What if my computer is stolen?

I live alone in a private home with no one looking over my shoulder or even getting near my computer. Basically I really don’t need ANY security at all, no passwords, no pins, no 2fa. However, I’m forced to use the security systems imposed by various websites.

BUT!

If someone breaks into my house while I’m away and steals my computer, they could have a field day with my bookmarks and that’s why I need Bitwarden. Unfortunately, it appears to have the same problem that LastPass has (and the main reason I left LastPass).

While I’m using my computer, I don’t want to have to re-enter my password every “n” minutes and I don’t even want to have to do this if I should close the browser for a bit. Hence I have my timeout setting at “Never”. I REALLY only want to have to log in after I’ve shut the computer down for an extended period (when someone could have stolen access to it without me there). Hence, it would make a LOT of sense to have BW log out when the computer has been shut down. BUT, there doesn’t appear to be a way to do that. If I pull the computer out from the power cord and run away with it, BW will kindly restart my browsers automatically logged in! How insane is that!?

Can someone please tell me if I’m just ignorant and that there’s actually a way to automatically log out if the computer is re-booted? (With LastPass, I was at least able to write a script that fired a hotkey to do the logout on computer startup. Not elegant, but it was more than BW can provide.)

Do you not set up a login to your computer? If they steal your computer, they won’t be able to log into the computer. In addition, Bitwarden has its own master password so they would need to know that to get into the password vault. As long as you don’t leave your password on a Post-it note or a text file you should be fine.

In the Bitwarden Settings, there is an option for Vault Timeout on System Lock. This may be similar to what you are needing.

Do you have biometrics on your computer? I use my Windows Hello camera to log into Bitwarden and find it far more convenient than typing my long Master Password.


I’m a fairly new user but I don’t think there is an exact option for that, nor would I ever use it. The closest would be ‘on browser restart’ or use ‘on system lock’ (that the previous post mentioned) if you have a password set up. I’d also use the PIN option as I find that a real time saver so I don’t need to type in the Master password every time, but the PIN that you chose. You might need to play with these options and see exactly what they do.

Using the Windows password is worthless - the easiest thing to crack. I have no knowledge of this “system lock” condition. I don’t see it in my Vault Timeout Action. Where is it and what does that mean?
Still, it is insane that after a power down condition, BW would come back up open and ready for spilling the beans on my passwords! Gotta be some way to block that.

Bitwarden-Desktop-App: Files → Settings:

image

Chrome extension: Settings:

image


Actually what Peter suggested will work, but change the vault timeout to logout so your setting would be:

Vault Timeout = On System Lock.
Vault timeout action = Log out

When you lock your system or your system locks, Bitwarden will log off and remove the vault so that you have to reconnect to the internet and log in to get the vault. You would need to log in again when you unlock your machine.

If your computer is not a laptop, then it would have powered off when it was stolen. Unless you have the setting of never, you would have logged out.

Part of my confusion is probably because the Firefox extension doesn’t have the same options!


But system lock (as I understand it) only would apply if the browser is still open. If you close the browser, then lock the computer (sleep?) BW would still be unlocked upon restart. I really think there needs to be an option to lock BW on computer powerdown / restart.

Yes, closing the browser supersedes everything except “never”.

That is unless you have unlock with PIN and uncheck the option to ask for master password. This way you only need to enter your PIN to unlock your vault.

Also, are you using Windows 7? Your scroll bars look different.


Why not encrypt your computer and configure your account to require a PIN or PW when logging on?

Based on what I observe on Windows, the rules go something like this:

  1. If you close the browser and wipe out the browser extension, Bitwarden will remove the vault from your computer. This is apparently by design so that hackers can’t access the Bitwarden vault. If you reopen the browser, you will need an internet connection to reopen the vault from the cloud because the local copy is just gone.

  2. This also means that if you restart or turn off the computer, the browser will go away and so does your vault.

  3. This supersedes any time setting. Let’s say you set the timeout to 15 minutes and you close the browser, it will close the vault even if the 15 minutes are not up.

  4. LastPass apparently has some option where the vault may be kept around even when the browser is closed but the computer was running. This setting does not exist in Bitwarden. A few users on this board have simulated this behavior by installing another extension that kept the Bitwarden extension running after the browser is closed, preventing the vault from closing.

  5. The setting for the vault to never close supersedes the close vault behavior. When you set the vault timeout to never, it stores that encryption key locally so that the vault can always be reopened without a password. Bitwarden warns you that this is less secure.

  6. When you log in again, the client can be configured to log in using a PIN rather than the master password and in some cases a fingerprint.

Yes, Win7 (old dog / old trick). I’ve tried the command line API hoping that I could lock BW at least on computer startup, but it only runs a separate session and can’t affect the fact that my browsers will still have BW open (darn). I’ve been thinking about writing a script that would run on computer startup that would open Firefox and Chrome and trigger the hotkeys in them to lock/logout of BW. Kludgy though! At least LastPass considers that action to apply to the entire device, not just the individual client.

@paulsiu: Interesting analysis. I’m very interested in the extension you speak about that keeps BW running after a browser closes, BUT would that then require a login if the computer was restarted?

IN SUMMARY: no one is going to use my computer while I’m at the house so I’d like to rarely enter my master password. BUT if someone breaks in and steals the computer (thus powering down), I don’t want them to be able to just restart the computer and get into my BW. Any setup that fills that need would make me happy! Please advise if you can provide a way to do this.

I haven’t tried it, but according to the other user, it does work to keep BW running.

Wouldn’t powering down also close your browser and thus Bitwarden unless you set it up to hibernate or standby? As long as you don’t set it to a parameter that is never, you will be forced to log in whenever you start the browser.

That’s just it: I open and close my browsers many times a day. Don’t want to have to log in to BW each time. Wouldn’t mind doing it even once a day (set to sleep overnight). But I definitely WANT to enter it after the computer has been powered down. Where is this extension available? I’ll check it out.

Wait, you’re worried about someone stealing your computer and not worried you’re using an OS that Microsoft has ended support for over a year ago?

I feel this is a bigger issue than someone breaking into your home.


Wysocki,
Read through this thread:

I am curious. I have worked with LastPass before, and I did not realize that it kept the session around when you close the browser. I recall the documentation saying that if you close all of the browser, it will kill the vault session. This means LastPass must keep a copy of the vault around. I am pretty sure Bitwarden does not do this out of security concerns.

I am not sure. Maybe it just leaves the password in memory and opens the vault when the browser is relaunched? Either way, why is having the vault open whilst your browser is closed, any less secure than having the vault open when the browser is open? Strikes me that any malware trying to read your unencrypted vault contents could just do it whilst your browser is open. And in fact probably would do it whilst your browser is open.

That would be for someone like the Bitwarden team to answer. Most likely they are probably trying to minimize attack profile. People don’t work on their computer 24/7 and people may not keep their computer up to date or use an OS that is no longer getting security updates. When you log out, the vault completely disappears, leaving nothing to attack.