A stranger probably wouldn't delete your vault. u/Jon2D again, the right answer here is to bolster the security on your email account. Most major providers such as Google and Microsoft allow you to associate a security token (like a YubiKey) with your email, so that AIN'T NO EFFING WAY someone will take over your email. Since the email also has security alerts (like failed login attempts), you really want to protect it in any regard. I do not feel that Bitwarden should do anything more than they have to protect the vault. Protecting the vault's associated email is an important responsibility for the vault's owner. And, unfortunately, a common workflow is when a novice password vault user forgets their master password and has to start over; this means you should not require the master password in order to delete the vault. Make sure you get push alerts (i.e., Gmail on your mobile phone) so that you are notified of security threats. Take the security of your email account seriously! Use 2FA on it as well as your Bitwarden account.

When you go to that link, you enter an email address. Presumably you enter your OWN email address. I get the impression that you think at that point the account gets deleted.

Bitwarden sends an email to the email address you entered on that form. You then log into your email, find the message they sent you. The linked page warns you "Hey dummy, you're about to wipe your account clean. Seriously?" And NOW, when you click Delete, the deed is done. I tried it with a free account that didn't have 2FA set up. Presumably if I tried it with my real account, I'd have had to provide a 2FA code as well.

You also seem to think it's a vulnerability that allows anybody to delete someone else's account. If YOU went and typed in MY email address, I would get the confirmation email containing the link. Now it's not unthinkable that I would be so stupid that I would actually click that link (without reading what it's about) and then click the second link on the last page (again, without reading the final warning). But you know, that kind of carelessness can't be helped.

POSTSCRIPT: Is this a bug? Maybe not

Sorry, you confused me with the phrase "if somebody got my password for my email address." I now understand you to mean "if somebody had access to my email account". (For example, if you work with other people and you've ever walked away from your computer with your email account up and accessible, they have, if only for a few minutes, the access they need to get that delete-account confirmation email from Bitwarden.)

This is being written AFTER I wrote most of the rest of this response, including the part below where I tested with a new account + 2FA and discovered that you are right: even with 2FA on the Bitwarden account, I was able to delete the account.

But I was just writing my bug report to Bitwarden and it occurred to me that this might actually NOT be a bug at all. If the user loses their master password - which does happen! - this might be the only way for them to secure their account. And now that I think about it, I'm almost certain that this is precisely why this option exists. If this weren't possible, and a user loses their master password to Bitwarden (with or without 2FA), then the account becomes an orphan. Lots of crucial data out there on Bitwarden's servers waiting for somebody extremely clever to figure out how to hack into it. Ain't gonna happen, in real life, but you know, maybe I'm wrong.

Unauthorized access to your email is bad in itself

Here is what I wrote earlier (FWIW.)

"(if they have access to my email) they can't do much damage other than try to reset passwords."

Forgive me if I digress here and disagree strongly with this. If anybody has access to one or more of your email accounts - email accounts that you use for your other various accounts on the internet like bank accounts, Amazon, Netflix, etc. And they don't have access to the account you use for Bitwarden to do that mischief.

A lot of accounts use an email to reset passwords. So if I use a Gmail account for (say) my Amazon account, and somebody has access to my Gmail account and knows the email account I use for Amazon (probably the same email, and not hard to guess), then they click the "I've forgotten my password" box when they try to log in, get a reset link in email, and they now own your Amazon account. NOTE: They didn't get into Bitwarden at all, didn't delete your Bitwarden account, they just stole another account. Pretty much anywhere that does not require 2FA. That's why it's so important to have very long, strong and unique passwords on your email accounts. And 2FA (even if it's 2FA where you get the codes from Bitwarden).

But you have a point about Bitwarden

But you are on to something and I'm going to agree with you. I just created ANOTHER test Bitwarden account and this time I set up 2FA on it.
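The deletion flow the thread walks through (type an address into the form, get a link by email, click it, confirm) can be modelled in a few dozen lines, and doing so makes the security point concrete: the account's password and 2FA never participate in that flow, so whoever can read the inbox holds the whole capability, while a stranger who merely types your address, or tries to fabricate a link, gets nowhere. The following is an added example written for this discussion, not Bitwarden's code, and it says nothing about Bitwarden's internals; the HMAC-signed, one-hour, single-use token design and all names and sample addresses are assumptions chosen for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed for this example: a demo-only server key and link lifetime.
SERVER_SECRET = b"demo-only-server-secret-do-not-reuse"
TOKEN_TTL_SECONDS = 3600


class DemoVaultService:
    """Toy model of an email-confirmed account deletion flow.

    Hypothetical code written for this discussion. It is not Bitwarden's
    implementation; it only reproduces the steps described in the thread:
    type an email address, receive a link, click it, confirm, gone.
    """

    def __init__(self):
        self.accounts = {}        # email -> {"has_2fa": bool}
        self.inboxes = {}         # email -> list of delivered messages
        self.used_tokens = set()  # makes each link single-use

    def register(self, email, has_2fa=False):
        self.accounts[email] = {"has_2fa": has_2fa}
        self.inboxes.setdefault(email, [])

    def _mac(self, email, issued_at, nonce):
        msg = f"{email}|{issued_at}|{nonce}".encode()
        return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()

    def request_deletion(self, email, now):
        """Step 1: anyone can type any address into the form.

        The only effect is a message to that address; nothing is deleted yet,
        and the response is the same whether or not the account exists.
        """
        if email in self.accounts:
            nonce = secrets.token_hex(8)
            token = f"{email}|{now}|{nonce}|{self._mac(email, now, nonce)}"
            self.inboxes[email].append({"subject": "Confirm account deletion",
                                        "token": token})
        return "If that address has an account, a confirmation email was sent."

    def check_token(self, token, now):
        """Validate a link: MAC, expiry, single use. Returns the email or None."""
        try:
            email, issued_at, nonce, mac = token.split("|")
            issued_at = int(issued_at)
        except ValueError:
            return None
        if not hmac.compare_digest(mac, self._mac(email, issued_at, nonce)):
            return None                       # forged or tampered link
        if now - issued_at > TOKEN_TTL_SECONDS:
            return None                       # stale link
        if token in self.used_tokens:
            return None                       # already consumed
        return email if email in self.accounts else None

    def confirm_deletion(self, token, now):
        """Step 2: the final "Delete" click on the linked page.

        Note what is NOT checked here: the master password and the account's
        2FA. Possession of the inbox is the whole capability.
        """
        email = self.check_token(token, now)
        if email is None:
            return False
        self.used_tokens.add(token)
        del self.accounts[email]
        return True


def run_scenarios():
    """Constructed scenarios mirroring the thread's claims; returns outcomes."""
    t0 = 1_700_000_000
    svc = DemoVaultService()
    svc.register("victim@example.com", has_2fa=True)
    results = {}

    # A stranger types the victim's address into the form. Without inbox
    # access the link is never seen, so the account survives.
    svc.request_deletion("victim@example.com", now=t0)
    results["stranger_request_alone_deletes"] = "victim@example.com" not in svc.accounts

    # The stranger tries to fabricate a link without the server key.
    forged = f"victim@example.com|{t0}|00000000|{'0' * 64}"
    results["forged_link_accepted"] = svc.confirm_deletion(forged, now=t0 + 10)

    # Someone who can read the inbox (shared machine, compromised mailbox)
    # clicks the real link and confirms. 2FA on the vault never comes into play.
    real_token = svc.inboxes["victim@example.com"][-1]["token"]
    results["inbox_reader_deletes_despite_2fa"] = svc.confirm_deletion(real_token, now=t0 + 60)

    # The same link cannot be replayed afterwards.
    results["replay_accepted"] = svc.confirm_deletion(real_token, now=t0 + 120)

    # A link left unread past its lifetime is rejected.
    svc.register("late@example.com")
    svc.request_deletion("late@example.com", now=t0)
    old_token = svc.inboxes["late@example.com"][-1]["token"]
    results["expired_link_accepted"] = svc.confirm_deletion(old_token, now=t0 + TOKEN_TTL_SECONDS + 1)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Running it shows the same split the thread arrives at: the forged and replayed links fail, the stranger's request on its own changes nothing, and the one path that does delete the vault is the inbox reader, regardless of 2FA on the vault itself. That is the argument for treating the mailbox as the root of trust (hardware-key 2FA on it, login alerts, no unlocked sessions left on shared machines) rather than expecting the vault's own factors to cover this flow.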