I use Bitwarden mostly via browser extensions on a desktop and laptop, and via the mobile app on the phone.
In the first two cases (desktop/laptop) I have 2FA turned on for some events (time based, browser restart etc.)
What happens after I enter the 2FA totp and master password, and the vault is now accessible to me? Is the entirety of the vault contents now memory-resident in plaintext, so if my computer is rooted, it is game over the moment I enter the 2FA code?
If, as I suspect, the answer is yes (I am able to see all vault contents and even export without needing to enter another TOTP; and note that if I am already rooted the master password is known to an attacker) might the following make sense:
To have, apart from time based lock out and event based lock outs, also a rate based lock out, so that if users ask for more than n passwords in an hour, they have to enter the 2FA totp, for some configurable n?
I am attempting to understand the failure mode better and looking to see if ensuing damage can be mitigated somewhat (by setting n=5, say)
Hello @internetperson - welcome to the forum!
You ask some good questions, and I can try to help. Basically, you are only ever prompted for 2FA when you login to Bitwarden and your encrypted vault is downloaded from the BW server to your local device/client. At that point, the vault remains encrypted on your device until a BW client requests to access an item (e.g., you use the browser extension to autofill credentials on a website). Depending on the operation, some credentials may be copied to the clipboard (which you have the option to set to clear on a schedule), but the remainder of your vault remains encrypted.
If someone gains control of your computer (physically or virtually) while your vault is unlocked, then yes, your information is vulnerable, particularly if they know your master password. But the biggest threat would be if someone could control your Bitwarden client while the vault is unlocked, and then they could browse all the information stored in your vault.
Note that you can lock Bitwarden to protect it from being accessed by requiring the master password or a PIN/biometrics to unlock it again, but locking Bitwarden still means that your encrypted vault is stored on your machine. You must logout entirely to purge the encrypted vault. So, if you want the highest level of security, you should always login with your master password and 2FA, retrieve your credentials, and then logout.
There is currently no way to automatically logout of your vault based on the rate of vault access, nor do I think there is any plan to do this.
Feel free to post back if you have further questions. Cheers!
Thank you for the detail – that was very helpful.
To clarify, as that locally stored encrypted vault is encrypted only with the master password, under the assumption of the attacker knowing the master password, does it follow that at that point the user is fully pwned?
Meaning as the attacker has the master password, isn’t he able to decrypt the vault regardless of whether the PIN or biometrics are turned on?
If that’s true I would also understand that my suggestion of rate limited turning on of 2FA etc. is a non-starter - the attacker only needs the master password to decrypt and can bypass any control flow that requires 2FA authentication.
Related, why did you guys go for downloading the entire vault? Is it for responsiveness? And is that standard among password managers?
Thank you again for the responsiveness; I am a big supporter of the overall effort.
Glad that was of some help. Regarding the questions you ask, you are correct that if someone controls your computer and they have your master password, they can enter your vault if Bitwarden has been unlocked (no 2FA required). If you are logged out at the time, however, they would also need access to your 2FA.
Merely obtaining the encrypted vault file and master password is not necessarily enough to access the vault - your master password is used to create the key that decrypts your vault, but there are a few steps involved that the client handles, so it is a bit more complicated. And assuming you use a long, unique and unguessable password, the encrypted vault is essentially useless without the password and a means to decrypt it.
Bitwarden uses zero-knowledge, end-to-end encryption to handle all the encryption/decryption on the client-side and storage server-side, which means the Bitwarden servers and the communication channel between your client and the servers will never see your password, and the encrypted vault is what is stored on the server. Assuming you have control of your device, that means your information is very secure. I think most password managers use a somewhat similar system for security purposes, but I can't think of any other password managers that reveal their source code so that one could verify this for themselves (otherwise, you would have to rely on a third-party audit to certify it).
If you are interested in learning more, there is a wealth of information on the Bitwarden help pages below: