Bitwarden browser extensions - our thoughts

In a blog post by a vulnerability researcher at Google, the author concludes that your best option for a password manager is the one in your browser.

The author shares opinions about password manager extensions as a general category, without distinction as to implementation.

The premise of the article is focused on the communication between browser extensions and websites as a potential attack vector.

The post focuses on the use of content scripts, which are the current way that a password manager can interact with a website and make suggestions for things like autofill. It is important to note that in the mobile world, both iOS and Android provide standard APIs for autofill. It would be most welcome if browser providers offered something similar.

However, even when using content scripts, the implementation can take a light or heavy approach. With Bitwarden we take a light approach that relies a bit more on the end user. For example, Bitwarden does not attempt to autofill web page data by default. Many users of another password manager ask us about an overlay interface to select credentials directly on the web pages they visit. Since this approach falls more into the heavy-manipulation of web pages with content scripts, and increases the reach of the content script, Bitwarden has purposefully chosen to approach this level of data injection very carefully, and does not offer this feature at this time.

As with most security choices, users can decide what works best for them. At Bitwarden, we view our browser extension as safe and secure, with the best balance of security and convenience for the average user. For example, we expect more users to use more unique passwords for every site they visit when they can visit those websites and autofill with the convenience of a password manager.

For users who might view the world differently, Bitwarden offers a full range of client implementations across mobile, desktop, browser extensions, web vaults and a command line interface. All of them are built with security at the forefront.

If you’d like to hear more from the industry on why you should not use a browser based password manager, you can read more here: https://www.makeuseof.com/reasons-shouldnt-use-browsers-password-manager/
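The "light approach" described above (no autofill unless the user asks for it, and only on a site the credential was saved for) can be expressed as a small decision function that a content script would consult before touching the page. The block below is an added example written for this thread; it is not Bitwarden's code, and its rules (an explicit user gesture, an https page, and an exact hostname match against the saved URIs) are assumptions chosen for illustration. The `naiveMatch` function shows, for contrast, why a looser "hostname contains the saved host" comparison is dangerous: a lookalike host such as `login.example.com.evil.test` would receive `example.com`'s credentials. The vault item is constructed sample data.

```javascript
// Added example, not Bitwarden's implementation. Assumptions (not from the thread):
// fill only on an explicit user gesture, only on https pages, and only when the
// page hostname exactly equals the hostname of a saved URI.

// Constructed sample vault item; not real data.
const vaultItem = {
  name: "Example",
  uris: ["https://login.example.com/", "https://example.com/account"],
};

// Parse a URL into the two fields the policy needs; null if it does not parse.
function hostOf(url) {
  try {
    const u = new URL(url);
    return { protocol: u.protocol, host: u.hostname.toLowerCase() };
  } catch {
    return null;
  }
}

// Decide whether a content script may fill. Returns { fill, reason } so the
// extension can explain a refusal instead of silently doing nothing.
function autofillDecision({ pageUrl, userTriggered, item }) {
  if (!userTriggered) {
    return { fill: false, reason: "no user gesture" };
  }
  const page = hostOf(pageUrl);
  if (!page) {
    return { fill: false, reason: "unparseable page URL" };
  }
  if (page.protocol !== "https:") {
    return { fill: false, reason: "page is not https" };
  }
  const allowedHosts = item.uris
    .map(hostOf)
    .filter(Boolean)
    .map((h) => h.host);
  if (!allowedHosts.includes(page.host)) {
    return { fill: false, reason: `host ${page.host} not saved for this item` };
  }
  return { fill: true, reason: "exact host match on user request" };
}

// Insecure comparison shown for contrast only: substring match on the hostname.
// Matches "login.example.com.evil.test" because it contains "login.example.com".
function naiveMatch(pageUrl, item) {
  const page = hostOf(pageUrl);
  if (!page) return false;
  return item.uris.some((u) => {
    const saved = hostOf(u);
    return saved !== null && page.host.includes(saved.host);
  });
}

// Stand-alone demonstration on the constructed data.
const samples = [
  { pageUrl: "https://login.example.com/signin", userTriggered: true },
  { pageUrl: "https://login.example.com/signin", userTriggered: false },
  { pageUrl: "http://login.example.com/signin", userTriggered: true },
  { pageUrl: "https://login.example.com.evil.test/signin", userTriggered: true },
];
for (const s of samples) {
  const d = autofillDecision({ ...s, item: vaultItem });
  console.log(`${s.pageUrl} (gesture=${s.userTriggered}): fill=${d.fill}, ${d.reason}; naive=${naiveMatch(s.pageUrl, vaultItem)}`);
}
```

The last sample is the interesting one: the strict policy refuses the lookalike host while the naive substring check accepts it, which is exactly the kind of mistake a content script with broad page access turns into credential leakage.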


Very well said!


I don’t suppose you have a link to the article from Google?

Over the years security on the browser has improved so that it is usable as a password manager. The issue I have is that it’s too tied to the account you are using for everything else. I’d rather we used a separate account for the password manager. Let’s say you let the browser save your Google password. Malware that impersonates you will be able to access the password through that saved password.

Secondly, the password recovery is a vector of attack. Many of the accounts like Microsoft and Yahoo still force you to either use SMS or email even if options like Yubikey are available. So if you are using SMS, you could probably do something like an SMS swap, which would get you access to SMS. You can then use that to change the password on your MS account or Yahoo account and log in. Once in, you now have access to your password manager. For a Google account, it’s possible to set the account not to use email or SMS, so they wouldn’t be able to use that avenue of attack, provided that you remove the recovery option.

See here:

It’s not a very well thought-out argument in the article.


Would it be possible to offer an option to deactivate all features which require a content script, and as a consequence switch off the content script injection? This would allow people who find copying the credentials from the browser toolbar convenient enough to close this attack vector.

Thank you - I encourage you to stay on course. And if this ever makes its way into the product, an option to switch it off would be much appreciated.

Thanks for the feedback, feel free to open a feature request for this one so it can be voted on and discussed, with community input and Bitwarden review :+1:

In the meantime, you can also download the desktop application if you prefer to copy/paste between them.

2022.11.2 also streamlines logging into the web vault if you prefer that method:

  • Log in with device: Log in to the web vault by sending an authentication request to your registered mobile device instead of using your master password (see here).