I’m a newbie trying out Bitwarden as an alternative to LastPass. I seem to be prompted to re-enter my Master Password very frequently, doesn’t seem to matter whether it’s in the web browser, desktop app, or browser extension. I’m a Mac user with the latest iOS and Safari. I think I’ve inputted my Master Password dozens of times today. I’m guessing there must be settings that will reduce the frequency of being prompted, any advice much appreciated. Thanks.
You are going to want to explore some features that can reduce the frequency of typing in your master password:
- Vault Timeout Options: You can set the timeout trigger (i.e., after X amount of time of inactivity, or based on events — e.g., on system idle, on app restart, etc.) as well as the timeout action (Lock the vault or Logout from the vault — difference between these actions is explained here).
- Unlock with PIN: On mobile apps, the PIN is a string of numerical digits (of any length), but in all the other client apps (vault, desktop, browser extension), the PIN can contain any combination of upper/lower-case letters, numbers, and special characters. Thus, you can in effect set an alternate password that is easier to type than your master password.
- Unlock with Biometrics: Use Face ID or fingerprint to unlock your Bitwarden vault (instead of typing the master password).
I’d recommend experimenting with the above options until you find a configuration that suits you.
There’s an error with the Chrome extension (or maybe I’m misunderstanding its implementation): when you set a vault timeout of 30 mins, hour, etc. and quit Chrome app and then restart it, it asks for the password again despite not meeting the vault timeout time requirement. This is both with macOS and Windows Chrome versions.
Is this the intended way for this to operate? I was thinking you could close/open Chrome as many times as possible without it prompting for the password until the timeout is reached.
I’m still a new user but I can tell you what I have done. I log in just once and then set it so it never requires the master password ever again. The responsibility for security is with the Mac which is FileVault (HDD encryption) and Touch ID so safe.
In BitWarden/Settings on Mac
Vault Timeout: Never
Vault Timeout action: Lock
Unlock with Touch ID: tick
I have gone so far overboard with the length and complexity of my master password that typing it in is not an option.
I know I can do a passwordless login on the web vault (Log in with device) where a prompt comes up on my iPhone to allow the login instead of using the master password. That may work for you? I enabled it on my iPhone and iPad.
I think passwordless login is the future.
I haven’t installed Firefox extension yet which will be my main workflow but I’m hoping that does “Log In With Device”.
The iPhone is set to Face ID so no master password required.
HTH
You will find that Bitwarden is a lot more safety-conscious than other password managers, and this behaviour is by design. Unless you set your vault to Never timeout (which is not recommended), the key to your vault is stored in protected memory by your browser extension. When you close your browser, that memory is deleted and you lose your key, so you have to login again.
See more here:
I think what most people do is lock their vault and leave their browser running in the background, since typing in a PIN to unlock is much more convenient than typing in your master password each time. Or, if you have biometrics enabled on your device, you can use that instead.
Makes sense.
Try this, if you haven’t already:
Enable the option Unlock with PIN, but make sure to disable (uncheck) the option Lock with master password on browser restart.
The Help documentation for this option says:
If you want the ability to unlock with a PIN even when the browser restarts, uncheck the option.
However, I think there may be some differences between browsers as to whether this will work as described.
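Added example (not part of the thread and not Bitwarden's code): a simplified Node.js model of why the vault key is lost on a browser restart unless the timeout is “Never” or a PIN-wrapped copy of the key is persisted. The storage layout, the PBKDF2 iteration count, the AES-GCM wrapping and all function names are assumptions chosen for illustration.

```javascript
// Simplified model of where a vault key can live; not Bitwarden's code.
// PBKDF2/AES-GCM parameters and all names here are illustrative assumptions.
const crypto = require("node:crypto");

let disk = {};   // extension storage: survives a browser restart
let memory = {}; // process memory: gone when the browser exits

function wrapKey(vaultKey, pin) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const kek = crypto.pbkdf2Sync(pin, salt, 100000, 32, "sha256");
  const cipher = crypto.createCipheriv("aes-256-gcm", kek, iv);
  const ct = Buffer.concat([cipher.update(vaultKey), cipher.final()]);
  return { salt, iv, ct, tag: cipher.getAuthTag() };
}

function unwrapKey(blob, pin) {
  const kek = crypto.pbkdf2Sync(pin, blob.salt, 100000, 32, "sha256");
  const decipher = crypto.createDecipheriv("aes-256-gcm", kek, blob.iv);
  decipher.setAuthTag(blob.tag);
  try {
    return Buffer.concat([decipher.update(blob.ct), decipher.final()]);
  } catch {
    return null; // wrong PIN: the authentication tag does not verify
  }
}

function login(vaultKey, { timeout, pin, masterPasswordOnRestart }) {
  disk = {};
  memory = { vaultKey };
  if (timeout === "never") disk.vaultKey = vaultKey; // key kept on disk, unprotected
  if (pin) {
    // Option checked: wrapped key stays in memory only. Unchecked: it is persisted.
    const target = masterPasswordOnRestart ? memory : disk;
    target.pinBlob = wrapKey(vaultKey, pin);
  }
}

const lock = () => { delete memory.vaultKey; }; // timeout fired, browser still running
const restartBrowser = () => { memory = {}; };  // everything held in memory is lost

function unlock(pin) {
  if (memory.vaultKey) return "already-unlocked";
  if (disk.vaultKey) { memory.vaultKey = disk.vaultKey; return "no-prompt"; }
  const blob = memory.pinBlob || disk.pinBlob;
  if (!blob || !pin) return "master-password-required";
  const key = unwrapKey(blob, pin);
  if (!key) return "wrong-pin";
  memory.vaultKey = key;
  return "pin";
}
```

In this model a persisted PIN blob is only as strong as the PIN, since anyone who copies the stored blob can guess PINs offline; that is the trade-off behind the restart option.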
Thank you everyone for these suggestions. I think my issue was coming from trying to use the web-based app, the desktop app and the browser extension all at the same time (long story). Now I see I can do everything I want using just the browser extension, and your suggestions above will help me find a “frequency of being prompted for password” that will work for me. For the other newbs out there, I found this video helpful: Bitwarden Browser Extension Quick Start - YouTube
I hadn’t realised but “The Log In with Device” is a new feature (last 2 or 3 weeks) and currently only on the web vault. BW seem to do regular releases (monthly?) and I expect it will be added to the browser extensions soon. I think it’s the future. Passwords are crap.
That’s awesome! How does it work? I haven’t seen this prompt when I go to my web vault until just now. Probably hadn’t noticed it before.
I don’t like how it asks for your master password on your device. At least when I clicked the prompt on my iPhone’s lock screen, it brought up a prompt to enter my master password. I clicked resend notice, did it again, and it logged me in without the password. However, the prompt for the password was still there. I force closed the app and reopened it and it logged me in with my FaceID as expected.
Here is the Help page:
I noticed this too, I was helping a new user set up their account, and even when I set up their account to timeout “never” they would still get bugged for their Master password.
The thing I noticed most was that it was a new cell phone they got, and they weren’t used to the fingerprint reader, so if I enabled biometrics and the fingerprint reader didn’t read properly, it would suddenly start prompting them for their master password again. This new user has a medical condition that makes it hard for them to type without typos, so this was infuriating to them, and even I was getting frustrated (as I started typing the master password for them) so there certainly seems to be some kind of bug that is affecting new users during their initial setup.
While I love the intent behind Bitwarden, the implementation of the Vault timeout options is both bad design, and encourages bad security decision making with users.
First, it’s bad design, because the timeout dropdown options suggest that setting something other than “On browser restart” would prevent a vault lock on browser restart. This is not the case; setting it to something like “4 hours” will still lock the vault on browser restart. This setting is probably the single most important setting that users will look at and consider changing. The fact that there are multiple community threads discussing what the options do goes to show the failure of its design. Even if a forced lock in all cases other than “Never” would be good for security (which I don’t believe it is), this is still bad design. For new users, it’s not clear at all what the options do and what their intent is.
Secondly, forcing users to select “Never” if they don’t want to sign in on every browser restart, just encourages them to either set it to “Never”, or to stop using Bitwarden entirely. There is no reason why Bitwarden should not store the master password locally if users set a timeout other than “Never”. If doing so is irresponsibly insecure, then why is “Never” even an option? I would much rather be able to set a long timeout (such as a week) on my home desktop nobody else has access to, than “Never”. While I appreciate the concern and the encouragement to be safety conscious, I don’t understand why this can’t be a checkbox right under the dropdown, whether the password should be stored locally (like with the “Never” option), or not.
Again, I love the hard work on this project and the service it provides, but I really hope this is addressed.
I will not argue about the fact that there are opportunities to improve the UI design and new user onboarding, but the fact is that keeping your vault locked when not in use may be one of the most important things you can do to secure your credentials (second only to using a unique, randomly generated master password).
In your case, your concerns can easily be addressed by setting up a more convenient unlock method, such as a PIN or biometrics (or, indeed, setting the timeout to “Never”, if your system is not susceptible to malware attacks or unauthorized physical access).
Welcome, @justadude to the community!
If you have a better design idea, mock it up and create a feature request for it. Bitwarden is quite receptive to user feedback, especially when it starts getting many votes.
You will find disagreement with this position.
Much safer is to lock your vault instead of logging out and then setting up biometric unlock. Once the friction is reduced, you will find it much less burdensome to authenticate quite so often.
Another trick is to fire up a spare browser window, minimize it and never touch it. This will keep your browser running, so that “browser restart” rarely happens.