Master Password Re-Prompt Every Week

Hi, I’d like to set my vault timeout to never but I have one concern. I’d like for Bitwarden to prompt me, say, every week so I can remember my master password.

I tried setting the timeout to 168 hours (1 week), but every time I close my browser or restart my computer, I would need to re-enter my master password for both the Chrome extension and the desktop application. I reverted back to the vault setting of never expiring.

All my iOS/Android/Linux/Windows PCs have their drives encrypted, so I am not so worried about keys stored on the computer.

Any workarounds on this?

Hello Kasazn,

Usually, reminding yourself to enter a master password is best done using the reminder app on your phone. Set it up to remind you weekly to log out and log in again.

As for not having to enter your master password all the time, there is this “Login with device” option. You can set up your phone (typically most technically secure) to be your approving device. When you log in from other clients, you choose “Login with Device” and then approve the login via mobiles or desktops. This of course has the same drawback of having to set the newly logged-in client to never expire again.

As for setting the app to never timeout, it seemed to me the functionalities around this area are prone to bugs from update to update. They fix it, then it comes back, and on and on. If leaving your clients to “never timeout” always works for you, I’d leave them like that, and remind yourself to re-enter the password via other means.

You should also know that there are risks with storing your encryption key persistently on your devices, especially if you don’t lock the clients at all:

  1. On mobile, the keys are usually stored protected by the hardware, so this is fine. But if you don’t lock your BW by biometrics or PIN, somebody who can grab your phone, unlocked or knowing your PIN, will have the entire store. They most likely would turn off the network connection, so you won’t be able to delete your vault, and the contents will be available offline.
  2. On Windows desktop, the encryption key may be stored in the Windows credential manager, but apps running in your userspace will have unfettered access to the keys. If you don’t have malware on your system, it’s fine. If your computer ever catches an infostealer such as raccoon, it will exfiltrate your encrypted vault and might also exfiltrate your encryption key (now or in the future), potentially getting the entire store.

When your vault is unlocked, your entire vault and key are loaded in plaintext in memory. Even if there isn’t a malware that takes advantage of that now, this is a potential attack surface.

The BitLocker encryption on Windows is typically good for at-rest protection (when shut down, hibernated, with a pre-boot PIN), but it doesn’t do much for run-time protection (malware running as you, as admin, or as other users if you share the computer).

2 Likes

Hi!

Apart from the good advice about the security aspects from @Neuron5569, I would like to add one thing:

If your main goal here is to remember your master password, then I would say that there is no real need for that (anymore).

One reason: your master password should be on your emergency sheet anyway, so that even if you forgot your master password, it wouldn’t be a problem.

Second reason: there are more and more other login/unlock mechanisms, so that you don’t need the master password that often, if at all. @Neuron5569 already mentioned “login with device” - and there is “login with passkeys” (BTW: a good additional “backup” for login if one lost the master password), but that is unfortunately still in beta and only possible for web vault-login (which hopefully changes some time in the future)…

Don’t get me wrong: the master password remains important and you should have a very strong master password. But, as I stated above, there is no “(absolute) coercion” to have it stay in your memory (depending on your login/unlock choices), apart from having it stored safely on an emergency sheet and/or other backup places.

2 Likes

Thank you for the lengthy and awesome advice. I have set up weekly reminders on my Google Calendar and proceeded to authorize some of my devices for login approvals.

I do understand the risks involved even with an encrypted storage on my devices as other attack vectors are still there as pointed out by you.

Also big thanks to @Nail1684 for reminding me to store my password on an emergency sheet, which I have yet to do. I’m thinking about where to store it, as I take my information security very seriously. I do back up my vaults to my encrypted NAS and a few external encrypted HDDs as well.

1 Like

If you can identify multiple independent storage locations that only need the property of having a low probability of being found if any of the other locations have been found, then you can use Shamir Secret Sharing to split your Emergency Sheet information into multiple encrypted parts. For example, you can give out encrypted parts (“shares”) to trusted friends who don’t know each other; you can store an encrypted share on your computer; you can print out encrypted shares and keep one with your passport, one inside a book, etc. When creating the encrypted shares, you decide how many shares to make, and how many of those shares will need to be assembled if you want to decrypt the information.

1 Like

@kasazn, while @grb’s advice about S4 is impeccable, more secure than the thoughts I am about to offer below, I believe you should also give some thought to the realism of threats compared with ease of the protection.

My starting point is that paper saves reliance on a computer (hence the emergency sheet at all) and this is most conveniently kept at home or on your person. To me it implies that no computer should be involved in recovering the content when paper was the point.

One good strategy is called hiding it somewhere. 🙂 For extra security, a polyalphabetic or polygram cipher is readily decoded by hand and offers surprisingly good protection for a few reasons.

Firstly, how many burglars have a sideline in cryptography (or vice versa)? I am sure there are some in the world but the odds are against those being in your neighbourhood, so what we could call a 19th Century cipher offers real protection at least for a period of time, and computer processing does not necessarily change that, based on my further points.

Secondly, blind cryptographic attacks rely on sufficient data so that deductive or statistical pattern analysis can be applied. This is extremely difficult when the target is 4-6 random words, not a sentence, no salutation content or other ‘crib’. If the plain text is a random string then breaking is nigh impossible because the plain text encrypts the key, an effect like that of a one-time pad.

Finally, for how long does the information need to be secured? The answer is basically “How long will it take to discover the theft and act in response?” which is your own particular piece-of-string estimate for your circumstances. I count on several hours and can probably expect 24 of them with “forever” a possibility. Certainly far more than hiding the plain text, which can be done with the cipher text anyway.

I am not recommending that you do as I have described, but always to think about a proportionate response to realistic threats.

1 Like