How to avoid using the master password

[EDIT: This is likely solved. Leaving the post up for posterity. I think the setting I needed was “Lock with master password on restart”, which only shows up when you turn off the PIN and turn it back on again. Ideally this checkbox would be put with the other security settings.]

Hi there,

I recently had a close call with some malware, and it made me realise how vulnerable the master password system is to key logging.

Insecure though it may be, I would actually prefer to only have a PIN on trusted devices. Maybe there is a way to do this, but I don’t know what it is. I’m not sure if it is my device restarting or sleeping that triggers a master password prompt, but it seems to happen all the time.

I would prefer not to do 2FA, even though there is suitable support for 3rd party authenticator apps. The master pass is also a hassle to type in every time and this would add to that.

Essentially: I want both a timeout for the PIN to show up, but never a condition where the master pass is required.
Is there no other way to secure the desktop app?

This is on macOS without biometrics.

If an attacker acquires your master password using a keylogger, your Bitwarden account would still be protected by 2FA.

However, your focus on keyloggers may be distracting you from the real threats. If malware gets installed on your device, your unencrypted vault contents can be extracted from process memory or sleepimage files. Furthermore, malware can access your hard drive contents, including your encrypted vault and the PIN-protected encryption key that is saved if you disable the Unlock with master password on restart option; assuming that your PIN has significantly less entropy than your master password, the PIN-protected encryption key can be cracked, and the resulting encryption key can be used to decipher the exfiltrated vault. Session cookies can also be stolen and used by the attacker to authenticate themselves to Bitwarden’s servers, impersonating you.

The bottom line is that you should focus your efforts on protecting your device from malware, and not assume that keyloggers are the main threat posed by malware.
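To put numbers on the entropy point in the reply above, here is an added example (not part of the original thread, and not Bitwarden code) that estimates how long an offline search of every candidate secret would take for a stolen key blob. It assumes the blob is protected with PBKDF2-HMAC-SHA256; the iteration count, the candidate secrets and all function names are assumptions chosen for illustration.

```python
import hashlib
import math
import time

# Assumed KDF cost for illustration; the thread does not state the real parameters.
ASSUMED_KDF_ITERATIONS = 600_000

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random secret of `length` symbols."""
    return length * math.log2(alphabet_size)

def measure_guess_cost(iterations: int, sample_iterations: int = 20_000) -> float:
    """Seconds per key derivation on this machine, extrapolated from a short timed run."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"constructed-secret", b"constructed-salt",
                        sample_iterations)
    elapsed = time.perf_counter() - start
    return elapsed * iterations / sample_iterations

def worst_case_seconds(alphabet_size: int, length: int,
                       seconds_per_guess: float, workers: int = 1) -> float:
    """Time to cover the whole keyspace offline, where the KDF is the only
    cost per guess because no server is there to rate-limit or lock out."""
    return (alphabet_size ** length) * seconds_per_guess / workers

def compare(seconds_per_guess: float, workers: int = 1) -> list:
    """Return (label, entropy bits, worst-case seconds) for constructed secrets."""
    candidates = [
        ("4-digit PIN", 10, 4),
        ("6-digit PIN", 10, 6),
        ("4-word passphrase, 7776-word list", 7776, 4),
    ]
    return [(label, round(entropy_bits(a, n), 1),
             worst_case_seconds(a, n, seconds_per_guess, workers))
            for label, a, n in candidates]

if __name__ == "__main__":
    cost = measure_guess_cost(ASSUMED_KDF_ITERATIONS)
    print(f"one derivation on this machine: {cost:.3f} s")
    for label, bits, seconds in compare(cost):
        print(f"{label:36s} {bits:5.1f} bits  {seconds / 86400:14.2f} days")
```

The figures are single-core upper bounds for one machine; pass `workers` to see how the gap between a short PIN and a passphrase holds up under parallel hardware.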

The other thing is, if you don’t have to enter your MP from time to time it’s easy to forget it. That’s why I want to have to enter it every time I log into my desktop browsers.