If the website has a malicious iframe, it was already compromised, and you can't trust their normal login form either. No password manager can protect you from that risk unless they can detect that the site has been compromised.
Google Sites does this by design. Sites like Twitter allow media to be embedded from an iframe on certain sites (I assume this is whitelisted though).
Many embedded ads use iframes as well. Or someone may choose to embed an iframe to a site/page they trust. May not be the smartest, but it happens. Great that Bitwarden addressed the concern and fixed it though!
Problem is the way that BW handles iframes (currently), unlike any other pwd manager.
Yeah but you still use 2fa so it's not that bad.
@durschfalltv7505 not everything offers 2FA. This is referring to the sites that BW autofills for, not only Bitwarden itself.
Thanks for explaining. I love when folks go in depth past the stupid headlines. Keep it up!
Love the shirt!!
I don't think users are fully aware of the risk of using autofill with BitWarden. It is good that user awareness is getting raised.
good thing I always use the cli
Big fan of Bitwarden here, I like how open and transparent they are. As you say, the more people scrutinise their codebase and applications the better! Glad to have moved to them from LastPass about 3 years ago now 👍
It reminds me of that "critical" CVE that everyone was going on about for MikroTik. And the issue was with WinBox... if you exposed your management interface to the internet... I am afraid that is not a flaw, that is a you problem.
You can apply that same argument to all security vulnerabilities. While it’s true that a tremendous amount of skill, patience, time, and luck are required for a bad actor to even have the opportunity to exploit a software bug… you as an IT professional must accept that patching these nuisance security vulnerabilities is essential to a layered security approach.
You should definitely think twice, thrice and fourcice (?) before exposing your management interface to the public, but the security risk there is brute force or weak passwords. While you should never assume a management interface is 100% secure, vendors should still ensure that any security holes in them are treated with the utmost security concern.
While you are not wrong, the main issue with that flaw was not someone accessing your digital life, but using your router as a jump point to spread the malware and hide the rest of the botnet it was running. Given the capabilities of the router (robust packet capture, VPN and proxy options, etc.), it's still a scary concept to have your device accessed remotely. On the Bitwarden side, since they offer, and many people take advantage of, its built-in TOTP feature, gaining the password for access to a publicly accessible password management server could mean dangerous risks such as access to bank accounts, crypto/trading exchanges, or health information, to name a few. I agree that if you choose to turn it on, it still comes down to management, but a lot of people scared of what happened with LastPass don't have the technical mindset to read the warning and consider all of the attack avenues it could open. This patch is geared more towards the non-technical people that would turn it on just because it makes the software "easier" to use.
Bitwarden is quickly becoming the Signal of password managers, kudos to the team! Not trying to jinx it, just credit where it's due. xD
Team blue all the way fam
I was on LastPass, now fully on BitWarden.
Really nice video. You put a lot of thought planning this presentation, and I appreciate it. The TLDW summaries at the front were a nice touch. Thank you for this. Also, I really like the intro banner you put together recently. All of this makes for a tidy professional polish instead of a hastily blurted-out informal blog. Nicely done.
Thank you
Bitwarden all the way, been using them for years. Will continue to do so.
Me too but there is substance to this problem. Good they are fixing this week.
Bitwarden is my daily driver. Love it.
I was just reading the BleepingComputer article the other day and now, bang! You already gave us some more context about it.
We know you're invested, nonetheless there's nothing comparable to Bitwarden in transparency and I'm so glad we have it.
Great content, thank you!
Nice video, but you scrolled by where it says Bitwarden will lock out the use of a PIN after 5 wrong attempts, presenting a big hurdle to casual brute force hacking. All the misleading clickbait headlines are unfortunate, as are forum trolls or users defending their choice of another password manager. No password manager is perfect, but Bitwarden is a very compelling open source and transparent product. It's sad to see it unfairly maligned when that likely cuts into the team's sources of revenue and ability to continue to improve the product. It wouldn't surprise me if some of this stuff is coming from proprietary commercial competitors like LastPass. Please keep up the good work.
Just fork the code (open source) and remove the 5 wrong attempts check.
@An.Individual Yeah, but that's well beyond the ability of the average person who grabs your laptop. And if you think the PIN feature isn't sufficiently secure, just don't use it. It's not enabled by default and Bitwarden is transparent in how it works.
Love Bitwarden. I don't trust anything that isn't open source and cannot be peer reviewed.
One thing BitWarden is really bad at right now is updating and/or communicating to legacy accounts when security defaults change. Case in point: auto-fill passwords was on by default until LastPass made the news with exactly the same attack vector. Sure, they changed the defaults for new accounts, but older accounts still may have auto-fill enabled. Same with the security key hashing setting. They've increased the number of iterations from 5000 to 600000 in several steps, but at no point did they update or prompt the legacy users to update their settings for the new defaults.
Maybe, can we get a “Bitwarden Best Practices” video please 🙏🏾?
Regarding PIN unlocking: I am surprised you did not mention that you are prompted for the master password after 5 wrong PINs. So much for 'brute forcing the PIN'. So long as it is indeed not 1234 or similar, it is a non-issue. And if the user is using 1234, then that is not the fault of Bitwarden.
next bleeping computer article: bitwarden allows the user to proceed with an attack on their password with a proceed button. lol
The article is based on work published by FlashPoint. FlashPoint are a large, respectable cyber security corporation. I'm surprised he didn't notice that.
Great nuanced video, we need more of these on RUclips as a whole.
Thanks
I love bitwarden, used it for several years already, paid version also for 2FA
You can't brute force the BW PIN. After several tries, it removes the PIN and prompts for the master password.
I love Bitwarden for its portability. I moved over from Google when I switched to Firefox on Fedora/Raspberry Pi 4 as my daily driver for some time and I have not looked back since. I still disabled the PIN, however, after the video, as it is not so easy to avoid reusing PINs across different devices.
I ❤Bitwarden.
I love the information you give. I use BitWarden and no, I do not use the PIN. I didn't know you could use anything other than numbers, which is great. I am still not going to use it, but good info.
I just wait for the screeching of the people that "rely" on the cross domain feature... well, I mean these "tech" "journalists" on their "blogs" need some things to present on their clickbaity clickbait headlines. It is hard for them to find clickbait-worthy "things" to sensationalize. 😨
FlashPoint is a large cyber security threat agency. They are well qualified and their article is level headed.
Just wondering what the Bitwarden community's response would have been if something similar was spotted for another PW manager such as LastPass.
Lastpass? They still around? I thought nearly every IT person dropped that money grubbing outfit years ago. I've been on Bitwarden ever since.
Bitwarden all the way....!!!!! 😀
I mean, this would happen with any compromised website, regardless of which password manager you are using or your settings. If the username/password fields are compromised, you shouldn't blame the password manager.
Love Bitwarden!
First
Thanks for this balanced, calm and informative video :-)
Very convenient cannot go together with security, so if you are worried about your password security, please do not use a PIN, or encrypt your disk with VeraCrypt.
I'm so tired of the bleepingcomputer clickbaits it's not even funny anymore.
Thanks Lawrence for your content!
I shouldn't say this over the internet, but my master password is so long that I only ever use pin to unlock.
It's so much more convenient this way. But I must admit, it's pretty dumb. It's as if I had changed my master password to a much much weaker password.
It's still better than what I used to use.
No password manager is perfect, but boy, Bitwarden is the best among the other PMs.
I have to say I laugh so hard when you do the "too long, didn't watch". It's a sad fact that people don't have the attention span for videos like this... specifically ones that may or may not change how they do security in their network... which could be the difference in, say... clicking off a DHCP server... or not setting it up in the first place on a VLAN... and then wondering where it went wrong. Troubleshooting personal mistakes... probably worse than troubleshooting something that once worked and suddenly stopped. Trained myself to find interest after so many wasted hours, and that was at the beginning 🤣
That said, anyone else sick of inflammatory headlines? This literally reads as a "don't do stupid things, but hey, we'll hold your hand in case you do". They aren't liable for mishandled security; it's nice they addressed this simple situation... I don't use them. Considering it though.
I've seen this article and really wondered how much that guy got paid and WHO paid this guy to pump out this crap.
I love the video, it's amazing the important info that gets left out of headlines. I would just add at 2:48 that there are ways to compromise DNS for just subdomains. It requires a specific process, but an attacker can gain access to just a subdomain vs having to get at the root domain and then decide between a subdomain vs the root domain. The other problem there is the subdomain would have had to already have been used and abandoned by the org in question, so potentially users might have URIs matching that subdomain in their Bitwarden. This requires bad hygiene on the part of the org in question, but we are human after all :P.
Thanks. Would have been good if you could have shown on the menus what disabled/enabled looked like. My browser extension was confusing, with an unchecked box for autofill, but the greyed out option said autofill on page load. I'm fairly certain it wasn't doing that, because I always need to use the shortcut key combo to make it happen, so not too concerned. However, it was confusing, so I enabled the option at the top, changed the now accessible drop-down to say *don't* and then unchecked at the top again. Probably no different, but I feel better 🙂
I've used BW self-hosted for about 5+ years now with Vaultwarden and I (a) like the company and app and (b) feel so much better that my data is totally in my control. If I get hacked (never say never) then it's likely down to me in some way :-)
Thx Tom for another great video packed with great and useful information.
Bitwarden received investment last year and I am concerned about how that will affect the product. The investors need to make their money back and more profit... so what is going to change to make that happen? The change doesn't need to be negative and I am not necessarily worried about it being negative... but it would be great to know what Bitwarden intends to do for investors.
So many people hear open source and they think it's a charity.
@An.Individual very true. I'm glad Bitwarden is proving a profitable open source model.
So, why do they call it PIN (Personal Identification NUMBER) when they accept more than just digits?!
Microsoft have made the same blunder...
No blunder. A hacker will use a number generator to find the PIN, but it's not a PIN, it's a multi-character password his generator can't find. Also, great to use a password as a PIN when setting up a new computer for someone and the customer refuses to use a PIN, but Microsoft forces it during install. Everybody is happy.
(The client scenario happened to me a few times).
Thanks for taking the time to explain the scope of this issue. It doesn't seem like people are reading beyond the headline and freaking out without cause.
as usual....
For my money I will only use 1password
Anytime you want to say 'i seen it' pause and... Say it better. 😅
Any time you want to type 'anytime' pause and... Type it better. 😅
"Anytime" is an adjective, while "any time" is the combination of an adjective and a noun. They mean different things.
Bitwarden with yubikeys!
Or don't use Bitwarden.
I tried BW looking to change from Dashlane when my premium expires in a year or so. I really, really wanted to love it, but BW's UI and UX is just so blech.
I much prefer Dashlane's separation of Personal Info (names, emails, phones, addresses, and company elements) and ID (ID cards, driver's license, tax numbers, SSN etc.), all individual items, rather than having it all dumped into one personal info entry with custom fields, which makes it harder to properly manage expiry dates and other information related to the ID (or even find the ID in the first place).
The whole captcha login needs improving, as if you don't pass the first time then you can't actually try again without cancelling out and starting the whole login process again.
Also, the import from Dashlane was less than ideal, though since it's a one-off thing it's manageable.
This morning I've upgraded my account to premium and now I can't access my account, and my mobile app is open but it's not syncing with the server.
Anyone had the same issue?!
Bitwarden all the way. It's only $10 a year for the pro version, so I can use hardware keys as my 2FA method!
I only use Bitwarden inside a VM on banking sites. For everything else, I just leave it to good ol' Chrome/Firefox.
I cannot hack Bitwarden, but I can and do hack Chrome and Firefox passwords fairly often. Can I borrow your computer for a minute?
@SpaceCadet4Jesus lel 😂
👍👍👍👍
Bitwarden all the way, but I came across Passbolt, which sounds great for small teams!
I'm still really debating whether I'm going to do self-hosted Bitwarden with a Cloudflare tunnel or if I'm just going to pay them for the plan.
PIN may be a problem if you are using it in addition to Windows Hello, which means keyloggers are useless. Then again, I don't know who would do such a thing.
BW user here. F/OSS is clearly superior in a great many ways.
I think the Bitwarden app should add support for mTLS.
Just put a proxy in front of it and set it up.
A reverse proxy with mTLS works well in the Chrome/Edge web browser, but not in the iOS/Android Bitwarden mobile clients.
When I started using Bitwarden about 6 months ago, I did a fair amount of research re PINs. For reference, the PIN is only a password to an encrypted copy of your master password.
The PIN (imo) is insecure if you have the PIN and encrypted password saved to disk, which means that anyone who can copy your disk would be able to brute force it. Otherwise, the PIN and its corresponding record is only stored in RAM, which is a lot more difficult for anyone to extract.
It saves to disk if
* You UNTICK the option 'lock with master password on browser restart' (in which it needs to save it somewhere, rather than browser session), or
* Your vault timeout is set anything less strict than 'on system lock' (in which case, the computer going to sleep/hibernate may cache the information on disk).
In many ways, using a PIN that only has the relevant info in memory is safer than using the master password every time, as it makes it less likely your use of the master password gets compromised (e.g., accidentally typing the master password into a field on the browser!)
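The model this comment describes (the PIN protects an encrypted copy of the master secret, the wrapped record normally lives only in memory, and the earlier replies' point that five wrong PINs fall back to the master password) is easy to see in code. The following is an added example and not Bitwarden's implementation: the PBKDF2 iteration count, the HMAC-based toy wrapper standing in for a real AEAD, the class and function names, and the sample salt are all assumptions made for the illustration. It shows why the lockout bounds an attacker to five guesses while a copy of the wrapped record taken from disk exposes the whole PIN keyspace to offline guessing.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Parameters chosen for this example (assumptions, not Bitwarden's real values).
PBKDF2_ITERATIONS = 100_000
MAX_PIN_ATTEMPTS = 5  # the lockout the comments describe


def derive_pin_key(pin: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Stretch the PIN into a 32-byte wrapping key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, iterations, dklen=32)


def _subkeys(pin_key: bytes) -> Tuple[bytes, bytes]:
    """Split the wrapping key into separate encryption and MAC keys."""
    enc_key = hmac.new(pin_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(pin_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def wrap_master_key(master_key: bytes, pin_key: bytes) -> dict:
    """Encrypt-then-MAC the master key under the PIN-derived key.

    Toy stand-in for the AEAD a real client would use: one HMAC block of
    keystream XORed over the key, plus an HMAC tag over nonce || ciphertext.
    """
    if len(master_key) > 32:
        raise ValueError("toy wrapper handles keys up to 32 bytes")
    enc_key, mac_key = _subkeys(pin_key)
    nonce = os.urandom(16)
    stream = hmac.new(enc_key, nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(master_key, stream))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def unwrap_master_key(record: dict, pin_key: bytes) -> Optional[bytes]:
    """Return the master key, or None if the PIN (and so the MAC) is wrong."""
    enc_key, mac_key = _subkeys(pin_key)
    expected = hmac.new(mac_key, record["nonce"] + record["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        return None
    stream = hmac.new(enc_key, record["nonce"], hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(record["ct"], stream))


class PinUnlock:
    """In-memory PIN record with the five-attempt fallback to the master password."""

    def __init__(self, master_key: bytes, pin: str, salt: bytes):
        self._salt = salt
        self._record = wrap_master_key(master_key, derive_pin_key(pin, salt))
        self.failed_attempts = 0

    @property
    def locked_out(self) -> bool:
        return self._record is None

    def try_unlock(self, pin_guess: str) -> Tuple[str, Optional[bytes]]:
        if self.locked_out:
            return ("master-password-required", None)
        key = unwrap_master_key(self._record, derive_pin_key(pin_guess, self._salt))
        if key is None:
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_PIN_ATTEMPTS:
                self._record = None  # discard the wrapped copy; only the master password reopens the vault
                return ("master-password-required", None)
            return ("wrong-pin", None)
        self.failed_attempts = 0
        return ("ok", key)


def guess_budget(alphabet_size: int, pin_length: int) -> dict:
    """Guesses available to an attacker in the two storage situations the comment contrasts."""
    return {
        "in_memory_with_lockout": MAX_PIN_ATTEMPTS,
        "record_copied_from_disk": alphabet_size ** pin_length,
    }


if __name__ == "__main__":
    salt = b"user@example.com"        # constructed sample salt
    master_key = os.urandom(32)       # constructed sample master secret
    vault = PinUnlock(master_key, "7391", salt)
    print(vault.try_unlock("0000")[0])  # wrong-pin
    print(vault.try_unlock("7391")[0])  # ok
    print(guess_budget(10, 4))          # 5 guesses online vs 10,000 offline
```

The `guess_budget` figures are the whole argument: with the record only in RAM, an attacker who picks up the unlocked laptop gets five tries before the client demands the master password; with the record copied from disk, nothing limits them but the PIN's keyspace and the PBKDF2 cost per guess, which is why a four-digit PIN is not a password substitute in that configuration.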
Saving on disk really shouldn't be an issue though. A securely configured system should have password-on-boot full disk encryption.
Love Bitwarden, using open source self-hosted Vaultwarden, doing it offline though, so I have to tunnel in to sync or rely on the cache when not home. Didn't want to expose it to the internet.
Could you use Tailscale to make it easier?
@chrsm probably.
Sir, please talk about the RustDesk software, which is open source and is a beautiful piece of software.
Until it has gone through a proper security audit I am not interested in using it.
@LAWRENCESYSTEMS ok sir
I'd rather use Vaultwarden from now on.
Thumping thing would be fine if it unlocks the key in Agent memory. But this is only the case if you do not disable the "protect with master password" setting. That setting should be removed; it's really stupid to encrypt with weak PINs, even if locally (persisted).
Me happily typing my 50+ character master password every time I have to 🤸🏼♂️ weeeee. Security is a responsibility, not a feature; you can have the best and most secure password manager in the world, but if you are a lazy and careless person, you will get hacked, simple...
As a sysadmin I'm very strict when it comes to security. I once found a PW written on a Post-it and stuck to a monitor, and not only did I report this person to the head of my department but to HR as well. That was unacceptable and reckless.
Damn. I'm falling behind with only a ~25-30 character password.
@Jimmy I'd suggest you're following best practice and value your time.
@Justin F It hurts when I have to type in my admin password (about the same length) for users, and they go, "Wow. That must be hard to remember".
Those are the sorts of people that will probably have their password written down next to the computer somewhere.
Let's face it. A pretty large number of folks are too lazy to use their turn signals, or carry an empty paper coffee cup to a receptacle to dispose of and certainly too lazy to return a shopping cart to a designated spot instead of an empty nearby parking spot or behind some other shopper's car. So I think that memorizing a complex 30+ character mixed mode password is definitely out of the question and much too much to expect!
@Jimmy_Jones indeed, those are also the ones who use the same password for every account they have, including personal ones as well 🤦
Passwords are too insecure, I've switched to a long PIN nobody would EVER guess, 123456789
Well, I don't use the browser extension. We can see here why. It is a bit more inconvenient to use the app, but it is more secure.
The reason I use Bitwarden is to use the extension in the browser and trigger autofill. I also use KeePassXC on the desktop, primarily as a way to back up my login credentials, but secondarily to use the copy/paste functionality when the browser extension is either inappropriate or fails to autofill.
No it isn't more secure. And no, we cannot see that here. 1. When using the app, you are copying the password to the clipboard in plain text. 2. If a site actually has a hidden iFrame, the browser extension will warn you now. But if you are manually copying the password from the app, you probably would have just pasted it in.
@superfoo555 Took the words right out of my mouth. I was pretty sure he was using cut/paste. Talk about insecure.