Help regarding PIN?

Is there any risk to using a PIN? Is it any less safe than your regular master password (I am the sole user of my home computer)?

Is the distinction that the master password works on all devices everywhere, but the PIN is tied to my one (home) PC?

Yeah, that’s essentially it. Anyone getting hold of your PIN would also need your physical device.

@RocketMan Welcome to the forum!

The main risk of PIN use is introduced by defining a PIN that is easier to guess than the master password. On a PC or laptop, the “PIN” can actually be an arbitrary character string (containing upper- and lowercase letters, numbers, and special characters), so you are in complete control over how much or how little entropy (password strength) you give up by choosing a PIN that is shorter or less complex than the master password.

This reduction in password strength does not necessarily increase your net risk, since the attack surface (a vault locally stored on one of your devices) is much smaller than that of the cloud vault and back-end databases, and since the impetus for an attack against your local vault is significantly smaller than for an attack on Bitwarden’s cloud servers — because the value of the latter is orders of magnitude larger. However, to be safe, it is best to use a PIN that has an entropy no lower than 30 bits (e.g., a numeric code consisting of 9 randomly generated digits, or an alphanumeric string consisting of 6 randomly generated characters).

Please note that when you enable Unlock with PIN, you have the option to disable the option Lock with Master Password on Restart (which is enabled by default). If you leave this option enabled, then cracking your PIN requires that an attacker has access to your device when Bitwarden has been left running (since the vault was last locked). If you disable the Lock with Master Password on Restart option, then cracking your PIN still requires access to your device, but Bitwarden does not have to be open, and an attack would still be possible if the device is completely turned off (assuming you are not using whole-disk encryption).

You may find some other helpful information in these related threads:
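To make the 30-bit rule of thumb above concrete, here is an added example (not code from the post or from Bitwarden) that computes the entropy of a uniformly random PIN for a given alphabet and length, works out the shortest length that reaches a target entropy, and generates such a PIN with the `secrets` CSPRNG. The alphabets are assumptions about what the desktop client accepts (digits only, alphanumeric, or all printable ASCII); the arithmetic is simply length × log2(alphabet size).

```python
import math
import secrets
import string

# Assumed candidate alphabets for a desktop PIN (the answer above says any
# character string is accepted on PC/laptop; a phone keypad would be digits only).
ALPHABETS = {
    "digits": string.digits,                                          # 10 symbols
    "alphanumeric": string.ascii_letters + string.digits,             # 62 symbols
    "printable": string.ascii_letters + string.digits + string.punctuation,  # 94 symbols
}


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a PIN of `length` symbols drawn uniformly from `alphabet_size`."""
    if length <= 0 or alphabet_size <= 1:
        return 0.0
    return length * math.log2(alphabet_size)


def min_length_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Smallest length at which a uniformly random PIN has at least `target_bits` of entropy."""
    if alphabet_size <= 1:
        raise ValueError("alphabet must contain at least two symbols")
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_pin(length: int, alphabet: str) -> str:
    """Generate a PIN using the OS CSPRNG via `secrets` (never the `random` module)."""
    if length <= 0:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def pin_report(target_bits: float = 30.0) -> dict:
    """For each alphabet: the minimum length for `target_bits` and the entropy it actually gives."""
    report = {}
    for name, alphabet in ALPHABETS.items():
        n = min_length_for_bits(target_bits, len(alphabet))
        report[name] = {"min_length": n, "bits": round(entropy_bits(n, len(alphabet)), 1)}
    return report


if __name__ == "__main__":
    # A typical 4-digit smartphone-style PIN is only about 13 bits.
    print("4 digits:", round(entropy_bits(4, 10), 1), "bits")
    # The answer's examples: 9 random digits (~29.9 bits), 6 random alphanumerics (~35.7 bits).
    print("9 digits:", round(entropy_bits(9, 10), 1), "bits")
    print("6 alphanumeric:", round(entropy_bits(6, 62), 1), "bits")
    for name, row in pin_report(30.0).items():
        print(f"{name}: {row['min_length']} chars -> {row['bits']} bits, e.g. "
              f"{generate_pin(row['min_length'], ALPHABETS[name])}")
```

Note that a PIN you pick yourself (a birthday, a keyboard pattern) has far less entropy than these figures, which assume every symbol is chosen uniformly at random; the numbers only hold for generated PINs.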

Many thanks, Dan

And thanks also, GRB
