Were you aware!
level 1
That's why use an 18 character or longer password
level 2
It's only legal if it's over 18 anyways
level 2
I use 28. Obnoxiously long.
level 1
Criticisms from this article:
Bitwarden does not warn about this risk.
...
However, Bitwarden takes little effort in communicating the risks of choosing a short low-entropy PIN. Currently there is very little information to be found about the PIN in Bitwarden documentation.
Bitwarden's help docs on using PINs: https://bitwarden.com/help/unlock-with-pin/.
Warning
Using a PIN can weaken the level of encryption that protects your application's local vault database. If you are worried about attack vectors that involve your device's local data being compromised, you may want to reconsider the convenience of using a PIN.
level 2
When I read that part I recalled reading an official warning about the feature.
The article was too alarmist in tone.
level 2
It also looks like in the author’s own screenshot, the PIN entry is even warning about using an insecure PIN. Big red letters saying low entropy. Seems like the author just kind of “glossed over” anything counter to their argument lol.
level 2
Yeah, PINs are not the best security for your vaults, and Bitwarden is pretty transparent about it.
I use biometric with the occasional prompt for password on my laptop and same on my mobile.
level 2
Why does the feature exist? If it is possible to use Bitwarden without a PIN, why is there a PIN?
level 1
Very poorly researched article that tries to warn people about all the wrong things.
If someone gets your laptop, with which they will have your username and password, or your disk is unencrypted, then the reality is that you would have used an already easy password for your PM.
One can easily read details about the features in the app's docs. It's like unlocking Windows with a 6-digit PIN. Are you going to tell us that you did not understand that it was easy to crack?
level 1
Am I just too tired to think straight or are we missing a few easy remediation options in the article?
- enforce high entropy PIN (kind of making the PIN obsolete, might as well use the password)
- enforce use of complex master password (definitely making PIN obsolete AND the master password is the standard option anyway)
level 2
PIN and password have different meanings. They are not interchangeable.
PIN is used on the device and nowhere else. This means even if your PIN is stolen, the bad actor must also have access to your device to unlock the vault. The same can't be said for passwords.
level 1
Who knew 4 digit pins were insecure? /s
This is a non-issue article, if you care about securing your vault, you wouldn't use the 4-digit pin.
level 2
Yeah, but you only get 3 tries, and then the master password will be asked again. Of course that is, if you (the attacker) aren't smart and copy the PIN-locked vault. Then you can have as many tries as you want...
level 1
Shocked Pikachu
Low entropy pins are less secure than higher entropy passwords...
level 1
As far as I know, you would need access to the device with the PIN that is enabled anyway.
So if someone has managed to gain access to your device and has it logged in, I don't think your concern is so much the PIN for your Bitwarden extension/application at this point.
level 1
You need physical access to the device to use PINs; PINs don't work even over RDP. Not a real security risk. It does support Windows Hello; not sure if it supports FIDO2 yet.
level 2
Not sure why this is being downvoted. Biometric unlocks are the way to go.
level 1
Bitwarden specifically warns you about using a PIN in their docs. Literally, a 4-digit PIN is weak when compared to an actual password.
level 1
Since it's saying it takes only 4 seconds to brute force a 4-digit PIN, what about using a 10+ digit PIN? Because using my very strong master password every time I use Bitwarden is not comfortable.
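Two comments in this thread describe the same mechanism: one points out that the three-try limit stops mattering once an attacker copies the PIN-locked vault, and the one just above asks how much a longer PIN buys against that. The script below is an added example and is not code from the thread or from Bitwarden; the KDF choice (PBKDF2-HMAC-SHA256), iteration count, verifier-tag layout, sample PIN and three-attempt lockout are all assumptions made only to show why a client-side counter cannot rate-limit an offline search, and how the search cost scales with PIN length.

```python
"""Why a client-side retry limit does not protect a copied PIN-locked vault.

Added example, not Bitwarden's code. The KDF, iteration count, verifier layout,
sample PIN and 3-try lockout below are assumptions chosen for illustration.
"""
import hashlib
import hmac
import itertools
import secrets
import time
from typing import Optional, Tuple


def lock_with_pin(pin: str, iterations: int, salt: Optional[bytes] = None) -> dict:
    """Derive a key from the PIN and store a verifier tag next to the salt.

    A real client would also wrap the vault key with this derived key; the tag
    alone is enough to show that a guess can be checked without the app.
    """
    salt = salt if salt is not None else secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)
    tag = hmac.new(key, b"pin-verifier", "sha256").digest()
    return {"salt": salt, "iterations": iterations, "tag": tag}


def pin_matches(record: dict, pin: str) -> bool:
    """Recompute the tag for a candidate PIN and compare in constant time."""
    key = hashlib.pbkdf2_hmac("sha256", pin.encode(), record["salt"], record["iterations"])
    candidate = hmac.new(key, b"pin-verifier", "sha256").digest()
    return hmac.compare_digest(candidate, record["tag"])


class LockedOut(Exception):
    """Raised once the client has used up its allowed PIN attempts."""


class PinUnlockClient:
    """The online path: the attempt counter lives in the app, not in the data."""

    MAX_ATTEMPTS = 3  # assumed lockout threshold, mirrors the '3 tries' in the thread

    def __init__(self, record: dict):
        self.record = record
        self.failed = 0

    def try_unlock(self, pin: str) -> bool:
        if self.failed >= self.MAX_ATTEMPTS:
            raise LockedOut("master password required")
        if pin_matches(self.record, pin):
            self.failed = 0
            return True
        self.failed += 1
        return False


def offline_brute_force(record: dict, digits: int) -> Tuple[Optional[str], int, float]:
    """The offline path: enumerate every PIN of the given length against a copy
    of the stored record. Nothing here consults, or can be stopped by, the
    client's counter. Returns (pin_found, guesses_made, seconds_elapsed)."""
    start = time.perf_counter()
    guesses = 0
    for combo in itertools.product("0123456789", repeat=digits):
        pin = "".join(combo)
        guesses += 1
        if pin_matches(record, pin):
            return pin, guesses, time.perf_counter() - start
    return None, guesses, time.perf_counter() - start


def worst_case_seconds(seconds_per_guess: float, digits: int) -> float:
    """A full search of a numeric PIN space grows tenfold per extra digit."""
    return seconds_per_guess * 10 ** digits


if __name__ == "__main__":
    record = lock_with_pin("0731", iterations=10_000)  # constructed sample PIN
    client = PinUnlockClient(record)
    for guess in ("0000", "1234", "1111"):
        client.try_unlock(guess)
    try:
        client.try_unlock("0731")  # correct PIN, but the app has already locked out
    except LockedOut as err:
        print("client:", err)
    pin, guesses, elapsed = offline_brute_force(record, 4)
    print(f"offline: recovered {pin} after {guesses} guesses in {elapsed:.1f}s")
    per_guess = elapsed / guesses
    for d in (4, 6, 8, 10):
        print(f"{d} digits: worst case {worst_case_seconds(per_guess, d):.0f}s on this machine")
```

The measured per-guess cost is dominated by the KDF iteration count, so the worst-case figures printed for 6, 8 and 10 digits scale by exactly a factor of ten per digit; a ten-digit PIN moves the search from seconds to years on a single core only if the iteration count is high enough, and a GPU or a cluster divides that figure accordingly. The lockout, by contrast, adds nothing once the record has been copied.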
level 1
You've gotta be a dummy to fuckin use a 4-digit PIN. They might call it a PIN, but it's a password like any other. Mine is complicated yet shorter than the main one. Enough for me to type it quickly. The main purpose of the PIN.
level 2
What’s your phone number with area and country code? Also can I have your device too please? I really want that RuneScape account password you’ve got tucked away in there.
Edit: I don’t understand why people are strongly against the 4-digit PIN. If someone owns your device, no length is going to make a difference in them getting your PIN. If someone physically steals my device, I’ve got a slew of other things to worry about, but by the time they hook it up and are trying to brute force in, that master password and session will be expired.