How do YOU secure your account?

I’m curious to see what other people do for security of their account and database.

I personally use a 10-word diceware passphrase (maybe overkill? roughly 90 characters total with numbers and symbols added) and FIDO2 with a YubiKey for MFA, along with KDF settings of Argon2 at max values.

I only use bitwarden on my desktop so mobile limitations aren’t a concern for me.

How do you set yours up?

1 Like

Sufficiently.

I spend more effort watching for any form of phishing, the most likely attack vector.

To me, “secure” is much more about good operational practices and less about the “technical settings”.

I use the Bitwarden recommended encryption values, updating them as their recommendations evolve, including the use of two-step authentication. And, as per their recommendation, my master password is at least 12 characters (which is ~72 bits or 5.5 dice-words).

I also secure my vault by maintaining an emergency kit and vault exports in at least two physical locations. And yes, my kit does include my recovery code.

I keep all my equipment on vendor-supported operating systems and apply updates (OS, app, extensions) shortly after they are released, and whenever possible I turn on notifications when updates are available.

As much as possible, I use passwordless logins (the current Passkey “pause” notwithstanding), TOTP, and password-manager auto-fill to minimize falling victim to look-alike sites. Passwordless also helps me be OK with relatively short screen-lock timeouts.

1 Like

This is definitely overkill, unless you believe that someone is currently harvesting your encrypted vault data by packet sniffing etc., and then warehousing said data in the hopes of cracking it using powerful quantum computers some 50 years from now.

My question is, with a 90-character master password, are you typing in the master password every time that you need to use a credential from your Bitwarden vault?

Also, I’m curious what word list you used to generate your diceware passphrase. If it was generated using Bitwarden’s passphrase generator (EFF Long Word List), then the number of characters in your 10-word passphrase should have been closer to 79 than 90 (although it’s theoretically possible that you just happened to select words that were longer than the average word length). If you used Reinhold’s original Diceware list, then your passphrase should have had around 52 characters.

Finally, what is your vault timeout action and vault timeout period? Do you use a PIN or biometrics for unlocking, and if so, are you unlocking with the master password on app or browser restart?

1 Like
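The two replies above reason about diceware entropy and passphrase length (12 characters ≈ 72 bits ≈ 5.5 dice-words; 10 EFF Long words ≈ 79 characters, 10 Reinhold words ≈ 52). The block below is an added worked example, not code from the thread or from Bitwarden; the average word lengths are approximations back-derived from the poster's figures, and 7776 is the size of a five-dice list.

```python
import math

# Word lists discussed in the thread. Both are five-dice lists (6**5 = 7776 words).
# avg_word_len is an approximation derived from the poster's character counts
# (79 chars for 10 EFF Long words, 52 for 10 Reinhold words, 9 separators each).
WORDLISTS = {
    "eff_long": {"size": 7776, "avg_word_len": 7.0},
    "reinhold": {"size": 7776, "avg_word_len": 4.3},
}


def bits_per_word(list_size: int) -> float:
    """Entropy of one word chosen uniformly (by dice) from a list of list_size words."""
    return math.log2(list_size)


def passphrase_entropy_bits(num_words: int, list_size: int) -> float:
    """Entropy of num_words independent picks; does not depend on word length."""
    return num_words * bits_per_word(list_size)


def expected_length(num_words: int, avg_word_len: float, separator_len: int = 1) -> int:
    """Expected character count: the words plus (num_words - 1) separators."""
    return round(num_words * avg_word_len + (num_words - 1) * separator_len)


def words_for_target_bits(target_bits: float, list_size: int) -> float:
    """Fractional word count needed to reach target_bits; round up when choosing a real length."""
    return target_bits / bits_per_word(list_size)


def compare(num_words: int) -> dict:
    """Entropy and expected length of a num_words passphrase for each list."""
    return {
        name: {
            "bits": round(passphrase_entropy_bits(num_words, wl["size"]), 1),
            "chars": expected_length(num_words, wl["avg_word_len"]),
        }
        for name, wl in WORDLISTS.items()
    }


if __name__ == "__main__":
    # The 12-character / ~72-bit master password from the thread, in dice-words:
    print(f"72 bits ~ {words_for_target_bits(72, 7776):.2f} EFF Long words")
    # The 10-word passphrase from the original post, per list:
    for name, result in compare(10).items():
        print(f"{name}: {result['bits']} bits, ~{result['chars']} chars")
```

The entropy column is the same for both lists: word length changes how much typing a passphrase costs, not how hard it is to guess.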