Is it considered a security risk or is it safe to save the Bitwarden Master Password in Google’s password manager?
Generally, I think that is considered a bad practice because now the security of all your passwords and other secrets saved in Bitwarden is dependent on the security of the Google Passwords client and/or access to your Google account.
Here is what Bitwarden suggests:
Yeah, if your laptop or phone is stolen and Google just opens your vault automatically, all your security is for naught. Though I guess Google login should be in the Bitwarden vault, yeah?
Yes, I put my Google credentials into Bitwarden. The BW clients are purpose-built for security, so I trust them far more than Google’s account security. Google sites also auto-fill well with Bitwarden, so I usually stay logged out of Google unless I am using one of their sites.
Do you launch websites from Chrome bookmarks? I’m not sure I want to log in to Chrome a million times a day…
I don’t use Chrome anymore, and I try to stay off Google sites on my PCs as much as possible, so my situation is different from yours, I suspect. My advice might not be very applicable to you!
How do you organize and access websites?
I use Firefox bookmarks. It is the only Mozilla service I use, so I feel safe using it.
So do you log into Firefox every time you want to visit a website or do you stay logged in?
I stay logged in. I don’t see any reason to log out.
Stolen/lost laptop or phone?
Locked with biometrics.
I see. Do you use a timeout for locking?
Yes, always. The period depends on where my devices will be (e.g., home, commuting, vacation, etc.).
Got it. Sounds like a very solid scheme. Thanks much for the info.
Instead of using Google pw mgr, why not make a second Bitwarden just for storing your master pw in? Unless you fully trust Google pw mgr. Then you could use it as a shared vault; in case the pw is changed, it’s already synced in your backup Bitwarden.
I need to learn more about BW’s timeout features, but do you set a timeout on BW login, the items in your vault, or both?
It’s either/or. You set the time-out action to either “log out” (which erases your encrypted vault from local disk storage and requires you to re-authenticate to regain access), or to “lock” (which erases your decrypted vault from memory and prevents the UI from being used, but leaves your decrypted vault stored on your local disk).
If you have to memorize the password to this second BW, then why not just memorize the password to the first BW? Or if you’re proposing to store the password to the second BW somewhere, then where? Just a bit confused about what you are suggesting.
Yes, I understand that. I’m less clear on the granularity. Do you set a single timeout on your BW vault or each item in the vault?