New from Bitwarden: Send

Secure one-to-one information sharing

Bitwarden has been my password manager since 1Password went subscription a few years ago. Don’t get me wrong, I love 1Password, but by comparison it’s pricey. Bitwarden is free to use, with Premium features for $10 a year. The free version will do everything most people need from a password manager.

This week Bitwarden introduced a cool new feature: Send, for secure one-to-one information sharing. “Bitwarden Send is a lightweight utility used to share information with another person for a limited period of time. Bitwarden users can easily transmit a file or text, and rest easy knowing the sent information is protected with end-to-end encryption, and will not live forever. Users choose an expiration date for the Send link, after which it no longer works to access the information.”

“This new feature is available on all Bitwarden clients: Web Vault, mobile, browser extensions, and CLI, meaning users will always have a secure way to share sensitive information temporarily.”

About Send | Bitwarden Help & Support

Create a Send | Bitwarden Help & Support

This isn’t something that I will use all that often but it sure is good to know that Send is there for that rare occasion that I need it.

Did the Bitwarden Safari web extension disappear on your Mac?

Bitwarden Safari extension no longer works with the Bitwarden direct download application

Today I needed to log in to a website, so I opened Safari and went to open the Bitwarden extension and, to my surprise, it wasn’t there. WTF!

Here is what’s up: “Due to changes by Apple, Safari limits Web Extension use to only those obtained through Mac App Store downloads. As of the 2021-03-11 Release, users will not be able to use a Bitwarden Safari Extension obtained through a .dmg installation from bitwarden.com/download or any other non-App Store source.” Safari Web Extension | Bitwarden Help & Support

According to the Bitwarden Support Release Notes, the Safari App Extension has officially been ported to a Web Extension for use with Safari 14. Due to changes to Safari, Web Extension use is now limited to only those obtained through Mac App Store download. Release Notes | Bitwarden Help & Support

I uninstalled the download version of Bitwarden and installed the Mac App Store version, and all is good. A little advance notice on this issue would have been nice.

LastPass Free is changing and users aren’t going to be happy

Here’s what you need to know

LastPass is making some changes to LastPass Free that will most likely piss off users who rely on LastPass as their primary password manager. The big difference is that LastPass Free users will have to choose between mobile or desktop for their unlimited device access, rather than getting unlimited access on both.

Here’s What’s Changing

We’re making changes to how Free users access LastPass across device types. LastPass offers access across two device types – computers (including all browsers running on desktops and laptops) or mobile devices (including mobile phones, smart watches, and tablets). Starting March 16th, 2021, LastPass Free will only include access on unlimited devices of one type.

Also

In addition to this change, as of May 17th, 2021, email support will only be available for Premium and Families customers. LastPass Free users will always have access to our Support Center which has a robust library of self-help resources available 24/7 plus access to our LastPass Community, which is actively monitored by LastPass specialists.

After March 16th, if you want to use LastPass on desktop and mobile you’ll need a Premium account. With this change, you may want to look into a different password manager. Bitwarden offers a Free account that you might want to consider.

Here are the instructions on how to export your vault from LastPass and import it to Bitwarden.

iMessage BlastDoor security

Over the past three years, security researchers and real-world attackers have found iMessage remote code execution (RCE) bugs and abused them to develop exploits that allowed them to take control over an iPhone just by sending a simple text, photo, or video to someone’s device.

As reported January 28, 2021 by ZDNet “With the release of iOS 14 last fall, Apple has added a new security system to iPhones and iPads to protect users against attacks carried out via the iMessage instant messaging client.”

“Named BlastDoor, this new iOS security feature was discovered by Samuel Groß, a security researcher with Project Zero, a Google security team tasked with finding vulnerabilities in commonly-used software.”

“Groß said the new BlastDoor service is a basic sandbox, a type of security service that executes code separately from the rest of the operating system.”

“While iOS ships with multiple sandbox mechanisms, BlastDoor is a new addition that operates only at the level of the iMessage app.”

“Its role is to take incoming messages and unpack and process their content inside a secure and isolated environment, where any malicious code hidden inside a message can’t interact or harm the underlying operating system or retrieve user data.”

Firefox 85 adds supercookie protection. What about Safari?

In technology news today Mozilla announced that it has added built-in protection from supercookies to Firefox 85. “Firefox now protects you from supercookies, a type of tracker that can stay hidden in your browser and track you online, even after you clear cookies,” Mozilla explains in a blog post. “By isolating supercookies, Firefox prevents them from tracking your web browsing from one site to the next.”

With Safari being my main browser and Firefox secondary, I wondered whether Safari might have the same protection from supercookie tracking. To my surprise, it does, and has since 2018.

“Quietly and without fanfare Apple has rolled out a change to its Safari browser that munches one of the web’s most advanced “super cookies” into crumbs.”

Apple burns the HSTS super cookie

WebKit blog: Protecting Against HSTS Abuse

Mac security explained

Great show today on Mac Power Users podcast. David and Stephen go into detail explaining Mac security. I walked away from the show with a better understanding of Mac security and a better feeling about the security built into my Mac. I recommend listening to this episode if you would like a better understanding of Mac security.

Episode #570 Mac Power Users – Security Explained

From the beginning, Mac OS X was designed with security and privacy in mind, but over the years Apple has worked to make both the Mac’s software and hardware even more so. This week, Stephen and David cover what’s what when it comes to Mac security.

Adobe Ends Flash Player Support, Recommends Uninstalling Immediately

Adobe Flash Player has always been a source of malware for Mac and PC users. Now is the time to remove it if you still have it installed. The article below also explains how to remove it.

Adobe Flash Player End of Life

Since Adobe will no longer be supporting Flash Player after December 31, 2020 and Adobe will block Flash content from running in Flash Player beginning January 12, 2021, Adobe strongly recommends all users immediately uninstall Flash Player to help protect their systems.

Bitwarden for Mac browser extension exposing passwords in clipboard managers

While using Alfred’s clipboard manager the other day, I noticed passwords in the clipboard history. My first thought was: how is this happening? I immediately went into Alfred’s Advanced Clipboard History settings to make sure that I had added Bitwarden to the Ignore list, and yes, I had. So I figured this had to be some sort of issue with Bitwarden.

After doing some testing, I discovered that the issue is with the Bitwarden browser extension. When I copied a password in the extension, the password was collected by Alfred’s clipboard manager even though I had it set to be ignored. This happened with both the Safari and Firefox extensions. I then copied a password in the Bitwarden app and, to my surprise, it was ignored. So this only happens with the browser extension.

I contacted both Alfred and Bitwarden regarding the issue. Here’s what they had to say:

Alfred Support:

Could you also take a look at Features > Clipboard History and ensure that the boxes for “Ignore Clipboard data marked as Concealed” and …”as Auto Generated” are checked, which they should be by default?

This ensures that if a password app (or any other app) correctly marks the copied data as concealed, which indicates it’s potentially sensitive information like a password, this is ignored by Alfred. However, if Bitwarden doesn’t mark the passwords as such, it’s impossible for an app like Alfred to guess what you’ve copied.

First, check whether Bitwarden offers you a setting to identify the data as Concealed, and if not, you may want to contact them to request this.

Cheers,

Vero

Bitwarden Support:

Thank you for supporting Bitwarden! I’d be happy to help.

This has been requested. Unfortunately, due to upstream limitations by our desktop application framework, the ability to mark data as “concealed” is not available at this time.

We have an open issue regarding this here: https://github.com/bitwarden/desktop/issues/90

Please let us know if there is anything else we can help with!

Regards,

Luc

While doing my research on this issue I noticed that others using different clipboard manager apps were having the same issue. So if you’re using a clipboard manager and Bitwarden you might want to check your clipboard manager history for passwords.

My workaround in Alfred is to remember to clear the clipboard history after I copy a password from the extension. Better yet, if I need to copy a password I’ll do it from the app instead of the extension.
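The “concealed” marker Alfred’s reply refers to is the `org.nspasteboard.ConcealedType` pasteboard type from the nspasteboard.org convention. The added Swift snippet below (my own example, not Bitwarden’s or Alfred’s code) shows both sides of that contract: how a macOS password app marks a copied secret so clipboard managers skip it, how a clipboard manager checks for the marker before recording, and a check you can run against your own clipboard right after copying a password from the extension. The function names are my own.

```swift
import AppKit

// Pasteboard types from the nspasteboard.org convention. These are the markers
// Alfred's "Ignore Clipboard data marked as Concealed / Auto Generated" settings look for.
let concealedType = NSPasteboard.PasteboardType("org.nspasteboard.ConcealedType")
let autoGeneratedType = NSPasteboard.PasteboardType("org.nspasteboard.AutoGeneratedType")

/// Password-app side: put the secret on the pasteboard together with the
/// concealed marker, so a well-behaved clipboard manager never records it.
func copySecretConcealed(_ secret: String, to pb: NSPasteboard = .general) {
    pb.clearContents()
    pb.declareTypes([.string, concealedType], owner: nil)
    pb.setString(secret, forType: .string)
    pb.setString("", forType: concealedType)   // presence of the type is the signal; value is unused
}

/// Clipboard-manager side: decide whether the current pasteboard item may be
/// stored in history. Anything marked concealed or auto-generated is skipped.
func shouldRecord(_ pb: NSPasteboard) -> Bool {
    let types = pb.types ?? []
    return !types.contains(concealedType) && !types.contains(autoGeneratedType)
}

/// Self-check on a private pasteboard (not the system clipboard) so running this
/// file does not overwrite whatever you have copied. Uses a constructed sample value.
func selfCheck() -> Bool {
    let scratch = NSPasteboard(name: NSPasteboard.Name("example.concealed.check"))
    copySecretConcealed("constructed-sample-secret", to: scratch)
    let hidden = !shouldRecord(scratch)
    scratch.releaseGlobally()
    return hidden
}

// Check your own clipboard: copy a password from the manager you use, then run this file.
print("self-check, marker honoured:", selfCheck())
let general = NSPasteboard.general
print("types on system pasteboard:", (general.types ?? []).map { $0.rawValue })
print(shouldRecord(general)
      ? "NOT marked concealed: a clipboard manager would keep this item"
      : "marked concealed: a clipboard manager honouring the convention ignores it")
```

Run it with `swift <file>.swift` on macOS; a password copied from an app that does not set the marker will show only `public.utf8-plain-text`, which is exactly why the history ignore list cannot help.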

Results of one of the largest password re-use studies ever

Last month Ata Hakçıl, a Turkish student studying computer engineering at the University of Cyprus, did one of the largest password re-use studies ever. He analyzed more than 1 billion leaked credentials from data breaches at various companies. These data dumps have been around for several years, and have been piling up as new companies get hacked.

Out of the 1 billion credentials, 168,919,919 were passwords. The most common password, 123456, was spotted 7 million times per billion credentials. The average password length was 9.5 characters, and 87.96% of passwords didn’t contain special characters. 34.41% of all passwords end with digits, but only 4.522% of all passwords start with digits.

Cool Stats

  • From 1,000,000,000+ lines of dumps, 257,669,588 were filtered as either corrupt data (gibberish in improper format) or test accounts.
  • 1 billion credentials boil down to 168,919,919 passwords and 393,386,953 usernames.
  • The most common password is 123456. It covers roughly 0.722% of all the passwords (around 7 million times per billion).
  • The most common 1,000 passwords cover 6.607% of all the passwords.
  • With the most common 1 million passwords, the hit rate is 36.28%; with the most common 10 million passwords, the hit rate is 54.00%.
  • Average password length is 9.4822 characters.
  • 12.04% of passwords contain special characters.
  • 28.79% of passwords are letters only.
  • 26.16% of passwords are lowercase only.
  • 13.37% of passwords are numbers only.
  • 34.41% of all passwords end with digits, but only 4.522% of all passwords start with digits.

Here’s my takeaway from this:

  1. Massive numbers of people need to start using a password manager. This would allow for longer and more complex passwords and eliminate the need to re-use them.
  2. Only 12.89% of passwords contain special characters, and only 4.52% of passwords start with a digit. So pick a password that starts with a number and includes special characters to avoid brute forcers.

If you’re not using a password manager, get started now. I’m using Bitwarden. Bitwarden is open source, simple to use, and best of all it’s FREE.

If you would like to see if any of your passwords have been breached, you can check them at HaveIBeenPwned.