Remove automatic Autofill (beta) from Bitwarden and browser extension
Feature function
Not offer automatic autofill on any level
Enhanced protection from third party “phishing” scripts
Related topics + references
HowtoGeek and 1Password both have excellent write-ups on why it’s such a dangerous feature to have enabled, and 1Password specifically takes a hard-line somewhat unique stance among password managers in not offering it at all despite constant requests for it.
HowToGeek’s article includes a little test page to show how vulnerable a manager may be to this sort of attack. Thankfully Bitwarden is not vulnerable in that specific scenario but the possibility is easily there. The average end user most likely doesn’t realize the huge hole it is despite the warning.
Bitwarden browser extension does not Autofill on page load. It has to be manually turned on by the user. Also, Bitwarden will only display the login in the Tab page, when the user is on the exact site.
It’s because not everyone’s use case is the same. One of the reasons why I moved away from password managers like 1Password is that they don’t listen and it’s their way or the highway. At least Bitwarden will listen and let us vote on features.
I have a few people I know who need this feature and would not use a password manager without it. Having this feature is better than them reusing passwords. Plus, this feature is not on by default and a warning is given so why not keep it?
I also feel this issue has been blown out of proportion. It is an issue, but people act like there is code injected into Twitter and it can steal your bank password. This is not true, the extension will only fill based on the Browser and not the contents in the page. You also have the browser protecting you from such attacks, this is why Chrome or Firefox has no issue with auto-filling passwords.
Everyone’s threat level and use cases are different. The fact that Bitwarden gives us so many options to suit our needs is what makes it so great.