Bitwarden Passwords At Risk? | A Security Expert Explains
Ғылым және технология
A recent report emerged that showed Bitwarden can mistakenly send your passwords to hackers if you misconfigure your settings.
📝 Sign up for my free weekly security newsletter: weekendbyte.teachmecyber.com/
❤️ Leave a comment and hit the like button because it helps spread cyber security knowledge to more people.
🔔If you found this helpful, subscribe to the channel!
www.youtube.com/@teachmecyber...
🚀 Connect with me on LinkedIn
/ jrebholz
Пікірлер: 58
Good news, Bitwarden has fixed this issue so it's not longer vulnerable! github.com/bitwarden/clients/pull/4994
@kyn1xx
9 ай бұрын
so its safe to have it enable??
@teachmecyber
9 ай бұрын
Yes, it's safe to use now!
@kyn1xx
9 ай бұрын
@@teachmecyber but the warning is still there...
@mr.boniato6402
7 ай бұрын
This is one of the great benefits of open source!.. there's a problem, someone will fix it!
Summary of the video: Settings > auto fill > disable autofill on page load
@teachmecyber
7 ай бұрын
That about sums it up
I never use auto-fill because I only store my passwords partially. A little inconvenience to copy and paste my username and passwords + add the missing characters but it gave me a piece of mine. I'm not worried if BW got hacked, the hacker still don't have my complete passwords.
@teachmecyber
9 ай бұрын
I've heard similar tactics from others as well. It's a pretty cool way to do it. You could still use autofill to make it a bit easier and then add your manual character at the end. It's a cool little hack!
@freewilly8557
7 ай бұрын
Partially storing your password and not auto filling is good advice if you use a password manager. This content creator is just advertising. His videos just explain how convenient it is to use password managers. There are always dangerous exposures if you store your passwords anywhere. The different password managers just have varying amounts of risk. Your practice of storing a partial password and adding something you remember is the best practice which ensures that your full password is never available anywhere.
@xileets
Ай бұрын
So It's like salting the data? Interesting. How much salt do you add? Is it a nonsense string? There is also always the possibility that a password is stored in a server as plain text instead of as the hashed value.
@manny7886
Ай бұрын
@@xileets - It's up to you how many character(s) you want to add. In my case I add my driver license number.
At least nothing crucial. Thank you for keeping us in the loop!
@teachmecyber
Жыл бұрын
An edge case that hopefully stays minimal! Hopefully this gets Bitwarden to push a fix as well to close this out.
I never use autofill anyway it doesn't work very well in the first place. Great video btw, lots of info condensed into a highly digestible video - love it thanks!
@teachmecyber
8 ай бұрын
I've found your mileage can vary with auto fill depending on your setup and the password manager. It's gotten better but some apps or sites can be troublesome. Thanks for the feedback!
Thanks for the edumucation anyway!
@teachmecyber
5 ай бұрын
Always good to be aware of the risks!
Am I able to add an extension with my Safari browser?
Hey is there maybe a plan for making a Q&A format?
@teachmecyber
Жыл бұрын
What would you like to see for it?
Which password manager do you recommend among these 4 in your free plan? I am between Bitwarden, Dashlane, Nordpass or Protonpass. thanks
@teachmecyber
10 ай бұрын
I would go for Bitwarden or Dashlane. I value firms that focus on their key products.
@Tech-geeky
10 ай бұрын
Don't go for Lastpass, like me.. I gather BitWarden doesn't have "monitoring of dark web" and other features you get with Lastpass Premium. but that would be "user chose to gave it up" type thing anyway before a attack happened.
@BooleanDev
8 ай бұрын
bitwarden or KeePassX, dont use anything from Nord
I don't get this. If I was on the proper website, it would not have a malicious on it. If I was on a fake site, it will not autofill.
Heyy i need your help i broke my phone and lost all contacts and my master password as well for bitwarden how do i recover my bitwarden back
@teachmecyber
7 ай бұрын
Check out this link. Your options might be limited here depending how you set it up. bitwarden.com/help/forgot-master-password/
sweet!
@teachmecyber
9 ай бұрын
Thanks for watching!
So it is just when BW. autofill's on page load that is the problem? Once the page loads isn't the malicious still on the page what happens when I manually click autofill?
@teachmecyber
Жыл бұрын
Well the good news is that Bitwarden fixed the flaw, so it won't happen automatically now when autofill is enabled. When you are using the manual autofill, BW will warn you if there is an untrusted that would get filled.
@craigmonty
10 ай бұрын
@@teachmecyber So should we still disable auto-fill? Or is it ok to use now?
@user-zk3rc1po2v
10 ай бұрын
@@teachmecyber please answer So should we still disable auto-fill? Or is it ok to use now?
@teachmecyber
10 ай бұрын
All good to use now!
@tiagolima3241
9 ай бұрын
@@teachmecyber I from Brasil. Gostei do seu vídeo. Agora fiquei com medo de usar. Isso vale pra qqr navegador? Existe algum ajuste que não carregue esse ?
So just dont use the browser extension and youre good! Esay!
Bitwarden a year ago didn't have that auto-fill or prompt-to-fill or select to fill feature ...that was why I went to another vendor! Not sure how much improvement Bitwarden has now ,,,but it seems to slack behind other vendor!
@teachmecyber
6 ай бұрын
It's a bit like the Android vs Apple argument. Other password managers have a more streamlined interface and are easier to use but don't have as much customization, like Apple. Bitwarden isn't the best looking but it has most of the features and a lot more customization.
EVERY bit of convenience other than memory in your brain is a *potential* security vulnerability. (Even your memory is a liability, for example, I'm presently working on developing security practices for older people who have memory issues.)
I guess it's not yet a life threatening procedure 😂
@teachmecyber
Жыл бұрын
Thankfully this is a minor issue and one that has since been patched!
@fearless6947
Жыл бұрын
@@teachmecyber so now I don't need to check, if it's unchecked?
@teachmecyber
Жыл бұрын
Correct, it will be off by default and Bitwarden fixed the underlying issue
@fearless6947
Жыл бұрын
@@teachmecyber thanks :) I appreciate your reply
😆 Apple iFrame... Watch this space.... ..... Arn't all online password managers at "risk" then ? Lastpass has auto-fill has well, but as least we know now *why* its disabled by default. Since its disabled anyway, and the number of sites is 'low' for this risk, perhaps the option shouldn't be there at all. Stop that at its source. :) what would be the legit reason for this low risk exploit?
@teachmecyber
10 ай бұрын
I see it as an oversight in the code. They didn't account for different s they could be sitting on the main web page. This has been fixed now thankfully!
I’ll just copy/paste.
@teachmecyber
Жыл бұрын
That's a tried and true method. One benefit of the autofill (with user interaction) is that it can help you detect phishing sites. If you click on a link and it prompts for a login, your password manager will look for the URL. If it's not something it recognizes, there's no password to put in.
@Tech-geeky
10 ай бұрын
I just drag'n'drop .... Doesn't go to clipboard that way
@teachmecyber
10 ай бұрын
That's a good approach.
Booo, this is not fixing the root cause
@teachmecyber
2 ай бұрын
They recently released a full fix for this
This is the end of bitwarden for me