Hi all, just realized today (a bit of a noob) that the PIN feature to unlock BW in browser is not as secure as using a master password every time. I guess the DB gets encrypted with the PIN when it locks, which makes that pretty vulnerable. Question: After I disable the PIN feature, are there remnants of a previously-PIN-locked DB on my computer that could potentially be stolen and then brute-force attacked at the thief’s leisure? Or do any traces of the PIN and the PIN-encrypted database get deleted / erased immediately w/out any traces left? Thanks
The encrypted vault is always encrypted using your account encryption key (which is always the same, no matter how you lock or unlock your vault, unless you deliberately rotate the encryption key).
If you’ve chosen Unlock with PIN and have overridden (disabled) the option to Unlock with master password on browser restart, then the encryption key is encrypted (protected) using your PIN, and the PIN-protected encryption is saved in persistent storage (on disk) on your local device. Thus, someone with access to your device could brute-force the PIN to obtain the account encryption key, after which they can use the account encryption key to decipher the contents of your vault. Getting the necessary data for such an attack would only require copying a single file from your computer (the local vault cache).
If you subsequently re-enable the Unlock with master password on browser restart option, or if you disable Unlock with PIN altogether, then the PIN-protected account encryption key will be deleted from your local vault cache.
However, “deletion” is not always permanent (especially not if your device has an SSD), so it is always possible that someone with access to your device could use data recovery tools to extract some or all of your deleted data (including possibly the old PIN-protected encryption key).
Thanks for that explanation. I do have an SSD, and I had ‘unlock with PIN’ checked as well as ‘unlock with master password on browser restart’. If I understand this correctly, now that I have disabled the PIN option, that means the PIN-encrypted key was deleted, but most likely still recoverable if someone wanted to. How could I go about securing what’s left behind? I suppose a virus or hacker gaining access to the system could also recoup those files just as easily, right?
If Unlock with master password on browser restart was “checked”, then the PIN-protected encryption key would not be written to your SSD by Bitwarden. My understanding is that in this case (which is the default for the Unlock with PIN option), the PIN-protected encryption key is kept in the browser extension’s process memory only. It could possibly end up on your SSD if your device was allowed to hibernate or sleep while the browser was running, or if there was a process crash that generated a .DMP file.
Ok, I see. So, if this is residing in the extension’s process memory, is it actually safer than keeping a vault unlocked for several hours, for example (until the next browser restart, that is)? If I just keep the vault password-unlocked for several hours, is it more vulnerable to attack while it is unlocked? Trying to see if it’s more secure to keep it password-unlocked for any period of time vs having it PIN-locked every 5 minutes, for example. Thanks again, I appreciate all the help.
If my understanding of the implementation is correct, then a PIN-locked vault is definitely safer than a password-unlocked vault. In both cases, there is vulnerability if an attacker has access to the device memory (e.g., via malware). In the case of an unlocked vault that does not use a PIN, all vault secrets are available decrypted in memory, so the hypothetical attacker would immediately get all of your stored passwords and other secrets. In contrast, for the case of a vault that is PIN-locked, the attacker would have to find the PIN-protected encryption key in the memory, and they would have to exfiltrate the encrypted vault data from persistent storage, then they would have to successfully complete a brute-force attack against the PIN-protected key to extract the encryption key, and finally decipher the encrypted vault.
In addition, if you leave your vault unlocked, you also become vulnerable to opportunistic attacks by non-hackers — i.e., anybody who temporarily has access to your device could just peek at the contents of your vault.
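To make the mechanism described in the two answers above concrete, here is a toy model added for illustration (it is not Bitwarden's code, key format or KDF settings): the account encryption key is wrapped under a key stretched from the PIN, a wrong PIN is detectable via an authentication tag, and the last function estimates the worst-case time to try every numeric PIN offline against such a blob. The 32-byte key size, the iteration count and the attacker throughput figure are all assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed PBKDF2 work factor for the PIN-derived wrapping key (not Bitwarden's real value).
KDF_ITERATIONS = 600_000
KEY_LEN = 32  # assumed length of the account encryption key in this toy model


def derive_pin_key(pin: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Stretch the short PIN into a 32-byte wrapping key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations, dklen=KEY_LEN)


def protect_account_key(account_key: bytes, pin: str, iterations: int = KDF_ITERATIONS) -> dict:
    """Wrap the account key under the PIN. This blob is what the thread says lives in
    process memory (default) or on disk (unlock-with-master-password-on-restart disabled)."""
    if len(account_key) != KEY_LEN:
        raise ValueError("toy model only wraps a %d-byte key" % KEY_LEN)
    salt = os.urandom(16)
    pin_key = derive_pin_key(pin, salt, iterations)
    # Toy wrap: XOR with a 32-byte keystream, plus an HMAC tag so a wrong PIN is detectable.
    stream = hashlib.sha256(pin_key + b"stream").digest()
    wrapped = bytes(a ^ b for a, b in zip(account_key, stream))
    tag = hmac.new(pin_key, salt + wrapped, "sha256").digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag, "iterations": iterations}


def unprotect_account_key(blob: dict, pin: str) -> Optional[bytes]:
    """Recover the account key from the blob; returns None when the PIN is wrong."""
    pin_key = derive_pin_key(pin, blob["salt"], blob["iterations"])
    expected = hmac.new(pin_key, blob["salt"] + blob["wrapped"], "sha256").digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    stream = hashlib.sha256(pin_key + b"stream").digest()
    return bytes(a ^ b for a, b in zip(blob["wrapped"], stream))


def exhaustive_search_seconds(pin_digits: int, iterations: int, pbkdf2_per_second: float) -> float:
    """Worst-case seconds to try every numeric PIN offline, given the KDF work factor and an
    assumed attacker throughput in PBKDF2-HMAC-SHA256 derivations per second."""
    return (10 ** pin_digits) * iterations / pbkdf2_per_second


if __name__ == "__main__":
    key = os.urandom(KEY_LEN)  # constructed sample account key
    blob = protect_account_key(key, "4821", iterations=50_000)
    print("correct PIN recovers key:", unprotect_account_key(blob, "4821") == key)
    print("wrong PIN rejected:", unprotect_account_key(blob, "4822") is None)
    print("4-digit PIN, 600k iterations, 1M derivations/s: %.0f s" %
          exhaustive_search_seconds(4, KDF_ITERATIONS, 1_000_000))
```

The search-time figure is what "brute-force at the thief's leisure" amounts to once the blob has left the device, which is why the answers put so much weight on whether it is ever written to disk.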
Awesome, thank you for the detailed and very clear explanations. I think I’ll go back to enabling PIN (with browser restart password, of course), and just leave the lock interval to shorter periods like 2 or 3 min only.