This is a feature request to consider not showing an ‘Unlock account’ button in web pages. It’s something that I think about every time I see it, and I thought it was worth opening a discussion here. The problem I see is that it would be trivial for a malicious website to fake the ‘Unlock account’ button, fake the browser extension pop-up where you enter your username and password, and therefore steal your master password.
See below an example from the Bitwarden community forum login page to illustrate what I mean. Now, imagine this is actually a malicious website. Surely it would be incredibly easy to fake this?
My suggestion is to stop showing this button, because it basically conditions people to click on any button on a website which looks like this, and enter in their master password on anything which looks like a popup window on the same website.
This is why I never actually use this button - I always use the button in my browser extensions toolbar, just in case.
Am I wrong about this? I would welcome any comments or pushback.