I am looking for help in completely fully understanding the convenience versus risk ramifications of using the various log in/lock/2FA options and use of Master Password & PINs in the various app types of BW. So I would appreciate any guidance from the more experienced or technically skilled members of the community, as it's my last step before I jump ship completely from 1PW to BW.
I also want to understand, for these, whether there is a difference in the risk between a desktop version (in Windows & macOS) vs. extensions (various browsers on both Windows & macOS) vs. the mobile app (specifically iOS, as I don’t use Android) for these functions. I do understand with regard to other products like LP (and a couple of others, I think) they made the desktop the most robust app, followed by mobile apps (I think), and browser extensions were the least secure, as the browser environment was supposedly the most secure to start with and the desktop was considered where the greatest threats were – does BW have similar logic?
So, I’m looking to understand how much the risk or threat level increases if you enable certain convenience issues? I had hoped there might be a bit of a white paper or similar on this taking you through the options with some sort of guidance on best practice (likely annoying to do) vs. a couple of levels of convenience & scale of the related risk; but only found the basic info in the FAQs plus what I could from several threads here (I’ve quoted a few for reference below).
1. On login to your BW app/vault, what is the risk with selecting “remember me” for your email address?
Does this make it easier in any way for a bad actor who gains access to your device remotely to potentially access the vault data (and is that subject to the other choices below)? If so, how (is the email address stored locally encrypted somewhere)? I assume if they physically gain access to your device (remotely or physically), it may increase the risk (possibly dependent on the other choices below)? Also, is the risk different depending on whether it’s a Desktop app, Browser Extension, or Mobile app and/or what the O/S is? FWIW I have a unique email address I use only for my Password Manager and nothing else (and via an encrypted mail server/provider), so if this is exposed somewhere it undermines trying to keep it discreet.
2. Is remembering the 2FA Authenticator Code for App/Vault Login safe?
If I have understood what I’ve read correctly (from some other posts on the subject) and what I previously knew, it’s not essential to force re-entering this 2FA code every time you log on (subject to other choices in this list of questions), and the risk may be acceptable if the likelihood of physical loss of your device is low, as this only verifies your login and you still need your master password, which is also what unlocks the vault? As its main purpose is to stop someone trying to access your vault from a completely new/different device that isn’t one of your regular ones, I assume the increased risk is very low for taking the “remember a device or browser” option? Or is this risk different for a browser extension vs. Desktop or Mobile app? I have been doing 2FA with 1PW for some time (with the “remember device” equivalent) but hadn’t thought in depth about all the ramifications until recently planning moving over to BW.
3. Enabling Unlock with PIN?
I’ve read with interest much of the discussion around this in some of the other threads – from what I’ve gathered, ‘in theory’ there is not an ‘exponential’ increase in the risk if doing this (although there is presumably some increase), as the master password is stored locally (in memory or encrypted on disk?) for the PIN to access and therefore not accessible remotely (in theory). Is the risk different depending on whether it is a desktop app, extension, or mobile app? However, I assume, due to the next item below and the known issues, PIN use is temporarily a disproportionately increased risk if used (at least in some configurations)?
4. Lock with Master Password on Restart option when using PIN (NOT Vault Timeout)
I will always enable this, as I want to ensure the Master Password is re-entered every time the app is accessed for the first time (e.g. device restarted, Browser restarted/reopened, etc.). But it is mentioned in the thread What do “keyHash”, “encKey”, and “encPrivateKey” mean in data.json regarding the desktop app (where the json file doesn’t get deleted when this option is deleted), and it looks to be an issue for (some) Browser Extensions (in Chrome at least, albeit for a different reason?): Questionable PIN Security - this bug currently leaves the vault exposed on the local device (the Chrome Browser Extension saves the vault in persistent local storage after logging out and exiting Chrome) (on GitHub). So this means the vault is left on the local disk exposed, and if the vault was copied off the device (or the device stolen, etc.) it could then be brute forced relatively easily, as it would only be locked, not logged out – as only the PIN, not the Master Password, is securing it? So right now this function shouldn’t be relied on in the Desktop app nor the Chrome Browser Extension – so perhaps PINs shouldn’t be used at all for now on desktops to be safe? (I am assuming the iOS Mobile App is likely fine and this is not an issue for it to use PINs; but for other browser extensions on desktop I haven’t seen anything nor had the opportunity yet to try and do my own basic testing of any, so should I assume a possible risk for now?)
5. Vault Time Out – Lock vs. Log Out
I always select a time period for these types of settings (typically in the 1 to 15 mins range, depending on the device) – but if using a PIN I would normally aim to select ‘lock’, not ‘log out’ – that’s normally the point of the PIN, right? If master password on restart is enabled for PIN (see above) and working as designed (as opposed to the current known issues linked to above), what resident risks are there from only locking the vault vs. logging out of it? Obviously, it exposes the vault if it somehow gets copied off the device while in that state, but are there any other risks? In theory it should be in memory the whole time it’s decrypted, correct? But what about when it’s locked? And should this option (if used) be set differently on a mobile device (or a portable desktop like a MacBook or Windows Laptop), which is more likely to be ‘physically’ lost or stolen, than a non-portable desktop (like a PC, which you are only likely to ‘physically’ lose if you have a major burglary at your location, etc.)? E.g., should you always set log out on mobile/laptop regardless vs. using lock on a static desktop?
6. How much risk does downloading the Website Icons really present?
Is this just a minuscule ‘privacy’ (only) risk, or is it a meaningful potential security risk? As an aside, this, I believe, could be easily remedied by allowing manually imported unique icons that are stored in the vault (somewhat like 1PW does – see FR Custom icons for items and folders/collections), for example; but in the meantime, what is the view on the risk? And if the icons are cached unencrypted locally, as discussed in one thread (Is there any security or privacy issue with the bitwarden web vault retrieving site icons?), does this mean, for now, there is a meaningful security (as opposed to privacy) risk? How much does having these visual indicators of websites empower/assist a bad actor?
Any guidance or technical advice or commentary will be greatly appreciated.
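As an added example (not Bitwarden's code and not part of the post above), the following Python models the distinction behind points 3 to 5: with vault timeout set to lock, the user key stays at rest on the device wrapped under a key derived from the PIN, while logging out leaves nothing to unwrap, and the last function puts a cost on what an offline copy of the locked state exposes, a PIN keyspace versus a master password keyspace. The KDF iteration count, the one-time XOR standing in for AES, the checker tag and the state layout are all assumptions for illustration, not Bitwarden's actual file format.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

KDF_ITERATIONS = 600_000  # assumed PBKDF2 work factor, not Bitwarden's actual setting


def derive_wrapping_key(secret: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Stretch a PIN or master password into a 32-byte key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations, dklen=32)


@dataclass
class LocalVaultState:
    """Simplified, assumed model of what a client leaves at rest on the device."""
    ciphertext: bytes                   # encrypted vault data; present while logged in
    pin_wrapped_key: Optional[bytes]    # user key wrapped under the PIN-derived key
    pin_salt: Optional[bytes]
    checker: Optional[bytes]            # tag that lets a candidate PIN be verified offline


def lock_with_pin(user_key: bytes, ciphertext: bytes, pin: str) -> LocalVaultState:
    """Vault timeout = lock: the user key stays on disk, protected only by the PIN."""
    salt = os.urandom(16)
    wk = derive_wrapping_key(pin, salt)
    wrapped = bytes(a ^ b for a, b in zip(user_key, wk))  # one-time XOR stands in for AES
    tag = hmac.new(wk, b"pin-check", "sha256").digest()
    return LocalVaultState(ciphertext, wrapped, salt, tag)


def log_out(state: LocalVaultState) -> LocalVaultState:
    """Vault timeout = log out: the old state is discarded; no key or ciphertext survives."""
    return LocalVaultState(b"", None, None, None)


def unlock_with_pin(state: LocalVaultState, pin: str) -> Optional[bytes]:
    """Return the user key if a wrapped key is present and the PIN is right, else None."""
    if state.pin_wrapped_key is None:
        return None
    wk = derive_wrapping_key(pin, state.pin_salt)
    tag = hmac.new(wk, b"pin-check", "sha256").digest()
    if not hmac.compare_digest(tag, state.checker):
        return None
    return bytes(a ^ b for a, b in zip(state.pin_wrapped_key, wk))


def expected_offline_hours(charset: int, length: int, iterations: int, kdf_per_sec: float) -> float:
    """Average cost to recover the secret from a copied locked state: half the keyspace,
    each candidate costing one full KDF run at the given throughput."""
    return (charset ** length / 2) * iterations / kdf_per_sec / 3600
```

Comparing expected_offline_hours(10, 4, ...) with expected_offline_hours(62, 12, ...) at the same throughput shows why the locked state matters far more when a PIN rather than the master password is the only thing wrapping the key.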