Auto-type/Autofill for logging into other desktop apps

Hello Bitwarden Community,

I was also frustrated with this feature, so I create my own little autotyper:

Note that this is
a) Windows-only (see below).
b) not production ready. I’m doing my best, but If you migrate your 500-logins strong Keepass database without trying it first, you might have a bad time.
c) Somewhat shoddy third-party software, much inferior to official support. As far as I’m concerned, this is not a solution, it’s a workaround.

Cheers!

PS: I apologize to all the Linux & Mac folks, but global hotkeys, window titles and autotyping are very system-dependant things that make cross-platform difficult. I - or we, if you help me - have to write bespoke implementations for each platform (and each display server, on linux). I’ve aimed for the platform that gives the most benefit to the most people first, and that’s Windows.

The problem is that workarounds and clipboard managers create security holes. We didn’t come to Bitwarden to be less secure. There’s no reason for Bitwarden not to have this feature unless the developers simply aren’t savvy enough to know how to do it. Since it isn’t actually that hard to do, I have to believe that they simply refuse to do it, but I cannot fathom why.

Amen.

I should note that the client is open-source - if one is skilled enough, it is possible to implement this feature and bring it into the official client. That somebody is not me though. Here’s hoping that Bitwarden does it.

@yutamago @arjanvdbroek like you I’ve been waiting for the official implementation, my workaround like @MCOfficer was to write one of my own, I did so over a year and is updated as few days.

Some advantages are that it doesn’t use the clipboard and has support for user+pass, user only, pass only and it generates TOTPs.

Among the many KeePass’ features I implemented, it can use Two-Channel Auto-Type Obfuscation as increased security against key loggers. Speaking of security it can interact with browsers, so you can ditch the insecure browser extensions.

Like Bitwarden, the source code is there to be audited and users can opt to use the pre-built binary or built by themselves for the more paranoid. You can check it out in GitHub.

Definitely will be checking that out, thanks

I checked this out, after many failed install attempts. UI is not WYSIWYG, very early implementation. Scripted complex setup. Could not get it to run with windows apps, especially Windows 10 Store apps.

• There is no UI.
• Is not an early implementation.
• The installation is a click 'n run setup.exe.
• Works with native Windows apps from Windows 7 onward.
• Works with UWA (Universal Windows Apps) in Windows 8.1.
• Works with UWP (Universal Window Platform) Apps in Windows 10.

MCOfficer’s version uses the same name as mine, check if perhaps you’re referring to his version. If you need assistance, let me know.

One of the most important features to work productive in privat and work environment.

So… are there any news regarding Auto-Type? Or has the development still not started?

Not on the dev timeline just yet

It’s pretty obvious that a lot of us want and need this. To the point that we’ve offered to help fund it.

Is the problem that you don’t know how to do it, or is the problem that you just don’t want to do it?

Should we just go back to KeePass?

Shane

The team is definitely appreciative of the offers, unfortunately, there is no ‘free lunch’ with this type of thing since it is a large task for both initial dev and ongoing maintenance.

There are plenty of open source examples for this, and even a few Windows-based examples on this thread.

However, we would prefer to take a more explicit approach to passwords as I’ve mentioned in a few prior posts (and I do see the irony that we have not yet released an option for macOS to use their password features) - but understand that this may not be possible for all platforms and applications.

This function isn’t off the radar, in fact, we discuss it often, but are attempting to balance the requests we get from a business and individual standpoint, and this particular feature is in the queue, but not active.

Bitwarden truly believes in password security for everyone (hence our forever free, cross-platform options) - if using KeePass allows you to maintain your personal security in a manner that aligns with your needs, we understand and hope that we’ll be able to provide the features you need in the future.

Thanks for the frank answer. We’ll go back to KeePass and keep looking for something better.

Shane

Even tho Bitwarden developer is one kind-hearted and sympathetic guy, this task requires more than just want to do it and technical knowledge.

The problem is the stack chosen to write Bitwarden, in Layman terms Bitwarden is just a webpage encapsulated so it might run without a browser. As you know webpages in browsers are isolated from the host OS in order to have some degree of security.

That very same reason keeps Bitwarden to be able to interact with the OS plus to my knowledge there are no projects that can be used to interact with Windows, macOS and the different Linux desktop environments. That’s an issue KeePass doesn’t have for example.

KeePass is written in C#, and it can run under Linux via Mono; KeePassXC is written in QT5 (that’s why is Cross-Platform). KeePass/KeePassXC developers didn’t have to care about this because the underlying technology takes care of it, remember Bitwarden is just a complex webpage.

If Bitwarden was to add this feature it means a project way bigger than the whole password manager itself, because it means to write a layer to neutrally talk to and that layer would have to translate the calls for the Win32API (Windows API), Cocoa (macOS API) and the most complex with the least return of interest: the Linux Kernel Interfaces through perhaps a Portable Operating System Interface (POSIX).

The last part alone would be a project bigger than Bitwarden, if you add the macOS and Windows counterparts and the layer between them… makes it faster to rewrite Bitwarden from the ground up in a C-like language. I’d choose C because it beats the hell out of anything in terms of speed and portability, but also is not a fast or easy language.

Until someone doesn’t write that, I don’t see Bitwarden or any Electron-based app to have implemented a way to talk to the host OS. At the end is against the end goal of the whole sandboxing principle (its biggest selling point).

Anyway, now that Microsoft has fallen for Electron (Visual Studio Code and the 20ish 365 desktop apps are Electron apps), seems to enjoy the Open Source principle and their suspicions interest in having the Linux Kernel as an extension of their own perhaps they pitch in with that layer. And let’s not forget that the Blink project (the core of Chromium and in turn Electron) has the names of Google, Facebook, Adobe, Intel, IBM, etc… there’s a lot of money and hands sitting at disposal if they see fit.

It’s not impossible to make system calls from javascript, for example here’s a project that uses the win32 API. In my opinion the issue is that the concept of autotyping - literally simulating keystrokes - really sucks.

• It’s trivial to keylog (though you can make it more difficult with 2-Channel Obfuscation).
• it’s error prone: one keystroke by the user and boom, wrong password
• it’s risky: click the wrong window after starting an autotype, and your password is sent around the world by means of your favourite chat program.
• it needs to be implemented and maintained for each platform individually, and having tried it, that’s not straightforward in the fractured unix-world.

The one thing that makes it preferrable is that it’s the only automatic solution on desktops - period. The best for users right now would be to implement it, but I can’t blame Bitwarden for looking for a better solution instead of having to maintain Autotype.

(Sorry about the name collision, i wasn’t aware of your project when writing mine. I’ll consider renaming.)

I know is not impossible, what I said is that a cross-platform implementation will be a monumental task, WinAPI and Cocoa are somewhat easy (you even pointed out a win32 implementation) but the diminished return of the all that embraces *nix is what’s more troublesome.

• Yes I know one of the problems is key logging and that’s why I implemented the TCATO (Two-Channel Auto-Type Obfuscation) algorithm KeePass uses.
• The user input while the auto-type is underway is blocked to avoid wrong credentials.
• There’s also a fail safe for the mouse (not just keyboard input). Information will only be sent to the URL/executable the user defines.
• Yes, my implementation is Windows only because it was what I needed and had the most impact.

My job require me to spend most of my tine in Windows closely followed by macOS (I stopped using Linux as desktop like 20 years ago because I never ultimately feel worth the compromises), but I literally manage over a hundred of Linux VMs (WSL and Cloud instances included) so I know the importance.

The company I work for uses MYKI which has some degree of functionality in macOS that I can live with. All my workflows that need credentials automation are written in pass because it fits my needs and literally there’s nothing you can’t do with it (however is not a user-friendly process). So yeah, I share all of your concerns and I tried the best of my abilities to overcome them.

As for the name, don’t worry I don’t take it personal or as any form of attack. Both projects are there to help people and are completely Open Source., that in itself speaks of good intentions rather than malice.

I appreciate the update.
It’s not a deal-breaker for our organization, but it would certainly make this is an easier sell for the enterprise package.

Thankfully the organization only has a few desktop apps that don’t support some other form of auth. (Certainly not enough to try something like MCOfficer/bitwarden-autotype)

Anonymous1184: Downloaded to my Win7 machine and ran setup.exe:

image662×508 20.3 KB

Then it asked if I wanted to download Bitwarden CLI. What is that?

Hi @wysocki, unfortunately never tested Windows 7 as its mainstream support ended in 2015 and the extended support ended in 2020. Security related products (like Bitwarden) are aimed to be ran in the latest and most up-to-date possible platforms (or at very least not in ones that already reached their End-of-LIfe cycle).

I have a 11/12 years old Laptop that runs fine Windows 10 (dual core, 4gb RAM, HDD). So it might be possible to update the OS if the hardware is similar.

The error you’re getting is basically a lack of updated secure protocols, you can find more info in the Microsoft Support Site, the TL;DR is that Windows 7 uses as default an insecure transport. A fix is already in the repository (develop branch) but I’m testing more changes that will go on the next scheduled release.

As for “downloading Bitwarden CLI” is part of the auto-type as is used in order to access the password vault.