About PIN unlock security

Hi all,

I’d like to know more about the browser extension’s safety. If a hacker can steal both my password DB and the “token” allowing my browser to only prompt me for a PIN instead of my master password, can he brute-force all PIN combinations to unlock the vault?
If so (and I would like to suggest it in another post), it would be good to set up a system that makes you wait exponentially longer between each wrong attempt.

Same thing about fingerprint unlocking on the mobile app: if a hacker manages to copy the virtual fingerprint, can he unlock the vault? Please pardon my noob question, but I have no idea how this works.

Thanks for reading :slight_smile:
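As an added illustration of the “wait exponentially longer” idea from the question above (this is example code, not Bitwarden’s implementation or anything from this thread): a PIN gate that stretches the PIN with PBKDF2 before comparing it and doubles the lockout after every wrong guess. The iteration count and the 4-digit sample PIN are assumptions chosen for the demo.

```python
import hashlib
import hmac
import os
import time

KDF_ITERATIONS = 200_000  # assumed stretching cost for the demo, not a real product setting
BASE_DELAY = 1.0          # seconds of lockout after the first wrong guess; doubles each time


class PinUnlock:
    """Toy PIN gate: stores a salt and a PBKDF2 verifier, never the PIN itself,
    and refuses further guesses during an exponentially growing lockout."""

    def __init__(self, pin: str, clock=time.monotonic):
        self.salt = os.urandom(16)
        self.verifier = self._stretch(pin, self.salt)
        self.failures = 0
        self.locked_until = 0.0
        self.clock = clock  # injectable so the lockout can be tested without sleeping

    @staticmethod
    def _stretch(pin: str, salt: bytes) -> bytes:
        # Slow derivation: each guess costs KDF_ITERATIONS HMAC evaluations.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, KDF_ITERATIONS)

    def unlock(self, pin: str):
        """Returns ("ok", 0.0), ("wrong", seconds_locked) or ("locked", seconds_remaining)."""
        now = self.clock()
        if now < self.locked_until:
            # Still inside the lockout window: reject without even touching the KDF.
            return "locked", self.locked_until - now
        if hmac.compare_digest(self._stretch(pin, self.salt), self.verifier):
            self.failures = 0
            return "ok", 0.0
        self.failures += 1
        wait = BASE_DELAY * 2 ** (self.failures - 1)  # 1s, 2s, 4s, 8s, ...
        self.locked_until = now + wait
        return "wrong", wait


if __name__ == "__main__":
    gate = PinUnlock("4821")  # constructed sample PIN
    print(gate.unlock("0000"))  # wrong guess, 1 s lockout
    print(gate.unlock("4821"))  # still locked, correct PIN rejected until the window ends
```

The lockout only governs guesses that go through this code path; anyone holding a copy of the stored salt and verifier can run the KDF directly, so the iteration count and the PIN length are what bound an offline guess.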

PINs are specific to the device, so you cannot brute-force Bitwarden from the web using the PIN. So if a key logger steals your PIN, they won’t be able to use it to log in on a different device. Keep in mind that you can use a longer PIN (I usually use 8 digits) and make sure that you use a different PIN on each device.

I don’t know how the fingerprint is implemented on Bitwarden. But I would think the print would be specific to the phone. iPhones, for example, typically encrypt the fingerprint data and it only exists on the device. I don’t think you can steal it and use it on other phones. Experts often warn against using fingerprints because once stolen, they cannot be changed. However, most fingerprint hacks so far involve trying to fool the fingerprint sensor (such as using a 3D-printed finger) rather than stealing the fingerprint data.