Newbie here, giving Bitwarden a test run to see if it could be a good choice for me.
There is one issue that could be a deal breaker for me:
When I have logged in to Bitwarden—both the desktop application, and the Firefox extension—things work fine.
But every time I have closed Firefox, and then open it again, the Bitwarden extension is locked, asking for the master password again.
I have a habit of frequently closing all open FF windows, and starting a new instance, so this is really annoying.
I can’t understand why it behaves like this, since I still have the desktop application running and open. So Bitwarden should know that it is safe to have the Firefox extension unlocked when starting a new instance of FF.
Password managers like Dashlane will not ask for the master password every time you open Firefox as long as the desktop application is running.
Is this something under consideration, or is there perhaps already a setting for this I have overlooked?
I did go through and check all the settings.
But those were the settings as presented in the desktop application. I now see that that option is only to be found in the browser app, and the two seem completely invisible to each other.
Ideally I would like to be able to set the auto-lock to either ‘at computer restart’, or to something like the length of a working day, or e.g. 24 hours.
But for now I will set it to the maximum allowed period of 4 hours, that’s a compromise which will make me proceed with the road test.
I experienced that even while I had set the timer to 4 hours, it was not respected, and again I had to unlock Bitwarden every time I restarted Firefox. So some frustration reared its ugly head again.
Then I found the culprit was that I had briefly checked out the PIN feature, and then disabled that again.
But, the PIN option pane also has a checkbox for ‘lock with master password on browser restart’.
And even while you have the PIN feature disabled, that—then hidden—setting is overruling the main timer setting.
I think that setting behind PIN shouldn’t have any effect when PIN is disabled?
Edit:
It looks like I am experiencing an actual bug here.
I cannot get the 4 hour timer to be respected at all anymore.
Bitwarden’s FF plugin will lock every time FF is closed.
Now that you said that, I tried on my Vivaldi (Chromium-based) browser. It happened just like you described: you close the browser and when you open it, voilà, extension blocked again… Really weird at least…
There are no “Bitwarden developers”; from what I can tell, the entire thing is owned and developed by one heroically overworked dude, Kyle Spearrin.
He looks to be personally responsible for the backend server, all the browser addons, the web vault, the Mac and Windows desktop programs, and he probably admins the forum too. What he probably doesn’t do is sleep.
Guys, from a security aspect what you are requesting doesn’t make sense.
Closing the browser should end any open session through it.
I don’t think I would want someone to be able to unlock BitWarden just by opening the browser on my PC.
It’s already high risk that it remembers the password (so it’s just two clicks to unlock) and boom all your passwords, notes and 2FA tokens are available… Not great…
It defies the point for security, you might as well have a text file on your desktop with all the passwords.
It makes perfect sense for all situations where the PC is not in a public, or easily accessible location.
I think I am able to decide on the risks myself, depending on where I use the computer, and how critical the passwords I have trusted Bitwarden with are.
I come to work. I scan my finger to unlock my computer, then scan my finger to unlock Bitwarden. (Or type in my passphrase, as BW sadly doesn’t support biometrics yet.)
Bitwarden remains unlocked for the entire work day, locking shortly after I leave to go home, ~9 hours later.
Honestly, making the lock timeout configurable and persisting across browser restarts would pretty much fix this problem for me. The max is 4 hours and that’s annoyingly short.
Just tried 1Password and here the browser extension is also logging me out when closing the browser, although I disabled the setting to lock me out automatically.
Maybe this is a feature and not a bug in Bitwarden?
It would be better if the browser extensions communicated with the desktop app the same way 1Password does so that I only have to unlock it once to have access to it in all my desktop browsers and the app, etc. I have no problem with the desktop app running a persistent mini version in the system tray or menu bar (Windows or Mac) to facilitate this.
The ideal solution would be to have the desktop app unlock the extension as well, so if the desktop app is unlocked, closing the browser will not lock the extension.