[thanzex]

This is absolute nonsense. Bitwarden has worked absolutely perfectly for me until now, their clients work just fine and it's the password manager I always suggest to people around me.

I do both, self-host vaultwarden for a non-profit and have Bitwarden premium for personal use. A short while ago our server got nearly nuked and our Vaultwarden was down for several days, everyone in the org still could access all of our personal and shared passwords just fine, the extension and the clients stored all the necessary data offline and let us work uninterrupted until we restored the service ( ironically, it held the server's cloud provider credentials too ).

I suspect that in case of a complete outage or while not connected to the internet the client will work just fine, but on this instance something got messed up on the autentication/authorization side, so your client tried to authenticate to their server to sync up/do whatever it needs, since the server was not down but experiencing problems it received an error and logged you out.

I would argue this is by design, If the server returns an error while logging in there's probably a good reason, and especially in case of an organization account, you shouldn't have access to the passwords anymore.

You seem to have had major problems, but I assume it's likely your fault. You should not store all the means of accessing an account in a single place, I too store TOTPs on Bitwarden, but that's just for convenience, I have them on my phone Authenticator app too. But most importantly, as the name suggest, recovery codes ( which is what i assume your "temp verification passwords" are ) should be kept safe and in a separate place altogether, preferably printed even.

What you're describing here looks like nothing more than an outage, a thing that literally everyone and their dog experiences, from the non-profit like us to AWS, Microsoft, Google and Cloudflare.

Surely nothing to scream "Avoid at all costs" about.

[cabbagesauce]

> This is absolute nonsense. Bitwarden has worked absolutely perfectly for me until now, their clients work just fine and it's the password manager I always suggest to people around me.

Same for me.

>I suspect that in case of a complete outage or while not connected to the internet the client will work just fine, but on this instance something got messed up on the autentication/authorization side, so your client tried to authenticate to their server to sync up/do whatever it needs, since the server was not down but experiencing problems it received an error and logged you out.

If you're familiar with Bitwarden you're aware there is a Vault lock. When the laptop started and FF was launched, the extension got greyed out immediately. This means there's some sort of preflight init right after browser starts.

This behavior is not documented anywhere on their website in the troubleshooting section. And that was my first attempt to figure out the cause. Next thing was to reinstall the application and check if the problem goes away. And only after that the email to support was dispatched. So, enough effort was put before contacting BW staff. The error message is misleading[0]. So I went on to support forum[1] to learn this problem is recurring. And while I was typing my message, I have seen several messages deleted by the staff. Same happened with mine.

Given all that, where is my fault exactly?

>What you're describing here looks like nothing more than an outage, a thing that literally everyone and their dog experiences, from the non-profit like us to AWS, Microsoft, Google and Cloudflare.

It's an outage that indicated that you can loose access to BW Vault anytime they have an outage, means you can loose offline access even if the docs say otherwise[2]. To me it's false advertising at best given the iPhone's vault was in locked state as well but did not show any operational errors. Current BW users got aware of the incident and can draw conclusions and mitigate risks. I'm speaking for my experience and it's avoid at all costs now.

[0] https://imgur.com/a/y4qYcFL

[1] https://community.bitwarden.com/t/an-error-has-occured-acces...

[2] https://bitwarden.com/help/using-bitwarden-offline/

[thanzex]

> If you're familiar with Bitwarden you're aware there is a Vault lock. When the laptop started and FF was launched, the extension got greyed out immediately. This means there's some sort of preflight init right after browser starts.

Your devices were online and their server reachable but returning erroneous messages, if we have to go based on their forum response "in most cases, your IP is most likely getting flagged by cloud protection services as malicious activity" maybe even because of a third party provider.

> So I went on to support forum[1] to learn this problem is recurring. And while I was typing my message, I have seen several messages deleted by the staff. Same happened with mine.

While I can't speak for this problem, I understand this is frustrating and agree that the staff could have managed the situation differently, but they possibly knew about the outage and were simply de-cluttering the forum from what I imagine were dozens of messages about the same problem popping in at the same time.

> It's an outage that indicated that you can loose access to BW Vault anytime they have an outage, means you can loose offline access even if the docs say otherwise[2].

By definition, during an outage you lose access to the service, whatever it may be. Their docs say nothing about them, they state that while your devices are offline the clients can still be unlocked and used in read-only mode. While this means that in theory the apps could work while their services are not reachable for whatever reason, be it the device being offline or their server being completely down, this was not the case. I agree that they could improve the experience, so that if their services are not working as expected the clients revert to offline mode until the issue is resolved. This however is not an easy problem to manage and could only be an extra bonus feature to their service.

> Given all that, where is my fault exactly?

Sorry, maybe I didn't use the correct language, when I said you were at fault I wasn't of course talking about the outage, but you having issues logging into your accounts because everything is saved in Bitwarden. My point was that while their software is extremely convenient, it should not be the only place that stores all the means of accessing a service. Reading your post at first glance made me think that because of this outage you could not access credentials + TOTPs + recovery codes. but seeing > I'm lucky enough to have the offline access to the storage. I don't know about that anymore

> ...the iPhone's vault was in locked state as well but did not show any operational errors.

Does this mean that the iPhone app was still working or was it locked like the rest?

[dwild]

> This however is not an easy problem to manage and could only be an extra bonus feature to their service.

Extra bonus feature? For me it's pretty obvious it's a necessity. Failover need to be in ALL case offline access.

> My point was that while their software is extremely convenient, it should not be the only place that stores all the means of accessing a service

I can't have an automatic backup done over each new password stored on it. If I need to do it manually each time, it's no longer really a password manager.

[thanzex]

> Extra bonus feature? For me it's pretty obvious it's a necessity. Failover need to be in ALL case offline access.

It sounds simple if put that way, but there's a myriad of things that can go wrong, again, we don't know exactly what was the problem on their end, but I guess it had to do with authentication/authorization/security. It could be difficult to differentiate between a distruption of the service or abuse.

> I can't have an automatic backup done over each new password stored on it. If I need to do it manually each time, it's no longer really a password manager.

I disagree, a password manager is mostly for convenience and added security, although that could be a possibility I'm not talking about storing all the passwords somewhere else ( and thus updating the list every time ). I'm referring to the TOTPs and Recovery codes.

> it should not be the only place that stores all the means of accessing a service

If I were to lose access to Bitwarden right now, sure, I would not be able to use randomly generated passwords stored there, but my 2FA codes would still be with me, same with recovery codes, so that in the event in which I really NEED to access an account I can still do it, with increased friction of course, but I'm not locked out.

[donutshop]

Ageed. OP's language is disrespectful to say the least. If it wasn't for this post I wouldn't have known there was an "outage"