bitwarden / clients
Bitwarden client apps (web, browser extension, desktop, and cli).
Home Page: https://bitwarden.com
License: Other
Allow the user to specify a setting that will automatically log them out of the extension after X minutes. Before this can be implemented, we'll have to implement a way for two-factor cookies to be remembered so that they do not have to go through that process each time.
Another option is to figure out a way for this to just "lock" the session and not really log them out. This may be difficult to do securely on a web extension (as opposed to the mobile apps which just present a modal overlay).
First, kudos to Kyle (main & original author) for this project.
A high-quality, nicely implemented open source password manager is very welcome news.
This project looks very promising for replacing the proprietary and less transparent incumbents given additional time and effort.
LastPass allows the user to change the default number of rounds in PBKDF2 (their default is 5000). Faster hardware has made an increased number of rounds a necessity over time.
I installed Firefox Developers edition 51.0a2 which allows disabling signature checking with toggling the option 'xpinstall.signatures.required;false'. I thought this may be the issue but no luck. The warning still appears. Thanks for any help and for the remarkably well functioning first release!
The add-on downloaded from this site could not be installed because it appears to be corrupted
For those interested in helping translate new languages, I have posted on contributing guidelines for this here: https://github.com/bitwarden/browser/blob/master/CONTRIBUTING.md
Something to look into. Safari has a lot of the same APIs that Chrome offers, they're just named or implemented differently.
The options would be:
if statements to use different APIs by detecting which browser the extension is running on. This is what I've done in my own projects.
Thoughts?
Upon auto logout you're only asked for the master password to log back in when Two Factor is enabled.
If you manually logout then you're asked for the master password and authentication token.
This seems broken, it should ask for both if I'm asking it to automatically log out.
Here's the HTML.
view-source_str.html.txt
Add a hotkey to autofill username/password for a website so that a user does not have to open the browser action popup to select.
If no site is available in the vault, do nothing.
If multiple sites are available, just pick the first one.
Thoughts on the hotkey combination to use?
Is it possible to have an option when registering to a new website and therefore generating a password to add website to the vault with login/password?
There is an auto-lock feature for the browser plugin, but there doesn't seem to be an idle timeout when accessing the web vault. Is that a bug or by design?
Some screenshots would be nice in the README.
Hi,
What are your future plans with Bitwarden? Are you planning to turn it into a company?
If not, would you consider relicencing (or dual licencing) with a BSD/MIT style licence? The reason I ask this at this moment is that it is easiest to do this before any other contributors get involved.
LastPass has the ability to store form fill profiles. I can create profiles which I use to fill out forms on new signups, etc
Paypal Checkout popup is ignored? Here's the HTML.
PayPalCheckout.html.txt
Implement an overlay popup content script that will assist with autofilling in-line within the website. The popup will overlay the website using shadow-DOM techniques. The overlay will be opened by clicking an icon that is presented with login form fields on the page.
When an <input type="password"> has a maxlength property, BitWarden will happily autofill into it, silently cutting off any characters that don't fit. This can cause problems if, for example, the user autofills a 64-character generated password when signing up for a site with maxlength=32; if the site ever decides to raise the maximum length, the user will suddenly find themselves unable to log in.
There are users that use bitwarden with a vault of several thousand logins. The current implementation is not meant to handle vaults of this size. Improvements need to be made to introduce a UI that will work for larger vaults:
Detect when a user has a large vault and change the UI flow of the "My Vault" page to the following:
When importing from lastpass a few of my passwords were imported incorrectly. The passwords that are incorrect contained & which I am assuming the lastpass export converted to &amp; which was imported as is to bitwarden. Replacing the &amp; in bitwarden with & fixes the passwords.
Add a new option to the context menu that will copy a new generated password to the clipboard using whatever password generation settings are currently configured.
Use site search index to assist with adding new sites. This will assist users with pre-filling a proper URI for the site.
I'm using Bitwarden extension (1.8.2) under Vivaldi 1.7.735.11 (Build officiel) (64 bits)
Each time I have the top banner about saving a new password, that Bitwarden banner is "flickering" (appearing / disappearing very quickly over and over). I can't even close the banner with the close button on the right, I have to close the tab (CTRL-W), disable Bitwarden extension, and then reopen it again.
Any idea about that behavior? (haven't found anything related)
LastPass has a 'Secure Notes' feature which is basically a password entry with no username/password/url associated with it.
It would be nice to see a differentiation between standard username/password combinations and 'Secure Notes' which are typically longer and might contain line breaks etc.
I just installed the latest extension to my latest Chrome, and noticed an issue with password updates. The procedure I did was this:
Page refresh does not help. Chrome restart does not help. Uninstalling the extension and reinstalling it works.
As a side remark, the android app sees the updated password immediately so this smells like the extension has the issue.
Either I missed it or the current state of completion in chrome extension is only through mouse based interaction.
I do not think I am the only one thinking that keyboard based interaction would be nice too.
it doesn't add to favorites
The vault assumes everything will be a website link, but it doesn't have to be.
When adding any other kind of link, it tries to guess what the domain is. This gets particularly tedious with IP addresses. When it's an SSH link (totally made up by using the ssh://) it only shows the last 2 segments.
For example:
ssh://192.168.1.100 shows as 1.100
This results in having to click edit to see what the IP address needs to be.
Hey. It's strange, cuz ctrl+shift+y worked fine until I clicked the "update extensions now" button. Arch Linux, Chromium. Did not notice if it actually updated or what's going on. Here are the errors I've been able to pick up. All other functions seem to work fine.
And errors from the console (extension console as I understand):
Same in text format, if someone's googling this:
_generated_background_page.html:1 Unchecked runtime.lastError while running contextMenus.create: Cannot create item with duplicate id autofill_noop
at loadContextMenuOptions (chrome-extension://nngceckbapebfimnlniiiahkandclblb/background.js:359:29)
at loadNoSitesContextMenuOptions (chrome-extension://nngceckbapebfimnlniiiahkandclblb/background.js:354:5)
at chrome-extension://nngceckbapebfimnlniiiahkandclblb/background.js:216:9
at _rejected (chrome-extension://nngceckbapebfimnlniiiahkandclblb/lib/q/q.js:844:24)
at chrome-extension://nngceckbapebfimnlniiiahkandclblb/lib/q/q.js:870:30
_generated_background_page.html:1 Unchecked runtime.lastError while running contextMenus.create: Cannot create item with duplicate id copy-username_noop
at loadContextMenuOptions (chrome-extension://nngceckbapebfimnlniiiahkandclblb/background.js:369:29)
at loadNoSitesContextMenuOptions (chrome-extension://nngceckbapebfimnlniiiahkandclblb/background.js:354:5)
at chrome-extension://nngceckbapebfimnlniiiahkandclblb/background.js:216:9
at _rejected (chrome-extension://nngceckbapebfimnlniiiahkandclblb/lib/q/q.js:844:24)
at chrome-extension://nngceckbapebfimnlniiiahkandclblb/lib/q/q.js:870:30
_generated_background_page.html:1 Unchecked runtime.lastError while running contextMenus.create: Cannot create item with duplicate id copy-password_noop
at loadContextMenuOptions (chrome-extension://nngceckbapebfimnlniiiahkandclblb/background.js:379:29)
at loadNoSitesContextMenuOptions (chrome-extension://nngceckbapebfimnlniiiahkandclblb/background.js:354:5)
at chrome-extension://nngceckbapebfimnlniiiahkandclblb/background.js:216:9
at _rejected (chrome-extension://nngceckbapebfimnlniiiahkandclblb/lib/q/q.js:844:24)
at chrome-extension://nngceckbapebfimnlniiiahkandclblb/lib/q/q.js:870:30
I noticed that the Chrome extension does not react to enabling of two-factor authentication. I'm a little bit unsure if it needs to, but anyway here is the procedure I wonder whether is a bug or not:
Without forcing the extension to make a re-login there is no awareness of the two-factor auth. If after the mentioned steps 1-3 I edit entries in the vault via the extension interface (i.e. update a password of one site), the modification succeeds perfectly fine.
The question is that after enabling two-factor auth, should one enforce all active connections to re-authenticate, or is this legit behavior?
bitwarden never sends unencrypted data to the server. All data is kept on the client machine and decrypted during runtime using the master password as the key. For the browser extension, all vault data is stored using the chrome.storage API. All sites and folders are stored in their encrypted form in chrome.storage. chrome.storage is considered an unprotected data storage medium since it's just plainly on the client disk. The chrome.* API for web extensions does not provide a secure way to store data (for example, like the iOS Keychain).
Currently the browser extension also stores the encryption key in chrome.storage. This could be considered a security issue since anyone with access to the client machine could access it. I see no other alternative to securely store this data.
One option would be not to store the key at all, keeping it only in memory, however, that would require the user to re-enter their master password every time their browser was restarted. Although this could be made an option for more security aware individuals, this does not seem to be feasible from a normal user experience.
From what I can tell, this is an issue with any web extension. It is also an issue with the default password storage that browsers like Chrome and Firefox do out of the box. The consensus seems to be that if the nature of your extension is to store sensitive information on the client, then users need to be taking proper security measures to keep their machines safe (locked with password, anti-virus, etc).
Other options? Suggestions? Comments?
Hello,
Love Bitwarden and have swapped to it from Lastpass. I noticed that there is no support for separating sites based on the full domain. Bitwarden detects tech.example.com and forms.example.com to be the same site and offers both sets of logins for both sites. If a user could set up a URL rule to prevent this, that would be great.
Logging into an AWS account can involve both an account and username field entry. One account can have many usernames.
Actual Behaviour
Bitwarden reads the "account" field as the one into which the saved username should be injected on auto-fill.
Expected Behaviour
The saved username is inserted into the correct field (either leaving the "account" field blank, or filling it with the originally entered value).
Reports from reddit user Landy22:
We use google analytics to better learn how the extension is being used by users so that improvements can be made. Some users do not want to be tracked in this way. Add an option in settings to allow a user to opt out of google analytics.
The Firefox extension was submitted to Mozilla on Sept 23rd and is currently in review. It seems that the review process for Firefox is a much longer wait time (compared to Chrome, which is nearly instant) since they rely on volunteers for this code review process. There is an indicator on their developer site that shows what position you are in line for review. We started on Sept 23rd @ queue position 111 of 111. I will follow up in this thread with the status.
https://addons.mozilla.org/en-US/firefox/addon/bitwarden-password-manager/
Given that this is open source the ability for individuals or small companies to run a private install of the server software would be appreciated. From what I can see this should just require setting the API url from settings instead of the hardcoded api.bitwarden.com. I am happy to help out with this work if you would want to support this.
Detect when a form on a website is submitted. If it is determined to be a registration form or a new login that does not yet exist in the vault, overlay a notification at the top of the page asking the users if they would like to automatically save the information submitted into their vault. This will allow users to more quickly add new sites into the vault without having to open the browser action popup for the current tab.
If you want to place a login in a folder, you go to "Edit login" and select the folder. However, if the folder does not exist, you are forced to go all the way back to Settings > Manage Folders, create the folder, and then return to the Edit Login menu. It would make sense (especially for new users, who probably do not yet have a lot of folders) to give the ability to create a folder directly from the "Edit login" menu.
Add additional password manager options to the import process:
According to this comment on an article advocating using bitwarden, google analytics is apparently used to track user activity?
https://medium.com/@chihchun/thanks-for-disclosing-the-issue-of-lastpass-5308ffbd93f#.hn73mdhik
Any thoughts on that? I haven't dug into code myself yet.
Everything imported from Lastpass just fine, other than the & character. This was imported (in all cases) as &amp;
Using the chrome extension from the extension store.
Thanks!
Find many code samples like that:
What about rewriting things like that to Promises?
Angular has its own promise functionality: $q, so there is no big problem to create clean and understandable code.
Am I mistaken or is bitwarden supposed to auto populate the user/password fields? For example, I just went to the github login page. Bitwarden Chrome extension recognized that it knows the user/password but doesn't populate it until I manually select it from the Bitwarden dropdown menu.
Angular has some special rules about Dependency Injection: DI
It's needed for requireJS or any other js minifier, because without it gulp can't minify code correctly and all functionality just doesn't work.
I believe that production code must be combined and minified, and the right DI can help to do it for the project.