What can happen if the vault is open?

I'm currently trying to figure out what weaknesses there are in keeping the vault open. I live alone and the chance of someone else using my PC is basically zero.
I read that if you insert the password to open the vault, the encryption key is in the RAM. So, if someone wants to get my vault, he has to

  1. hack my pc from the internet
  2. get the data out of my RAM to get the encryption key

But if he tries to use it, it won't work because I have a yubikey/2FA for new devices. Is that correct?

I previously used Google Password manager, and it never asked me to insert a password to autofill the username and pw. Does that mean the vault was always open?

Also, would it be any better if I set up the vault to only be open for a very short time like 1 minute, but protect it with a very weak PIN?

Hello tongbal, and welcome to the community!

If someone asked me how someone in your situation should set BW up, I would say:

  1. On PC, set up auto-lock to the minimum amount of time you can stand. The stronger the PIN the better. And require password entry on restart.
  2. On mobile, do the same thing, but without requiring the password on restart. Use this device to allow “Login by device” on other devices. Lock BW by biometrics/PIN. Lock the device by biometrics/PIN.
  3. Write your master password down because you rarely use it, or you have to schedule yourself to enter it regularly.

On PC, when BW is open, the unencrypted vault is in memory, and so is the encryption key, although your master password is likely not, but this is not guaranteed. When it is locked, the vault in memory is encrypted, and so is the encryption key (by PIN or by a key derived from the master password). Bitwarden considers the “locked” state as being safe. When the vault is open, it’s theoretically possible to dump your memory and get your unencrypted vaults and encryption key. I personally don’t think the common malware out there does memory dumping. The most common BW attacks steal the encrypted vault (making a PIN lock that does not require the password on restart dangerous). This excludes RAT/backdoor/loader type malware.

TLDR: using a weak PIN, requiring master password entry on restart, is better than none at all. This is “basic” security to prevent future attacks.

PS: It’s hard to figure out what Google password manager protects. In the past, even when the vault was encrypted, some malware somehow decrypted it, probably using a key stored on the disk insecurely, and exfiltrated the unencrypted contents. It’s unclear if Google has fixed this problem. They keep the encryption key in all cases, so if they could keep the encryption key in memory without persistent storage, exfiltrating the data would be harder.

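To make the locked/unlocked distinction in the reply above concrete, here is an added toy model (not Bitwarden's code; the wrapping scheme, KDF cost and field names are simplified assumptions): while unlocked the plaintext vault key sits in RAM, when locked only a PIN-wrapped copy remains, and with "require password on restart" turned off that wrapped copy is also written to disk, where a copied file becomes an offline PIN-guessing target whose only protection is the PIN's strength and the KDF cost.

```python
import hashlib
import hmac
import os

KDF_ITERATIONS = 100_000  # constructed demo value, not Bitwarden's real setting

def _pin_keys(pin: str, salt: bytes):
    # Slow KDF so every PIN guess costs real work: (encryption key, MAC key)
    kdf = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, KDF_ITERATIONS, 64)
    return kdf[:32], kdf[32:]

def wrap_key(vault_key: bytes, pin: str, salt: bytes) -> bytes:
    """Encrypt-then-MAC the vault key under the PIN-derived keys (simplified)."""
    enc_key, mac_key = _pin_keys(pin, salt)
    stream = hmac.new(enc_key, b"wrap-stream", "sha256").digest()[: len(vault_key)]
    ct = bytes(a ^ b for a, b in zip(vault_key, stream))
    return ct + hmac.new(mac_key, ct, "sha256").digest()

def unwrap_key(blob: bytes, pin: str, salt: bytes):
    """Return the vault key, or None when the PIN (and so the MAC) is wrong."""
    ct, tag = blob[:-32], blob[-32:]
    enc_key, mac_key = _pin_keys(pin, salt)
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, "sha256").digest()):
        return None
    stream = hmac.new(enc_key, b"wrap-stream", "sha256").digest()[: len(ct)]
    return bytes(a ^ b for a, b in zip(ct, stream))

class VaultClient:
    """Toy model of what sits in the client's RAM and on disk in each state."""
    def __init__(self, vault_key: bytes, require_password_on_restart: bool):
        self.persist_wrapped_key = not require_password_on_restart
        self.ram = {"state": "unlocked", "vault_key": vault_key}  # plaintext key
        self.disk = {}

    def lock_with_pin(self, pin: str) -> None:
        salt = os.urandom(16)
        blob = wrap_key(self.ram["vault_key"], pin, salt)
        self.ram = {"state": "locked", "wrapped_key": blob, "salt": salt}
        if self.persist_wrapped_key:  # offline PIN-guessing target, if copied
            self.disk = {"wrapped_key": blob, "salt": salt}

    def unlock_with_pin(self, pin: str) -> bool:
        key = unwrap_key(self.ram["wrapped_key"], pin, self.ram["salt"])
        if key is None:
            return False
        self.ram = {"state": "unlocked", "vault_key": key}
        return True

    def plaintext_key_in_ram(self) -> bool:  # what a memory dump would yield
        return "vault_key" in self.ram
    def wrapped_key_on_disk(self) -> bool:  # what copying the data files yields
        return "wrapped_key" in self.disk
```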

Thanks for the answer! So, if I assume my device is very safe, I could easily use a PIN with good conscience?

Why treat the two differently? Seems much easier to decide on a comfortable defensive level and apply the same/similar settings on all devices.

Close. Write your master password down. End of discussion. Don’t depend upon remembering it in an emergency. That is precisely when one’s memory is the worst. Also, write down your two-factor recovery key, and your email address (the “username”). And if you use a separate TOTP app, write the same info down for it. In other words, you need an emergency kit.


Yes, better than none.

Why treat the two differently? Seems much easier to decide on a comfortable defensive level and apply the same/similar settings on all devices.

For people focused on some convenience trading off with security. On an unrooted Android, it’s not at all possible to get at the Bitwarden encrypted vault, and the same goes for the encrypted encryption key/derivative in the keystore/TEE. The OS’s protection is generally better/more restrictive than on Windows. Doing this allows you to log in with device wherever it’s applicable.

OTOH, people still require password entry on restart even on a mobile because they don’t trust the secure enclave, i.e. because of the vulnerabilities now and what will be disclosed in the future.

The 2FA (e.g., Yubikey) is irrelevant in the scenario that you have described.

First of all, if an attacker has extracted your account encryption key from RAM, then they will also have extracted the already unencrypted vault contents from RAM, so there would be no need to “use” the encryption key.

Second, if for any reason the attacker absconds with the account encryption key only, and does not exfiltrate any vault data (whether encrypted or not) from your device, then they cannot use the encryption key for purposes of authenticating (logging in) to Bitwarden’s cloud servers. Authentication would fail because they don’t have your master password, not because of the 2FA.

On the other hand, if they stole your session token in addition to the encryption key, then they might be able to download a copy of your encrypted vault (and then decrypt it with the encryption key).


Ah, I see. You trust your phone more than your PC, whereas I do not trust one over the other.

I do suggest that on either device, biometrics (Windows Hello, Face ID, fingerprint) and device PINs are much better than using the master password to unlock a vault. These devices all leverage hardware security modules (TPM or TEE) to increase user convenience without harming the security posture. Plus, the less one uses their master password, the fewer opportunities there are for it to be key-logged.

Generally, mobiles are more restrictive. On PC, other user-space applications beyond BW can trigger a biometric prompt that allows the app to access encrypted content meant only for BW, including the information in the TPM. On Android, this isn’t possible. So, on Android, malware can’t do wholesale damage. On Windows, malware that can trick people using key persistence into responding to an authentication prompt can get the whole store. Plus, BW doesn’t recommend key persistence on Windows.

See this discussion for 1Password, which doesn’t allow persistence with Windows Hello unless the user has a TPM:

Do you have examples on current vulnerabilities for the secure enclave? I’m interested in the topic and want to make a decently informed decision about using biometrics or my master password on iOS.

Hello vactorio, and welcome to the community.

I think @grb might be the person to discuss this question.