Best Practices to Prevent Against Browser or Extension Exploits

Undoubtedly a safe approach, but may be overkill for most. If your master password is sufficiently strong (5-7 diceware words), then it is very safe to leave the browser extension logged in, as long as you lock it when not in use.

For the average user, I would take your advice but substitute “log into” → “unlock”, and “log out” → “lock”.


If you feel that you need to reduce your attack surface by completely logging out of the app when it is not in use, then I would probably also recommend the following safeguards:

  • Close the browser (or kill the Bitwarden process) immediately after logging out.

  • Use only on a system that is protected by whole-drive encryption.

  • Disable hibernate and swap files.

  • Immediately delete any .DMP files created by the OS.

  • Periodically run sdelete.
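
Added example, not part of the original post: a read-only PowerShell audit that reports which of the safeguards listed above are not in place on a Windows machine (drive encryption, hibernate, page file, leftover .DMP files). It assumes BitLocker is the whole-drive encryption in use, that dumps are written to the Windows default locations, and that it is run from an elevated prompt; the function name is hypothetical, and it does not check whether sdelete has been run.

```powershell
# Read-only audit of the safeguards listed above (Windows; run elevated).
# Test-MemoryResidueSafeguards is a hypothetical name for this added example.
function Test-MemoryResidueSafeguards {
    $findings = [System.Collections.Generic.List[string]]::new()

    # Whole-drive encryption: BitLocker protection state of the system drive
    # (assumption: BitLocker is the encryption product in use).
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        if ($vol.ProtectionStatus -ne 'On') {
            $findings.Add("BitLocker protection is not on for $($env:SystemDrive)")
        }
    } catch {
        $findings.Add('BitLocker state unknown (not elevated, or BitLocker unavailable)')
    }

    # Hibernate: hiberfil.sys holds a copy of RAM while hibernation is enabled.
    $power = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' `
        -ErrorAction SilentlyContinue
    if ($power.HibernateEnabled -eq 1) {
        $findings.Add('Hibernation is enabled (turn off with: powercfg /hibernate off)')
    }

    # Swap: any active page file can receive paged-out process memory.
    Get-CimInstance Win32_PageFileUsage -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("Page file in use: $($_.Name)") }

    # .DMP files in the default kernel and user-mode dump directories
    # (assumption: dump locations have not been relocated).
    $dumpDirs = @(
        $env:SystemRoot,                              # MEMORY.DMP
        (Join-Path $env:SystemRoot 'Minidump'),       # kernel minidumps
        (Join-Path $env:LOCALAPPDATA 'CrashDumps')    # user-mode crash dumps
    )
    foreach ($dir in $dumpDirs) {
        Get-ChildItem -Path $dir -Filter '*.dmp' -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object { $findings.Add("Dump file present: $($_.FullName)") }
    }

    return $findings
}

# Report each gap, or a single line when nothing was found.
$result = @(Test-MemoryResidueSafeguards)
if ($result.Count -eq 0) { 'All checked safeguards are in place.' } else { $result }
```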