Sure it looks more modern and a few things are better.
But personally I HATE the new "copy" button.
With the old version there was a button for each field: one to copy the login, one to copy the password, one to copy the TOTP.
Now there's just a single button that will display a list of options to choose from depending on what you want to copy.
So instead of copying a field with one click, now I need to do one click, go on the right option, and another click.
Even worse: if the account contains only one field, the copy button will still display the list of options, with just one option.
How could nobody think that when the user wants to copy something from a list, and this list contains only one item, the right thing to do is to copy this single thing, not ask them what they want to copy...
I don't mind the general visual update. But the change to the copy buttons was a step backwards.
To the bitwarden folks... if I'm opening up the extension 99% of the time it's one of these use cases:
1. I'm creating a login for a new site
2. I'm on a site that doesn't support autofill, and I'm manually copying user/pass/code
3. I'm filling credit card info, and want to select a specific card
Both #2 and #3 got worse with this change. Put the damn copy buttons in the huge amount of whitespace you have for the entry. Don't hide them in an overflow. Put each of the user/pass/2fa buttons in a fixed space, and don't move them.
That being said, I also hated the change that hid the copy buttons, but they have a setting that brings them back.
And search input until it's first rendered is lost now.
Context: I need to input a 2fa code every morning when I start working - previously this was click on Chrome extension, type work, move hand to mouse.
Now it is click, wait wait wait click again wait wait wait wait, click (menu opens finally), click on search input, type work, click on copy 2fa code
Funny how I didn't even think to look for appearance settings.
It looks like an afterthought from them because the label is the only one not translated on the extension.
Anyway, I'm more than happy to have the quick actions back!
1. It's much faster. This alone makes the refresh worth it imo.
2. The edit item / fill item UX is much more consistent than it was. Before, when you search for and click a card it opens the item, but if you click a card because it matches the current domain then it fills the item; to open it instead you have to click the little "open item" button. Even as a long time user I would often misclick because the context changes the behavior of clicking a card and my muscle memory would be the opposite of what I wanted. Now there's a "Fill" button when a card matches the current domain and clicking anywhere else always opens the item. My only critique is that the Fill button could be a bit bigger so it's easier to click.
I hate the title "Tips for long-time Bitwarden users" like they are seeing us as dumb but whatever.
If I can get my quick buttons back, I'm glad!
That change alone is pushing me to switch password managers.
> Change the default behavior of clicking a vault item
Thank fucking god... I keep opening my files when I'm really just trying to autofill because autofill doesn't work a lot of times. The two-click copy button is absolutely the worst new "feature" they added. That setting should be opt-in by default.
Settings -> Autofill -> Click items to autofill in Vault view
Like, if this change was an accident and slipped through that is bad. If it was approved, it's even worse because as you said, it shows that the person who is in charge of how we, the users, interact with the product day-to-day doesn't understand the product or doesn't take their role seriously.
If you want, I believe you can override the update url in chrome to stop the auto-update process in the future: https://chromeenterprise.google/policies/?policy=ExtensionSe...
Alternatively, at least for chromium browsers - you can download the .crx directly, unzip it (p7zip will do it), and sideload it using the "Developer mode" checkbox on chrome://extensions. Firefox sadly doesn't support this - they'll remove any sideloaded extensions on browser close.
It did lead me to discover my automatic update process wasn't actually rebooting the vaultwarden server.
I mean, you're explicitly choosing to self-host an alternative backend server which isn't affiliated with Bitwarden. You could have used their SaaS, or self-hosted their official backend they provide on GitHub, for free, and which is almost entirely open source (AGPL, they have some small enterprise specific bits such as SSO which are under a commercial license which is still free, just not open source).
But you chose to self-host a random person's project that tries to keep track with Bitwarden APIs and various frontends, on a best effort basis. That's a ton of risk I really wouldn't take with something as sensitive as passwords to everything.
I lost a couple days of new accounts/passwords because this[1] probably happened.
[1] https://github.com/dani-garcia/vaultwarden/discussions/4921
The old one was instant on clicking the shield icon. The new one is slow and flashes a few times before showing me the UI.
Also, the entire field used to be selectable to fill fields. Now I have to aim at the tiny Fill icon and it's even harder to get to the time-based 2FA code.
I get why they've done it but I have never seen any software this slow in my life. Even just displaying the boxes seems like it needs a progress bar.
In the previous version, you'd go Vault -> Search -> [Find Thing] -> Copy Username, but when you de-focused the extension it would return you to the vault home, so yet again you had to do Vault -> Search -> [Find Thing] -> Copy Password.
This one, when it loses focus, it stays exactly where you left it.
W.r.t. a small, split-second one in initial rendering, I'd take it ten times out of ten over what it was for me all these years: immediate ability to key in input, but if you typed at the precisely (im)perfect moment, which was an extremely common occurrence, the extension would bug out and not perform the actual search.
So I'm sitting there for about a whole second wasted for having waited out the threshold to realize that it bugged out yet again and didn't perform my search. Then, I would have to either backspace or type in the next character in the query in order to trigger the search; this was often an unpleasant added mental overhead when backspacing would repopulate results that you were trying to filter out.
I'd rather have the split-second delay for every initial render.
At least on safari.
Then Proton's CEO made some statements I found offensive, so I re-activated my Bitwarden account, migrated back, and am now learning to love the changes.
The best I've got for tips are:
1. Settings > Appearance > Quick Copy
2. Settings > Appearance > Compact Mode
3. Settings > Appearance > Extension Width > Wide
I still don't love it, but it remains the best of the bunch.
https://old.reddit.com/r/ProtonMail/comments/1i2nz9v/on_poli...
I'm assuming they meant fascist because the CEO is a republican.
As a non-American, it's not my problem but I can see why people would want to distance themselves
I'm very surprised a search didn't turn this up for you, or you're not asking in good faith.
Actually pretty annoying.
The thing I despise most among their UI “improvements” is entry click expands the entry now. To fill you have to find that tiny “fill” button and click that.
Bitwarden, return the normal UI back!
The risk of someone stealing my phone is much higher than someone stealing my main password where I live. I intentionally decided not to use 2FA, because that is what makes most sense for my context. I'm ready to take full responsibility for not using 2FA, but now I can't.
On the reddit post announcing this, Bitwarden added a response saying they will provide an opt-out option. It's unclear if this opt-out is temporary or not. It would be a huge step back for their product if 2FA becomes mandatory.
Was easily solved though, got a new SIM card from my network from the local store when I got back and recovered my Authy account via SMS which I can then generate 2FAs for my password app through. Was always a backup method I had up my sleeve. My browser keeps logged in as well so was able to get into most stuff through my PC once I got back.
I feel like your own creativity is limiting you here. There are lots of options to store those backup codes. Including giving them to multiple relatives to keep in a safe place so you can call and ask for it, creating a dedicated email account with no 2fa and email the code there, leave yourself a saved answerphone message with it on so you can dial in and listen, write it in the important info section of your passport so you always have it abroad etc etc...
Any critical procedure needs to be exercised regularly to ensure it's still working. Normal people don't do that with recovery codes.
Of course, that account could also decide to implement mandatory 2FA. Could even be unannounced, just "This login is suspicious, we sent a message to your recovery email to confirm this login"
When they lose it, they lose access to email, and there is no backup plan here. Using bitwarden is far far superior to them using the same password everywhere, but this will drive them back to the same behavior.
That's actually a really good point. My 1Password setup is resilient to device loss because I have multiple registered devices, any of which can spin up a new device with just my master password.
But if you're in a situation where you only ever have one device and lose it, then you can't bootstrap a new registration going from 0 devices to 1.
There's definitely a security/resiliency tension here. Is it desirable to have your password manager protected by just a user-specified password? That can allow you to go from 0 devices to 1, but it also greatly lowers defenses against account compromise. You can have a paper recovery kit, but people will misplace that, if they even create it in the first place. Social attestation could be a decent if imperfect mitigation: if everyone is on the same family group, then maybe the admin or the group can recover access for any one person.
Given that most people are cracked wide open if their password manager is compromised, I do feel it's sensible for a password manager to insist on 2FA, but the email chicken and egg problem is a concern for those migrating, and hopefully they backed up their recovery codes.
It depends on the asset you’re protecting and your threat model.
I have quite a few accounts whose value does not cross a threshold where I care about the risks of email… and my workflows would be enhanced dramatically if I could use it as a second factor.
The reason I can’t is not because of security or anything at all to benefit me, the user. It is because the services themselves need to throw sand in the gears of the bad actors abusing their services.
My email address can't be SIM swapped, my emails aren't transmitted using weak 90s encryption algorithms over the air (and via dubious, largely unauthenticated 80s protocols on the wire), and my mailbox is itself guarded by 2FA.
I abandoned Bitwarden a while ago in favor of Enpass after the 2nd time in 3 weeks that Bitwarden refused to open my LOCAL vault because of a problem with BITWARDEN's servers.
Uh, no.
I hate building a lock-in to the ecosystem though, and have been meaning to look at Enpass.
I mean, I'm pretty tied to Apple in both hardware and service use, but it strikes me as unlikely that Apple's first swing at password management could really rival a purpose-built tool right out of the gate. I do think I'm going to push my thus-far-vault-avoidant wife to use the Apple tool, though.
You do have backups right?
However, despite what the headline says, this 2FA does not appear to be mandatory.
Under the heading: "Who is excluded from this account email-based new device verification?"
> Users who opt-out from their account settings, to which an option will be added, are excluded.
I'm on 1Password and it's basically a 2FA setup there too: to register a device, you need to have the master password (what you know) and the secret key (what you have, randomly generated at vault creation). Losing my phone isn't a big deal because I have 1Password on multiple devices, each with a copy of the secret key, so there's pretty good hedging there.
I also carry a physical Yubikey, which grants me passwordless access to my email account (assuming I know the PIN to unlock the hardware, which I do). That's probably overkill for most people, but that's another layer of hedging too.
Given that only I have my master password I don't see what's wrong with it.
A second factor makes it extremely unlikely that one slip up results in a complete compromise of your vault.
Exactly because of the fire risk, I set a policy for myself that all passwords should be somehow recoverable only from something that I know. However, I don't meet this policy at the moment.
I use Bitwarden 2FA with my phone, but I have backup codes stored in a fireproof safe with my other important documents.
That hopefully would only happen in extremely rare conditions, but that's not a risk everyone would take. Especially in an area where losing your home is a very real risk, and you'd be hanging on to your data by a string while facing an otherwise already challenging situation.
The 2nd factor is only needed when it's new or occasionally in other cases. I don't know why you say it adds lots of friction, unless you are frequently signing into new devices.
And as a failsafe a printed backup code is pretty important.
This is doubly true because Bitwarden has not been consistent at only asking for 2FA on brand new devices, so it's not even just me that I have to worry about locking the car doors.
Removing the friction of many passwords is the whole reason a password manager is good in the first place!
It seems like every IT person needs this lesson reiterated to them, at least once a year...
At the very least split your providers - no one manager has all my passwords and 2FA codes.
Even without, accidentally getting one password leaked is a lot more likely than two. For whatever reason, shoulder peeking, keylogger, wrong input field, brute forced, and so on.
So what's going to happen? Are they going to cache my location? Or are they storing a cookie on my side? Neither sounds great. Ever hear of a VPN? That's going to make my life easier....
Some more general complaints:
The storage thing is really weird. Did you know it is just stored on their server? So you can't store locally. But the worst part, when you want to retrieve the item then you download it and it just appears in your download folder. This is TERRIBLE and both of these make it absolutely useless. I got to download it when I need it, hope I have internet in that situation, and then delete it after because I'm... storing sensitive information, right?
The new design is just terrible and could only be designed by someone who assumes you never open the panel to fill in the website. Yet... that's the *most common* reason I open that.
Things like this give me concern that those designing the tool aren't thinking about other things. When it comes to security, all the little things matter a lot.
Of course there's frustrating things that I know they have little to no control over, like all the dumb Microsoft logins I'm forced to have and then annotate because I keep logging into the wrong account. But I do like that it integrates with Firefox's relay. The only thing I wish is that it wouldn't name the mask "Generated by Bitwarden." but "the fucking website name" (sure, append "Generated by Bitwarden" but no one cares and this does nothing to help brand recognition, it just makes things confusing).
You can selfhost Bitwarden. There is also an alternative server named vaultwarden.
1. Point your domain's DNS to server
2. Run a reverse proxy with LetsEncrypt integration (Caddy, NGINX Proxy Manager, Traefik, etc)
3. Run the Docker command
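The three steps above, written out as an added example (not code from this thread, from Bitwarden, or from the vaultwarden project): a small POSIX shell script that renders a Caddyfile and a docker-compose.yml for vaultwarden behind Caddy, so that step 2 (reverse proxy with automatic Let's Encrypt certificates) and step 3 (the Docker command) are one file you can review before running. The image names (`caddy:2`, `vaultwarden/server`) and the `DOMAIN` / `SIGNUPS_ALLOWED` environment variables are the projects' real ones; the hostname `vault.example.org`, the host directories and the script name are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the vaultwarden project: renders a
# minimal Caddy + vaultwarden stack for the three self-hosting steps above.
# Image names and the DOMAIN / SIGNUPS_ALLOWED variables are the projects'
# real ones; the host paths (./vw-data, ./caddy-*) are this example's own.

# The Caddy site block wants a bare hostname while vaultwarden's DOMAIN wants
# a full https:// URL, so we accept only the bare hostname and derive both.
# Rejecting schemes, slashes and spaces here avoids a silently broken TLS
# setup or a web vault that redirects to the wrong origin.
check_hostname() {
  case "$1" in
    ""|*://*|*/*|*" "*) return 1 ;;
  esac
  return 0
}

# Caddyfile: Caddy obtains and renews the certificate for the hostname on its
# own and proxies to vaultwarden's in-container port 80 (its default).
render_caddyfile() {
  check_hostname "$1" || return 1
  printf '%s {\n    encode gzip\n    reverse_proxy vaultwarden:80\n}\n' "$1"
}

# docker-compose.yml: vaultwarden is not published on the host at all; only
# Caddy listens on 80/443, and sign-ups are closed once your own account exists.
render_compose() {
  check_hostname "$1" || return 1
  cat <<EOF
services:
  vaultwarden:
    image: vaultwarden/server:latest
    restart: unless-stopped
    environment:
      DOMAIN: "https://$1"
      SIGNUPS_ALLOWED: "false"
    volumes:
      - ./vw-data:/data
  caddy:
    image: caddy:2
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - ./caddy-data:/data
      - ./caddy-config:/config
    depends_on:
      - vaultwarden
EOF
}

# Write both files for the hostname given as $1 and print the next command.
write_stack() {
  render_caddyfile "$1" > Caddyfile || { echo "bad hostname: '$1'" >&2; return 1; }
  render_compose "$1" > docker-compose.yml
  echo "wrote Caddyfile and docker-compose.yml; now run: docker compose up -d"
}

# Usage: ./render_stack.sh vault.example.org   (step 1, the DNS record for
# that name pointing at this host, must already exist for Let's Encrypt to work)
if [ -n "${1:-}" ]; then
  write_stack "$1"
fi
```

Keeping the `SIGNUPS_ALLOWED` flag off after you have created your own account is the one setting worth double-checking before exposing the host: with it on, anyone who finds the hostname can register a vault on your server.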
passwordstore.org and "git init --bare password-store.git" somewhere on your own network.
Any reverse proxy handles that by default; it's no longer a gotcha.
I could see this being one of those no-brainer decisions that requires herculean effort to push through all the product politics.
I would love to hear how this change came about and what hurdles needed overcoming from someone in the know.
One of the main reasons to use bitwarden is as a synchronized backup when the system autofill fails, which tends to happen in the same situations this 2fa check will trigger (new devices).
It adds a potential failure mode without meaningfully benefitting my personal security model.
The password to my 2FA app is also in bitwarden. It's actually much more aggressive about session expiry.
This is not a good change for me. This annoys me. I will not be using or considering Bitwarden going forward.
Or wait, I got an even better one: we will go to the house of each person on the planet and destroy their computer. There's your absolute security right there. No BrAiNeR.
I wonder what the product and stakeholders discussed. Were there metrics on how many users they might lose with this?
Rolling out such a significant change with just a few days advance notification shows an incredible level of incompetence.
I hope the companies you work for have security teams to protect the company from your crazy attitudes.
I have a single password I only use for Bitwarden and nothing else. All of my other passwords are randomly generated. How am I gaining security by enabling MFA? If I lose my phone on holiday now, I’m in a position where I can’t log into anything because I won’t be able to log into my email.
Notice that in the archive from earlier today the "Who is excluded from this account email-based new device verification?" section did not have the new fifth bullet point about being able to opt-out:
https://web.archive.org/web/20250128011007/https://bitwarden...
Thought it was worth pointing this out since I've already seen people reply to old comments thinking people didn't read the article without realizing it was later changed.
Accessing a password vault from any arbitrary internet-connected device and browser through the web is also convenient, even if to you or I that serves more as a reminder of how accessible your passwords might become to unauthorized users. Sharing credentials between Bitwarden users is also more convenient.
If you self-host, you can provide those service to friends or family members who don't have your technical aptitude. For teams and businesses, it provides an auditable service with directory integration and other optional enterprise features (SSO, fine-grained access).
All of these are possible without a SaaS, just less convenient to set up. You and I might consider setting up our own personal password management to be a fun and useful project, or at least a trivial time expense compared to the value. When something like Bitwarden provides all of those features and more for $0 to $10/year, even a small time and maintenance burden might not seem worth it to a less technically savvy user.
Then you will not be totally screwed if your password manager does a rug pull against you, such as what Bitwarden is doing with this change.
This is going to lock out many users. They will not realize this new arbitrary requirement to be able to access the email address. They will lose their existing device. They will get a new device, install Bitwarden, and try to log in with their master password, only to find that Bitwarden has moved the goal posts. They will be locked out of everything.
Even if 99.99999% of users would benefit from this change, Bitwarden shouldn't do it because it'll unfairly lock out 0.00001%. If they really want to do this change, then they should have like 2 years of warnings displayed on existing clients, and also have an option to permanently disable any 2FA requirement.
Think of it from the user perspective - now they have to download and use yet another app on their cellphone just to log in.
Yes, I am aware of SMS's vulnerabilities - but the weakest link is always the user.
Or the phone provider's call center employee who gets tricked into helping a bad actor perform a sim swap. I pray you're never in charge of my data.
In general though I have become incredibly sick of mandatory 2FA for every-goddamn-thing. I do use it very often, but it should be my choice and not forced on me. The usual retort is blah blah blah I might understand the trade-offs but normies don't and so forcing it is a net positive, but I'm me — not them, so that usual response is just to tell me that my feelings don't matter.
Since service providers are often legally and even more often practically required to cover losses resulting from account takeovers, it's really not your choice alone.
I discovered much later that they call email “2FA” so her account isn’t actually protected by the hardware keys at all. Like others here, this doesn’t make sense to me since it’s circular.
(and separately, the Yubikey seems to often not work on Android anyway)
Still, I backed up my passwords as soon as I logged into the mobile app, so like some people here say I highly recommend everyone do periodic backups and not be like me (:. I would have lost everything if something did happen to my vault access
Even engineers have trouble noticing or understanding circular dependencies, does Bitwarden, a password manager that tries to cater to this specific target audience really expect them to figure out they're set up to be locked out once they lose their device?
Thankfully Bitwarden warned me about the attempts. For the rest of the customers it's a matter of time before you are a target.