ERROR: Earth.exe has crashed

YSK that Bitwarden will require you to enter verification codes sent to your email before letting you log in, starting February 2025

https://lemmy.dbzer0.com/post/36526637

YSK that Bitwarden will require you to enter verification codes sent to your email before letting you log in, starting February 2025 - Divisions by zero

Why YSK: Because if you are like most people, you also store your email’s password in your Bitwarden Vault and not bother remembering it, causing you to potentially get locked out (since you wouldn’t be able to log in to your email to get the verification code, because your email’s password is in the vault itself 👀) (Imagine leaving your key in your house, lol) Source: https://bitwarden.com/help/new-device-verification/ [https://bitwarden.com/help/new-device-verification/] Excerpt: >To keep your account safe and secure, in February 2025, Bitwarden will require additional verification for users who do not use two-step login. After entering your Bitwarden master password, you will be prompted to enter a one-time verification code sent to your account email to complete the login process when logging in from a device you have not logged in to previously. For example, if you are logging in to a mobile app or a browser extension that you have used before, you will not receive this prompt. Good thing I noticed, otherwise I might’ve had a bad time next month 😖

Jan 28, 2025 at 4:06amWeb
Show threadERROR: Earth.exe has crashedJan 28, 2025

Also, I’m not sure if anyone else get any notice, but in my experience I didn’t even get a notice in my email at all. I just went to the browser page moments ago and saw the notice. I was like “WTF”. I logged in a few days ago on the 22nd and didn’t see that, so this must be recent. Less than 10 days of notice? Wtf Bitwarden?!?

(I don’t currently use 2fa because I have trouble with misplacing 2fa stuff, so I’m more likely to get myself locked out with 2fa, than having someone hack my vault without 2fa.)

Show threadtheredhoodJan 28, 2025
Just use something like ente auth, then you can just login online anytime and get your 2fa codes.
Show threadYarrMatey [she/her] Jan 28, 2025

Are you able to remember a strong password? If you can then you can use something like KeePass, it is an offline password manager (and authenticator) that you can use on your phone and PC and backup the file anyway you want, in storage and the cloud. It is very easy to import and export.

Use the 3-2-1 rule for storing your vault:

Maintain three copies of your data: This includes the original data and at least two copies.

Use two different types of media for storage: Store your data on two distinct forms of media to enhance redundancy.

Keep at least one copy off-site: To ensure data safety, have one backup copy stored in an off-site location, separate from your primary data and on-site backups.

I have a Bitwarden vault for passwords and a KeePass vault for TOTP. I would use at least 2 Yubikeys as well but I’m using degoogled Grapheneos. I hate email and SMS verification for MFA, and my stupid banks only support these two methods.

Show threadm-p{3}Jan 28, 2025
On the other hand, NOT using MFA on an online password manager is just poor opsec.
Show threadERROR: Earth.exe has crashedJan 28, 2025
I understand that perspective, but honesly, for me, the threat of misplacing 2fa is higher than getting hacked.
Show threadmosiacmangoJan 28, 2025

People are “hacked” all the time in massive breaches. Its accelerating, not getting less likely. Password managers are a huge target, and have been breached in the past.

If youre worried about it, use something like Aegis. Its an mfa app that lets you easily save password protected backups. You can set it up to automatically save a copy to a folder on your phone. Then just copy that file off and store it somewhere safe.

If thats too much work and you dont run syncthing/nextcloud/etc, they also have an option to let it it sync with the google backup service.

The above gives you the best of both worlds : strong security and strong redundancy.

Aegis Authenticator | F-Droid - Free and Open Source Android App Repository

Free, secure and open source 2FA app to manage tokens for your online services

Show threadgazbyJan 28, 2025

Where TOTP is concerned is you enroll multiple devices for redundancy, and there are scratch codes. Plus you’ll eventually be forced to resolve this issue when passkeys become more mainstream.

Happy to help or talk through things if you’d like a hand getting comfortable with MFA 🩵

Show threadERROR: Earth.exe has crashedJan 28, 2025

I don’t like MFA. If the password/passphrase is strong enough, why need MFA? If its software MFA (like an app) a malware that could steal the password would also be capable of stealing the MFA.

If its hardware, one fire in my house, and all the keys are dead. (And I do not want to deal with a safe deposit box or burying the backup hardware keys in the woods somewhere, honestly, I don’t know where I would put the backup keys)

Edit: Lmfao MFA cultists be downvoting 🤣

I’m not even advocating against MFA, I just personally dislike it. Wtf y’all 🤣

Show threadgazbyJan 28, 2025
I’m afraid I can’t help you with the ideological problem mate, only the practical one 😅 You’ve got sync or multiple devices, and you’ll have to pick 🤷
Show threadTigerJan 28, 2025

Please give MFA another look, it really is better security to use it.

The problems you mentioned: you keep the MFA backups in a password manager.

I know you’re worried about losing access to that password manager, use two different ones, write down your most important several passwords in a locked place, etc. it’s better.

Show threaddarkstarFeb 13, 2025

Sorry dude, if keeping your 2fa codes safe is too much to ask then you really shouldn’t be on the internet.

Using a password manager without 2fa is a recipe for disaster, you might as well just use the same password for all your accounts at that point, then you don’t need the inconvenience of a password manager

Show threadERROR: Earth.exe has crashedFeb 13, 2025

So, how do you propose I safeguard the 2FA?

Hardware based ones can easily get damaged, or when there’s a fire, completely destory it. I am not rich enough to have a second home. And I can’t affor any “safe deposit boxes”. I don’t have any trusted friends to keep a backup 2FA key at.

Software based ones are same, if you print out the info. And if you store it online, you’re gonna need to encrypt it. And that is gonna be another password.

So all that trouble and its still 1FA (two different passwords is still 1FA).

So, if you want to be helpful, how do I manage 2FA keys without getting myself locked out?

Show threaddarkstarFeb 14, 2025
  • Use a 2FA app that allows you to export encrypted backup (I use Aegis)
  • Make an encrypted backup of your 2FA keys and store that using the 321 rule.
  • The 321 rule is 3 copies, 2 different types of media, and 1 copy offsite.

    • If your 2FA backup is encrypted, you can even store it in Google Drive or wherever, ask a family member to keep a copy, it doesn’t matter if the password is strong.

    If you’re extra scared of losing your keys then you can use something like Authy as a last resort, they make it super easy.

    I work in cyber forensics and incident response, 2FA and strong passwords can prevent 99% of the shit I see.

    Show threadadarzaJan 28, 2025

    something done by many services, sites, and games.

    but yea, i get it. the problem of asking someone to login to a service that they (bw) are holding your key for, in order for you to get into where that key is held.

    Show threadCthuluVoIPJan 28, 2025

    This is a good thing. Any account you care about and don’t want to be accessed by anyone without your consent should have multifactor authentication enabled. Use an app like Google Authenticator or a hardware token like a Yubikey. 2FA through text or email is insecure and easily bypassed.

    Friends don’t let friends raw dog the internet. Don’t be dumb and get your shit stolen. Use MFA everywhere.

    Show thread9tr6gyp3Jan 28, 2025
    Cant wait for someone to use bitwarden to store their bitwarden 2FA codes, thus locking themselves out of their account.
    Show threadBastingCheminaJan 28, 2025

    I’m fine, I use Aegis to store my bitwarden 2FA code. I just need my Aegis password to access it that is stored in … Bitwarden …

    I might not be the sharpest egg in the basket, thanks OP to have made me realize my mistake and I’ll change that.

    Show threaddustyDataJan 28, 2025
    Multi device. If you have more than one device with your vault configured and protected with MFA then the risk of locking yourself out of the account drops logarithmically with each device.
    Show thread9tr6gyp3Jan 28, 2025
    When they turn this one, all your devices will have to reauthenticate simultaneously.
    Show threaddustyDataJan 28, 2025

    Oh dear lord, no. That’s absolutely wrong. Stop panicking and read.

    if you are logging in to a mobile app or a browser extension that you have used before, you will not receive this prompt

    Show threadccunningJan 28, 2025

    My email is one of the few passwords I still know without my password manager.

    It probably is time for me to rethink that 🤔

    Show threadmosiacmangoJan 28, 2025
    100%. Control of someones email is just about the #1 target for someone to breach. It not only gives someone a ton of data about you, its almost always the method companies use to reset passwords. Someone with full access to your email can wreck your day/month/year.
    Show threadccunningJan 28, 2025
    These are basically the same reasons I haven’t turned it over to my password manager.
    Show threadmosiacmangoJan 28, 2025
    A weak or reused password is much more dangerous than a secure password manager with mfa enabled.
    Show threadccunningJan 28, 2025

    🤨

    …I will be sure to change all of my weak and/or reused passwords.

    Thanks for the tip…

    Show threadRaiJan 28, 2025
    If I was in a coma for five years and woke up, I’d still remember my 40-something character password manager password. I should do the same thing for my E-mail.
    Show threadShortstackJan 28, 2025

    Thanks for the heads up, though this would be less of an issue if you have the email app on your phone or the tab pinned in Firefox.

    The real issue is i gotta use another authentication app for my email now, have been using Bitwarden itself for 2fa codes for proton. Definitely can’t use proton pass to 2fa for my proton account.

    I don’t even know. Gonna have to find another reputable authenticator app.

    Guess I should also check if Bitwarden or proton support physical security keys. Would be pretty bomb proof since my keys are always in my pocket anyway.

    Show threadDealBreakerJan 28, 2025

    Aegis is a good Authenticator app you could consider

    Generally, it’s not recommended to keep TOTP and passwords at the same place

    Show threaddustyDataJan 28, 2025
    Two apps on the same device is still the same place. Same app but on different devices is different places.
    Show threadZwiebelJan 28, 2025
    Bitwarden supports phys. keys but you have to pay for the premium subscription to use them, which is 10$/year
    Show threadrecklessengagementJan 28, 2025
    Guess its time to set up a hardware key
    Show threadERROR: Earth.exe has crashedJan 28, 2025
    I’ll probably move to Keepass, I like to have control over my vault file, probably better than whatever “2fa” they are forcing anyways, since only I know where the vault is at.
    Show threadrecklessengagementJan 28, 2025
    Already store the most critical stuff in keepass; use bitwarden for the lower-risk stuff that benefits from the higher convenience factor.
    Show threadTelorandJan 28, 2025

    I mean, if they’re forcing 2FA at all, that’s a good thing, but they still have the usual TOTP and hardware key options.

    Anyway, I understand why people would want to host their own vault file. Just remember that obfuscation (i.e. being the only one who knows where your vault is) isn’t a viable security method. Removing access to potential thieves is.

    Show threadjust some guyJan 28, 2025

    For what it’s worth, as of a minute ago the form that’s for sending the email code asks if you have reliable access to the email before sending the code.

    But otherwise seems to be a non-issue with any of the software/hardware mfa options it supports. Good to let others know about this though!

    Show threadOtherbarryJan 28, 2025

    To be fair your post title does not match their own text

    To keep your account safe and secure, in February 2025, Bitwarden will require additional verification for users who do not use two-step login.

    So it’s not all accounts, just the ones that don’t already have 2FA. Personally I wouldn’t have noticed any changes since I already use 2FA enabled with an authenticator app. But I can see how this might bite you in the ass if you weren’t already using 2FA.

    Interestingly I used to run into a similar issue when using Lastpass. When logging in from other IP addresses they would often do mandatory email 2FA, and of course I couldn’t get into the email account without Lastpass. But it sort of resolved itself since I also have email on my phone so I just had to make sure those Lastpass emails didn’t end up in spam or wherever.

    Show threaddatendefektJan 28, 2025
    PSA: Vaultwarden is easy to self host.
    Show threadBozeKnoflookJan 28, 2025
    I just setup vaultwarden a few days ago for a small group, it’s very simple.
    Show threadtrevor (he/they)Jan 28, 2025
    Absolutely, but this is one of the worst reasons to advocate self-hosting a service. The kinds of people that are upset about higher security standards should not be self-hosting anything.
    Show threadcalcopiritusJan 28, 2025

    Why would they ever force this?

    The purpose of MFA is to:

    Mitigate using the same password on multiple sites and one of them has a data breach.

    Mitigate the impact of keyloggers/other kinds of malware.

    Mitigate the bad security of bad passwords.

    Mitigate the password manager’s own data breach.

    If you have at least two braincells, you will chose a unique and secure password for your password manager. That’s the point of password managers, that you only have to remember 1 password so it can be unique and strong. Also, a password manager (specially open source) should have almost perfect security, so them being hacked should not be a concern.

    The only thing MFA is doing on password managers is to mitigate malware. Which I don’t think is a good justification to force everyone the hassle of MFA.

    Fine if the wanna give the option of MFA, but don’t force it on everyone.

    Show threadERROR: Earth.exe has crashedJan 28, 2025

    I mean, I don’t necessarily oppose it, I just hate how they never gave any notices until like Jan 27, 2025 (according to this article: bitwarden.com/…/adding-more-security-to-bitwarden… look at the date on it).

    They should’ve given at least 3 months notice for such a drastic change like this. I feel like there would be a lot of people getting locked out because they didn’t know about this.

    Adding more security to Bitwarden user accounts | Bitwarden Blog

    Bitwarden is bolstering user account security for logins from unrecognized devices. Learn more about what triggers the new verification process and who is affected.

    Bitwarden
    Show threadasmoranomarJan 28, 2025
    I don’t see anyone mentioning it, but what if you do forget (or don’t know) your email password? Is there absolutely no way to recover your account? I’m sure there might be some services that are that restrictive, but I’d think that most are recoverable with some extra steps, no? Unless I’m missing something?
    Show threadERROR: Earth.exe has crashedJan 28, 2025

    I don’t know, they haven’t implemented it yet.

    I hope that if enough people started to get locked out, they will reverse or delay it for a few months and give people time to access the vault and make preparations.

    Since you are seeing my post, you know this is happeneing, so you should probably change your email password to something memorable.

    Or put that in a Keepass vault, and remember the Keepass password, and back up the vault to multiple cloud accounts, multiple Hard Drives / SSDs, etc. (I had this done just before I posted this post)

    Or just move entirely to Keepass, like I’m planning to do.

    Show threadkatamari_22Jan 28, 2025
    “who do not use two-step login”
    Show threadERROR: Earth.exe has crashedJan 28, 2025

    Enough people that they decided to make this mandatory.

    So, probably a lot.

    Show threadtrevor (he/they)Jan 28, 2025
    They should be using 2FA then. There are at least 3 other multifactor authentication options available. Configure one of them, or you can be affected by the device verification change. Or, you can disable the feature, but without any secondary auth factor, you’re just begging to have your passwords stolen.
    Show threaddeegeeseJan 28, 2025

    How the fuck am I supposed to use 2FA when BW stores my email password?

    This is like them saying giving up and making your email the actual password manager.

    I need a local password manager that just works when everything else is down.

    Show threadtrevor (he/they)Jan 29, 2025

    There are at least three other MFA methods that are not email based, and so no, you don’t have to remember your email password.

    Get an authenticator app. Get an authenticator key. Or hell, go use Duo for free (not recommended). And if none of those do it for you, use your 2FA recovery code. That’s what it exists for.

    And if all else fails, you can still shoot yourself in the foot and opt out of the change, but you’re just begging to have your passwords stolen ¯_(ツ)_/¯

    Show threadZwiebelJan 28, 2025
    This introduces so many failure modes. What if my email provider goes bankrupt, or fucks up their servers, or bans me? Access to my Bitwarden Vault is now dependent on some company’s whims
    Show threadTempermentalAnomalyJan 28, 2025
    This is only for devices you haven’t logged in from before.
    Show threadWaryleJan 28, 2025
    I liked the thought that if I were to lose my phone while traveling, I could just borrow a computer and access all my accounts anyway and not getting very uncomfortably stuck. This is putting me at big risk there.
    Show threadkusivittulaJan 28, 2025
    there will be an option to turn it off, so no worries
    Show threadERROR: Earth.exe has crashedJan 28, 2025

    I mean, you could set up 2FA and save the QR code that you used to set up the 2FA in unencrypted format on some cloud, making it a de facto 1FA. That could be the workaround if you just refuse to use 2FA.

    Or you could just move to Keepass like I’m planning to do.

    Show threadmipadaituJan 28, 2025
    I set up 2FA, took a screenshot of the QR code, printed it out, and stuck it in a fire safe.
    Show threadZwiebelJan 28, 2025

    @OP There will be an option to turn it off, maybe add that to the post

    An option to turn off new device login protection will be available in the web vault account settings

    Show threaddustyDataJan 28, 2025

    This is not the end of the world, some mighty overreaction on the comments. This is why diversity is the answer to security. Multi factor, multi mode, multi device. Something you know, something you have, something you are, etc.

    If you have more than one device, like PCs, laptop, phone, in any combination, and you have your access config on all. Then there’s an infinitesimally small chance you’d lose access to your vault.

    Show threadERROR: Earth.exe has crashedJan 28, 2025

    If you have more than one device

    That’s the problem, many people only have one device. (My parents, grandparents, probably aunts and uncles all mostly use their phones, probably doesn’t have a second phone, or even touched a computer for a while, imagine if one of them used Bitwarden)

    I personally haven’t used my PC for a while, since I don’t feel like playing games anymore, so most of my time using electronics is mostly doomscrolling Lemmy and watching Youtube (don’t judge). So if my phone happened to break, or if my app got corrupted for some reason and I had to re-download, I could definitely have gotten locked out, but luckily I saw that notice, I have the Email password saved in Keepass, so now that threat is over).

    (I know I should’ve backup the vault, but I kinda procrastinated 🙃)

    Show threaddustyDataJan 28, 2025
    They have different threat models. If they don’t have a PC, they most likely don’t and never will have bitwarden. They’ll let apple or Samsung or Google handle their security for them. In the end, we all accept some level of risks across different threat dimensions. Some people are more lax and some people are more strict. It’s not the end of the world.
    Show threadEiriJan 28, 2025

    I hate this so much. My Bitwarden password is the one thing I know. I’m not confident I could ever learn another password, especially one I barely ever need.

    And 2FA? What if my phone breaks? My 2FA recovery codes are in Bitwarden.

    Ugh. I have no idea what I’m going to do.

    Show threadERROR: Earth.exe has crashedJan 28, 2025

    Option 1: Set Email password same as Bitwarden Password (probably not a good idea, but technically an option 😉)

    Option 2: Make a Keepass Vault with the same password as Bitwarden, and put your Email password in it. Make sure to backup the keepass vault file to many different Hard Drives, SDDs, and cloud (file is encrypted so its probably safe in cloud)

    Option 3: Move every password into Keepass.

    Hurry, time is ticking, February is in a few days. (I’m moving to Keepass btw, already have my Email password in Keepass and the vault is backed up)