Cannot login with correct master password

[skutter-de]

Prerequisites

• I have searched the existing Closed AND Open Issues AND Discussions
• I have searched and read the documentation

Vaultwarden Support String

Your environment (Generated via diagnostics page)

• Vaultwarden version: v1.34.3
• Web-vault version: v2025.7.0
• OS/Arch: linux/x86_64
• Running within a container: true (Base: Debian)
• Database type: SQLite
• Database version: 3.50.2
• Uses config.json: true
• Uses a reverse proxy: true
• IP Header check: true (X-Real-IP)
• Internet access: true
• Internet access via a proxy: false
• DNS Check: true
• Browser/Server Time Check: true
• Server/NTP Time Check: true
• Domain Configuration Check: true
• HTTPS Check: true
• Websocket Check: true
• HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Environment settings which are overridden: DOMAIN, SIGNUPS_ALLOWED, ADMIN_TOKEN

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://********************",
  "domain_origin": "*****://********************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "push_enabled": true,
  "push_identity_uri": "https://identity.bitwarden.eu",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.eu",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": true,
  "signups_domains_whitelist": "",
  "signups_verify": true,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "******************",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "**************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "******************",
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

v1.34.3

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

Nginx Proxy Manager v2.12.4

Host/Server Operating System

Linux

Operating System Version

Red Hat Enterprise Linux 9.6

Clients

Web Vault, Browser Extension

Client Version

Web 2025.7.0, Firefox Extension 2025.8.1

Steps To Reproduce

One user on my server cannot login with the correct master password. We are both 100% sure it's correct, since it was written on a recovery sheet and saved in my vault as a fallback. Login was also tested at setup with the copy of the password in my vault and on the recovery sheet, as well as now. no server settings were modified since the creation of that account

Expected Result

Successful login

Actual Result

Login does not work on. The vault on the already logged in iOS app can still be unlocked with that password.

Logs

vaultwarden-1  | [2025-09-02 12:34:28.883][request][INFO] GET /api/devices/knowndevice
vaultwarden-1  | [2025-09-02 12:34:28.884][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK
vaultwarden-1  | [2025-09-02 12:34:30.333][request][INFO] POST /identity/accounts/prelogin
vaultwarden-1  | [2025-09-02 12:34:30.334][response][INFO] (prelogin) POST /identity/accounts/prelogin => 200 OK
vaultwarden-1  | [2025-09-02 12:34:30.452][request][INFO] POST /identity/connect/token
vaultwarden-1  | [2025-09-02 12:34:31.177][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: x.x.x.x. Username: [email protected].
vaultwarden-1  | [2025-09-02 12:34:31.178][response][INFO] (login) POST /identity/connect/token => 400 Bad Request

Screenshots or Videos

No response

Additional Context

This is now the second time this has happened

[BlackDex]

Passwords do not change by them self, and also not automatically by the server.

Either someway the database gets corrupted and for some reason only that user is affected, but that would be strange. Or, someone tried the org recovery/emergency contact procedure and changed the password.

There is nothing we can do here, since there is no process which changes the password anywhere in the code that isn't started by someone.

I would suggest to check the logs and see if you can find anything between the last successful login and the point it failed.

[skutter-de]

There is no emergency contact defined, the password wasn't changed and I couldn't find anything in the logs. Is there any way to check the database for integrity?

[abbelyn]

Skutter-de, I don't want to double post here and just realized the last message wasn't the OP. I think my below reply to cvpas may be relevant here too if you still have the server instance.

[cvpas]

I changed my phone and download bitwarden from google play, but I can not login in this app, my password is correct!How can I login in??

[abbelyn]

Try to access the website where your vaultwarden is based at (IE in a browser not the app). I think when the newer app came out it broke connection with the Vaultwarden server. My desktop app and browser extension won't sync currently and in the past this has been due to an update on the bitwarden apps, but that update not having being pushed downstream to vaultwarden just yet.

[ntkrnl32]

I got this error too...
Strange.
And I didn't do anything with my vault.
vwlogs.txt

---

some... details?
all i did before the strange error

{
    "error": "",
    "errorModel": {
        "message": "Username or password is incorrect. Try again",
        "object": "error"
    },
    "error_description": "",
    "exceptionMessage": null,
    "exceptionStackTrace": null,
    "innerExceptionMessage": null,
    "message": "Username or password is incorrect. Try again",
    "object": "error",
    "validationErrors": {
        "": [
            "Username or password is incorrect. Try again"
        ]
    }
}

is sudo reboot on that server

[ntkrnl32]

some updates
i tried to create another account with the same email ([email protected]) without doing anything with the container and it created successfully.
what is going on??

[brandes-pq]

I have a similar problem. I can verify that the master password I am using is correct, since I can use it to successfully unlock my account with both the bitwarden firefox plugin and the bitwarden cli client, but I get the aforementioned error when trying to log into the vaultwarden web interface.

Some details which may be relevant: my master password is more than 40 characters long and consists only of lowercase ascii characters and spaces.

[BlackDex]

Any logs on the Vaultwarden side?
Is the user account still in the database? Check via the /admin Backend Portal.

[brandes-pq]

The server says

[2025-11-20 12:00:06.872][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 172.20.0.1. Username: [email protected].
[2025-11-20 12:00:06.872][response][INFO] (login) POST /identity/connect/token => 400 Bad Request

The failing request is a POST to /identity/connect/token, the payload (redacted) is

scope: api offline_access
client_id: web
deviceType: 10
deviceIdentifier: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
deviceName: firefox
grant_type: password
username: [email protected]
password: XXXXXXXXXXXXXXX (base64-encoded)

The user is shown in the admin panel as "verified".

[brandes-pq]

With log level TRACE and enabled EXTENDED_LOGGING, the only additional info that is logged is the payload of the /identity/connect/token.

[brandes-pq]

I am very sorry for the noise - it turns out I had a typo in the username. So, the login works for me as advertised.

Sorry again, and thanks for an awesome product!