bitwarden / clients

Bitwarden client apps (web, browser extension, desktop, and cli).

Home Page: https://bitwarden.com

License: Other

JavaScript 0.82% HTML 9.89% CSS 0.12% TypeScript 86.17% Swift 0.08% SCSS 1.64% Shell 0.02% Rust 0.32% Batchfile 0.01% PowerShell 0.06% Dockerfile 0.01% NSIS 0.01% MDX 0.86%
webextension javascript bitwarden typescript safari chrome firefox angular browser-extension cli

clients's Introduction

Bitwarden



Bitwarden Client Applications

This repository houses all Bitwarden client applications except the Mobile application.

Please refer to the Clients section of the Contributing Documentation for build instructions, recommended tooling, code style tips, and lots of other great information to get you started.

Related projects:

We're Hiring!

Interested in contributing in a big way? Consider joining our team! We're hiring for many positions. Please take a look at our Careers page to see what opportunities are currently open as well as what it's like to work at Bitwarden.

Contribute

Code contributions are welcome! Please commit any pull requests against the main branch. Learn more about how to contribute by reading the Contributing Guidelines. Check out the Contributing Documentation for how to get started with your first contribution.

Security audits and feedback are welcome. Please open an issue or email us privately if the report is sensitive in nature. You can read our security policy in the SECURITY.md file.

clients's People

Contributors

addisonbeck, aj-rosado, amorask-bitwarden, cagonzalezcs, coroiu, cscharf, differsthecat, djsmith85, eliykat, gbubemismith, github-actions[bot], hinton, jaredsnider-bitwarden, jlf0dev, joseph-flinn, jprusik, justindbaur, kspearrin, mgibson1, michalchecinski, mimartin12, patrickhlauke, r-tome, renovate[bot], rr-bw, shane-melton, trmartin4, vgrassia, vincentsalucci, willmartian


clients's Issues

Keyboard Commands (hotkeys)

Either I missed it or the current state of completion in chrome extension is only through mouse based interaction.
I do not think I am the only one thinking that keyboard based interaction would be nice too.

Generate Password Context Menu Option

Add a new option to the context menu that will copy a new generated password to the clipboard using whatever password generation settings are currently configured.

BSD/MIT License?

Hi,

What are your future plans with Bitwarden? Are you planning to turn it into a company?

If not, would you consider relicencing (or dual licencing) with a BSD/MIT style licence? The reason I ask this at this moment is that it is easiest to do this before any other contributors get involved.

Overlay Popup

Implement an overlay popup content script that will assist with autofilling in-line within the website. The popup will overlay the website using shadow-DOM techniques. The overlay will be opened by clicking an icon that is presented with login form fields on the page.

Encryption Key Storage

bitwarden never sends unencrypted data to the server. All data is kept on the client machine and decrypted during runtime using the master password as the key. For the browser extension, all vault data is stored using the chrome.storage API. All sites and folders are stored in their encrypted form in chrome.storage. chrome.storage is considered an unprotected data storage medium since it's just plainly on the client disk. The chrome.* API for web extensions does not provide a secure way to store data (for example, like the iOS Keychain).

Currently the browser extension also stores the encryption key in chrome.storage. This could be considered a security issue since anyone with access to the client machine could access it. I see no other alternative to securely store this data.

One option would be not to store the key at all, keeping it only in memory, however, that would require the user to re-enter their master password every time their browser was restarted. Although this could be made an option for more security aware individuals, this does not seem to be feasible from a normal user experience.

From what I can tell, this is an issue with any web extension. It is also an issue with the default password storage that browsers like Chrome and Firefox do out of the box. The consensus seems to be that if the nature of your extension is to store sensitive information on the client, then users need to be taking proper security measures to keep their machines safe (locked with password, anti-virus, etc).

Other options? Suggestions? Comments?

Auto populate?

Am I mistaken or is bitwarden supposed to auto populate the user/password fields? For example, I just went to the github login page. Bitwarden Chrome extension recognized that it knows the user/password but doesn't populate it until I manually select it from the Bitwarden dropdown menu.

Display warning when password autofill is longer than maxlength

When an <input type="password"> has a maxlength property, BitWarden will happily autofill into it, silently cutting off any characters that don't fit. This can cause problems if, for example, the user autofills a 64-character generated password when signing up for a site with maxlength=32; if the site ever decides to raise the maximum length, the user will suddenly find themselves unable to log in.
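The check this issue asks for, as an added example that is not part of the original issue and is not Bitwarden code: before filling, compare each value's length with the target field's limit and return a warning instead of a fill when it would not fit. The `role` property, the field objects and the sample login are constructed for illustration; `maxLength` mirrors the DOM property, which is -1 when no maxlength attribute is set.

```javascript
// Added example (not Bitwarden code): decide per field whether a stored value
// fits before anything is written into the page.

// Returns the field's limit in UTF-16 code units, or Infinity when unlimited.
// The DOM reports -1 for "no maxlength attribute".
function maxLengthOf(field) {
  const n = Number(field.maxLength);
  return Number.isInteger(n) && n >= 0 ? n : Infinity;
}

// Builds a fill plan. Nothing is filled here; the caller fills only entries
// whose action is "fill" and surfaces the "warn" entries to the user.
// `role` is a hypothetical label ("username" / "password") assigned by the
// form-detection step.
function planAutofill(fields, credentials) {
  return fields.map((field) => {
    const value = credentials[field.role];
    if (value === undefined) {
      return { name: field.name, action: "skip", reason: "no value for role" };
    }
    const limit = maxLengthOf(field);
    // maxlength is measured in UTF-16 code units, which is what
    // String.prototype.length reports (an emoji counts as 2).
    if (value.length > limit) {
      return {
        name: field.name,
        action: "warn",
        reason: `value is ${value.length} code units, field allows ${limit}`,
        lost: value.length - limit,
      };
    }
    return { name: field.name, action: "fill", value };
  });
}

// Constructed sample: the sign-up case from the issue, a 64-character
// generated password and a password field with maxlength=32.
const sampleFields = [
  { name: "email", role: "username", maxLength: -1 },
  { name: "pass", role: "password", maxLength: 32 },
];
const sampleLogin = {
  username: "user@example.test",
  password: "x".repeat(64),
};

function demo() {
  return planAutofill(sampleFields, sampleLogin);
}

console.log(demo());
```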

Save password banner is flickering

I'm using Bitwarden extension (1.8.2) under Vivaldi 1.7.735.11 (Build officiel) (64 bits)

Each time I have the top banner about saving a new password, that Bitwarden banner is "flickering" (appearing / disappearing very quickly over and over). I can't even close the banner with the close button on the right, I have to close the tab (CTRL-W), disable Bitwarden extension, and then reopen it again.

Any idea about that behavior? (haven't found anything related)

Secure Notes

LastPass has a 'Secure Notes' feature which is basically a password entry with no username/password/url associated with it.

It would be nice to see a differentiation between standard username/password combinations and 'Secure Notes' which are typically longer and might contain line breaks etc.

New Site Notifications

Detect when a form on a website is submitted. If it is determined to be a registration form or a new login that does not yet exist in the vault, overlay a notification at the top of the page asking the users if they would like to automatically save the information submitted into their vault. This will allow users to more quickly add new sites into the vault without having to open the browser action popup for the current tab.

Autofill does not work properly on some sites

Reports from reddit user Landy22:

  • icloud.com -- unable to auto-fill username
    • iframe login form
  • Fiverr.com -- unable to auto-fill password and username
    • Fixed
  • mint.com -- unable to auto-fill password and username
    • Fixed
  • stackexchange.com -- unable to auto-fill password and username
    • iframe login form

Optimizations for large vaults

There are users that use bitwarden with a vault of several thousand logins. The current implementation is not meant to handle vaults of this size. Improvements need to be made to introduce a UI that will work for larger vaults:

Detect when a user has a large vault and change the UI flow of the "My Vault" page to the following:

  • Instead of listing all sites that are grouped by folder, only display a list of folders.
  • When a folder is selected, display a new list that lists all sites in that folder.
  • Paginate this list with infinite scrolling.
  • Searching from the main list of folders should search all sites from all folders.
  • Searching from a listing for a specific folder should only search from within that folder.

Callback Hell to Promises

Find many code samples like that:
Callback Hell

What about rewriting things like that to Promises?

Angular has its own promise functionality: $q, so there is no big problem to create clean and understandable code.

Subdomain support

Hello,
Love Bitwarden and have swapped to it from Lastpass. I noticed that there is no support for separating sites based on the full domain. Bitwarden detects tech.example.com and forms.example.com to be the same site and offers both sets of logins for both sites. If a user could setup a URL rule to prevent this, that would be great.

Import from LastPass has incorrect passwords

When importing from lastpass a few of my passwords were imported incorrectly. The passwords that are incorrect contained & which I am assuming the lastpass export converted to &amp; which was imported as is to bitwarden. Replacing the &amp; in bitwarden with & fixes the passwords.

Imports

Add additional password manager options to the import process:

  • 1Password
  • KeePass
  • Dashlane (determined not possible at the moment)
  • Keeper

Disabled Google Analytics Setting

We use google analytics to better learn how the extension is being used by users so that improvements can be made. Some users do not want to be tracked in this way. Add an option in settings to allow a user to opt-out of google analytics.

Safari Extension

Something to look into. Safari has a lot of the same APIs that Chrome offers, they're just named or implemented differently.

https://developer.apple.com/library/content/documentation/UserExperience/Conceptual/SafariExtensionsConversionGuide/Chapters/Chrome.html

The options would be:

  1. We can use if statements to use different APIs by detecting which browser the extension is running on. This is what I've done in my own projects.
  2. Or we can make some sort of polyfill for the chrome.* object and implement Safari APIs that way.

Thoughts?

Firefox Addon Does Not Install - a warning says it may be corrupted

I installed Firefox Developers edition 51.0a2 which allows disabling signature checking with toggling the option 'xpinstall.signatures.required;false'. I thought this may be the issue but no luck. The warning still appears. Thanks for any help and for the remarkably well functioning first release!

The add-on downloaded from this site could not be installed because it appears to be corrupted

Should Chrome extension be aware of two-factor authentication?

I noticed that the Chrome extension does not react to enabling of two-factor authentication. I'm a little bit unsure if it needs to, but anyway here is the procedure I wonder whether is a bug or not:

  1. Login to cloud interface (two factor disabled)
  2. Login with extension to the vault
  3. Enable two-factor auth in the cloud interface

Without forcing the extension to make a re-login there is no awareness of the two-factor auth. If after the mentioned steps 1-3 I edit entries in the vault via the extension interface (i.e. update a password of one site), the modification succeeds perfectly fine.

The question is that after enabling two-factor auth, should one enforce all active connections to re-authenticate or is this legit behavior?

Screenshots

Some screenshots would be nice in the README.

Session Timeout

Allow the user to specify a setting that will automatically log them out of the extension after X minutes. Before this can be implemented, we'll have to implement a way for two-factor cookies to be remembered so that they do not have to go through that process each time.

Another option is to figure out a way for this to just "lock" the session and not really log them out. This may be difficult to do securely on a web extension (as opposed to the mobile apps which just present a modal overlay).

Site Search

Use site search index to assist with adding new sites. This will assist users with pre-filling a proper URI for the site.

Chrome extension does not fetch updated passwords from the vault

I just installed the latest extension to my latest Chrome, and noticed an issue with password updates. The procedure I did was this:

  1. Create a login/password pair in the cloud interface for a new site
  2. Install extension and login to bitwarden
  3. Use extension to retrieve password for the test site -> this works
  4. Update password of the site via cloud interface
  5. The extension seems to never get the update and proposes the old password all the time.
  6. (did 30 minutes of waiting if the password updated, but no)

Page refresh does not help. Chrome restart does not help. Uninstalling the extension and reinstalling it works.

As a side remark, the android app sees the updated password immediately so this smells like the extension has the issue.

Form fill profiles

LastPass has the ability to store form fill profiles. I can create profiles which I use to fill out forms on new signups, etc

Dependency injection

Angular has some special rules about Dependency Injection: DI

It's needed for requireJS or any other js minifier, because without it gulp can't minify code correctly and all functionality just doesn't work.

I believe that production code must be combined and minified, and the right DI can help to do it for the project.

Firefox Status

The Firefox extension was submitted to Mozilla on Sept 23rd and is currently in review. It seems that the review process for Firefox is a much longer wait time (compared to Chrome, which is nearly instant) since they rely on volunteers for this code review process. There is an indicator on their developer site that shows what position you are in line for review. We started on Sept 23rd @ queue position 111 of 111. I will follow up in this thread with the status.

https://addons.mozilla.org/en-US/firefox/addon/bitwarden-password-manager/

Lastpass not importing & properly

Everything imported from Lastpass just fine, other than the & character. This was imported (in all cases) as &amp;

Using the chrome extension from the extension store.

Thanks!

Support for IP addresses

The vault assumes everything will be a website link, but it doesn't have to be.

When adding any other kind of link, it tries to guess what the domain is. This gets particularly tedious with IP addresses. When it's an SSH link (totally made up by using the ssh://) it only shows the last 2 segments.

For example:
ssh://192.168.1.100 shows as 1.100

This results in having to click edit to see what the IP address needs to be.
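The two matching problems reported in "Subdomain support" and in this issue, as an added example that is not part of either issue and is not Bitwarden code: a match key that can compare by full host or by base domain, and that never shortens an IP literal. The function names and the `mode` values are hypothetical, and the "last two labels" rule is a stated simplification standing in for a Public Suffix List lookup.

```javascript
// Added example (not Bitwarden code): derive the key used to decide whether a
// saved URI belongs to the page being visited.

const IPV4 =
  /^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$/;

// Lower-cased host of a URI, or null when the string is not a parseable URI.
function hostOf(uri) {
  try {
    return new URL(uri).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// IPv4 dotted quad, or an IPv6 literal (URL.hostname keeps the brackets).
function isIpLiteral(host) {
  return IPV4.test(host) || (host.startsWith("[") && host.endsWith("]"));
}

// ASSUMPTION: taking the last two labels is a simplification. It is wrong for
// suffixes such as co.uk; a real implementation needs the Public Suffix List.
// IP literals and single-label hosts are returned whole, so 192.168.1.100
// never collapses to "1.100".
function baseDomain(host) {
  if (isIpLiteral(host) || !host.includes(".")) return host;
  return host.split(".").slice(-2).join(".");
}

// mode "host": tech.example.com and forms.example.com are different sites.
// mode "baseDomain": both map to example.com and share logins.
function matchKey(uri, mode) {
  const host = hostOf(uri);
  if (host === null) return null;
  return mode === "host" ? host : baseDomain(host);
}

// Unparseable URIs never match anything.
function matches(savedUri, pageUri, mode) {
  const a = matchKey(savedUri, mode);
  const b = matchKey(pageUri, mode);
  return a !== null && a === b;
}

// Constructed samples taken from the hosts named in the two issues.
console.log(matchKey("ssh://192.168.1.100", "baseDomain"));
console.log(matches("https://tech.example.com/", "https://forms.example.com/", "host"));
console.log(matches("https://tech.example.com/", "https://forms.example.com/", "baseDomain"));
```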


Bitwarden gets confused over fields on AWS login

Logging into an AWS account can involve both an account and username field entry. One account can have many usernames.

Actual Behaviour
Bitwarden reads the "account" field as the one into which the saved username should be injected on auto-fill.

Expected Behaviour
The saved username is inserted into the correct field (either leaving the "account" field blank, or filling it with the originally entered value).

Unable to install extension in FF developer edition - "appears corrupt"

I'm using the latest version of Firefox developer edition as of writing (51.0a2), 32-bit, with xpinstall.signatures.required set to true. I'm unable to install the addon either directly from addons.mozilla.org or from my local drive after saving it, with the message that it "appears to be corrupt."

screenshot

Create new folders inline while add/edit login

If you want to place a login in a folder, you go to "Edit login" and select the folder. However, if the folder does not exist, you are forced to go all the way back to Settings > Manage Folders, create the folder, and then return to the Edit Login menu. It would make sense (especially for new users, who probably do not yet have a lot of folders) to give the ability to create a folder directly from the "Edit login" menu.

Autofill Hotkey

Add a hotkey to autofill username/password for a website so that a user does not have to open the browser action popup to select.

If no site is available in the vault, do nothing.

  • Ideally we would show a notification error of some sort but this is not available at the moment.

If multiple sites are available, just pick the first one.

  • Ideally we would use the most recently used, but we would need to start tracking dates for sites that are autofilled which is not currently available.

Thoughts on the hotkey combination to use?

Would it be possible to change the server address in settings.

Given that this is open source the ability for individuals or small companies to run a private install of the server software would be appreciated. From what I can see this should just require setting the API url from settings instead of the hardcoded api.bitwarden.com. I am happy to help out with this work if you would want to support this.

Requests: key stretching: document PBKDF2 rounds + ability to control rounds by user-setting

First, kudos to Kyle (main & original author) for this project.
A high-quality, nicely implemented open source password manager is very welcome news.
This project looks very promising for replacing the proprietary and less transparent incumbents given additional time and effort.

LastPass allows the user to change the default number of rounds in PBKDF2 (their default is 5000). Faster hardware has made an increased number of rounds a necessity over time.

  • The FAQ should include the default number of rounds used.
  • End users should be able to change this value (computation is done locally on the client anyway).
  • Should consider additional (user-selectable) open-source, key-stretching schemes such as Argon2. See alternatives listed in wikipedia.

Two Factor Authentication

Upon auto logout you're only asked for the master password to log back in when Two Factor is enabled.

If you manually logout then you're asked for the master password and authentication token.

This seems broken, it should ask for both if I'm asking it to automatically log out.

Hotkey doesn't work

Hey. It's strange, cuz ctrl+shift+y worked fine until I clicked the "update extensions now" button. Arch Linux, Chromium. Did not notice if it actually updated or what's going on. Here are the errors I've been able to pick up. All other functions seem to work fine.

image

And errors from the console (extension console as I understand):

image

same in text format, if someone's googling this:

_generated_background_page.html:1 Unchecked runtime.lastError while running contextMenus.create: Cannot create item with duplicate id autofill_noop
    at loadContextMenuOptions (chrome-extension://nngceckbapebfimnlniiiahkandclblb/background.js:359:29)
    at loadNoSitesContextMenuOptions (chrome-extension://nngceckbapebfimnlniiiahkandclblb/background.js:354:5)
    at chrome-extension://nngceckbapebfimnlniiiahkandclblb/background.js:216:9
    at _rejected (chrome-extension://nngceckbapebfimnlniiiahkandclblb/lib/q/q.js:844:24)
    at chrome-extension://nngceckbapebfimnlniiiahkandclblb/lib/q/q.js:870:30
_generated_background_page.html:1 Unchecked runtime.lastError while running contextMenus.create: Cannot create item with duplicate id copy-username_noop
    at loadContextMenuOptions (chrome-extension://nngceckbapebfimnlniiiahkandclblb/background.js:369:29)
    at loadNoSitesContextMenuOptions (chrome-extension://nngceckbapebfimnlniiiahkandclblb/background.js:354:5)
    at chrome-extension://nngceckbapebfimnlniiiahkandclblb/background.js:216:9
    at _rejected (chrome-extension://nngceckbapebfimnlniiiahkandclblb/lib/q/q.js:844:24)
    at chrome-extension://nngceckbapebfimnlniiiahkandclblb/lib/q/q.js:870:30
_generated_background_page.html:1 Unchecked runtime.lastError while running contextMenus.create: Cannot create item with duplicate id copy-password_noop
    at loadContextMenuOptions (chrome-extension://nngceckbapebfimnlniiiahkandclblb/background.js:379:29)
    at loadNoSitesContextMenuOptions (chrome-extension://nngceckbapebfimnlniiiahkandclblb/background.js:354:5)
    at chrome-extension://nngceckbapebfimnlniiiahkandclblb/background.js:216:9
    at _rejected (chrome-extension://nngceckbapebfimnlniiiahkandclblb/lib/q/q.js:844:24)
    at chrome-extension://nngceckbapebfimnlniiiahkandclblb/lib/q/q.js:870:30

browser vault auto-logout?

there is an auto-lock feature for the browser plugin, but there doesn't seem to be an idle timeout when accessing the web vault. is that a bug or by design?
