Accidentally typed Master Password into email field on bitwarden app - problem?

Is there any risk of the password being exposed in this scenario?

I’m using the official bitwarden application on Pop! OS.

Hi @Merlin7 - unless you actually submitted the login, you are fine. Even if you did, the misplaced password would only have been sent to a Bitwarden server, and they seem like pretty trustworthy folks, so I wouldn’t be concerned that they are logging and monitoring logins for things like misplaced passwords. But if you are concerned, you can always Change your Master Password.

1 Like

I think I may or may not have clicked Log in… I’m really not sure. In any case, my bitwarden account is protected by 2FA. I really don’t want to change my Master Password as it is extra hassle…

Personally, if it were me in that scenario, I wouldn’t bother either. :+1:

1 Like

Slightly related, what if you accidentally typed the Master Password into the Chrome address bar (but did not hit enter)? :flushed:

1 Like

Good question - I don’t know the answer (although, I suspect it is safe), but maybe someone else here can answer this?

1 Like

I know that some browsers start suggesting results from the search engine as soon as you begin to type. I don’t use Chrome because I hate Google and try to avoid their products and services as much as I can, but particularly if you were logged in to Google Chrome browser with the same Gmail address that you use for bitwarden, then paranoid me would change the password. But I’m always nervous about doing that as you need to make certain you are accurately typing the new password AND storing it safely off-line. For me, that is a piece of paper in a secure location.

1 Like

Yes, this is definitely the case with Chrome, which means that everything entered into the address bar is transmitted, keystroke-by-keystroke to Google. What I was unclear on is whether they bother storing this information (i.e., unsubmitted searches) for future use. I think I found the answer in an old Google blog: at least in 2009, there was a 1 in 50 chance that the unsubmitted information would be logged by Google (but anonymized within a day or so). The current Chrome Privacy Whitepaper indicates that 100% of the data are now stored unanonymized for 2 weeks (and 2% retained anonymized after this 2-week period). However, the language in the whitepaper suggests that the data are not logged unless you select one of the autocomplete suggestions, and that there are exceptions for Incognito mode and “authentication credentials” that are typed into the address bar:

When in Incognito mode, in order to provide these suggestions, Chrome relies on an on-device model that does not communicate with your default search engine until you select a suggestion.

If Chrome determines that your typing may contain sensitive information, such as authentication credentials, local file names, or URL data that is normally encrypted, it will not send the typed text.

If Google is your default search engine, when you select one of the omnibox suggestions, Chrome sends your original search query, the suggestion you selected, and the position of the suggestion back to Google. This information helps improve the quality of the suggestion feature, and it’s logged and anonymized in the same manner as Google web searches. Logs of these suggestion requests are retained for two weeks, after which 2%% of the log data is randomly selected, anonymized, and retained in order to improve the suggestion feature.

So if typing a password into the address bar while in Incognito mode, but not submitting the search or selecting any autocomplete suggestions, seems like this would cover three different exceptions to the logging policy.

1 Like