Password visibility during login and password protection while tresor unlocked


I’d like to disable the “eye” icon which allows to show the password in plain text during user login/tresor unlocking. That applies to everywhere - mobile app, windows app, browser extension and website.

Recently a friend and I were playing around with bitwarden and I had the eye icon clicked (while we were complaining about its existence) and a few minutes later in the very same window he started to type in his password and boom I did see the first part until he realized that it was visible in clear text.

So one could accidentally disclose his password and thus, in my opinion this eye button should be either be optional/be able to be disabled by company policy or at least it should revert itself to hidden after a few seconds or maybe even as soon as one releases the mouse button.

A malicious user could also steal passwords using this button in an unobserved moment.

Same applies to unlocked vault - in chrome, one can’t simply view saved passwords. You always have to enter your credentials to clear-text view saved passwords. Chrome only auto-pastes passwords to the desired form fields. IMHO that’s another nice protection layer, even if I guess that one could let chrome fill out some form field with an otherwise unaccessible password and thet fetch the passwort from that form by JS manipulation or something but at least that is more elaborate than simply clicking the eye icon and copying the password. Mabye that feature would be more suitable for the browser extension than for the windows app client.

Thanks for reading!

I think you are overreacting/overthinking it. If you are typing your password in front of someone, then don’t press the “eye” button. You said it yourself - you and your friend were playing around, testing things and forgot the eye icon was clicked. Who is to blame? By the same logic, I want to remove the “x” button in the top right corner because I might accidentally close the window before posting this comment.

If you are talking about the master pass, the only way is if you type it, leave it like that, go somewhere else and have someone else press the eye icon - just not happening.

Can I simply view your saved passwords in Bitwarden? Can you simply view mine? I’m pretty sure I would need you credentials (email and master pass) to view your passwords.

If you leave the vault unlocked and unobserved, it’s only your fault.

Just a friendly note that we do support hidden passwords in organizations (even the free cloud-based 2-person org!) - but this puts the item into an ‘autofill-only’ state, so you can’t see/copy the password from the Bitwarden client.

More info here:

IMHO doesn’t matter how it happened but it happened and considering bitwarden to be a software with potentially highly sensitive information, such an eye button has absolutely no right to exist in the login mask, imho. Someone could force you off your computer while or just after you finished typing your password. Who needs that anyway? For gods sake that’s ok for some unimportant logins but the password vault?! If you’re unsure whether you had made a type, go and just retype that pw, jeez. And if you’re unsure about the keymap, try the symbol in question in a cleartext field!

I’m sure, many security aware companies (I work in one) would want to remove that button from the login form. It is just unsecure by design. And: anything can happen (referring to “just not happening”. Think outside the box.

Actually, I like the feature mentioned by tgreer. Guess I will be using that.
You have to make a compromise between usability/comfort and security. If I autolock my PW safe instantaneously, bitwarde loses the competition with google chrome in terms of usability. If I autolock it after x minutes, my passwords are at risk any second that I do not watch my PC until bitwarden autolocks itself (e.g at home, with friends/colleagues/whoever at my place). Even if I’d paid attention to the lock status of the vault, the day will come where I’ll forget to lock it and someone steals my PWs or other sensitive information. Humans make errors. Software can and should be smart enough to compensate at least a bit for that.

In my opinion the solution to that is:

  • fast autolock of the “fat” Windows Desktop client (or whatever OS), normal access to PWs there, so eye-icon is enabled
  • no or very long waiting autolock for the browser extension, but no view-access to passwords without the master password, only autofill (similar to the feature which has been linked by tgreer)
  • fast or almost instant autolock on mobile apps, cause you can unlock it simply with your finger. I know, someone could force your finger on the sensor or cut it off but at least it is locked when your phone gets stolen or ripped out of your hands. also, everyone can choose to disable biometrics if one is seeing this as an realistic attack vector.

In my opinion, it would be enough that the user has to enter his master password (or Pin) after clicking on the eye. This way the password can be filled automaticall and not seen by anyone who should not see it.

this whole discussion was about the master password itself, IIRC.