Bitwarden extension popup disappears when switching away from browser window

I use Bitwarden on Firefox. After clicking on the Bitwarden icon, the popup appears fine but because I have 2FA enabled for my Bitwarden account, I switch the active window from Firefox to Authy app. When I do that, the Bitwarden popup disappears. Clicking on the icon again re-prompts for the master password.

Does anyone else think the popup must be visible until the 2FA token is entered?

For now, a workaround that I use is to memorize the Authy 2FA token, click on the Bitwarden icon, enter the master password and enter the 2FA token right away.

1 Like

Not too sure I am seeing an existing discussion here:

https://community.bitwarden.com/search?q=disappear%20%23support

Should I move this to feature requests instead?

Hi @arun - the browser extension popup functionality closes when it loses focus, which is something we can’t control.

We do have some requests to persist any entered data when it closes, as well as allow users to edit in a different mode i.e. a new browser tab instead of within the popup.

3 Likes

I am testing out the Chrome extension and I am running into the same problem. The Master password must be long. The LastPass breach has taught us this. So, I go to my chosen password vault to copy the Master password, switch back to Chrome and the Bitwarden extension closes. The Email address has been cleared when I reopen it. There is no way to log into the extension. The Firefox extension behaves the same way.

This is a bit extreme of a conclusion. If you don’t have your master password memorized, you could just copy it before you open the browser extension to log in. A better solution is to use a master password that can be memorized (i.e., a passphrase consisting of 5-7 randomly generated words).

I randomly generated a >200 character Master password. I would like to be able to cut and paste it.

You’re making your life more difficult than it has to be, but go ahead. Just copy the password before you open the browser extension login screen.

FYI, the actual encryption key that is required to decipher all of your vault contents has 256 bits of entropy, which is impossible to crack. A 200-character randomly generated password has 1,314 bits of entropy. Not only is this a ridiculous amount of entropy, but if you consider the fact that the purpose of the master password is to protect the 256-bit encryption key, if you were being targeted by some supervillain with a Deathstar full of quantum computers, they would just brute-force the actual encryption key instead of brute-forcing your master password (i.e., your master password is irrelevant if its entropy is greater than 256 bits).

You can get a password with 256 bits of entropy using only 40 characters; anything longer does not increase your security, as explained above.

Furthermore, your vault would be resistant against cracking by mortal hackers with only 65-90 bits of entropy. For 90 bits of entropy, you would only need 14 randomly chosen characters, or you could use 7 randomly chosen words (from any list containing at least 7500 words).

In that case, the maximum characters allowed in the Master password should be limited to just 40 characters.

I was cutting and pasting the email address first, then going back to cutting and pasting the password. I’ll try typing the email address manually, then pasting the password. I will have to increase the time before the password clipboard is erased.

The LastPass extension can be logged into from the LastPass.com login (potentially another surface to attack). Bitwarden’s extension could open a new tab/window to allow logging in from a localhost web page?

40 characters is sufficient if drawing randomly from a character set consisting of 85 or more different characters. For smaller character sets, a longer password would be needed to reach 256 bits of entropy (e.g., an all-numeric password would require 78 digits to exceed 256 bits of entropy; pseudo-Morse code would require 162 characters).

More importantly, passphrases (which are a better option for the master password) are much longer (around 3 times the number of characters) compared to a string of random characters that has the same entropy. Thus, setting a length limit on the master password input field would restrict the entropy that could be achieved using a passphrase — not a good idea.

If you’re not using Incognito mode, you can use this URL to log in to your browser extension in Chrome:

chrome-extension://nngceckbapebfimnlniiiahkandclblb/popup/index.html?uilocation=popout#/home

1 Like
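The entropy figures quoted in the posts above can be reproduced with a short calculation. This is an added example, not part of the original thread or Bitwarden's code; it assumes a 95-symbol printable ASCII set for the 200-character password, a 3-symbol alphabet for "pseudo-Morse", and an average word length of 5 characters with a 1-character separator for passphrases.

```python
import math

KEY_BITS = 256  # vault encryption key size stated in the thread


def min_length(alphabet_size: int, target_bits: int) -> int:
    """Fewest uniformly random symbols whose search space is >= 2**target_bits.

    Uses exact integer arithmetic so boundary cases are not lost to float rounding.
    """
    if alphabet_size < 2:
        raise ValueError("alphabet must contain at least two symbols")
    length, space = 0, 1
    while space < 1 << target_bits:
        space *= alphabet_size
        length += 1
    return length


def raw_bits(alphabet_size: int, length: int) -> float:
    return length * math.log2(alphabet_size)


def effective_bits(alphabet_size, length, key_bits=KEY_BITS) -> float:
    """Entropy beyond the key size adds nothing: the key becomes the cheaper target."""
    return min(raw_bits(alphabet_size, length), key_bits)


def passphrase_chars(words: int, avg_word_len: int = 5, sep_len: int = 1) -> int:
    """Typed length of a passphrase; avg_word_len and sep_len are assumed values."""
    return words * avg_word_len + (words - 1) * sep_len


if __name__ == "__main__":
    for name, size in [("85-char set", 85), ("digits", 10), ("pseudo-Morse", 3)]:
        print(f"{name:13} needs {min_length(size, KEY_BITS)} symbols for {KEY_BITS} bits")
    print("200 random printable ASCII chars:", round(raw_bits(95, 200)), "bits raw,",
          effective_bits(95, 200), "bits effective")
    words = min_length(7500, KEY_BITS)
    print(f"{words} words from a 7500-word list ~ {passphrase_chars(words)} characters")
```

Under these assumptions a 256-bit passphrase from a 7500-word list is far longer than 40 characters, which is why a 40-character cap on the input field would limit passphrase entropy.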

chrome-extension://nngceckbapebfimnlniiiahkandclblb/popup/index.html?uilocation=popout#/home works until I enter my password. It says invalid password without asking for the Google Auth code.

The same credentials work fine logging directly into my self-hosted Bitwarden server from a different Chrome tab.

Are you sure that you didn’t paste an extra whitespace character or anything else into the password field that shouldn’t be there? Or that you accidentally didn’t select all 200 characters when copying?

For me, the login process completes successfully (including 2FA) using that URL in a full browser tab. I have tested it both by typing the master password, and pasting it from the clipboard — both methods work.

The server URL I set was cleared somehow. Chrome works now. Thank you.

Does a similar URL exist for Edge and Firefox?

This comment by @RyanL explains how to get the URLs:

1 Like