Good news, Bitwarden has fixed this issue so it's not longer vulnerable! github.com/bitwarden/clients/pull/4994

@kyn1xx

9 ай бұрын

so its safe to have it enable??

@teachmecyber

9 ай бұрын

Yes, it's safe to use now!

@kyn1xx

9 ай бұрын

@@teachmecyber but the warning is still there...

@mr.boniato6402

7 ай бұрын

This is one of the great benefits of open source!.. there's a problem, someone will fix it!

Summary of the video: Settings > auto fill > disable autofill on page load

@teachmecyber

7 ай бұрын

That about sums it up

I never use auto-fill because I only store my passwords partially. A little inconvenience to copy and paste my username and passwords + add the missing characters but it gave me a piece of mine. I'm not worried if BW got hacked, the hacker still don't have my complete passwords.

@teachmecyber

9 ай бұрын

I've heard similar tactics from others as well. It's a pretty cool way to do it. You could still use autofill to make it a bit easier and then add your manual character at the end. It's a cool little hack!

@freewilly8557

7 ай бұрын

Partially storing your password and not auto filling is good advice if you use a password manager. This content creator is just advertising. His videos just explain how convenient it is to use password managers. There are always dangerous exposures if you store your passwords anywhere. The different password managers just have varying amounts of risk. Your practice of storing a partial password and adding something you remember is the best practice which ensures that your full password is never available anywhere.

@xileets

Ай бұрын

So It's like salting the data? Interesting. How much salt do you add? Is it a nonsense string? There is also always the possibility that a password is stored in a server as plain text instead of as the hashed value.

@manny7886

Ай бұрын

@@xileets - It's up to you how many character(s) you want to add. In my case I add my driver license number.

At least nothing crucial. Thank you for keeping us in the loop!

@teachmecyber

Жыл бұрын

An edge case that hopefully stays minimal! Hopefully this gets Bitwarden to push a fix as well to close this out.

I never use autofill anyway it doesn't work very well in the first place. Great video btw, lots of info condensed into a highly digestible video - love it thanks!

@teachmecyber

8 ай бұрын

I've found your mileage can vary with auto fill depending on your setup and the password manager. It's gotten better but some apps or sites can be troublesome. Thanks for the feedback!

Thanks for the edumucation anyway!

@teachmecyber

5 ай бұрын

Always good to be aware of the risks!

Am I able to add an extension with my Safari browser?

Hey is there maybe a plan for making a Q&A format?

@teachmecyber

Жыл бұрын

What would you like to see for it?

Which password manager do you recommend among these 4 in your free plan? I am between Bitwarden, Dashlane, Nordpass or Protonpass. thanks

@teachmecyber

10 ай бұрын

I would go for Bitwarden or Dashlane. I value firms that focus on their key products.

@Tech-geeky

10 ай бұрын

Don't go for Lastpass, like me.. I gather BitWarden doesn't have "monitoring of dark web" and other features you get with Lastpass Premium. but that would be "user chose to gave it up" type thing anyway before a attack happened.

@BooleanDev

8 ай бұрын

bitwarden or KeePassX, dont use anything from Nord

I don't get this. If I was on the proper website, it would not have a malicious on it. If I was on a fake site, it will not autofill.

Heyy i need your help i broke my phone and lost all contacts and my master password as well for bitwarden how do i recover my bitwarden back

@teachmecyber

7 ай бұрын

Check out this link. Your options might be limited here depending how you set it up. bitwarden.com/help/forgot-master-password/

sweet!

@teachmecyber

9 ай бұрын

Thanks for watching!

So it is just when BW. autofill's on page load that is the problem? Once the page loads isn't the malicious still on the page what happens when I manually click autofill?

@teachmecyber

Жыл бұрын

Well the good news is that Bitwarden fixed the flaw, so it won't happen automatically now when autofill is enabled. When you are using the manual autofill, BW will warn you if there is an untrusted that would get filled.

@craigmonty

10 ай бұрын

@@teachmecyber So should we still disable auto-fill? Or is it ok to use now?

@user-zk3rc1po2v

10 ай бұрын

@@teachmecyber please answer So should we still disable auto-fill? Or is it ok to use now?

@teachmecyber

10 ай бұрын

All good to use now!

@tiagolima3241

9 ай бұрын

@@teachmecyber I from Brasil. Gostei do seu vídeo. Agora fiquei com medo de usar. Isso vale pra qqr navegador? Existe algum ajuste que não carregue esse ?

So just dont use the browser extension and youre good! Esay!

Bitwarden a year ago didn't have that auto-fill or prompt-to-fill or select to fill feature ...that was why I went to another vendor! Not sure how much improvement Bitwarden has now ,,,but it seems to slack behind other vendor!

@teachmecyber

6 ай бұрын

It's a bit like the Android vs Apple argument. Other password managers have a more streamlined interface and are easier to use but don't have as much customization, like Apple. Bitwarden isn't the best looking but it has most of the features and a lot more customization.

EVERY bit of convenience other than memory in your brain is a *potential* security vulnerability. (Even your memory is a liability, for example, I'm presently working on developing security practices for older people who have memory issues.)

I guess it's not yet a life threatening procedure 😂

@teachmecyber

Жыл бұрын

Thankfully this is a minor issue and one that has since been patched!

@fearless6947

Жыл бұрын

@@teachmecyber so now I don't need to check, if it's unchecked?

@teachmecyber

Жыл бұрын

Correct, it will be off by default and Bitwarden fixed the underlying issue

@fearless6947

Жыл бұрын

@@teachmecyber thanks :) I appreciate your reply

😆 Apple iFrame... Watch this space.... ..... Arn't all online password managers at "risk" then ? Lastpass has auto-fill has well, but as least we know now *why* its disabled by default. Since its disabled anyway, and the number of sites is 'low' for this risk, perhaps the option shouldn't be there at all. Stop that at its source. :) what would be the legit reason for this low risk exploit?

@teachmecyber

10 ай бұрын

I see it as an oversight in the code. They didn't account for different s they could be sitting on the main web page. This has been fixed now thankfully!

I’ll just copy/paste.

@teachmecyber

Жыл бұрын

That's a tried and true method. One benefit of the autofill (with user interaction) is that it can help you detect phishing sites. If you click on a link and it prompts for a login, your password manager will look for the URL. If it's not something it recognizes, there's no password to put in.

@Tech-geeky

10 ай бұрын

I just drag'n'drop .... Doesn't go to clipboard that way

@teachmecyber

10 ай бұрын

That's a good approach.

Booo, this is not fixing the root cause

@teachmecyber

2 ай бұрын

They recently released a full fix for this

This is the end of bitwarden for me