I am using Chrome. What is the best setting to lock if I close my browser frequently?
Set your Vault Timeout Action to “Lock”, not “Logout”.
Other than that, it depends on your threat model and your appetite for risk.
The most secure option would be to set a short Vault Timeout period (maybe 15 min or less), and leave all other options as they are (default settings). The least secure option would be to set your Vault Timeout period to “Never”.
This totally depends on your preferences.
grb was quicker and more concise than my answer was going to be. So I’ll just add to their answer. If you’re looking for convenience without giving up too much security, you could set a PIN (and uncheck “lock with master password on browser restart”) or possibly use Biometrics.
Just a PSA: If you disable the option “Lock with master password on browser restart”, then the key required to decrypt your vault contents is stored on your device, and the key is protected (encrypted) only using whatever PIN that you have set. Because the encrypted vault and the PIN-protected key are stored together in the same file on your device, anybody with access to your device (whether temporary physical access as in an “Evil Maid”-type attack, physical access by someone who has purchased, found or stolen your device, or remote access via malware) can quickly make a copy of this file without your knowledge, and is then able to crack your vault by transferring the data to their own computer, and brute-force guessing your PIN. There is even a demonstration showing how a stolen vault data file can be cracked in a few seconds if it is protected by a 4-digit PIN and the setting “Lock with master password on browser restart” has been disabled.
Well that bites. I’ll have to reevaluate using that option then. Now I’m really looking forward to unlocking my vault with a hardware key.
It’s OK to use that configuration if your “PIN” is actually a strong, randomly generated password/passphrase, with a somewhat reduced entropy/length/complexity (as compared to your master password), which can be justified based on the likelihood of a successful attack against your device, and/or your ability to keep your device secure. For example, you might use a 2-word random passphrase for your PIN (instead of a 4-word random passphrase as you would use for your master password); this would reduce your entropy by 26 bits, which is OK if the probability of a successful attack against your device is 60 million times lower than the probability of a successful attack against the server hosting your vault (where the “probability of a successful attack” is the combined probability that an attack is attempted and that the attack succeeds in acquiring a copy of your encrypted vault).
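A small calculator for the entropy budget in the post above and the PIN-cracking risk described earlier in the thread. This is an added example, not code from the thread or from Bitwarden; it assumes a Diceware-style list of 7776 words and uses a made-up offline guess rate, since the real rate depends on the key-derivation settings.

```python
import math

# Assumption (not stated in the thread): passphrase words are drawn uniformly
# from a Diceware-style list of 7776 words, so each word is worth ~12.9 bits.
WORDLIST_SIZE = 7776


def keyspace(n_words: int, wordlist_size: int = WORDLIST_SIZE) -> int:
    """Number of equally likely random passphrases with n_words words."""
    return wordlist_size ** n_words


def entropy_bits(n_words: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Entropy of an n-word random passphrase in bits."""
    return n_words * math.log2(wordlist_size)


def pin_keyspace(digits: int) -> int:
    """Number of possible numeric PINs of the given length."""
    return 10 ** digits


def required_risk_ratio(master_words: int, pin_words: int,
                        wordlist_size: int = WORDLIST_SIZE) -> int:
    """Factor by which a device compromise must be less likely than a server
    compromise for the shorter PIN passphrase to leave the overall risk unchanged.
    It equals the ratio of the two keyspaces, i.e. 2**(entropy difference)."""
    return keyspace(master_words, wordlist_size) // keyspace(pin_words, wordlist_size)


def expected_crack_seconds(keyspace_size: int, guesses_per_second: float) -> float:
    """Expected offline brute-force time: on average half the keyspace is tried."""
    return keyspace_size / 2 / guesses_per_second


def compare(guesses_per_second: float = 1_000.0) -> dict:
    """Summarise the choices discussed in the thread. The guess rate is a
    constructed placeholder, not a measured figure for any real client."""
    return {
        "pin_4_digits_seconds": expected_crack_seconds(pin_keyspace(4), guesses_per_second),
        "passphrase_2_words_seconds": expected_crack_seconds(keyspace(2), guesses_per_second),
        "passphrase_4_words_seconds": expected_crack_seconds(keyspace(4), guesses_per_second),
        "entropy_reduction_bits": entropy_bits(4) - entropy_bits(2),
        "required_risk_ratio": required_risk_ratio(4, 2),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value:,.1f}")
```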
If your hardware key is something like a YubiKey 5 NFC, you can program the spare slot of the Yubico OTP application with a static password that you can use as pin (you can even pepper it).
I used to do that some time ago (I rotated that static password every week), but I ended up getting tired of the hassle it was and stopped doing it (not so big of a deal since I don’t uncheck that “lock with master password on browser restart”).
Another benefit of not disabling the “Lock with master password on restart” option is that it reduces the chances of you forgetting your master password. Of course you should also have an Emergency Sheet to guard against that risk.
Personally, I just unlock with the master password every time.
One argument for not entering the master password is to protect against shoulder-surfing, if you frequently have to unlock your vault in a public setting. In such cases, biometric unlock may be preferable.
Thanks for all the good replies! I should have added that it is on my Windows desktop, not a laptop.