The Bitwarden Blog
3 Tips for Extra Security with Your Bitwarden Account
April 12, 2022
By choosing a password manager, you have an inclination towards security. Congratulations! In this post, we will cover three extra areas for you to enhance your security.
First is going beyond just a strong and unique main password for your Bitwarden account to having a unique email as well. Next, we'll cover a technique called peppering, which allows you to add a few extra characters to passwords that you would like to be super secret. The third technique uses unique random strings as answers to security questions.
- Use a unique email address for your Bitwarden Account
- Get your main master password right first
- Backing up your Bitwarden account
- Using the name+string@domain .com approach
- Using an email alias solution
- Using a business suite
- Changing your email address
- Add a dash of pepper to your passwords
- My dog’s name is m2v++"}#;"$b2X
NOTE: Your Bitwarden account is secured with a combination of your email address and your main Bitwarden password. Follow these directions and backup instructions very carefully if you choose to pursue this option.
Perhaps the most important element of using a password manager is having a strong and unique main password. This means one that is not used anywhere else, one that you can remember, one that you can type - although, once you instrument your password manager with biometrics and PINs, you may not need your main password frequently.
That of course means that you need a way to remember your main master password, should you forget it. Many people benefit from writing their main password down. Other people would never think of writing their main password down because they view it as a security risk. Choose what works for you, but don't forget your main Bitwarden password. For those in the middle, writing it down and putting it in a secure place like a physical safe is a very good idea.
Beyond having a strong and unique main password for Bitwarden you can also have a unique email address. This provides another factor of obscurity if somebody were trying to get into your account.
Don't worry if you signed up with an email you normally use, you can change that email, but you should backup your account first.
The combination of your email and your main Bitwarden password secures your account with end-to-end encryption, so before you change your email you'll want to make a backup of your account. Bitwarden offers unencrypted and encrypted backup options. In this case, choose unencrypted so that you can read your information should you lose access to your account. Bitwarden offers .csv and .json formats with .json having a bit more coverage across item types. An unencrypted .json format is our recommendation in this scenario.
TIP: See our community contributed appendix for extra backup advice.
Understand that an unencrypted file with all of your credentials should be handled with extreme care. One idea is to download the file to a USB key, confirm that you can read it, and when you're finished either erase that USB key or put that USB key in a secure place like a physical safe.
Once you have a backup of your vault, you can consider what email address you will use.
One option for creating email aliases is to use a feature built into most, but not all, email systems. This feature allows you to create a unique email alias by adding a plus symbol and a random string to your existing email address. This email will still go directly to your primary inbox but come in as a different address name. This capability works for Gmail and ProtonMail, an open source encrypted email service. You must test any potential alias you use, and be sure that you can receive emails to that alias, before you change your Bitwarden email.
Another option is to use an email alias service like SimpleLogin, an open source email alias solution. SimpleLogin or other alias services allow you to create completely unique emails that will forward to your primary email account. This provides complete anonymity of your email and can be a very effective way to segment your identity online. Of course, this approach provides even more security from the prior
email@example.com approach since with that one somebody can easily derive your main email. However, if no one knows the string on the end of your email, they are unlikely to be able to use that to get into your account.
A third option for creating and managing lots of email addresses and aliases is to use a business solution such as Google workspace or Microsoft 365. While these are almost always paid plans, according to the Google support site, “You can add up to 30 email aliases for each user at no extra cost.” From the Microsoft documentation site, “You can create up to 400 aliases for a user.” With entry plans starting at $5 to $12 per user per month, these plans can be helpful for some users.
Now that you have a backup you can view of your account, and the email alias you have in mind, you can change your email by going to the web vault at vault.bitwarden.com and selecting Settings.
Note that changing your email address will not change your two-step login. Before changing your email address you should have complete visibility to:
- your two-step login setup for Bitwarden
- your two-step login recovery code for Bitwarden
- backups and recovery codes for your primary authentication mechanism that you use to get into Bitwarden.
Once you have all of that, plus your accessible and verified backup, you can proceed to change your email.
Regardless of which path you choose, adding a unique email address on top of a unique and strong master password for your Bitwarden account will give you an extra layer of security and protection.
People often say, “I don't want to put all of my eggs into one basket” when it comes to password managers. This is a legitimate thought but one that can easily be addressed.
First, you don't have to put everything in a password manager. But then you're really just making your life a little bit more complicated, so that is a trade-off that anyone can choose to make.
Fortunately, techniques exist to let us use a password manager and keep the idea of
not all eggs in a single basket. The main technique is called peppering. With peppering, you add additional characters that only you know to the end of a randomly generated password. This protects for a situation where if someone somehow gains access to your password manager they would still not be able to log in to the account that had a peppered password, unless they also knew the pepper.
Of course, in this situation you are now responsible for your pepper phrase. If that gets lost, you will no longer be able to get into your accounts. However, peppering provides a very useful technique for those who want to add extra security to select accounts.
A third area where a password manager helps provide an additional layer of security is the stereotypical security questions that some websites ask.
You're probably familiar with the simple questions of who is your favorite friend growing up or your favorite painter or favorite food or favorite movie type, all of which rely on information that could, in some situations, already be known beyond yourself.
So when websites use security questions as a mechanism to protect account recovery there is a case to be made that the answers to the questions should also be super secret.
Here we can use our password manager to keep track of all of the security questions that we might answer for a given website.
What's the name of your dog? m2v++"}#;"$b2X What's the name of your childhood friend? HDcoR2ofxWz7iX
There are times when the website might be looking for something more resembling a word. In that case, you could use the Bitwarden passphrase generator to pick a random word from a randomly generated passphrase:
What is the name of your cat? zestfully
Remember that using this technique for account recovery questions means that you must absolutely retain everything regarding the answers to the security questions. This provides another reminder that regardless of a momentary backup for email changes as noted above you also have an ongoing backup strategy for your Bitwarden account. Read this post for 7 Tips to Protect Your Bitwarden Account.
If you are new to Bitwarden, get started with your own account right away.
If you are already a Bitwarden user, you may want to view our Learning Center with training presentations on beginner and advanced topics, or visit our Help Center, which contains technical details on all Bitwarden features.
Backing up your Bitwarden account
These steps are best executed via the web vault at vault.bitwarden.com
Export your personal vault, this is the one under
Tools -> Export Vault
If you are responsible for one or multiple Organizations, go to each Organization and export those individually. These are the ones under
Tools -> Export Vault AFTER you click on each Organization you belong to.
Now go back to your personal vault and find all your attachments and download copies of them: in the Search field put: >+attachments:*
Now you have a complete backup of all of your information.
Back to Blog