Copying PART of the Password or Username (BW, desktop app)

LGL · October 24, 2023, 12:26pm

I am wondering why it is no longer possible to copy a PART of a password or username in the BitWarden (Version 2023.9.3 (12828)) vault of the desktop app. I used to be able to do so. Even though i select part of the password or username, it copies the entire thing. I am trying to achieve what i think is called “peppering” in which one manually (without pasting) types in the characters left out of the copied password/username so as to lessen security problems like clipboard jacking.

Many thanks,
Louis

LGL · October 24, 2023, 12:29pm

I am running Mac OS. v. 13.5.1, Ventura.

grb · October 24, 2023, 5:31pm

Peppering would be if you added something to the stored password. For example, the password stored in Bitwarden might be aBVF7F%44ao9!%*J# but the actual password required to log in to the account would be aBVF7F%44ao9!%*J#Y!8d, where Y!8d is a “pepper” that you add to the end of every password.

Furthermore, you can avoid clipboard jacking risks altogether by using Bitwarden’s auto-fill feature (e.g., using the Cmd+Shift+L keyboard shortcut).

Also, I am unable to reproduce this issue when it comes to partially copying usernames. However, for passwords, what you are describing is an issue that apparently started in version 2023.9.0; there is a Github bug report here:

github.com/bitwarden/clients

Copy and Paste of partially selected password returns entire full password,

opened 06:40PM - 27 Sep 23 UTC

BizClimb

bug help wanted desktop

### Steps To Reproduce Windows 11 - Desktop Client. To reproduce: 1. Select… an item from your vault, 2. Click the eye icon to view the password in plain text. 3. Highlight only a portion of the password (not the entire password, e.x. first character only). 4. Press Ctrl+C (or right click and select Copy). 5. Paste to notepad. This is a new bug that started today for me after update. ### Expected Result The selected portion of the password should be copied to clipboard. ### Actual Result The entire password (ignoring selection) gets copied to clipboard. ### Screenshots or Videos _No response_ ### Additional Context _No response_ ### Operating System Windows ### Operating System Version 11 ### Installation method Direct Download (from bitwarden.com) ### Build Version Version 2023.9.0 - Shell 24.8.3 - Renderer 112.0.5616.204 - Node 18.14.0 - x64 ### Issue Tracking Info - [X] I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.

LGL · October 25, 2023, 1:30pm

Ok, thanks for those responses grb. I get the peppering idea now. Thanks for distinguishing. Maybe we could call it reverse-peppering.Though i would still appreciate knowing why one cannot copy part of the password.

Unfortunately the auto-fill function does not exist in the Mac desktop app. I know it exists in the browser extension. Is this ever going to be added to the BW desktop app or is it too complicated to do a non-clipboard transfer from BW desktop app to the browser. I realise it also checks the site URL to those records in the vault.

I recently switched to the desktop app because i thought it would be more secure. Can you say anything about the security of the BW browser (Brave in my case) extension vs. the BW desktop app?

Thanks,
Louis

grb · October 25, 2023, 4:14pm

As long as you are not running any other browser extensions that are sketchy, and you refrain from defeating various security options in the browser extension (e.g., disabling “lock with master password on browser restart”, or enabling “auto-fill on page load”), then I would say that on the balance, using the browser extension is safer than using the desktop app.

Personally, I use the browser extension almost exclusively.

Did you have any specific concerns about browser extension security?