For Windows 7: App, Browser Extension or Web App?

Hi. I have some Windows 7 machines where I use Bitwarden. On two machines I got the app to work (2022.5.1), the other did work with the app but now it doesn’t work and I can’t get it to work. I did download the Chrome Extension, and that works great. I also noticed I can just log in directly to the Web Vault App. So my dilemma is what to settle on.

First, I know, I know, Windows 7 isn’t current. I have three computers running under Windows 7 so it would cost me a lot to change out the hardware for Windows 11. Also, I have apps that won’t run under Windows 11 so that would be another issue. It’s not an easy upgrade for me.

So, for me, I’m thinking the app is out because I can’t reliably get it to work on all of my computers. The Chrome extension does work, but as you may know, Chrome won’t be updated anymore because Windows 7 is out of date. The Web Vault Client works everywhere - even at work where they block me adding extensions to the browser.

So, again for me, I’m thinking the Web Vault Client would be the best bet. What would be the downside (besides someone in the middle pretending to be the web address)? Maybe I should just use the Chrome extension?

@joe002, welcome to the community!

The web vault requires copy-paste, which means that passwords end up on the clipboard and accessible to other apps on your PC. And since there is no auto-fill, you need to do two or three pastes: username, password, and maybe TOTP. You will also not be able to avail yourself of some of the newer friction-reducing technologies, such as biometrics, passkeys, etc. We have already seen that older Androids/iPhones take a long time to decrypt the vault due to insufficient processing power. This will also happen to you at some point.

The web vault is a relatively sophisticated JavaScript app that runs in your browser (not on “their” server). At some point the web app will depend upon a browser feature not found in your outdated browsers and will stop working in mysterious ways.

At the very minimum, I would purchase a used PC off eBay so that you have one machine that can be kept up-to-date. From this machine, I would create occasional off-line backups (which one should do even if all of their systems are up-to-date). Having reliable backups will help reduce stress and risk and it will ensure you are not 100% down when that fateful day arrives.

Hi. Thanks for the reply. I do have a phone that has the current app loaded and uses biometrics (a lot easier to use than typing in my password).

Yeah, I do use the clipboard to copy my passwords. I used to have them in an encrypted Word document, now they are in Bitwarden. I’m really OK with cut and paste (instead of auto-fill), been doing it forever, but right, there are potential security issues if my apps get hacked.

Yes, I do have the browser update issue too. I was eventually forced to go from XP to Windows 7 for that reason - I swapped browsers until nothing worked anymore.

I already do make copies of my vault (in case of the big failure and/or Bitwarden going away).

Besides the copy/paste issue, and the possibility of someone redirecting my login to a hacker site, is there any reason to use the Chrome Extension over the direct Web Vault login? I’m into not adding things until they are necessary (why I’m still on Windows 7, lol). The Web Vault seems to work for me anywhere, and I don’t need to customize my browser for it to work, but maybe there are other security flaws that the extension handles better?

Hi Joe, and welcome to the community!

With the web client, you can’t lock it with PIN or biometrics, so you’ll have to continually give it a master password after it locks. You can have it logged out, and use the “Login with Device” feature to approve login from your phone instead of entering the master password.

With the browser extension, you can lock with PIN. You can also use Login with Device, as above, whenever you are logged out.

Some people don’t use the desktop app at all. People may use the desktop app for: biometrics unlock for extension (which win 7 doesn’t have), faster response, and to approve devices for login.

Your OS is not getting updated. Your browsers (FF’s update is also ending in September) aren’t getting updated. Soon your extension clients may stop working. Any kind of security that you depend on your OS and your browsers to provide, they may not be able to because of vulnerabilities. Also, opening up your personal vault on your work computer may not be good if it uses any kind of end-point monitoring software, because your IT may be able to snoop on you.

The safest thing to do (meaning possibly leaking credentials more slowly) is probably to type in the passwords directly from your vault kept on your updated phone. This is obviously inconvenient.

If you can afford it, maybe consider using something like the “OnlyKey” hardware password manager. It’s more isolated, even if it’s still prone to keyloggers just like any other password manager, it is limited in capacity, and it’s hard to set up.

Thanks for the suggestions!

I’m OK with entering my password over and over again. I have to do it a zillion times at work because I have multiple computers and they all have 10 minute screen savers per IT. It looks like I can log into Web Vault and not have to re-enter my password as much if I change the default setting. The biometrics on the phone is handy.

Yeah, I was thinking the browser extensions would be the next thing to stop working, which is why I was leaning toward the Web Vault. Ha, yeah, I’m sure my IT department does spy on me, but sometimes I need to log into places at work. I’ve been using a password protected/encrypted zip file for a handful of passwords, but I wouldn’t be surprised to know they’ve been looking at me using it. I’m not sure if Web Vault is any worse than that file?

Ugg, yeah, I could use the phone, but not at work. I can’t have the phone in the room where I work. Outside of work the phone is good or my home computers will be using Web Vault (it looks like). Copying those crazy passwords by hand is not fun at all, especially when some letters and numbers look almost the same.

Hmmm, OnlyKey, Oh, can’t use it at work. No USB devices too - they locked all the USB ports. It would work at home, but then I wouldn’t have a single solution.

It seems that Web Vault will have the longest life span for me, with the potential security issues at work and with my aging OS and browser(s). It’s still better than my password protected Word document and zip file, and I suppose the app on my phone (Android) should always be the safest.

This is just trivia, not related to your situation.

For passwords that you need to type in by hand, consider also passphrases; for example, use a 4-word passphrase for your BW master password. Use all lower case, separated by spaces. If you can touch type, you probably can type in 10 words in less than 30 seconds. It’s also harder to shoulder-surf, unless they video-record it or keylog you.

Right! For my Web Vault I use a passphrase because I’m typing it in all the time. All of my other passwords are the randomly generated ones.
