Starting Sep 13, 2021, new Bitbucket users will not be able to use their personal Atlassian account password when using Basic authentication with the Bitbucket API or Git over HTTPS. They will need to use Bitbucket app passwords.

Bitbucket users who created an Atlassian account before September 13, 2021 will be able to use their Atlassian account password to authenticate with the Bitbucket API or Git until March 1, 2022.

Bitbucket previously shared that starting March 1, 2022, users will not be able to use their Atlassian account password to authenticate with the Bitbucket API or Git over HTTPS. They will need to migrate to using app passwords.

In addition, starting September 13, 2021, new Bitbucket users will not be able to use their Atlassian account password to interact with the Bitbucket API or Git over HTTPS, and will need to use app passwords.

Bitbucket users who created an Atlassian account before September 13, 2021 will be able to use their Atlassian account password to authenticate with the Bitbucket API or Git until March 1, 2022.

How to create an app password

To create an app password:

  1. From your profile and settings avatar, select Personal settings.
  2. Select App passwords under Access management.
  3. Select Create app password.
  4. Give the app password a name related to the application that will use the password.
  5. Select the specific access and permissions you want to assign to this application password.
  6. Copy the generated password and either record or paste it into the application you want to give access. The password is only displayed this one time.

More details on app passwords (including usage and revocation) can be found in Bitbucket documentation.

Other functionality affected

OAuth 2.0 Resource Owner Password Credentials Grant flow

It will no longer be possible to perform the OAuth 2 Resource Owner Password Credentials Grant flow, since this requires an Atlassian account password. App developers should use one of our supported OAuth 2.0 flows to obtain access tokens.

Obtaining a Two Step Verification recovery token over SSH

Bitbucket previously allowed a combination of their SSH key and password to retrieve a Two Step Verification (2SV) recovery code. This will no longer be supported. Users with 2SV enabled should visit their personal settings and securely save or write down their recovery codes to avoid a 24 hour lockout in case of a lost or stolen 2SV device.

Deprecating Atlassian account password for Bitbucket API and Git activity