Bitwarden vault security where remote access is enabled

I have installed Bitwarden (personal subscription) on my (Windows11) company laptop which has remote access enabled for company support. The other day I had an issue and support randomly remoted into my laptop and took control. My concern was that I had unlocked Bitwarden at the time to use it for a web login.
Can the support team access all my (now unlocked) vault, and if so what can I do to ensure that only I have access to my Bitwarden vault passwords?

@CalvinR Hi!

Yes, of course.

Don’t use Bitwarden on your company’s work device. :wink:

1 Like

They could have accessed your vault while they were connected. Assuming you watched what they were doing, once disconnected they won’t have any access. Now if you observed them opening your vault they could have screen-captured UN and PW info.

Here again, I would never put my own personal account security info into any computer used for work. Use some different PW manager and never, ever, use your work PC for any personal business.

While remoting in, they can access your vault and copy/screenshot the information one at a time. They can’t export your vault unless they know the Bitwarden master password (do you keep the master password in your vault?)

If you are paranoid about your company’s support, you could change the passwords for important accounts. Enable 2FA everywhere so that even if somebody has your passwords, they still can’t access your accounts (unless the TOTP secrets are in Bitwarden too).

The usual recommendation is to not put your personal BW vaults on a computer that you don’t have exclusive control of.

Two other considerations:

  • if you unlocked your vault via PIN, then there is local data of your (then locked) vault on the machine, only protected by that PIN → that could theoretically also be accessed or copied - and especially if the PIN is short/weak…
  • if you have your vault unlocked (especially for longer time periods), the vault data is even in the working memory of the machine and could be accessed by any kind of processes (of course this is the case also on private machines, but apart from unwanted malware, on a private machine you are “in control” of what processes you run on that machine)
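The caveat above about TOTP secrets (“unless the TOTP secrets are in Bitwarden too”) is worth seeing in code. The following is an added example, not code from this thread and not Bitwarden’s own TOTP implementation: a minimal RFC 4226/6238 TOTP generator over a constructed sample vault item. If the item holds both the password and the authenticator seed, whoever can read the item (for instance while the vault is unlocked) also gets a valid current code, so the “second factor” is no longer independent of the vault. The seed used is the RFC 6238 test key, not a real account secret.

```python
"""Added example (not from the forum thread): why a TOTP seed stored in the
same vault item as the password is not an independent second factor.

RFC 6238 TOTP over RFC 4226 HOTP, standard library only.
"""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits, algo)


def decode_base32_secret(seed: str) -> bytes:
    """Authenticator-style base32 seed (as carried in an otpauth:// URI) to raw key bytes."""
    cleaned = seed.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding that apps usually drop
    return base64.b32decode(cleaned)


# Constructed sample vault item (hypothetical, not a real account).
# The seed is the RFC 6238 test key "12345678901234567890" in base32.
SAMPLE_VAULT_ITEM = {
    "name": "example.test login",
    "username": "alice",
    "password": "correct-horse-battery-staple",
    "totp_seed": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
}


def factors_exposed_by_vault_read(item: dict, unix_time: int) -> dict:
    """What a reader of this vault item obtains: the password, and, if the TOTP
    seed lives in the same item, a valid code for the current time step.
    'second_factor_independent' is True only when no seed is stored alongside."""
    code = None
    if item.get("totp_seed"):
        code = totp(decode_base32_secret(item["totp_seed"]), unix_time)
    return {
        "password": item["password"],
        "current_totp": code,
        "second_factor_independent": code is None,
    }


if __name__ == "__main__":
    now = int(time.time())
    # Seed stored in the vault: the reader gets password AND a live code.
    print(factors_exposed_by_vault_read(SAMPLE_VAULT_ITEM, now))
    # Seed kept in a separate authenticator: the reader gets only the password.
    without_seed = {k: v for k, v in SAMPLE_VAULT_ITEM.items() if k != "totp_seed"}
    print(factors_exposed_by_vault_read(without_seed, now))
```

Run it as-is; the first line printed carries a six-digit code that an authenticator app holding the same seed would also show at that moment, the second carries none. The practical consequence for the question in this thread is the one the poster states: keeping the TOTP seed outside the vault (a separate authenticator app or hardware key) is what makes 2FA still protect an account whose password was read from an unlocked vault.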

I agree that’s the sensible solution - but I don’t have that option as many of the passwords and sites I need to access are for both corporate and private use…

I was hoping for an “only install for this user” option, where the support team (who are admins) cannot access my app…

The master password is not kept in Bitwarden, but I was hoping for an “install only for this user” option (in this or the next version of Bitwarden)!

I guess, admins could access the app. As admins, they have that privilege, still.

I’m not an expert here - but maybe two separate Bitwarden accounts, one for “private” and one for “work”, would be a solution here. Possibly with sharing some passwords/accounts you need on both sides via Organizations/Collections. Then at least you wouldn’t expose all of your private accounts by accessing them from “work machines”.

As the Bitwarden apps allow “account switching” or, for that matter, logging in to any Bitwarden account, I guess your suggestion wouldn’t change anything security related here… and the vault would still be in working memory when “unlocked”… the vault would still be locally stored if “locked” via PIN… etc.

PS: And if you log out, the local vault data is deleted. Whether your app was installed for “everyone” or “only you” doesn’t change that.

If you don’t trust your company admins, then your only safe option is to have two separate accounts and never log in on your company devices with your personal account (the one that contains the items that you want to guarantee that your company admins can not access).

That is not possible to guarantee. At all.

And, by the way, all this applies to any password manager, not only to Bitwarden.

Your company admins have (and should have) admin (that means total) access to your company devices.

1 Like