Don't manually copy from Bitwarden due to phishing risk. I turn off "autofill on page load." So what I do is simply click in the email/user ID field, then BW almost always provides the correct credential to click. (BW checks to see if the URL you're visiting matches the URL you've defined in your password record in BW.) If you're on Gmail for example then clicking in the user field should provide all your Google accounts to choose from. Answer from petrolly on reddit.com
Reddit
reddit.com › r/bitwarden › is it safe to use autofill?
r/Bitwarden on Reddit: Is it safe to use Autofill?
July 23, 2024

Hello. I've been reading through various threads on this subreddit for a few days now about various aspects of using Bitwarden.

And in one of the threads, I came across a message that using Auto-fill fully is not the most secure method of using the web extension for Bitwarden. Supposedly, some sites can read passwords from Auto-fill (I don't remember the exact wording, sorry if it sounds silly).

In general, I have no problem using the Ctrl+Shift+L combination manually, but on some sites I have several accounts (for example, Google email), and if I completely disable Auto-fill, I will have to manually press the key combination a certain number of times until the desired login/password appears.

But, as I see it, there are several variations of using Auto-fill in Bitwarden:

1. Do not use

2. When field is selected

3. When auto-fill icon is selected

And also a separate option - Auto-fill on page load.

In general, it is very convenient for me to use Auto-fill with the second option “When the field is selected”.

Is there any risk that the site can read/steal/etc. the password when I use Auto-fill in this configuration? Or is it better to manually use Ctrl+Shift+L / copy through a password manager?

Top answer
1 of 4
6
Don't manually copy from Bitwarden due to phishing risk. I turn off "autofill on page load." So what I do is simply click in the email/user ID field, then BW almost always provides the correct credential to click. (BW checks to see if the URL you're visiting matches the URL you've defined in your password record in BW.) If you're on Gmail for example then clicking in the user field should provide all your Google accounts to choose from.
2 of 4
3
In total, the Bitwarden browser extension offers 8 different ways to auto-fill/auto-type your stored credentials (not including copy-and-paste, or drag-and-drop). Auto-fill on page load can be risky if URI matching is not properly configured. I haven't studied the implementation of Bitwarden's inline auto-fill menus, but I believe that they are most likely no less safe than the other auto-filling methods. However, one drawback of the inline menus is that they inject code directly into webpages, which can cause some sites to not work properly. Personally, I prefer the OG keyboard shortcut (Ctrl/Cmd+Shift+L), and don't mind pressing the key combo a few times if I need to cycle through the available credentials. If you prefer a more visual approach for sites that have multiple matching accounts, I would suggest either opening the browser extension window (click the icon at the top of your browser, or use the keyboard shortcut Ctrl/Cmd+Shift+Y), or going to the right-click context menu at Bitwarden > Auto-Fill Login, and then selecting the desired account from the list displayed at one of those two locations. As others have noted, avoid copy/paste if at all possible, because of the security risks inherent in using the system clipboard, and because of the lack of protection against phishing or AiTM attacks. If none of the auto-fill methods work, use the drag-and-drop method to transfer credentials instead of copy-and-paste.
PCWorld
pcworld.com › home › news › security news
Don’t use autofill on your password manager—especially if it’s Bitwarden
April 28, 2025 - Password managers have long offered ... feature carries risk, and for popular service Bitwarden, the danger is high enough that you should avoid autofill all together....
Bitwarden
community.bitwarden.com › ask the community › password manager
Autofill, should we turn it off? - Password Manager - Bitwarden Community Forums
March 17, 2023 - What are your thoughts on the following article from PCWorld, should we all turn off autofill?
BleepingComputer
bleepingcomputer.com › home › news › security › bitwarden’s new auto-fill option adds phishing resistance
Bitwarden’s new auto-fill option adds phishing resistance
February 22, 2024 - Specifically, the following safeguards ... system: Bitwarden will only fill credentials when a user selects a form field, mitigating the risk of automatic credential filling on malicious websites or iframes without user awareness...
Bitwarden
bitwarden.com › help › auto-fill-browser
Autofill From Browser Extensions | Bitwarden
Press Cmd/Ctrl + V to paste the TOTP. ... This feature is disabled by default because, while generally safe, compromised or untrusted websites could take advantage of this to steal credentials.
Bitwarden
bitwarden.com › blog › what is bitwarden autofill and how do you use it?
What is Bitwarden autofill and how do you use it? | Bitwarden
Sure, that might be more steps than you're used to taking, although likely easier than grabbing a notebook or sticky note. Yet the security gained is invaluable. However, it doesn't have to be such a challenge. In fact, Bitwarden includes an autofill feature in both the web browser extension and the mobile app that can help make your life considerably easier.
Digital Trends
digitaltrends.com › home › computing
If you use this password manager, you could be at risk | Digital Trends
March 14, 2023 - In order to keep working on websites that use iframes, Bitwarden has to leave this window of opportunity open for possible phishing and password theft. It’s worth noting that autofill on page load is disabled in Bitwarden by default, and the ...
Reddit
reddit.com › r/bitwarden › you should turn off autofill in your password manager
r/Bitwarden on Reddit: You should turn off autofill in your password manager
May 23, 2021 - ... There's an Autofill setting in Bitwarden on both Chrome and Firefox extensions that's disabled by default, it automatically fills the username and password as soon as the website loads.
Reddit
reddit.com › r/bitwarden › is enable auto-fill on page load a security risk on the chrome extension?
r/Bitwarden on Reddit: Is Enable Auto-fill on Page Load a security risk on the Chrome extension?
February 15, 2021 - This is generally safe, though there is a certain attack that involves adding hidden text boxes into a website that you can't see but end up tricking your password manager into giving that site your login information.
Reddit
reddit.com › r/bitwarden › how do password managers with autofill keep your accounts secure?
r/Bitwarden on Reddit: How do password managers with autofill keep your accounts secure?
May 12, 2024

Hi I'm struggling to understand how password managers like Bitwarden that autofill your passwords keep your accounts secure in the event that someone has access to your physical device. I must be missing something here. Can someone please explain how my accounts are secure considering the following scenario?

  1. I use Bitwarden on Chrome and have a Chrome extension. Bitwarden is set up with Autofill on page load so that when I go to a website that requires me to login the username and password pops up automatically.

  2. I'm using my phone or laptop in a cafe and it's unlocked because I'm physically using it.

  3. Someone unexpectedly steals my phone or laptop whilst it's unlocked.

  4. They are then able to enter any website address they like and if I have an account my details will be autofilled when the page loads. Obviously this would be bad because the thief now has access to my bank accounts.

  5. Furthermore the thief is able to get into my Bitwarden, simply through clicking on the Chrome extension button. This gives them access to everything stored within Bitwarden.

This seems like such a huge risk when using Bitwarden or any other password manager with autofill because as soon as someone has access to your physical device that's unlocked they also have access to your Bitwarden account and any other account you own. Bank accounts, email accounts, you name it the thief now has it. What do password managers do in order to prevent the thief having access to everything in this situation?

I'm clearly missing a lot here with regards to how password managers like Bitwarden are better at keeping people's accounts secure because to me it seems like not using a password manager might be safer. I mean if I don't use a password manager I'm forced to manually enter my account details, which means if someone has access to my unlocked physical device they don't have access to all my accounts. Sure the thief will have my device but at least they don't have access to all my account information if I opt not to use a password manager.

What am I missing? How are password managers like Bitwarden a better option than not using them?

UPDATE: So it turns out I was missing some critical aspects of Bitwarden's use that I wasn't aware of. Thanks to the community I was able to find the settings I was looking for within the chrome extension and I'm now happy with the security it offers. Yes, it's a far better option than not using a password manager at all.

I missed the setting in the chrome extension where it said vault lock was set to lock on browser restart. Since browser restarts rarely happen on my laptop it obviously wasn't safe like that. Now that I've set the vault lock timer to a much shorter duration I can see that things are starting to work as I hoped they would and as the designers of Bitwarden intended. Thumbs up from me!

I also removed the autofill on page load and replaced it with autofill with shortcut hot keys. I also changed the shortcut hot keys to something different and the usual shortcut hot keys lock the vault. I figured if someone random gets access and tries to load a password using the typical hot keys that it adds an extra layer of safety as that will effectively lock the vault if it wasn't locked already.

I'm also going to add some pepper to my most critical passwords and have made my master password plenty strong enough to withstand any brute force attacks.

I'm now confident the hypothetical scenario I mentioned earlier is not as much of a security concern as I first thought. I'll continue to spend more time learning about the functionality within the Bitwarden platform and adjust settings as necessary so that it works in a way that's suitable for my needs. Thanks to everyone who commented. Stay safe!

Reddit
reddit.com › r/bitwarden › is there protection against autofill phising?
r/Bitwarden on Reddit: Is there protection against autofill phishing?
March 14, 2016

I had read an article about autofill phishing recently and realized that the automatic autofill option is dangerous to have enabled for websites. But then I noticed on Facebook's sign in page, it has multiple fields for email and passwords because it has the sign up fields there as well as the sign in one at the top, and no matter which method I use to autofill (keyboard hotkeys, right click in the field, or clicking on the extension icon) with the Firefox extension, it always fills in both sets of fields rather than just the one I intend to. So now I'm concerned that it could also fill in hidden form fields as well. Does Bitwarden have a protection against hidden fields?

Reddit
reddit.com › r/bitwarden › autofill
r/Bitwarden on Reddit: Autofill
March 5, 2023

I currently use LastPass and am considering moving to a self-hosted Bitwarden. One of the things that frustrates me about LastPass is that the autofill is really crappy, on Android and on the web (Chrome). So my question is: how well does Bitwarden's autofill work?

Top answer
1 of 5
29
"am considering moving to a selfhosted bitwarden" Don't do that. Use the Bitwarden hosted service. If you choose a strong unique password, you are not dependent on the quality of Bitwarden's opsec. And they will offer better uptime and security management than you possibly could … unless you have 24×7 staff monitoring your service, responding to intrusion alerts, and curating container patches. "[autofill] on android" This is mainly an Android issue. It's usable, especially on Android 12 or later. But it's nothing to jump up and down about. "and on the web (chrome)." So autofill works completely differently in Bitwarden. The reason LP behaves so badly is they made a bad decision: they MODIFY the rendered page in order to give you those cutesy on-screen menus. And it kinda sorta usually works. But it occasionally effs up, and when it does it is bad: the user deals with a web page that inexplicably just doesn't work. The Bitwarden Way is a keyboard shortcut, usually ctrl-shift-L. This works really well — much better than LastGasp ever did.
2 of 5
5
I have no experience with Android, but on Chrome, my personal experience and my experience helping other users here and on the Community Forum is that auto-fill is maybe 98% reliable if properly configured (the 2% failure rate is caused by website developers who use programming practices that are hostile to password managers). However, if you are not open to learning new workflows and habits, but insist that Bitwarden's autofill workflow must match what you've been used to in LastPass, well, then you may just be destined to join the throngs of ex-LastPass users who are unhappy with Bitwarden's autofill methods. By far the easiest way to auto-fill in Bitwarden is to use the Ctrl+Shift+L keyboard shortcut (unless you decide to go whole hog and enable fully automatic auto-fill "on page load", which would be even easier).
Bitwarden
bitwarden.com › help › auto-fill-android
Autofill From Android App | Bitwarden
If you use Brave or Chrome as your web browser, toggle the Use Brave autofill integration or Use Chrome autofill integration options on to ensure that autofill will work in these browsers. Doing so will take you to that web browser's settings, where you will also need to enable the option to use a third-party service. This is required by Chrome so it can securely use Bitwarden to autofill passwords through its protected autofill system, and requires that Autofill services is enabled in Bitwarden and that the installed Chrome app is at least version 135.
Reddit
reddit.com › r/bitwarden › is it safe to auto fill credit card details?
r/Bitwarden on Reddit: Is it safe to auto fill credit card details?
September 5, 2022 - Auto fill should be safer against phishing attacks, as it is very unlikely that Bitwarden will be fooled by a phishing site (certainly less likely than a person). Though it relies on you to tell it what URLs are safe in the first place.
1Password Community
1password.community › 1password community › discussions › 1password at home
Security Issue with Autofill? | 1Password Community
As far as i would understand the situation with Bitwarden, is that the Browser Extension from Bitwarden will auto-fill Login Credentials without any user interaction if you enable that feature.
Bitwarden
community.bitwarden.com › feature requests › password manager
Option to Autofill Only the Selected Text Box - Password Manager - Bitwarden Community Forums
March 17, 2023 - Feature name Option to Autofill Only the Selected Text Box Feature function Seeing the articles about the iframe Autofill vulnerability got me thinking about any way to avoid having passwords sent where I don’t expect t…
BleepingComputer
bleepingcomputer.com › home › news › security › bitwarden flaw can let hackers steal passwords using iframes
Bitwarden flaw can let hackers steal passwords using iframes
March 17, 2023 - Bitwarden's credentials autofill feature contains a risky behavior that could allow malicious iframes embedded in trusted websites to steal people's credentials and send them to an attacker.
Reddit
reddit.com › r/bitwarden › what is the point of autofill?
r/Bitwarden on Reddit: What is the point of autofill?
February 16, 2024

Just started using Bitwarden due to a few people I know getting their phones stolen unlocked and thieves taking control of all their accounts. If someone stole my phone or laptop, surely they would still have easy access to all my passwords as they will simply autofill on any website they would want to get into...

Am I missing something?

Top answer
1 of 5
31
You should have equally heavy security on your physical devices, like strong passwords, remote wipe, lock, biometric login, etc. Second, the Bitwarden app should also be additionally protected using biometrics so even if they get into your phone, they can’t get into your Bitwarden.
2 of 5
16
"surely they would still have easy access to all my passwords as they will simply autofill on any website they would want to get into..." It's not quite that simple. Nothing about a password manager or autofill relieves you of the responsibility of having good operational security on your device. That means a screen lock, don't let others touch your device, and so forth. And for instance, on my iPhone, I have everything set to lock IMMEDIATELY, so if the thing is out of my hands for even a moment, it automatically locks. You can also set the password manager to ALSO lock, so that you must unlock it as well in order to get autofill services. Finally, autofill is somewhat safer than merely copying passwords out of the vault and pasting them where needed. Not only does the password manager automatically referee and make sure you are not entering credentials into a fraudulent site, it avoids using the system clipboard, which is available to EVERY app running on your computer. Look, it's impossible to remove all risk around your passwords. But if you think through all the alternatives and workflows, I think we can convince you that a password manager (AND autofill) are better than the alternatives.
Reddit
reddit.com › r/bitwarden › autofilling master password: is this safe?
r/Bitwarden on Reddit: Autofilling master password: Is this safe?
January 13, 2024

Hi there! I've stored my Bitwarden login credentials inside of the vault. For additional protection against phishing attacks and protecting against inputting login credentials into a fake website disguised as the official Bitwarden one, would it make sense to only login via the extension and then for the web vault just use Command+Shift+L to log in there? Or is this unsafe somehow?

I also have an emergency sheet, so the login credentials are not only inside vault.

Reddit
reddit.com › r/bitwarden › what are the dangers of autofill on page load? how secure is it compared to the firefox/chrome password manager?
r/Bitwarden on Reddit: What are the dangers of autofill on page load? How secure is it compared to the Firefox/Chrome password manager?
March 10, 2025

In the Bitwarden documentation, there is a prominent warning that "...while generally safe, compromised or untrusted websites could take advantage of this to steal credentials." (https://bitwarden.com/help/auto-fill-browser/#on-page-load)

I also found this article, which explains a possible attack vector that seems to have been addressed: https://www.bleepingcomputer.com/news/security/bitwarden-flaw-can-let-hackers-steal-passwords-using-iframes/

I now have a few open questions that I am not quite able to answer:

  1. What are the actual dangers? The warning makes it seem like if I visit any untrusted site, I run the risk of losing my login credentials if this feature is enabled.

  2. Chrome and Firefox have password managers that also auto-fill on page load. If there really is an attack that allows a bad actor to extract credentials when I visit their untrusted site, wouldn't Chrome and Firefox also have this HUGE problem?