Apparently I can put the entire exact master password in the HINT field? There are no errors shown for this and the system is happy to email you that “hint”? Really?
Please tell me I’ve overlooked a configuration setting.
I’m waffling on allowing email as a 2FA method and this is a huge strike against that. Business email compromise is a big deal these days.
Edit: I just checked this on the paid version of official Bitwarden and didn’t get any errors when changing my “hint” to the exact master password. Wow.
Well, for one, why would you even try to do that?
And second, that should be something checked by the client side, since the server side does not receive the master password through any call at all.
So this is probably best to be noted at Bitwarden.
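The client-side check described in the reply above, written out as an added example that is not Bitwarden's or Vaultwarden's own code. It assumes a web-vault form where the hint field can be validated before the hint is sent to the server; the function names, the normalisation rules and the substitution table are all my own choices.

```javascript
// Added example (not Bitwarden/Vaultwarden code): refuse a password hint
// that would reveal the master password. This belongs in the client,
// because the client is the only place that ever holds the master password.

// Normalise for comparison: lowercase and drop all whitespace.
function normalise(s) {
  return String(s).toLowerCase().replace(/\s+/g, "");
}

// Undo a few common character substitutions (my own small table) so that
// "P@ssw0rd" and "password" compare equal.
function deleet(s) {
  return s
    .replace(/@/g, "a")
    .replace(/0/g, "o")
    .replace(/[1!]/g, "i")
    .replace(/3/g, "e")
    .replace(/[$5]/g, "s")
    .replace(/7/g, "t");
}

// Returns null when the hint is acceptable, otherwise a short reason.
// minOverlap: a hint shorter than this may be a substring of the password
// without being rejected (e.g. "hor" inside "correcthorse").
function hintProblem(hint, masterPassword, minOverlap = 4) {
  const h = normalise(hint);
  const p = normalise(masterPassword);
  if (h.length === 0) return null; // an empty hint leaks nothing
  if (h === p) return "hint equals the master password";
  if (h.includes(p)) return "hint contains the master password";
  if (p.includes(h) && h.length >= minOverlap) {
    return "hint is a substring of the master password";
  }
  if (deleet(h) === deleet(p)) {
    return "hint matches the master password after undoing common substitutions";
  }
  return null;
}

// Form-level wrapper: returns true when the hint may be submitted.
// The hint is only ever compared locally; nothing here leaves the browser.
function validateHintField(hintInput, masterPasswordInput) {
  const problem = hintProblem(hintInput.value, masterPasswordInput.value);
  hintInput.setCustomValidity(problem ? "Password hint rejected: " + problem : "");
  return problem === null;
}
```

`validateHintField` uses the standard `setCustomValidity` API so the browser shows the reason inline and blocks form submission until the hint is changed.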
Hmm, it does not appear there is an admin setting to disable hints either. Going to catch some flak about disabling email 2FA, but I just can’t allow it under these circumstances.
Is this in the latest docker image? I see it merged in git, but I’m not clear on what to look for to see if this made it into the latest docker image. I updated my containers from 2.28.1 to 2022.6.2 as shown in the web GUI and added PASSWORD_HINTS_ALLOWED: “false” to my docker compose, did a compose down/up, but it still allows password hint emails?
Edit: also added it into the config.json, but same results.
Edit 2: starting a new vault with this turned on, and on a new user, if I put something in the hint field I get an error saying hints aren’t allowed.