Submitted by glawgii t3_ztx9k5 in technology
scruffles360 t1_j1gs5fw wrote
Reply to comment by OppositeCode in The Lastpass hack was worse than the company first reported by glawgii
I presume Bitwarden doesn’t have any browser integration until the user logs in and asks for credentials?
I ask because that’s likely why LastPass doesn’t encrypt URLs. When you go to a site, it knows it has a password and can prompt you to fill it. It’s a compromise in security for the convenience of browser integration. Whether or not it’s a good compromise is debatable but a lot of people are making it sound like laziness or a flaw. It’s most likely a usability choice.
OppositeCode t1_j1gxe32 wrote
Yes, unless you are logged in your vault won't be decrypted. I assume you mean something similar to this? https://bitwarden.com/help/uri-match-detection/ https://bitwarden.com/help/website-icons/
Correct me if I'm wrong, but I assume the website match should be done locally otherwise it would be encrypted. https://bitwarden.com/help/what-encryption-is-used/
Browser extensions are a weak point, but they also prevent everyday people from getting phished: if the domain does not match, you won't be able to fill in your information (since it won't show).
As always, if you don't trust the cloud you can either self-host or use a local password manager.
scruffles360 t1_j1gymq9 wrote
That may be similar. When you go to a login page and LastPass tells you you have 4 accounts on that site, it gets that information using the unencrypted URLs. It doesn’t log you into your vault unless you try to use one of them. (There are settings to leave you logged in, but they discourage that.)
I’m going to have to do some research and see what’s out there.
OppositeCode t1_j1gz5yx wrote
I'm not a developer so it would be your best bet to ask in different subreddits such as r/privacy, r/PrivacyGuides and r/Bitwarden.