Master Password Re-Prompt -- configurable grace-period

Why not? This option offers very limited additional security. You should protect your vault by keeping it in a locked state whenever it is not being actively used (and you do have an option to select a suitable timeout period for automatic locking — e.g., 1, 5, 15, or 30 min), and by never allowing any other individuals to access your devices while you have a Bitwarden app unlocked (and preferably — limiting all access to your computing devices by any untrusted individuals). If you do not protect your devices from unauthorized access, then the master password reprompt will do little or nothing to secure your vault — an attacker with access to your unlocked vault can easily bypass the master password reprompt. There is even a warning about this in the documentation.

P.S. You should be able to vote now.

Here’s my reasoning.

I’m the only one who uses my computer. I set my vault to lock upon browser restart, but for the most part, it’s always unlocked while I’m on my PC since my browser is always open, and I’m always logging into stuff. My understanding is that once unlocked the vault contents are within memory, so any vulnerability, hostile website, malware browser extension, etc. might be able to grab certain credentials, but not the ones that are locked and most important, and hopefully I’d notice them before it’s too late.

I actually just had a real example like this - one of my longtime browser extensions was compromised, and auto-updated to a version with malware. It randomly opened a crypto wallet and asked me to enter the passphrase. It was clearly malware and I found and removed it. I have no idea if during that time it was able to grab any passwords. This is a perfect scenario for requiring the master password for the bank login, as it would have been kept safe, locked by default, and not within memory.

Your understanding is incorrect. All your credentials exist in plaintext in your computer memory while the vault is unlocked, even the ones for which you have enabled master password reprompt. As explicitly stated in the documentation, the master password reprompt mechanism does not encrypt (i.e., “lock”) the item. It merely requires the password to be entered in order to view the item using the Bitwarden UI. However, malware could just exfiltrate a memory dump of all of your running processes, which would allow an attacker to sift through the collected data using their own software tools — they are not required to use any Bitwarden client app or browser extensions to examine the unencrypted data that is contained in the memory dump they stole from your device.

As explained above, your bank credentials were not safe during this incident. You may have been spared any negative repercussions if the malware in question was not designed to steal information using memory dumps, but you may not be so lucky next time.

The only way to protect your bank credentials (and other vault data) from malware is to lock all of your running Bitwarden apps and extensions. Thus, if a malware exposure happens at a random time and date, then the probability that it will be able to steal your vault data equals the percentage of time that your vault is unlocked while your computer is in use. With your current practices, you have practically no meaningful protection against vault data theft by malware:
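The point made in the reply above (reprompt is a UI gate, not a second layer of encryption) can be shown with a small model. The following is an added example written for this thread; it is not Bitwarden's code and does not reflect how any Bitwarden client stores data. It uses a toy HMAC-based stream cipher and a constructed `memory_dump()` that simply collects every string and byte value reachable from the vault object, standing in for a real process memory dump. The item names, secrets and master password are made up.

```python
import hashlib
import hmac
import secrets


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 counter keystream XOR data).
    Only here to give the model distinct 'encrypted' and 'decrypted' states."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def derive_key(master_password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000)


class Vault:
    """Hypothetical vault: items are stored encrypted; unlocking decrypts all of them."""

    def __init__(self, master_password: str) -> None:
        self._salt = secrets.token_bytes(16)
        self._key = derive_key(master_password, self._salt)
        self._verifier = hashlib.sha256(self._key).digest()  # to check the password later
        self._encrypted = {}   # name -> (nonce, ciphertext, reprompt flag)
        self._plaintext = {}   # None while locked; dict of decrypted items while unlocked

    def is_locked(self) -> bool:
        return self._plaintext is None

    def add_item(self, name: str, secret: str, reprompt: bool = False) -> None:
        if self.is_locked():
            raise PermissionError("vault is locked")
        nonce = secrets.token_bytes(16)
        self._encrypted[name] = (nonce, _keystream_xor(self._key, nonce, secret.encode()), reprompt)
        self._plaintext[name] = secret

    def lock(self) -> None:
        # Locking drops both the key and every decrypted item.
        self._key = None
        self._plaintext = None

    def _check_password(self, master_password: str) -> bytes:
        key = derive_key(master_password, self._salt)
        if not hmac.compare_digest(hashlib.sha256(key).digest(), self._verifier):
            raise PermissionError("wrong master password")
        return key

    def unlock(self, master_password: str) -> None:
        self._key = self._check_password(master_password)
        # Every item is decrypted on unlock, reprompt flag or not:
        # this is what puts the bank password into memory.
        self._plaintext = {
            name: _keystream_xor(self._key, nonce, ct).decode()
            for name, (nonce, ct, _flag) in self._encrypted.items()
        }

    def view(self, name: str, master_password: str = None) -> str:
        """The UI path: a reprompt item demands the password again before display."""
        if self.is_locked():
            raise PermissionError("vault is locked")
        if self._encrypted[name][2]:
            if master_password is None:
                raise PermissionError("master password reprompt required")
            self._check_password(master_password)
        return self._plaintext[name]


def memory_dump(obj) -> bytes:
    """Constructed stand-in for a process memory dump: concatenates every str and
    bytes value reachable from the object's attributes."""
    out = bytearray()

    def walk(x):
        if isinstance(x, str):
            out.extend(x.encode() + b"\0")
        elif isinstance(x, (bytes, bytearray)):
            out.extend(bytes(x) + b"\0")
        elif isinstance(x, dict):
            for k, v in x.items():
                walk(k)
                walk(v)
        elif isinstance(x, (list, tuple, set)):
            for v in x:
                walk(v)
        elif hasattr(x, "__dict__"):
            walk(vars(x))

    walk(obj)
    return bytes(out)


def secrets_exposed(dump: bytes, candidates) -> set:
    """Which of the known secrets appear verbatim in the dump (malware's view)."""
    return {s for s in candidates if s.encode() in dump}


def demo():
    master = "correct horse battery staple"  # constructed
    v = Vault(master)
    v.add_item("forum", "forum-pass-7f3a9c1e2b", reprompt=False)
    v.add_item("bank", "bank-pass-4d8e0a5c6f", reprompt=True)
    known = {"forum-pass-7f3a9c1e2b", "bank-pass-4d8e0a5c6f"}
    v.lock()
    while_locked = secrets_exposed(memory_dump(v), known)
    v.unlock(master)
    while_unlocked = secrets_exposed(memory_dump(v), known)
    return while_locked, while_unlocked
```

`demo()` returns an empty set for the locked state and both secrets for the unlocked state; the reprompt flag changes only what `view()` does, not what is sitting in memory. The bypass `view()` enforces is irrelevant to anything that reads memory directly, which is why the post above ties protection to the fraction of time the vault is locked.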

Hmm, okay - thanks for the explanation. Perhaps I need to adjust the way I’m using BW. I log in to various services very frequently during the day. What would you suggest? Perhaps I should set it to lock the vault after a minute or so, and when I need to unlock, use something more convenient like a physical fingerprint key? What do you suggest for maximum convenience on a Windows desktop? I don’t currently own a webcam or fingerprint reader.

Yes, unlocking with biometrics is convenient and secure. If you invest $29 in a Yubico Security Key, then you can also configure it to unlock your vault. As long as the physical security of your computer is assured, you can just keep the YubiKey plugged into your computer anytime you are working, and then have an extremely secure and convenient unlock method, which requires only the following steps:

  • Click Unlock with passkey at Bitwarden’s unlock prompt;
  • Select “Security Key” in the Windows passkey prompt;
  • Enter the PIN that you configured for your YubiKey (may be as short as 4 digits);
  • Touch the YubiKey.

If you don’t want to purchase or use a YubiKey, you can do something similar by setting up a PIN in Windows Hello, and then using Windows Hello as a passkey for Bitwarden’s “Unlock with passkey biometrics” feature.*


*Edit: Corrected some details, pursuant to the clarification posted in the comment below.

Setting that up with Windows Hello is possible with the “traditional biometric unlock” feature (which doesn’t involve passkeys at all)…

… but as recently as a few days ago I checked whether Windows Hello now can store PRF-passkeys – which are necessary for “unlock with passkey” – but it still can’t. So, Windows Hello can’t be used for “unlock with passkey”, yet.

PS: Currently, I’m on Windows 11 25H2, Build 26200.7922.


This feature is what Bitwarden really lacks, and other password managers I have used, like LastPass, had it.

From a dev point of view this should not be hard to implement; probably the PasswordRepromptService and AutofillService services will need an update, and of course the config.