Bitwarden browser extensions - our thoughts

In a blog post by a vulnerability researcher at Google, the author concludes that your best option for a password manager is the one in your browser.

The author shares opinions about password manager extensions as a general category, without distinction as to implementation.

The premise of the article is focused on the communication between browser extensions and websites as a potential attack vector.

The post focuses on the use of content scripts, which are the current way that a password manager can interact with a website and make suggestions for things like autofill. It is important to note that in the mobile world, both iOS and Android provide standard APIs for autofill. It would be most welcome if browser providers offered something similar.

However, even when using content scripts, the implementation can take a light or heavy approach. With Bitwarden we take a light approach that relies a bit more on the end user. For example, Bitwarden does not attempt to autofill web page data by default. Many users of another password manager ask us about an overlay interface to select credentials directly on the web pages they visit. Since this approach falls more into heavy manipulation of web pages with content scripts, and increases the reach of the content script, Bitwarden has purposefully chosen to approach this level of data injection very carefully, and does not offer this feature at this time.

As with most security choices, users can decide what works best for them. At Bitwarden, we view our browser extension as safe and secure, with the best balance of security and convenience for the average user. For example, we expect more users to use more unique passwords for every site they visit when they can visit those websites and autofill with the convenience of a password manager.

For users who might view the world differently, Bitwarden offers a full range of client implementations across mobile, desktop, browser extensions, web vaults and a command line interface. All of them are built with security at the forefront.

If you’d like to hear more from the industry on why you should not use a browser based password manager, you can read more here: https://www.makeuseof.com/reasons-shouldnt-use-browsers-password-manager/

15 Likes
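The "light" content-script approach the post describes (no autofill unless the user asks for it, and only into a page whose origin matches a saved login) is illustrated below as an added example. This is not Bitwarden's code and not from the post's author; the function names, the sample vault, and the fake form object standing in for a DOM form are all assumptions constructed so the logic runs outside a browser.

```javascript
// Added example (not Bitwarden's code): a "light" autofill decision of the kind
// a content script could make. SAMPLE_VAULT and fakeForm() are constructed
// stand-ins for a real vault and a real DOM login form.

// Strict origin match: scheme, host and port must all agree with the vault URI.
// A loose substring match would hand credentials saved for https://example.com
// to a look-alike host or to a plain-http page on the same hostname.
function originsMatch(vaultUri, pageOrigin) {
  let a, b;
  try {
    a = new URL(vaultUri);
    b = new URL(pageOrigin);
  } catch (e) {
    return false; // an unparsable URI never matches
  }
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// Vault logins whose saved URIs match the page the content script runs in.
function matchingLogins(vault, pageOrigin) {
  return vault.filter(item => item.uris.some(u => originsMatch(u, pageOrigin)));
}

// Light approach: nothing is written into the page unless the user explicitly
// triggered the fill (shortcut or extension popup) and exactly one login
// matches, or the user picked one of several matches by id.
function decideFill(vault, pageOrigin, trigger) {
  if (!trigger || !trigger.userInitiated) {
    return { fill: false, reason: 'no explicit user action' };
  }
  const candidates = matchingLogins(vault, pageOrigin);
  if (candidates.length === 0) {
    return { fill: false, reason: 'no vault entry matches this origin' };
  }
  if (candidates.length > 1 && trigger.selectedId === undefined) {
    return { fill: false, reason: 'multiple matches; user must choose' };
  }
  const login = candidates.length === 1
    ? candidates[0]
    : candidates.find(c => c.id === trigger.selectedId);
  if (!login) {
    return { fill: false, reason: 'selected login is not among the matches' };
  }
  return { fill: true, login };
}

// Minimal fake of a DOM login form so the example runs in Node.
function fakeForm() {
  return { fields: { username: '', password: '' } };
}

// Write credentials into the fake form; a real content script would set
// .value on the matched <input> elements instead.
function fillForm(form, login) {
  form.fields.username = login.username;
  form.fields.password = login.password;
  return form;
}

// Constructed sample vault (hypothetical data).
const SAMPLE_VAULT = [
  { id: 1, uris: ['https://example.com/login'], username: 'alice', password: 'pw-A' },
  { id: 2, uris: ['https://bank.example.net'], username: 'alice', password: 'pw-B' },
];

// Exercise the decision on a few page origins and trigger types.
function demo() {
  return {
    autoOnLoad: decideFill(SAMPLE_VAULT, 'https://example.com', { userInitiated: false }),
    userOnRealSite: decideFill(SAMPLE_VAULT, 'https://example.com', { userInitiated: true }),
    userOnLookalike: decideFill(SAMPLE_VAULT, 'https://example.com.evil.test', { userInitiated: true }),
    userOnHttp: decideFill(SAMPLE_VAULT, 'http://example.com', { userInitiated: true }),
  };
}
```

The point of the example is where the script refuses: a page load with no user action gets nothing, a look-alike host gets nothing, and an http page does not receive a password saved for the https origin. The overlay interface discussed in the post would add injected DOM that the page's own scripts can observe and manipulate, which is the additional reach the post says Bitwarden has chosen not to take on.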

Very well said!

1 Like