Thanks, I’ve read that article. I’m asking why lock and timeout policy aren’t working according to my settings (and how I understand they should work). I’ve got 2FA set up (Authy) and a PIN set.
Given my settings (post 1) I would expect only to be prompted for my PIN every 4 hours to access either my web vault or the Chrome extension. Instead, I’m prompted for my master pswd every time I access either.
BTW, Master Password is not set to Enable in Authy.
Did you see this part in the article I linked above:
If you close your browser tab, you will be logged out of your web vault. Closing a single tab will not affect a browser extension. If you quit your browser, you will be logged out of both your web vault and browser extension.
I’m confused by this statement, as it does not match my experience. When I quit my browser (Chrome, Incognito mode) while logged in to the vault, the browser extension is locked but not logged out whenever I restart the browser. Possibly relevant Bitwarden settings: PIN unlock not enabled, Vault-timeout 30 min (not “Never”).
I’m wondering if this may be related to the following vulnerability that has been reported on Github for the Chrome web extension:
Thus, the behavior I’m seeing on Chrome may be the result of the Chrome browser extension being unable to log itself out.
The browser extension has these options for Vault timeout:
The fact that On browser restart is an option, leads me to believe that the other options, like 4 hours, will NOT lock my vault on browser restart. Meaning, if I close all my browser windows and then reopen Edge, the vault should still be unlocked because it has not been 4 hours.
What am I missing?
I want the vault to only lock after 4 hours – even if I have closed all the browser windows, as long as it has been less than 4 hours before I reopen the browser.
Humm. Since the Never option works, is there any-way to make the time limit options stick to just the time limit and not the browser restart? If it’s possible with Never, it must be possible for other options?
No, that’s not possible. As soon as the browser is closed, all the sensitive info stored by Bitwarden in secure memory is deleted when the browser’s memory space is released. The Never option is also not recommended because it stores some sensitive info on your computer’s disk drive, where is is less secure than in memory.
If you are new to Bitwarden, you will find that their approach to their software design is secure-first, convenience-second (which is backwards compared to a LOT of popular password managers out there who cater to convenience and user experience at the expense of security). Personally, I prefer the secure-first approach and am more than willing to accept small inconveniences like this. Not all will agree, however, and features like Never timeout are there as a compromise for those folks, I suspect.
I work in cybersecurity. So I get/agree with you. But security is, ultimately, a decision users make. Not everyone has the same threat landscape. A bad actor would have to jump through numerous hoops to get to my machine to be able to access my BW if it was unlocked. For me, having it work the way I want is still extremely secure because of my setup.
I do get why BW does it how it does it, and I do get having sane/safe defaults. But, at the end of the day, user experience and user satisfaction is what drives product success and, in that vein, for users like me, I think there should be an option to do what I am describing.
Mind you, security is never “secure-first”. It’s always, “assess-first”, then secure accordingly. Do you lock your front door when you step out to throw the trash? Probably not. But you do lock it if you leave the house other times. There is no one-size-fits-all for security. Trying to pigeon-hole all users into one security profile is what turns users off and away. And it ultimately leads to users doing dumb/stupid things that make them LESS secure. It’s our job, as security developers and architects, to make products easier for them.
As a (non-elegant) workaround, you might consider always leaving your browser open in the background. Macs do this by default when you close all your browser tabs, which I find very convenient, but on Windows or Linux you have to minimize the browser manually when you are done with it.