"Never" missing from Vault Timeout in Firefox

Hello, I just assisted a friend with getting setup in Bitwarden in Firefox, but for some reason he does not have “Never” as a vault timeout option.
Untitled
Untitled

Any ideas?

Hello, and welcome to the community!

I confirm on the Web vault, although it’s still available on the 2024.4 versions of desktop/extension.

Try setting it to custom and setting the number of hours. Not the same thing, but may be workable. I think it’s set up this way because they don’t want to persist the encryption key into a cookie.

OTH:

  1. Extensions and desktop are more customizable in this regard (locking/unlocking), and may be more suitable for general use.
  2. It’s generally safer to use “Login with Device” (so you don’t have to enter the password mostly) coupled with a lock (like PIN). It’s considered safer to make the automatic lock as short as possible.
  3. Bitwarden seems to have recurring bugs regarding lock settings, especially those that are set to never or a long time. So, updates may change the behaviors.

Having your friend write down the master password and the 2FA recovery code, and keep them safe and reliably accessible are probably a (uneventful) life-saver thing.

@Beaupedia Welcome to the forum!

What version of the browser extension do you have installed? In version 2024.6.2, the “Never” option does appear in the browser extension Account Security settings:

@Beaupedia You had tagged your post app:browser (for browser extension), but it seems that your question is actually about the Web Vault app. I have gone ahead and changed your app: tag to app:web-vault, to prevent additional confusion.

In the Web Vault, if you were able to select “Never” as a timeout option, then the resulting behavior would be identical to what you will get with the existing option “On browser refresh”. This is because any Web Vault session will become logged out (regardless of whether your Timeout Action has been set to “Lock” or “Log out”) anytime that you close the browser or even close the tab in which the Web Vault app has been opened. Furthermore, even refreshing an open tab that has an unlocked Web Vault app will cause the app to immediately lock.

This behavior is due to technical limitations, and is documented in the Help Center (“Web and browser extension timeouts”).

In any case, using the “Never” option for your timeout is not recommended, as it makes the security of your Bitwarden vault similar to that of an unencrypted Excel file containing all your passwords. A hardcopy notebook to write down your passwords in would actually be safer.

Hi there, this is incorrect. My question is about the Firefox Add-on. This is happening in the Add-on.

1 Like

Well, then please include the right pictures, because the pictures in your first post do seem to show the web vault - see here:

1 Like

@Beaupedia Below is a copy of the screenshot from your original post in this thread, which clearly shows you are looking at the Vault Timeout options in the Web Vault (not the browser extension):

image

 

If you actually want help with the Firefox browser extension, then make sure to post screenshots from the browser extension’s Account Security section (go to Settings > Account Security). The Account Security settings in the Firefox browser extension should look like this:

 

In addition, please let us know which version of the Firefox browser extension is installed (go to Settings > About > About Bitwarden).

Thanks for catching that. It was driving me crazy. Again, this isn’t me doing this, I’m getting these screenshots second hand from a friend who is rather tech illiterate. I am well aware of the difference, but didn’t catch the “web vault” in his screenshots.

I have no idea how he was ending up in the web vault. He does have the Firefox Add-on installed and sent me video of him using it, but somehow he was ending up in the web vault earlier.

As for the security of it, if your computer is locked to you and you only, do you still think there is a security risk of using “Never”? No one else has access to my computer.

Like I said, it would be essentially equivalent to keeping all your passwords in plaintext in a Word document or Excel file stored on your computer. If the physical security of your device is strong, then maybe you are sufficiently safe from password theft by a person with physical access to your computer. But if you even temporarily get exposed to malware, then a remote theft of your passwords would be trivial for the attacker.

If your friend is “tech illiterate”, then it is likely that they will be at very high risk of getting compromised if setting the vault timeout to “Never”.