I've decided to stay with 1password

Honestly I don’t particularly like 1pw. Their interface and design choices are getting too annoying and idiot-proof. It’s annoying to have to disable more and more of their ‘helpful’ new features.

With my 1pw subscription coming up, I decided to give Bitwarden a shot. This is because of BW’s recommendations on Security Now Podcast (Twit Podcast Network). I am always up for giving an Open Source project a try. I love the concept of Bitwarden and hope it has great success going forward.

In the end, I am choosing to keep my 1pw subscription. The main reasons are easy to identify: Tagging and Browser Integration.

While I’m aware there are many workarounds to having tag-like features in BW, the lack of a native approach to tagging is a deal-breaker for me. This basic feature is available even in KeePassXC.

As for the Browser Integration, why do they make us unlock in the browser, when the main BW application is already unlocked? I use many different browsers, and this multiple unlock situation is annoying to say the least.

Bitwarden is good, but I am sorry to say, it has too many obvious shortcomings for me to use it as a full-time PW manager.

1 Like

“As for the Browser Integration, why do they make us unlock in the browser, when the main BW application is already unlocked? I use many different browsers, and this multiple unlock situation is annoying to say the least.”

Just add your master password to your vault. Then it’s a simple matter of copying it from the open vault to the locked vaults.

1 Like

I agree with @bluet00th on the browser integration.
I use 1password on my work laptop, and it’s really nice to unlock once and use everywhere. It would be great if Bitwarden also added the same feature.

1 Like

“Just add your master password to your vault. Then it’s a simple matter of copying it from the open vault to the locked vaults.”

I would like to counter this.

First of all, copying passwords, and especially your master password, might be extremely vulnerable, as your clipboard is not secure.

Additionally, the browser integration works with biometrics, so you really don’t need a master password. But the real question is: why would I authenticate with my fingerprint multiple times for different browsers, when it could simply be done once in the desktop app?

You could use drag-and-drop instead, which bypasses the clipboard.

For anybody not using biometrics to unlock their browser extensions, I also question the need to routinely keep the Desktop app running. Just unlock your browser extension only (using master password or PIN) when you need access to your vault data.

4 Likes

“You could use drag-and-drop instead, which bypasses the clipboard.”

I just realized that. Nice tip!

By the way, if the system is not compromised with malware, is copying to the clipboard really a legitimate concern? I use a clipboard manager, so any time I copy something significant, such as a password, I promptly clear it. Therefore, sensitive information does not remain for long in my clipboard.

Forgot to mention one of the things I like about e-mail and SMS 2FA is that I can tell when a password is in the possession of an attacker. With TOTP, I have no clue.

1 Like

“By the way, if the system is not compromised with malware, is copying to the clipboard really a legitimate concern? I”

I would love to see this discussion fleshed out in details.

Clipboards can contain sensitive data, apps commonly access it, and I haven’t ever seen Windows apps flagged by AV solutions because of clipboard practices (but I see more with keyboard-hooking practices). I can imagine a semi-legitimate Windows app that claims not to be malware but does something shady with the clipboard without consent, but I haven’t ever come across an article that exposes such an app. I have seen a marketplace app copying clipboard data on Android unexpectedly, so I can imagine the shady practices happen more on mobile platforms, and less now that the mobile platforms raise this awareness.

Because of the clipboard concerns, the offline password managers commonly implement keyboard entry simulation, even with an obfuscated method. Even if keyboard logging is more likely to be flagged by AV, being lured into installing malware means keyboard logging is possible just as much (???) as clipboard sniffing.

Drag-and-dropping is a nice one, though, Bitwarden. With “Login with Device”, you can tongue-in-cheek claim that BW is keyboard-logging, clipboard-sniffing, malware-resistant!

2 Likes

Some 4 years ago, a broad collection of “legitimate” apps (TikTok, Reuters, Hotels.com, AccuWeather, etc.) were caught red-handed snooping on users’ clipboards when Apple added a banner warning alerting users to such events in iOS 14.

Although I have not seen any specific reports of clipboard data scraping by apps running on other operating systems, I think it would be prudent to assume that if app developers can do it without getting caught, they will spy on users’ clipboard data.

Mainstream, “legitimate” apps are unlikely to intentionally do anything nefarious with passwords that may be hoovered up in clipboard scraping campaigns, but there is a non-negligible likelihood that such data will be persistently stored in databases (used for purposes of marketing, etc.). Thus, if a malicious actor compromises a server storing one of these databases, your passwords could fall into the wrong hands.

4 Likes

Wow, thanks for the tip @grb

+1

Just so we don’t diverge from the original topic, these are the 2 concerns originally posted by @bluet00th:

  1. Lack of native “tag-like” features
  2. Lack of an “unlock once, use everywhere” feature considering the browser integration

1 Like

Here’s one relevant discussion:

The unlock-once-use-everywhere doesn’t seem to be a feature request yet. The OP is probably not the person to take it there.

There are actually two specific feature requests: automatically log onto browser extension when logged into desktop app and automatically log onto browser extension when logged into web vault:

3 Likes