How secure is an unlocked vault?

With the browser extension password vault, how secure are the passwords when the vault is unlocked? The reason I ask is that the default timeout setting is when the browser is closed, but I usually open my browser at the start of the day and do not close it until the end of the day. That seems like a long time to have my vault open and my unencrypted passwords accessible. Is there an online threat to my passwords when the vault is unlocked?

Short answer

As secure as your computer is

Long answer

With the browser extension password vault, how secure are the passwords when the vault is unlocked?

The passwords you see in your vault are local. If you close your internet connection, you will see that you still have access to your vault. Authentication happens between you and the server (online) when you log in (not authenticate).

Your vault is as secure as the implementation done to protect it, plus the browser security and, of course, your other extensions. If you leave your vault open for the whole day, you mostly need to worry that somebody gains access to your computer.

Is there an online threat to my passwords when the vault is unlocked?

No, in the sense that your vault does not affect your online account when you unlock it. Changes done on your vault will be synchronized with your online account.


My answer is based on:

  • Experience in creating extensions for browsers (Firefox, Chrome)
  • Experience in full-stack development & TLS encryption
  • Tests done on the browser vault

Hope it helps


Hi Pulsar, thank you for your response. Yep, I realise the risk associated with someone gaining physical access to my computer when my password vault is open, but since I lock my computer when I step away from the desk, I think I have that one covered.

I also understand that my passwords in my browser extension vault are local. Let's assume I do something stupid and allow malicious software to be installed on my computer. Is it possible, technically, for the software to have access to my unencrypted passwords when my vault is open? I am asking this in an attempt to assess the level of risk associated with having my password vault open all day, and whether I should change my timeout settings.

Personally, I rarely need to use Bitwarden except when setting it up. Most sites leave you logged in and the sites that don’t are high risk anyway. Sometimes I go days without having to unlock Bitwarden. I would recommend at least protecting with a PIN.

My wife is still in the process of adding all of her accounts. I’m letting her do it organically as she uses the sites. Once she reaches some critical mass, I’m going to have her PIN lock it.

Hey Ben86, I will look to using a PIN with a short timeout period. Cheers.