Google Chrome Extensions - Security Issues?

Hello!

I am using Bitwarden and it is very convenient. My concern is security. I mainly use Windows 10 Professional with the Google Chrome browser, but I will also use Linux.

I have downloaded several Google Chrome Extensions both before and after creating and using Bitwarden. These extensions often have many rights.

Some of my installed extensions for the browser are:
Compose AI: AI-powered Writing Tool
Permissions:

  • Read browsing history
  • Change data you copy and paste
  • Manage apps, extensions and themes

eJOY AI Dictionary 6.7.18
Permissions:

  • Read browsing history
  • Show notifications

Workona Tab Manager
Permissions:

  • Read and modify browsing history on all your logged in devices

Bitdefender Anti-tracker 1.4.0.25
Permissions:

  • Read browsing history
  • Block content on any page
  • Communicate with collaborating native applications

I often copy usernames and passwords to the clipboard, so the extensions or other apps outside the browser with the corresponding permissions have access to, e.g., the clipboard. Is this a security issue?

Thanks!

edit 1: I have disabled the history for the clipboard now in the system settings, but the clipboard is active and you can use the last copied element, of course.

edit2: Should I change all the passwords which I stored in Bitwarden now?

Welcome to Bitwarden!

The extension Compose AI: AI-powered Writing Tool has access to your clipboard and your browsing history. If this extension becomes malicious, it could steal your login credentials (that you have copied to the clipboard) and the possible websites that those credentials are for. If you know for sure that this extension is malicious and is stealing clipboard data, you should change your passwords immediately.

Here are some things you can do to reduce your risk of clipboard theft:

  1. Use autofill for websites, as this does not use the clipboard.
  2. Use a hardware 2FA device like a YubiKey. This will protect your account even if your clipboard or keyboard is compromised.

Windows is a very permissive environment. If you allow malware to get onto your system, your Bitwarden credentials could be compromised in a number of ways, including:

  • Clipboard stealer: This could steal your username, password, and TOTP code from the clipboard.
  • Keyboard logger: This could record your Bitwarden username and password as you type them.
  • Memory reader: This could steal your entire decrypted vault from memory, although this is probably somewhat mitigated by BW’s use of ASLR.
  • File stealer: This could steal your encrypted vault and your session tokens.

Malware can also load additional modules to make all of the above possible.

So, the number one rule for security on Windows (maybe difficult/impossible?) is to not get a malicious program/extension on the machine in the first place.

1 Like

Thank you!

I will consider this.

  • Is there any password generation feature in Bitwarden so that one can, internally in the vault, within the according account information, generate a new password of the same type? So one does not have to generate it in the Generator pane and does not have to copy it to the clipboard? Maybe this is a feature request.

  • Is it possible to change several/all passwords at once internally in the vault, e.g. in the case of a password theft? But then I would have to change all of these passwords on the account sites/servers, of course; it would be better if Bitwarden could change passwords on the account sites directly.

Cheers!

edit1: I use the iPhone and have the Bitwarden app installed. Isn’t the copy clipboard issue also an issue there with all the countless apps I have installed there?

within the according account information

No, there is no per-account password rule. To generate a password for a site that fits its rules, you have to configure the generator’s page individually per site. It may be possible to use autosave + the password generation shortcut (Ctrl+Shift+9 in the Firefox extension) to generate a new password and save it to Bitwarden’s entry without going through the clipboard, but I don’t use the autosave feature at all. So, I’ll let others answer that one.

change several/all passwords at once internally in the vault

No. There is no such feature.

if Bitwarden could change passwords on the account sites directly

No. There is no such feature.

iPhone

Yes. Same problem, except that on iPhone you can find all the apps that paste from other apps’ clipboards; if you are unhappy, you can remove the permission or uninstall the app. For Chrome extensions on Windows, you can also look for the extensions with the specific permission. But for Windows apps in general, you can’t iterate through all the apps that can copy from your clipboard: you have no idea who’s looking at your clipboard.
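One way to do that "look for the extensions with the specific permission" check without clicking through each extension's details page is to read the manifest.json files Chrome keeps for every installed extension. The script below is an added example, not Bitwarden's or Chrome's code; the permission names are Chrome's real manifest permissions, but the mapping to the warning strings quoted in this thread and the default profile paths are assumptions, and the sample manifests are constructed.

```python
"""Audit installed Chrome extensions for clipboard-, history- and native-messaging permissions."""
import json
import os
from pathlib import Path

# Manifest permission names behind the warning strings quoted in the thread.
# Assumed mapping of Chrome's permission warnings to manifest permission names.
WATCHED = {
    "clipboard": {"clipboardRead", "clipboardWrite"},  # "Change data you copy and paste"
    "history": {"history", "tabs", "sessions"},        # "Read browsing history"
    "native": {"nativeMessaging"},                     # "Communicate with collaborating native applications"
    "manage": {"management"},                          # "Manage apps, extensions and themes"
}

def classify_permissions(manifest):
    """Return {category: sorted permission names} for every watched category the manifest requests.
    Optional permissions are included because the user can grant them later."""
    requested = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    return {cat: sorted(requested & names) for cat, names in WATCHED.items() if requested & names}

def default_extension_dirs():
    """Default Chrome 'Extensions' folders for every profile (assumed default install paths)."""
    if os.name == "nt":
        base = Path(os.environ.get("LOCALAPPDATA", "")) / "Google" / "Chrome" / "User Data"
    else:
        base = Path.home() / ".config" / "google-chrome"
    return [p for p in base.glob("*/Extensions") if p.is_dir()]

def scan_extension_dir(ext_dir):
    """Yield (extension id, name, findings) for each <id>/<version>/manifest.json with watched permissions.
    Names like '__MSG_appName__' are localized placeholders; look the id up in chrome://extensions."""
    for manifest_path in Path(ext_dir).glob("*/*/manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or half-written manifest; skip rather than crash the audit
        findings = classify_permissions(manifest)
        if findings:
            yield manifest_path.parent.parent.name, manifest.get("name", "?"), findings

# Constructed sample manifests, loosely modelled on the permission lists in the original post.
SAMPLE_MANIFESTS = {
    "writing-tool": {"name": "Writing tool", "permissions": ["history", "clipboardRead", "clipboardWrite", "management"]},
    "dictionary": {"name": "Dictionary", "permissions": ["history", "notifications"]},
    "tab-manager": {"name": "Tab manager", "permissions": ["tabs", "sessions"]},
}

def audit_samples():
    return {key: classify_permissions(m) for key, m in SAMPLE_MANIFESTS.items()}

if __name__ == "__main__":
    for ext_dir in default_extension_dirs():
        for ext_id, name, findings in scan_extension_dir(ext_dir):
            print(f"{ext_id}  {name}: {findings}")
```

An extension that reports a `clipboard` finding can read what you paste on pages where it runs, which is why the autofill workflow later in this thread avoids the clipboard altogether.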

Not sure about the first part of the question, but you can definitely avoid copying to the clipboard. This is the method I recommend:

  1. Once you’ve reached the password change form, open the browser extension.
  2. Click the “View” icon (looks like a card with three lines) for the matching vault item, then click the “Edit” button.
  3. Click the ↻ (generate) icon in the password field to access the Password Generator.
  4. Click “Yes” to confirm you want to change the password.
  5. Make any required adjustments to Password Generator settings, then click “Select” in the upper right corner.
  6. Click “Save”!
  7. Scroll down and click the “Auto-fill” button to transfer the new credentials into the password change form.
  8. Submit the form.

Note: If the password change form requires you to supply the old password, then you do have to put the old password on the system clipboard (which is not a security issue if the old password is unique); this is because Step 7 will auto-fill the new password into all password fields on the web form (including the “old password” field). Thus, before submitting the form, you need to clear the “old password” field and paste in the previous password. You can copy the original password from the Bitwarden password field during Step 2, or from the Password History after completing Step 6.

1 Like

That was exactly what I was looking for; how could I overlook this!? It would be great if there was a feature to change several selected passwords at once (fitting the same type, as some sites do not allow special characters).

1 Like