✅ Inline autofill menu (formerly known as overlay popup interface)

I agree with this proposed addition.

If/when this is implemented, could you please ensure that it is easy to turn off. That was the most annoying feature in the other password managers that I have used. I do enjoy how Bitwarden stays out of the way until I need it. Please keep up the good work

10 Likes

Yes - I found with LP it also often got hidden/overlayed/mixed up with show/hide options on the password boxes.

2 Likes

I didn’t mind the generator icon so much (actually more annoying when not there as a site isn’t using the correct html), more the fill icon when returning to a site.

Voted, this would be very handy

I know this is a highly requested feature but I just saw this link about how it can be abused. Bitwarden might be better off without the overlay?

https://lock.cmpxchg8b.com/passmgrs.html

5 Likes

Interesting article - not sure about their final advice to just use the in built browser password manager though.

3 Likes

To be fair, it seems the guy who wrote that article works for Google so suggesting using Chrome is a conflict of interest.

The little I’ve played with it this is a legit concern but might be a little overblown.

I find it interesting he picks on NordPass and not LastPass as they would be a bigger target to go after if you ask me. It also seems the exploit hinges on the URL (about:blank#.google.com). I bet you can fix this by simply having the password manager ignore any URLs that start with a hashtag though I feel this is what most password managers already do and thus why he picks on Nord as they’re still new and have not figured this out.

1 Like
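An added example, hypothetical code that is not from this thread or from Bitwarden, of the origin check the post above describes: a naive substring match is fooled by `about:blank#.google.com` because the domain appears only in the URL fragment, whereas matching on the parsed hostname rejects it. The hardened check also covers cases beyond the post: a `google.com` prefix on an unrelated domain, an https-to-http downgrade, and a lookalike vault host.

```javascript
// Added example (hypothetical helper, not Bitwarden's code): decide whether a
// page is eligible for autofill from a stored login by comparing parsed
// origins rather than raw URL strings.

// Naive check for contrast: a substring test on the raw URL. It is fooled by
// "about:blank#.google.com", where "google.com" lives only in the fragment.
function naiveUrlMatch(pageUrl, storedHost) {
  return pageUrl.includes(storedHost);
}

// Hardened check: parse both URLs, accept only http(s) pages, refuse a
// scheme downgrade, and compare hostnames (exact, or a subdomain of the
// stored host). Unparsable or non-web URLs (about:, data:, javascript:) fail.
function autofillOriginMatches(pageUrl, storedUri) {
  let page, stored;
  try {
    page = new URL(pageUrl);
    stored = new URL(storedUri);
  } catch (e) {
    return false;
  }
  if (page.protocol !== "https:" && page.protocol !== "http:") return false;
  if (stored.protocol === "https:" && page.protocol !== "https:") return false;
  const host = page.hostname.toLowerCase();
  const want = stored.hostname.toLowerCase();
  if (!host || !want) return false;
  return host === want || host.endsWith("." + want);
}

// Constructed sample inputs: the fragment trick from the thread, a real login
// page, a "google.com" prefix on an unrelated domain, a scheme downgrade and
// a lookalike of the Bitwarden web vault host.
function demo() {
  const google = "https://accounts.google.com/";
  const bare = "https://google.com/";
  return {
    naiveFooled: naiveUrlMatch("about:blank#.google.com", "google.com"),
    fragmentTrick: autofillOriginMatches("about:blank#.google.com", google),
    realLogin: autofillOriginMatches("https://accounts.google.com/signin", google),
    prefixTrick: autofillOriginMatches("https://google.com.evil.example/", bare),
    downgrade: autofillOriginMatches("http://accounts.google.com/", google),
    lookalike: autofillOriginMatches("https://vault.bitwardem.com/",
                                     "https://vault.bitwarden.com/"),
  };
}
```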

The FAR bigger risk, as I keep banging on about, is not having U2F support on your Android phone. You get an alert when you are half asleep, you pick up your phone and being half asleep you stupidly click the login link which takes you to a fake (but identical) BW vault, you enter your credentials and then touch your Yubikey or enter your authenticator code and bam, all your passwords stolen in an instant.

Yes, you can put this down to human error. But guess what, we are all humans and we all make errors!

What??

I don’t understand what you’re trying to say here. First this hypothetical scenario has nothing to do with U2F. And second, it’s not human error; it’s extremely foolish.

Education is key: Don’t click links in emails; don’t trust account-related texts or emails unless you already expected them; and don’t accept 2FA requests unless you already expected them.

I’m certainly not going to accept an unexpected Duo Push request, even if I’m half-asleep.

Finally, a “fake (but identical) BW vault”? What even is that?

I’ll assume you just didn’t understand, rather than you were deliberately being obtuse.

My hypothetical scenario has EVERYTHING to do with U2F. MFA is about providing a second level of protection, over and above having a secure (and secret) master password. If the second level of protection in fact provides no protection at all - as is the case with a clever MITM attack - then it is not worth having. In the scenario I described, then a TOTP code from Yubikey or Authenticator app is useless since both would be sent to the bogus MITM, who then accesses your account, decrypts your vault and steals all of your vault contents.

Effectively the second authenticator factor is useless if you fall victim to a phishing attack like this.

So are you saying we should just not bother with 2FA? That is the logical conclusion, since it is useless? I am sure you are not.

Of course people should be vigilant and not carelessly fall victim to phishing attempts. Oh that it was that simple. Phishing is responsible for the VAST majority of security breaches because unfortunately, to err is to be human. We are all susceptible to being caught off guard or being caught by a very clever attack which fooled us. That’s where 2FA comes in, to protect us in the rare event that we get it wrong. But there is no protection with TOTP in such circumstances, as I explained. It is not fit for purpose. Only U2F provides protection against a MITM attack where you are duped into logging in to a bogus site.

And finally “a fake (but identical) BW vault? What even is that?”

Spot the difference? Whilst half asleep, or on the phone perhaps?

I’m still not seeing where the “fake vault” comes in. If you use the official Bitwarden app and you tell Android to use it to Auto-Fill, the MITM you would encounter would be between you and a given website.

In a browser, you would have to be particularly foolish to log into a fake Bitwarden “Web Vault” located at www.creedthoughts.gov.www\bit-warden. Especially while on your phone.

Maybe if you got an email from a fake Bitwarden support address with a link to reset your Master Password or whatever, and you were dumb enough to trust it. But again, it wouldn’t for sure know what 2FA you use, if you use one at all.

I would think if someone were to put all their password-related eggs into one basket, they would be particularly careful about making sure where they access it from is legit. If someone is so security-absent-minded with their credentials as to require they use U2F, they are probably not wise enough to pay for U2F. Therefore, the scenario you’re imagining wouldn’t help because it’s not mandatory.

I can’t agree with much of that, if any. I note you picked a pretty silly fake URL - www.creedthoughts.gov.www\bit-warden. And glossed over vault.bitwardem.com. Be honest, did you even notice it was wrong? Honestly?

And your comment “But again, it wouldn’t for sure know what 2FA you use, if you use one at all.”? I’ve no idea what you are thinking. The hacker doesn’t need to know what sort of 2FA you are using. If it’s a TOTP from an authenticator app, from a Yubikey, from a text message or from anything else… it doesn’t matter. It gets intercepted, used, logged in and your passwords stolen.

Your suggestion that if people are duped or are not careful enough, that therefore they should not have additional protection to help them in such circumstances? Well that’s just ridiculous.

It’s a reference to the US version of The Office.

I’m saying the people who need the most protection are the people who are the most at risk, and the complaint that they don’t have it is moot because they won’t use it since it’s not required.

You yourself want it, and that’s fine. But the scenario you created is rather over the top. Just say that you want it and leave it at that. Also, this discussion is off-topic, so it’s best taken to the relevant thread.

2 Likes

3 years and still nothing? How do you want to compete with other password managers without such a basic feature that others have had for a long time?

Feature name

  • Save on clicks when I start my browser with bitwarden locked

Feature function

Currently, when I start the browser I need to do the whole dance before the autofill works.
I have biometrics on, but I need to do the following:

  • Click on Bitwarden Icon
  • Click on Unlock With Biometric (why this additional step?)
  • Touch the fingerprint reader
  • Press reload in the browser

Would be much easier if I had an icon in the password field that when clicked immediately prompted for the fingerprint and filled the fields for me. 1 click instead of 3.

Is there any update on this? Currently, it’s quite annoying to either have to right-click and then hover over the Bitwarden option, then hover over the autofill, and then finding the password you want can still be difficult. It’s also annoying to continually move from the password field, usually located in the center of the screen, to the extension bar at the top if the field didn’t autofill automatically.

1 Like

Wowsers. Top voted feature request. Any word on when this will be implemented? I, and hundreds of others, are really looking forward to this feature.

1 Like

I’m really surprised at the level of interest in this feature.

To be honest, I’ve gotten used to using the pinned toolbar icon. Additionally, as a previous LastPass user myself, I can say that having the LastPass overlay icon overlap with a Show Password icon on certain websites was an annoyance, given how reliant I had become on using the overlay icon. But now, given that my behavior has adjusted in accessing Bitwarden without an overlay icon, it’s not really that big of a thing for me. Sure, it would be nice—and it would be one less negative in a direct, new-user comparison with converts from other particular Password Managers. But I wouldn’t call not having it a deal breaker.

4 Likes

Agree - in fact I found the LP icon sometimes obscured bits of the login box and I must admit I now tend to use the Ctrl-Shift-L keyboard shortcut all the time to cycle between logins (or the toolbar icon for sites with 3+ logins)

2 Likes