Using the desktop application vs extension

Can other members please comment on the following thread on the Bitwarden reddit page?

What is the consensus on the current best practice on using either the desktop application vs extension?

Hope someone can shed some insight into this.

If you’re concerned about what access the Bitwarden browser extension has to your data, then the Bitwarden desktop app has even more access.

Recap: you have untrusted browser extensions on your Mac browser(s), and you are concerned about using the BW extension because of its potential memory leak to the untrusted extensions. You are wondering if using a desktop app and cut-and-paste into the browser would give you better protection.

Reddit answer: you should use BW extension to gain additional protection such as phishing resistance and avoiding transference of data through clipboard, and stick to trusted extensions only.

I think the “consensus” on best practice is pretty clear: use the browser extension. You can see that major password managers, including the “offline” ones like KeePassXC, have them.

Your risk in using an untrusted browser extension is more about the extension being able to read your pages’ data, including the passwords, one at a time on each page (login, BW password entry page). Your risk of the extension breaking the sandbox is much lower, because it most likely requires a vulnerability exploit of such a model.

Your risk in using the cut-and-paste method is phishing and malware that interferes with the clipboard (most common is an infostealer related to cryptocurrency, but usually not passwords).

You can try to evaluate your risks in either case. Living with potentially malicious extensions/programs is difficult because it’s hard to get definite information and because of the evolving capabilities of such malware.

On a side note, you can lower the risk of total breach by using unleakable FIDO2 2FA, and by using leak-resistant TOTP 2FA with secrets stored outside of BW. Peppering your passwords may also slow some kinds of breach down a bit too.

If concerned about other extensions seeing a password entered on a web page, it does not much matter if it was done by the Bitwarden extension, by copy/paste or by you typing it.

If you don’t like the idea of extensions seeing/changing the contents of your DOM (web page) then don’t install extensions.

And if you don’t like the thought that all apps on your PC can see passwords put on the clipboard then don’t put passwords on the clipboard.

Seems I have more to learn. I never knew that the Bitwarden desktop app has even more access than the extension, I thought it was the other way around.

I was unaware that this is a possibility. Can you please advise how this is done?

Yes, that is my concern. Seems I will give the extension a try.

If you are using a desktop then consider using a unique browser profile for when you are using BW. The “other” browser profiles (e.g. in Firefox) cannot see the contents of each other, which provides insulation. For clipboard concerns I use a clipboard manager to keep mine clean, especially when I toggle between profiles on my browser. Easy stuff!