For anyone else reading this thread, I just found the following related reply from grb “Best Practices - Log Out or Lock?”:
And another here: “Assessing Security & Safety vs. Convenience for Log In & PIN Options”
In the above-referenced thread, “Assessing Security & Safety vs. Convenience for Log In & PIN Options”, among many good points and questions, the author advised the following:
I had hoped there might be a bit of a white paper or similar on this taking you through the options with some sort of guidance on best practice (likely annoying to do) vs. a couple of levels of convenience & scale of the related risk; but only found the basic info in the FAQs
As such, a Sticky Thread (White Paper if you will) addressing the subject of Safety vs Risk vs Convenience may be prudent to compile.
All of us have differing levels of understanding regarding best security practices when using a password manager. But, it’s assumed that we’re all interested in device and Internet security, because we are choosing to use a password manager.
Setting up a password manager like Bitwarden has many pros and cons associated with how it’s done. What I’m seeking is an understanding of the pros and cons of enabling or disabling certain login options when compared to convenience. This is so I can make educated decisions about what is right, or what could go wrong, relative to my specific needs and devices. For example, I believe always logging out and locking the vault would provide optimum security. But as frequently as I’m in and out of my (always at home) PC and its browser(s), doing so would be a distinct inconvenience. The same would NOT be true for an on-the-go laptop – i.e., security is paramount.
So, an education relative to the whys and hows of starting and running Bitwarden would be helpful. For example, what are the downsides of choosing to do “A”, “B” or “C” when we are using a static (in-home) PC vs. a portable PC vs. a cell phone, etc.? It would be most helpful to couple that with the specifics of how best to log in and set up Bitwarden relative to:
- The device types we own
- Our desired security needs (which could be a tome in and of itself, because while I have some clues, I admit the differences and downsides between buttoning everything completely down vs. some lessening and even more lessening are pretty questionable – i.e., worst-case disaster planning & inconvenience vs. some convenience & even more convenience)
- What we can expect (upsides/downsides, security wise), when we choose to do “A”, “B”, “C” etc.
(Note: I would consider Multi-Factor and Two-Factor Authentication et al. to be topics separate from this one. In fact, in some ways, I understand those better than how best to set up Bitwarden’s login and logout needs for my particular circumstances – the what could happen if I do “A”, “B”, or “C”, etc.)