As someone who belongs to an organization that uses SSO, this change is very frustrating. We’re not supposed to need to use our passwords, and now all of a sudden we do?
I’m using the desktop app, and if I don’t want to enter my password I need to fully log out, enter my email address, click use SSO, and then finally I’m back in.
I hope biometrics get re-enabled soon because this is not very user friendly at all. I did set up a PIN in the meantime, but again it’s not as user friendly as just using your face.
Thanks for the quick response and helpful recommendation. I’d complain vigorously here about the removal of this functionality and the lousy communication about its removal but I see there are plenty of others who have already done that.
To use “login with device”, I need to reset the extension to log out when I close the browser. Login with device is not available unless it’s logged out.
What I meant was, when you just start the desktop app, since biometrics isn’t available, you log out from the app, then “Login with Device” using your phone to approve, and then continue as usual. This is what I’ve been doing since I stopped using biometrics unlock (not requiring password on restart). Since I also don’t turn off the PC, only putting it to sleep, I only do this when I reboot or log off, which are days apart.
The desktop app starts and runs minimized when Windows boots. I turn my laptop off every night and restart it in the morning. The desktop app is locked at that point. If I start my Firefox browser, then “Unlock using Windows Hello” is not available, even though I’ve enabled “unlock with biometrics” and “ask for biometrics on startup”.
I had taken your previous post to mean that I need to log out every time I closed the browser and then use “login with device” if I wanted to log back into the extension when/if I restarted the browser.
Now I boot up my laptop, then open the desktop app, log out, then log in with device and minimize the desktop app after unlocking it. Then when I start the browser (or restart it), biometrics and Windows Hello are available to unlock the extension. But the desktop app is running and unlocked. Is that “safe” enough?
Is this what you recommend that I do? I’ve tried to understand all the detail in this post, but it’s well over my head. I appreciate you taking the time to help.
Does your desktop auto-lock after a short while? After the desktop auto-locks or is explicitly locked, can you still use biometrics unlock in the extension?
Leaving the desktop app unlocked is not generally safe practice, and there should be no need to. Simply lock the desktop app after the “login with device” and before minimizing (or set the vault timeout to something very short).
Sorry to say, but this is complete nonsense and very user unfriendly. With Windows Hello I can unlock a lot of applications. I am using a fingerprint sensor with Windows Hello and this works fine. Now I must use a PIN or a long, unfriendly to type, master password to unlock the Bitwarden Desktop application. Can anybody explain why a PIN is safer than using Windows Hello? So, you can also remove the option Unlock with Windows Hello, because it is useless. Is the next step to remove biometrics on smart devices as well?
I have it set to lock on re-start. I just now locked it manually, closed my browser and restarted my browser. I was able to unlock the browser extension with Windows Hello. The desktop app continues to run minimized, but locked, in the background.
Edited to remove note about “lock” icon. It disappears after a while.
With a vault locked using Windows Hello, an attacker who has access to your device can copy all of the information that they would need to immediately decrypt your vault contents (the main delay would be that they first have to sift through the collected data to determine which set of 64 consecutive hexadecimal characters in the data dump represents the encryption key).
With a vault using a PIN, an attacker who has access to your device would also need to copy data from your device, and sift through the data to find the relevant 64-byte string. The big difference would be that in this case, the 64-bit string is not the actual key that reveals all of your secrets, but an encrypted version of the required key. Thus, the attacker must first carry out a brute-force attack to guess your PIN, before they are able to decrypt your vault.
Therefore, PIN lock is safer than biometric lock (but only marginally so, if your PIN is easily guessable).
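The two storage models described in the post above, as an added illustration that is not Bitwarden’s code: under the biometric model the 32-byte vault key (64 hex characters) is what sits at rest, while under the PIN model only a PIN-wrapped copy of it does, so an attacker holding the stored record still has to run the key-derivation function once per PIN guess. PBKDF2-HMAC-SHA256 as the stretching function, the iteration count, and XOR wrapping in place of a real cipher are all assumptions made for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import secrets

# Added example, not Bitwarden's implementation. Assumed parameters:
# 32-byte vault key, PBKDF2-HMAC-SHA256 for PIN stretching, and a
# hypothetical iteration count (the post gives no figure).
KDF_ITERATIONS = 100_000


def new_vault_key() -> bytes:
    """Random 32-byte vault key: the '64 consecutive hexadecimal characters' of the post."""
    return secrets.token_bytes(32)


def biometric_store(vault_key: bytes) -> dict:
    """Biometric-unlock model as the post describes it: the key itself is at rest,
    so whoever can read this record needs no further guessing."""
    return {"key_hex": vault_key.hex()}


def _pin_material(pin: str, salt: bytes) -> tuple[bytes, bytes]:
    # Stretch the PIN into 64 bytes: first half wraps the key, second half authenticates it.
    stretched = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, KDF_ITERATIONS, dklen=64)
    return stretched[:32], stretched[32:]


def pin_store(vault_key: bytes, pin: str) -> dict:
    """PIN-unlock model: only an encrypted copy of the key is at rest.
    Wrapping is XOR with a PIN-derived key (a stand-in for a real cipher such as AES),
    plus an HMAC tag so a wrong PIN is rejected instead of yielding garbage."""
    salt = os.urandom(16)
    wrap_key, mac_key = _pin_material(pin, salt)
    wrapped = bytes(k ^ w for k, w in zip(vault_key, wrap_key))
    tag = hmac.new(mac_key, salt + wrapped, "sha256").digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def pin_unlock(record: dict, pin: str) -> bytes | None:
    """Return the vault key if the PIN is right, None otherwise."""
    wrap_key, mac_key = _pin_material(pin, record["salt"])
    expected = hmac.new(mac_key, record["salt"] + record["wrapped"], "sha256").digest()
    if not hmac.compare_digest(expected, record["tag"]):
        return None
    return bytes(c ^ w for c, w in zip(record["wrapped"], wrap_key))


def worst_case_guesses(alphabet_size: int, length: int) -> int:
    """Key derivations an attacker holding the PIN record must budget for in the worst case.
    Each costs KDF_ITERATIONS hash operations; this work factor is all a PIN adds over biometrics."""
    return alphabet_size ** length


if __name__ == "__main__":
    key = new_vault_key()
    print("biometric record exposes:", biometric_store(key)["key_hex"])
    rec = pin_store(key, "2468")
    print("pin record exposes:", rec["wrapped"].hex(), "(wrapped copy, not the key)")
    print("right PIN recovers key:", pin_unlock(rec, "2468") == key)
    print("wrong PIN recovers key:", pin_unlock(rec, "2469") is not None)
    print("4-digit PIN, worst case:", worst_case_guesses(10, 4), "derivations")
```

The `worst_case_guesses` figure is what “only marginally so, if your PIN is easily guessable” means in numbers: a 4-digit PIN caps the attacker’s extra work at ten thousand derivations, whereas a PIN drawn from a larger alphabet or a longer one raises that bound exponentially.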
I’m no expert, but this suggests I should abandon biometric logins on all apps and use PINs instead? Or does this only apply to Bitwarden? And if so, why?
An attacker who has access to my device has to break into my house, has to start my PC, unlock it with the password or Windows Hello, and has to proceed with everything described above. I think I will have other problems then. This is very hypothetical. The same goes for my laptop: he has to get physical access to my laptop, start it, and unlock it with the password or Windows Hello. Again, this is very hypothetical. You can also lock yourself to death… I say again that this is very user unfriendly.
Bitwarden should allow disabling updates to it. But it doesn’t. The new version automatically updates itself. Disallowing automatic updates would have saved us from these disasters, since admins could have noticed that “this is not an update we want”, denied the update, and continued to use the old version until a good solution had been found.
They could also use malware to access your device remotely. If you feel that your device is sufficiently well protected from unauthorized physical access and malware attacks that the concerns about Windows Hello are moot, then the most convenient option for you would be to set the Vault Timeout to “Never”.
They could also use malware to access your device remotely: yes, and when the sky falls, all the sparrows are caught. I am using fingerprint sensors connected to Windows Hello, so it was easy to open Bitwarden before (good luck decrypting that). Now I am forced to type in a long Master Password or a PIN, more typing more waste of time. I hate it when simple things get complicated. The most convenient option would be to set the Vault Timeout to “Never”: I am really considering doing that.
It is really working against the whole principle of making security an easy thing to implement. If security becomes too difficult to perform, people will just abandon the process. Setting the timeout to ‘Never’ is an atrociously bad option. I might as well keep all my passwords in a plain text file called Passwords.txt and store it on my desktop.
Identity and security used to be based on three things: something you know (an ID, a password, etc.); something you have (a swipe card, YubiKey, etc.); or something you are (fingerprint, face, iris, etc.). Of these, biometrics was strongly promoted by OS and app developers because it could never be forgotten, never be lost, and was incredibly difficult to fake.
Now Bitwarden appears to have removed this safe method and insisted we have to use more complex and less effective methods. My master password is 16 characters long with all the recommended character combinations. That is complex for me to remember, deliberately. I dislike having to laboriously type it in every single time. So, should I shorten it or make it easier, like ‘abc123’? That seems the wrong approach, but I’m already exploring other password managers to replace Bitwarden.
There is a Feature Request for that. Go vote for it. If you read through the conversation, you will find that there is in fact a workaround that disables updates; there is just not a pretty GUI for it.
The best practice for master passwords is to use a randomly generated passphrase consisting of 4 randomly selected words (e.g., book-burp-dismal-petition). These are relatively easy to memorize and to type, yet practically impossible to crack by brute-force guessing.
Personally, I just lock by master password alone all the time, because I don’t consider it too difficult to type my random passphrase. I understand that others may feel differently.
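To put the passphrase recommendation above in numbers, here is an added example (not Bitwarden’s code or the poster’s) that draws words with a cryptographically secure random source and compares the resulting entropy with a 4-digit PIN and with a 16-character random password. The short `WORDS` list is constructed for the example; a real diceware list has 7776 entries, which is the size the entropy calculation assumes.

```python
from __future__ import annotations

import math
import secrets

# Constructed stand-in for a diceware-style word list (a real list has 7776 words).
WORDS = [
    "book", "burp", "dismal", "petition", "anchor", "cobalt", "velvet", "harbor",
    "meadow", "tundra", "quartz", "saffron", "lantern", "orbit", "pebble", "willow",
]
DICEWARE_LIST_SIZE = 7776  # assumed size of a full word list


def generate_passphrase(words: list[str] = WORDS, count: int = 4, sep: str = "-") -> str:
    """Pick `count` words uniformly at random with secrets.choice (never random.choice,
    whose generator is predictable and unsuitable for secrets)."""
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols each drawn uniformly from `alphabet_size` choices."""
    return length * math.log2(alphabet_size)


def compare_choices() -> dict[str, float]:
    """Entropy of the options discussed in the thread, in bits."""
    return {
        "4-digit PIN": entropy_bits(10, 4),
        "4 diceware words": entropy_bits(DICEWARE_LIST_SIZE, 4),
        "16 random printable ASCII characters": entropy_bits(95, 16),
    }


if __name__ == "__main__":
    print("sample passphrase (from the toy list):", generate_passphrase())
    for label, bits in compare_choices().items():
        print(f"{label:40s} {bits:6.1f} bits")
```

Four words from a full diceware list give about 52 bits, against roughly 13 bits for a 4-digit PIN, which is why a short PIN adds only a modest work factor while a random passphrase is out of reach for offline guessing even though it is far easier to type than 16 mixed characters.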
Are you referring to being able to use “Login with Device” option from the Windows desktop Bitwarden application as an alternative to typing your master password after a system restart? If so, how do you enable that? I do not see “Login with Device” on the Windows app start screen, nor do I see an option in the app settings to enable “Login with Device”.
I do see the “Login with Device” option when I attempt to log in to my vault using the full web browser app.