There are no master password hint limits?

Apparently I can put the entire exact master password in the HINT field? There are no errors shown for this and the system is happy to email you that “hint”? Really?

Please tell me I’ve overlooked a configuration setting.

I’m waffling on allowing email as a 2FA method and this is a huge strike against that. Business email compromise is a big deal these days.

Edit: I just checked this on the paid version of official Bitwarden and didn’t get any errors in changing my “hint” to the exact master password. Wow.

Well, for one, why would you even try to do that?
And second, that should be something checked by the client side, since the server side does not receive the master password through any call at all.

So this is probably best to be noted at Bitwarden.

1 Like
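As an added example (not code from Bitwarden or the Vaultwarden project), this is the kind of client-side check the reply above describes: it rejects a hint that equals, contains, or shares a long run of characters with the master password, before the hint is ever sent to the server. The function names and the 6-character threshold are assumptions, not anything the products actually implement.

```javascript
// Added example (not Bitwarden or Vaultwarden code): a client-side check that a
// master password hint does not leak the master password itself. It has to run in
// the client, which is the only place that holds the plaintext master password;
// the server only ever sees the derived hash and the hint text.

// Normalize so trivial variations (case, surrounding whitespace) do not slip through.
function normalize(s) {
  return s.normalize("NFKC").trim().toLowerCase();
}

// Length of the longest substring shared by a and b (classic O(n*m) DP).
function longestCommonSubstring(a, b) {
  let best = 0;
  let prev = new Array(b.length + 1).fill(0);
  for (let i = 1; i <= a.length; i++) {
    const cur = new Array(b.length + 1).fill(0);
    for (let j = 1; j <= b.length; j++) {
      if (a[i - 1] === b[j - 1]) {
        cur[j] = prev[j - 1] + 1;
        if (cur[j] > best) best = cur[j];
      }
    }
    prev = cur;
  }
  return best;
}

// Returns null when the hint is acceptable, otherwise a reason string.
// maxShared is the longest run of characters the hint may share with the
// password (assumed threshold; 6 is a constructed value, not a product setting).
function validateMasterPasswordHint(hint, masterPassword, maxShared = 6) {
  if (!hint) return null; // an empty hint is always fine
  const h = normalize(hint);
  const p = normalize(masterPassword);
  if (h === p) return "hint_equals_password";
  if (h.includes(p)) return "hint_contains_password";
  if (p.includes(h)) return "hint_is_part_of_password";
  if (longestCommonSubstring(h, p) > maxShared) return "hint_shares_too_much";
  return null;
}
```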

You know someone’s going to do it.

As the client requests the master password in order to change that, it seems technically possible.

Hmm, it does not appear there is an admin setting to disable hints either. I’m going to catch some flak about disabling email 2FA, but I just can’t allow it under these circumstances.

Yes, I found that setting, but on a careful reading of the description it’s not what I’m looking for. The tooltip in the admin panel is clearer.

This PR adds an option to disable password hints:

1 Like

Is this in the latest docker image? I see it merged in git, but I’m not clear on what to look for to see if this made it into the latest docker image. I updated my containers from 2.28.1 to 2022.6.2 as shown in the web GUI and added PASSWORD_HINTS_ALLOWED: “false” to my docker compose, did a compose down/up, but it still allows password hint emails?

Edit: I also added it into the config.json, but same results.

Edit 2: Starting a new vault with this turned on, on a new user, if I put something in the hint field I get an error saying hints aren’t allowed.