Cannot log in to vault on new devices

[nulano]

Hi. I have just found out that I cannot log in on new devices. I get an "Username or password is incorrect. Try again" error when I try to do so.

The following is working correctly:

• Log in with password on devices where I was already logged in (Android, Chrome extension, Chrome-based browser). I can see in the network tab that it uses a refresh_token to log in.
• Log in with device (using my phone to log in on previously logged in devices).
• Vault export (requests my password and accepts it).
• Other users can log in on new devices without issue.
• Adding a secure note in the web vault automatically pushes it to my phone.

The following is not working:

• Log in on the web vault using private browsing (other users can log in here without issue).
• Log in after reinstalling the chrome extension on a device where I could previously log in.
• Changing KDF or password from a logged-in device (says "Invalid password").
• Viewing 2FA codes (instead of the expected "2FA is not enabled", it says "Invalid password").

I updated to 1.32.0 about 2 weeks ago, and I think I tried logging in with private browsing then, but I'm not sure.
Unfortunately, this also means my Docker logs were wiped at that time.

I have daily backups of my database, so I have run the sqlite3 database '.dump users' command and cannot see any difference for my user except for the updated_at date.
Both users have password_iterations=600000, client_kdf_type=0, client_kdf_iter=600000 in the database.
I have also looked at the devices table to see whether there are any unexpected ones, but the only devices for my account with a created_at date from this year match my phone.

I have also tried the following: Grant Takeover Emergency Access to another user (the one that can log in successfully) with 1 day time period, so that I can attempt to reset my password this way. However, while I can see my account in their Emergency access page, there is no Takeover button there. I assume this will show up after the 1 day period passes?

I'm not sure what else I can check?

Your environment (Generated via diagnostics page)

• Vaultwarden version: v1.32.0
• Web-vault version: v2024.6.2b
• OS/Arch: linux/x86_64
• Running within a container: true (Base: Debian)
• Environment settings overridden: false
• Uses a reverse proxy: true
• IP Header check: true (X-Real-IP)
• Internet access: true
• Internet access via a proxy: false
• DNS Check: true
• Browser/Server Time Check: true
• Server/NTP Time Check: true
• Domain Configuration Check: true
• HTTPS Check: true
• Database type: SQLite
• Database version: 3.46.0
• Clients used:
• Reverse proxy and version:
• Other relevant information:

Config (Generated via diagnostics page)

Show Running Config

Environment settings which are overridden:

{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": false,
  "_enable_smtp": false,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "cid:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "/data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "/data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "****************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://*******************",
  "domain_origin": "*****://*******************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "fido2-vault-credentials",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "/data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "*************",
  "invitations_allowed": false,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "warn",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "****",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "push_enabled": true,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "/data/rsa_key/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "/data/sends",
  "show_password_hint": true,
  "signups_allowed": false,
  "signups_domains_whitelist": "*********",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": true,
  "smtp_from": "***********************",
  "smtp_from_name": "Bitwarden_RS",
  "smtp_host": "*************",
  "smtp_password": "***",
  "smtp_port": 465,
  "smtp_security": "force_tls",
  "smtp_ssl": false,
  "smtp_timeout": 15,
  "smtp_username": "*********",
  "templates_folder": "/data/templates",
  "tmp_folder": "/data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

[nulano]

Ok, I figured out how to reset my password with Emergency Access.

After adding user B with Takeover access for my account A, I had to then click Confirm again next to the user B entry on the Emergency Access page in my account A. I could then use user B's account to request emergency access and immediately accept it on my account A page. Then, I could finally initiate takeover using user B's account to change my password to the one I had used previously, and I can now log in on other devices again.

But I still have no idea how it broke in the first place...

[nulano]

But I still have no idea how it broke in the first place...

I now think this could have been caused by one of the issues fixed in #5176.