Bitwarden, the popular cybersecurity company, is introducing a new security feature for its open-source password manager. Namely, the auto-fill feature will be getting advanced anti-phishing protection.
The new feature fixes a major security concern that security analysts first pointed out with traditional auto-filling methods a year ago. When credentials were filled into a website automatically, hackers could take advantage of backend vulnerabilities to steal your credentials.
By injecting rogue iframes into legitimate websites, hackers could take advantage of password managers’ auto-fill features that automatically pasted login credentials into fraudulent fields.
Bitwarden initially released a band-aid fix. They kept the service online for those who relied on it but turned it off by default. Anyone who attempted to turn it on would be met with a warning, making sure they knew the risk. Now, they’re addressing the problem in full with two major changes.
Passwords will no longer automatically fill into a website login field unless you click on the field first. Just remember that if the website is fraudulent, you should never attempt to log in. No technology can save us from forcing our way into a mistake.
You can also password-protect your login information. This simply means you’d use a master password anytime you try using your password manager auto-fill feature. This is a cumbersome feature for some users, but you also have the option to toggle it off.
Bitwarden also introduced comprehensive URL matching.
“Bitwarden users can also set specific URL requirements that will determine when a login will be offered for auto-fill. This ensures sensitive information is only shared with trusted websites,” Bitwarden writes in its blog.
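The checks described above (click before fill, no filling into injected frames, per-login URL requirements) can be sketched as one decision function. This is an added example, not Bitwarden's code: the match modes `host`, `startsWith` and `exact`, the field names, and the sample login are assumptions made for illustration.

```javascript
// Added illustration: decide whether a saved login may be offered for auto-fill.
// Match modes and object shapes are hypothetical, not Bitwarden's implementation.

function uriMatches(savedUri, pageUrl, mode) {
  let saved, page;
  try { saved = new URL(savedUri); page = new URL(pageUrl); } catch { return false; }
  switch (mode) {
    case "host":       // same scheme, hostname and port
      return saved.protocol === page.protocol && saved.host === page.host;
    case "startsWith": // page URL must begin with the normalized saved URI
      return page.href.startsWith(saved.href);
    case "exact":      // full URL must be identical
      return page.href === saved.href;
    default:           // unknown mode: fail closed
      return false;
  }
}

// ctx.frameUrl: URL of the frame that holds the login field
// ctx.topUrl: URL of the top-level page the user sees in the address bar
// ctx.userClickedField: true only after an explicit click on the field
function shouldOfferAutofill(login, ctx) {
  let frame, top;
  try { frame = new URL(ctx.frameUrl); top = new URL(ctx.topUrl); }
  catch { return { offer: false, reason: "unparseable URL" }; }

  if (frame.protocol !== "https:") return { offer: false, reason: "not https" };
  if (!ctx.userClickedField) return { offer: false, reason: "no user click" };
  // A field inside a frame from another origin is treated as untrusted.
  if (frame.origin !== top.origin) return { offer: false, reason: "cross-origin frame" };
  if (!uriMatches(login.uri, ctx.frameUrl, login.match)) {
    return { offer: false, reason: "uri mismatch" };
  }
  return { offer: true, reason: "ok" };
}

// Constructed sample data (example.com names are placeholders).
const SAMPLE_LOGIN = { uri: "https://accounts.example.com/login", match: "startsWith" };
const SAMPLE_PAGE = "https://accounts.example.com/login?next=%2F";

console.log(shouldOfferAutofill(SAMPLE_LOGIN,
  { frameUrl: SAMPLE_PAGE, topUrl: SAMPLE_PAGE, userClickedField: true }));
console.log(shouldOfferAutofill(SAMPLE_LOGIN,
  { frameUrl: "https://forms.example.net/login", topUrl: SAMPLE_PAGE, userClickedField: true }));
```

Because the saved URI is normalized before comparison, a lookalike host such as `accounts.example.com.evil.test` fails the `startsWith` mode instead of passing a naive string prefix test.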
Alongside the security features, the auto-fill UI was also updated, streamlining the experience for most users. Now, you’ll be able to select from a menu of relevant login boxes when you go to log in.