Bitwarden Passwords At Risk? | A Security Expert Explains
HTML-код
- Опубликовано: 17 мар 2023
- A recent report emerged that showed Bitwarden can mistakenly send your passwords to hackers if you misconfigure your settings.
📝 Sign up for my free weekly security newsletter: weekendbyte.teachmecyber.com/
❤️ Leave a comment and hit the like button because it helps spread cyber security knowledge to more people.
🔔If you found this helpful, subscribe to the channel!
www.youtube.com/@teachmecyber...
🚀 Connect with me on LinkedIn
/ jrebholz 
Наука
Good news, Bitwarden has fixed this issue so it's not longer vulnerable!
github.com/bitwarden/clients/pull/4994
so its safe to have it enable??
Yes, it's safe to use now!
@@teachmecyber but the warning is still there...
This is one of the great benefits of open source!.. there's a problem, someone will fix it!
Summary of the video:
Settings > auto fill > disable autofill on page load
That about sums it up
At least nothing crucial. Thank you for keeping us in the loop!
An edge case that hopefully stays minimal! Hopefully this gets Bitwarden to push a fix as well to close this out.
Thank you for a great content !!!
I never use auto-fill because I only store my passwords partially. A little inconvenience to copy and paste my username and passwords + add the missing characters but it gave me a piece of mine. I'm not worried if BW got hacked, the hacker still don't have my complete passwords.
I've heard similar tactics from others as well. It's a pretty cool way to do it. You could still use autofill to make it a bit easier and then add your manual character at the end. It's a cool little hack!
Partially storing your password and not auto filling is good advice if you use a password manager. This content creator is just advertising. His videos just explain how convenient it is to use password managers. There are always dangerous exposures if you store your passwords anywhere. The different password managers just have varying amounts of risk.
Your practice of storing a partial password and adding something you remember is the best practice which ensures that your full password is never available anywhere.
So It's like salting the data? Interesting. How much salt do you add? Is it a nonsense string? There is also always the possibility that a password is stored in a server as plain text instead of as the hashed value.
@@xileets - It's up to you how many character(s) you want to add. In my case I add my driver license number.
I never use autofill anyway it doesn't work very well in the first place. Great video btw, lots of info condensed into a highly digestible video - love it thanks!
I've found your mileage can vary with auto fill depending on your setup and the password manager. It's gotten better but some apps or sites can be troublesome.
Thanks for the feedback!
Thanks for the edumucation anyway!
Always good to be aware of the risks!
Am I able to add an extension with my Safari browser?
Which password manager do you recommend among these 4 in your free plan? I am between Bitwarden, Dashlane, Nordpass or Protonpass. thanks
I would go for Bitwarden or Dashlane. I value firms that focus on their key products.
Don't go for Lastpass, like me..
I gather BitWarden doesn't have "monitoring of dark web" and other features you get with Lastpass Premium. but that would be "user chose to gave it up" type thing anyway before a attack happened.
bitwarden or KeePassX, dont use anything from Nord
I don't get this. If I was on the proper website, it would not have a malicious on it. If I was on a fake site, it will not autofill.
sweet!
Thanks for watching!
Hey is there maybe a plan for making a Q&A format?
What would you like to see for it?
Heyy i need your help i broke my phone and lost all contacts and my master password as well for bitwarden how do i recover my bitwarden back
Check out this link. Your options might be limited here depending how you set it up.
bitwarden.com/help/forgot-master-password/
So it is just when BW. autofill's on page load that is the problem? Once the page loads isn't the malicious still on the page what happens when I manually click autofill?
Well the good news is that Bitwarden fixed the flaw, so it won't happen automatically now when autofill is enabled. When you are using the manual autofill, BW will warn you if there is an untrusted that would get filled.
@@teachmecyber So should we still disable auto-fill? Or is it ok to use now?
@@teachmecyber please answer So should we still disable auto-fill? Or is it ok to use now?
All good to use now!
@@teachmecyber I from Brasil. Gostei do seu vídeo. Agora fiquei com medo de usar. Isso vale pra qqr navegador? Existe algum ajuste que não carregue esse ?
So just dont use the browser extension and youre good! Esay!
Bitwarden a year ago didn't have that auto-fill or prompt-to-fill or select to fill feature ...that was why I went to another vendor! Not sure how much improvement Bitwarden has now ,,,but it seems to slack behind other vendor!
It's a bit like the Android vs Apple argument. Other password managers have a more streamlined interface and are easier to use but don't have as much customization, like Apple. Bitwarden isn't the best looking but it has most of the features and a lot more customization.
I guess it's not yet a life threatening procedure 😂
Thankfully this is a minor issue and one that has since been patched!
@@teachmecyber so now I don't need to check, if it's unchecked?
Correct, it will be off by default and Bitwarden fixed the underlying issue
@@teachmecyber thanks :) I appreciate your reply
EVERY bit of convenience other than memory in your brain is a *potential* security vulnerability. (Even your memory is a liability, for example, I'm presently working on developing security practices for older people who have memory issues.)
😆 Apple iFrame... Watch this space.... .....
Arn't all online password managers at "risk" then ? Lastpass has auto-fill has well, but as least we know now *why* its disabled by default. Since its disabled anyway, and the number of sites is 'low' for this risk, perhaps the option shouldn't be there at all. Stop that at its source. :)
what would be the legit reason for this low risk exploit?
I see it as an oversight in the code. They didn't account for different s they could be sitting on the main web page. This has been fixed now thankfully!
I’ll just copy/paste.
That's a tried and true method. One benefit of the autofill (with user interaction) is that it can help you detect phishing sites. If you click on a link and it prompts for a login, your password manager will look for the URL. If it's not something it recognizes, there's no password to put in.
I just drag'n'drop .... Doesn't go to clipboard that way
That's a good approach.
Booo, this is not fixing the root cause
They recently released a full fix for this
This is the end of bitwarden for me