Best Practices - Log Out or Lock?

I am new to BitWarden (LastPass refugee) but with the help of the Community I am getting better. At this point I “know” enough to at least pose these questions:

In my settings there is a Vault Timeout option to either Lock or LogOut. Is one better than the other? Briefly, why? Is anything left open in an unencrypted form (e.g. data.jason)?

When I am quitting BitWarden there is an option to Lock or LogOut. Is one better than the other? Briefly, why? Is anything left open in an unencrypted form (e.g. data.jason)?

From previous postings it seems that if one has locked the vaults but has not logged out, the data.jason file can be copied, so that is why I am trying to understand this better.

Your experience and insights on this will be appreciated.

It’s pretty simple:

• Logging in retrieves a copy of your encrypted vault data from the cloud, stores the encrypted data file (data.json) in persistent storage on your device (e.g., on your hard drive), and automatically proceeds to unlock your vault.

• Unlocking reads the data.json file, decrypts its contents, and stores the decrypted vault data in the memory of your device.

• Locking clears the (decrypted) vault data from the memory of your device, but leaves the encrypted data.json file in persistent storage on your device.

• Logging out clears the memory of your device (same as locking), but also purges the encrypted contents of the data.json file. Thus, your device no longer contains any vault data, either encrypted or decrypted, neither in memory nor on disk.

The majority of users stay logged in all the time, and just lock their vaults when not in use.

Another section I’d like to point out, if you enable Unlock with PIN or Unlock with Biometrics the Unlock is done in a slightly differently.

If you are using a PIN code or biometrics, vault data is re-encrypted when your vault is locked and stored securely on-disk using an encryption key derived from the PIN or your OS’s biometric subsystem. This allows vault data to be stored encrypted while your vault is locked, without requiring your master password to decrypt it.

Just out of curiosity, where is the encrypted .json file stored (e.g. while the chrome extension is locked)?

Hi @hgmike and welcome to the Community!

You can see all the local file locations here:

In Chrome, the vault data are stored in a numbered *.log file, which is located in the following directory if you only use the default profile in Chrome:

 %LocalAppData%\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb

grb - Thank you very much for a very concise and well explained response. Before your response I had some significant uncertainties. After reading your response, you succeeded in making the differences and similarities truly clear. I particularly liked the emphasis you put on encrypted in the locking mode because that was one of my concerns about just locking and not logging out as well.

Thank you, Kent. I haven’t quite had the courage yet to try a PIN or Biometrics, but I can see where your information could be very useful for those times when I need to access the vault on my phone. I generally try to avoid using something so important on my phone, but there are inevitably times when it is necessary. So, you have helped to allay my concerns in that area. Maybe it’s just me, but I feel like PINs are not as secure as I would prefer.

If it’s on a non-mobile device (which allows you to use any characters in your PIN, not just numbers), then the PIN locking is as secure or insecure as you choose. What I mean by that is that the encryption method is the same when using a PIN to unlock as it is when using your master password to unlock, so if you enable the Unlock with PIN option but (hypothetically) make your PIN be the same as your master password, then the security of your local vault will be identical to the security you get by disabling Unlock with PIN (i.e., requiring the master password to unlock). Therefore, you can control exactly how much security to trade for convenience by lowering the PIN length and complexity (relative to your master password).

There is nothing inherently insecure about enabling Unlock with PIN, the only security risk is associated with your decision of how much lower to make the PIN entropy as compared to the master password entropy.

Absolutely not an issue, glad to be of help with the information.

While I do agree generally PINs are weaker than say biometrics on a phone. (Higher chance of say shoulder surfing)

Though IMHO it really depends on your threat model.

• The PIN can really be any combination of alphanumeric and special characters, and so isn’t strictly limited to just numbers as one may think with a PIN. In this way, it can almost be thought of as a secondary local only alternative to the master password, and could be made shorter than your standard Login password.

• It also is limited to 5 attempts before requiring Login again with the account’s master password.

Note

After five failed PIN attempts, the app will automatically log out of your account.

• Though there are some notable concerns one would want to be aware of when considering the PIN option, this is also noted in the Help article.

Note

If you turn off the Lock with master password on restart option, the Bitwarden application may not fully purge sensitive data from application memory when entering a locked state. If you are concerned about your device’s local memory being compromised, you should keep the Lock with master password on restart option turned on.

Warning

Using a PIN can weaken the level of encryption that protects your application’s local vault database. If you are worried about attack vectors that involve your device’s local data being compromised, you may want to reconsider the convenience of using a PIN.

Just a ton more info to dump at you

Depending on where you live though, certain aspects may have better legal protections.
i.e. a master password, and subsequently a PIN is something you know and also could arguably “easily” be forgotten.

Whereas biometrics are considered to be something you are, and could provide for a method of unlock against your will/consent.
Many United States courts have given some fairly differing legal opinions on this topic when presented with cases of this manner, though again it may depend on your locale.

* P.S. This should also not be considered legal advice.

If you have biometrics unlock for your mobile device where your password manager resides it could be argued a PIN may be a better option as it provides a separate method of verification from the device’s unlock.
Though if you are going this far down the rabbit hole, or are a someone who has that level of threat modeling likely the master password is your best option.

Ultimately it comes down to a sliding scale between security and convenience, with Bitwarden trying to land the golden sweet-spot while still providing some user customization for different use-cases.

At the risk of overloading OP with too much information, I would like to point out that the 5-attempt limit is pretty easy to overcome (for example, you can just close and restart the Bitwarden app after every fourth attempt).

Wow!! That is a lot of information, but ALL of it is very useful. I wasn’t aware of the Lock with master password on restart option, so that was an extra and very helpful tip. I am starting to get a sense of what it takes to find the balance between convenience and security.

Due in large part to the very knowledgeable posters on this site.

Thanks to everyone.

Just something that I don’t think has been explicitly stated - locking (and leaving the encrypted vault on disk) gives you the opportunity to unlock and use the vault in the event that the Bitwarden cloud service is down. As others have said, there isn’t much reason to log out rather than lock.

Thank you Cooper. I am now understanding why locking has its advantages. As both grb and Kent have pointed out, there is a balance between convenience and security, and each person must find that balance. With the information that I have gleaned from the postings by the truly knowledgeable posters on this forum, I am starting to get a sense of the analysis that is required to find my specific balance.

Going back to this post, which didn’t look right when I first saw it, but which I haven’t had a chance to do testing on until now…

@cksapp Unfortunately, this is another instance where the Help Center documentation is using language that is inaccurate (or misleading, at best).

When enabling Unlock with PIN, the secrets contained in your vault (and stored in the memory of your device) will not be re-encrypted using a new encryption key (“…derived from the PIN…”). For example, below is an example of an encrypted password, before and after enabling a PIN.

Locking with Master Password:

"password": "2.jT3wtxvaUyH5Kpls+fpo0w==|Vin9S48+eCBHCw67hhwdc4K41wBugrPhvAIS3PLmuBs=|v2TAKU0dfqVnOx6z0B6ltLsD3whxSdKv+CjkpcKSo3c="

Locking with PIN=1234:

"password": "2.jT3wtxvaUyH5Kpls+fpo0w==|Vin9S48+eCBHCw67hhwdc4K41wBugrPhvAIS3PLmuBs=|v2TAKU0dfqVnOx6z0B6ltLsD3whxSdKv+CjkpcKSo3c="

 
Clearly, the same encryption key was used, because the two ciphers are identical. The only thing that changes when you enable a PIN is that the protected symmetric key (i.e., the encrypted version of the account encryption key) is re-calculated using a hashed and stretched version of the PIN as the key instead of a hashed and stretched version of the master password. In the locally cached vault (data.json file), the re-packaged encryption key is stored in the field protectedPin.

Pardon the inside baseball.

I agree that biometrics is preferable to a PIN to mitigate the risk of shoulder surfing or accessing the PIN another way such as keylogging. The OP should have confidence that the encryption and security employed for biometrics by major manufacturers such as Apple, where your biometrics are stored on the phone’s secure enclave hardware, is considered secure. If you are comfortable enough allowing a cloud-based password manager to store your encrypted vault on their servers, you are probably a good candidate to trust biometrics stored on a secure enclave.

Noting that Apple’s new Account Recovery Key increases your Apple account’s security by preventing even Apple from supporting you to regain access to your account if you are locked out. Store that Account Recovery Key printed and safely, like your Bitwarden 2FA Recovery Key and your exported, encrypted Bitwarden vault.

Thanks for this description of logging in/out and locking/unlocking. I’m new to Bitwarden and the community and was rather confused.

There’s one thing that still baffles me though, and that’s autofill. I use Windows 10 on my laptop, with the Chrome browser and Bitwarden extension (so pretty simple). Regardless of whether I’m fully logged out or just locked, autofill still works. Shouldn’t the data be cleared from my device, otherwise Bitwarden isn’t providing any security?

This doesn’t sound right. Can you provide some screenshots (with any sensitive information redacted)? I would suggest the following:

1. While the browser extension is logged in but locked, navigate to a login form on the web (for which you have an account stored in Bitwarden).

2. Screenshot the Bitwarden Browser Extension icon with the lock symbol:
   

3. Open the browser extension (by clicking its icon), and screenshot the Unlock prompt:
   

4. Close the browser extension window without unlocking the vault.

5. Use Ctrl+Shift+L to attempt to auto-fill the login form that is open in your browser.

6. Take screen shots showing the results. If the appearance of the browser extension icon has changed, take another screen shot of the icon.

Thanks for the response. I didn’t realise I could lock via the browser extension. When I do this (as you suggest) it disables the autofill (which is what I want).

But if I leave the browser extension unlocked and just concentrate on the vault, there’s a drop-down list:

BW 1 redacted306×552 17.7 KB

If I select Lock Now, it closes the vault and displays an unlock screen.
(I can’t show you this because as a new user I’m only allowed to embed one picture per post).

Or if I select Log Out instead, it displays a log in screen.
(I can’t show you this because as a new user I’m only allowed to embed one picture per post).

Neither option prevents autofill from working, even though, if I understand your guidance from a while ago, all data should have been purged from my device.

Every instance of Bitwarden (i.e., browser extensions that have been installed on different browsers, or apps installed on different devices, or different types of apps installed on the same device — such as the Desktop app, the Web Vault app, the Browser Extension app, the Command-Line Interface, and the various Mobile apps) all work more or less independently of each other. In particular, each running Bitwarden app process uses its own copy of the encrypted vault cache.

Thus, you can independently lock/unlock or log in/log out every distinct app, without affecting the others. To purge all of the decrypted vault data from process memory, you need to log out of every instance of Bitwarden.

For you convenience, there is a button to Deauthorize All Sessions available from the Account Settings section of the Web Vault app.