I recently fell victim to a robbery where I was compelled to surrender my Android phone (and its password), along with one of my bank passwords for unauthorized transfers—a truly harrowing ordeal, to say the least.
To provide some context, I’m uncertain about the specific vault timeout, but I hadn’t used the Bitwarden app for a minimum of 6 hours prior to the incident, and I had the biometrics login on Bitwarden enabled. Following the theft of my phone, my Google password was altered (likely due to the 2FA SMS), and my device seemed to have gone offline. It took me several hours to regain access to my Google Account, as I had to activate my number on a new device.
In addition, I had some passwords saved in Google, simultaneously with Bitwarden (though never the Bitwarden master key). Given that my phone was offline and unprotected after this incident, it seems prudent to consider changing those passwords, but what about those that are only in Bitwarden? Could the criminal also use my Android password to set up a new biometric profile and gain access to Bitwarden?