I brought this up on GitHub almost a year ago, and there were threads way before that. It really is a security hole that not just needs to be reported to the team, but acted on.
Not only does the default need to change for new installations, any existing user should be forced to change the value unless they actively say otherwise. Not that I can think of any reason why that should be so. If a user has Windows password history invoked, then it is doubly important that the clipboard should be cleared. Note that if the default is changed to clear after x minutes, it will not clear existing entries in clipboard history. This should be brought to the users' attention.
I only found out by accident that this was set to Never. I was installing Android apps remotely with my recently installed Win11 PC (you have to paste Google PW for every Google Play app installation).
When I found the default was off, all I could think was that it was an error.
If you don’t want to change default to something that’s somewhat secure, the least you can do is when the Bitwarden extension/app is installed prompt the user that the setting is OFF/Never by default.
I would like to remind you of this subject, which appears to be a significant security flaw. If the default clipboard cleanup value is not changed, would it at least be possible to push a value through the registry or some other way?
Unless I’m missing something, this has gone from bad to worse.
In the new Bitwarden UI, as far as I can see there is no option in the settings to set the clear clipboard time, indeed there are no clipboard settings anywhere as far as I can see.
BW still does not clear the clipboard; not on time, not on Lock, not on Logout, not on Close Browser. Same for Win browser and Android app.
Hiding the settings does not make the issue go away.
Yup, should have found that on the Windows and Android apps - thanks. The new glasses must need cleaning.
On the PC, I wasn’t using the browser extension, but logged in through a webpage. There is no setting available on the webpage and the clipboard is not cleared.
Anyway, I notice that the default value is still never to clear the clipboard. Surely it is just a simple value that needs to be changed in the installation files, can’t understand why it has not been done.
Is there any news on this topic?
If this is not possible, would it be possible to configure this on the server side? For example, as an organisation we would like to set the clipboard timeout to 10 seconds for all accounts in our self-hosted organisation.
Now it is only configurable on the client side AND the default is set to never…
Some help to interpret the current situation is much appreciated.
PM-8458 has been closed for 3 months, but still, in the web app I neither find a configuration for “clear clipboard” nor is the clipboard entry actually cleared, despite the “countdown” appearing at top right, which looks pretty much the same as the “countdown” at bottom right in KeePass, indicating how long I can use the copied password.
As the web app seems to be the most powerful client, e.g. it allows batch manipulations while desktop app does not, I expected the feature is implemented for sure in web app, but maybe it is not?
Well, that depends. – For daily work, the browser extensions are usually considered “more powerful” as they provide the possibility of “autofill” (which is both more secure and more convenient than e.g. copy & paste).
And I think, as the web vault doesn’t have any “clear clipboard setting”, I think it might not get this change. I can’t say for sure, but I think this was discussed somewhere here on the forum before – and if I’m not completely off, the web vault, as just a “website” in the browser, doesn’t have that potential control over the clipboard. (even if it is not wrong it’s probably also over-simplified)
Thank you for clarifying that in GitHub PRs “Closed” has the meaning “not implemented but rejected”. Good that another PR exists!
For my daily work, I rarely need to enter credentials into the browser thanks to Single Sign On but mainly in other applications like command line interfaces or database clients, so app:browser extension is not really interesting for me − while it is for someone not having SSO within the browser.
As written in my previous post, this feature request is about the browser extension, not about the web vault. (and I might add, clear clipboard does work in general on the browser extension – what doesn’t work: for the browser extension to clear the clipboard when the clipboard history is enabled on Windows – that’s what that feature request is about)