How can I access my Bitwarden passwords on computers I don't completely trust?

I’m currently travelling without a personal, private computer: between my friend and I we only have one laptop we’re sharing, with one user per person.

I trust this computer enough to log into the services I need, but not enough to log into Bitwarden: all my passwords are stored with it and if someone gained access to my Bitwarden they could destroy my whole online life easily.

However I need to access my passwords quite frequently and they’re long and hard to type. I’ve been sending them from my phone to this computer one by one, but this process is quite annoying, especially when you need to do it several times each day.

Is there any better way to have access to my passwords on devices I can’t fully trust?

I can think of various solutions, but as far as I know none is supported nor easy to achieve. For instance:

  • It’d be neat if I could see all my logins, but had to ask for permission (to my phone) in order to access the credentials.

  • It’d be cool if I could choose from my phone which passwords to share with my Bitwarden on my friend’s laptop. It may be possible to do this using a second account, organizations and collections, but this solution isn’t really feasible with the current version of Bitwarden: there’s no interface to ease this process and some passwords already belong to different organizations.

Can you think of any other feasible way to easily access my passwords on my friend’s laptop without exposing my whole Bitwarden vault?

1 Like

Hello @peoro - welcome to the Bitwarden community forums!

You pose a very good question, and I will add my personal opinion, FWIW. Personally, if you don’t trust a computer, then there is absolutely no safe way to enter credentials, either with a password manager or manually. It does not matter if your passwords are auto-filled (pasted), manually typed, or auto-typed into things like web forms, there is always a possibility that, purposefully or inadvertently, software such as spyware or malware could have been installed to monitor your activity, like your inputted passwords.

If you have a sub-set of passwords that you feel comfortable using under this heightened risk scenario, your best bet might be to create a CSV-format export of your vault, delete the items that you wish to exclude, and copy your remaining credentials to another vault or even a stand-alone password manager on the other computer (something like Keepass comes to mind). That will at least minimize your risk by limiting exposure to select credentials that are non-critical.

If you have a paid Premium account on Bitwarden, you are entitled to a free account as well - in which case, you could actually maintain two separate vaults - one for lower-risk items and one for your more sensitive credentials. Soon, all Bitwarden clients will allow you to have multiple vaults open at once and you can easily switch between them, making this ‘partitioned approach’ quite feasible. And then you could login to just the low-risk vault on computers you trust less.

I hope those suggestions help! Cheers.

1 Like

I have an idea for this scenario, but I have not tested it. If one creates a bootable USB drive and installs the portable desktop client on this USB, then it would be possible to boot into this environment to use Bitwarden while bypassing any malware running in the operating system of the laptop.

I would welcome discussion of this idea.

I’m afraid that this isn’t a general, definitive solution. Once the laptop is compromised it’s hard to regain control. A hardware keylogger would be enough to steal your master password and vault. Or even just via software, someone could replace my friend’s reboot command/button with a fullscreen program which pretends to reboot, then boots my pendrive into a VM meant to steal my password.

For my personal case your solution should work though. I trust my friend and doubt anyone is putting a major effort into stealing my passwords specifically. I’m not sure how convenient it would be to have an OS per person, but it might be they best way to go.

Of course. But there’s a huge difference between losing my password/cookie for a handful of services, and losing my entire Bitwarden vault with hundreds of login credentials and personal information.

I’m willing to use my password even if there’s a 90% probability of losing it.
I’m not willing to risk losing my whole Bitwarden vault with just 0.1% probability.

The more I rely on Bitwarden, the less I’m inclined to use it.

Your suggestion to export a subset of logins to a CSV is much more practical than what I’ve been doing, but it’s less secure too.
If someone steals the spreadsheet, they’ll gain my credentials to a large amount of not-too-important services.
With the current approach of manually fetching passwords individually when needed, if you gain access to my system right now, you’ll only be able to steal the passwords I input in the future and the sessions/cookies for the services I already logged in to.

Sharing some passwords between my vault and a lower-security one could be a good solution, especially if it were possible to move passwords back and forth easily.

Here’s another idea:

  • Create a free organization under your current account
  • Create another free Bitwarden account and join that organization
  • Move some credentials to the organization.
  • Use that free account to access your data.

I think you misunderstood. I meant export a subset of credentials that you are willing to take a risk with and then import them into another vault or password manager. You would securely delete the CSV file after that.