Vault Timeout - "On system lock" not working?

It worked for me too :bulb:
Thanks :+1:

Agreed. I just changed from free LastPass to paid Bitwarden. My main complaints are autofill requires like 3 clicks (so isn’t really autofill lol) and the master password timeout options are not helpful. From what I can see, it will ALWAYS prompt upon browser close/open regardless of settings. I want either a true timeout, i.e. I can close and open new browser sessions up until that timeout, or better yet, only require upon reboot or PC lock; if the machine is unlocked then I’m working on it and I really don’t want it to re-authenticate for that entire PC work session.

Edit - I can confirm that Edge Chromium is set to run background apps, and to use the rapid startup feature which keeps some additional stuff in memory presumably.

Why not use Ctrl + Shift + L instead?

If you want auto-fill, you can select the option to auto-fill from page load. I turned it on for family members who can’t figure out how to click on the fill button.

1 Like

Great! On Edge I found the “Fast Reopen” extension which should have the same functionality as Chrome’s “Lightning Reopen”.
Bitwarden now respects the timeout set when I close the browser.
Thank you.

1 Like

Thanks for letting everyone know that it worked.

It works, but leaves a lot of processes running and taking resources. Also, there appears to be no equivalent for Firefox. It’d make a lot of sense if BW synced its login state across all clients on a device, not individually. Why would I want to be logged into one client (or the app) but not another?

So how does LastPass do it? If you can close the browser and then the vault unlocks when you reopen it, it’s saving the encryption key to disk. Isn’t that the same as vault timeout = never on Bitwarden, except that LastPass doesn’t warn you that it is saving the encryption key to disk?

That is a question only you can answer. However, I use the different bits of software for different things.

Who knows? Maybe LP stores the key in memory?

In order for an extension to retain information after a browser close it has to either keep running or save the info to disk.

That’s misleading. All you need to do to keep a key in memory is a small process which keeps the key in memory.

Not really, a Chrome extension runs within the browser. So if the browser goes away, so does the memory associated with it. You can get Chrome to run extensions in the background, but that only means the Chrome browser continues to run in the background. Generally most apps do not do this.

If I turn off “Continue running background apps when Google Chrome is closed” in Chrome, LastPass does not require me to log in and there is no Chrome process running after closing. LastPass is therefore saving the encryption key to disk. Essentially the default mode in LastPass is the same as Vault timeout = Never in Bitwarden. However, the main difference may be that LastPass has more granular permissions, so you can for example tell it to prompt you for a password under different circumstances.

Another reason I think it’s saved to disk and not memory is because when the machine is rebooted, it still retains the login.

1 Like

Can you explain how LastPass’ “Logout after x minutes of inactivity” works when the browser is closed, the extension is unloaded and there are no Chrome processes running in the background? What process do you think logs you out of the vault when there are no Chrome processes running?

Interesting, so these are extensions and not webapps, but the analogy sort of fits (mostly, more on that later). Bitwarden is using something similar to a session cookie. A session cookie exists in memory only. When you close the browser, the session cookie is killed off and you have to log in again.

LastPass is using something like a persistent cookie that is saved to disk. While a persistent cookie is saved to disk, it does not need to last forever. Persistent cookies can be set with an expiration time. When you open a browser, it reads the persistent cookie and immediately checks the expiration date. If you set the timeout to 5 minutes, the persistent cookie will have an expiration of 5 minutes. If the extension accesses the cookie and notices that it’s expired, it will prompt you for a login.

The strange thing is that if you close the browser, the timer seems to stop for LastPass. So if I set the vault timeout to 1 minute and then close the browser and come back 5 minutes later, LastPass will reset the timer. However, if I then wait 1 more minute, the vault will log out. Normally, when you have a persistent cookie and the expiration is 1 minute, if you close the browser and come back after a minute, your cookie will have expired. This is for security reasons, since you don’t want someone to reuse your session. On a public machine, it would be pretty bad if you logged in to a site, closed the browser and had the next person open it up and retain the login.

In my opinion, this way of treating sessions is very specific to LastPass. If you want your password manager to behave this way, you should probably stick with LastPass. I don’t think I have seen another password manager behave this way.

As a person who is not in the security dept but had to code web apps that pass security, the LastPass extension’s behavior is in my opinion weird. In general, most people assume that once they close the webapp, their session is gone, and if it is not gone, the session expires after a company-specific timeout. What LastPass seems to do is time out only if the browser is up and stop the clock if you close the browser before expiration. If you reopen the browser, you don’t need to log in. A scenario would be if you are bad about locking your computer and close the browser and leave your cubicle, your less than savory coworker could hop on your computer and open your browser and get to your password manager.

1 Like
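The two timeout models compared in the post above, as an added simulation (not code from the thread or from either product): an absolute-expiry token checked against the wall clock on every access, versus an inactivity timer that stops while the browser is closed. The vault classes, the 60-second timeout and the open/close timeline are all constructed for the example.

```python
"""Constructed simulation of two vault-timeout policies.

AbsoluteExpiryVault: persistent-cookie style, the expiry is a wall-clock
deadline checked on every access, whether or not the browser was open.
PausedClockVault: the behaviour described in the post, the inactivity timer
only advances while the browser is open. Times are in seconds.
"""


class AbsoluteExpiryVault:
    def __init__(self, timeout):
        self.timeout, self.deadline = timeout, None

    def unlock(self, now):
        self.deadline = now + self.timeout  # fixed deadline, like a cookie Expires

    def open_browser(self, now):  # nothing to do: the deadline is absolute
        pass

    def close_browser(self, now):
        pass

    def is_unlocked(self, now):
        return self.deadline is not None and now < self.deadline


class PausedClockVault:
    def __init__(self, timeout):
        self.timeout, self.elapsed = timeout, 0.0
        self.browser_open, self.last_tick, self.unlocked = False, 0.0, False

    def _tick(self, now):
        if self.browser_open:  # the clock only runs while the browser is open
            self.elapsed += now - self.last_tick
        self.last_tick = now

    def unlock(self, now):
        self.unlocked, self.elapsed, self.last_tick = True, 0.0, now
        self.browser_open = True

    def open_browser(self, now):
        self.browser_open, self.last_tick = True, now

    def close_browser(self, now):
        self._tick(now)
        self.browser_open = False

    def is_unlocked(self, now):
        self._tick(now)
        if self.elapsed >= self.timeout:
            self.unlocked = False
        return self.unlocked


def run_scenario(vault):
    """Unlock at t=0, close at t=10, reopen at t=310 (5 min later), recheck at t=370."""
    vault.unlock(0)
    vault.close_browser(10)
    vault.open_browser(310)
    return vault.is_unlocked(310), vault.is_unlocked(370)
```

With a 60-second timeout, `run_scenario(AbsoluteExpiryVault(60))` is locked at both checks, while `run_scenario(PausedClockVault(60))` is still unlocked on reopen and only locks a minute later, which is the "close the browser and leave your cubicle" gap the post describes.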

Thanks.

No, I’m happy to switch to Bitwarden - as soon as we get the ******* U2F support on Android which was promised for end of 2020 and then “early Q1 2021”!

(unless by some miracle LastPass wakes up to the dangers and implements it themselves. I am not holding my breath. Some droll poster pointed out to them that the LastPass forum has better security than their own password vault!)

Using something like Lightning Reopen, I can get the behaviour I want - i.e. enter a password (not a PIN, a full password) on first browser open, and then no need to subsequently enter it until logout or reboot. Perfect. The only downside being the Chrome processes still loaded and using a few hundred megs of RAM, but on a system with 32GB and 16 cores, who cares. Zero real-world impact.

I agree. My understanding is that Chrome extensions can request that they be kept running in the background. If an extension makes the request, and if the Chrome “keep running” option is set, then Chrome sticks around.

I’d like to see the Bitwarden Chrome extension make the “stick around” request if “On system lock” is selected.

1 Like

But wasn’t the point that you wanted to be able to close chrome to save resources? Running in the background probably uses nearly as many resources as foreground.

I think this bug should be added to a Feature Request if it hasn’t already been added. I have mine set to Forever, which is the same as I had with LastPass, but I never use my laptop outside of my home so it’s not really an issue for me.

Also, there is a feature in the Chrome settings for “Continue running background apps when Google Chrome is closed” so you don’t need an addon.

I think the correct response is not to do it like LastPass but more like the Android client. For that version, you can close the app and not have it log out. There may be some reason security-wise that they don’t do this.

This in a nutshell! I made the request to BW a while back. Seems silly to have to have an extension loaded simply to do this when BW could do it themselves very, very easily. As I understand it there is almost no code in the “Lightning Reopen” extension, so it should be trivial to ask the BW client to do the same.