Some questions about PIN's security

Hello guys !!

There are many posts here about the security of the PIN, but I couldn’t find some answers I wanted.

  1. I know that if I uncheck the option “lock with password on browser restart” when creating a PIN (on a Windows PC and with the Edge extension), then the master password will be stored locally on the disk and will be encrypted/decrypted with the PIN. But I couldn’t find WHERE exactly it is stored. I assume it will be in this path "C:\Users\Username\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jbkfoedolllekgbhcbcoahefnbanhhlh" but I don’t know in what file it is.

  2. If I remove the PIN and re-create it with the “lock with password on browser restart” checked, will the master password automatically be removed from the disk ??

  3. What about Android ?? Do these 2 questions I asked apply to Android too ??

To start, what is going to be stored is a copy of the generated symmetric key (a.k.a. the account encryption key), which has been encrypted using a stretched key derived from your PIN (by running it through a KDF algorithm). The master password will not be stored locally, encrypted or otherwise.

You’re looking in the wrong folder. The locally cached vault data for the Edge extension are going to be stored in the following folder:

%LocalAppData%\Microsoft\Edge\User Data\MyProfile\Local Extension Settings\jbkfoedolllekgbhcbcoahefnbanhhlh

Note that the value of MyProfile will depend on your setup, and could be either Default, or a numbered profile like Profile 1, or a custom profile name.

In this folder, you should find a file named something like 000123.log, which is where your vault data are cached. You can open this file in a text editor (e.g., notepad.exe), and search for the string pinKeyEncryptedUserKey. The long random-looking string (starting with 2.) that follows contains the protected account encryption key.

Technically, yes, but in Chromium-based browsers (like Edge), there is apparently a bug that causes the *.log file contents to persist, even after logging out. A similar bug was found in 2022 and reportedly fixed in 2023, but there appears to have been a regression in the meantime.

You could manually delete the *.log file, but please note that this will also wipe out any customizations that you have made to the browser extension settings and options.

Alternatively, if you repeatedly log in, log out, and restart your browser, then eventually the *.log file will get erased and replaced by a new *.log that has a higher number as its filename. In this new *.log file, the pinKeyEncryptedUserKey will no longer be present (assuming that you did disable “Unlock with PIN” and re-create it keeping “Lock with master password on browser restart” enabled).

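A small audit script for the check described above, added here as an example (it is not Bitwarden's code and not from the answer's author). It assumes the folder layout and the pinKeyEncryptedUserKey marker named in the answer; it also scans the compacted *.ldb table files next to the *.log files, which is an assumption beyond the answer (Local Extension Settings is a LevelDB database, and LevelDB moves log contents into *.ldb tables on compaction, sometimes compressed, so a clean result in *.ldb is not conclusive). The sample folder it builds when run without arguments is constructed data, not a real vault.

```python
"""Check an extension's Local Extension Settings folder for a cached PIN-protected key.

Added example, not Bitwarden's own code. Assumptions: the Edge path and the
'pinKeyEncryptedUserKey' marker from the thread; scanning *.ldb as well as *.log.
Run with the folder as the first argument, or without arguments to use the
constructed sample folder built by build_sample_folder().
"""
import os
import re
import sys
import tempfile
from pathlib import Path

# Marker from the thread; the value after it is the PIN-protected copy of the
# account encryption key (an encrypted string beginning with "2.").
MARKER = b"pinKeyEncryptedUserKey"
EXT_ID = "jbkfoedolllekgbhcbcoahefnbanhhlh"
# LevelDB write-ahead logs (*.log) and compacted tables (*.ldb). The thread only
# mentions *.log; including *.ldb is an assumption (tables may be compressed,
# so no hit there does not prove the key is gone, while a hit in *.log is real).
DB_FILE = re.compile(r"^\d{6}\.(log|ldb)$")


def edge_extension_dir(profile: str = "Default") -> Path:
    """Folder from the thread, built from %LocalAppData% (Windows; profile varies)."""
    base = Path(os.environ.get("LOCALAPPDATA", ""))
    return base / "Microsoft" / "Edge" / "User Data" / profile / "Local Extension Settings" / EXT_ID


def scan_file(path: Path) -> int:
    """Count occurrences of the marker in one file (binary-safe substring search)."""
    return path.read_bytes().count(MARKER)


def find_marker_files(folder: Path) -> list[tuple[str, int]]:
    """Return (filename, hit_count) for every LevelDB file still carrying the marker."""
    hits = []
    for path in sorted(folder.iterdir()):
        if path.is_file() and DB_FILE.match(path.name):
            count = scan_file(path)
            if count:
                hits.append((path.name, count))
    return hits


def build_sample_folder(root: Path) -> Path:
    """Constructed sample data (not a real vault): an older log that still holds the
    marker, a newer log written after the PIN was removed, and LevelDB bookkeeping
    files that the scan must ignore."""
    root.mkdir(parents=True, exist_ok=True)
    (root / "000123.log").write_bytes(
        b'\x00\x1f{"pinKeyEncryptedUserKey":"2.SAMPLEIV==|SAMPLECIPHERTEXT==|SAMPLEMAC=="}'
    )
    (root / "000124.log").write_bytes(b'\x00\x1f{"theme":"dark","vaultTimeout":15}')
    (root / "LOCK").write_bytes(b"")
    (root / "LOG").write_bytes(b"leveldb info log (constructed)")
    return root


def demo() -> list[tuple[str, int]]:
    """Build the constructed sample folder in a temp dir and scan it."""
    return find_marker_files(build_sample_folder(Path(tempfile.mkdtemp()) / EXT_ID))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = Path(sys.argv[1])
        if not target.is_dir():
            raise SystemExit(f"not a folder: {target}")
        results = find_marker_files(target)
    else:
        results = demo()
    for name, count in results:
        print(f"{name}: {count} occurrence(s) of {MARKER.decode()}")
    if not results:
        print("no cached PIN-protected key found")
```

On a real profile, point the script at the folder returned by edge_extension_dir() after closing the browser, and expect the older numbered *.log to report a hit until the browser has rotated it, as the answer describes.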

Thank you very very much for your detailed answer !! That’s what I was looking for !!

So, can you explain to me how anyone with physical access to my PC can get to my vault, if I keep the “lock with password on browser restart” disabled ?? What are the steps for doing that ?? It’s very unlikely as it is a desktop, but I want to know.

Is it safer to have a PIN, in case I have malware/a keylogger on my PC ?? This is very unlikely too.

Someone with physical access to your machine would simply make a copy of your %LocalAppData%\Microsoft\Edge\User Data\MyProfile\Local Extension Settings\jbkfoedolllekgbhcbcoahefnbanhhlh folder, take this folder to their own machine, and then run a brute-force attack to guess the PIN.

An example of this is demonstrated in the following blog article:

https://ambiso.github.io/bitwarden-pin/

Safer than what? And are you contemplating the scenario in which “Lock with master password on restart” is enabled, or disabled?

In general, no password manager can protect your passwords if your device has malware. If malware is on your device, then there are many ways that your vault could be compromised. So you need to do everything in your power to prevent malware.


As I am not a high-value target or threat, the thief will probably try to sell it instead of trying to crack it, whether it’s a PC or a phone. But you never know !! On my phone I have set it to require my master password if I close the Bitwarden app or restart the phone, because I rarely do that.

I mean it generally. Because if I use only the PIN, a keylogger will not find my actual master password.

For an opportunistic attacker who finds your device unattended (or who steals the device), it would take only a few seconds to brute-force a 4-digit PIN, so by extension, a 7-digit numeric code could be cracked in an afternoon. So I wouldn’t assume that they’re not going to try.

It’s 10 digits !! But I said that in the sense that a regular thief may not have the tools to brute-force a password. But he can try it by himself.

If it’s not a telephone number or something else that is nonrandom, then that’s not bad, but still, someone with a $7000 cracking rig (containing 4 GPUs) could crack it in a day.

Disabling “Lock with master password on restart” does create risk. A Bitwarden user on Reddit recently had all of their accounts compromised because they had disabled that safeguard.


I didn’t think/consider that there is a possibility of someone stealing my vault cache without physical access to my PC.

So, in that case maybe it would be wise to enable that option. It’s safer, but on the other hand, it’s very annoying to type a 30+ character password multiple times a day, unless I keep the browser open all day.

Yes, it is helpful to keep the browser open. Alternatively, keep your mobile app open, and then use the option to Login with Device. Depending on your setup, it may be easier to log out of the browser extension and then approve a login using your mobile device (compared to remaining logged in, but unlocking using the master password).

Personally, I just type the master password to unlock.