Feedback on which is more secure: PIN or 12-hour login

I was hoping to get feedback on which practice would be more secure when using the Google Chrome browser extension:

  1. use a PIN to unlock Bitwarden vault when needed.

  2. configure Bitwarden so Master Password login is required every 12 hours. Once logged in, user doesn’t have to enter Master Password again for 12 hours (unless the browser restarts).

Remember, this is for use in the browser extension, if this makes a difference in the security analysis.

Seems like this may be an 🍏 vs. 🍊 comparison.

The answer would depend on a number of factors:

  • What is the entropy difference between the PIN and the master password?

  • In case #1, do you have a time-out setting for locking the vault, and if so, what is the time-out period?

  • In case #1, do you have the option “Lock with master password on browser restart” enabled or disabled?

  • In case #2, are you leaving the vault unlocked when not in use?

  • In case #2, if you are not leaving the vault unlocked, how frequently are you locking the vault?

  • In case #2, if you are not leaving the vault unlocked, are you locking it with the master password or a PIN (or biometrics)?

  • huge difference in entropy between PIN and master password

  • PIN timeout would be 5 minutes. master password timeout would be 12 hours (absent browser restart)

  • lock with master password on browser restart is always enabled in both scenarios

  • when master password timeout of 12 hours is used, vault is left unlocked. Computer OS is always screen-locked if person away from computer.

I’m not looking for a definitive answer here, just some feedback/observations on what factors might work to make you choose one over the other and what the security concerns might be for each and what contexts might prefer one over the other.

Still not sure there is enough information to compare your two scenarios, but I think it’s a moot point:

The conventional approach to configuring Bitwarden is to remain logged in all the time, so your second option (logging out after 12 hours) would not be advisable unless you have good reason to go against the flow (i.e., an extraordinary use-case).

Set a short time-out period with a time-out action of “Lock” (e.g., a 5-min period as you propose for your first scenario).

Unlocking with a PIN or biometrics is a popular option, but you should make sure that your PIN is sufficiently strong (e.g., a random numerical PIN with around 9 digits, or a random alphanumeric code with around 6 characters).

If you do set up a PIN or biometrics, do leave the option to “Lock with master password on browser restart” enabled. This will improve the security of your vault, and ensure that you regularly have to use your master password (thereby reducing the risk of forgetting it).
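
The entropy comparison raised in this thread, worked through as an added example that is not part of any post: it measures the PIN lengths suggested above and finds the alphanumeric length that matches a given numeric PIN. It assumes every character is chosen uniformly at random; the 36- and 62-symbol alphabets and all function names are assumptions of the example.

```python
import math
import secrets
import string

DIGITS = string.digits                                # 10 symbols
ALNUM_LOWER = string.ascii_lowercase + string.digits  # 36 symbols (assumed alphabet)
ALNUM_MIXED = string.ascii_letters + string.digits    # 62 symbols (assumed alphabet)


def entropy_bits(alphabet: str, length: int) -> float:
    """Entropy in bits of a code whose characters are drawn uniformly at random."""
    return length * math.log2(len(set(alphabet)))


def min_length(alphabet: str, target_bits: float) -> int:
    """Shortest random code over `alphabet` with at least `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(len(set(alphabet))))


def random_code(alphabet: str, length: int) -> str:
    """Generate a code from the OS CSPRNG; a human-chosen PIN has far less entropy."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def equivalent_lengths(pin_digits: int) -> dict:
    """Lengths in other alphabets that are at least as strong as a random numeric PIN."""
    target = entropy_bits(DIGITS, pin_digits)
    return {
        "pin_bits": round(target, 1),
        "alnum_lower_len": min_length(ALNUM_LOWER, target),
        "alnum_mixed_len": min_length(ALNUM_MIXED, target),
    }


if __name__ == "__main__":
    for label, alphabet, length in [
        ("4-digit PIN", DIGITS, 4),
        ("9-digit PIN", DIGITS, 9),
        ("6-char lowercase alphanumeric", ALNUM_LOWER, 6),
        ("6-char mixed-case alphanumeric", ALNUM_MIXED, 6),
    ]:
        print(f"{label:32s} {entropy_bits(alphabet, length):5.1f} bits  "
              f"e.g. {random_code(alphabet, length)}")
    print(equivalent_lengths(9))
```
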