Bitwarden is a beloved password manager for good reason: it's feature-rich and its paid subscriptions cost mere pennies ($10/yr). The service is also proactive about regularly strengthening security for its customers.
Here's the latest security update for cloud-hosted personal accounts: starting in February, if you don't have two-factor authentication enabled, a confirmation code will be sent to your email address when you log in from an unrecognized device. It must be entered to approve the sign-in attempt.
In its announcement of the new feature, Bitwarden says an unrecognized device is any device not previously used to log in, one where the Bitwarden app was uninstalled, or one that had its Bitwarden login cookies wiped. The service will treat all of these situations as new devices and require this verification step.
On the whole, this change is good: if someone guesses your master password but can't read your inbox, your vault is protected against intrusion. But one big hazard exists with this new layer of security, and Bitwarden specifically calls it out.
Bitwarden's example screenshot of the upcoming verification check when logging in on a new (or "new") device. (Image: Bitwarden)
If you store your email credentials in your Bitwarden account, you can accidentally lock yourself out of both your email and your password manager, with little to no recourse. How? If you need to open your Bitwarden vault to look up your email password, and Bitwarden sends the verification code to that same email address, the two logins depend on each other and you have no way of accessing either site from a new device.
This potential doomsday scenario isn't limited to Bitwarden, either: other password managers also insert an additional confirmation step for unrecognized devices.
Fortunately, there's an easy solution. You can simply memorize your email password separately from that of your password manager, so that the email login no longer depends on the vault.
Alternatively, for Bitwarden specifically, this new security check can be bypassed if you log into your account with a passkey or enable 2FA. It isn't applicable to users who log in via SSO or an API key, or who self-host their vault.
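The lockout and the fixes described above can be checked mechanically. The following is an added example written for this page, not Bitwarden's code: it models what you hold on a fresh device (memorized secrets, a second factor, a passkey) and the alternative ways each login can be opened, then computes which logins are reachable. The account configuration flags and the scenario inputs are constructed for illustration. A login that depends on another login that depends back on it, with no outside entry point, never becomes reachable; that is exactly the email-in-the-vault trap, and adding a memorized email password, a 2FA factor, or a passkey breaks the loop.

```python
"""Model of the Bitwarden new-device verification lockout (added example).

Everything you can hold on a fresh device is a string: a memorized secret,
a second factor you carry, or a session you have already opened. Each
session lists the alternative ways to open it as an OR-list of AND-sets.
Reachability is a fixed point over what you hold, so a circular dependency
with no external entry never resolves.
"""

MASTER = "secret:master_password"   # Bitwarden master password (memorized)
EMAIL_PW = "secret:email_password"  # mailbox password, if memorized
TOTP = "factor:totp"                # authenticator app or hardware 2FA
PASSKEY = "factor:passkey"          # passkey registered with Bitwarden
VAULT = "session:bitwarden"         # an unlocked vault on this device
MAILBOX = "session:email"           # an open mailbox on this device


def build_requirements(two_factor_enabled, passkey_enrolled, email_password_in_vault):
    """Encode the article's rules for one (constructed) account configuration.

    Modelling assumption: with 2FA enabled the new-device e-mail code is not
    required, as the article states; without it, a new device needs the
    master password plus a code delivered to the mailbox.
    """
    vault_ways = []
    if two_factor_enabled:
        vault_ways.append({MASTER, TOTP})
    else:
        vault_ways.append({MASTER, MAILBOX})  # the new-device verification code
    if passkey_enrolled:
        vault_ways.append({PASSKEY})

    mailbox_ways = [{EMAIL_PW}]
    if email_password_in_vault:
        mailbox_ways.append({VAULT})  # read the mailbox password from the vault

    return {VAULT: vault_ways, MAILBOX: mailbox_ways}


def reachable(requirements, held):
    """Everything obtainable from `held` by repeatedly opening sessions."""
    have = set(held)
    changed = True
    while changed:
        changed = False
        for target, ways in requirements.items():
            if target not in have and any(way <= have for way in ways):
                have.add(target)
                changed = True
    return have


def locked_out_of(requirements, held):
    """Sessions that can never be opened from what is held on a new device."""
    have = reachable(requirements, held)
    return sorted(s for s in requirements if s not in have)


if __name__ == "__main__":
    # Constructed scenarios; `held` is what the user has on a wiped or new device.
    no_2fa = build_requirements(two_factor_enabled=False, passkey_enrolled=False,
                                email_password_in_vault=True)
    # Vault needs the mailbox, mailbox needs the vault: both stay locked.
    print("no 2FA, email pw only in vault:", locked_out_of(no_2fa, {MASTER}))
    # -> ['session:bitwarden', 'session:email']

    # Memorized email password: mailbox opens, code arrives, vault opens.
    print("no 2FA, email pw memorized:", locked_out_of(no_2fa, {MASTER, EMAIL_PW}))
    # -> []

    with_2fa = build_requirements(True, False, True)
    print("2FA enabled:", locked_out_of(with_2fa, {MASTER, TOTP}))
    # -> []

    with_passkey = build_requirements(False, True, True)
    print("passkey:", locked_out_of(with_passkey, {PASSKEY}))
    # -> []
```

The same check also shows that enabling 2FA does not help if the second factor itself is lost along with the device: with only the master password held, a 2FA-enabled account with the email password stored in the vault is again locked out of both logins, which is why recovery codes and a memorized email password belong outside the vault.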
If you haven't already started using passkeys or 2FA, you really should, whether or not you use Bitwarden. This kind of limited verification check isn't as strong as either of those two protections, and not all password managers send one out. At minimum, if you have a weak password securing your vault, upgrade it ASAP. A password manager can try to help save us from ourselves, but it's never a guarantee.
Further reading: The best password managers we've tested