
help's Introduction

Bitwarden



Bitwarden Client Applications

This repository houses all Bitwarden client applications except the Mobile application.

Please refer to the Clients section of the Contributing Documentation for build instructions, recommended tooling, code style tips, and lots of other great information to get you started.

We're Hiring!

Interested in contributing in a big way? Consider joining our team! We're hiring for many positions. Please take a look at our Careers page to see what opportunities are currently open as well as what it's like to work at Bitwarden.

Contribute

Code contributions are welcome! Please commit any pull requests against the main branch. Learn more about how to contribute by reading the Contributing Guidelines. Check out the Contributing Documentation for how to get started with your first contribution.

Security audits and feedback are welcome. Please open an issue or email us privately if the report is sensitive in nature. You can read our security policy in the SECURITY.md file.

help's People

Contributors

alebr-on, baylorrandolph, clayadams5226, cscharf, danhillesheim, devanweed, djsmith85, elizabethbaier, fschillingeriv, go12, greatgumz, greenderella, king-tut-tut, kspearrin, luc-bw, mesarth, needs-coffee, nfiles, ple103, plett, radawson, sahilpulikal, seanprashad, setyb, sevensixseven, supersandro2000, tangowithfoxtrot, tgreer-bw, vachan-maker, ypid

help's Issues

Extend uri-match-detection.md page to show where to find the feature

The uri-match-detection.md help page is very useful and detailed, explaining how the various options work. I had a tough time however finding where to access this feature.

I was able to find it in the web vault but had a lot of difficulty finding it behind that gear icon next to the URI in the credential edit page.

Would it make sense to extend this page to mention where users can find this feature?

If so I can probably PR an additional section that talks about where it can be found (maybe with some images showing where the icon is)

HTML code when converting from Lastpass

Hello,

(I migrated from Lastpass, thank you for this application.)

When using the guide as provided certain symbols are converted to HTML code.

(Following is in code tags so it's not parsed.)

Take for example the password: buAg>OajSiar7
It gets converted to: buAg&gt;OajSiar7

This is because the symbol > becomes &gt;

The guide only mentions the HTML code &amp;

For a list, see: https://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references#Character_entity_references_in_HTML

IMO you should mention that &amp; isn't the only one which may have to be changed and provide the user perhaps with the full list. Using symbols like these greatly increases entropy.

Wrong screenshot

Suggestion or Edit for: bitwarden.com/help/article/import-from-lastpass/

The first screenshot is fine, but the second one shows the export from BITWARDEN instead of LASTPASS!

Error while importing from Lastpass: "This organization can only have a maximum of 2 collections"

@kunalgrover05 commented on Fri Feb 19 2021

I was trying to migrate my data from LastPass -> Bitwarden Free tier, and I got an error: "This organization can only have a maximum of 2 collections".

I found the issue to be very non-descriptive about what is going on, and couldn't find anything on searching about it. The reason for that was LastPass exports the content including a "grouping" field which they determine as the most reasonable bucket for the website, eg: Email / Education etc. This leads to multiple organizations being created which causes the error and stops an import.

Workaround: Simply delete the grouping column and the data will get imported.

Ask: It should be clear what the error means and a workaround should be present in the onboarding help section: https://bitwarden.com/help/article/import-from-lastpass/


@tgreer-bw commented on Fri Feb 19 2021

@fschillingeriv - this and the field text limits would be good to add I think.
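
An added example, not part of the issues above and not Bitwarden's own code: a pre-import cleaner for a LastPass CSV export that covers both reports, decoding HTML entities such as `&gt;` back to the original characters and optionally dropping the `grouping` column as in the workaround. The function name, the header layout and the sample rows are assumptions constructed for illustration.

```python
import csv
import html
import io
import re

# Constructed sample in an assumed LastPass CSV layout. Row 2 of the data uses
# the password quoted in the issue; row 3 is a password that literally contains
# the text "&gt;" and therefore arrives as "&amp;gt;".
SAMPLE_EXPORT = (
    "url,username,password,extra,name,grouping,fav\n"
    "https://example.com/login,alice,p&amp;ss&lt;word,,Example,Email,0\n"
    "https://example.org,bob,buAg&gt;OajSiar7,a &quot;quoted&quot; note,"
    "Example Org,Education,0\n"
    "https://example.net,carol,literal&amp;gt;kept,,Example Net,,1\n"
)

# Only decode references terminated by ';'. html.unescape() on a whole string
# would also rewrite legacy forms such as "&lt" with no semicolon, which could
# silently alter a password that merely contains those characters.
_ENTITY = re.compile(r"&(?:#\d+|#[xX][0-9a-fA-F]+|[A-Za-z][A-Za-z0-9]*);")


def decode_entities_once(value):
    """Decode each terminated entity exactly once (no repeated passes)."""
    return _ENTITY.sub(lambda m: html.unescape(m.group(0)), value)


def clean_lastpass_csv(text, drop_grouping=False):
    """Return (cleaned_csv_text, changed_cells).

    changed_cells lists (line_number, column) pairs so the result can be
    reviewed without writing any secret value to a log or terminal.
    """
    reader = csv.DictReader(io.StringIO(text))
    fields = [
        name for name in (reader.fieldnames or [])
        if not (drop_grouping and name == "grouping")
    ]
    out = io.StringIO()
    writer = csv.DictWriter(
        out, fieldnames=fields, extrasaction="ignore", lineterminator="\n"
    )
    writer.writeheader()
    changed = []
    for line_no, row in enumerate(reader, start=2):
        for field in fields:
            raw = row.get(field) or ""
            decoded = decode_entities_once(raw)
            if decoded != raw:
                changed.append((line_no, field))
            row[field] = decoded
        writer.writerow(row)
    return out.getvalue(), changed


if __name__ == "__main__":
    cleaned, changed = clean_lastpass_csv(SAMPLE_EXPORT, drop_grouping=True)
    # Report only where values changed, never the values themselves.
    for line_no, column in changed:
        print(f"line {line_no}: decoded entities in column '{column}'")
```

Decoding runs once per cell on purpose: a second pass would turn `literal&gt;kept` into `literal>kept` and change a password that genuinely contains that text.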

Release Notes are confusing for international visitors

@phol commented on Thu Jan 07 2021

Describe the Bug

First of all, I know this is not the proper repository to report this issue on, but thought it was the closest to the actual website.

Right now, the Bitwarden Release Notes page entries are dated as "11/12/2020". To me, as a European, this is confusing: I automatically assume you mean the 11th of December. Only by looking at the previous date (09/30/2020) can I deduce that you used the US notation, but only because the second number is higher than 12. Europeans generally use day-month-year whereas in the US you seem to prefer month-day-year. That can cause confusion in communications and is slightly annoying and confusing when you're not used to this standard.

As this is something you can never do right by choosing either one or another national format, a solution I'd like to suggest is to use ISO 8601 dates instead. E.g.: 2020-11-12 and 2020-09-30.


@tgreer-bw commented on Thu Jan 07 2021

Fair point! We've just adjusted it and it will be fixed in a few minutes.


@phol commented on Thu Jan 07 2021

Awesome, thanks for adjusting this!

Requires an installation id

I tried installing bitwarden. I do not intend to get any subscription, yet the installer asks for an "installation id" and refuses to continue without it. This seems like a serious oversight!

import from the safe between 2 self-hosted instances

Hello

Sorry for my little English, I'm French.

I am currently testing self-hosting to offer the project in my company (250 users).

I carry out numerous tests: self-hosting is extraordinary but you have to make sure you have a backup solution in the event of a crash.

I created 2 self-hosting instances on 2 computers on a different IP address.

I manage to export the mssql database from computer 1

I manage to import mssql database into computer 2

I use this method: https://bitwarden.com/help/article/hosting-faqs/ (from the mssql backup)

it's perfect I am confident to go for a business license.

I observed a problem that I cannot explain:

on computer 1 with my test account I imported the password (from google chrome)

I then deleted the unnecessary ones; I have kept about 100 of 200 (50%) passwords.

still on computer 1: I run an updatedb ./bitwarden.sh (to be sure), and one "backup-db.sh" from the container

on computer 2 I can restore the safe but I find 100% of the passwords (even those deleted)

I do not understand why ?

it is not very serious but my desire to understand is great.

Better example URI than https://google.com

I don’t find the Google URIs that are in the examples all over the place appropriate for a Password Manager that has Privacy as one of its selling points. It might scare people away.

As I needed a good example domain, that is also commonly known and uses multiple subdomains (for #158), I propose to switch all examples to https://en.wikipedia.org/

Include Group Syntax not working as expected #POST2

Already posted in /
directory-connector

Getting no response.

Hi

I did do the first method "Include:Group A" but then I have to specify each user under users before they get an invite.

So the second method is (from my understanding) invite all users in the group by using the syntax "includeGroup:xxxx-xxxx-xxx"

I clicked test - but I was expecting only my test group to appear and the one test user, but the test that ran listed all the groups I have in Azure AD.

Is this normal behavior?

Kind Regards,

Replace company.com in all examples

company.com is a real domain used by a US company. To not accidentally send sensitive data to them I suggest replacing every occurrence of it with example.com.
If this idea is accepted I could do a PR.

Some of the links in help/_articles/faqs/security-faqs.md are broken.

@tgreer-bw
You may be aware of this issue but some of the links in the Security FAQ under Table of Contents are broken
Links which are broken

  • Master Password Stored Locally?
  • Third party scripts, libraries, and services
  • Security General (Whitepaper, Audit report, etc.)
  • Self-signed Certificate Setup, On-premises/self-hosted
  • Web Browser Extension Security/Safety Concern
  • Duo MFA / 2FA / Two-step Login Requirement

Thanks

How does the change email and change password functionality work?

I'm curious as to how the changeMasterPassword and changeEmail functionality works, given that BitWarden shouldn't ever be able to view user encrypted data.

How are the existing items stored in the database updated such that a user can decrypt them using the new master password or email? (In StandardFile/StandardNotes, the client fetches all of the encrypted items, decrypts/re-encrypts them, then sends them all back to the server.)

Basic Getting Started Articles

There is a need for the following articles to help new users get started:

  • Setting up 2-step login
  • How do I change my master password?
  • How do I change my email?
  • How do I delete my account?
  • How do I export my data?
  • How do I import my data from another password manager?

Specified instructions doesn't work in Chrome 63.0.3239.108

After doing everything specified in the guide I end up with file chrome_passwords.csv with following contents:

name,url,username,password

Just 1 line. Bitwarden returns error about invalid data provided.

The working way to export my passwords was:

  1. Close Chrome
  2. Run it with google-chrome-stable --password-store=basic
  3. Wait for it to sync (check whether chrome://settings/passwords contains passwords)
  4. Close Chrome
  5. Run sqlite3 -header -csv -separator "," ~/.config/google-chrome/Default/Login\ Data "SELECT signon_realm AS name,signon_realm AS url,username_value AS username,password_value AS password FROM logins" > ~/Passwords.csv
  6. Remove ~/.config/google-chrome/Default/Login Data for security and to un-glitch Chrome sync

OS: Linux Manjaro
Chrome version: Version 63.0.3239.108 (Official Build) (64-bit)

Security Articles

  • What encryption is being used?
  • Does bitwarden use a salted hash for login?
  • Why should I trust bitwarden with my passwords?
  • How is my data securely transmitted and stored on bitwarden servers?
  • What happens if bitwarden gets hacked?
  • Can bitwarden staff see my passwords?
  • Where is my data stored in the cloud?
  • Where is my data stored on my computer?
  • How do you keep the cloud servers secure?

Security Audit Details

Hey guys,

I saw your software a while ago and wanted to start using it once you had completed a security audit.

I found this thread and it looked really promising.

On your main site and help site now, you list that it has been audited - which is great!

However on this page the link to the security audit doesn't work...
Might want to get that fixed up - it adds a bit more doubt than I'm sure is warranted or wanted.

Cure53 also does not have the audit published on their site - which would be good for the project's credibility if possible.

Add instructions for restoring database

Currently _articles/hosting/backup-on-premise.md writes the following for restoring a backup

You can read more about SQL Server backup restoration at https://docs.microsoft.com/en-us/sql/relational-databases/backup-restore/complete-database-restores-simple-recovery-model/.

This is difficult to follow because it is not bitwarden specific.

Suggestion: Add a new section for restoring a MSSQL database immediately below nightly backup with the following steps.

  1. docker exec into mssql container
  2. Take note of which backup to restore in the /etc/bitwarden/mssql/backups/ path
  3. Run sqlcmd
  4. Execute RESTORE DATABASE command in vault database
  5. Finish

I can create a PR if this is ok.

Liquid Exception: Could not find document

Liquid Exception:
Could not find document '_articles/security/what-encryption-is-used.md' in tag 'link'.
Make sure the document exists and the path is correct. in security/can-bitwarden-see-my-passwords.md
jekyll 3.4.0 | Error: Could not find document '_articles/security/what-encryption-is-used.md' in tag 'link'.

I pulled down the latest commits and ran npm install && gulp build && jekyll build && jekyll serve, but the above is what I get.

Guide for Firefox ignores Firefox's new password export feature

The "Import your data from Firefox" page states "Since version 57, the Firefox browser no longer provides any password export addons and you will need to use third-party tools." This is no longer true, however — Firefox 59 adds back password export functionality.

Unfortunately, as it stands, the current online version of Bitwarden doesn't import those exported passwords correctly (see issue 831). However, once the new version is up, it'd be good to revise the article entirely and recommend using the official export tool.

For now, it'd be good to mention that while Firefox now supports password exports, there is a bug preventing them to be imported correctly and the open-source password export extension should be used instead.

"Data Breach Report" need to buy an HIBP subscription key, not "Exposed Passwords Report"

I deployed bitwarden on my own server, and I found out that "Data Breach Report" needs an HIBP subscription key to be bought, not "Exposed Passwords Report".

So:

{% note %} If you are self-hosting in order to run this report in your instance you will need to buy an HIBP subscription key that will authorize you to make calls to the API. You can find how to purchase this key here{:target="_blank"}.

Once you have the key you will need to go to your ./bwdata/env/global.override.env file, edit it and REPLACE the placeholder values for the API key:

globalSettings__hibpApiKey=REPLACE
{% endnote %}

The content above should be in "Data Breach Report", not in "Exposed Passwords Report" of the help/_articles/features/reports.md file

importing data from Lastpass

I had a few issues with the help instructions about export/import outlined here: https://help.bitwarden.com/getting-started/import-from-lastpass/.

I'm using Lastpass 3.3.4 on Firefox 52.

Issue 1.
Step 1 of "Export Your Passwords From The LastPass Browser Extension" says to navigate to “More Options” > “Advanced” > “Export” > “LastPass CSV File”. That path only applies on the LP web vault, not the browser extension. Here is the correct path for the browser extension:

lp2017-04-11_004251

Issue 2.
When I follow the instructions under "Export Your Passwords From The LastPass Browser Extension", and then import, I get:
bw_error2

Issue 3.
When I followed the instructions under "Export Your Passwords From The LastPass.com Web Vault", and then import, I get:
bw_error1
I noticed that the data is pasted in a single column of the CSV file.

The problem is in steps 5 and 6 which state:
5. Create a new text file on your desktop called “lastpass_export.csv”.
6. Edit this file, paste your CSV data that was copied from step 4. Save.

The only way this works is if I do the following:

  • create a text file
  • paste the LP data from the web vault into the text file and save it (.txt extension)
  • change the file extension from txt to csv.
    Only then the import works, and the CSV data is in multiple columns. It looks similar to the formatting of how the browser extension exports the file, but it can't be the same because that method didn't work at all.

I'm guessing these issues are the reason some users gave thumbs down on the help page because maybe they could not import their data.

A suggestion for the Password protection mechanism

Hi, there is a suggestion for the protection mechanism. Now we need to use Bitwarden after inputting the main pwd successfully, then we can check the pwd library or autofill a username and pwd. But I think this is not easy to use.
I suggest Bitwarden can change the mechanism:

  1. user can use autofill all the time, no need to unlock Bitwarden, but user cannot see the pwd library.
  2. user will see the pwd library after input their main pwd.

Suggestion or Edit for: bitwarden.com/help/

Some website logins do not trigger autosave

Hello,

I'm not sure if this is the proper place to post this. First off, thank you for this great alternative to LP. BW doesn't seem to slow down page loading in Firefox the way LP does.

The autosave feature is essential because it saves a lot of time. While it triggers on most websites, it doesn't trigger on a few. Would it be useful to point these out to the developers? If yes, what is the best way to do this?
e.g. https://store.steampowered.com/login/

Thank you.

Feature request: internationalization

Are there plans to internationalize this repository, either by doing a professional translation or by crowd-sourcing it from the community? I'd like to introduce friends and family to Bitwarden, but they don't understand English and the transition would be easier if I could point them to the knowledge base in the appropriate language.

Add a static example image for custom fields Name and Value

Suggestion or Edit for: bitwarden.com/help/article/custom-fields/

  1. Paste the copied element id in the Name field.
  2. Specify the desired information to be auto-filled (in the above example, a PIN) in the Value field.

image

  1. Save the Vault item.

Remove Like/Dislike buttons.

The like/dislike widget should be removed from the articles. How do you find what is wrong with the article just by looking at the data from Rating Widget? Not only that, the articles are being updated daily and the buttons do not reset or anything. The number of likes or dislikes remains the same even after an article has been rewritten or edited. There is no way to know why a user disliked the article. There are some articles with a lot of dislikes, but it is hard to understand why people disliked them.

Some possible solutions:

  1. Remove the buttons.
  2. If a user dislikes an article, collect feedback from the user by using a form or something.
  3. Replace the buttons with Edit on Github, which will allow a user to edit the article directly here.
  4. Submit feedback for this article button.
  5. Allow users to file an issue if there are problems with the article.
    This is from Microsoft's Documentation.
    Screenshot_2020-11-21 Hello World - Introduction to C# interactive C# tutorial

Social security number fields should be hidden by default

When viewing an identity, I should not be immediately shown the value of the social security number field. Like any other secret field (e.g. the security code within a credit card entry), it should be hidden — unless explicitly made visible — behind dots.

Folders

So, you have created a folder. Then what? No explanation of what to do next.

3600 seconds == 6minutes????

Suggestion or Edit for: bitwarden.com/help/article/public-api/

Either '3600 seconds == 60 minutes == 1hour' or '360 seconds == 6minutes'

is master password sent to bitwarden on import?

Again thanks for bitwarden,

When I try to import LastPass vault, I'm asked by https://vault.bitwarden.com/#/login (a remote site) to enter my master password.

At this point, LastPass intercepts me as well and tries to remember this "login" to the remote site, which is a no-no.

The master password should never be sent over the network, encrypted or not. Even an appearance of it being sent should be avoided at all costs. Entering of master-password in a password manager should always be local to the extension and the URL showing in the URL field must be local (e.g. chrome://...) accordingly.

Why am I asked to enter my master password when on the remote site?

I should add that this happens after creating an account (locally) and the bitwarden icon showing as white/blue (active).

Publish updates

Looks like there have been a few doc updates, in particular core -> server. Can you publish the changes? Last publish was 12/31/18

Recommend folder/user in installation instructions

Currently, the installation instructions have a note saying All Bitwarden assets will be installed in the ./bwdata directory relative to where the main Bitwarden script resides.

I think that should be extended to recommend which folder one should use, and if applicable if that should be done with a specific user (or if those files should be owned by a specific user)

please document this smtp trust server option

Hi,

i just found this via extensive googling and almost giving up in your issue tracker:

If you want to ignore the untrusted certificate failure and blindly trust the server (not recommended) you can now set the following in >= 1.30.0

in ./bwdata/env/global.override.env:

globalSettings__mail__smtp__trustServer=true

Then restart with ./bitwarden.sh restart

Originally posted by @kspearrin in bitwarden/server#451 (comment)

I could not find this in the docs anywhere, I guess this option should be added here:

https://help.bitwarden.com/article/install-on-premise/#post-install-environment-configuration

Fix bitwarden.help ADO build pipeline

Currently, the bitwarden.help ADO build pipeline is failing due to Jekyll not being found on the build agent.

The pipeline Yaml file needs to be updated to include these dependencies.

Import Articles

  • Import Your Account Data From KeyPass
  • Import Your Account Data From SafeInCloud
  • Import Your Account Data From 1Password
  • Import Your Account Data From Enpass
  • Import Your Account Data From Keeper
  • Import Your Account Data From Dashlane
  • Import Your Account Data From Padlock
  • Import Your Account Data From LastPass
  • Import Your Account Data From Sticky Password
