Remotely Lock The Vault On Another Device : Bitwarden Web Browser Extension

Hello. I have a question. Nice to meet you all!

My question: I use Bitwarden for my account logins/logons, in essence to save my passwords for numerous accounts. I have set up for popular web browsers (Google Chrome and Mozilla Firefox, to name a couple) the Bitwarden extensions. I left my “Vault Timeout” as “Never” as a convenience on my Windows 10 laptop. Now, I was wondering: if by accident or via theft I lost my Windows 10 laptop, is there a way from, say, another device (say, a smartphone, for example) that I could INSTANTLY LOCK my vault on ALL devices? So even if the thief or finder of my laptop were to gain access into my Windows 10 laptop environment, if they were to open the Chrome or Firefox web browser, the app extensions of Bitwarden would instantly close and require a master password login into Bitwarden to access my vault? Is there such an instant trigger involving a vault unlog feature built into Bitwarden to do this from the user's standpoint? If so, how? Please explain. If not, may I suggest it.

Please reply. Thank you!

Welcome to the community, montecarlo1987.

The practice of never locking your vault is highly not recommended.

If you were to lose your laptop to theft, for example, how soon would you expect to know? However small the window, there is nothing to impede a thief from accessing at least some of your data.

Each device logs in to the database independently. I am not aware of any mechanism to terminate other sessions instantly, even if you were to change your master password. Other open sessions will persist for an hour or more and they already have the data in their own memory anyway.

I have abbreviated your heading for greater clarity on what I understand to be your request.

The closest thing you can do is to log in to your Web Vault app and select “Deauthorize Sessions”. However, a knowledgeable attacker can circumvent this defense by disconnecting the laptop from the internet before launching a browser and exfiltrating all of your unencrypted vault contents.

In there is a “Deauthorize sessions”. This will do what you are asking for, but with a few caveats:

  • It logs the sessions out, which is not the same thing as lock. This is slightly more secure, but more disruptive.
  • It requires Internet connectivity to function. If the bad actor were to access your laptop while distant from your access-point, the local vault would have no way to hear the “lock now” alarm.
  • It depends upon the extension listening. If, for example, your browser were not running, it would not receive the alarm.

My advice: try it out and see if it works to your satisfaction.

I personally would not set a vault timeout to “Never”. At a maximum, I would use “upon browser restart” or “upon system restart”. “Never” causes the Master Password to be stored on the hard drive so it can still sync the vault after a reboot. All the others store it only in RAM (ELI5 here. I am conflating the Master Password with the encryption key. See the security whitepaper for gory details). And, if you find browser restart to be annoying, keep a second minimized browser window open, so you only rarely actually shut down the browser.