I recently moved from LastPass to Bitwarden. LastPass required me to enter my master password whenever I wanted to copy the password for a site. But Bitwarden’s Firefox extension allows me to copy the password easily without entering the master password.
I’m concerned that this exposes a security vulnerability, as anyone can use the extension to copy the password for a site. This is all the more concerning because I remain signed in on the Bitwarden extension even after closing and reopening the Firefox browser.
Hello @prateeks and welcome to the community,
I can understand the concern here. For security-conscious individuals and for sensitive logins this can be an important factor as well.
Regarding this, have you looked into Bitwarden’s available vault timeout options?
This could help to alleviate the concern of the browser extension remaining unlocked.
As for your main concern, however, you can check out the Master Password Re-prompt option for vault items. This will require you to verify your master password for any items you deem necessary.
Hope that helps
I believe that the most common way that users secure their secrets is to keep the browser extension in a locked state when it is not in use, or at least when there is any possibility of another person accessing the device.
Kent’s excellent post above explains how locking of the vault can be automated (using vault timeout options), and how additional protection for especially sensitive vault items can be put in place using the master password reprompt option.
Every password manager product is different, and it can take some time to change one’s habits and adopt new practices and workflows when changing to a new product.