I’ve seen some other posts here that may address my question, but the tech jargon is way over my head (maybe others feel the same?). I’d really appreciate it if someone could dumb these answers down into a “Explain Like I’m 5” type of deal.
I travel a lot and use public wifi, but oftentimes my VPN doesn’t want to cooperate.
If I’m on public wifi:
1.) On laptop - Can I enter in my master password to unlock the Bitwarden extension WITHOUT being connected to a VPN? Or should I always have a VPN running? (sometimes VPNs don’t like to work while traveling).
2.) On laptop - If VPN is not active, but Bitwarden extension is unlocked, can I copy and paste passwords and sensitive info into websites? Or is copy/pasting just as dangerous as typing them in manually?
3.) On phone - do I need VPN activated whenever I enter in a passcode/PIN to open an app? What about if I’m logging into things using Bitwarden passwords that I unlock with Face ID?
Apologies in advance if these are stupid questions. Thanks so much!
It’s more about the device than the network in 99% of cases.
Basically, don’t open your Bitwarden vault on a computer or phone you don’t 100% trust.
Not only is the connection to Bitwarden encrypted, but so is your vault, so it’s doubly encrypted, so time is better spent worrying about the device than the network. VPNs are kind of oversold, not that they’re useless, but advertising has people overthinking them.
VPNs are largely useless when it comes to “protect me from having my shit stolen on public wifi”. Basically every phone app requires you to use HTTPS, along with extensions like bitwarden. Websites can be a bit hit or miss, they can certainly require you to use HTTPS, although many don’t even though they should (reddit, google, etc). Either way, you’re almost certainly wasting your money if the reason you get a VPN is to protect you from that kind of threat.
VPNs are typically useful for two situations: a) you need to appear to come from a different physical location (want to watch that Netflix while you are away in Europe, or SkyTV in the US) or b) you want to do a better job hiding what you’re doing from the network provider you’re on, because say you’re gay but attending BYU, and you’re using your own device which you have full control over.
1.) If you are on the legitimate BitWarden website, using the BitWarden extension or using the BitWarden app, then your plain text master password never leaves your device. It is hashed before being sent to the BitWarden server and the hashing process cannot be reversed. This hash is sent over an encrypted connection and so it cannot be intercepted.
The risk is that you’ll be tricked into visiting a fake BitWarden website and enter your master password there. So I wouldn’t visit the BitWarden website when on public wi-fi. A reputable VPN may reduce this risk and provide some protection against fake websites. However, you are essentially deciding to trust the VPN company more than the public wi-fi provider.
In addition, especially when visiting the BitWarden website, make sure you are not using a browser with any unnecessary extensions. They can have broad permissions to scan the page and a rogue one could harvest your login credentials.
2.) The same logic applies to other websites. Auto-filling using the BitWarden extension is safer because it will not auto-fill most fake websites.
3.) Passcodes/PINs are local to your device and of no value to an attacker who has not already compromised your device.
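To make point 1 concrete, here is an added illustration (not Bitwarden's own code) of the shape of a client-side scheme in which the master password is run through a slow hash on the device and only a derived value is sent to the server. The function names, the use of the account e-mail as salt and the iteration count are assumptions chosen for this example; the point it shows is that the vault key stays on the device and the network only ever carries the second derivation.

```python
import hashlib
import hmac

# Assumed parameters for this illustration (not taken from the project):
# PBKDF2-HMAC-SHA256, e-mail as salt, a large iteration count to slow guessing.
KDF_ITERATIONS = 600_000


def derive_master_key(master_password: str, email: str) -> bytes:
    """Key that encrypts the vault. Computed on the device and never transmitted."""
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, KDF_ITERATIONS
    )


def login_hash(master_key: bytes, master_password: str) -> bytes:
    """One further derivation of the master key; this is the only value sent for login."""
    return hashlib.pbkdf2_hmac("sha256", master_key, master_password.encode("utf-8"), 1)


def client_login_message(master_password: str, email: str) -> dict:
    """What the client puts on the wire (inside TLS): e-mail plus the login hash, never the password."""
    key = derive_master_key(master_password, email)
    return {"email": email.strip().lower(), "login_hash": login_hash(key, master_password).hex()}


def server_verify(stored_login_hash: bytes, presented_login_hash: bytes) -> bool:
    """Constant-time comparison on the server side against the value it stored at signup."""
    return hmac.compare_digest(stored_login_hash, presented_login_hash)


if __name__ == "__main__":
    # Constructed sample credentials for the demonstration.
    msg = client_login_message("correct horse battery staple", "alice@example.com")
    print("sent to server:", msg)
```

A useful way to read this: an observer of the network (or the server itself) receives only `login_hash`, which depends on a slow derivation it cannot run backwards; the vault-encrypting `master_key` is never part of the message.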
This is very helpful! Right now I’m in Egypt and can’t get my VPN to connect at all. So as long as I’m on my own laptop, I shouldn’t stress about typing in my Bitwarden master password into the extension, auto-filling passwords, etc when on janky wifi connections at restaurants and such?
People have pounded the idea of “ALWAYS USE A VPN ON PUBLIC WIFI!” into my head, so I’ve been paranoid. But after reading these comments, I’m wondering if the people who preach that might just be repeating inaccurate advice. 
Yes, sometimes I use a VPN to access geoblocked sites while traveling, but most of the time I use it is for fear that someone will steal my identity or passwords or something while on public wifi. If the latter is not a risk as long as I’m using HTTPS… is there a way to set Chrome to only allow websites with HTTPS so I never have to worry about it?
For the average person, VPNs provide no benefit at all.
That’s not true. A VPN hides traffic and DNS queries from your ISP. Depending on the country, this means circumvention of legal (meta)data retention. Furthermore, a VPN can circumvent internet filters and blocked websites, as well as allow access to geo-restricted content. Lastly, a VPN can protect from legal consequences when downloading pirated material.
Thanks for this info!
1.) I do have quite a few extensions, but most of them I use regularly. Is having lots of extensions a risk even if I only ever type my password into the Bitwarden extension? (I never go to the actual Bitwarden website).
2.) So from what I’m understanding, the main risk is typing passwords into fake websites. The risk is NOT that people can hack into an insecure wifi network and spy on what everyone connected to that network is typing?
The network won’t have any idea what your master password is, but an infected computer would.
VPNs have their place, but they’re being oversold as some tool to stop hackers, and that is not even what they do. The HTTPS (padlock) is more secure than any VPN, and it’s default on every browser and most websites today. If you’re worried about privacy, then a VPN would be useful, but their privacy only goes so far.
Also, having 2FA on your Bitwarden account is a good idea.
If the latter is not a risk as long as I’m using HTTPS… is there a way to set Chrome to only allow websites with HTTPS so I never have to worry about it?
https://beebom.com/how-enable-https-only-mode-chrome-firefox-edge-safari/
You can also use the HTTPS Everywhere extension from EFF instead.
but most of the time I use it is for fear that someone will steal my identity or passwords or something while on public wifi
And you are absolutely right: phishing attempts can happen if you click on an HTTP link, even if the website supports HTTPS. Except if it also supports HSTS preload, which it probably doesn’t, sadly.
1.) Having lots of extensions increases the risk of individual passwords being captured from the page. However, other extensions shouldn’t be able to see what you type into the BitWarden extension.
2.) Yes and no. The connection between your device and the website is usually encrypted with HTTPS. So the main risk is fake websites. However, someone who has access to the insecure wifi network can use this to send you to a fake website or reverse proxy.
I think we’ve moved out of explain it like I’m 5 territory haha. Would you say it’s safe if I only use the Bitwarden extension for everything and only use autofill?
We probably aren’t the average people, but right now we’re in Egypt and tons of stuff is blocked. Neither Surfshark nor TunnelBear VPN is connecting here, but their support sent me super secret high tech instructions on how to get around it…we’ll see if I can get it to work!
I disagree. I know many “average”, that is not very tech-savvy, people that use torrent-based websites to watch series. Or want to access online casinos (which are blocked in my country). Or watch Youtube videos that are “not available in your country”. And I live in a generally free country.
In countries with more repressive governments, a VPN is necessary to have access to basic information. In these circumstances, the average person does indeed have a desire to access blocked content.
Ahhhh interesting! So as long as I’m using the Bitwarden extension to autofill my login info, the insecure wifi isn’t a risk (because the autofill won’t work on a fake page)? That would be reassuring!
I doubt mentioning HSTS preload is eli5.
As for your question: Yes, assuming you didn’t save a phishing URL in the extension as the URL of an entry.
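The answer above turns on how the extension decides whether a page matches a saved entry. As an added illustration (not Bitwarden's own code), the check below compares the base domain of the page with the base domain of each saved URI, which is why a look-alike host such as `vault.bitwarden.com.evil.example` (constructed for this example) gets no autofill, and also why a phishing URL that was itself saved on the entry would be filled. The `base_domain` helper uses the last two host labels for simplicity; a real implementation consults the Public Suffix List so that names like `example.co.uk` are handled correctly.

```python
from urllib.parse import urlsplit


def base_domain(url: str) -> str:
    """Registrable-domain approximation: last two labels of the host, lower-cased.
    Simplification for this example; production code should use the Public Suffix List."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def autofill_allowed(saved_uris: list[str], page_url: str) -> bool:
    """Fill only when the page's base domain equals the base domain of a saved URI."""
    page = base_domain(page_url)
    return page != "" and any(base_domain(u) == page for u in saved_uris)


# Constructed vault entry for the demonstration.
ENTRY_URIS = ["https://vault.bitwarden.com/#/login"]

if __name__ == "__main__":
    for page in [
        "https://vault.bitwarden.com/#/vault",           # genuine site: fills
        "https://vault.bitwarden.com.evil.example/login",  # look-alike host: no fill
        "https://bitwarden-login.example/",               # different domain: no fill
    ]:
        print(page, "->", "fill" if autofill_allowed(ENTRY_URIS, page) else "no fill")
```

The last case in the comment above is the caveat from the reply: if `ENTRY_URIS` had contained the look-alike URL, `autofill_allowed` would return `True` for it, so the protection is only as good as the URIs stored on the entry.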
Yes, it’s always better to use the BitWarden extension for this reason.