With the “Ask to add login” and “Ask to update existing login” optinos enabled, Bitwarden asks if you would like to save the password when you login on a website that is not saved in Bitwarden yet.
This banner is added to the DOM of the page, and subsequently loaded pages. This has a few disadvantages:
- The website could have CSS styles that change or break it’s appearence.
- The banner could be hidden behind other elements on the page if they also use the same or higher ‘z-index’ value
- JavaScript on the page could interfere with the banner. This could even be a security concern. I’m not sure, but could there be a way the website accesses the banner and reads data from Bitwarden (like the Folders that are listed in the dropdown, or worse)?
- When you sumbit the form or click links on the page, or the page reloads for any reason, the banner is not visible until the page has loaded again completely. So I often find myself waiting until the banner appears again so I can click Save. Or I click the Login button, the banner appears, I try to select the Folder and click Save, but in the mean time the response from the login comes back, a new page starts loading and the banner is gone. Then I have to select the folder again.
- Other times the banner doesn’t appear after the login because the login is done on a different domain (SSO identity provider) than the actual website. When the SSO provider redirects to the original site, Bitwarden will not show the “Remember password” banner again. Sometimes the banner doesn’t appear at all, not even for a short time before the other page loads (for example https://login.devolutions.com)
If there is a way to make the banner completely independent from the DOM, I think this would be a better solution. If could be like the flyout when you click the Bitwarden Add-On icon, or any UI that is handled by the add in or the browser itself rather than added to the web page itself.
For example the built-in password manager in Chrome does it better in my opinion. You can see the panel overlaps the address bar so you can be sure it’s coming from the browser rather than the website.
Also for the auto-fill popup that appears when you click the password field is independent from the DOM The website itself sould not even be able to know it’s there:
