I want to make BitWarden for Chrome Desktop log out only every two weeks, so I don’t forget the password, but it doesn’t work as I want it to: I set the Account security in Chrome to “Logout” every 336 hours, but when I close and open the browser, it asks me to log in again.
I understand that, in this case, BW logs out on browser restart, but there is an option to keep it logged in forever and not ask for login even on PC restart for months at a time. Why can’t it do the x hours correctly?
This makes it less secure, as instead of logging out every time, I will set it not to log out at all, and that’s it.
Please implement something for this use case.
Thanks.
Staying logged in forever effectively stores your master password on your hard drive. All other mechanisms store it only in RAM. Allowing logins to persist across browser restarts would similarly require storing the master password (or more precisely, the “encryption key”) on your hard drive. That is not a good place for it.
Most of us work around this by opening a spare browser window, minimizing it and never using it. This prevents the browser from truly quitting and therefore clearing out its RAM.
Another technique is to set the desktop app to have your desired 2-week timeout and the browser extension to use biometrics to log in. Since biometrics in the extension requires the desktop app to be logged in, you will get close to your desired behavior.
Regarding forgetting your master password, the best solution is to create an emergency sheet.
Risk acceptance is a very personal thing. You are free to make that risk decision for your own vault.
Hello,
I’ve encountered a similar issue with Bitwarden’s timed logout feature for the Chrome extension. I’ve set up the “Logout after X hours” option (e.g., 336 hours or about two weeks), but it doesn’t work as expected. Every time I restart the browser, I’m prompted to log in again, even though I’ve configured it to stay logged in for the set duration.
It seems like Bitwarden doesn’t track the session timeout properly when the browser restarts, overriding the desired “logout after X hours” behavior. This forces me to either log in manually after each restart or disable the logout feature entirely, which reduces the security of my account.
I understand the need for secure login practices, but it would be great if the feature could function as intended, logging me out only after the configured time period. If this issue could be addressed, it would help improve the user experience while maintaining security.
Ok, my solution is great for this:
Make the extension “save” the master password to the hard disk (which I am already doing for convenience), but after 2 weeks (or xx hours) delete it, forcing the user to log in another time and save it another time to the hard disk. In case the computer is stolen/not used for that time, at least we are sure it is not going to be logged in.
This won’t work, as I am among those who “turn off” the PC when not in use.
I’ll check how this works, and will let you know. Still, I am hoping my first option gets implemented.
@tech_eng @frank58richard I moved this thread to the Ask the Community section of the forum, because there did not seem to be a clearly defined proposal for a new feature, and because some of the comments revealed potential misunderstanding of how Bitwarden works. If either of you want to propose a specific new feature for Bitwarden, feel free to open a new topic in the Feature Request section of the forum, and clearly describe your proposed idea in the top post.
Logging In: This requires you to be authenticated to the server (by supplying your username, master password, and 2FA, or a passkey). On successful authentication, the server provides your device with a session token (authorizing communication between your device and the server) and a copy of the encrypted vault data. The session token and encrypted vault data are cached on your device until you log out, or until your login session is deauthorized.
Unlocking: This requires you to supply either your master password, or a PIN, or a biometric input to the Bitwarden app (or browser extension) running on your device. The provided unlock credential is needed by the Bitwarden app/extension to decrypt the encrypted vault cache, and upon successful decryption, the app/extension stores the decrypted vault contents in the volatile memory (RAM) of your device, allowing you to access, use or modify the vault data. When logging in, the vault is also unlocked.
Locking: When a Bitwarden app or browser extension is locked, all unencrypted vault data are cleared from the device memory, but the encrypted vault cache remains stored on the device.
Logging Out: When a Bitwarden app or browser extension is logged out, all unencrypted vault data are cleared from the device memory, and in addition, the encrypted vault cache and the session cookie are both purged.
For most users, their Bitwarden apps and browser extensions should be kept logged in indefinitely, and the Vault Timeout Action should be set to “Lock”.
For security reasons, the vault should be kept in a “Locked” state when it is not actively being used, so it is recommended to set the Vault Timeout Interval to a relatively short time period (e.g., 1, 5, or 15 min). You will need to unlock the app/extension after the timeout interval has expired, or anytime that the browser is restarted (the reason why the vault is normally locked on browser restart is that the process memory containing the unencrypted vault data is wiped out whenever the browser shuts down — thus, the unlock process must be completed when the browser is restarted, so that the encrypted vault cache can be decrypted and read back into the browser extension’s process memory).
By default, unlocking requires you to supply your master password. However, this does not mean that you are logging in, because you are not supplying your username or 2FA, and because unlocking can be done even if your device is unable to communicate with the server.
All Bitwarden apps give you an option to unlock your vault using either a PIN or a biometric input as an alternative to supplying the master password. These methods provide weaker protection for your encrypted vault cache than does the master password, which is why Bitwarden has a default setting to require the master password to be input for unlocking whenever you first restart your browser (or app). However, Bitwarden also gives you the option to disable this default behavior, so that you can use your PIN or biometrics to unlock the vault even after an app or browser restart.
Thus, enabling PIN (or biometric) unlock, and disabling the default option “Require master password on browser restart”, may be a solution that allows you to comfortably use your extension with a short (≤ 15 min) timeout interval.
The other aspect of what you want (fully logging out the extension every 2 weeks) is not possible to automate in the Bitwarden apps and extensions. However, you could always set a recurring notification in your calendar app, reminding you to manually log out every other week.
In addition, there is another feature request, which if implemented, would allow you to set a 2-week timeout for logging out, while keeping a much shorter (≤ 15 min) timeout interval for locking the vault:
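The logged-out / locked / unlocked states described in the post above, modelled as an added example (this is not Bitwarden's code; the class name `ExtensionClient`, the SHA-256 stand-in for key derivation and the XOR key wrapping are constructed assumptions). It shows why a browser restart can only ever land the extension in "locked", never "logged_out", and why the "Require master password on browser restart" setting decides whether PIN unlock survives a restart.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

def kdf(secret: str) -> bytes:  # stand-in for key derivation (constructed, not Bitwarden's KDF)
    return hashlib.sha256(secret.encode()).digest()
def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

@dataclass
class ExtensionClient:
    # Persisted on disk: survives a browser restart, purged only by logout().
    require_master_on_restart: bool = True
    session_token: Optional[str] = None
    key_check: Optional[bytes] = None      # stands in for the encrypted vault cache
    items_cache: Optional[list] = None
    pin_wrapped_key_disk: Optional[bytes] = None
    # Volatile (process memory): wiped by lock() and by browser_restart().
    items: Optional[list] = None
    pin_wrapped_key_ram: Optional[bytes] = None
    def state(self) -> str:
        if self.session_token is None:
            return "logged_out"
        return "unlocked" if self.items is not None else "locked"
    def login(self, master_password: str, token: str, items: list) -> None:
        self.key_check = hashlib.sha256(kdf(master_password)).digest()
        self.session_token, self.items_cache, self.items = token, list(items), list(items)
    def enable_pin(self, master_password: str, pin: str) -> None:
        # Where the PIN-wrapped master key is kept decides if PIN unlock survives a restart.
        wrapped = xor(kdf(pin), kdf(master_password))
        if self.require_master_on_restart:
            self.pin_wrapped_key_ram = wrapped
        else:
            self.pin_wrapped_key_disk = wrapped
    def unlock(self, master_password: str = None, pin: str = None) -> bool:
        wrapped = self.pin_wrapped_key_ram or self.pin_wrapped_key_disk
        if master_password is None and (pin is None or wrapped is None):
            return False                       # PIN unlock unavailable: master password needed
        key = kdf(master_password) if master_password else xor(kdf(pin), wrapped)
        if hashlib.sha256(key).digest() != self.key_check:
            return False                       # wrong credential (or logged out): cache stays encrypted
        self.items = list(self.items_cache)
        return True
    def lock(self) -> None:
        self.items = None
    def browser_restart(self) -> None:
        self.items = self.pin_wrapped_key_ram = None
    def logout(self) -> None:
        self.browser_restart()
        self.session_token = self.key_check = self.items_cache = self.pin_wrapped_key_disk = None
```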