Good evening everyone, I apologize if I’m posting in the wrong place. I need some advice on whether my Bitwarden account is secure. Some time ago, my Gmail account was involved in a data breach. Since then, I’ve become a bit paranoid, so I decided to move everything to a new email address and close the compromised one. I chose an email service that uses two 64-character passwords + 2FA and aliases. To protect all my data, I’ve adopted this strategy:
I back up the Bitwarden JSON file to two hard drives not connected to my PC.
I back up my Bitwarden credentials in paper format (two copies, stored in two different locations).
I back up to a text file on two hard drives not connected to my PC.
I back up my Authy backup password in paper format (two copies, stored in two different locations). I back up to a text file on two hard drives that aren’t connected to my PC.
To access the password manager, I use a 64-character password, which I also save twice, on paper and in a text file on both hard drives, and on a USB stick that I insert into my PC at startup.
I’d also like to use an alias as my email address. Do you think my strategy is adequate for security purposes, or do you recommend something else? Thanks.
PS: I apologize because I’m new and didn’t know how to set tags.
I will start by saying that your Bitwarden account is secure from the risk of compromise if all of the following conditions hold true:
You installed Bitwarden apps and extensions only from bitwarden.com or from official app stores run by Apple, Microsoft, Mozilla, or similar reputable organizations.
You never registered, configured, or in any way accessed your Bitwarden account from a compromised device (which requires disciplined online habits and strong, up-to-date malware defenses).
The devices on which you use Bitwarden are physically secured to prevent any device access by any other individual.
Your Bitwarden master password is random, generated with the aid of a cryptographically secure pseudo-random number generator (CSPRNG) or a true entropy source (e.g., dice rolls), sufficiently long for the generated password to have at least a quadrillion (10^15) possible random permutations.
Your Bitwarden master password is never used for any purpose other than logging in to your Bitwarden account.
Your Bitwarden master password is kept private and confidential (never disclosed to others), and not entered in an unsecure environment (i.e., when there is a risk of being observed). This includes being mindful of (and avoiding) phishing and social engineering attacks.
You keep all of your Bitwarden apps and extensions locked when not actively being used, and unlock using biometrics or using your master password.
Hi, thanks for the reply. Yes, I installed the Bitwarden Chrome extension from the Chrome store; the password is random and generated with software, 64 characters (uppercase, lowercase, numbers and special characters), is used ONLY to access Bitwarden and is kept private. The only doubt is that I logged in from a PC where the Gmail account was compromised, but I use the following extensions for security: McAfee Antivirus Premium, McAfee Web Advisor, uBlock Origin and Kaspersky Anti-Ransomware.
If the Gmail account compromise was accomplished using a malware on your PC, then your new master password may already be compromised. However, if your Gmail account had a non-random or non-unique password, then it is possible that the account was compromised remotely via a credential-stuffing attack.
This is serious overkill, and having an unnecessarily long and complex master password will increase the risk that you forget it, store it in unsecure locations, and/or begin using unsafe habits to avoid having to type the master password.
To facilitate memorization and manual typing, it is recommended to use a randomly generated passphrase as your master password. It is generally sufficient to use a passphrase consisting of four randomly generated words (e.g., mama-rifling-obtain-legged). If you are concerned with future quantum computing attacks using “Harvest Now Decrypt Later” tactics, then you could go to an 8-word passphrase (e.g., eats-straining-liver-footman-slam-enduring-unskilled-legwork), which would be similar in length to your current password, while being much easier to use; to memorize an 8-word passphrase, it is recommended to divide it into two halves and separately memorize each 4-word half.
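The two replies above give a numeric target (at least 10^15 possible permutations) and a way to reach it (a CSPRNG-generated character string or a random passphrase). The following script is an added example, not code from the thread or from Bitwarden: it computes the search space and entropy in bits for a given alphabet size and length, checks it against the quadrillion threshold, and generates both kinds of secret with Python's `secrets` module. The 32-word list is constructed for illustration only; a real generator should draw from a large published list (the EFF long list has 7776 words), and the example shows why a tiny list fails the threshold even at four words.

```python
import math
import secrets
import string

# Lower bound quoted in the reply above: at least a quadrillion (10**15) possibilities.
MIN_SEARCH_SPACE = 10**15

# Constructed 32-word list for illustration only. With only 32 words each word
# contributes log2(32) = 5 bits, far less than the ~12.9 bits per word of a
# 7776-word list such as the EFF long list.
DEMO_WORDLIST = [
    "acorn", "basin", "cable", "daisy", "eagle", "fable", "giant", "harbor",
    "ingot", "jelly", "kayak", "lemon", "mango", "noble", "olive", "pearl",
    "quilt", "radar", "salsa", "tiger", "umbra", "velvet", "walnut", "xenon",
    "yacht", "zebra", "amber", "bison", "cider", "dune", "ember", "fjord",
]

# Printable ASCII minus space: 52 letters + 10 digits + 32 punctuation = 94 symbols.
CHAR_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct secrets when every position is drawn uniformly and independently."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """The same quantity in bits: log2(alphabet_size ** length) = length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def meets_threshold(alphabet_size: int, length: int, minimum: int = MIN_SEARCH_SPACE) -> bool:
    """True when the search space reaches the minimum number of permutations."""
    return search_space(alphabet_size, length) >= minimum


def generate_password(length: int, alphabet: str = CHAR_ALPHABET) -> str:
    """Random character string: one uniform CSPRNG pick per position (secrets.choice)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(n_words: int, wordlist=DEMO_WORDLIST, sep: str = "-") -> str:
    """Random passphrase: each word picked uniformly with secrets.choice, joined by `sep`."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def describe(label: str, alphabet_size: int, length: int) -> str:
    """One-line report of the search space, bits of entropy and threshold verdict."""
    verdict = "meets" if meets_threshold(alphabet_size, length) else "BELOW"
    return (f"{label}: {search_space(alphabet_size, length):.3g} permutations, "
            f"{entropy_bits(alphabet_size, length):.1f} bits, {verdict} 10^15")


if __name__ == "__main__":
    # Threshold itself is about 49.8 bits.
    print(f"10^15 permutations = {math.log2(MIN_SEARCH_SPACE):.1f} bits")
    print(describe("4 words from the constructed 32-word list", len(DEMO_WORDLIST), 4))
    print(describe("4 words from a 7776-word list", 7776, 4))
    print(describe("8 words from a 7776-word list", 7776, 8))
    print(describe("8 random characters from 94 symbols", len(CHAR_ALPHABET), 8))
    print(describe("64 random characters from 94 symbols", len(CHAR_ALPHABET), 64))
    print("sample password  :", generate_password(12))
    print("sample passphrase:", generate_passphrase(4))
```

Running it shows that four words from a 7776-word list (about 3.7 x 10^15, roughly 51.7 bits) already clears the threshold, while four words from the tiny demo list (about 10^6) does not; the 64-character string from the original post is several hundred bits beyond what the threshold asks for.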
No, the compromise occurred through a Canva data breach. I changed all the passwords for the various logins and I also changed my email. Bitwarden was not compromised because I have 2FA everywhere. As regards the 64-character access password, I save it, as I said in the initial post, on 2 paper copies, on 2 hard drives disconnected from the PC and on a pendrive that I connect when I need to access Bitwarden. Ah, the email I use for Bitwarden is not the compromised Gmail account.
And how do you enter it into the login form? Do you use a secure app (which doesn’t use telemetry, like Microsoft apps, etc.) to view the password, and manually type it into the password field, or do you copy & paste (exposing your master password to the system clipboard, which is vulnerable to leaking information)?
Any process that is running on your computer can read the contents of your clipboard — this is how pasting works (an app reads the clipboard contents and transfers the information into the app). It is important to know that processes have the ability to read your clipboard data at any time, not just when the app is active in the foreground and not just when you trigger a paste action (using keyboard shortcuts like Ctrl+V, or other methods).
In fact, many common apps are known to routinely scrape the contents of your clipboard, as a way of collecting more information about its users. A few years back, there was an uproar when new safeguards in iOS 14 exposed clipboard snooping by many popular apps. There is no reason to believe that such corporate data collection practices have ended (especially not on non-iOS devices that lack warning systems for clipboard snooping).
Thus, even if you have no malware on your PC, various apps may incidentally collect copies of your master password from your clipboard, and store this information for marketing purposes in databases on their own (or third-party) servers. We have no idea about the security of such databases, and I would be very nervous if I thought some third-party marketing company was storing a copy of my master password in plaintext on some server that may be vulnerable to a breach (not unlike the Canva breach).
As long as it is randomly generated, you could use either a random character string or a random passphrase — passphrases are preferred when it comes to the master password, because they are easier to memorize and to type.
I would suggest making your master password a random passphrase, and recording the master password on 2–3 securely stored emergency sheets (paper), along with your 2FA reset code and your Bitwarden account email address (and the password to that email account).
The single best thing you can do is to generally keep your vault locked (or logged out). An unlocked vault is just sitting around waiting for your device to be compromised.
There are two separate concepts, login and unlock (what’s the difference?). Both are considered equivalently secure because in both cases your vault is encrypted and encryption is the foundation of vault security.
Unlock with biometrics (Windows Hello, Face ID, etc.)
Personally, I keep my vault logged in but locked on my devices and then use unlock with biometrics because it is convenient enough that I don’t mind frequent unlocks.
Thanks for the reply, so it would be a good idea to buy a fingerprint reader that can be connected via USB to my PC? I access Bitwarden ONLY from my PC.
I have biometrics (fingerprint reader, camera) on my Windows machines. It’s one of the most outstanding features of Windows 10/11 for managing secrets that Windows Hello can handle. I would recommend it to anyone who can afford it (around $20 for a Chinese fingerprint reader, $40 for a Kensington model).
The fingerprint reader/camera is backed by the Windows Hello PIN, which cannot be turned off. You can always use the PIN for authentication.
I am not making a recommendation, but I want to mention that I am using a Chinese metallic case model that has worked well enough for almost 3 years with no signs of breaking. The reviews on the Kensington models (except the desktop version, which was around USD $70) don’t seem to be much better; people have varied experiences with the devices and customer service when there is a problem.
I had seen the Kensington version (59 euro) because it also has the base. I don’t want a simple button pen drive to place behind the PC because I have a desktop PC.
I think that is the Kensington model I saw with mostly good reviews, better than all the pen drive versions. Probably a solid choice. You may want to compare that to a Logitech Windows Hello-compatible camera, which may be around USD $10 more expensive. I’m uncomfortable with having a camera pointing at me all the time (and using a cover seems totally inconvenient for biometric authentication), but boy, it WAS convenient.