The Bitwarden Blog
Vault Security in the Bitwarden Password Manager
July 13th, 2020
As your password manager, Bitwarden takes vault security seriously. This secure approach includes end-to-end encryption, administrative controls, and safety for client applications. Let’s take a closer look at each.
Bitwarden uses end-to-end encryption for all vault data. Only your email and master password can decrypt your vault. Bitwarden does not have the ability to see any data in your vault.
Since your data is fully encrypted before ever leaving your local device, no one from the Bitwarden team can ever see, read, or access your data. Bitwarden servers only store encrypted and hashed data. This is an important step that Bitwarden takes to protect you. To put it simply, your data is encrypted at the moment it is stored on your device and remains that way until you view it with your unique email and master password combination. You can read more about how your data is encrypted and transmitted in our help article here.
In the case of organizational data, every organization has its own encryption key that is shared with authorized members of that organization. So, the same encryption protection applies to shared organization vaults.
For organization accounts such as Teams and Enterprise, administrative controls provide additional levels of vault security.
When you invite users to join an organization you have the choice to set
- User type, which provides a range of administrative rights
- Access control, which enables you to control item permissions
For more info on user types and access control, see this help note.
Hide Password Warning
Enabling hidden passwords prevents the easy copy and paste of hidden items, however it does not completely prevent user access to this information. Please treat hidden passwords as you would any shared credential.
Enterprise policies allow administrators to create a secure foundation for their teams, and extend the use of security best practices across any size organization:
- Two-step Login: Require all users to enable two-step login
- Master Password: Configure the minimum complexity and length of passwords for your team
- Password Generator: Set guidelines for end user password generation to fit with the organizational requirements
The final part of the secure-information-sharing chain is the end user and the client applications they employ. Bitwarden supports a wide range of applications to make storing and sharing secure information accessible to all.
All Bitwarden client applications encrypt the vault data before it is ever stored and, of course, once two-step login is enabled for your Bitwarden account, that too will apply across all client applications.
Bitwarden applications also come with settings for Vault Timeout, which allows you to set how your vault should lock or log out within a specific time.
All clients offer the setting to Unlock with PIN, and mobile applications provide the ability to Unlock with Biometrics.
The Desktop and Mobile clients offer the option to clear your clipboard within a specified interval. Here’s a breakdown of what those options are to date:
|Settings||Choices||Desktop||Browser Extension||Web Vault||Mobile|
|Vault Timeout||Options by client app|
|Vault Timeout Action||Lock or Log Out|
|Unlock with PIN Code|
|Unlock with Biometrics||Options by device|
|Settings > Options|
|Clear Clipboard||10 sec to 5 min|
Of course the best security also involves end user awareness and education. In addition to understanding the options available within the Bitwarden solution and clients, take the time to ensure your users know how to manage their computing environments securely.
For more information or to sign up for a free Bitwarden account visit bitwarden.com.
Back to Blog