Desktop app - auto-type (Windows, MacOS, Linux)

Thanks for the questions!

• I was expecting to see (but did not see) a disclaimer to the effect “use at your own risk, and not without frequently backing up your vault contents — using this client has the potential to corrupt your vault database.” Does the absence of language to such effect suggest that you have a high degree of confidence (certainty, even?) that the risk of database corruption is no higher when using this client than when using the official clients?

Of course, as with any unofficial software it’s at your own risk. That being said, except for if you add ssh keys through goldwarden, no modification is being done to your vault, the client is read only. Thus, for auto-type, there is no way for it to corrupt your vault.
Even for SSH keys, Bitwarden has a fairly strict and structured API. The worst that could happen - if there is such a bug - is a new undecryptable note instead of an SSH key note being added to your vault. You could in that case simply delete it from another client.

In a KeePass database this would be different, since you always overwrite and sync entire vaults. This is not the case in Bitwarden.

I see that the releases also include “stripped-down” and “untested” builds for Windows and macOS. Does “stripped-down” refer only to the new Gladwarden feature set, or are some native features from the official Desktop client also stripped? And do you feel comfortable making any pronouncements with regards to the risk of vault corruption associated with these “untested” releases?

The Windows and Mac builds are work-in-progress, but since I don’t actively use those platforms, it’s somewhat slow moving. SSH-agent support, regular CLI access, and environment variable injection for other CLI tools should work.

Browser-biometrics integration theoretically works, but is not that useful, because
the official desktop clients already support that on mac and windows.

Aside from that, “pinentry” has not been implemented on mac and windows, and “biometrics” has only been implemented on mac (touchid). Autotype is not available on either platform. Since I don’t use the platforms at the moment, I’m not sure I’ll invest the effort on building out the featureset, but pull-requests are of course always welcome

or are some native features from the official Desktop client also stripped?

By the way, this is not based on the official desktop client in any way, it’s a completely separate codebase. It’s not a full bitwarden client, it really just serves to implement the (to me) useful but missing features such as autotype and ssh-agent support. You can use it in conjunction with the regular desktop client.

I see — thank you for clarifying!

Can you have the source code audited by some official service, so I can be sure my passwords wont get stolen by this?

It will be safer than the clipboard.

Bitwarden, please don’t let silliness like this slow this any more than it already has been.

The code is publicly viewable (and downloadable/compilable) on the GitHub repo. Third-party code audits are not free, but you absolutely have the option to hire some security firm to audit @Quexten’s code. I hope that you will share the audit results publicly when you receive them.

Auditing costs money, and this is a project I do in my spare time for free, which already “costs” me a lot of hours, so I cannot hire any external contractor to audit it. I’m open to getting the project audited if you want to finance that

If you think the maintainer (me) is malicious, I do have my real identity tied to it, as a maintainer, and reside within the EU, so I would be pretty stupid to try to steal credentials using this open source project, as in most EU countries you would definitely get jailed for that.

As for accidentally introduced security flaws, the threat model here would be either pulled in dependencies (some upstream library) being malicious, or some local attack against the app (other applications running on your local system), as it uses the same end to end encryption that all other Bitwarden clients use.

But if you are paranoid (which may be reasonable), and can’t / won’t audit the source code for yourself, and don’t have trust that others would do so, then you should probably stick to the official clients (which do not have this feature at the moment).

As @grb mentions, the source code is public, and the public builds are only ever built by the CI pipelines, the output log of which are also public. I don’t know whether they are bit-for-bit reproducible yet, specifically because of the C bindings of libfido2.

Anyways, it’s only a voluntary offer that I posted here in case it helps people. I’m not trying to convince anyone to use my tool.

Lol, im no programmer and will not request an audit.

I just wont use this software as I dont trust some random third party.

Would be great if the features from that App would be implemented into Bitwarden though.

Hopefully, you don’t have your Bitwarden account configured to use Argon2id as the KDF algorithm, then, since that code was written by the same “random third party”.

That alone demonstrates how much you’re not a software developer, @Shadily4224. Bitwarden probably has 40 dependencies, each themselves dependent upon 10s to 100s of dependencies, almost all written by 3rd parties.

I never claimed to be a software developer?!

@Shadily4224, I referred to

Just replying to express interest in this being a feature. Our company could save several minutes per user, per day if this feature were implemented. We have hundreds of users on Bitwarden and this feature would be greatly appreciated!

The best way to do that is to click “vote” at the very top of this window (scroll way up).

Did that already, but considering 900+ people have already done that and we don’t have the feature after 6 years… ya know.

That is an astoundingly useless response to a user request. - Especially to one that is by now common among desktop secret managers, to clarify: Bitwarden is lagging behind the field in this issue.

The fact that “some users don’t want this” was never a valid argument when talking about a feature that users can choose to use.

@richard.wonka Welcome to the forum!

However, you have read that 2-year old comment completely out of context. That was a direct response to the immediately preceding comment, in which a user asked why anybody would want to use the Desktop app, given the lack of auto-fill functionality. Of course the explanation is going to mention that some users still use the non-autofilling Desktop app because even though they have no need for auto-fill, they wish to use the other unique capabilities of the Desktop app!

There was never an implication that Bitwarden was not considering this feature request because “some users … prefer not to use the auto-fill function”, which is how you seem to have interpreted the comment.

Besides, the user to whom you responded has since left Bitwarden. The most recent statement from Bitwarden in this thread is the following one:

Hello grb,

I did indeed interpret the response as you have described. As such I an relieved to hear that this was a misinterpretation.

Given the age of the feature request, the very nature of the feature and development in other secret management software, I’m still somewhat surprised at the slow trickle of news on the topic and still not finding this feature in the app.

I had read the last statement from half a year ago, by the way, and am welcoming the slight glimmer of hope, as I am coming to appreciate the rest of the software more and more.

Looking forward to more news on this!

I hope this key feature will be implemented before i die

A much needed feature!
+1 for me on this.

I still keep keepassx on the side for those times when I need to fill in logins of desktop apps.

This is now going so many years. Honestly I’m pretty disappointed on the communication as well as the requirements of users. The feature roadmap is way to high level and there is not really a chance on getting a feeling on how honest the bitwarden team is in communication. Always is the topic somehow in “work” - thats how you loose trust. As a new user this could be the topic why you are not starting with bitwarden.