The Clear Clipboard default is set to ‘Never’ under Options in Bitwarden. This is an unnecessary security risk and easy to resolve by changing the default.
Risk: your last copy, or full history of copies (OS dependent), from Bitwarden is left sitting in your OS clipboard after you paste it. These would be passwords, for example.
Recommendation: change default from ‘Never’ to a length that most users will never need to store a copy before they paste, such as 2 or 5 minutes, dramatically reducing this risk.
Benefit: This improves the base level of security for all users. This would especially benefit new password manager users who may not be aware of the security implications of the current default setting of ‘Never’ clearing their clipboard.
Update: changed recommended time to 1 minute as I didn’t intend to suggest adding a new, longer value. Rather, the intent is to simply not have Never be the default. So, I have changed it to the highest existing value other than Never, which is 1 minute. This will likely be more than enough for the vast majority of users. I don’t personally care what Bitwarden sets it to as long as it’s not Never and it mitigates the described risk.
Why that design decision was made in that way is something we can’t know, unless somebody who was present in that decision-making process chimes in, or perhaps if you get lucky and find some clue in an old discussion on GitHub.
Suffice it to say that there appears to be no fundamental reason why choosing this default value would be preferable to all other options. Perhaps the next option (5 min) would still not be long enough to prevent a user who is unaware of the existence of this option from losing data (e.g., they copy their current password, spend 5 minutes setting up the password generator options, selecting a new password and filling out the update password form on some website, then are surprised when they can’t paste their old password anymore). Perhaps the fact that many users have enabled clipboard history or other clipboard managers, in which case the automatic clipboard clearing mechanism is not effective, was a factor in deciding to effectively disable this feature by default.
You are of course right that enabling the clipboard clearing functionality (by setting a value other than “Never”) is more secure, unless you have enabled some form of clipboard history.
Just as a PSA for current and future readers of this thread — several of the comments above allude to the existence of this feature, but none have explicitly shown it. Thus, in case anybody wasn’t aware, it is possible to enable automatic clearing of the clipboard in Bitwarden, by changing the default value of the timeout parameter from “Never” to something else. For example, in the browser extension, go to Settings > Options, where you will find the Clear Clipboard timeout setting:
The default value for a new installation is “Never”, and @222 has created this thread to ask about or discuss this decision to have the setting default to “Never”.
I am researching re: Apple and am seeing that iOS and Macs only hold the last item in their clipboards, not a history. So, that limits the risk. But it will be held a long time if Bitwarden is set to Never clear.
Thanks, @grb. I should have attached a screenshot.
If Bitwarden goes to the trouble of clearing an unencrypted vault from memory in a pretty meticulous way, as I have read, it is an odd choice to default the clipboard to Never clear, potentially exposing a user’s password(s). The users who don’t touch this at all are more likely to be users who are less security conscious or simply unaware. I would think that Bitwarden would want to be doing its best to protect this group of users from themselves and set a base level of default security for all users that doesn’t introduce unnecessary risk such as this.
Even defaulting it to 2 minutes, more than most users would ever need, would dramatically reduce the risk.
Bitwarden devs should pay attention to articles like this. Such low hanging fruit. It’s like LastPass not setting a strong minimum KDF for everyone’s account: once the risk is realized, it doesn’t look good in hindsight.
I brought this up on GitHub almost a year ago, and there were threads way before that. It really is a security hole that not just needs to be reported to the team, but acted on.
Not only does the default need to change for new installations, any existing user should be forced to change the value unless they actively say otherwise. Not that I can think of any reason why that should be so. If a user has Windows password history invoked, then it is doubly important that the clipboard should be cleared. Note that if the default is changed to clear after x minutes, it will not clear existing entries in clipboard history. This should be brought to the user’s attention.
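For readers who want to see what the timed-clear behaviour discussed in this thread amounts to in code, here is an added example (not Bitwarden’s code and not posted by anyone in the thread). It implements a copy-with-timeout where `None` plays the role of the “Never” setting, and it clears the clipboard only if the clipboard still holds the secret it placed there, so a later user copy is not destroyed. The CLI tool names in `CommandClipboard` (pbcopy/pbpaste, xclip, xsel, wl-copy/wl-paste) are assumptions about what is installed on the host; the in-memory clipboard exists so the example runs offline. As noted above in the thread, a clipboard-history manager captures the write itself, so a later clear does not remove that history entry; this code cannot change that.

```python
"""Timed clipboard clearing; None stands in for the "Never" setting.

Added example, not Bitwarden's code. The CLI clipboard tools named below are
assumed to exist on the host when CommandClipboard is used; the in-memory
backend lets the example run offline.
"""
import shutil
import subprocess
import threading
import time
from typing import Optional


class MemoryClipboard:
    """In-memory stand-in for the OS clipboard, so the example runs offline."""

    def __init__(self) -> None:
        self.text = ""

    def read(self) -> str:
        return self.text

    def write(self, text: str) -> None:
        self.text = text


class CommandClipboard:
    """Real OS clipboard via whichever common CLI tool is on PATH (assumed
    tool names: pbcopy/pbpaste, xclip, xsel, wl-copy/wl-paste)."""

    TOOLS = (
        (["pbcopy"], ["pbpaste"]),
        (["xclip", "-selection", "clipboard"], ["xclip", "-selection", "clipboard", "-o"]),
        (["xsel", "--clipboard", "--input"], ["xsel", "--clipboard", "--output"]),
        (["wl-copy"], ["wl-paste", "--no-newline"]),
    )

    def __init__(self) -> None:
        for write_cmd, read_cmd in self.TOOLS:
            if shutil.which(write_cmd[0]) and shutil.which(read_cmd[0]):
                self._write_cmd, self._read_cmd = write_cmd, read_cmd
                return
        raise RuntimeError("no supported clipboard tool found on PATH")

    def read(self) -> str:
        return subprocess.run(self._read_cmd, capture_output=True, text=True, check=True).stdout

    def write(self, text: str) -> None:
        subprocess.run(self._write_cmd, input=text, text=True, check=True)


class SecretCopier:
    """Copy a secret and schedule a clear after timeout_s seconds.

    timeout_s=None is the "Never" behaviour: the secret stays until something
    else overwrites the clipboard. A clipboard-history manager still records
    the write itself; clearing later does not remove that history entry.
    """

    def __init__(self, clipboard, timeout_s: Optional[float]) -> None:
        self.clipboard = clipboard
        self.timeout_s = timeout_s
        self._lock = threading.Lock()
        self._timer: Optional[threading.Timer] = None
        self._pending: Optional[str] = None

    def copy(self, secret: str) -> None:
        with self._lock:
            if self._timer is not None:
                self._timer.cancel()  # a new copy supersedes the earlier scheduled clear
            self.clipboard.write(secret)
            self._pending = secret
            if self.timeout_s is not None:
                self._timer = threading.Timer(self.timeout_s, self.clear_if_unchanged)
                self._timer.daemon = True
                self._timer.start()

    def clear_if_unchanged(self) -> bool:
        """Clear only if the clipboard still holds our secret; blindly writing ""
        would destroy whatever the user copied afterwards. Returns True if cleared."""
        with self._lock:
            if self._pending is None:
                return False
            still_ours = self.clipboard.read() == self._pending
            if still_ours:
                self.clipboard.write("")
            self._pending = None
            return still_ours


def run_scenario(timeout_s: Optional[float], wait_s: float, overwrite: Optional[str] = None) -> str:
    """Copy a constructed sample secret, optionally simulate the user copying
    something else, wait, and return what is left on the in-memory clipboard."""
    clipboard = MemoryClipboard()
    copier = SecretCopier(clipboard, timeout_s)
    copier.copy("correct horse battery staple")  # constructed sample secret
    if overwrite is not None:
        clipboard.write(overwrite)
    time.sleep(wait_s)
    return clipboard.read()


if __name__ == "__main__":
    print("Never     :", repr(run_scenario(None, 0.3)))
    print("timed     :", repr(run_scenario(0.1, 0.3)))
    print("overwritten:", repr(run_scenario(0.1, 0.3, overwrite="user's own text")))
```

With `timeout_s=None` the sample secret is still on the clipboard after the wait; with a timeout it is gone; and when the user has copied something else in the meantime, that text is left alone rather than wiped. Swap `MemoryClipboard` for `CommandClipboard` to run it against the real OS clipboard.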