Still confused about Lock vs. Log in options in the Vault Timeout Action

Newbie here, and I am struggling to understand some things about the two vault timeout options (lock vs. log out). I think it’s because I am not understanding an underlying principle behind BW, so bear with me. (I’ve researched this on the forum, but still am a bit confused.)
My vault timeout action is currently set on Lock, and from what I have read, it’s the timeout option most people select. Here is my confusion:
After I log into BW, it’s my understanding that BW is then “enabled” for me to use. That is, BW downloads a copy of the vault onto my PC. So I log out. Then I simply use BW to autofill my passwords.
My confusion is this: Once the vault is on my PC, isn’t it vulnerable to hacking? And so, wouldn’t I want to select the “Log out” option so that every time I want to use my vault to autofill a password, it requires me to reauthenticate with my master password and 2FA?
In addition, does the vault get cleared from my PC after the vault timeout (15 minutes)? And if that is the case, why don’t I have to log into BW again after 15 minutes?
So obviously I am confused. Can someone clarify for me, in simple language?
PS - I am not clear on the tags or what they mean, so I just picked two.
Thanks

Hello and welcome to the community!

There are generally 3 states: logged out, locked, and open.

When you first log in successfully, you are in the open state, where your encrypted vault is downloaded and persisted on the machine, where it is encrypted at all times, and your unencrypted vault and encryption key are in memory. This is where you can autofill and change the content of your vault.

When you set the timeout to lock and you have reached the end of the timeout period, or when you explicitly lock, you are in a locked state. Your data on disk remains encrypted; your vault in memory and your encryption key are also encrypted. If you try to autofill or access the vault, BW will ask you to unlock your vault. BW considers this state to be safe, i.e. everything is encrypted. For PC, you should not disable requiring password on restart for PIN/biometrics unlock, because it makes your encrypted vault more vulnerable (unless you can accept the risk).

When you are logged out, your vaults/encryption keys are purged from memory and persistent storage. If you try to autofill or access the vault, BW will ask you to log in.

If you don’t set up PIN/biometrics unlock, sometimes it is hard to differentiate between a locked/logged out state, because BW will ask you for a password to unlock or log in. So, you can try setting up unlock by PIN, requiring password on restart, and try this to see the 3 different states more clearly.

TL;DR: in a locked state, all your secrets are encrypted everywhere. Requiring password on restart will keep the encryption strong.

Thanks Neuron, I understood some of what you said, but not all. Let me clarify my question by way of an example:

  1. I am currently NOT logged into bitwarden.com. Yet I can still use my vault to log into my various websites. It locks out after 15 minutes of idle time, and then I just unlock it with my master PW.
  2. I am reading that “unlocking can only be done when you are already logged in.” Well, I am not logged in to bitwarden.com, and I am still able to use my vault. So I am confused what that statement in quotes means.
  3. I also read where people say, “I stay logged in all the time, and just use the lock/unlock function.” What are they logged into?
  4. I don’t want the vault to stay on my PC permanently. It strikes me as risky … or am I missing something? So, would selecting the “log out” option instead of the “Lock” option mean that after 15 minutes of idle time, the vault is purged from my PC?
Hope my questions make sense. I think the crux of my confusion is what “logged in” means.
Thanks again

Updating a bit from my last post. I think I am starting to understand the process a bit more. Bottom line is that it seems the safest option (for me, at least) is to log out every night, which I am seeing I can do from the browser extension. Thanks again.

Logged in does not mean being logged in with a web browser to the web vault. Instead, it refers to the Bitwarden app or the Bitwarden web extension being connected to the Bitwarden cloud.

At a high level, when the app/extension is:

  • Logged out – the vault is removed from the device.

  • Logged in – a copy of the encrypted vault is on your device. Bitwarden considers this state to be completely safe.

  • Unlocked – the encryption key is available to the app/extension so that it can decrypt/use the vault entries.

Here is Bitwarden’s description.

Do note that Logging in requires the master password and possibly a 2FA. Unlocking can be done with the master password, biometrics or a PIN.

An extremely common approach is to always keep devices logged in and to lock on “app exit”, “system lock” or “reboot” (your preference). This ensures the encryption key is only there when you are. And, it minimizes the use of the Master Password to decrease the odds that it can be key-logged.

1 Like

Thanks, I think I am starting to get it now. I was not aware that you could log in directly from the browser extension; I thought you had to go to bitwarden.com to log in. So that was one source of my confusion. And I see now that once I am logged in, I can set the lock out for 15 minutes, which will only require my master PW to unlock. Then I can use the vault all day, and then log out at night. When I log out, that will remove everything from my PC. Then the next day I can start over by logging in again.
Even though, as you note above, Bitwarden considers the “logged in” state to be completely safe, I just feel better knowing that the vault is removed from my device every night when I log out. But maybe that’s just me being paranoid, plus my limited technical knowledge.
Thanks again.

1 Like

Sorry, I re-read your answer again. Could I get some clarification on your second bullet item, regarding “Logged in.” You say that in this state, a copy of the encrypted vault is on my device (which I understand), and that BW considers that to be completely safe (which I don’t completely understand).
My question (or confusion) is: Even if I am in the Locked state, doesn’t the fact that the vault is still on my device expose me to some risk of a hacker getting ahold of it, vs. if I log out every night and remove it completely from my device?
I’ve seen comments that most people stay logged in and just lock/unlock, so I am curious why they don’t go the extra mile and log out every night, or every so often.
Thanks

bitjl666, against what threats are you seeking to protect? What is the risk level?

Perhaps those will help in deciding how you manage lock and logout settings for your situation.

Not sure I understand your question. I would think that like everyone, I am trying to protect against any and all threats, in theory. And that we would all consider the risk level to be high. Hence the need for PW managers.
At this point, I have a reasonably good understanding (I think) of the various states of the vault. My only real question is why someone would stay logged in (and locked/unlocked) vs. just logging out completely, if they know they won’t be using BW for a while. So for me, I would think that logging in in the morning, then logging out in the evening when done for the day, would be safer than staying logged in indefinitely and simply locking/unlocking.
But … what I am reading seems to be that most people in fact do stay logged in, and simply lock/unlock. So I am thinking that presents a bit more risk than logging out completely. But maybe I am confused about this or missing something, which is why I am asking.
Thanks

I will not pursue this further after adding the comment that one cannot design against nebulous criteria. Risk always exists. Knowing your threat model, the reasonable likelihood of any particular form of intrusion, really helps to make things as good as they need to be.

That is a paraphrase from their Security FAQ and their Security White Paper:

We consider the application’s encrypted data to be completely safe while the application is in a locked state.

The Security White Paper goes into the weeds a bit, but it does give you the background as to why they take this stance.

My take is that they are rooting their trust in good encryption rather than hiding in plain sight, because even when logged out, your vault is stored on a public web site (vault.bitwarden.com), hosted in Azure. Lots of variables there that one cannot control.

OK, thanks for the additional explanation, makes more sense now. As you say, lots of variables, and there’s probably no “right” answer per se for everyone. And of course, nothing is 100.00% secure these days anyway.
I guess at some point, everyone has to choose their own level of comfort and weigh their options accordingly. One size doesn’t fit all.
Thanks again

If you are logged in but have your vault locked, then an attacker who gains access to your device (either physical access, or remote access via malware) could steal a copy of your encrypted vault data. They could then work off-line using their own hardware to brute-force guess your master password, thereby allowing them to decrypt the stolen vault.

If you have a sufficiently strong master password, you can thwart such an attack, by making it too costly to be worthwhile for an attacker. What is considered “sufficiently strong” or “too costly” depends on who is attacking your vault and why. This is why @Mulled7768 was asking you about your threat model.

Bitwarden’s statement about the vault being secure in its locked state simply means that the vault data in this state cannot be accessed or reconstructed without knowledge of the master password.

To answer your question, users who have strong master passwords (e.g., 50 bits of entropy or more) and have strong operational security (i.e., strict malware defenses, good internet hygiene, and strict control over device access) are confident that the combination of good opsec and strong encryption will make the risk of vault compromise negligible.
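The answer above frames the locked-vault risk as an offline guessing attack against the master password, bounded by its entropy. The following is an added illustration, not code from the thread or from Bitwarden, of how to put numbers on that reasoning: it computes the entropy of a random passphrase or random-character password and the expected time an offline attacker would need at a given guess rate. The word-list size (7776, a diceware-style list), the guess rates and the 50-bit threshold are constructed assumptions for the example; real guess rates depend on the attacker's hardware and on the vault's KDF settings, which this example does not model.

```python
import math

# Constructed assumptions for this example (not figures from the thread):
# a diceware-style list of 7776 words, and a 50-bit threshold taken from the
# answer above as a rough "strong enough" line.
WORDLIST_SIZE = 7776
STRONG_THRESHOLD_BITS = 50.0
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def passphrase_entropy_bits(num_words: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Entropy (bits) of a passphrase whose words are chosen uniformly at random."""
    if num_words < 1 or wordlist_size < 2:
        raise ValueError("need at least one word drawn from a list of two or more")
    return num_words * math.log2(wordlist_size)


def random_password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy (bits) of a password of uniformly random characters.

    Only valid for genuinely random characters; human-chosen passwords have far
    less entropy than this formula suggests."""
    if length < 1 or alphabet_size < 2:
        raise ValueError("need at least one character from an alphabet of two or more")
    return length * math.log2(alphabet_size)


def expected_years_to_crack(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected time for an offline attacker to hit the secret.

    On average the attacker finds the secret after trying half the space,
    i.e. 2**(entropy_bits - 1) guesses. The guess rate is whatever the
    attacker's hardware achieves against the vault's key-derivation function;
    it is an input here, not something this example estimates."""
    if guesses_per_second <= 0:
        raise ValueError("guess rate must be positive")
    expected_guesses = 2.0 ** (entropy_bits - 1)
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


def meets_threshold(entropy_bits: float, threshold: float = STRONG_THRESHOLD_BITS) -> bool:
    """True if the secret clears the chosen entropy threshold."""
    return entropy_bits >= threshold


def strength_report(label: str, entropy_bits: float, guesses_per_second: float) -> str:
    """One-line summary for the table printed below."""
    verdict = "meets" if meets_threshold(entropy_bits) else "below"
    years = expected_years_to_crack(entropy_bits, guesses_per_second)
    return (f"{label:<28} {entropy_bits:6.1f} bits  {verdict} {STRONG_THRESHOLD_BITS:.0f}-bit line; "
            f"~{years:,.1f} years at {guesses_per_second:,.0f} guesses/s")


if __name__ == "__main__":
    # Constructed guess rate: an assumed offline rate against a slow KDF.
    assumed_rate = 1_000_000.0
    for words in (3, 4, 5):
        print(strength_report(f"{words}-word random passphrase",
                              passphrase_entropy_bits(words), assumed_rate))
    print(strength_report("8 random lowercase chars",
                          random_password_entropy_bits(8, 26), assumed_rate))
    print(strength_report("12 random printable chars",
                          random_password_entropy_bits(12, 95), assumed_rate))
```

Running the block prints a small table; the useful takeaway is the shape of the curve rather than any single number: each additional random word adds about 12.9 bits, which multiplies the attacker's expected work by roughly 7776, while a faster guess rate only divides it linearly.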

Thanks all, very helpful answers.

1 Like