Do you know if it’s in memory even after the unlocking process is finished?
In other systems (that are NOT available offline!), you don’t have access to the whole vault from a memory dump.
You COULD get all the vault items by making API requests using a token found in memory, but it’s not as easy as getting them from memory.
I’m not sure that this is possible, since Bitwarden is working “online” (at least “on-intranet-line”), so the device can be infected through the network at the end. But I get the idea.
Not sure which product in particular you are referring to above, but this is not a general truth, and it has nothing to do with offline availability. For example an ISE report from 2019 demonstrated that the entire vault was stored decrypted in memory when using 1Password or Dashlane; even in KeePass, every vault entry that the user has interacted with remains stored in memory. In addition, unless you have personally verified the claim (or can reference a report in which the claim has been tested), I would take any assertion about memory management with a grain of salt.
It is your responsibility to properly secure your devices against malware. You should worry about this maybe if you are a high-value target who may be attacked using a zero-day exploit, but otherwise, you should not be at risk if you practice good internet hygiene and use appropriate malware defenses.
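As an added illustration of the memory-lifetime point above (not code from this thread, and not Bitwarden’s or any vendor’s code), a small C model: a vault entry is decrypted into a caller-owned buffer, used, and then either left as-is or scrubbed; a check afterwards shows whether the plaintext still sits in that memory. The toy XOR “cipher”, key, ciphertext and password are constructed for the demo only.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample data: a toy XOR keystream and the ciphertext of the
   16-byte entry "hunter2-secret!!" under it. Stand-in for real decryption. */
static const uint8_t SAMPLE_KEY[8] = {0x5a,0xa5,0x3c,0xc3,0x0f,0xf0,0x69,0x96};
static const uint8_t SAMPLE_CT[16] = {0x32,0xd0,0x52,0xb7,0x6a,0x82,0x5b,0xbb,
                                      0x29,0xc0,0x5f,0xb1,0x6a,0x84,0x48,0xb7};
static const uint8_t EXPECTED_PT[16] = "hunter2-secret!!";

/* Portable wipe: calling memset through a volatile function pointer keeps the
   compiler from treating the store as dead and removing it (same intent as
   explicit_bzero/memset_s, without depending on either being available). */
static void *(*const volatile wipe_fn)(void *, int, size_t) = memset;
static void secure_wipe(void *p, size_t n) { wipe_fn(p, 0, n); }

/* Decrypt one entry into buf, "use" it (find the '-' separator), and return
   the separator index. wipe_after selects whether the plaintext is scrubbed
   before returning. Note: this only addresses this buffer; copies in
   registers, swap or intermediate buffers are a separate concern. */
int reveal_and_use(uint8_t *buf, size_t n, int wipe_after) {
    int sep = -1;
    for (size_t i = 0; i < n; i++) {
        buf[i] = SAMPLE_CT[i] ^ SAMPLE_KEY[i % sizeof SAMPLE_KEY];
        if (sep < 0 && buf[i] == '-') sep = (int)i;
    }
    if (wipe_after) secure_wipe(buf, n);
    return sep;
}

/* Does the buffer still hold the plaintext after the operation returned? */
int plaintext_lingering(const uint8_t *buf, size_t n) {
    return n == sizeof EXPECTED_PT && memcmp(buf, EXPECTED_PT, n) == 0;
}

/* Two end-to-end checks: the buffer is still in scope here, so reading it
   after reveal_and_use returns is well defined. */
int lingers_without_wipe(void) {
    uint8_t buf[16];
    return reveal_and_use(buf, sizeof buf, 0) == 7 && plaintext_lingering(buf, sizeof buf);
}
int lingers_with_wipe(void) {
    uint8_t buf[16];
    return reveal_and_use(buf, sizeof buf, 1) == 7 && plaintext_lingering(buf, sizeof buf);
}
```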
I’m a Bitwarden fan and I didn’t want to be mean when I dropped the “in rare cases”: that was just not the important thing for me and I thought it could be disturbing for others. But I could/should have left it in my quote. Sorry for that.
Thank you for that. I was thinking of Passbolt and LockSelf, which seem not to copy the vault locally when accessing it, but I haven’t tested it, so this is NOT accurate.
I was talking about theoretical attack possibilities.
I’m OK with your last point. It’s just that (to my mind) no system connected to a network is secure enough to not “potentially be infected by malware”, so Bitwarden should not be installed on any device in this case. But that seems to be extreme. That was my point and I think we’re OK in the end.
The point is that if an attacker is able to install malware running on your device, it is impossible for any password management system to protect your secrets — there will always be a multitude of ways that the secrets can be accessed in such a scenario (for example, by using a key logger to sniff your master password, or by sending API requests, etc.).
Thus, it is somewhat meaningless to theorize about securing a password manager on a system that has already been compromised by malware.