You are here:Home»KB»Web Server»Web Security»My Bitwarden Notes
Sunday, 10 November 2024 13:33

My Bitwarden Notes

Written by

This collection of notes makes using Bitwarden easier.

 

Some thoughts (I might changemy mind)

  • You should not store your TOTP codes in Bitwarden
    • Bitwarden = Username and Passwords
    • 2FAS = TOTP codes
    • Protect your devices (i.e. mobile phone) with your fingerprint, Yubikey or PIN.
  • Enable 2FA on your Bitwarden vault with an external App (i.e. 2FA)
    • This makes everything 2FA (sort off)
    • Stops password guessing
    • Print your TOTP codes for Bitwarden

Settings

  • Domain Matching Issue
    • Using URIs | Bitwarden Help Center - Find out more about how URI match detection works in the Bitwarden password manager.
      • "browser extension --> Settings --> Options --> General --> Default URI match detection: Host"
    • You can set the match detection to “Host” on all your logins.
      • They will only be suggested when the host fully matches (subdomain and port included) the page you’re on.
    • Lastpass password manager had the ability to specify which mapping to perform for the example.com domain.
      • In Bitwarden Manager, the mapping happens either GLOBALLY or at the individual password / host / URL level. It is not comfortable.
  • Not Autofilling in passwords
  • How to add a custom field easily
    • Autofill Custom Fields | Bitwarden Help Center - Bitwarden can do more than just autofill your usernames and passwords! Bitwarden browser extensions can autofill custom fields to simplify filling in security questions, PINS, and more using the unique Tab view.
  • Bitwarden keeps timing out
  • Lock or Lockout
    • Vault Timeout Options | Bitwarden Help Center - Learn how to set a Vault timeout timer and behavior for your Bitwarden password manager.
    • Best Practices - Log Out or Lock? - Password Manager - Bitwarden Community Forums
      • It’s pretty simple:
        • Logging in retrieves a copy of your encrypted vault data from the cloud, stores the encrypted data file (data.json) in persistent storage on your device (e.g., on your hard drive), and automatically proceeds to unlock your vault.
        • Unlocking reads the data.json file, decrypts its contents, and stores the decrypted vault data in the memory of your device.
        • Locking clears the (decrypted) vault data from the memory of your device, but leaves the encrypted data.json file in persistent storage on your device.
        • Logging out clears the memory of your device (same as locking), but also purges the encrypted contents of the data.json file. Thus, your device no longer contains any vault data, either encrypted or decrypted, neither in memory nor on disk.
      • The majority of users stay logged in all the time, and just lock their vaults when not in use.
      • = lock
  • Floating Window
    • On the app click on the square with the arrow and resize as required
    • This floating window can stay open

Tutorials

 

Import / Export Data

2FA

  • I need some clarification on 2FA
    • Q:
      • Obviously if I just add an authenticator 2FA to my account and then I loose the tokens and my recovery codes I cannot access my account.
      • My question is, if I also add an alternative email for 2FA, will this be available and work even if I do not have my TOTP tokens and recovery codes?
    • A:
  • Two-step Login Methods | Bitwarden Help Center
    • The Bitwarden password manager supports multiple two-step login methods, also know as 2FA and two-factor authentication, such as through an authenticator app or email. Learn how to set up and use each method.
    • TOTP + email can be used for free
  • Two-step Login via Authenticator | Bitwarden Help Center - This article explains how you can add an extra layer of protection to your Bitwarden Vault by setting up two-step login with an authenticator app like Authy.
  • How To Set Up and Use 2FA on Bitwarden | Nerds Chalk - Let’s take a look at how to set up 2FA on Bitwarden and then how to use it. 
  • Integrated Authenticator | Bitwarden Help Center - Password Manager integrated authentication is an alternative to dedicated authentication apps which you can use to verify your identity for websites and apps that use two-step login and offers greater convenience.
  • Using Bitwarden for both passwords and TOTP (i.e both 2FA factors)
    • Benefits of using the Bitwarden Authenticator - Securing your GitHub Account with Bitwarden | Bitwarden Blog
      • With two-factor authentication built into Bitwarden, you can rest assured that you always have it handy and ready to go. Of course some people ask what is the point of having the two-factor authentication within Bitwarden and doesn’t this negate the value of two-factor?
    • Using the Bitwarden Authenticator with external accounts - Basics of two-factor authentication with Bitwarden | Bitwarden Blog
      • Of course, some may ask what is the point of having your username, email, and your two-step login code all stored within the same application — namely Bitwarden? Doesn’t that negate the value of two-step login?
      • The answer depends. Let’s break it down.
        1. Your Bitwarden Vault hopefully already has two-step login using some other method. (ie. do not use the Bitwarden Authenticator to protect your Bitwarden account.) Therefore it is currently protected with a high level of security and, in fact, two-step login.
        2. Having two-step login enabled for websites and applications is always better than not having it enabled. A tighter bundling of two-step login makes it easier to use more frequently, which promotes better security hygiene as a practice.
        3. If you need to share an item, you can share it with two-step login enabled, which, again, is better security practice. This is a collaboration and two-step login power move.
        4. You do not need to remember which authentication app you used, since it is built in.
        5. You can always choose, on an individual basis, which login you want to authenticate internally within the Bitwarden app, or externally using a separate Authenticator app.
      • Bitwarden users find that the integrated Authenticator functionality provides faster workflows with better security and dexterity for collaboration. Users also note that they apply different policies to different types of accounts. Primary financial institutions may be authenticated externally using a separate Authenticator app, while all of their ecommerce logins are authenticated internally within Bitwarden.
    • Security risks of using Bitwarden as authenticator and password manager - Password Manager - Bitwarden Community Forums
      • This is  great discussion about this topic and should be read in full.
      • Q:
        • I’d appreciate the opinions and inputs of others with more expertise in security. My concern of using Bitwarden as both authenticator and password manager is that it seems to defeat the whole purpose of two-factor authentication.
        • If someone were to hack into my Bitwarden account, they’d basically have access to everything, including the one-time passwords. Having the password manager separated from the authenticator by device and account seems to be a much more secure approach. For this reason, I’m currently not using Bitwarden as authenticator, only password manager. However, in principle I think this should be disabled completely for every users’ security. Again, I’m totally open to others’ thoughts.
      • A:
        • hwsamuel
          • Your Bitwarden Vault hopefully already has two-step login using some other method. (ie. do not use the Bitwarden Authenticator to protect your Bitwarden account.) Therefore it is currently protected with a high level of security and, in fact, two-step login.
        • Pulsar
          • I’ve thought about that long time ago and I came to conclusion that if you have 2FA on bitwarden you are just moving the 2FA from directly authenticating to authenticating on 2FA with bitwarden.
          • There is a higher probability of hacking any of your other accounts than bitwarden itself. Although you are theoretically increasing attack surface, as a hacker I would rather attack your direct account rather than bitwarden.
        • B0UNC3R
          • I would store the less sensitive OTP in Bitwarden (e.g., Amazon, random webshops) and use hardware security keys for the more sensitive stuff (e.g., email, banking).
        • slavdok
          • There are 2 concepts:
            • Two-Factor Authentication (2FA)
            • Two-Step Authentication (2SA)
          • A lot of times these are used interchangeably. They both offer increased security, but they are not the same. Having your 3rd-party account TOTP seeds stored in Bitwarden, unlocked by the same method as your 3rd-party account password (i.e. unlocked by single master password) downgrades them from 2FA to 2SA. A different factor would be something different than your master password. That’s why it’s called 2-factor.
          • A factor is not “another password”. A factor is one of:
            • Something you know (a password, a TOTP seed)
            • Something you have (a security key, a phone/device with TOTP seeds)
            • Something you are (biometrics)
          • You see above how storing 3rd-party passwords and 3rd-party TOTP seeds together (in password manager) makes it “same factor”, unlocked by the same method: something you know, i.e. the 1st-party master password. [But what about 1st-party 2FA? I will get to that later]
          • But is it a bad thing? Not always. That depends on your threat profile.
        • slavdok
          • But, what if you had Fingerprint (something you are) or PIN (something you know) on BW app? Well, that’s a 2nd factor. So now, if someone steals your phone (something you have), which would give them access to unlocked Authy, or SMS TOTP codes, for that matter, they still don’t have your BW MP (something you know) or PIN (something you know) or Fingerprint (something you are). They can steal the phone, marvel at the TOTP codes changing on the screen all day long, and they still cannot access your vault without the 2nd factor.
        • Ben86
          • I think we can all agree that using a separate TOTP app on a separate device is more secure.
          • The purpose of TOTP isn’t to protect against these Hollywood fantasy attacks, it’s to compensate for weak passwords or buy time for password leaks, not your computer getting hacked. Storing TOTP in BW still delivers on this.
        • Carlos
          • I use an external app as a 2FA for my bitwarden account so even if someone managed to steal my bitwarden credentials, they would still need a 2FA to gain access.
        • icefyre
          • If you have a secondary authentication app that requires biometrics for access which is different than Bitwarden (and maybe even on a different device, for example an app on your phone rather than on your PC) you will have introduced yet another layer of security and difficulty for the attacker to access those particularly sensitive accounts.
          • The main argument I would say in favor of storing TOTP code in Bitwarden is convenience.
          • If you are less likely to use MFA due to the inconvenience of using authenticator apps and Bitwarden would make you use it more then you should probably use this feature (e.g. people with lower risk tolerance or family members with less technical proclivities).
          • Otherwise, separating the authenticator app from the password manager would add an extra layer of security and it probably the right way to go.
    • Where do you store your 2FA backup codes? | Reddit
      • Q:
        • Imagine this scenario: Your house burns down and you lose your phone and the printed backup codes with it, locking you out of your account.  
        • Should i store my backup codes elsewhere or is there any other approach for this? Or am i just overthinking this?
      • A:
        • atoponce
          • Key points
            1. You should not use Bitwarden for your 2FA. Use a mobile app that supports backups (Aegis, andOTP, etc (not Google Authenticator)).
            2. 2FA TOTP backup codes should be stored in a separate password manager, like KeePass, etc..
            3. Your TOTP app (Aegis, etc) and TOTP backup codes (KeePass, etc) should be backed up to at least two locations.
          • Keeping TOTP out of Bitwarden prevents a single point of failure with compromises. If your Bitwarden vault is compromised, you don't want your accounts where 2FA is enabled to be compromised also. Keep TOTP away from your main password manager.
          • The backup codes service providers give you when you enable 2FA should be saved, in case you lose your device where you're managing TOTP. Again, don't put them in Bitwarden. Put them in a second password manager like KeePass or KeePassXC, for the same reason. That means you have:
            • Bitwarden: Managing account passwords
            • Aegis/andOTP: Managing TOTP codes
            • KeePass: Managing 2FA backup code
          • All of these support backups. So take advantage of that! Export your Bitwarden vault, export your Aegis/andOTP entries, and copy your KeePass vault. A backup is not a backup if you only have one copy! So put them in multiple places.
          • ........and more.....
    • What do you do to keep from being locked out because of 2FA? | Reddit
      • I’m curious what everyone does so that they don’t lose access to their 2FA and/or account? For example, you lost everything due to a fire and the firefighter drags your unconscious body out how would you get back in your account? (A little dramatic but you get my point).
      • Second Bitwarden account.
    • Should Secure Notes be used to store 2FA backup codes? | Reddit
      • Q:
        • Just wondering what the use case for Secure Notes is and realized one thing I never know how to store are 2FA backup codes.
      • A:
        • The way I see it: If you use BW´s 2fa feature, you might as well save the backup codes of the respective services within BW. Because after all, the only way for me to get to your backup codes is to get full on access to your BW vault, where I also had the 2FA for the stored services so I wouldn´t even need the backup.
        • As for the actual location within the vault: I also used the secure notes at first. But I quickly came to realize that it is more logical to store them in a "hidden" field within the actual entry for the respective service.
    • Not Bitwardern
      • Best way to store 2FA backup codes | Reddit
        • Q:
          • When I enable 2-factor authentication, some websites (like Google, Github, etc.) offer a few backup codes which I can use to login in case I lose access to my phone/2FA app.
          • Earlier I used to store these in my password manager itself. However, I just realised that having the backup codes along with my passwords defeats the purpose of 2FA as anyone having access to my password manager now also has my 2FA codes.
          • So just wanted to know what strategy other people use or what is the best way to store these codes.
        • A:
          • There are a number of methods, each have its Pros and Cons.
            1. Storing it in the cloud
            2. Storing in a second 2FA service
            3. Storing it offline in a thumb drive
            4. Add a second device (ie 2 x YubiKeys)
            5. Paper
          • I know the OP is talking about backup codes! However, for 2FA codes themselves I like the Yubico Authenticator - Yubikey as I get the ease of access of an Authenticator but the codes are stored on the Yubikey so nothing in the app until I refresh the nfc!
      • Should you store your 2FA/TOTP tokens in your password manager? | James Cridland - radio futurologist - Wouldn’t storing your two-step verification codes in the same place as your passwords be the stupidest thing imaginable?

 

 

 

 

 

 

Misc

Read 173 times Last modified on Sunday, 10 November 2024 16:13
Published in Web Security
back to top