[GH-ISSUE #6526] Password Generator Policy turned off in admin console but policy is still being enforced on all user accounts. #2459

Closed
opened 2026-03-03 02:18:30 +03:00 by kerem · 5 comments

Originally created by @techytj on GitHub (Dec 4, 2025).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/6526

Prerequisites

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.34.3-f9751a0a
  • Web-vault version: v2025.7.0
  • OS/Arch: linux/x86_64
  • Running within a container: false (Base: Not applicable)
  • Database type: SQLite
  • Database version: 3.50.2
  • Uses config.json: true
  • Uses a reverse proxy: true
  • IP Header check: false (X-Forwarded-For)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Websocket Check: true
  • HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Environment settings which are overridden: ADMIN_TOKEN

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": false,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "/opt/vaultwarden/data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "/opt/vaultwarden/data",
  "database_conn_init": "",
  "database_idle_timeout": 600,
  "database_max_conns": 10,
  "database_min_conns": 2,
  "database_timeout": 30,
  "database_url": "********************************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://*************",
  "domain_origin": "*****://*************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "/opt/vaultwarden/data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 5,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Bit-Vaultwarden Barbour Residence",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "purge_incomplete_sso_nonce": "0 20 0 * * *",
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "/opt/vaultwarden/data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "/opt/vaultwarden/data/sends",
  "show_password_hint": false,
  "signups_allowed": true,
  "signups_domains_whitelist": "",
  "signups_verify": true,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "********************",
  "smtp_from_name": "*************************",
  "smtp_host": "**************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 60,
  "smtp_username": "*******************",
  "sso_allow_unknown_email_verification": false,
  "sso_audience_trusted": null,
  "sso_auth_only_not_session": false,
  "sso_authority": "",
  "sso_authorize_extra_params": "",
  "sso_callback_path": "*****://******************************************",
  "sso_client_cache_expiration": 0,
  "sso_client_id": "",
  "sso_client_secret": "***",
  "sso_debug_tokens": false,
  "sso_enabled": false,
  "sso_master_password_policy": null,
  "sso_only": false,
  "sso_pkce": true,
  "sso_scopes": "email profile",
  "sso_signups_match_email": true,
  "templates_folder": "/opt/vaultwarden/data/templates",
  "tmp_folder": "/opt/vaultwarden/data/tmp",
  "trash_auto_delete_days": 10,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "/opt/vaultwarden/web-vault",
  "yubico_client_id": "86692",
  "yubico_secret_key": "***",
  "yubico_server": null
}

Vaultwarden Build Version

1.34.3-f9751a0a

Deployment method

Other method

Custom deployment method

installed in proxmox via : bash -c "$(wget -qLO - https://github.com/tteck/Proxmox/raw/main/ct/vaultwarden.sh)"

Reverse Proxy

nginx v2.13.5

Host/Server Operating System

Linux

Operating System Version

Debian V12

Clients

Desktop

Client Version

2025.11.02

Steps To Reproduce

  1. login to vaultwarden using admin username / password
  2. goto admin console / settings / policies / password generator
  3. Turn on, choose appropriate settings, save
  4. launch bitwarden desktop app, login, create new login, for password, use password generator.
  5. observe policy being enforced and only allowing the method chosen from admin console.
  6. log out of desktop app
  7. go back to step 2 from above
  8. turn OFF password generator policy, save
  9. launch bitwarden desktop app, login, create new login, for password, use password generator.
  10. observe policy is STILL BEING ENFORCED even though it was turned off.

Expected Result

If the password generator policy is turned off, expect the user to be able to choose the password generation method on new password entries.

Actual Result

last chosen password generator policy method remains in effect when creating new password entries.

Logs


Screenshots or Videos

Image Image

Additional Context

No response

Originally created by @techytj on GitHub (Dec 4, 2025). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/6526 ### Prerequisites - [x] I have searched the existing **Closed _AND_ Open** [Issues](https://github.com/dani-garcia/vaultwarden/issues?q=is%3Aissue%20) **_AND_** [Discussions](https://github.com/dani-garcia/vaultwarden/discussions?discussions_q=) - [x] I have searched and read the [documentation](https://github.com/dani-garcia/vaultwarden/wiki/) ### Vaultwarden Support String ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.34.3-f9751a0a * Web-vault version: v2025.7.0 * OS/Arch: linux/x86_64 * Running within a container: false (Base: Not applicable) * Database type: SQLite * Database version: 3.50.2 * Uses config.json: true * Uses a reverse proxy: true * IP Header check: false (X-Forwarded-For) * Internet access: true * Internet access via a proxy: false * DNS Check: true * Browser/Server Time Check: true * Server/NTP Time Check: true * Domain Configuration Check: true * HTTPS Check: true * Websocket Check: true * HTTP Response Checks: true ### Config & Details (Generated via diagnostics page) <details><summary>Show Config & Details</summary> **Environment settings which are overridden:** ADMIN_TOKEN **Config:** ```json { "_duo_akey": null, "_enable_duo": true, "_enable_email_2fa": false, "_enable_smtp": true, "_enable_yubico": false, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "***:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_connect_src": "", "allowed_iframe_ancestors": "", "attachments_folder": "/opt/vaultwarden/data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "/opt/vaultwarden/data", "database_conn_init": "", "database_idle_timeout": 600, "database_max_conns": 10, 
"database_min_conns": 2, "database_timeout": 30, "database_url": "********************************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "domain": "*****://*************", "domain_origin": "*****://*************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "/opt/vaultwarden/data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 5, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "Bit-Vaultwarden Barbour Residence", "invitations_allowed": true, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": null, "log_level": "info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "", "org_events_enabled": false, "org_groups_enabled": false, 
"password_hints_allowed": true, "password_iterations": 600000, "purge_incomplete_sso_nonce": "0 20 0 * * *", "push_enabled": false, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "/opt/vaultwarden/data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "/opt/vaultwarden/data/sends", "show_password_hint": false, "signups_allowed": true, "signups_domains_whitelist": "", "signups_verify": true, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "********************", "smtp_from_name": "*************************", "smtp_host": "**************", "smtp_password": "***", "smtp_port": 587, "smtp_security": "starttls", "smtp_ssl": null, "smtp_timeout": 60, "smtp_username": "*******************", "sso_allow_unknown_email_verification": false, "sso_audience_trusted": null, "sso_auth_only_not_session": false, "sso_authority": "", "sso_authorize_extra_params": "", "sso_callback_path": "*****://******************************************", "sso_client_cache_expiration": 0, "sso_client_id": "", "sso_client_secret": "***", "sso_debug_tokens": false, "sso_enabled": false, "sso_master_password_policy": null, "sso_only": false, "sso_pkce": true, "sso_scopes": "email profile", "sso_signups_match_email": true, "templates_folder": "/opt/vaultwarden/data/templates", "tmp_folder": "/opt/vaultwarden/data/tmp", "trash_auto_delete_days": 10, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": 
"/opt/vaultwarden/web-vault", "yubico_client_id": "86692", "yubico_secret_key": "***", "yubico_server": null } ``` </details> ### Vaultwarden Build Version 1.34.3-f9751a0a ### Deployment method Other method ### Custom deployment method installed in proxmox via : bash -c "$(wget -qLO - https://github.com/tteck/Proxmox/raw/main/ct/vaultwarden.sh)" ### Reverse Proxy nginx v2.13.5 ### Host/Server Operating System Linux ### Operating System Version Debian V12 ### Clients Desktop ### Client Version 2025.11.02 ### Steps To Reproduce 1. login to vaultwarden using admin username / password 2. goto admin console / settings / policies / password generator 3. Turn on, choose appropriate settings, save 4. launch bitwarden desktop app, login, create new login, for password, use password generator. 5. observe policy being enforced an only allowing method chosen from admin console. 6. log out of desktop app 7. go back to step 2 from above 8. turn OFF password generator policy, save 9. launch bitwarden desktop app, login, create new login, for password, use password generator. 10. observe policy is STILL BEING ENFORCED even though it was turned off. ### Expected Result If password generator policy is turned off expect user to be able choose password generation method on new password entries. ### Actual Result last chosen password generator policy method remains in effect when creating new password entries. ### Logs ```text ``` ### Screenshots or Videos <img width="541" height="677" alt="Image" src="https://github.com/user-attachments/assets/6ce1bd4a-f0f5-41d6-a5a6-c573f8ef1941" /> <img width="625" height="620" alt="Image" src="https://github.com/user-attachments/assets/50bdf915-eb2b-4b2b-a0f6-a1745a8c70c4" /> ### Additional Context _No response_
kerem 2026-03-03 02:18:30 +03:00

@BlackDex commented on GitHub (Dec 4, 2025):

Did you do a full logout of the desktop app, and logged in again?
Does it happen on other clients also?

<!-- gh-comment-id:3613709346 --> @BlackDex commented on GitHub (Dec 4, 2025): Did you do a full logout of the desktop app, and logged in again? Does it happen on other clients also?

@techytj commented on GitHub (Dec 4, 2025):

Yes.. I did a full logout on desktop client.
This issue occurs on browser extension and webpage as well even after clearing cookies and cache.
Also restarted vaultwarden service.

<!-- gh-comment-id:3613735241 --> @techytj commented on GitHub (Dec 4, 2025): Yes.. I did a full logout on desktop client. This issue occurs on browser extension and webpage as well even after clearing cookies and cache. Also restarted vaultwarden service.

@BlackDex commented on GitHub (Dec 4, 2025):

Thanks for the extra info!

<!-- gh-comment-id:3613739641 --> @BlackDex commented on GitHub (Dec 4, 2025): Thanks for the extra info!

@BlackDex commented on GitHub (Dec 20, 2025):

@techytj, I'm unable to reproduce this in any way, except if the client didn't sync first. Without a fresh sync it keeps the cached data and does not fetch the new policy settings.

So, either the user you are trying it with belongs to more organizations that have that policy enabled, or something else strange is going on, but not something I'm able to reproduce with the steps you provided.

<!-- gh-comment-id:3678029196 --> @BlackDex commented on GitHub (Dec 20, 2025): @techytj, I'm unable to reproduce this in any way, except if the client didn't sync first. Without a fresh sync it keeps the cached data and does not fetch the new policy settings. So, either the user you are trying it with belongs to more organizations that have that policy enabled, or something else strange is going on, but not something I'm able to reproduce with the steps you provided.

@techytj commented on GitHub (Dec 21, 2025):

You were correct.. I had different password generator policy settings for different organizations, which is what my problem was.
Apologies for wasting your time. Appreciate your looking into this and pointing out the error of my ways.

<!-- gh-comment-id:3678444741 --> @techytj commented on GitHub (Dec 21, 2025): You were correct.. I had different password generator policy settings for different organizations, which is what my problem was. Apologies for wasting your time. Appreciate your looking into this and pointing out the error of my ways.