starred/vaultwarden
1
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden.git synced 2026-04-26 01:35:54 +03:00
Code Issues 39 Projects Releases 5 Packages Wiki Activity

[GH-ISSUE #945] Unable to disable the password hint #671

New issue
Closed
opened 2026-03-03 02:02:00 +03:00 by kerem · 8 comments
kerem commented 2026-03-03 02:02:00 +03:00
Owner
Copy link

Originally created by @eana on GitHub (Apr 2, 2020).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/945

Subject of the issue

Unable to disable the password hint.

Your environment

  • Bitwarden_rs version: 1.14.1
  • Install method: nginx as reverse proxy and docker-compose to start bitwarden and mysql
  • Clients used: Firefox/Chrome/Chromium
  • Reverse proxy and version: nginx/1.14.2
  • Version of mysql/postgresql: mariadb/server:10.4
  • Other relevant information:
    • because the environment variables are being overridden by the config file I also set "show_password_hint": false in config.json file

Steps to reproduce

  1. Add the following environment vars in the docker-compose.yml file
SHOW_PASSWORD_HINT: 'false'
  1. Edit config.json file and set "show_password_hint": false
  2. Start the bitwarden
    docker-compose -f docker-compose.yml up -d
  3. Check the env var and the config file inside the container:
$ env | grep "SHOW_PASSWORD_HINT"
SHOW_PASSWORD_HINT=false

$ docker exec -it bitwarden-server grep "show_password_hint" /data/config.json
  "show_password_hint": false,

Expected behaviour

Using the "Get master password hint" feature should be disabled.

Actual behaviour

Using the "Get master password hint" sends an email with the password hint.

Relevant logs

Originally created by @eana on GitHub (Apr 2, 2020). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/945 ### Subject of the issue Unable to disable the password hint. ### Your environment * Bitwarden_rs version: 1.14.1 * Install method: nginx as reverse proxy and docker-compose to start bitwarden and mysql * Clients used: Firefox/Chrome/Chromium * Reverse proxy and version: nginx/1.14.2 * Version of mysql/postgresql: mariadb/server:10.4 * Other relevant information: - because the environment variables are being overridden by the config file I also set `"show_password_hint": false` in `config.json` file ### Steps to reproduce 1. Add the following environment vars in the `docker-compose.yml` file ``` SHOW_PASSWORD_HINT: 'false' ``` 2. Edit `config.json` file and set `"show_password_hint": false` 3. Start the bitwarden `docker-compose -f docker-compose.yml up -d` 4. Check the env var and the config file inside the container: ``` $ env | grep "SHOW_PASSWORD_HINT" SHOW_PASSWORD_HINT=false ``` ``` $ docker exec -it bitwarden-server grep "show_password_hint" /data/config.json "show_password_hint": false, ``` ### Expected behaviour Using the "Get master password hint" feature should be disabled. ### Actual behaviour Using the "Get master password hint" sends an email with the password hint. ### Relevant logs
kerem closed this issue 2026-03-03 02:02:00 +03:00
kerem commented 2026-03-03 02:02:02 +03:00
Author
Owner
Copy link

@BlackDex commented on GitHub (Apr 2, 2020):

Hmmm, this is a bit wierd indeed.
That setting will only work if you have e-mail disabled.

I Think we need to add an extra option in this case.

  • DISABLE_PASSWORD_HINT which defaults to false.
    This would disable password hint entirely.
  • EMAIL_PASSWORD_HINT which defaults to true.
    This would allow e-mailing the password hints when e-mail is verified.
  • SHOW_PASSWORD_HINT which defaults to true.
    This would show the password hint in the error message on the top right.

And it should maybe also only sent out an e-mail when the e-mail address is verified maybe.
@dani-garcia What do you think?

<!-- gh-comment-id:607849099 --> @BlackDex commented on GitHub (Apr 2, 2020): Hmmm, this is a bit wierd indeed. That setting will only work if you have e-mail disabled. I Think we need to add an extra option in this case. * DISABLE_PASSWORD_HINT which defaults to false. This would disable password hint entirely. * EMAIL_PASSWORD_HINT which defaults to true. This would allow e-mailing the password hints when e-mail is verified. * SHOW_PASSWORD_HINT which defaults to true. This would show the password hint in the error message on the top right. And it should maybe also only sent out an e-mail when the e-mail address is verified maybe. @dani-garcia What do you think?
kerem commented 2026-03-03 02:02:02 +03:00
Author
Owner
Copy link

@dani-garcia commented on GitHub (Apr 2, 2020):

The setting was only meant to not display the password hint to everyone who requested it, because there's no other way to show it with email disabled, but at the same time it's not very secure to just show it like that.

I'm not sure what's the point of disabling it when the email is configured correctly? I'd rather not add extra options that don't have a useful purpose, we already have a lot of them as it is.

<!-- gh-comment-id:607853140 --> @dani-garcia commented on GitHub (Apr 2, 2020): The setting was only meant to not display the password hint to everyone who requested it, because there's no other way to show it with email disabled, but at the same time it's not very secure to just show it like that. I'm not sure what's the point of disabling it when the email is configured correctly? I'd rather not add extra options that don't have a useful purpose, we already have a lot of them as it is.
kerem commented 2026-03-03 02:02:02 +03:00
Author
Owner
Copy link

@BlackDex commented on GitHub (Apr 2, 2020):

Ah indeed. I do agree with that.
If we would add that it will also differ a bit to much from upstream.

Then @eana, i would suggest to modify the e-mail templates if really do not want this to be sent out.
You can probably copy the "pw_hint_none.*" files over the "pw_hint_some.*" files and you are done.

<!-- gh-comment-id:607858031 --> @BlackDex commented on GitHub (Apr 2, 2020): Ah indeed. I do agree with that. If we would add that it will also differ a bit to much from upstream. Then @eana, i would suggest to modify the e-mail templates if really do not want this to be sent out. You can probably copy the "pw_hint_none.\*" files over the "pw_hint_some.\*" files and you are done.
kerem commented 2026-03-03 02:02:02 +03:00
Author
Owner
Copy link

@eana commented on GitHub (Apr 2, 2020):

@dani-garcia @BlackDex I am evaluating bitwarden now, so I don't know it inside out yet, so, please bear with me here for a bit. Copying the pw_hint_none.* files over the pw_hint_some.* files will still send the email, right?

I see a use case where you want to keep the email configured but have the password hint disabled as in no emails sent.

I want my bitwarden instance to be publicly available and to get email notifications when a new login is performed (maybe use email verification as a two-step login along with authy... I don't know, I haven't decided yet). But I don't want to put my email server at risk by having the password hint enabled.

Of course, I can have fail2ban in front of bitwarden to prevent this kind of abuse, but I still think it would be really nice to be able to to disable the password hint while having the email configured.

<!-- gh-comment-id:607937836 --> @eana commented on GitHub (Apr 2, 2020): @dani-garcia @BlackDex I am evaluating bitwarden now, so I don't know it inside out yet, so, please bear with me here for a bit. Copying the `pw_hint_none.*` files over the `pw_hint_some.*` files will still send the email, right? I see a use case where you want to keep the email configured but have the password hint disabled as in no emails sent. I want my bitwarden instance to be publicly available and to get email notifications when a new login is performed (maybe use email verification as a two-step login along with authy... I don't know, I haven't decided yet). But I don't want to put my email server at risk by having the password hint enabled. Of course, I can have fail2ban in front of bitwarden to prevent this kind of abuse, but I still think it would be really nice to be able to to disable the password hint while having the email configured.
kerem commented 2026-03-03 02:02:02 +03:00
Author
Owner
Copy link

@BlackDex commented on GitHub (Apr 3, 2020):

Why would having password hints sent by e-mail be a security risk for your e-mail server?
It would be the same risk as having authentication e-mails sent out.

Fail2Ban is good for stopping brute force login attempts.
I would always enable that for any environment where i need to have logins or chances of people trying to hack or whatever.

<!-- gh-comment-id:608315000 --> @BlackDex commented on GitHub (Apr 3, 2020): Why would having password hints sent by e-mail be a security risk for your e-mail server? It would be the same risk as having authentication e-mails sent out. Fail2Ban is good for stopping brute force login attempts. I would always enable that for any environment where i need to have logins or chances of people trying to hack or whatever.
kerem commented 2026-03-03 02:02:02 +03:00
Author
Owner
Copy link

@eana commented on GitHub (Apr 3, 2020):

I think my example was poorly worded, not clear and generated some confusion, I am sorry. I will try to explain the use case again.

One way to hurt you would be to flood your email servers with password emails. If bitwarden is publicly available anyone can actually abuse the password hint functionality. I can have a bot to send hint emails every second or whatever. The risk for my email server is to have the emails piling up in the queue, which means disk IO, CPU and memory load. So, not a risk in the sense of getting hacked per se, but more in the sense of possibly getting the server unnecessarily loaded and flooding the destination mailbox.

(Of course, fail2ban is gonna be deployed regardless)

<!-- gh-comment-id:608360204 --> @eana commented on GitHub (Apr 3, 2020): I think my example was poorly worded, not clear and generated some confusion, I am sorry. I will try to explain the use case again. One way to hurt you would be to flood your email servers with password emails. If bitwarden is publicly available anyone can actually abuse the password hint functionality. I can have a bot to send hint emails every second or whatever. The risk for my email server is to have the emails piling up in the queue, which means disk IO, CPU and memory load. So, not a risk in the sense of getting hacked per se, but more in the sense of possibly getting the server unnecessarily loaded and flooding the destination mailbox. (Of course, fail2ban is gonna be deployed regardless)
kerem commented 2026-03-03 02:02:02 +03:00
Author
Owner
Copy link

@BlackDex commented on GitHub (Apr 3, 2020):

I can do the same by just spamming your e-mail server it self from the outside.
Or by just requesting multiple pages on the public available bitwarden (or any other service i can find on the same IP).
These items i think belong more to the security/firewalling in front of any application accessible from the public internet.
Most reverse proxies have some form of rate limiting to prevent or lower attacks like this.
You can also choose to install a separate postfix which does some outgoing rate limiting which then forwards it to the main mail server.

Trying to built-in items like this is i think a bit out of scope for this project. And where other tools are better designed for and is there main goal, like nginx or haproxy etc..

<!-- gh-comment-id:608424073 --> @BlackDex commented on GitHub (Apr 3, 2020): I can do the same by just spamming your e-mail server it self from the outside. Or by just requesting multiple pages on the public available bitwarden (or any other service i can find on the same IP). These items i think belong more to the security/firewalling in front of any application accessible from the public internet. Most reverse proxies have some form of rate limiting to prevent or lower attacks like this. You can also choose to install a separate postfix which does some outgoing rate limiting which then forwards it to the main mail server. Trying to built-in items like this is i think a bit out of scope for this project. And where other tools are better designed for and is there main goal, like nginx or haproxy etc..
kerem commented 2026-03-03 02:02:03 +03:00
Author
Owner
Copy link

@eana commented on GitHub (Apr 16, 2020):

It is not really the same thing, but I can understand the diverging too much from the upstream argument.

<!-- gh-comment-id:614502620 --> @eana commented on GitHub (Apr 16, 2020): It is not really the same thing, but I can understand the diverging too much from the upstream argument.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
revert-7033-patch-1
cached-config-operations
test_dylint
1.35.8
1.35.7
1.35.6
1.35.5
1.35.4
1.35.3
1.35.2
1.35.1
1.35.0
1.34.3
1.34.2
1.34.1
1.34.0
1.33.2
1.33.1
1.33.0
1.32.7
1.32.6
1.32.5
1.32.4
1.32.3
1.32.2
1.32.1
1.32.0
1.31.0
1.30.5
1.30.4
1.30.3
1.30.2
1.30.1
1.30.0
1.29.2
1.29.1
1.29.0
1.28.1
1.28.0
1.27.0
1.26.0
1.25.2
1.25.1
1.25.0
1.24.0
1.23.1
1.23.0
1.22.2
1.22.1
1.22.0
1.21.0
1.20.0
1.19.0
1.18.0
1.17.0
1.16.3
1.16.2
1.16.1
1.16.0
1.15.1
1.15.0
1.14.2
1.14.1
1.14
1.13.1
1.13.0
1.12.0
1.11.0
1.10.0
1.9.1
1.9.0
1.8.0
1.7.0
1.6.1
1.6.0
1.5.0
1.4.0
1.3.0
1.2.0
1.1.0
1.0.0
0.13.0
0.12.0
0.11.0
0.10.0
0.9.0
Labels
Clear labels   
SSO

   
Third party

   
better for forum

   
bug

   
bug

   
documentation

   
duplicate

   
enhancement

   
future Vault

   
future Vault

   
future Vault

   
good first issue

   
help wanted

   
low priority

   
notes

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
troubleshooting

   
wontfix
No labels
SSO
Third party
better for forum
bug
bug
documentation
duplicate
enhancement
future Vault
future Vault
future Vault
good first issue
help wanted
low priority
notes
pull-request
question
troubleshooting
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/vaultwarden#671
No description provided.