Safe to stay logged in?

Hi,

I’m new to Bitwarden and to this community, so please forgive me if this question has already been dealt with.

I’ve just migrated from LastPass and notice that Bitwarden has a handy “Lock” option, which LastPass doesn’t have (or if it did I was not aware of it). So the way I understand things, this Lock option allows you to lock your vault when you step away from your laptop, without having to completely log out. In my mind this is a good thing, as aside from the convenience of unlocking the vault with a PIN instead of my very long master password, I think it is also safer as it reduces the number of times that one has to enter the master password, which feels safer to me. My question really just is whether it is safe to have the vault signed in for a prolonged period of time and whether there might be any other security concerns around doing so that I’m not aware of. Let me just add that I am very security conscious when it comes to my vault and I always used to log in to LastPass only when I needed a password, and then immediately logged out again. I am also in the habit of locking my laptop whenever I step away from it. My question also extends to the mobile app, and whether it is safe to remain logged in for a prolonged period of time whilst ensuring that the app is locked whenever I’m not using it.

Thanks in advance for your input and advice.

SAFE is a relative word. You won’t get the same answer from everyone reading through this thread. I do use “locked” over logged out the majority of the time. Others will differ and they have valid reasons for doing so. In my case I am on a Linux laptop being used in my home primarily. I have a separate FF profile where I keep Bitwarden to be used with “login only” sites I visit. For all other internet surfing I use different profiles so that Bitwarden isn’t nearly as exposed, if at all. Bitwarden’s PIN lock is pretty safe because someone entering the incorrect PIN 5 times will be logged out automatically. I use an 8-9 digit PIN so the odds of guessing the correct PIN in 5 attempts are basically zero! BTW - I also use PIN lock on my Android, but if I am being honest I access that BW instance way less. Things like banking I feel safer using on my laptop over Android. Security of Android is a long thread and outside of the scope of this thread.

I don’t know your exact application but I would not surf all over the internet with my BW vault simply locked. The sites I access via login are known legit sites - e.g. bank, actual name emails, etc… When I read around without login requirements those sites have not been vetted by me so to speak. I don’t want those to have any access to BW at all, ever. My .02

Thanks for your reply @OpSec. In that case I think I’ll continue my habit of logging in only when I need a password and then logging back out again. I don’t type my master password into Bitwarden every time I need to use it; instead I paste most of it in from somewhere else and then type in only a certain part of it, so having to enter the master password frequently shouldn’t be a major security concern, I don’t think. I was thinking that the Lock option would be more convenient, but I’d rather deal with a little inconvenience if it means a more secure vault.

Any other thoughts on this, anyone?

Your threat really is anyone who has physical access to your computer. Using the PIN option is great for things like this, as it gives you the convenience of getting into your vault without having to enter your long master password, but if someone enters the PIN wrong 5 times it reverts back to your master password.

Just remember the PIN is not a replacement for your master password, you still need to remember your master password.

Hi @dangostylver. Thanks, yes I understand that the PIN does not replace the MP and that’s all good. I’m just trying to understand if the vault will be any more vulnerable if it is in locked state, compared to being in logged-out state, specifically from an online perspective (i.e. not a physical perspective, e.g. laptop getting stolen or someone helping themselves to the vault while I step away from the laptop). I run Windows 10, if that makes any difference. From @OpSec’s reply I gather that there does seem to be a concern around visiting “unvetted” (as he/she calls it) websites whilst having BW in locked status.

Yes, the question is by how much? Opinions vary on this, as they do with most questions which are not about simple things.

I would need to re-read the details in the help system to refresh my memory, but IIRC locked with a PIN means that the information is in memory, possibly encrypted in some way, but at least in theory accessible.

Logged-out means that none of the information is in memory. To put it into memory means supplying the master password, which is the only way to unlock the information.

From an online perspective, there is not much difference between a locked state or a logged-out state from your computer.

The encryption level is the same, and the only difference is that in a logged-out state you’ll need to supply your 2FA (if you have it) to get back into your vault.

Visiting a bad website doesn’t mean the Bitwarden extension will become compromised. Even if you did, and Bitwarden is in a locked state, it would be just as secure as if it was stored on Bitwarden’s own servers. If you’re still worried you can always salt your important passwords: https://passwordbits.com/salting-passwords/ This way, even if someone got into your vault they would not have the full passwords.

I am not sure what option you mean. Are you setting the vault to lock whenever you lock the computer?

No, I lock it whenever I’m not using the vault, i.e. the “Lock Now” option.

OK, I believe your question is if there is a difference between timeout and logout. The main difference is that when you log out, the vault data is purged, whereas timeout means the vault data is still on the device. In either case, I believe you need to enter the PIN or master password to reopen the vault when you unlock your computer.

The vault data is encrypted, so there isn’t an issue where someone can hack into your account. Actually, I would suggest that you don’t log out. If you lose your internet connection, you won’t be able to access the vault if you log out. It’s also useful if you somehow mess up your account so that you cannot log in using your master password. You can go to a computer where the vault is not logged off and export the vault, so you can use it to recreate the vault.

And to answer your question, I would say that it is safe to stay logged in as long as it’s protected by a PIN or master password.
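The locked versus logged-out distinction described in the two replies above (encrypted data still on the device when locked, purged on logout, and five wrong PINs falling back to the master password) modelled as an added toy example. This is not Bitwarden’s code: the XOR/SHAKE “cipher”, the KDF parameters, the key-wrapping scheme and the state names are constructed for illustration only.

```python
import hashlib, hmac, json, os

MAX_PIN_ATTEMPTS = 5  # per the thread: five wrong PINs fall back to the master password

def _kdf(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)

def _xor_stream(key: bytes, data: bytes) -> bytes:
    # Toy stream cipher (SHAKE-256 keystream) standing in for real AES; demo only.
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(key).digest(len(data))))

class VaultSession:
    """logged_out: nothing local.  locked: ciphertext + PIN-wrapped vault key local,
    plaintext key dropped.  unlocked: vault key in memory.  (Constructed model.)"""
    def __init__(self, master_password: str, items: dict):
        self.salt = os.urandom(16)
        mk = _kdf(master_password, self.salt)
        self._server_ct = _xor_stream(mk, json.dumps(items).encode())  # held "on the server"
        self._server_check = hmac.new(mk, b"auth", "sha256").digest()
        self.logout()
    def logout(self):
        # Purge all local state: ciphertext, key, PIN-wrapped key, attempt counter.
        self.state, self.ciphertext, self._key = "logged_out", None, None
        self._pin_wrapped, self._pin_check, self.pin_failures = None, None, 0
    def login(self, master_password: str) -> bool:
        key = _kdf(master_password, self.salt)
        if not hmac.compare_digest(hmac.new(key, b"auth", "sha256").digest(), self._server_check):
            return False
        self.ciphertext, self._key, self.state = self._server_ct, key, "unlocked"
        return True
    def lock(self, pin: str):
        if self.state != "unlocked": raise RuntimeError(self.state)
        pin_key = _kdf(pin, self.salt)
        self._pin_wrapped = _xor_stream(pin_key, self._key)  # key survives only wrapped
        self._pin_check = hmac.new(pin_key, b"pin", "sha256").digest()
        self._key, self.state = None, "locked"
    def unlock(self, pin: str) -> str:
        if self.state != "locked": raise RuntimeError(self.state)
        pin_key = _kdf(pin, self.salt)
        if hmac.compare_digest(hmac.new(pin_key, b"pin", "sha256").digest(), self._pin_check):
            self._key, self.state, self.pin_failures = _xor_stream(pin_key, self._pin_wrapped), "unlocked", 0
            return "unlocked"
        self.pin_failures += 1
        if self.pin_failures >= MAX_PIN_ATTEMPTS:
            self.logout()  # lockout: master password (and 2FA) needed again
            return "logged_out"
        return "locked"
    def read(self, name: str) -> str:
        if self.state != "unlocked": raise PermissionError(self.state)
        return json.loads(_xor_stream(self._key, self.ciphertext))[name]
```

Inspecting `ciphertext`, `_key` and `_pin_wrapped` in each state shows what a device thief would actually find: encrypted data and a PIN-wrapped key when locked, nothing at all after logout.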

Thank you for the insights and advice everyone, much appreciated. Seems that there are arguments both for and against staying logged in… I think I’ll err on the side of caution and continue to only log in when needed. Thanks again.