Minimal to ultra-paranoid security

There is no one best security setting. The best security setting is the one that best fit your profile. I though I can explore the minimal security I will put up with to the ultra-paranoid.

This setting maximized convenience but is still fairly secure and is the minimal setting I would be comfortable with.

  • Desktop Browser vault setting is set to vault timeout = never. I am assuming that you have to login with a decent password on your computer and you have disable remote control software or at least secure them. The nice thing about never is that the vault is not close so you can export if you forget your master password and need to export the vault to reset.
  • set up autofill because it’s easier to use.
  • Mobile app vault setting is set to system lock and open using biometrics.
  • Bitwarden is protected by a password that is at least 14 characters long while still being easy to remember but hard to hack.
  • Bitwarden account is protected by TOTP 2FA.
  • There are no duplicate password in any of the accounts.
  • There are no week password in any of the accounts.
  • Account 2fa are stored in Bitwarden (assuming you have premium) or a cloud service like Authy.

The Ultra-Paranoid
The following settings are for maximum security, but may be a pain to live with

  • Do not use biometric. If they hack them, you are unable to change your body.
  • Do not allow Bitwarden to autofill. You must press fill yourself after examining the URL to make sure it is not fake. The password manager will check to see if the site is fake, but it is not foolproof.
  • Use Yubikey u2f for 2FA if possible. Make sure you have backup Yubikey.
  • Store 2fa on a different app assuming it’s not possible to use yubikey. See next.
  • Use different PIN and login for 2FA, password manager, and device. Keep 2fa on a different device. To login, hacker has to hack your device, the password manager, and then hack a separate device, and then the 2fa.
  • Store only partial password in your vault x2wfwWrewr!##w88, when the full password is x2wfwWrewr!##w8828356. You use password manager to fill in password and fill in the rest. Even if hackers hack your password manager, they still need to know the secret phrase to log in.

You know it’s not your biometrics that unlocks the vault right? Your biometrics unlocks the TPM on Windows, or the keys on Android. So them getting your fingerprint doesn’t mean your biometrics will work on any pc or phone. It only works on the device that you setup and registered with Bitwarden.

Aka your biometrics unlock a key that unlocks that vault. The key is unique per device.

This is why MS actually considers Biometrics in Windows Hello for Business more secure than passwords. A keylogger which can grab your password everytime you type it in can’t grab your key from the device when you use biometrics to unlock.


Good point. The fingerprint or face may be weighted against danger of keyloggers and I haven’t heard of fingerprints being stolen just someone faking fingerprint by using a fake finger or some sort of device to fool biometric that they usually fix using an update.

1 Like

The guide of my Samsung A7 smartphone indicates:

"The likelihood of the fingerprint sensor
fingerprints confuse two different fingerprints is very small. However, in rare cases where two fingerprints are very similar, the sensor may recognize them as identical ."

…so, even with biometric recognition you can not be 100% sure? :wink:


The nice thing about biometric is that they can improve them with software update. There were issues with some of the fingerprint readers where someone figure out if you use silly putty and copy the finger print, it would allow you to unlock.

My issue with fingerprint is that for some reason it doesn’t work on one of my fingers.


1 Like

I think the probability of finding someone with a fingerprint similar to mine is definitely considerably less than that of someone being able to guess the pin after a few attempts. :wink:


Point is they’d need your Samsung A7 and your fingerprint or that rare fingerprint that is very similar.
Another A7 with a restore of your A7 isn’t going to work with your fingerprint copy.

1 Like