Bitwarden is very user-friendly, but there is one thing I miss and I wanted to ask if I am overlooking something. In the browser extension (I use Firefox), I can set the extension to be locked with a PIN code. There, I can also set “Enter master password when restarting the browser.” For security reasons, I have done this.
Now I realize that I close the browser frequently throughout the day and therefore have to enter the master password again and again. If I don’t select this option, the extension can ALWAYS be opened with the PIN code, even if my computer is stolen and the thief can start it up.
So my question is: Is there a setting somewhere that allows me to use the PIN code during the day when I’m working on the computer and only requires the master password after the computer is restarted?
I agree that not closing the browser is the most convenient thing to do. Also just to let you know, there are at least two more things that can help make things smoother:
If you unlock with Biometrics (via Windows Hello), although you need to keep the Bitwarden desktop app running in the background, unlocking would be “easy” via Windows Hello.
Besides entering the password on browser restart, you can also log out and use “Login with Device,” approving the login with your phone. You may also need to enter the 2FA (which can again be done with Windows Hello via “Passkey” 2FA) if you don’t “remember the device for 30 days.”
I tried that. But when you’ve been working like that for 40 years and often closing the browser, try not doing it anymore …
I had already looked at that. But it’s faster for me to enter the master password than to work with these functions. Maybe the developers will add my request* to their to-do list, because I think I’m not the only one who would love to have this feature.
Thanks for your quick replies.
*In the account security settings under “Unlock with PIN code,” in addition to/as an alternative to the option “Require master password when restarting the browser,” also: “Require master password when restarting the computer.”
Ah… if you weren’t using Firefox, I would have suggested to also “wait” for Unlock with passkeys as a future alternative… Though it probably will come also for Firefox some day, I guess it will come for the Chromium browsers first (like “login with passkey”).
Although I am not a developer, this kind of function requires knowing when the computer is being shut down, hibernated, or restarted, which would necessitate a monitoring app. I don’t feel this feature will be coming anytime soon, given that a running desktop app (to use biometrics) is something people commonly use, which also solves the problem of browser restart without entering the password while maintaining security.
The alternative implementation is detecting a restart after the fact, but this doesn’t address the issue of saving encryption materials protected only by a PIN to storage.
If you use Windows 11 Pro and don’t care about malware (i.e., you make it “impossible” for malware to be on your system), you can potentially: 1) not require a password on restart, 2) use BitLocker with a pre-boot PIN, 3) ensure you have a strong Windows PIN for login, and 4) encrypt your browser/data additionally with Windows EFS (which would require exporting the encryption certificate for keepsake). This would help mitigate some forms of threats, including thieves booting your system or someone who can boot the system but doesn’t know your login PIN.
I must be missing something. Version 2025.12.0 can optionally be unlocked with a PIN. When you set the PIN you also choose to use the PIN instead of the master password on browser restart.
This works in Firefox, MS Edge, Chromium and Chrome; the only browsers I have experience with.
I think I now understand. When you start your PC I assume you are using a password to log in to your PC. A PIN is not as secure as the master password, but step one is the hacker needs to first access your PC using the PC password.
If your drive is not encrypted (Windows is now installed with encryption by default), they can just take your drive and copy data off it. If your drive is encrypted and protected by TPM, then you are somewhat right that a typical thief will need to find the Windows PIN to log into the machine (some people have autologin for convenience). However, if your attacker is a state actor (or the mafia, etc.), they presumably have the tools (like Cellebrite) that can overcome the login screen and copy the data off your drive anyway. You can protect against this by having a BitLockered drive with a pre-boot PIN, which I think is only available on Windows Pro, etc.
If your computer is a desktop at home (not a laptop you carry around), then your more likely attacker will be malware you unwittingly download and install on the machine. In this case, they will be able to copy your encrypted vault protected by a weak Bitwarden PIN. I think this is the case that is usually discussed the most in the context of Bitwarden regarding the option of not requiring the password on restart.
Maybe it helps, if you can implement a limit of entering the PIN (max. 3 times), after that the Masterkey is required? The PIN should also be brute-force resistant!
I think that’s a good solution. I tried entering a wrong PIN five times. After that, I have to enter the master password and, in addition, I am asked for the code from the Bitwarden authenticator. That’s enough for me. Thanks for the tip.
Just make sure not to uncheck (disable) the option “Require master password on browser restart”. If you disable this default security feature, then the 5-attempt limit can easily be defeated by an attacker.
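The point made in the last reply, as an added example that is not part of the thread and is not Bitwarden's code: an attempt counter is enforced by the running extension, so it only bounds guesses made through the unlock screen, not guesses made against a copy of PIN-protected material saved to storage. The storage format, `pin_tag`, `PinLock`, `offline_evaluations` and the iteration count are hypothetical stand-ins chosen so the model runs quickly.

```python
import hashlib
import hmac
import itertools
import os
import string

ITERATIONS = 200  # deliberately tiny so the demo runs quickly; not a real KDF setting


def pin_tag(pin: str, salt: bytes) -> bytes:
    """Toy stand-in for PIN-protected key material (NOT Bitwarden's format)."""
    key = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)
    return hmac.new(key, b"constructed-check-value", "sha256").digest()


class PinLock:
    """The in-app unlock path: this is the only place the attempt limit lives."""
    MAX_ATTEMPTS = 5

    def __init__(self, pin: str):
        self.salt = os.urandom(16)
        self.stored = pin_tag(pin, self.salt)   # what would sit in browser storage
        self.failed = 0

    def unlock(self, guess: str) -> bool:
        if self.failed >= self.MAX_ATTEMPTS:
            raise PermissionError("master password required")
        ok = hmac.compare_digest(pin_tag(guess, self.salt), self.stored)
        self.failed = 0 if ok else self.failed + 1
        return ok


def offline_evaluations(salt: bytes, stored: bytes, digits: int = 4):
    """KDF evaluations needed against a copy of the stored values alone.
    The counter in PinLock is never consulted, so it bounds nothing here."""
    for n, cand in enumerate(itertools.product(string.digits, repeat=digits), 1):
        if hmac.compare_digest(pin_tag("".join(cand), salt), stored):
            return n
    return None


if __name__ == "__main__":
    lock = PinLock("0042")                      # constructed sample PIN
    for guess in ("1111", "2222", "3333", "4444", "5555"):
        lock.unlock(guess)
    try:
        lock.unlock("0042")
    except PermissionError as exc:
        print("in-app path after 5 failures:", exc)
    print("evaluations on a copy:", offline_evaluations(lock.salt, lock.stored))
```

In this model the unlock screen refuses further guesses after five failures, while the whole 4-digit space (10,000 candidates) remains testable against the stored values. A longer PIN with a larger alphabet raises that cost, and keeping the master password requirement on restart avoids leaving PIN-only material on disk.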