I was looking for the most secure and convenient way to use BW. I thought that using autofill was more secure than copy and paste but I’m wondering if that is really the case. In the NIST guideline https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63B-4.2pd.pdf NIST recommends copy and paste (or at least a password manager must support that). NIST isn’t talking about autofill. See line 2304 of the document.
The desktop app, web vault and the extension all support copy and paste, but the web vault is the only one (I’m using Linux) which supports passkeys during login. I don’t want to enter my master password every time, and using a PIN weakens the security. Therefore the most secure and convenient way is to use the web vault with copy and paste; unfortunately the clipboard cannot be cleared after some time.
The heading to that section, which contains line 2304, states (line 2297):
“Usability considerations for typical usage without a password manager include:”
(emphasis added)
As far as I can see, these NIST documents are about authentication, identification… (criteria etc. for) passwords, passkeys… etc. But they are not really about “secure password manager usage”.
Just use the browser extension; pretty sure you can set the time for clipboard clearing. By using the browser extension you can leave it locked when unused and unlock via biometrics or PIN.
BTW, I often repeat this suggestion - users need to (my opinion) type in their Master Password here and there to help build retention in their minds. Otherwise they don’t know what the MP is without looking it up. I know mine by heart and type it in several times a day.
The most secure and convenient way to use Bitwarden for entering login credentials for online accounts (accessed via web browser) is to install the Bitwarden browser extension, and to use autofill methods (of which there are about a half-dozen to choose from) to transfer the username and password into the login form. This completely bypasses the system clipboard, so there is no need to clear the clipboard after autofilling.
If you must use the Web Vault, then I would suggest using drag-and-drop instead of copy/paste, as drag-and-drop also bypasses the system clipboard. Simply hover your mouse pointer over the “Username” or “Password” label in the vault entry until the pointer changes to a “move” icon (four arrows arranged in a compass shape), then left-click the label and use the mouse to drag the field contents into the required input field. If the login form is on a different browser tab, drag the mouse to the tab that has the login form (but do not yet release the left mouse button), wait for the tab to open, and continue dragging the mouse until you reach the destination. When the mouse pointer (which should be displaying the field label that is being dragged) is on the desired input field, release the mouse button.
They use the word “random”, but their example passphrase (which contains the decidedly non-random word sequence GreenForest) has evidently not been generated using a CSPRNG, so their definition of “random” seems to be “nonsensical” — which is not the same thing, from a cryptographic standpoint.
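To make the distinction in the post above concrete, here is an added example (not part of the thread, and not Bitwarden's generator) of what a cryptographically random passphrase means in practice: each word is drawn uniformly from a word list using the operating system's CSPRNG (Python's `secrets` module), and the resulting entropy is simply `words × log2(list size)`, independent of whether the words happen to read sensibly together. The sixteen-word list is constructed for the example; a real generator would load a large published list such as the EFF long list, and the `words_needed` helper shows how many words such a list requires for a chosen entropy target.

```python
import math
import secrets

# Constructed sample word list, kept tiny so the example runs stand-alone.
# A real generator loads a large list (e.g. the EFF long list of 7776 words).
WORDLIST = [
    "apple", "river", "stone", "cloud", "forest", "green", "orbit", "maple",
    "candle", "silver", "harbor", "violet", "tunnel", "meadow", "copper", "ember",
]


def generate_passphrase(word_count: int = 6, wordlist=WORDLIST, separator: str = "-") -> str:
    """Draw word_count words uniformly at random with the OS CSPRNG.

    secrets.choice is the cryptographic choice; random.choice (Mersenne Twister)
    is seeded predictably and must not be used for credentials.
    """
    if word_count < 1:
        raise ValueError("word_count must be >= 1")
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


def passphrase_entropy_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of word_count words drawn uniformly from wordlist_size words.

    This holds only for uniform CSPRNG selection; a hand-picked phrase such as
    'GreenForest' has far less entropy than its length suggests, because a
    guesser can exploit the fact that the words were chosen to read naturally.
    """
    return word_count * math.log2(wordlist_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest number of words from a list of wordlist_size that reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def is_from_wordlist(passphrase: str, wordlist=WORDLIST, separator: str = "-") -> bool:
    """Sanity check used by the test: every token came from the list."""
    return all(word in wordlist for word in passphrase.split(separator))


if __name__ == "__main__":
    phrase = generate_passphrase(6)
    print(phrase)
    print(f"{passphrase_entropy_bits(6, len(WORDLIST)):.1f} bits from the toy list")
    print(f"{words_needed(77, 7776)} words of a 7776-word list reach 77 bits")
```

Note that with the toy list six words give only 24 bits, which is why real generators use lists of thousands of words; the arithmetic, not the readability of the phrase, is what determines guessing resistance.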