I think it would be very nice to have the BW extension warn the user if they try to enter a user+pass on a website, especially if they search for the credentials and the domain is slightly different. For example, if the user visits googel.com (instead of google.com), the Bitwarden extension should display a yellow warning inside the extension. Maybe something like this:
What method do you use to “enter” your login credentials in such cases?
FYI, if you must search the vault to find a login, this by itself is already a clear warning that the website does not have any legitimate login in your vault.
Welcome, @raiden-e to the community!
Bitwarden does this today; it is just a bit more subtle than you might imagine. When results show up under “Autofill suggestions”, the URL matches what is stored in the vault entry and it is generally safe to fill. If, however, the results show up in “all items”, the URL did not match and one ought to pay close attention.
Do note that you can have multiple URLs for one vault entry (e.g. google.com and gmail.com) and there are a variety of ways one can control when an entry matches. Once things are set up “correctly” you will rarely find yourself searching because the proper items will automatically show up in autofill suggestions when you go to the website.
You might also read up on the various autofill mechanisms. With them, you can often fill web pages without even opening the extension. Configuring and using autofill is the best defense we have against look-alike websites.
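As an added illustration (not Bitwarden's code, and not posted by anyone in this thread), the following shows how the two buckets described above fall out of a plain registrable-domain comparison, and how the near-miss warning from the original request could be layered on top. The vault entries, the two-label domain rule and the "within two edits" threshold are constructed assumptions.

```javascript
// Constructed vault entries with the URIs a user might store for each login.
const VAULT = [
  { name: "Google", uris: ["https://google.com", "https://gmail.com"] },
  { name: "Bitwarden", uris: ["https://vault.bitwarden.com"] },
];

// Registrable domain of a URL or bare host. Assumes a simple "last two labels"
// rule (a real implementation would consult the public-suffix list).
function registrableDomain(urlOrHost) {
  let host = urlOrHost;
  try { host = new URL(urlOrHost).hostname; } catch (e) { /* bare host given */ }
  const labels = host.toLowerCase().replace(/^www\./, "").split(".");
  return labels.slice(-2).join(".");
}

// Levenshtein edit distance (single rolling row), used to spot "one typo away" domains.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = above;
    }
  }
  return row[b.length];
}

// Split vault items into "autofill suggestions" (exact domain match) and
// "lookalikes" (no match, but within two edits of a stored domain), which is
// where the yellow warning proposed in the thread would be raised.
function classify(pageUrl, vault = VAULT) {
  const page = registrableDomain(pageUrl);
  const suggestions = [];
  const lookalikes = [];
  for (const item of vault) {
    const domains = item.uris.map(registrableDomain);
    if (domains.includes(page)) { suggestions.push(item.name); continue; }
    const closest = Math.min(...domains.map((d) => editDistance(page, d)));
    if (closest > 0 && closest <= 2) lookalikes.push(item.name);
  }
  return { suggestions, lookalikes };
}
```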
Hi, thanks for letting me know, but my suggestion is exactly for the reasons you guys pointed out.
I would argue that the current way is not explicit enough. I am thinking about recommending Bitwarden to my grandma, for example, and I'm thinking about what could go wrong. IMO it would be better if Bitwarden could anticipate this user error and warn about misleading URLs and such.
I guess a lot of IT people understand your point. I’m just saying, I see a lot of casual users forcing the mistake and I’d like an option for the UI to be more cautious. Does that make sense?
In any case, thanks for the replies so far!
Aside, but whatever happened to web browsers helping spot bad domains by highlighting just the domain in the address bar? So right now I’d be seeing bitwarden.com highlighted. It seemed a very sensible idea to me that was simple to implement.
Sure. Your feature request is not unreasonable.
Assuming that you will need to teach your grandma how to use Bitwarden, one work-around would be to simply not show her the steps required to make this type of mistake. Autofilling on the wrong domains requires the following steps to be completed:
- Open the browser extension.
- Search for a login credential, or browse the “All Items” or “Favorites” sections to find a login credential to autofill (after expanding these sections, if they are collapsed).
- Click the overflow menu button (kebab icon = three vertical dots) and select “Autofill”; alternatively, use copy and paste.
Thus, you can significantly mitigate the risk by not using “Favorites”, while also ensuring that the “Favorites” and “All Items” sections are collapsed, and then simply not teaching her how to do a vault search or how to expand a collapsed section; additionally, do not teach her how to use the overflow menu.
In addition, if you set her up to use inline autofill menus and prompts to save new passwords, then she should never even need to open the browser extension popup window (except to unlock the vault).