, but the email chicken and egg problem is a concern for those migrating, and hopefully they backed up their recovery codes.

    • rsync a day ago

      Email can be a perfectly good second authentication factor.

      It depends on the asset you’re protecting and your threat model.

      I have quite a few accounts whose value does not cross a threshold where I care about the risks of email… and my workflows would be enhanced dramatically if I could use it as a second factor.

      The reason I can’t is not because of security or anything at all to benefit me, the user. It is because the services themselves need to throw sand in the gears of the bad actors abusing their services.

    • lxgr a day ago

      It's much better than SMS in many cases.

      My email address can't be SIM swapped, my emails aren't transmitted using weak 90s encryption algorithms over the air (and via dubious, largely unauthenticated 80s protocols on the wire), and my mailbox is itself guarded by 2FA.

  • pikdum 2 days ago

    This is how I use Bitwarden too, and it's the one thing I definitely don't want 2FA on.

  • om8 a day ago

    Same here. I'm very sad about this 2FA thing. Bitwarden was so easy to use: I could always get access to my accounts with just my secure master password. Does anybody know a good alternative?

  • TheFreim a day ago

    I solved this issue using pass-otp on my computers in addition to my mobile authentication app. This way my desktop, laptop, and mobile device all have the ability to generate my Bitwarden OTP code.

    https://github.com/tadfisher/pass-otp
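The pass-otp approach above works because the base32 secret is the entire credential: any device holding it derives the identical code, so a saved copy of the enrolment string is a complete fallback for a lost phone. This added example (not pass-otp's or Bitwarden's code; the secret is the RFC 6238 reference key and the otpauth URI is constructed for illustration) implements RFC 6238 TOTP in plain Python, including a parser for the otpauth URI that the enrolment QR code encodes:

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# Constructed example secret: the RFC 6238 reference key "12345678901234567890"
# in base32, the form an otpauth:// URI, an authenticator app, or a vault's
# TOTP field stores it in. It is the whole credential: anything holding it can
# mint valid codes, which is why it must be backed up like a password.
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Decode a base32 secret as copied from a QR code or setup page.

    Setup pages often show the secret lower-cased, grouped with spaces, and
    without '=' padding; all three are normalised here.
    """
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, step: int = 30,
         digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    t = int(time.time()) if at is None else at
    return hotp(decode_secret(secret_b32), t // step, digits, algorithm)


def verify(secret_b32: str, code: str, at: Optional[int] = None, window: int = 1,
           step: int = 30, digits: int = 6, algorithm: str = "sha1") -> bool:
    """Verifier-side check accepting +/- `window` time steps of clock drift.

    The comparison is constant-time so the check cannot be probed digit by digit.
    """
    t = int(time.time()) if at is None else at
    key = decode_secret(secret_b32)
    counter = t // step
    return any(
        hmac.compare_digest(hotp(key, counter + drift, digits, algorithm), code)
        for drift in range(-window, window + 1)
    )


def parse_otpauth(uri: str) -> dict:
    """Parse an otpauth://totp/ URI (what the enrolment QR code encodes) into the
    parameters needed to regenerate codes. Saving this one string is the backup."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": q["secret"],
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "algorithm": q.get("algorithm", "SHA1").lower(),
    }


def totp_from_uri(uri: str, at: Optional[int] = None) -> str:
    """Regenerate the current code from a saved enrolment URI alone."""
    p = parse_otpauth(uri)
    return totp(p["secret"], at=at, step=p["period"], digits=p["digits"],
                algorithm=p["algorithm"])


if __name__ == "__main__":
    now = int(time.time())
    code = totp(EXAMPLE_SECRET_B32, at=now)
    print(f"code at {now}: {code}, verifies: {verify(EXAMPLE_SECRET_B32, code, at=now)}")
    print("RFC 6238 vector (T=59, 8 digits):", totp(EXAMPLE_SECRET_B32, at=59, digits=8))
```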

  • sangnoir a day ago

    In addition to your phone, you can also set up up to 4 other WebAuthn tokens, Yubikeys or FIDO2 devices, as well as a printed recovery key. If none of those fallbacks work for you, perhaps switching to a different password manager is best.

  • nelblu 2 days ago

    I hear you, and I somewhat feel the same. However, a workaround would be to save the TOTP secret safely like a password. I have started treating all my TOTP secrets as my secondary passwords.

    • om8 a day ago

      Bitwarden is the place where I store stuff safely ><. This update is just awful

  • ubermonkey 2 days ago

    Same.

    I abandoned Bitwarden a while ago in favor of Enpass after the 2nd time in 3 weeks that Bitwarden refused to open my LOCAL vault because of a problem with BITWARDEN's servers.

    Uh, no.

    • Rebelgecko a day ago

      How is Enpass's auto fill? Bitwarden has been hit or miss for me on mobile

    • starkparker 2 days ago

      Good shout on Enpass, I was considering moving to self-hosted Bitwarden but Enpass looks like a better product anyway.

    • jiveturkey a day ago

      Similar. I switched to Apple Passwords, and pretty much stopped using Chrome except for Gmail. I use a multitude of browsers, but I am 99% Safari for sites where I need the PWM.

      I hate building a lock-in to the ecosystem though, and have been meaning to look at Enpass.

      • ubermonkey a day ago

        If my irritation with BW had come later I might well have settled on Apple's solution, but I'm already entrenched at Enpass and, like you, don't really want to further enmesh.

        I mean, I'm pretty tied to Apple in both hardware and service use, but it strikes me as unlikely that Apple's first swing at password management could really rival a purpose-built tool right out of the gate. I do think I'm going to push my thus-far-vault-avoidant wife to use the Apple tool, though.

TheFreim a day ago

I can understand adding some friction to discourage using Bitwarden without 2FA, but making it mandatory seems very wrongheaded. I've been using 2FA on Bitwarden for a while and it adds a lot of friction and has made me very nervous that if I lost my phone I'd be locked out of literally every account I have. I mentioned elsewhere (link below) that I have solved this issue for myself, but people shouldn't be required to jump through these hoops and introduce a greater opportunity to lose access to their accounts if they should lose their phone.

https://news.ycombinator.com/item?id=42853696

  • krick a day ago

    And even if 2FA didn't have ANY downsides, it's still not their fucking business whether users want to use it or not. There are a million ways to leak your credentials to a service anyway, and I don't know anything more annoying than when a service tries to protect you from yourself (sometimes locking you out of your account while doing so). If a user wants to have no 2FA, no backup email, to use qwerty as a password and to write it on a sticky note attached to a display, it's their right to do so. It's not Bitwarden's (or anyone else's) responsibility.

  • Wowfunhappy a day ago

    I agree, and when I first read the headline, my reaction was "Well, I guess it's time to start researching different password managers, because I obviously can't use Bitwarden anymore."

    However, despite what the headline says, this 2FA does not appear to be mandatory.

    Under the heading: "Who is excluded from this account email-based new device verification?"

    > Users who opt-out from their account settings, to which an option will be added, are excluded.

    • sesky a day ago

      To clarify, this was new information added to the release within the past hour or so, which seems like the company responding to criticism. The original article gave no indication 2FA was anything but mandatory.

    • krick a day ago

      Thank you. The title should be changed, really. Following an ancient HN custom I've chosen to get annoyed before reading the article, and the title simply isn't true. In fact, it's exactly what GP suggested, which is a perfectly nice way to implement that. (Unless, of course, one day they get rid of that option as well...)

  • the_snooze a day ago

    It seems like the alternative is to allow anyone with just the master password to get access to your vault. That doesn't seem so great.

    I'm on 1Password and it's basically a 2FA setup there too: to register a device, you need to have the master password (what you know) and the secret key (what you have, randomly generated at vault creation). Losing my phone isn't a big deal because I have 1Password on multiple devices, each with a copy of the secret key, so there's pretty good hedging there.

    I also carry a physical Yubikey, which grants me passwordless access to my email account (assuming I know the PIN to unlock the hardware, which I do). That's probably overkill for most people, but that's another layer of hedging too.

    • patrakov a day ago

      It's, possibly, not good enough. In case of a fire, if you left all your phones at home, you are screwed.

      Exactly because of the fire risk, I set a policy for myself that all passwords should be somehow recoverable only from something that I know. However, I don't meet this policy at the moment.

    • mvdtnz a day ago

      > It seems like the alternative is to allow anyone with just the master password to get access to your vault. That doesn't seem so great.

      Given that only I have my master password I don't see what's wrong with it.

      • hypeatei a day ago

        What if, for example, a piece of software is logging your key presses without your knowledge? You could have the best, most secure password but you're typing it into a complex machine which could be doing any number of things. Don't forget that you're human and make mistakes too so it doesn't necessarily have to be malicious; a bad copy paste into a public forum post could hose you.

        A second factor makes it extremely unlikely that one slip up results in a complete compromise of your vault.

        • JambalayaJimbo a day ago

          I think what you're forgetting is that Bitwarden only has access to my passwords, not any account (that does any important work) itself.

          All my high security accounts themselves are protected by 2FA and in some cases 2+ factors (such as my bank).

          2FA on a password manager is useless. I'm going to end up entering phone codes multiple times for a single login and that will drive me away from using the password manager.

        • TheFreim a day ago

          If there is software that is logging my keys it can also likely steal my cookies, in which case they don't even need any of my passwords or 2FA codes.

        • fwn a day ago

          > What if, for example, a piece of software is logging your key presses...

          Even easier: What if someone beats you with a stick until you unlock your password manager?

          Security is always a compromise around a lot of assumptions about threat model, usability, etc.

          Nudges are a great way to increase overall user security with almost no drawbacks, but ofc ultimately things like this always have to be user choice.

        • the_snooze a day ago

          You don't even need a keylogger for password leakage. You could accidentally type your password into a logged field because you forgot to press tab or alt-tab to move cursor focus.

          2FA for setup doesn't strike me as too onerous. It only happens once per device, after which you're free to rely on just your master password or even biometrics.

  • bachmeier a day ago

    > very nervous that if I lost my phone that I'd be locked out of literally every account I have

    I use Bitwarden 2FA with my phone, but I have backup codes stored in a fireproof safe with my other important documents.

    • makeitdouble a day ago

      Aren't you screwed if you can't get access to your home for whatever reason?

      That hopefully would only happen in extremely rare conditions, but that's not a risk everyone would take. Especially in areas where losing your home is a very real risk, and you'd be hanging on to your data by a string while facing an otherwise already challenging situation.

  • akvadrako a day ago

    You certainly shouldn't rely on just your phone. If you store your 2FA token in Bitwarden, you can use any of your other devices that you have used Bitwarden with recently.

    The 2nd factor is only needed when it's new or occasionally in other cases. I don't know why you say it adds lots of friction, unless you are frequently signing into new devices.

    And as a failsafe a printed backup code is pretty important.

    • demosthanos a day ago

      I understand that in theory storing the 2FA for Bitwarden in Bitwarden itself can work, but I don't know if I can ever bring myself to store the key to the car in the car, even if I pinky promise myself that I'll never lock all the car doors at once.

      This is doubly true because Bitwarden has not been consistent at only asking for 2FA on brand new devices, so it's not even just me that I have to worry about locking the car doors.

  • JasserInicide a day ago

    I'm so fucking sick of places enforcing that shit. Not all of us have shit passwords.

    • rcxdude a day ago

      There is still a ceiling to how secure a password can be which 2FA solutions will generally beat (mainly by the secret not being spread as far when used, such as keyloggers, window focus mishaps, or simply being sent to the server verifying it).

    • gear54rus a day ago

      At least they are not 100% head-in-ass sesoority yet and still allow you to at least self-host to disable that crap.

  • thomastjeffery a day ago

    Friction is bad security. Simple as that.

    Removing the friction of many passwords is the whole reason a password manager is good in the first place!

    It seems like every IT person needs this lesson reiterated to them, at least once a year...

    • TheFreim a day ago

      I am not suggesting friction as security, I am suggesting it so that the average user is funneled towards the most secure option, i.e. using 2FA, while allowing experienced users to put in a small amount of effort to disable it.

      • thomastjeffery a day ago

        That's not a meaningfully different context, unfortunately.

  • mplewis a day ago

    You don't need your phone. You need access to your email account. This is described in the article.

    • TheFreim a day ago

      Like numerous others, my email account password and 2FA codes are in Bitwarden.

      • notesinthefield a day ago

        I don't understand why people do this - those "bedrock" accounts like bank accounts shouldn't be in your password manager in my opinion.

        At the very least split your providers - no one manager has all my passwords and 2FA codes.

        • Wowfunhappy a day ago

          Because for security (!), I use a very strong and difficult to memorize password, with no backstop if I forget it. I only want to memorize one of those.

    • bgnn a day ago

      Why is this safer than requiring 2 master passwords? In the end an email account is accessible via a password.

      • Too a day ago

        Hopefully your email also requires 2FA :)

        Even without, accidentally getting one password leaked is a lot more likely than two. For whatever reason, shoulder peeking, keylogger, wrong input field, brute forced, and so on.

        • bgnn a day ago

          Yeah, so 2 passwords would do the same trick then?

          In my mind the email is the second worst 2FA since it's used for registering everywhere on the web and more prone to be compromised. Phone number is the worst.

godelski 2 days ago

I like bitwarden, but there are a lot of weird things that make me want to move or find a self-hosted solution. This feature may actually cause me to leave. I actually ended up buying a subscription and then refunding it in less than an hour.

So what's going to happen? Are they going to cache my location? Or are they storing a cookie on my side? Neither sounds great. Ever hear of a VPN? That's going to make my life easier....

Some more general complaints:

The storage thing is really weird. Did you know it is just stored on their server? So you can't store locally. But the worst part: when you want to retrieve the item, you download it and it just appears in your download folder. This is TERRIBLE and both of these make it absolutely useless. I have to download it when I need it, hope I have internet in that situation, and then delete it after because I'm... storing sensitive information, right?

The new design is just terrible and could only be designed by someone who assumes you never open the panel to fill in the website. Yet... that's the *most common* reason I open that.

Things like this give me concern that those designing the tool aren't thinking about other things. When it comes to security, all the little things matter a lot.

Of course there's frustrating things that I know they have little to no control over, like all the dumb Microsoft logins I'm forced to have and then annotate because I keep logging into the wrong account. But I do like that it integrates with Firefox's relay. The only thing I wish is that it wouldn't name the mask "Generated by Bitwarden." but "the fucking website name" (sure, append "Generated by Bitwarden" but no one cares and this does nothing to help brand recognition, it just makes things confusing).

  • slightwinder 2 days ago

    > I like bitwarden, but there are a lot of weird things that make me want to move or find a self-hosted solution.

    You can self-host Bitwarden. There is also an alternative server named vaultwarden.

    • coldpie a day ago

      I looked into this a while back and it was quite complicated. If you're used to hosting your own infra, it may not be a big deal, but it's definitely not a simple task for even an advanced desktop user. I ended up choosing KeePassXC, which just uses a dumb file on disk that I sync with Git.

      • Liquix a day ago

        not to be rude, but vaultwarden setup is fairly straightforward for an advanced user:

        1. Point your domain's DNS to server

        2. Run a reverse proxy with LetsEncrypt integration (Caddy, NGINX Proxy Manager, Traefik, etc)

        3. Run the Docker command

        https://github.com/dani-garcia/vaultwarden

        • godelski a day ago

          I don't disagree with you, but a lot of people don't understand any of those steps. 3 is the step most people will understand, I think you can understand that LetsEncrypt can be confusing the first time, and well... DNS... that's notorious for people being confused on.

          What people consider "advanced user" varies quite a bit and there's a lot of subdomains in computing. (Though maybe the term is also degrading...)

        • jbm a day ago

          > "Point your domain's DNS to server"

          A lot of advanced users don't have servers, and they don't want to expose their desktop or an appliance to the internet. Moreover, are you going to trust your precious password information on a leased server run by Linode or whoever?

          On topic, I use Bitwarden, but their changes to the iOS application are very annoying. I've been logged out repeatedly (at least once per week) and it keeps requiring me to input my password, without any way to reduce the overhead. It's so frustrating that I've been considering switching to the native iOS password app; if it was available on Linux, I would bid farewell to Bitwarden.

          • godelski a day ago

            I had issues with this (new iPhone user and ... well... I'm having fun...)

            A problem I had was my encryption settings. Definitely I am a bit overkill[0], but this might be worth checking. I use Argon2 and tried to find the max settings I could use on my iPhone 16. Make sure the KDF memory is lower than 256MB. Keep iterations low (<=10) and parallelism not too high (4 seems about right). So do something like 128MB, 8 iterations, 4 parallel and you'll be good. If this reddit post is anywhere near accurate, it should cost in the tens of millions of dollars to crack your master passphrase[1]. But users there also are saying they can get higher settings so YMMV. (BTW, these settings should be changed from the Bitwarden website.)

            [0] Philosophy has always been: make it as secure as possible without being meaningfully impactful. Which is always above the standard security levels.

            [1] https://www.reddit.com/r/Bitwarden/comments/1167rwm/pbkdf2_v...

        • ctkhn a day ago

          You don't even need to have your DNS turned on or run a reverse proxy - how often are passwords updating? My instance is local network only and the phone, desktop, and Chromium extensions sync when I'm at home.

        • 93n a day ago

          Plus backups, which you want to ensure are solid for data like this.

          • godelski a day ago

            This is my issue with hardware keys too. It's been unclear to me how I have a backup and what's the best way to ensure that that backup is constantly in sync.

            Plus, is a website going to support it? So many websites are shifting to OAuth, and making it the __only__ form of authentication. I really don't like this AND they usually only support a very limited set of authorities which is almost exclusively "Google and Apple", so I can't even run my own. What the fuck does the "O" in "OAuth" mean then?! (╯°□°)╯︵ ┻━┻ I'm trying to __reduce__ my (meta-)data exposure, not increase it!

            Like good god, I don't know if it is a conspiracy or stupidity that's causing all this centralization and I'm not sure there's a meaningful difference. (unintentional or implicit conspiring rather than explicit)

            This is Hacker News, surely there's people here that are fighting/pushing back. It's unclear to non-security experts like me how to actually do this besides not use a service (far easier said than done. These choices are often forced upon people)

  • zikduruqe 2 days ago

    > that make me want to move or find a self-hosted solution.

    passwordstore.org and "git init --bare password-store.git" somewhere on your own network.

  • Havoc 2 days ago

    It's not that hard to self-host. Only real gotcha is that you need SSL.

    • alt227 a day ago

      > Only real gotcha is that you need SSL

      Any reverse proxy handles that by default, it's no longer a gotcha

      • ctkhn a day ago

        And you can just self-host local only, it's what I do. Clients sync at home and don't lose the data when you leave the house. Even updates on one client (i.e. mobile) will propagate to others.

      • Havoc 19 hours ago

        Setting up a reverse proxy with SSL is a decent challenge for people new to this

    • godelski a day ago

      Sure, but then I need to spin up a server, lock everything down, pay money, deal with all that other stuff, and well... this isn't going to work for: my partner, my parents, my friends, my family, and so on.

anlsh 2 days ago

If anyone works at Bitwarden, can you get your UI people to stop retheming for the umpteenth time and instead make the "detailed view" of any entry read-only by default? Every time I need to access my notes on an entry I'm scared that I'll accidentally typo a letter into my password or a 2FA code or something

  • stronglikedan 2 days ago

    Strange, since mine is read-only by default. I always have to click the edit button on the detail view to make any modifications.

jaden 2 days ago

I get the desire to make the Bitwarden login more secure, but this is very likely to cause problems for users who don't have their email password memorized. 2FA already carries the burden of needing a backup if you lose your phone. This change means users will need to come up with an alternate way to log in to their email account. I'm not sure it's worth it.

wiether 2 days ago

I'm taking this opportunity to Ask HN: what do you think of the new Bitwarden browser extension?

Sure it looks more modern and a few things are better.

But personally I HATE the new "copy" button.

With the old version there was a button for each field: one to copy the login, one to copy the password, one to copy the TOTP.

Now there's just a single button that will display a list of options to choose from depending on what you want to copy.

So instead of copying a field with one click, now I need to do one click, go on the right option, and another click.

Even worse: if the account contains only one field, the copy button will still display the list of options, with just one option.

How could nobody think that when the user wants to copy something from a list, and this list contains only one item, the right thing to do is to copy this single thing, not ask them what they want to copy...

  • horsawlarway 2 days ago

    I want to second this.

    I don't mind the general visual update. But the change to the copy buttons was a step backwards.

    To the bitwarden folks... if I'm opening up the extension 99% of the time it's one of these use cases:

    1. I'm creating a login for a new site

    2. I'm on a site that doesn't support autofill, and I'm manually copying user/pass/code

    3. I'm filling credit card info, and want to select a specific card

    Both #2 and #3 got worse with this change. Put the damn copy buttons in the huge amount of whitespace you have for the entry. Don't hide them in an overflow. Put each of the user/pass/2fa buttons in a fixed space, and don't move them.

    • MrZander a day ago

      To throw in a second viewpoint: 99% of the time I open the extension, it is to trigger auto-fill. I don't like having my credentials auto-fill on page load, I like to be the one to trigger it.

      That being said, I also hated the change that hid the copy buttons, but they have a setting that brings them back.

      • buggy6257 a day ago

        You may know this, but they introduced a feature that lets you use Cmd/Ctrl+Shift+L in order to trigger auto-fill. I have disabled autofill on pageload but LOVE this shortcut key.

        • frameset a day ago

          I'm the same as you in how I use Bitwarden.

          I'd also like to add that if you keep repeating that shortcut it will cycle through the different logins you have for the current site.

          • buggy6257 a day ago

            I had no idea!! That’s awesome thanks for sharing.

        • Macha 12 hours ago

          I'd put the success rate for this feature at about 80% for passwords, 30% for address information, and 0% for payment info (maybe intentional?)

      • horsawlarway 14 hours ago

        I'm with you about not wanting the autofill, but I use the key combo mentioned below in nearly 100% of cases.

        The vast majority of the time I'm opening the extension popover it's because the key combo failed to autofill (site doesn't support it) and I need to manually copy/paste.

        For extra fun - the key combo is customizable if you don't like ctrl-shift-L

        Just hit up chrome://extensions/shortcuts and change the combo to something you'd like.

    • infogulch a day ago

      Did you look at the Appearance extension settings? They solve this problem for most people. (See elsewhere itt for details.)

    • bombledmonk a day ago

      Good, I'm not the only one. Fully agree with the UX regression on 2 and 3.

  • AdmiralAsshat 2 days ago

    Go to Settings -> Appearance -> "Show quick copy actions on Vault"

    • ffsm8 2 days ago

      Did that, didn't help me much, because another pain point is that the menu takes longer to open on first open.

      And search input until it's first rendered is lost now.

      Context: I need to input a 2fa code every morning when I start working - previously this was click on Chrome extension, type work, move hand to mouse.

      Now it is click, wait wait wait click again wait wait wait wait, click (menu opens finally), click on search input, type work, click on copy 2fa code

    • Fluorescence 2 days ago

      Thanks! Also nice to see a width setting and remove animations which improves my experience.

      Funny how I didn't even think to look for appearance settings.

      • Someone1234 2 days ago

        Yep. If you look at the feedback thread before this version was released, they legitimately did listen to feedback from power users and made changes.

        The first beta version had all of these annoying quirks, but then they added a bunch of settings (Compact Mode, Quick Copy Actions, Wide Mode, Disable Animations) that, after you change them, give you a solid experience.

        • davrosthedalek a day ago

          Is there a way to get rid of the "Fill" button and make the whole entry do the fill action? That's what it used to be, and I have soo much muscle memory for it. I almost never want to look at an entry.

          Nevermind, sibling had the answer: "Settings < Autofill < Click items to autofill from Vault"

        • medwards666 2 days ago

          Have to say ... I'm still not a great fan of the new UI, but the QoL settings under the appearance tab do at least make it bearable.

    • TheFreim 2 days ago

      Thank you so much, I hadn't even considered that there might be an option since I'm so used to UIs getting worse over time.

    • wiether 2 days ago

      Thanks!

      It looks like an afterthought from them because the label is the only one not translated on the extension.

      Anyway, I'm more than happy to have the quick actions back!

    • p2hari a day ago

      Thanks!! Really why not make it default :/

    • _benj 2 days ago

      Thank you!! I also hated the new copy icon!!

    • SkiFire13 2 days ago

      I didn't even try searching for this because nowadays chances are there is no setting for it, but it's so nice to see I was wrong.

    • lawn 2 days ago

      Wow, you're a life saver!

    • sakisv 2 days ago

      oh nice! Thanks!!!

    • Cortex5936 2 days ago

      holy shit why is this not default

      • HaZeust a day ago

        That and "Settings < Autofill < Click items to autofill from Vault" should 100% be default.

  • infogulch 2 days ago

    I like it! With the width and quick copy options under appearance settings there are no glaring issues, but there are two big benefits:

    1. It's much faster. This alone makes the refresh worth it imo.

    2. The edit item / fill item UX is much more consistent than it was. Before, when you search for and click a card it opens the item, but if you click a card because it matches the current domain then it fills the item; to open it instead you have to click the little "open item" button. Even as a long time user I would often misclick because the context changes the behavior of clicking a card and my muscle memory would be the opposite of what I wanted. Now there's a "Fill" button when a card matches the current domain and clicking anywhere else always opens the item. My only critique is that the Fill button could be a bit bigger so it's easier to click.

  • yoavm 2 days ago

    You probably know this, but I'm just writing it here because it took me a while to figure it out — you can also use the keybinding (Ctrl+Shift+L) to fill in login forms. It works 90% of time, and you don't need to copy anything. It really reduced the number of times I'm interacting with the extension's panel.

  • Modified3019 2 days ago

    Looks like some of these changes can be reverted: https://bitwarden.com/blog/bringing-intuitive-workflows-and-...

    • wiether 2 days ago

      Thanks!

      I hate the title "Tips for long-time Bitwarden users" like they are seeing us as dumb but whatever.

      If I can get my quick buttons back, I'm glad!

      • portaouflop 2 days ago

        Idk to me the title is as neutral as it can get - how else could they word it to not offend you?

        • egberts1 a day ago

          "We screwed the powerusers; here's how to get it back while we fix it ... back."

          • 542354234235 a day ago

            Things change. They made sure people could go back to any legacy behavior they personally favored, or not. "Please constantly be trying to improve your product, so change the things I don't like, but don't change anything I do like, even if I still have the option to pick and choose between legacy and updated options". Man, people will bend over backwards to be offended.

    • bryankaplan 2 days ago

      But folders are now stuffed into a small dropdown, leaving All Items as an unorganized mess.

      That change alone is pushing me to switch password managers.

    • godelski 2 days ago

      > Change the default behavior of clicking a vault item

      Thank fucking god... I keep opening my files when I'm really just trying to autofill because autofill doesn't work a lot of times.

      • hypeatei 2 days ago

        Just a handy tip: you can press Ctrl+Shift+L to autofill which also copies the TOTP code (if any) to your clipboard.

        • godelski 2 days ago

          I do use this but for some reason it doesn't work in the same way and will fail despite clicking working.

    • ajb a day ago

      Nice one! Have been annoyed at the new tiny 'fill' button.

  • doright 2 days ago

    I like how it's faster than before but the modern UI design trends are starting to wear on me. If you could have the old theme with the new features that would be good.

    The two-click copy button is absolutely the worst new "feature" they added. That setting should be opt-in by default.

  • HaZeust a day ago

    I hate how small the "Fill" button is, and how clicking on a card that represents saved credentials is no longer assumed as an intent to fill username/password on the page you're on.

    • MrZander a day ago

      I also hated this change, but there is a setting:

      Settings -> Autofill -> Click items to autofill in Vault view

    • giancarlostoro a day ago

      In some cases, it just falls apart when displaying over a text box and doesn't know what to do with itself, and sometimes breaks the UI for me. I keep the desktop copy around for the cases where I don't want to fiddle with the extension.

  • Cieric 2 days ago

    My personal problem is that I self host and the updated extension just completely fails to connect to my vaultwarden instance. I probably just need to repull the updated docker container, but it's something I would have rather not thought about. But since the extension auto updated I'm forced to think about it.

    • horsawlarway 2 days ago

      Interesting - I'm also running self-hosted and didn't have this problem (I think my last image pull was about a month ago, though - so somewhat recent).

      If you want, I believe you can override the update url in chrome to stop the auto-update process in the future: https://chromeenterprise.google/policies/?policy=ExtensionSe...

      Alternatively, at least for chromium browsers - you can download the .crx directly, unzip it (p7zip will do it), and sideload it using the "Developer mode" checkbox on chrome://extensions. Firefox sadly doesn't support this - they'll remove any sideloaded extensions on browser close.

      • Macha 2 days ago

        Yeah, the problem is with clients from January or newer, and vaultwarden versions from before October.

        It did lead me to discover my automatic update process wasn't actually rebooting the vaultwarden server.

    • sofixa a day ago

      > something I would have rather not thought about

      I mean, you're explicitly choosing to self-host an alternative backend server which isn't affiliated with Bitwarden. You could have used their SaaS, or self-hosted their official backend they provide on GitHub, for free, and which is almost entirely open source (AGPL, they have some small enterprise specific bits such as SSO which are under a commercial license which is still free, just not open source).

      But you chose to self-host a random person's project that tries to keep up with Bitwarden APIs and various frontends, on a best effort basis. That's a ton of risk I really wouldn't take with something as sensitive as passwords to everything.

      • gunalx a day ago

        It's pretty ok as the official client caches most stuff, everything is still encrypted, and most of all Vaultwarden is miles easier to self host than the official Bitwarden stuff.

  • latchkey 2 days ago

    For me, it is the double scroll bars in the browser extension. One to scroll in the list of passwords and another to get to the bottom of the extension window. This is even in "compact" mode.

    • panzi 2 days ago

      Interesting, I don't have that, only one scroll bar. I use it on Firefox. Do you force some different font or font size on all websites perhaps?

  • coderintherye a day ago

    It's been much, much slower to load on click for me now. Surprised others haven't experienced that so wondering if it is some extension conflict. Consistently takes 2-3 seconds to load up after click whereas before was instant-ish.

  • dml2135 a day ago

    Not a fan — it feels like an update just for its own sake, I struggle to think of anything that actually improved.

  • RockRobotRock a day ago

    Related question: is there any way to keep the Bitwarden window open when I’m unfocusing it without popping it out into a separate window? That workflow makes copying logins painfully slow for me.

    • Yeroc a day ago

      It wouldn't be so bad if the window closed but at least remembered the entry. I often have the issue where I had to search up an entry (credit card info for example) and then when I reopen the extension window I have to start the search all over again.

  • packetlost 2 days ago

    I didn't like it at first, but once I built up the muscle memory I like it a lot more.

    • Someone1234 2 days ago

      I love the fact it remembers what page you were on and leaves it on that page.

      In the previous version, you'd go Vault -> Search -> [Find Thing] -> Copy Username, but when you de-focused the extension it would return you to the vault home, so yet again you had to do Vault -> Search -> [Find Thing] -> Copy Password.

      This one, when it loses focus, it stays exactly where you left it.

  • mvdtnz a day ago

    The teeny tiny "Fill" button is the dumbest thing I have ever seen in a UI overhaul. A total misunderstanding of how their own product is used.

    • J_Shelby_J a day ago

      100% this is one of those changes that makes me doubtful of Bitwarden being a well maintained service in perpetuity.

      Like, if this change was an accident and slipped through that is bad. If it was approved, it's even worse because as you said, it shows that the person who is in charge of how we, the users, interact with the product day-to-day doesn't understand the product or doesn't take their role seriously.

    • xxkylexx a day ago

      Settings < Autofill < Click items to autofill from Vault

      • mvdtnz a day ago

        Of course it's not under Settings -> Appearance where the similar "Show quick copy actions on vault" option is. Why should an option that only affects the UI be in "appearance"?

        • favorited a day ago

          Because it barely changes the appearance at all? The actual effect of that setting is to change the behavior of the button to be autofill. The only visual change is that the small "Fill" button is removed.

          • mvdtnz a day ago

            It fundamentally changes the appearance of the UI, what are you talking about?

            • favorited a day ago

              These are screenshots from the extension, before and after checking that autofill box. The only visual change is the missing "Fill" button, because now clicking on the item itself performs the fill action. The rest of the UI looks exactly the same.

              https://imgur.com/a/ji3EAKw

  • adamtulinius a day ago

    Hate it (using the Firefox one). The look is weird, seems to waste space. New copy button sucks. I spent 10 minutes one day not being able to log in with a copied password, not realising it was because I was lacking the second click. Also the new suggested results (when searching) honestly just get in the way, since the order of the results is not always the same anymore.

  • serial_dev a day ago

    It's bad, it is no longer capable of filling out password fields, I need to copy it manually and then paste it.

    • Wowfunhappy a day ago

      Yes, this is my issue too! The new UI is bad, but the bigger issue is it's just much worse at autofill!

  • boneitis a day ago

    seems there are reports of different sorts of delays in the comments.

    w.r.t. a small, split-second one in initial rendering, i'd take it ten times out of ten over what it was for me all these years: immediate ability to key in input, but if you typed at the precisely (im)perfect moment, which was an extremely common occurrence, the extension would bug out and not perform the actual search.

    so i'm sitting there for about a whole second wasted for having waited out the threshold to realize that it bugged out yet again and didn't perform my search. then, i would have to either backspace or type in the next character in the query in order to trigger the search; this was often an unpleasant added mental overhead when backspacing would repopulate results that you were trying to filter out.

    i'd rather have the split-second delay for every initial render.

  • BozeWolf a day ago

    If you insert the password using bitwarden browser extension, then the totp token is under cmd-v. Even better.

    At least on safari.

  • moogly a day ago

    Every single change is for the worse. It's kind of insane how they managed to do that, actually.

  • t0bia_s a day ago

    I'm not a fan of the copy button and design as well. Dark mode has huge contrast with outlines and rounded corners are space inefficient. It's like a design for a small touch screen, not a desktop addon to a browser. Take inspiration from uBlock.

  • sunaookami a day ago

    It's awful, it's slow, it's hard to use, confusing and they made editing even worse. The old UI also had its problems but they weren't this bad. I despise these constant UI changes that only make the product worse without any benefits.

  • INTPenis a day ago

    I just started using it and my co-workers who have been using the old one say it sucks but I honestly have no opinion. It seems to do the job to me.

  • pknomad a day ago

    I don't personally like it but I suspect much of it had to do with me getting used to just clicking once and having to unlearn the habit.

  • aceazzameen a day ago

    In full agreement the multiple clicks have been annoying. The old UX with multiple contextual buttons was better.

  • buro9 a day ago

    I hated it so much I migrated to ProtonPass, deleted my data, and set my account to expire.

    Then Proton CEO made some statements I found offensive, so I re-activated my Bitwarden account, migrated back, and am now learning to love the changes.

    The best I've got for tips are:

    1. Settings > Appearance > Quick Copy

    2. Settings > Appearance > Compact Mode

    3. Settings > Appearance > Extension Width > Wide

    I still don't love it, but it remains the best of the bunch.

    • teekert a day ago

      I searched but for the life of me can’t find what “Fash” is, and boy am I curious (as somewhat of a Proton fanboi).

      • blandcoffee a day ago

        Recently the protonmail founder has come out for republicans on antitrust enforcement - you can view some recent discussion here:

        https://old.reddit.com/r/ProtonMail/comments/1i2nz9v/on_poli...

        • teekert a day ago

          But, that is a good thing right?

          I don’t get it, we want anti trust laws right? Democrats as well I assumed? I actually thought they were more of a democrat thing tbh, but now that the republicans want them they are bad? I don’t get it anymore.

          • ruszki a day ago

            Antitrust enforcement, sure, it's a good thing. Pretending that Republicans are better than Democrats in that sense, is not that great. Especially after who attended the inauguration, it's very naive to hope that they will solve "Big Tech abuses" in any way.

      • acheong08 a day ago

        https://theintercept.com/2025/01/28/proton-mail-andy-yen-tru...

        I'm assuming they meant fascist because the CEO is a republican.

        As a non-American, it's not my problem but I can see why people would want to distance themselves

        • teekert a day ago

          Wow republicans are now called fascist? Idk I always thought Schwarzenegger was such a nice example, wise, gentle, kind, funny and republican. Not loving the Trump, sure, but to say such a thing based on how someone votes, man you’re falling low.

          Edit ok read the X post, man you guys are losing it if you call that fascist. So divided, you can be either black or white. I feel sorry for you.

          Say one thing good about Trump and you’re a fascist, just pretend that all he does is bad. There is no more way of looking at it objectively. No wonder you are so divided over there. I really would stop watching the news. Half your country voted for him. What does it say about you that you view half your country as fascists?

          • acheong08 12 hours ago

            It's probably less about viewing Trump as a fascist and more being afraid of being grouped in with Trump supporters by your in-group. It's a really divided country and there are circles where you could be outed even for expressing neutrality.

            Again, I am not American, and would rather avoid the mess that is their politics

      • Xiol32 a day ago

        Fascist.

        I'm very surprised a search didn't turn this up for you, or you're not asking in good faith.

        • teekert a day ago

          I use ddg with country set to Netherlands, fash turns up many things, fascist is not among them.

        • dude187 a day ago

          But he's a Republican. Why would a Google search for "fash" clear that up?

          • teekert a day ago

            I just ddged for “fash”, I mean labeling the CEO of Proton no less, an org that does so much good, that has such a nice vision, can shield people from their state because they believe in their right to privacy. To label such a person a fascist is just unimaginable to me. I find it shocking that so many people just use this super small thing to judge Andy Yen. I’m really shocked. How dare these people put such opinions online? It’s so “140 chars” to define a person. It’s what’s wrong with the internet these days.

      • BobaFloutist a day ago

        Fash is short for fascist. Just going off of the latest news, maybe he came out in defense of Musk or just tweeted in favor of Trump?

      • zoul a day ago

        fascist

  • blackhaj7 a day ago

    Agreed. I keep clicking copy and thinking it copied when all it did was open the menu

  • crossroadsguy a day ago

    The day Bitwarden was VCed I knew there will be a time when I will be desperate to find alternatives. I guess that time is coming closer.

    The thing I despise most among their UI “improvements” is entry click expands the entry now. To fill you have to find that tiny “fill” button and click that.

  • gunalx a day ago

    Same, new copy button just takes more time than previously.

    Actually pretty annoying.

  • brightball a day ago

    They are defaults. You can change it under the appearance menu.

  • csomar 2 days ago

    It’s horrible. They also updated the iOS app and it’s buggy.

  • albybisy a day ago

    Also 2FA with a passkey on the Bitwarden website doesn't work with the extension. It can't find the passkey.

  • renewiltord a day ago

    This extension is the only thing on my computer that is slow. I have an M1 Pro and an M1 Max laptop and the new visual refresh has made the extension very slow and a lot less usable.

    The old one was instant on clicking the shield icon. The new one is slow and flashes a few times before showing me the UI.

    Also, the entire field used to be selectable to fill fields. Now I have to aim at the tiny Fill icon and it's even harder to get to the time-based 2FA code.

    I get why they've done it but I have never seen any software this slow in my life. Even just displaying the boxes seems like it needs a progress bar.

  • wruza a day ago

    The new desktop browser plugin is disgusting even after I went through settings. Won’t reiterate here, one of the worst UIs I’ve ever seen and if I were to choose today, I would not choose bitwarden only because how ugly and unusable it is.

    Bitwarden, return the normal UI back!

  • nikanj a day ago

    Modern design: looks cleaner, is harder to use (more clicks)

  • portaouflop 2 days ago

    It took me a day to get used to the new UI but now I love it - just goes to show that you can only get UX wrong / UX is hard. It’s good to have both options configurable though!

Lammy 2 days ago

This one is not too bad since it's only once per device, assuming they define a device by generating some unique value at first login so I really won't have to go through it again despite any updates, changes in network, etc.

In general though I have become incredibly sick of mandatory 2FA for every-goddamn-thing. I do use it very often, but it should be my choice and not forced on me. The usual retort is blah blah blah I might understand the trade-offs but normies don't and so forcing it is a net positive, but I'm me — not them, so that usual response is just to tell me that my feelings don't matter.

  • lxgr a day ago

    > but it should be my choice and not forced on me

    Since service providers are often legally and even more often practically required to cover losses resulting from account takeovers, it's really not your choice alone.

rlpb a day ago

I very carefully added 2FA to my wife’s Bitwarden account a while ago. I got her a Yubikey and added mine as well as my backup keys in case one ever got lost.

I discovered much later that they call email “2FA” so her account isn’t actually protected by the hardware keys at all. Like others here, this doesn’t make sense to me since it’s circular.

(and separately, the Yubikey seems to often not work on Android anyway)

  • crossroadsguy a day ago

    X.com is one site where 2FA just doesn’t work for me and I had to repeatedly contact them to “unlock” it or so. Finally I had to disable it and if the a/c ever gets taken over I’d let it be.

stronglikedan 2 days ago

And the "mandatory" part will probably lose them at least one customer (me).

  • xxkylexx a day ago

    It's not mandatory, it's a default. I asked the help docs team to update the FAQ to include that there is an opt-out option under account settings.

    • Nyr a day ago

      You are using present tense, but there is not an opt-out option right now, and zero reasonably accessible documentation about it exists.

      Rolling out such a significant change with just a few days advance notification shows an incredible level of incompetence.

    • jmholla a day ago

      Yea. This article needs to be updated if that is the case. There isn't even a hint that this is possible. And there are very valid reasons to not turn it on as these comments have shown.

    • codemac a day ago

      Instructions on how? I need to walk family members through this.

      • jillesvangurp a day ago

        Same here. I have a 77 year old father who has had a stroke who is not going to be able to wrap his head around the notion of 2FA. It's a bridge too far. Not going to happen. He's just going to get confused and give up when faced with crap he doesn't understand (that's literally how it works with him). I've seen him break into tears because he couldn't figure out some mobile phone UX. Kind of heartbreaking to watch that happen. That's what strokes do to people. Stuff like this doesn't help people like that.

        I'm thinking the built in browser password manager might be a safer, more usable option for him at this point. It's probably what I'll have to recommend when this inevitably blows up in a few months.

        2FA is a hurdle for normal users. I've had to support 2FA for our Google workspace account for some of my non technical colleagues. It's a PITA; almost 100% of them needed me to unblock their account at some point. Absolutely terrible UX. Most users aren't compatible with this stuff. That's why all the big companies are pushing for passkeys now. I don't think that actually fixes the problem and just moves it instead.

        But I get it. Bitwarden wants to appeal to corporate IT managers so they can sell expensive enterprise licenses because IT managers are most of their paying customers. And for that they need to sacrifice UX. Because IT managers like liability even less than service providers (like Bitwarden). They'll make their users jump through hoops one hundred percent of the time if it reduces their exposure to their mistakes. So sacrificing UX for that is a small sacrifice. But it is a sacrifice that buys ass coverage for Bitwarden and IT managers. At the cost of users.

        • mnming a day ago

          Although currently Bitwarden Passkey is completely broken on Android.

          I switched to other providers because of this.

fungiblecog a day ago

While we're bitching about the Bitwarden UI, my pet peeve is that 99% of my accounts use my email as the username but I still have to type it in every time I create a new account. How about having auto-suggest?

  • dyml a day ago

    I work at Bitwarden and I have that same pet peeve! Let's see if I can get a PR up without causing a UX stir :)

  • crtasm a day ago

    Firefox autocompletes previously entered emails/names/etc. for me, your browser may have the option too.

alkh a day ago

Today, I almost had a heart attack cause I couldn't log in to BW Web. Strangely, both mobile and Desktop versions worked fine with the same password... The issue resolved automatically in a few hours, still no idea what this was.

Still, I backed up my passwords as soon as I logged into the mobile app, so like some people here say I highly recommend everyone do periodic backups and not be like me (:. I would have lost everything if something did happen to my vault access

grougnax a day ago

This is very bad news

redmajor12 a day ago

For someone who has only used offline, local password vaults, what is the advantage of a cloud-based solution (for personal use, not enterprise)? I'm interested in their self hosted option, but not sure what the advantages would be over keepass and syncthing.

  • starkparker a day ago

    Convenience and portability for people who don't want to use, or aren't going to learn how to use, anything more complex than an app, browser extension, or website.

    Accessing a password vault from any arbitrary internet-connected device and browser through the web is also convenient, even if to you or I that serves more as a reminder of how accessible your passwords might become to unauthorized users. Sharing credentials between Bitwarden users is also more convenient.

    If you self-host, you can provide those service to friends or family members who don't have your technical aptitude. For teams and businesses, it provides an auditable service with directory integration and other optional enterprise features (SSO, fine-grained access).

    All of these are possible without a SaaS, just less convenient to set up. You and I might consider setting up our own personal password management to be a fun and useful project, or at least a trivial time expense compared to the value. When something like Bitwarden provides all of those features and more for $0 to $10/year, even a small time and maintenance burden might not seem worth it to a less technically savvy user.

  • turbojet1321 a day ago

    The big thing that got me to move off passwordstore to BW (and self-hosted vaultwarden) was sharing passwords with family. The app and browser extensions are nicer, too.

ss64 2 days ago

This is why I like generating passwords with a one-way SHA-256 hash, no need for any storage or encryption and no reliance on some website service being up.

  • eterm 2 days ago

    And no way to change your password when it's compromised?

    • lxgr a day ago

      And no way at all to protect yourself against any site you use this scheme on brute-forcing your master password without you even being aware of it.

  • Too a day ago

    Now add one special character, mix upper and lower case, max 32 characters. This wouldn’t work on even 1% of all websites out there.
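The stateless hash-derived password scheme ss64 describes, together with the three objections raised in the replies (no per-site rotation, offline master-password guessing by any site that sees one derived password, and failing composition policies), as an added example not taken from any commenter. It assumes a constructed recipe of hex(SHA-256(master ":" site)) and a constructed toy policy; ss64's exact recipe is not given.

```python
import hashlib
import re
from typing import Iterable, List, Optional

# Constructed recipe (assumption): per-site password is the hex SHA-256 of
# "master:site". There is no stored state and no per-site secret.
def derive(master: str, site: str) -> str:
    return hashlib.sha256(f"{master}:{site}".encode()).hexdigest()

# Toy composition policy of the kind Too describes: upper, lower, digit,
# symbol, at most 32 characters. A hex digest is 64 lowercase hex chars,
# so it fails on three counts.
POLICY = (re.compile(r"[A-Z]"), re.compile(r"[a-z]"),
          re.compile(r"[0-9]"), re.compile(r"[^A-Za-z0-9]"))

def meets_policy(pw: str) -> bool:
    return len(pw) <= 32 and all(p.search(pw) for p in POLICY)

# eterm's objection: the only input besides the site name is the master, so
# rotating one compromised site password means changing the master, which
# changes every other site's password too.
def sites_changed_by_new_master(old: str, new: str, sites: Iterable[str]) -> List[str]:
    return [s for s in sites if derive(old, s) != derive(new, s)]

# lxgr's objection: a site that stores the derived password it received can
# check master-password guesses offline, with no login attempts to detect.
# The guess list here is a constructed three-word toy, purely to show the risk.
def site_can_recover_master(site: str, stored_pw: str,
                            guesses: Iterable[str]) -> Optional[str]:
    for g in guesses:
        if derive(g, site) == stored_pw:
            return g
    return None

SITES = ["bank.example", "mail.example", "forum.example"]  # constructed
```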

self_awareness a day ago

I'm paying for Bitwarden now, but after they enforce 2FA, I'll stop.

  • crossroadsguy a day ago

    I thought of stopping the subscription after I reported a blocker issue in great detail with multiple emails but they didn’t tell me why it was happening, nor did they share the ticket created or whether a ticket was created in the first place - in fact they didn’t respond at all, not even to follow ups. UI “improvements” finally did it for me and I stopped paying — also, started taking periodic backups.

  • dyml a day ago

    We're enabling it by default, you can opt-out.

workfromspace a day ago

Yet we still don't have any tags / labels for passwords...

lousken 2 days ago

still didn't implement showing credential information when searching so that you don't end up with 10 credentials with the same name across folders? shame

Canada 2 days ago

Reminder: Dump your password manager database into cleartext backups regularly. Store them on encrypted media (e.g. USB stick with FileVault, VeraCrypt, or similar).

Then you will not be totally screwed if your password manager does a rug pull against you such as what Bitwarden is doing with this change.

  • mplewis a day ago

    How is this new policy a rug pull?

    • Canada a day ago

      It's a password manager. It must never, under any circumstances, add any additional barriers to getting in that aren't explicitly configured by the user.

      This is going to lock out many users. They will not realize this new arbitrary requirement to be able to access the email address. They will lose their existing device. They will get a new device, install Bitwarden, and try to log in with their master password, only to find that Bitwarden has moved the goal posts. They will be locked out of everything.

      Even if 99.99999% of users would benefit from this change, Bitwarden shouldn't do it because it'll unfairly lock out 0.00001%. If they really want to do this change, then they should have like 2 years of warnings displayed on existing clients, and also have an option to permanently disable any 2FA requirement.

tonymet 2 days ago

I encourage everyone to update your email address (user login) by adding some novel characters to your email like youremail+bw1234@gmail.com because there are active attacks against Bitwarden right now.

Thankfully Bitwarden warned me about the attempts. For the rest of the customers it's a matter of time before you are a target.

bongodongobob a day ago

Great example here of HN's ignorance of basic security in this thread. Bitches and moans about companies' data breaches. Bitwarden turns on 2FA by default to kill 99.9% of attacks (you all should be smart enough to be using this already) and y'all are crying about it.

I hope the companies you work for have security teams to protect the company from your crazy attitudes.

  • physicsguy a day ago

    The whole point of a password manager is that you can use it to log into things like email.

    I have a single password I only use for Bitwarden and nothing else. All of my other passwords are randomly generated. How am I gaining security by enabling MFA? If I lose my phone on holiday now, I’m in a position where I can’t log into anything because I won’t be able to log into my email.

gpi 2 days ago

Why is this news? 2FA is quite basic is it not?

  • tredre3 a day ago

    The news is that it is now mandatory.

    • xxkylexx a day ago

      It's not mandatory, it's a default. I asked the help docs team to update the FAQ to include that there is an opt-out option under account settings.

      • self_awareness a day ago

        Where's the option? I don't see it.

        • TheFreim a day ago

          The documentation now says "Users who opt-out from their account settings, to which an option will be added, are excluded" so it appears that there isn't an option yet but that they will add it later.

jampekka 2 days ago

If you want to be truly secure, use a Bitwarden random password for your email and wipe your device!

move-on-by 2 days ago

I didn’t realize it was not required. This is a good change.

I could see this being one of those no-brainer decisions that requires herculean effort to push through all the product politics.

I would love to hear how this change came about and what hurdles needed overcoming from someone in the know.

  • AlotOfReading 2 days ago

    This is pretty far from a no-brainer to me. The FAQ even has the reason why: "what if I store my email password in bitwarden?"

    One of the main reasons to use bitwarden is as a synchronized backup when the system autofill fails, which tends to happen in the same situations this 2fa check will trigger (new devices).

    It adds a potential failure mode without meaningfully benefitting my personal security model.

    • Macha 2 days ago

      I like how they're like "Oh just use a 2FA app"

      The password to my 2FA app is also in bitwarden. It's actually much more aggressive about session expiry.

      • unavoidable a day ago

        Also my 2FA app _is_ BitWarden...

        • wccrawford a day ago

          This is why I'm seriously considering changing.

          That, and I feel like password-filling on Android is awful. Plus, it pops up in DuoLingo when it isn't wanted, and they're silent on the issue.

          Seems like it's just time to find some other password manager.

  • Longhanks 2 days ago

    I hate the cumbersomeness of 2FA and am prepared to take full responsibility for the consequences of not using it.

    This is not a good change for me. This annoys me. I will not be using or considering Bitwarden going forward.

  • greenleafone7 2 days ago

    I agree, totally a no-brainer. Security through making things so annoying that even the guy that is supposed to log in just doesn't any longer. In fact I agree so much with you, we should go even farther. I propose a service where you have to sprinkle some drops of blood on your keyboard every 5 minutes. If you fail to do so, all your accounts will be permanently deleted.

    Or wait, I got an even better one: we will go to the house of each person on the planet and destroy their computer--there's your absolute security right there. No BrAiNeR.

  • codinhood 2 days ago

    Yeah it's interesting because on the one hand you're adding one more step to login. You're adding friction. On the other hand, it's pretty obviously a good security practice.

    I wonder what the product and stakeholders discussed. Were there metrics on how many users they might lose with this?

  • weaksauce 2 days ago

    this is not a good change.

AutistiCoder a day ago

SMS-based two-way login would be a better way to do 2FA.

Think of it from the user perspective - now they have to download and use yet another app on their cellphone just to log in.

Yes, I am aware of SMS's vulnerabilities - but the weakest link is always the user.

  • qzx_pierri a day ago

    >Yes, I am aware of SMS's vulnerabilities - but the weakest link is always the user

    Or the phone provider's call center employee who gets tricked into helping a bad actor perform a sim swap. I pray you're never in charge of my data.

    • Enginerrrd a day ago

      They'd still have to have your vault password.