**"I’ve confirmed that simply moving files from `%LocalAppData%\Microsoft\Edge\User Data\Default\Local Extension Settings\jbkfoedolllekgbhcbcoahefnbanhhlh` to a new offline browser allows unlimited PIN brute-forcing—as long as you haven’t enabled ‘require master password after reboot’. The same vulnerability exists in the desktop client: copying its JSON file to another offline client enables full password extraction using only the PIN, completely offline.
Despite setting an extremely strong master password for security, this flaw forces me to abandon PIN convenience. Could you implement an online PIN attempt restriction feature with these critical safeguards:
Disable PIN entirely in offline mode
Force master password unlock after 5 failed online attempts. This solution would restore both security and usability."**
Hardware-bound PINs: PINs must be cryptographically tied to device identifiers
Explicit security warnings: Highlight PIN vulnerability during setup
Online verification: Mandatory cloud handshake after X unlock attempts. Current PIN security remains dangerously inadequate without these safeguards."**
But note: either online verification or device binding would suffice—both need not be enforced simultaneously.
This can be accomplished by using Windows Hello PIN (which Bitwarden considers a “biometric”). The advantage of Bitwarden PIN is that it works even in the absence of cryptographic hardware assistance.
Even if using the Bitwarden PIN, one can significantly mitigate this risk by enabling an inactivity lock on their devices and by keeping devices malware-free (perhaps with the aid of some anti-malware software).