Phishing/Keylogging Resulting in a Compromised Master Password?

I started using BitWarden just over a month ago and I love how convenient it has been. I’ve installed the extension into a number of my browsers and devices. I have one security concern. If any of my browsers or devices unknowingly got phishing or a keylogger installed, and whenever I type my BitWarden master password to unlock my vault, can my password get compromised, resulting in my entire vault being accessible to a hacker that I may never know about?

Yes.

Don’t type passwords on devices that are not under your complete control. And on those you do, keep current with all your software updates.

Hello Jayjay and welcome to the community!

One technique is to use “Login with Device”, which alleviates having to type the master password in on logins, but you still have to type it on vault exports.

The other thing you can do is to make sure you use 2FA. FIDO2/WebAuthn is unphishable, but TOTP may be acceptable. Don’t ever click on “Remember me” for 2FA on any important accounts (since these remembered states can be stolen).

If you get a keylogger on your system, you most likely have gotten an infostealer on your device. You most likely will know you have been hacked (with warnings from major services, unauthorized payments, messages being sent from your accounts, etc.), but you may never find out if they have successfully gotten into your vault or not. You may never get email notifications about logins from other places (because the infostealer can steal your “having logged in from this device” state).

Infostealers are nasty. They steal your sessions and bypass your password/MFA/notification protections. The best way to deal with this is to get into the habit of not getting malware on your systems in the first place. Once you get it, it may be hard to figure out how to get into the safe zone again.

See a harrowing example from recently:

https://www.reddit.com/r/Bitwarden/comments/1fw3j2j/i_think_something_is_stealing_my_sessions/

https://www.reddit.com/r/Bitwarden/comments/1fw809o/session_stealer/

Thanks! I’ve already set up a Yubikey for 2FA under the website setup, but it never asks me to insert my Yubikey to unlock my vault whenever I log in to the browser extension. The only time that I am asked to insert my Yubikey is when I log in under the website method after typing in my account email and password. Since I use the extension on my browser often, what I am looking for is a method to log in/access my vault under the extension without typing any keys. Fewer keystrokes, less exposure.
How is “Login with Device” setup done?

Hello, when logging in, the client apps should all request 2FA, unless you have clicked “Remember me” on previous logins. You can reset the states (first making sure you have the right password and 2FA handy) by:

Deauthorizing sessions from the Account settings page of your web vault to force logout on all devices.

The summary of “Login with Device” is that, after you have logged into that client once, you can use logged-in (desktop, mobile) apps to approve a login on that device without typing in any master password. 2FA is still required, unless you click on “Remember me”. Here are the details:

Thank you very much. I got everything set up now. I no longer have to type my password whenever I log in from my extension: I select the “Log in with device” option, approve the login on a running Bitwarden app on another device, and then insert my Yubikey for my 2FA method. I now have a very highly secured login with no vulnerability. BitWarden is the best!
