A question about the master password vs. the Bitwarden generated password

I’ve never used a password manager before, so I’m still trying to figure out how Bitwarden works (before I download it). Here is my question:

Say, for example, I’m trying to login to my credit card account. Would I type my master password into the credit card account password field? Or would I go into my Bitwarden vault and get the password that it has generated for my credit card account and THEN use THAT password to put into the credit card account password field?

I would appreciate any help with my question.

Your master password is only ever used to login to your Bitwarden vault. The vault contains all the login credentials for the various sites you use, e.g. your credit card provider.

danmullen, I want to be clear about how to specifically use Bitwarden. So, if I begin using the Bitwarden password manager, all I would need to do is type my master password into whatever website password field I am trying to login to (for example, a credit card provider)? Or is it required I pull the Bitwarden generated password out of the vault and then put THAT password into the website password field?

I just want to be clear exactly what I will be typing into whatever website password field i am trying to login into.

You should NEVER type your master password in anything else then Bitwarden, I repeat NEVER.

If you want to login to you creditcard company the easiest way is to use the Bitwaren browser extension and use that to auto type the correct specific password (and username) for the CC company website.

3 Likes

Plus, you can use the BW browser extension as collection of bookmarks:

  1. open and unlock the extension
  2. in-there, search for your bank name
  3. click the “open link” icon ss200419_180033 (it will open in a new tab)
  4. use your shortcut to trigger auto-fill

When attempt to fill in credit card value in Android App (it never success), Bitwarden will prompt for re-enter master password, normally it should prompt for PIN code. Only happened with auto fill card request but never with auto fill login.

Think of Bitwarden as a vault where you keep all of your password. Let’s say you have a password for a bank, a password for your internet, etc. Your safe is protected by master password. Let’s say you want to log on to a site you would use the master password to open the vault so that you can get the password to log into the site.

In most cases, your scenario would work like this:

  1. You Open your browser. You use your master password to log into the bitwarden (or you can set up a pin so you don’t have to type it in).
  2. You go to your credit card website, which brings up the login screen.
  3. You click on the bitwarden icon, which will fill in your login from the vault, assuming that you have setup the entry in the vault.

If you use a phone, the principle is similar

  1. You open a phone, which should have bitwarden activated.
  2. You go to an app or website and is prompted with a logon.
  3. Usually, there is a drop down you can select on screen, which will fill in the user name and password, You may be prompted by a pin or biometric depending on how you setup bitwarden.

Your master password should be fairly long and hard to guess. I would use some sort of sentence that only you would know. To make things similar, I would setup pin or biometric login to avoid typing in the master password. My password is long enough that it’s annoying to type in.

Never forget your master password. Save a copy somewhere on paper or USB drive offline. If you lose your master password there is usually no recovery.

1 Like

I have setup/enabled Bitwarden App to use PIN but very often it prompt for my master password instead of my PIN if I bring up the App for credit card filling or first time I use the app in the morning, is this a normal behavior or bugs?

Depends on your setup, When you added the pin, did you uncheck “Lock with master password on browser restart”. If you did, it will prompt you for master password on startup.

Cannot remember, just reset the PIN and answer No for “Lock with master password on browser restart”.

For others reading this a good approach is to use random words in a passphrase, something like Fright-Volatile-Vulgar-Stealth-4 see https://correcthorse.pw/ and several other similar sites.

A passphrase like that is easy for most to remember, after a few uses, but difficult for attackers to break.

Someone mentioned earlier in this thread to set up a pin login to avoid typing in the master password. I am confused by this rationale. A pin is generally fairly short, correct? Wouldn’t this defeat the purpose of making it very hard for someone to get into your password manager? In other words, wouldn’t it be easier for someone to figure out your pin number than it would be for them to figure out a long password?

Am I just not understanding the purpose of a “pin login”? I would appreciate it if someone can explain the advantage of a short pin login over a long password.

A pin is meant to be a device specific logon for a specific device. Instead of using a master password to login, you would use a pin. The reason to use the pin is that it would be easier to type than a really long master password. So if you follow best practice, the pin on your computer will be different than the one on your phone. Every device will have a different PIN.

Using a pin is also meant to protect you against keylogger type malware. Let’s say a malware is installed on your machine (usually through infect app or bad email links). The hacker will see you type the master password over and over again and figure out it’s your master password. They will then use it to hack your bitwarden account. Let’s say you are typing a PIN over and over again and they decide to use that PIN. The PIN is specific to your device, so it won’t work.

Just make sure you use a long pin. I typically use a 8 character one.

If you enter the wrong PIN 5 times Bitwarden reverts back to your master password. So your PIN could be 4 digits, it’s not possible to guess all possibilities in 5 tries.

Also, the PIN never leaves your device so you still need to remember your master password.

Typically a PIN is used on a phone. It can be a pain to type a long password on one, so people set a PIN (after they have typed the long password in once (and done 2FA if they have it turned on), after which they use the PIN (until such time as they need to use the password again, perhaps after a new version of the software is installed and things are somewhat reset (can’t remember if this is the case or not though)).

This is a decision people make on a balance of risk and convenience. Bear in mind that if a phone is stolen the attacker will typically have to break one PIN to get onto the phone and another PIN to access Bitwarden. I imagine most will reset the phone rather than trying them repeatedly (after they try 9999 or whatever they think is the most common).

This is why it is good to have different settings on different devices and applications. Someone may well not want to set a PIN on the Web Vault and they can do this in Bitwarden.

1 Like

Keep in mind that PIN is used in conjunction with your device’s locking. It was not meant to be the first line of device, so the hacker will need to break through your phone’s security first. For maximum protection, you would do something like this:

  1. Lock your device using something like Biometric or a PIN.
  2. Lock you password manager using a different pin.
  3. Lock your 2FA using a different PIN. Better yet if it’s on another device.

Now to login, they would need to break your phone, then your pin for password which will only give them 5 tries before reverting to master password. They will hack 2FA to get in and if it’s not your phone, they will also need to acquire the phone and then break through a different set of security. This should be sufficient protection unless you are targeted by some sort of government agency or if someone is pointing a gun to your head asking you to unlock everything.

1 Like