So when I want to access my Passwords, I have a pin which is unique, but easy for me to remember and type. Something kind of like “dog567”. In 1Password, which I used before, I only had “1 Password” to access my passwords, but here I am supposed to have two? I don’t get it. Right now my PIN and master password are the same. Is that not right? Why do I have to have two different passwords to access my passwords?
The PIN is shorter but less secure, BUT it is still acceptable to many because an attacker needs to have access to your device first. Meanwhile, the Master Password is Internet-facing, hence the need to have a longer and stronger password. Nobody is stopping you from having 12345678 as your Master Password.
So the Master password is the key to my online account when I login via a web browser. A shorter pin for everyday access on my device, which would require access to my physical device, but anyone can access the online account from any computer if they figure out the password, so in that case, you want the Master to be a little longer and more complex, but still easy to remember. So if my pin was dog567, my Master Password might be mydogfarts$&?.
The pin is optional and I only turn it on for my Firefox mobile app because a fingerprint reader is not an option for the add-on.
On my computer, I manually type my password in every day just so I don’t forget what it is.
I recommend enabling 2 factor authentication so even if someone knows your password, the extra authentication step makes it a bit more difficult for them to get access.
You have the option of using a PIN to unlock your vault on a platform you’re already logged into. If you’re logged out, then logging in requires a master password. This is what is meant by saying “you use a PIN on your device.” That is to say, you logged in somewhere and haven’t been logged out; the vault is just locked. To say the master password is “public-facing” is to say it’s required anywhere you haven’t logged in yet. The difference is: if you’re logged in, your vault is cached locally (albeit heavily encrypted) on your device for your PIN to unlock; if you’re not logged in, it is not currently cached so the master password is required to then cache it.
I’m with @gk17 on this. You should enable 2FA for your vault, thereby making knowledge of your master password not the only vector. Even if someone knew your master password they would still need your 2FA code which, in the case of TOTP, literally has a million combinations and changes every 30 seconds.
The principle for a pin is to have a unique pin for each device. The PIN is local to your device; there are two reasons to set up a pin.
- You have a mobile device where typing in the full master password is prohibitive.
- It adds another layer of security by not typing in the master password. This gives partial protection against keyloggers. Let’s say malware managed to get installed on your device and is recording your keys. They will see that you are typing in your master password and use that to log in. Suppose you are typing in a pin; that pin is local to your device, and so they can’t use it. Keep in mind that if you are compromised by malware there are probably other ways they can steal your data; this is just one way it protects you.
Adding a pin does not actually decrease your security. If you miss 5 PIN attempts, you are prompted to enter the master password.
For best practice, use a pin as long as you can remember and make it unique on each device.
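The points made in this thread (the master password is checked against the account from any device, the PIN only unwraps a locally cached vault key under a per-device salt, a lock keeps that cache while a logout discards it, and five misses fall back to the master password) can be modelled in a few lines. This is an added illustrative model, not Bitwarden’s actual code or key scheme; the names, the PBKDF2 parameters, the XOR-plus-HMAC wrapping and the sample password are all constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed demo values; a simplified model, not Bitwarden's real key scheme.
MASTER_PASSWORD = "mydogfarts$&?"
ACCOUNT_SALT = os.urandom(16)
VAULT_KEY = os.urandom(32)  # the key that actually encrypts the vault contents

def derive_key(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

# Server-side verifier: the master password is checked here, from any device.
MASTER_VERIFIER = hashlib.sha256(derive_key(MASTER_PASSWORD, ACCOUNT_SALT)).digest()

class Device:
    def __init__(self):
        self.vault_key = None  # in memory only while logged in and unlocked
        self.pin_salt = None   # random per device: the same PIN is useless elsewhere
        self.wrapped = None    # VAULT_KEY XORed with the PIN-derived key (local cache)
        self.tag = None        # HMAC over that cache, so a wrong PIN is detected
        self.failures = 0
    def login(self, master_password: str) -> bool:
        check = hashlib.sha256(derive_key(master_password, ACCOUNT_SALT)).digest()
        ok = hmac.compare_digest(check, MASTER_VERIFIER)
        if ok:
            self.vault_key = VAULT_KEY
        return ok
    def set_pin(self, pin: str) -> None:
        assert self.vault_key is not None, "must be logged in and unlocked"
        self.pin_salt = os.urandom(16)
        pin_key = derive_key(pin, self.pin_salt)
        self.wrapped = bytes(a ^ b for a, b in zip(self.vault_key, pin_key))
        self.tag = hmac.new(pin_key, self.wrapped, "sha256").digest()
    def lock(self) -> None:
        self.vault_key = None  # locked: key gone from memory, PIN cache stays
    def logout(self) -> None:
        self.vault_key = self.pin_salt = self.wrapped = self.tag = None  # PIN reset
    def unlock_with_pin(self, pin: str) -> bool:
        if self.wrapped is None:  # no local cache here: master password (login) required
            return False
        pin_key = derive_key(pin, self.pin_salt)
        if hmac.compare_digest(hmac.new(pin_key, self.wrapped, "sha256").digest(), self.tag):
            self.failures = 0
            self.vault_key = bytes(a ^ b for a, b in zip(self.wrapped, pin_key))
            return True
        self.failures += 1
        if self.failures >= 5:  # fifth miss: fall back to the master password
            self.logout()
        return False
```

A PIN captured on one device unlocks nothing on a fresh device, because the fresh device has no cache wrapped under that PIN’s salt.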
I… didn’t know that. And in fact—now that I look at it, it appears that if I log out, my locally-stored PIN is deleted and the ability to unlock with a PIN is reset. So the PIN is definitely not stored globally.
Good to know.
Thank you for the comments. I can understand how the 2FA is more secure and so preferred, but for me, a user who so often accesses my passwords for one thing or another, I really need the convenience of one password and the same password on all devices. My brain can’t handle trying to remember which of my three distinct passwords works on each of my three devices and I certainly don’t want to have to wait for an emailed code every time I want to log in. It’s a pain when my bank does that if I am in an unusual location (although it’s rare and I appreciate the extra security, so I don’t gripe).
I guess the 1Password app is based on this notion, that you only need to have one single password. It’s in the very name of their application and marketed that way, so is the view amongst some that 1Password is not as secure a tool because it is just that, 1 password?
I would imagine 1Password has 2FA functionality. I don’t see why they wouldn’t.
I have 2FA set up on Bitwarden, as I also did when I used LastPass. I don’t use texted or emailed 2FA codes; I use an Authenticator app. However, on my phone I do have Biometrics set up, so when my vault is locked, I can unlock it with my fingerprint. Biometric access doesn’t get reset on logout, but I don’t log out of the app anyway.
When you use 2FA on a device, you can tell it to trust that device and not require 2FA on it every time. So having to use a TOTP (Time-based One-Time Password) or whatever, every time on a device you frequently use, shouldn’t have to be a thing.
@Tin_Robot Just to clarify, you will not have different passwords for each device. It’s the pin that can be different if you choose to use it. Otherwise, you can just use that master password you created and not use a pin at all. I still highly recommend using 2FA though. Just a one time hassle when using it on a new device and going forward you just need to enter your master password.
Keep in mind that 2FA is a separate thing from PIN and master password. The idea is that you cannot log in without authorization from another device. This adds security because the hacker must also compromise another device.
You only use 2FA during login on Bitwarden. You do not use 2FA on unlocking.