I’m still new to BW. Although I have spent some time with the BW Security Whitepaper and reading forum posts, much remains unclear to me. In particular, I cannot complete a risk-benefit analysis of PIN use (a popular option, apparently) without fully understanding the risks of this feature.
Let’s make the following assumptions:
- The computer is physically secure (only used inside a private home).
- The Master Password is sufficiently strong.
- The only BW client is a browser extension on the computer.
- The extension settings are set to Vault Timeout Action Lock; further, Unlock with PIN is enabled, but Lock with master password on browser restart is disabled. My understanding is that these are the settings required to use a PIN in lieu of the Master Password for unlocking the vault (please correct me if I have misunderstood).
- The PIN is low-entropy.
- The user never logs out of or manually locks the vault account while using the computer at home.
Thus, the vault would remain unlocked at all times, except for when a browser is first opened (until the first input of the PIN). The vault doesn’t even lock when entering or waking from sleep, or when locking/unlocking the OS – although it does lock on reboot. Thus, what threats does the user face while their browser extension vault is unlocked under the assumptions outlined above?
It seems the main threat is access to the local computer by an attacker, through malware or through a remote connection, but what exactly would they have access to? While unlocked, is the vault stored in decrypted form on disk and/or in RAM, thus allowing exfiltration of the stored secrets by an actor who has broken into the computer and knows where to look?
Would the same actor have the ability to obtain the Master Password, either by memory scraping to find plain-text instances of the password, or by stealing some credential that can be decrypted using the PIN (which is susceptible to brute force guessing)?
Finally, can any of the risks/threats be mitigated by manually locking the vault (e.g., using Lock Now – not sure if there is a hotkey for this) when not in use? What happens when the vault is locked (but not logged out)? Presumably, any decrypted copy of the vault is erased from memory and disk (although these days, there are no guarantees of complete erasure from disk drives, so some risk would remain if the decrypted vault did exist on disk while it was in the unlocked state). However, can an attacker learn
the Master Password by a successful brute-force attack against the PIN?
I believe that with a unique and sufficiently strong Master Password, the encrypted vault stored on Bitwarden’s cloud is pretty much impenetrable, so the main risks would be those resulting from threats against the local computer/device. Thus, to make an informed decision about how to balance usability vs. security, knowing the answers to the above questions is essential.