Bitwarden for Mac browser extension exposing passwords in clipboard managers

While using Alfred’s clipboard manager the other day I noticed passwords in the clipboard history. My first thought was how is this happening. I immediately went into Alfred’s Advanced Clipboard History Settings to make sure that I had added Bitwarden to the Ignore list and yes I had. So I figured this has to be some sort of an issue with Bitwarden.

After doing some testing I discovered that the issue is with the Bitwarden browser extension. When I copied a password in the extension the password was collected by Alfred’s clipboard manager even though I had it set to be ignored. This happened with both the Safari and Firefox extension. I then copied a password in the Bitwarden App and to my surprise, it was ignored. So this only happens with the browser extension.

I contacted both Alfred and Bitwarden regarding the issue. Here’s what they had to say:

Alfred Support:

Could you also take a look at Features > Clipboard History and ensure that the boxes for “Ignore Clipboard data marked as Concealed” and …”as Auto Generated” are checked, which they should be by default?

This ensures that if a password app (or any other app) correctly marks the copied data as concealed, which indicates its potentially sensitive information like a password, this is ignored by Alfred. However, if Bitwarden doesn’t mark the passwords as such, it’s impossible for an app like Alfred to guess what you’ve copied.

First, check whether Bitwarden offers you a setting to identify the data as Concealed, and if not, you may want to contact them to request this.

Cheers,

Vero

Bitwarden Support:

Thank you for supporting Bitwarden! I’d be happy to help.

This has been requested. Unfortunately, due to upstream limitations by our desktop application framework, the ability to mark data as “concealed” is not available at this time.

We have an open issue regarding this here: https://github.com/bitwarden/desktop/issues/90

Please let us know if there is anything else we can help with!

Regards,

Luc

While doing my research on this issue I noticed that others using different clipboard manager apps were having the same issue. So if you’re using a clipboard manager and Bitwarden you might want to check your clipboard manager history for passwords.

My workaround in Alfred is to remember to clear the clipboard history after I copy a password from the extension. Better yet if I need to copy a password I’ll do it from the app instead of the extension.

Results of one of the largest password re-use studies ever

Last month a Turkish student Ata Hakçıl studying computer engineering at the University of Cyprus did one of the largest password re-use studies ever. He analyzed more than 1 billion-plus leaked credentials from data breaches at various companies. These data dumps have been around for several years, and have been piling up as new companies are getting hacked.

Out of the 1 Billion credentials, 168,919,919 were passwords. The most common password 123456 was spotted 7 million times per billion credentials. The average password length was 9.5 characters and 87.96% of passwords didn’t contain special characters. And 34.41% of all passwords end with digits, but only 4.522% of all passwords start with digits.

Cool Stats

  • From 1.000.000.000+ lines of dumps, 257.669.588 were filtered as either corrupt data(gibberish in improper format) or test accounts.
  • 1 Billion credentials boil down to 168.919.919 passwords, and 393.386.953 usernames.
  • Most common password is 123456. It covers roughly 0.722% of all the passwords. (Around 7 million times per billion)
  • Most common 1000 passwords cover 6.607% of all the passwords.
  • With most common 1 million passwords, hit-rate is at 36.28%, and with most common 10 million passwords hit rate is at 54.00%.
  • Average password length is 9.4822 characters.
  • 12.04% of passwords contain special characters.
  • 28.79% of passwords are letters only.
  • 26.16% of passwords are lowercase only.
  • 13.37% of passwords are numbers only.
  • 34.41% of all passwords end with digits, but only 4.522% of all passwords start with digits.

Here’s my takeaway from this:

  1. Massive amounts of people need to start using a password manager. This would allow for longer and more complex passwords and eliminate the need to re-use them.
  2. Only 12.89% of passwords contain special characters and only 4.52% of passwords start with a digit. So pick a password that starts with a number and includes special characters to avoid brute forcers.

If you’re not using a password manager then get started now. I’m using is Bitwarden. Bitwarden is open source, simple to use and best of all it’s FREE.

If you would like to see if any of your passwords have been breached you can check them at HaveIBenPwned.

How Rob lost control of his bank accounts to a phone scammer

I’ve been following Rob’s blog for several years. I enjoy reading what he writes about. He is also the developer of a couple of Mac apps that I use.

I felt bad for Rob after reading his blog post about how he had recently lost control of his bank accounts to a phone scammer. His story is well worth reading. It may save you from falling for the same or similar phone scams.

How I lost control of our bank accounts to a phone scammer | The Robservatory

Holiday Sale: Save 50% on all Enpass password manager plans

This is directed at those of you who are in the market for a password manager. I’ve been using Enpass for several months and am very happy with it.

I’ll mention that Enpass moved to subscription a few weeks ago but they also have a lifetime license and with the sale you, can get a lifetime license for just $24.99.

A special deal for the Holidays: 50% off on all Enpass plans

Enpass will be on sale with a discount of 50% on all app stores – while you can get a lifetime license for only $24.99, you can also get an Enpass Premium subscription starting for as low as $0.49 per month. And, of course, the full-featured desktop versions of Enpass – macOS, Windows, Linux – are completely free.

Note that this is a limited time offer, starting from December 24, 2019 and valid till January 2, 2020. So, don’t wait and unlock the full version of Enpass at this special discounted price. Spread the word to help your friends and family members get started with safe and secure password management.

My choice for a Safari 13 content blocker on Mac

With Safari 13 my favorite Mac ad and tracker blocker uBlock Origin, along with a few other extensions, no longer work. Because of this, I have switched to Firefox as my main browser. That said there will still be times when I will want to use Safari and will want an ad and tracker blocker.

I tried Ghostery Lite but I had two issues with it. It doesn’t block YouTube ads and I didn’t like the way it handles space left behind by blocked ads.

For now, I’ve settled on Wipr. Wipr blocks all ads, trackers, cryptocurrency miners, EU cookie and GDPR notices, and other annoyances. I also switched to Wipr for Safari on my iPhone and iPad in place of BlockBear. BlockerBear was working fine but for consistency, I switched to Wipr.

Day One encryption

I have been using Day One for going on three years now. One concern I’ve had is that journals by default are encrypted but with Day One holding the encryption key. This means that someone at Day One might be able to access my journals. Journals with Standard encryption are also exposed to a data breach or security glitch. This has caused me to limit what I write in them.

Now, after reading Shawn Blanc’s ”Best Journaling App for iPhone, iPad, and Mac” on The Sweet Setup I’ve taken his advice and enabled End-to-end encryption for all my journals.

Shawn Blanc:

End-to-end encryption is not turned on by default for providing the best type of security for your journal entries, as users must maintain their encryption key at all times to unlock journals if necessary. As Day One’s FAQ puts it:

When using end-to-end encryption, it is essential you save your encryption key in a secure location. If you lose your key, you will not be able to decrypt the journal data stored in the Day One Cloud. You’ll need to restore your data from an unencrypted locally-stored backup.

We recommend turning on end-to-end encryption whenever you create a new journal to ensure your data is always kept safe and secure. Save your encryption key in an app like 1Password or a locked note inside Notes.app and never lose the key.

Now no one has access to my journals without the encryption key. I keep it in 1Password.