Whilst I very much prefer Bitwarden over something like KeePass, something that has kept bugging me ever since switching is the fact that I need to use the web client every now and then.
There is absolutely no guarantee that the JavaScript delivered to the user's browser hasn't been a malicious version that steals the master password at some point. I understand why it's there from a usability standpoint, but client-side encryption really shouldn't be done in the browser, especially not if it's used to manage all of your passwords.
We could argue about the security of client-side encryption through JavaScript in the browser, but ultimately I just wish there was an option to avoid it altogether. Currently there are quite a few features that are only exposed through the web client, forcing you to use it at some point, such as:
- changing the master password, key derivation
- setting up 2FA
It’d be great if these (and all the other tools and settings) were available in the mobile/desktop clients.