5 years after an issue was filed, Bitwarden fixes its browser extension to support private windows in Firefox
Bitwarden has fixed its browser extension to support private window mode in Firefox. This resolves an issue that was first filed in April 2017.
This isn't a deal-breaker for the majority of users, but some people use Private browsing mode to protect their privacy. It can be quite useful for blocking trackers and for preventing cookies from being stored permanently. It is handy for accessing and managing shopping and banking accounts without worrying about cross-site trackers.
Personally, I prefer using a dedicated container per site or genre (shopping, banking, games, etc) in normal browsing mode. That, combined with uBlock Origin, provides solid security and privacy from cross-site trackers. That's a different story, let's focus on Bitwarden.
What was the issue?
Bitwarden's pop-up panel wouldn't work in Firefox private windows. Clicking the password manager's button on the toolbar would display an empty modal, or show an error that it can't work in private mode. The Chrome version of the add-on wasn't impacted by the issue. This meant that users couldn't access their logins, or save new usernames/passwords conveniently, as they could in regular windows.
The founder of Bitwarden pointed the finger of blame at Mozilla, claiming that Firefox did not allow background page communication in private windows, and that this was preventing the add-on from functioning in said mode. The password manager's pop-up panel is unlocked in a normal, non-private window, and its contents weren't accessible in a private window.
Interestingly, the context menu works perfectly in private mode, and so does the hotkey Ctrl + Shift + L. The problem here is that you need to have unlocked the password manager in a normal Firefox window, and switch to the private window in order to access these other options.
So, it is Mozilla's fault, or is it? Take LastPass for example, or any other password manager extension. Most, if not all of these add-ons, support Firefox's Private mode. How is that possible if there are restrictions in place?
A member of the Bitwarden team recently mentioned that Bitwarden's extension would be reworked in order to support Manifest v3. His statement explains that other password managers had been designed in such a way that they could work with the limitations in Firefox, but Bitwarden had to be rewritten to be functional. This refactored version will support Firefox's Private mode as well.
This basically confirms that it was not a problem caused by Mozilla, and that the way Bitwarden's extension was written was indeed the cause of the issue. In other words, they didn't bother to fix the concern.
I'm not saying Bitwarden is a bad product, far from it actually; I respect it for the fact that it is open-source software sans the limitations imposed by the free tiers of its rivals. But the miscommunication from the company isn't doing them any favors; this is what people call a lack of transparency. They should have, at the very least, acknowledged the issue, and worked on resolving it, instead of blaming others. As a company that offers premium services, it is the only acceptable approach in customer support, otherwise customers are going to take their business elsewhere. Bitwarden has promised to keep its community up-to-date on the developments, by hiring a platform and community product manager. It seems like they learned their lesson, which is welcome news.
Bitwarden fixes its browser extension to support Firefox private windows
Bitwarden has managed to find a solution for supporting Private mode in Firefox.
The fix is not available for users in the current version of the add-on, v1.56.6. According to a commit made at the password manager's GitHub, the workaround for private mode is currently being tested; it is expected to be made available in a future update scheduled to roll out in March.
Limitations in Bitwarden's support for Private Browsing in Firefox
While the workaround is welcome news, it is not without limitations. You need to unlock the vault every time you click the pop-up in private mode. Enabling the add-on's sidebar circumvents this restriction.
To use PIN unlock, you will need to disable the "Lock with master password on browser restart" option from the settings. As I mentioned earlier, the autofill and right-click menus can be accessed in private mode, but only if you have unlocked the vault in a regular browser window. The extension's icon will not update to reflect its status. The Biometric unlock and save password prompt are currently being tested for compatibility issues.
It's good to see that the issue has finally been fixed, even though it took 5 years to arrive at the resolution.
I'd rather use an offline method like KeePass.
I completely agree with the words of @Ashwin at the end of the article. Indeed imho it is not safe to store passwords around the web and also it’s a bad idea to store them on one’s own computer. Thanks @Ashwin for the good article! :]
@John G
hahahaha your comment is so full of ignorance… why is it “unsafe” to store passwords? You don’t even know that passwords are supposed to get encrypted per device. Chromium does, I don’t know about Firefox. People can’t just get the passwords from your computer unless you are physically using the computer.
Are you going to tell me that it is the Browser’s fault if someone doesn’t have a pin or password in their computer and let anyone use it? In that case, Browsers like Chromium will ask you for authentication if you try to even see a password. But yeah so… insecure……. /s
Insecure maybe because you are ignorant about the technology? I mean, show proof: how many times has Chromium’s encrypted password system been hacked?
The stupid thing about bitwarden is that people trust it more than the browser password manager, when they are literally storing all their passwords in a server they know nothing about, and they have to provide email and whatever else to be able to use those cloud services, even payment information is stored in those servers.
Where do you save your passwords, in your head? you really have 200 different passwords stored in your head? yeah sure.
Keep living in a fantasy land where hackers care about your life and you are apparently the center of the universe and other lifeless people watching anime or porn or stupid netflix in their computer and not using anything but apparently facebook or twitter or whatever. Most people who worry about “password managers” and “privacy” and all that, are a bunch of lifeless clowns who don’t have anything to offer to hackers or governments spy agencies. People live in such a clown world is just funny.
Maybe you would be better not using technology? that will not stop spying or people hacking your credit cards and getting your bank account information or something, which happens and matters if you have $$ in your account (which I doubt you do). But at least you are not saving passwords anywhere.
I used to view my friend’s password with this trick
https://blog.winhost.com/surprise-mozilla-firefox-and-google-chrome-store-passwords-in-plain-text/
Dunno if they changed it or not
@Anonymous
If you have physical access to a machine you can do a lot more than just view passwords.
If a master password was set it would need to be entered before the password database can be viewed.
@Moises
that’s not a trick you * [Editor: removed, please stay polite]
also thank for posting articles from almost 10 years ago
jfc
@McLaugh Duck please, do feel free to store your passwords painted on a wall if you want. I don’t recommend and I won’t ever recommend storing anything on any device or in the cloud. If someone still wanted to proceed to store them in such a way, Keyscrambler is required to block keyloggers. Any other similar software will be useful also. For me the best way to save a password is to write it on paper using some kind of useful basic mental code (i.e., “a” means “u”, “1” means “9” or any other easy system). And I tell you for sure that if some dangerous guys dressed in black and with sunglasses wanted to know your passwords, they will do, of course they will do. By the way, there is no need to insult. :]
Well, this is what happens when a bug is filed with a browser that has the least market share. It gets ignored for years since the impact is minimal compared to bugs affecting other browsers. :(
I don’t use Bitwarden in private window. I do care how its auto-fill function works. With version 1.55.0 it would auto-fill pop up windows such as with Disqus. Now I am forced to go to the Disqus.com, login there, then return to the site I want to comment on. Wastes my time. That auto-fill function was removed or broken. I’m back using Bitwarden 1.55.0.
Indeed some really big changes happened between version 1.55.0 and version 1.56.x.
1.55.0: 4.87 MB
1.56.6: 8.43 MB
It basically doubled in size from one version change!
Also, important note for those who self-host Bitwarden, version 1.54.0 may be the last known good version for now:
https://github.com/bitwarden/browser/issues/2410
The tone of this article is way too negative towards Bitwarden in my opinion.
First, Bitwarden today is still a pretty small company with a free service that’s better than any other password manager. And their Premium tier is amazingly cheap, to the point I just do it to support them and not because I need those features. They were even smaller in 2017.
Second, this is a niche of a niche use-case. Firefox has been losing users left-and-right, and although I still think it’s a good browser I too have left it for other browsers (mainly Vivaldi and Edge). And then you’re only referring to this problem for people who only use Private Mode in Firefox. I can’t really imagine this is a whole lot of people.
Third and closing argument: Bitwarden, its extensions and desktop program are open source. If somebody wanted this problem fixed, they could’ve done it themselves any time in the last 5 years. Further proving that this wasn’t really a noteworthy issue for anyone.
Ergo: This article makes a pretty big deal out of something that really isn’t.
Sorry for being monotonous, but I will never tire stressing this again and again — and then once again: just do _n_o_t_ use any password managers (such as this one) that offer to store your encrypted passwords in the cloud. If you want to use a password manager, then for your own safety use one (such as KeePass) that stores your passwords in an encrypted local file only, and will NOT send those data out into the cloud. Extra tip: if you do have such an encrypted local passwords file, do not forget to disguise it by renaming it to a non-default name and extension.
@Henk
Hear, hear.
Problem is you don’t understand how password managers work so maybe stop wasting your time repeating that people shouldn’t use cloud ones? With a good password manager (which Bitwarden is, same with Keepass) and a strong master password it shouldn’t matter if you save your vault in the cloud or not since it’s impossible to bruteforce it.
And about renaming the local vault – this is a great case of security by obscurity and another example that you should educate yourself first before anyone else.
The Bitwarden password cache is stored locally in encrypted form at rest and therefore is encrypted BEFORE being synced to the remote cloud. Unless the standard encryption being used is fundamentally broken your passwords remain secure.
And using the remote cloud sync is entirely optional. You can roll your own Bitwarden sync server locally on a PC you control (local cloud sync). This option provides all the control and security offered by Keepass while offering convenience Keepass can’t match.
This is incredibly silly.
And then what, only have access to those passwords on that single device that the file is on?
Oh, you can enable access across devices by uploading it to *the cloud*?
The irony.
Not to mention keepass is a desktop program which a) increases the attack surface and b) is a security vulnerability in itself because, unlike Bitwarden and the likes, it cannot utilize the browser sandbox.