Required to enter password each time, even if within 10 seconds

I am a new user. The following occurs:

Every time I close, then open either the Windows Bitwarden desktop app or the Firefox browser (with the Bitwarden extension installed and active), I am forced to enter my master password.

I have changed the settings several times. I have it set ideally to vault timeout “5 minutes” and vault timeout action to “lock”. So I assume that means that as long as I open either the Windows Bitwarden desktop app or the Firefox browser within those 5 minutes, that I am not forced to reenter my password. But every time I close Firefox and then open it again even if within a few seconds, I have to enter the password. Same with the Windows Bitwarden desktop app. The only way I get it to not do that is if I set the timeout to “Never”. What is the issue?

Thanks,

Marco

When you close the browser, it removes the reference to your encryption key (since it’s tied to your browser’s process), requiring you to input your master password again.

@tgreer What??

Okay, wait. I just set my Vault Timeout to 5 minutes and set my Vault Timeout Action to Lock just like OP. I then closed Firefox and reopened it, and Bitwarden was still unlocked.

[trying this in the Windows app] … Oh okay. It prompted for my master password here. So you’re referring to the Windows app then, as it doesn’t store cookies in the same way a browser does.

@xuv224 Do you have Firefox set to “delete cookies and site data when Firefox is closed”?

Wait… I just realized when I check “Unlock with PIN” there is a checkbox labeled “Lock with master password on (browser) restart”. That’s probably the culprit on both the app and the browser extension. You need to re-setup your PIN and uncheck that box.

@tgreer So what you’re saying is only a thing by default, but is not required.

This happens in both the Windows app and the browser.

I have my Firefox security settings on extra high. Some of that means having it delete all history and all cookies each time the browser is closed. Are you saying that this relies on cookies to work?
Because I just switched from Roboform and that does not rely on cookies.

Also, if the windows app is doing this by design (no cookies there), then why does it offer all those same timeout options, if there is no way that they could work anyway?

Thanks,
Marco

I close and open browsers 50 times a day. If I really have to type that long password just to fill one login, then I’m better off just manually typing it myself and not use a password fill app.

You can also set a numeric PIN and Windows Hello as well, instead of the master password.

Thanks. If this actually relies on cookies, could I not still set Firefox to clear all history including cookies on browse close, but set an exception to not clear the Bitwarden cookie? I’ll have to try that tomorrow.
Not sure why the windows desktop app also behaves like that, as there are no cookies in that app.

It does not rely on cookies. That post was someone who was speculating at how BW works.

1 Like

It doesn’t matter anyways what I initially said. I changed it because I realized what you’ve probably done is check the “Lock with Master Password on restart” box when you set up your PIN. You need to re-setup your PIN and uncheck that box.

Well, I like Bitwarden. But this having to unlock it 50 times a day is very annoying, even if a simpler PIN is set up. The old RoboForm does not do that, it knows that once I unlocked it, it will stay unlocked until my timeout has expired, no matter if I close the browser or not.
What it should base the lock on is whether the system was idle, as in no mouse movement or keyboard use in the specified timeout period, and only lock if that occurred.

Have you tried changing the unlock settings? You can set it to unlock only on a time period, on browser restart or Never if you want.

I have tried all of them.
“immediately” is no good as that will definitely ask each time
“never” is no good because that is a major security issue
“on browser restart” is not wanted, but apparently that is exactly what it does anyway, even if I did not select that
“any of the time periods” should honor that, but does not. If I put 30 minutes in there and I close the browser and reopen it 3 seconds later, it will ask for the PIN again. The only way to prevent that is to always leave at least one Firefox window open; then it will not ask for the PIN, but that is a bandaid solution as I normally close all windows (including browsers) when not needed.
There is already the Windows desktop app. If that is running at Windows startup and then continues to run in the systray, it should be sufficient to enter the PIN or password just once after booting up the laptop and then not log out of Bitwarden until one of two things happens: the computer was idle for the timeout period specified, or the computer is restarted.

I should add:
On the Android Phone, Firefox browser, Bitwarden will honor the timeout. I set it to 30 minutes, then closed all Firefox sessions, waited 10 minutes. Then tried to login somewhere and Bitwarden did not ask for the PIN.
But on the laptop, with the same settings and also using Firefox, it will insist on a PIN even if I just closed the last Firefox window only 3 seconds ago.

I believe @tgreer has explained Bitwarden’s current behavior.

Since part of the code for Desktop app and Browser extension are shared (which includes logic for encryption key storage), the behavior is probably similar for both.

From a quick glance, it looks like the encryption key is only stored in a variable (RAM) when a timeout value is set, which will only be retained over the process lifespan (i.e. it will be lost once the browser is quit).

When using Never option, it may be storing the key into the more persistent chrome.storage API. Docs:

If this is the case, then the only way to get the behavior you want would be to add new logic to store keys using storage API and clear out keys on timeout.

Someone will have to comment on any potential security implications of this.

As you have said, this is probably what password managers like Roboform are doing without notifying you that it’s a security risk.

1 Like
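The in-memory versus persistent-storage distinction cho-m sketches above, as an added illustration that is not Bitwarden's or jslib's code: two simplified key stores replay the thread's "close Firefox, reopen 3 seconds later" scenario. The plain `storage` object (standing in for an extension storage API), the constructed sample key, and the 5-minute timeout are assumptions.

```javascript
// Added illustration, not Bitwarden's code. Assumptions: a plain object models
// extension storage that outlives the process; the key below is constructed.
const VAULT_TIMEOUT_MS = 5 * 60 * 1000;
const CONSTRUCTED_KEY = "constructed-sample-key-not-a-real-secret";

// Strategy A: decrypted key held only in a process variable. The timeout is
// enforced while the process lives, but a restart discards the variable
// outright, no matter how much of the timeout is left.
class MemoryKeyStore {
  constructor() { this.key = null; this.lastActivity = 0; }
  unlock(key, now) { this.key = key; this.lastActivity = now; }
  getKey(now) {
    if (this.key !== null && now - this.lastActivity >= VAULT_TIMEOUT_MS) this.lock();
    return this.key; // null means "prompt for master password / PIN"
  }
  lock() { this.key = null; }
  simulateRestart() { return new MemoryKeyStore(); } // fresh process, fresh variable
}

// Strategy B: key written to persistent storage together with an expiry stamp.
// It survives a restart, and any reader still clears it once the timeout passes,
// so the lock is enforced by the stamp rather than by process lifetime.
class PersistedKeyStore {
  constructor(storage) { this.storage = storage; }
  unlock(key, now) { this.storage.vaultKey = { key, expiresAt: now + VAULT_TIMEOUT_MS }; }
  getKey(now) {
    const entry = this.storage.vaultKey;
    if (!entry) return null;
    if (now >= entry.expiresAt) { this.lock(); return null; }
    return entry.key;
  }
  lock() { delete this.storage.vaultKey; }
  simulateRestart() { return new PersistedKeyStore(this.storage); } // storage persists
}

// Replays the scenario: unlock, check 1 s later, restart the browser, check
// 3 s after unlock, then check again after 6 minutes (past the 5-minute timeout).
function runScenario(store) {
  store.unlock(CONSTRUCTED_KEY, 0);
  const unlockedBeforeRestart = store.getKey(1000) !== null;
  const reopened = store.simulateRestart();
  const unlockedAfterRestart = reopened.getKey(3000) !== null;
  const unlockedAfterTimeout = reopened.getKey(6 * 60 * 1000) !== null;
  return { unlockedBeforeRestart, unlockedAfterRestart, unlockedAfterTimeout };
}
```

Run `runScenario(new MemoryKeyStore())` and `runScenario(new PersistedKeyStore({}))` to compare the two designs; only the second keeps the vault unlocked across a restart while still locking at the timeout.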

No, RoboForm does not set it to “Never”. RoboForm has a process running in the Windows background that manages the timeout, and it can be set to whatever I want. If I want 43 minutes, then that is what it does, and it does that very well. If there is no activity on the computer for that amount of time, it will lock. But if it detects activity, it will extend the time by 43 minutes (in this example). That is exactly as it should be. And it also does not require at least one browser window to be left open at all times to avoid having to enter the PIN again, unlike Bitwarden. So in this respect, RoboForm is much better.

@xuv224 Have you reset your PIN and made sure the “Lock with Master Password on restart” box is not checked?


Currently, the level of integration between the Bitwarden desktop app and browser extension is low. It was only recently that we got biometrics support, which made use of native messaging to allow the browser extension to request Windows Hello / Apple Touch ID via the desktop app.

I believe there were comments elsewhere about plans to improve communication between the Bitwarden instances, but (like all features), it has been prioritized based on criticality, popularity (votes), complexity, etc. One of Bitwarden team members might be able to comment on status in roadmap.

At this point, you will need to accept typing in your PIN every time you restart the browser. Beyond that, you can add a vote to a related feature request to increase the importance of the feature, or find an open-source developer interested in coding the feature, since Bitwarden is open to external contributions.

The current behavior is again related to Bitwarden encryption key handling: jslib/crypto.service.ts at master · bitwarden/jslib · GitHub

It is possible that the solution will require adding a way for Browser extension to securely communicate with Desktop app on encrypted keys & timeout status, perhaps finding a way to share a common secure storage location if Desktop app is running.

EDIT:

Yes, I have done that and it does as advertised. My master password is very long; if I had to enter that each time, I would not get anything done in my day besides typing that password. Just having to repetitively type a simple PIN is annoying enough. I basically have to do two things to avoid doing that 60x per day: set the timeout to 4 hours and always leave at least one Firefox window open. If I remember to do that, I only have to type the PIN 2 or 3 times per day. But having it set at 4 hours is not ideal, and neither is running a Firefox window all day when I do not need it.
All this could be prevented if the Bitwarden desktop app could run a process in the background that will hold open the timeout, even if the browser is closed, and if that timeout could be automatically extended based on one of the following: mouse movement, keyboard input or another method to determine if the computer is actively being used.

Thank you [cho-m],
I have just posted a feature request in this regard. Bitwarden is great otherwise. Maybe this login / timeout issue can be improved in the future.