Why does my web vault ALWAYS ask for my master pswd?

I’ve never opened my web vault and not been prompted for my master pswd.

In my web settings I’ve got vault timeout = 4 hours and timeout action = lock.

In the Chrome extension I’ve got vault timeout = 4 hours, timeout action = lock, and Unlock with PIN checked.

I am not sure exactly what you are asking, but perhaps the information in this link will help:

Thanks, I’ve read that article. I’m asking why lock and timeout policy aren’t working according to my settings (and how I understand they should work). I’ve got 2FA set up (Authy) and a PIN set.

Given my settings (post 1) I would expect only to be prompted for my PIN every 4 hours to access either my web vault or the Chrome extension. Instead, I’m prompted for my master pswd every time I access either.

BTW, Master Password is not set to Enable in Authy.


Did you see this part in the article I linked above:

If you close your browser tab, you will be logged out of your web vault. Closing a single tab will not affect a browser extension.
If you quit your browser, you will be logged out of both your web vault and browser extension.


I’m confused by this statement, as it does not match my experience. When I quit my browser (Chrome, Incognito mode) while logged in to the vault, the browser extension is locked but not logged out whenever I restart the browser. Possibly relevant Bitwarden settings: PIN unlock not enabled, Vault-timeout 30 min (not “Never”).

I’m wondering if this may be related to the following vulnerability that has been reported on Github for the Chrome web extension:

Thus, the behavior I’m seeing on Chrome may be the result of the Chrome browser extension being unable to log itself out.

Ah, OK. Now we’re getting somewhere.

So I am a little confused here. I read https://bitwarden.com/help/vault-timeout/#vault-timeout but it still doesn’t make sense.

The browser extension has these options for Vault timeout:


The fact that On browser restart is an option, leads me to believe that the other options, like 4 hours, will NOT lock my vault on browser restart. Meaning, if I close all my browser windows and then reopen Edge, the vault should still be unlocked because it has not been 4 hours.

What am I missing?

I want the vault to only lock after 4 hours – even if I have closed all the browser windows, as long as it has been less than 4 hours before I reopen the browser.

This guidance appears near the top of the page you linked - I think you must have missed it:

If you quit your browser, you will be logged out of both your web vault and browser extension

I didn’t miss it; it doesn’t make sense.

On browser restart, the vault is not logged out, it is locked – as indicated in this message:


True, that wording could be more precise. It should say logged out or locked, depending on your settings, I guess.

Regardless, closing your browser always forces a logout or lock for security reasons. The timeout options apply when the browser is running.

Humm. Since the Never option works, is there any way to make the time limit options stick to just the time limit and not the browser restart? If it’s possible with Never, it must be possible for other options?

No, that’s not possible. As soon as the browser is closed, all the sensitive info stored by Bitwarden in secure memory is deleted when the browser’s memory space is released. The Never option is also not recommended because it stores some sensitive info on your computer’s disk drive, where it is less secure than in memory.

If you are new to Bitwarden, you will find that their approach to their software design is secure-first, convenience-second (which is backwards compared to a LOT of popular password managers out there who cater to convenience and user experience at the expense of security). Personally, I prefer the secure-first approach and am more than willing to accept small inconveniences like this. Not all will agree, however, and features like Never timeout are there as a compromise for those folks, I suspect.
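The behaviour explained in the two replies above (the timeout timer only runs while the browser is open; closing the browser discards the in-memory key, so every option except Never ends up locked or logged out on restart, and Never only survives because it keeps a copy on disk), as an added toy model in JavaScript. This is not Bitwarden's code; the class, the key-derivation stand-in and the option names are constructed for illustration.

```javascript
// Added toy model, not Bitwarden's code: the unlock key lives only in
// memory, so a browser restart discards it for every timeout setting
// except "never", which keeps a copy on disk (constructed names throughout).
const HOUR_MS = 60 * 60 * 1000;

class VaultSession {
  // timeout: milliseconds, "never" or "onRestart"; action: "lock" | "logout"
  constructor({ timeout, action }) {
    this.timeout = timeout;
    this.action = action;
    this.loggedIn = false;
    this.memoryKey = null; // held only while the browser process runs
    this.diskKey = null;   // populated only by the "never" option
    this.idleMs = 0;
  }

  login(masterPassword) {
    // Constructed stand-in for the real key derivation.
    this.loggedIn = true;
    this.memoryKey = `key-from:${masterPassword}`;
    this.diskKey = this.timeout === "never" ? this.memoryKey : null;
    this.idleMs = 0;
  }

  // The idle timer only advances while the browser is open.
  idle(ms) {
    this.idleMs += ms;
    if (typeof this.timeout === "number" && this.idleMs >= this.timeout) {
      this.applyTimeoutAction();
    }
  }

  applyTimeoutAction() {
    this.memoryKey = null;
    this.diskKey = null;
    if (this.action === "logout") this.loggedIn = false;
  }

  // Closing the browser releases its memory; only a disk copy survives,
  // so elapsed time is irrelevant and the timeout action is forced.
  browserRestart() {
    this.memoryKey = this.diskKey;
    this.idleMs = 0;
    if (this.memoryKey === null) this.applyTimeoutAction();
  }

  status() {
    if (!this.loggedIn) return "logged out";
    return this.memoryKey === null ? "locked" : "unlocked";
  }
}
```

Running the 4-hour/lock settings from the original post through the model shows the vault still unlocked after one idle hour but locked the moment the browser is restarted, while the Never setting is the only one that comes back unlocked.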

I work in cybersecurity. So I get/agree with you. But security is, ultimately, a decision users make. Not everyone has the same threat landscape. A bad actor would have to jump through numerous hoops to get to my machine to be able to access my BW if it was unlocked. For me, having it work the way I want is still extremely secure because of my setup.

I do get why BW does it how it does it, and I do get having sane/safe defaults. But, at the end of the day, user experience and user satisfaction is what drives product success and, in that vein, for users like me, I think there should be an option to do what I am describing.

Mind you, security is never “secure-first”. It’s always, “assess-first”, then secure accordingly. Do you lock your front door when you step out to throw the trash? Probably not. But you do lock it if you leave the house other times. There is no one-size-fits-all for security. Trying to pigeon-hole all users into one security profile is what turns users off and away. And it ultimately leads to users doing dumb/stupid things that make them LESS secure. It’s our job, as security developers and architects, to make products easier for them.

Like I said, not everyone will agree. But it sounds like the Never option suits your needs best.

It also sounds like you might be interested to vote for this feature request:


No. I don’t like the never. For my use-case every 4 hours at most would be best.

As a (non-elegant) workaround, you might consider always leaving your browser open in the background. Macs do this by default when you close all your browser tabs, which I find very convenient, but on Windows or Linux you have to minimize the browser manually when you are done with it.

Yeah. My workflow habit is to close all windows. I might see if I can find a way to force it to never close. I am sure there is a way to force Edge to always be running.


A post was split to a new topic: Vault locks prematurely