The idea of an increasing wait time after each failed attempt is a good one. Maybe authorise three attempts without wait time and then begin with one minute after the third attempt. And then, send an e-mail to the owner to warn him.
Maybe that could be enough. But maybe the blocking function could still be useful as an option. As an option it could be unset in the case of an attack like the one you describe.
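The two posts above describe the same control from two sides: an escalating wait after a few free failures (with an e-mail to the owner when it kicks in), and the risk that a persistent attacker uses the lockout itself to keep the real owner out. The following is an added example, not Bitwarden code and not from either poster, showing how such a throttle is usually built server-side. The doubling schedule, the one-hour cap, the alert hook and the injectable clock are my assumptions; the post only specifies three free attempts and one minute after the third.

```python
import time
from dataclasses import dataclass

# Policy from the post above: three failures cost nothing, the third starts a
# one-minute wait. Doubling after that and the one-hour cap are assumptions.
FREE_ATTEMPTS = 3
BASE_DELAY_S = 60.0
MAX_DELAY_S = 3600.0


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed logins since last success
    locked_until: float = 0.0  # monotonic timestamp until which logins are refused


class LoginThrottle:
    """Per-account escalating delay after repeated failed logins."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock            # injectable so tests can fake time
        self.state: dict[str, AccountState] = {}
        self.alerts: list[tuple[str, int]] = []  # hypothetical e-mail hook: (user, failures)

    def delay_for(self, failures: int) -> float:
        """Wait imposed after the given number of consecutive failures."""
        if failures < FREE_ATTEMPTS:
            return 0.0
        return min(BASE_DELAY_S * 2 ** (failures - FREE_ATTEMPTS), MAX_DELAY_S)

    def attempt(self, user: str, password_ok: bool) -> tuple[str, float]:
        """Record one login attempt.

        Returns ("ok", 0), ("denied", wait) or ("throttled", remaining).
        While throttled the attempt is refused *before* the password is
        considered, so an attacker cannot keep guessing during the wait and
        the response does not reveal whether the guess was right.
        """
        st = self.state.setdefault(user, AccountState())
        now = self.clock()
        if now < st.locked_until:
            return ("throttled", st.locked_until - now)

        if password_ok:
            self.state.pop(user, None)  # a real login resets the counter
            return ("ok", 0.0)

        st.failures += 1
        wait = self.delay_for(st.failures)
        if wait > 0:
            st.locked_until = now + wait
        if st.failures == FREE_ATTEMPTS:
            # First time the throttle engages: warn the owner (post's e-mail step).
            self.alerts.append((user, st.failures))
        return ("denied", wait)
```

The caveat from the second post is visible in `attempt`: while an attacker keeps failing, the legitimate owner is "throttled" too, even with the right password. That is why the schedule is capped rather than unbounded, why the alert fires as soon as the throttle engages, and why a deployment would also want a recovery path (a second factor, or an out-of-band unlock) rather than relying on the delay alone.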
If you are a premium member and set up U2F you are as safe as can be. I don’t care if someone tries a million times. Even if they “hit” my password (they never will) nothing will happen without the physical key. Just a thought!
Yes, sure, U2F is a very safe security feature. But actually I find it somewhat tedious to use. Thus I would prefer to have the maximum possible security even without U2F. And adding a blocking function for faulty login attempts doesn’t cause any inconvenience.
By the way, if I was using U2F, I would like to use it only for some particular web sites and not for every one that is registered in my vault. Is this an existing possibility? If not, it would be a nice feature to add.
My response to U2F is to open your vault. Regarding specific sites I decide whether or not to enable U2F/2FA on each site. Some sites still don’t even offer TOTP or SMS (stone age thinking).
So on my linux laptop I leave a U2F chip (nano) inserted in one spare USB A slot. When BW asks for my credential I simply tap the chip and I am in. Very easy.
On my Android I have BW logged in but locked and set for a PIN. The “bad guy” gets 5 guesses and then BW logs out automatically. At that point they would need my U2F NFC to log into BW on the phone. This has never happened to me in a couple of years using BW. My four digit BW PIN is used in no other place so they are NOT going to guess it in only 5 attempts.
Would this model help you to feel secure? It sure does for me.
I didn’t understand that U2F was only to be used to unlock the vault. I thought U2F would be necessary to unlock every single use of a password in Bitwarden. So I learnt something.
Your model is very interesting. Thanks for sharing. It would certainly make me feel safe regarding the login attempts that a black hat could make on the vault. But it wouldn’t be suitable for me for two reasons. First, I wouldn’t be comfortable with the idea of leaving the U2F chip inserted in my desktop. This is not the intended use; the computer with the chip could be stolen by a burglar. Secondly, the security advantage that U2F would offer to me is not balanced with the complication it brings.
The solution where Bitwarden would block access to the vault after faulty login attempts would be perfect for me, as it would be both very easy and very reassuring.
Thank you for some kind comments. Of course for most users a U2F chip left inserted in a laptop is a no go. In my case I am retired and my laptop is either sitting on my home office desk while I am in the house, or the laptop is in my gun safe when I am gone. When I am mobile (Android example) I carry my NFC U2F element to use when needed. I just renewed my Premium membership. This is absolutely the best 10 bucks I spend all year!
There should still be settings for timeouts after failed login attempts, as not everyone wants to use U2F or similar devices and as it is always possible to lose such a device. It is a relatively basic feature available on other password managers and on many websites. I’m amazed this thread is 3 years old and has no comments from the Bitwarden team. Let’s make this a priority!