
bitwarden / server


The core infrastructure backend (API, database, Docker, etc).

Home Page: https://bitwarden.com

License: Other

Languages: C# 78.63%, JavaScript 0.15%, HTML 1.81%, CSS 0.03%, PowerShell 0.12%, Shell 0.47%, Dockerfile 0.08%, TSQL 16.42%, SCSS 0.04%, Handlebars 2.26%, Smalltalk 0.01%
Topics: aspnetcore, aspnet, sql-server, api, sql, csharp, bitwarden, dotnet-core, dotnet, docker

server's Introduction

Bitwarden



The Bitwarden Server project contains the APIs, database, and other core infrastructure items needed for the "backend" of all bitwarden client applications.

The server project is written in C# using .NET Core with ASP.NET Core. The database is written in T-SQL/SQL Server. The codebase can be developed, built, run, and deployed cross-platform on Windows, macOS, and Linux distributions.

Developer Documentation

Please refer to the Server Setup Guide in the Contributing Documentation for build instructions, recommended tooling, code style tips, and lots of other great information to get you started.

Deploy


You can deploy Bitwarden using Docker containers on Windows, macOS, and Linux distributions. Use the provided PowerShell and Bash scripts to get started quickly. Find all of the Bitwarden images on Docker Hub.

Full documentation for deploying Bitwarden with Docker can be found in our help center at: https://help.bitwarden.com/article/install-on-premise/

Requirements

These dependencies are free to use.

Linux & macOS

curl -s -L -o bitwarden.sh \
    "https://func.bitwarden.com/api/dl/?app=self-host&platform=linux" \
    && chmod +x bitwarden.sh
./bitwarden.sh install
./bitwarden.sh start

Windows

Invoke-RestMethod -OutFile bitwarden.ps1 `
    -Uri "https://func.bitwarden.com/api/dl/?app=self-host&platform=windows"
.\bitwarden.ps1 -install
.\bitwarden.ps1 -start

We're Hiring!

Interested in contributing in a big way? Consider joining our team! We're hiring for many positions. Please take a look at our Careers page to see what opportunities are currently open as well as what it's like to work at Bitwarden.

Contribute

Code contributions are welcome! Please commit any pull requests against the main branch. Learn more about how to contribute by reading the Contributing Guidelines. Check out the Contributing Documentation for how to get started with your first contribution.

Security audits and feedback are welcome. Please open an issue or email us privately if the report is sensitive in nature. You can read our security policy in the SECURITY.md file. We also run a program on HackerOne.

No grant of any rights in the trademarks, service marks, or logos of Bitwarden is made (except as may be necessary to comply with the notice requirements as applicable), and use of any Bitwarden trademarks must comply with Bitwarden Trademark Guidelines.

Dotnet-format

Consider installing our git pre-commit hook for automatic formatting.

git config --local core.hooksPath .git-hooks

server's People

Contributors

addisonbeck, amorask-bitwarden, coltonhurst, coroiu, cscharf, cturnbull-bitwarden, cyprain-okeke, djsmith85, eeebru, eliykat, gbubemismith, github-actions[bot], hinton, jlf0dev, joseph-flinn, justindbaur, kspearrin, mart124, mgibson1, michalchecinski, mimartin12, mpbw2, r-tome, renovate[bot], shane-melton, thomas-avery, trmartin4, vgrassia, vincentsalucci, withinfocus


server's Issues

[new feature] stateless password generation

The other password system I love is Master Password. A stateless password system is definitely my favourite (I enjoy the absolute confidence that I can NEVER lose my passwords). Unfortunately there are always going to be passwords that cannot be changed, and that need to be remembered, so a stateless system can only really work as part of a more traditional password manager like bitwarden. I would love bitwarden forever/so much if it had the option to generate passwords in this stateless way (using the Master Password algorithm).

Probably not something you'd want to even look at implementing at this stage, but someday, maybe?

Structured Form Fill (Address / Credit Card / etc)

It would be nice to have structured storage for some common form fill situations, such as entering addresses or credit card information.

Contact Info

  • Name
  • Email
  • Address
  • Phone number

Credit Card

  • Name on card
  • Credit card number
  • Expiration date
  • CVV code

mozilla.org and firefox.com should not be equivalent domains

mozilla.org and firefox.com are listed as equivalent domains. However, accounts.firefox.com is used to access Firefox Account (i.e., Sync) credentials, so bitwarden will offer to fill any mozilla.org page with a password that will allow access to all your synced information.

While the root of firefox.com will redirect to mozilla.org, there are no other accounts on firefox.com, so there's no good reason to keep them as equivalent, and doing so risks a user accidentally entering a very important password into the wrong site (or just as bad, encourage them to reuse their Firefox Accounts password on mozilla.org). Users can re-add them if they so choose, but I think that default should be removed.

Licence

Hi thanks for the project it looks interesting but there is no licence file.

move multiple login entries to a folder

Hello,

Currently, in order to move logins to a folder, we have to edit each login entry, select a folder from a drop-down menu, and then save. This is very inefficient when having to move many entries to a folder.

Is there a way to move multiple entries to a folder at the same time?
It would be useful to be able to select entries in the web vault and drag and drop to a folder.

Thank you.

protect users from generating then losing passwords

i'm gonna make a seemingly bold claim:

"every password generated and not stored puts user accounts at risk"

what i mean is this: using the password generator it's easy to generate a password, copy it to the clipboard, set a new password for some account on the web to that generated password, and then lose the password -- it was only ever present in the system clipboard. of course it's a user error, but this is annoying enough that it should be prevented as much as possible from happening.

what makes it worse is that in the 'create new login' panel one can choose to generate a password, but then one has to press the 'save' button to actually save the login with the generated password. this is easy to overlook: copy and paste the generated password, confirm new password on the web page; a new page loads and the bitwarden panel disappears - password lost except in the system clipboard.

i think bitwarden should find a way to avoid these user error traps. for instance, all generated and then clipboard-exported passwords could be saved in a 'password history' just so the user can try out the last ones when he realizes his mistake. this could be a rolling list limited to 100 entries or less.

Import from KeePass

Not sure I'm talking on the right project, but I think it would be great to be able to import a KeePass database.

Audit History

Currently a paid customer and would love to see an audit trail for all entries. Would love to know who changed passwords, when, from > to, etc.

Secure Notes Support

Last pass gives you the ability to store secure notes, useful for things like storing licence keys and other important unstructured information.

.NET Core Runtime

Move to .NET Core runtime for all projects so that the APIs can run cross platform. This will require that library dependencies all support the .NET Standard.

Currently this list includes:

Once these libraries are either 1) replaced with something else that supports the .NET Standard or 2) adopt it themselves, this project can also move to the .NET Standard for .NET Core.

FIDO U2F two factor authentication

I'd love to see FIDO U2F as a method for two factor authentication. Implementation is pretty straightforward, and increases security dramatically.

Add increasing timeouts on login failure

Currently there is about a 2 second timeout on login failure. I'd recommend using an increasing timeout based on IP address that prevents too many failed logins, and requires the user to wait 5 minutes after too many failed attempts. This is an important feature for a site that will host user passwords.
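One way to implement the increasing per-IP wait proposed above, as an added example that is not part of the issue or of Bitwarden's code: the limiter below doubles the wait from the current 2 s with each failure and switches to a flat 5 min lockout once an IP reaches 5 failures (the threshold is an assumption), and a successful login clears the record. The clock is injected so the behaviour can be checked without sleeping.

```go
package main

import (
	"net"
	"sync"
	"time"
)

// Limiter tracks failed logins per source IP and imposes a wait that doubles with
// each failure, starting from 2 s and replaced by a hard 5 min lockout once the
// failure count reaches maxFailures. A successful login clears the entry.
type Limiter struct {
	mu     sync.Mutex
	now    func() time.Time // injectable clock so the behaviour is testable offline
	states map[string]*state
}

type state struct {
	failures int
	until    time.Time // earliest time the next attempt is allowed
}

const (
	baseDelay   = 2 * time.Second
	lockout     = 5 * time.Minute
	maxFailures = 5 // assumption: the issue only says "too many failed attempts"
)

func NewLimiter(now func() time.Time) *Limiter {
	return &Limiter{now: now, states: map[string]*state{}}
}

// key normalises the address so different textual forms of one IP share a bucket.
func key(ip string) string {
	if p := net.ParseIP(ip); p != nil {
		return p.String()
	}
	return ip
}

// Allow reports whether ip may attempt a login now and, if not, how long it must wait.
func (l *Limiter) Allow(ip string) (bool, time.Duration) {
	l.mu.Lock()
	defer l.mu.Unlock()
	s, ok := l.states[key(ip)]
	if !ok || !l.now().Before(s.until) {
		return true, 0
	}
	return false, s.until.Sub(l.now())
}

// Fail records a failed attempt and returns the wait imposed before the next one.
func (l *Limiter) Fail(ip string) time.Duration {
	l.mu.Lock()
	defer l.mu.Unlock()
	s := l.states[key(ip)]
	if s == nil {
		s = &state{}
		l.states[key(ip)] = s
	}
	s.failures++
	wait := lockout
	if s.failures < maxFailures {
		wait = baseDelay << (s.failures - 1) // 2 s, 4 s, 8 s, 16 s, then lockout
	}
	s.until = l.now().Add(wait)
	return wait
}

// Succeed clears the record so a legitimate user is not penalised after one typo.
func (l *Limiter) Succeed(ip string) {
	l.mu.Lock()
	defer l.mu.Unlock()
	delete(l.states, key(ip))
}
```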

Support for other database vendors

Support for MySQL/MariaDB or PostgreSQL would be really beneficial as SQL Server is a bit daunting to get running without a decent amount of capital. Even SQL Express limits the host greatly, and given the project is built against .NET core it will probably hurt deployment to Linux/Mac.

Even SQL Server for Linux is still shaky at the moment.

Deleting accounts with large vault times out with error

Hello, I'm trying to remove my vault data as well and receive an error. It seems to run for a long time @ 1m 40s before displaying the error.

Errors have occured
An unexpected error has occured.

Maybe it's a simple script timeout, due to parsing size limits?

"Delete Account" resulting in unhandled server error

When I try to delete my account using the WebApp, after entering the correct password it takes a few seconds (30 in my case) after which I get an unhandled server error has occured response.

The masterPasswordHash gets sent to https://api.bitwarden.com/accounts/delete via POST, which will then result in a 500 response.

Looks like no data was deleted.

trusted devices

anyone who has the username/password combination gets full control over a vault. it's a little disconcerting that anyone from anywhere can start trying brute force attacks.

would it help security if

  1. any first login from a new device would trigger an automatic email?

  2. or better, designate a 'trust center' device or secret key file which is necessary for adding access from any new device in addition to the master password.
    that way, logins from trusted devices (identified by a stored secret key) would still be fast but the attack surface would be reduced.
    what happens if the trusted key or device is lost? then login with only the master password must still be possible but could be protected with a long waiting time (hours/day?)

  3. maybe simpler, a mandatory long waiting time for first login of each new device.

(sorry if this is naive, not a security expert.
but i remember lastpass having at least email notification)

Equivalent Domains should not be sent/stored as plain text.

Right now the Equivalent Domains is sent from the client and stored on the server in plain text. This should be encrypted on the client the same as passwords/sites.

This isn't a huge security issue, but if the database was compromised then the list of domains would be available from each account. This list of domains would be ones that the user has accounts on creating a privacy issue.

Add Notes Features

It would be a great add-on to provide a notes feature,
where you can enter small text notes and save them to the Vault.
For example, LastPass has this feature under the name Secure Notes.

Security audit

Not sure in which repository this belongs, probably in all of them. Bitwarden should get a security audit to find and squash any security issues that might hide somewhere. Obviously there is the problem of financing, so maybe this can be of help. Doesn't hurt to try it, right?

https://blog.mozilla.org/blog/2016/06/09/help-make-open-source-secure/
https://docs.google.com/forms/d/e/1FAIpQLScLwANEOvLBE6gnFVoiamqHOYzzkaChpdQJ7f0PlZGmfyy94w/viewform
https://wiki.mozilla.org/MOSS/Secure_Open_Source

Emergency Access

Lastpass has a feature that's basically for emergencies, where you can set a timeout and a user to be granted access.

The user then at any time can request access, the owner gets an email. If they don't click reject in the email it opens up access after that time period. Like 48 hours for instance. This is for example useful if you get in a medical accident or die.

It would also be nice to restrict which sites they get access to (all or "selected").

https://helpdesk.lastpass.com/emergency-access/

Password Requirements Validation

New registrations should enforce minimum password rules. This does not appear to be working since it can register a new account with a simple password like "123".

Shared logins no longer appear in Firefox extension

After sharing a few sites, those specific sites no longer appear in the Firefox extension. Both when searching via the vault tab, and when visiting the site and looking at the current tab.

The affected logins are all there when logging into vault.bitwarden.com. They are also present in the Android app. I haven't tested any other apps or extensions.

Subfolders

Something I really miss in bitwarden is that I can't have a folder in a folder.
Maybe an idea to implement?

Store security question answers as well as passwords

I would like to request the feature to store security questions as well as passwords. Many sites I visit now ask for security questions and I can never remember if I used upper case or lower case to answer the security questions. It would be great if Bitwarden could also store the questions and answers even if it didn't fill in the fields with them.

Auto folders when collection shared

When a new collection is shared with a user it would be helpful to have an option as the user or the admin to automatically have the collection added as a folder.

I am looking at this as a new company about to use the product. I am likely to create a number of collections to be shared with the staff. The collections will already be in the groups the users would likely want the passwords managed as folders. As far as I can see, most users, when a list of passwords is first shared with them, never move the logins into folders, as it's too much work when faced with a list of 100+ new logins.

Allow logins from only certain countries

I really like Lastpass' feature to restrict logins to only certain countries on an allowed list.

I see MaxMind free location tables https://www.maxmind.com used a lot for this though I'm sure there are probably others out there.

The only time I allow any other country might be if I'm on vacation and I definitely block all TOR login access.

Argon2 memory-hard key derivation function for master password

One of the limitations of PBKDF2 is that it depends on many iterations of hashing to slow down computation. That isn't as effective a defense against password guessing when you factor in that it is possible for someone to build an ASIC or even a GPU that can try multiple combinations simultaneously. The problem with an ASIC sort of attack is that they don't have that much memory for each combination they could try in parallel. This is why some of the more recent password hashing algorithms -- including the PHC password hashing winner Argon2 -- do not rely only on iterations but also require a good amount of memory for each key derivation. Bottom line: Argon2 is not just CPU-hard, but also memory-hard. This is also true for another popular key derivation function, scrypt, which kind of inspired the idea of having the PHC competition in the first place.

Updates via API, or just general documentation

It would be nice to explain what API that does exist, and how to interact with the encrypted blob that is the user's vault.

My end-goal: Create a cron job with pass-rotate that will change my passwords and update the vault, all automatically. Basically, I want to update my Github/Twitter/Facebook passwords more often, but it'd be nice to have my computer do that for me.

Bulk Share Passwords

I've been trying to share many passwords with a collection. I noticed that the only area that allows doing it is the gear icon next to the password.

2FA Backup Code

Users can sometimes lose their 2FA devices (common case seems to be people reset their phones and lose the 2FA app). Generate a backup code that a user can write down/print and later use in an emergency to disable 2FA on their account.

Multi-domain sites

Some organizations have login credentials that are shared across multiple domains. For example, your apple id can be used to log into apple.com and icloud.com. The autofill services will only recommend logins for a single domain currently. Need to figure out a way to allow multiple domains to be associated with a site.

Add history to all fields

Lastpass stores the previous passwords when one is changed. This is great especially if you accidentally overwrite the previous one or realize you need it.

This is most important for secure notes and the notes section of logins as it's possible for you to accidentally mess them up. This is important because usually they have security questions stored in them.

So an ability to see previous versions of them would be a very good feature.

Add icons for site logins

Websites in both web and mobile should utilize the sites icon in the listing (and edit pages). Just like LastPass has.

Vault Sharing

Add ability for users to share items in their vault through folders and/or individual logins.

Design

password sharing diagram

Flow

  1. User A creates Folder X.
  2. User A decides to share Folder X with User B.
  3. Random symmetric key is generated for Folder X.
  4. Folder X key is encrypted using the public key for User A and User B.
  5. User B logs in and obtains access to Folder X.
  6. User B receives symmetric key B and decrypts with private key.
  7. User B decrypts Folder X data with Folder X symmetric key.
  8. User B adds Login Y to Folder X, encrypts with Folder X symmetric key.
  9. User A can now access and decrypt with symmetric Key A from Folder X.

Comments

  1. Every user has a public and private (asymmetric) key
  2. Every shared folder has a randomly generated symmetric key with a stored copy that is encrypted using the public key of each user that it is shared with.
  3. Every shared folder and its shared data is encrypted/decrypted using the folder symmetric key.
  4. A folder's symmetric key can be re-generated as long as the logins and encrypted keys for each user are re-generated as well. This shouldn't ever really need to happen.
  5. If a user needs to change their master password, their private key will just need to be re-encrypted. There should be no effect on the shared folder data or its keys.

Issues

  1. How will nested folders fit into this sharing scheme? Will all child folders be visible?
  2. How will parent folders be handled when a child folder is shared?
  3. How will individual login shares be handled?
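To make the flow and comments above concrete, here is an added example in Go that is not Bitwarden's code: each member has an RSA key pair (comment 1), the folder key is a random AES-256 key wrapped with RSA-OAEP once per member (step 4, comment 2), and the folder data is encrypted client-side with AES-GCM under that key (comment 3). The names SharedFolder, Share, UnwrapKey, Put and Get and the choice of RSA-OAEP and AES-GCM are assumptions of this sketch, not the project's design.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"io"
)

// SharedFolder is the server-side record: the random folder key wrapped under each
// member's public key (comment 2) plus the folder data encrypted under that key (comment 3).
type SharedFolder struct {
	WrappedKeys map[string][]byte // member name -> RSA-OAEP(folder key)
	Data        []byte            // AES-GCM nonce || ciphertext || tag, or nil when empty
}

func must[T any](v T, err error) T { // panic rather than continue with a bad key or nonce
	if err != nil {
		panic(err)
	}
	return v
}

// NewKeyPair is a member's asymmetric key pair (comment 1); the server holds only the public half.
func NewKeyPair() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }

func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// Share generates the folder key (step 3) and wraps one copy per member (step 4).
func Share(members map[string]*rsa.PublicKey) (*SharedFolder, error) {
	key := make([]byte, 32)
	must(io.ReadFull(rand.Reader, key))
	f := &SharedFolder{WrappedKeys: map[string][]byte{}}
	for name, pub := range members {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
		if err != nil {
			return nil, err
		}
		f.WrappedKeys[name] = w
	}
	return f, nil
}

// UnwrapKey recovers the folder key with a member's private key (step 6); a non-member
// has no wrapped copy, so the ciphertexts the server stores are useless to them.
func (f *SharedFolder) UnwrapKey(name string, priv *rsa.PrivateKey) ([]byte, error) {
	w, ok := f.WrappedKeys[name]
	if !ok {
		return nil, errors.New("not a member of this folder")
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, w, nil)
}

// Put encrypts the folder data client-side under the folder key before upload (step 8).
func (f *SharedFolder) Put(folderKey, plaintext []byte) {
	nonce := make([]byte, 12) // fresh nonce per write; never reuse one with the same key
	must(io.ReadFull(rand.Reader, nonce))
	f.Data = gcm(folderKey).Seal(nonce, nonce, plaintext, nil)
}

// Get decrypts the folder data with the folder key (steps 7 and 9); a wrong key or a
// tampered record fails the GCM tag check instead of yielding garbage.
func (f *SharedFolder) Get(folderKey []byte) ([]byte, error) {
	if len(f.Data) < 12 {
		return nil, errors.New("no folder data")
	}
	return gcm(folderKey).Open(nil, f.Data[:12], f.Data[12:], nil)
}
```

Re-keying the folder (comment 4) is the same loop as Share run again over the current members followed by re-encrypting Data; changing a master password (comment 5) touches neither, since only the user's private key is re-wrapped.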

TOTP Generation support for added sites

I do apologize if there is already a feature request for this, I was not able to find it.

1Password includes TOTP support to generate the TOTP codes right in the App for sites which support TOTP (such as GitHub) so that I can pull both my password and TOTP code right out of the app, can this be added to bitwarden? No selfhosted password managers seem to include this.
