There is no one best security setting. The best security setting is the one that best fits your profile. I thought I would explore the range from the minimal security I will put up with to the ultra-paranoid.
Minimal
This setting maximizes convenience but is still fairly secure, and it is the minimal setting I would be comfortable with.
- Desktop browser vault setting is set to vault timeout = never. I am assuming that you have to log in with a decent password on your computer and that you have disabled remote control software, or at least secured it. The nice thing about never is that the vault is not closed, so you can still export it if you forget your master password and need to export the vault to reset.
- Set up autofill because it's easier to use.
- Mobile app vault setting is set to system lock and open using biometrics.
- Bitwarden is protected by a password that is at least 14 characters long while still being easy to remember but hard to hack.
- Bitwarden account is protected by TOTP 2FA.
- There are no duplicate passwords in any of the accounts.
- There are no weak passwords in any of the accounts.
- Account 2FA codes are stored in Bitwarden (assuming you have premium) or a cloud service like Authy.
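As an added example (not code from the original post or from Bitwarden), a small script that checks an unencrypted Bitwarden JSON export against the two rules above: no duplicate passwords and no weak ones. The export layout it reads (an `items` list, `type` 1 for logins, a `login.password` field) is an assumption about the format, and the sample export is constructed; it reports entry names only, never the passwords themselves.

```python
import json
import re
from collections import defaultdict

# Constructed sample in the assumed shape of an unencrypted Bitwarden export.
SAMPLE_EXPORT = json.dumps({
    "encrypted": False,
    "items": [
        {"type": 1, "name": "bank", "login": {"username": "me", "password": "x2wfwWrewr!##w88"}},
        {"type": 1, "name": "forum", "login": {"username": "me", "password": "password123"}},
        {"type": 1, "name": "shop", "login": {"username": "me", "password": "password123"}},
        {"type": 2, "name": "note", "notes": "secure note, not a login"},
    ],
})

MIN_LENGTH = 14  # the post's minimum length, applied here to every stored login
CHARACTER_CLASSES = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]


def is_weak(password):
    """Weak = shorter than MIN_LENGTH or missing any of the four character classes."""
    if len(password) < MIN_LENGTH:
        return True
    return not all(re.search(pattern, password) for pattern in CHARACTER_CLASSES)


def audit_export(export_json):
    """Return entry names that reuse a password and entry names with a weak one."""
    data = json.loads(export_json)
    if data.get("encrypted"):
        raise ValueError("export the vault unencrypted before auditing it")
    names_by_password = defaultdict(list)
    weak = []
    for item in data.get("items", []):
        if item.get("type") != 1:  # only login items carry a password
            continue
        password = item.get("login", {}).get("password")
        if not password:
            continue
        names_by_password[password].append(item["name"])
        if is_weak(password):
            weak.append(item["name"])
    duplicates = [sorted(names) for names in names_by_password.values() if len(names) > 1]
    return {"duplicates": duplicates, "weak": sorted(weak)}


if __name__ == "__main__":
    print(audit_export(SAMPLE_EXPORT))
```

Run it against your own unencrypted export, then delete that export file once the audit is done.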
The Ultra-Paranoid
The following settings are for maximum security, but may be a pain to live with.
- Do not use biometrics. If they are compromised, you are unable to change your body.
- Do not allow Bitwarden to autofill. You must press fill yourself after examining the URL to make sure it is not fake. The password manager will check whether the site is fake, but it is not foolproof.
- Use a YubiKey (U2F) for 2FA if possible. Make sure you have a backup YubiKey.
- Store 2FA in a different app, assuming it is not possible to use a YubiKey. See next.
- Use different PINs and logins for 2FA, the password manager, and the device. Keep 2FA on a different device. To log in, a hacker has to hack your device, then the password manager, then a separate device, and then the 2FA.
- Store only a partial password in your vault, e.g. x2wfwWrewr!##w88 when the full password is x2wfwWrewr!##w8828356. You use the password manager to fill in the stored part and type the rest yourself. Even if hackers hack your password manager, they still need to know the secret phrase to log in.