I always use https://passwords.google.com/ to manage passwords.
Now I have built a self-hosted Bitwarden and installed the Bitwarden Google Chrome plugin. I want to get rid of Google Password Manager so that it doesn't have control over my passwords.
I want to use the Google Chrome browser all the time.
Is it safe to use the Bitwarden plugin in Google Chrome? Can Google Chrome get my passwords?
In the world of security, nothing is 100%, but Bitwarden is pretty darned good, including the browser extension. I would say yes, it is safe. Bitwarden is very widely used and respected open source software. It has been independently audited. Because of its widespread use, it gets a lot of attention from security researchers. Yet not a lot of security vulnerabilities have been identified that I know of. This site shows only 2 since 2019, and they are level 5, which is not very severe (and of course these have been patched): Bitwarden : Security vulnerabilities
There is a respected Google security researcher, Tavis Ormandy, who spoke out against using browser extensions for password management: Password Managers. His concerns were more theoretical than indicating any actual vulnerabilities, mostly focusing on the fact that placing sensitive information inside an extension is not particularly consistent with the original Chrome browser security vision. He would prefer you to keep your passwords in Google Chrome's password manager; of course he works for Google, so there's that.
Imo Tavis' concerns fall in the realm of the theoretical, not something to worry about. The bigger thing to worry about is being phished and entering your credentials into the wrong site. The browser extension protects you from that if you are watching the way it responds. I look for the number to show up in the extension icon as confirmation that I am on the right site, and I never search for my account in the extension; I always choose it from the options offered (Bitwarden is comparing to the stored sites). If I found myself having to search for an entry in the extension, that would mean I'm on the wrong site.
That's what I assume, and I consider it a safe assumption.
Considering the widespread use of Bitwarden, if an attacker did find a way to steal passwords from the browser extension, we would undoubtedly hear about it quickly.
I have 2FA on my account, so even if they stole my password from the extension, they're not going to be able to retrieve my encrypted vault from Bitwarden (2FA is a great idea in general, irrespective of this one scenario). And if we ever heard about such a vulnerability, then I would change my password.
The likelihood of both a LastPass-style attack obtaining our encrypted password database and a browser extension attack obtaining the master password, without us finding out about either one, is negligible imo.
You're going to face similar theoretical risks no matter what password manager option you select. Bitwarden is as good an option as any, and better than most. If the whole idea of online password managers makes you nervous, you can consider an approach sometimes called "peppering" your passwords. It means the password the website recognizes will be your stored Bitwarden password plus a few extra characters that you manually type after the extension fills your password. It can be the same few characters for every site to make it easy for you to remember. If you want to start a peppering strategy, you can start with your critical accounts (and you can end there if you want; it's up to you). Make a note about the pepper in the stored comments in order to help you remember which accounts you have added it to. With a peppered password, even in the extremely unlikely event that the bad guys somehow get hold of your entire Bitwarden password database and decrypt it, there's still more needed to access the underlying critical account (for example your bank)… they still need the pepper, and that's stored only in your head.
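The phishing check described in the answer above (the extension only offers logins whose saved site matches the page you are on, so the icon badge stays empty on a lookalike domain) as an added illustration. This is example code, not Bitwarden's own implementation: it uses a simplified "last two labels" domain comparison, and the vault entries and URLs are constructed.

```python
"""Simplified site matching of the kind a password-manager extension does
before offering saved logins. Added example with constructed data; not
Bitwarden's code. Domain comparison is deliberately simplified."""
from urllib.parse import urlsplit

# Constructed sample vault: entry name -> saved URIs for that login.
VAULT = {
    "Example Bank": ["https://online.examplebank.test/login"],
    "Example Mail": ["https://mail.example.test"],
}


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplified: a real manager consults
    the Public Suffix List so suffixes like 'co.uk' are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def matching_entries(current_url: str, vault=VAULT) -> list[str]:
    """Return vault entries whose saved URI shares the registrable domain
    with the page the user is on. The length of this list is what the
    extension badge would show; zero means no saved login for this site,
    which is the cue the answer above relies on to spot a phishing page."""
    page_host = urlsplit(current_url).hostname
    if not page_host:
        return []
    page_domain = registrable_domain(page_host)
    hits = []
    for name, uris in vault.items():
        for uri in uris:
            saved_host = urlsplit(uri).hostname
            if saved_host and registrable_domain(saved_host) == page_domain:
                hits.append(name)
                break  # one hit per entry is enough
    return hits


def badge_count(current_url: str) -> int:
    return len(matching_entries(current_url))


if __name__ == "__main__":
    for url in ["https://online.examplebank.test/login",    # real site
                "https://examplebank-test.example/login",    # lookalike name
                "https://examplebank.test.evil.example/"]:   # subdomain trick
        print(f"{url}: badge shows {badge_count(url)}")
```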