Restricting access to certain passwords

I’ve just gotten started with Bitwarden and I’ve copied all my passwords into my vault. It works great, now I can easily log into Netflix on my phone, or log in to my bank account from the computer in my bedroom!

I can also now log in to my bank account from my phone, from a tiny locked room in Moscow next to a large violent gentleman with a crowbar. That’s bad. I couldn’t do that back when I had my bank account password written on a piece of paper in the bottom of my underwear drawer.

While that scenario is a little melodramatic, I do feel like using Bitwarden opened up some additional avenues of attack. There are certain logins that I will never legitimately access from my phone, or that I will only legitimately access from my home desktop – but now I (or someone else with my master password) can access anything, anywhere, anytime.

Is there a workaround for this? Some way to restrict certain logins to certain devices, or require an additional secret (like a YubiKey that I leave in my underwear drawer) for access to certain high-value logins? Whatever it is, I still want to be able to log in to my Netflix from anywhere.

Hello and welcome to the community👋

One way to do this is to partition the information into two different accounts—one paid and one free. You can create an organization between them and share the non-sensitive passwords in the organization’s collection between the two accounts.

Another option is to use the master password reprompt for more important accounts; this would be a hassle to type on smaller devices besides having to know the password.

Alternatively, you could use an offline password manager to store more important accounts, specifically for use on your PC or desktop.

Overall, though, if they have a wrench and they have you, most likely, they will get anything out of you.

@Bjartmarr Welcome to the forum!

Setting up a free Organization vault (as suggested by @Neuron5569) to share the non-sensitive vault items between devices is probably your best option. However, if you need to use any Premium features (e.g., file attachments, or TOTP generation using the integrated authenticator) for these shared items, then you will need two Premium subscriptions (one for the account logging in from any traveling devices like your phone, and one for the account logging in from secure devices like your computer).

Once you spend a little more time on the forum (to advance your membership status from “new user” to “basic user”, which unlocks voting privileges), you may also want to vote for one or more of the following feature requests:

Thank you, this is helpful. Having an offline password manager for sensitive accounts sounds like the way to go. I like the simplicity of, “If you don’t want to carry something around with you, then leave it at home.”

I was being a little melodramatic with the kidnapping scenario. Much more likely is a border guard who will spoil my vacation unless I “just let him look”. Or somebody shoulder-surfs my master password because I keep typing it in in public places when I want to check my email. Or, most likely, another scenario that I haven’t thought of yet.

Thank you.

You can largely avoid shoulder surf concerns by locking your vault (instead of logging out) and then unlocking with biometrics. Then use one or more of the 8 autofill mechanisms to fill from the vault.