Bitwarden for Mac browser extension exposing passwords in clipboard managers

While using Alfred’s clipboard manager the other day I noticed passwords in the clipboard history. My first thought was: how is this happening? I immediately went into Alfred’s Advanced Clipboard History Settings to make sure that I had added Bitwarden to the Ignore list, and yes, I had. So I figured this had to be some sort of an issue with Bitwarden.

After doing some testing I discovered that the issue is with the Bitwarden browser extension. When I copied a password in the extension the password was collected by Alfred’s clipboard manager even though I had it set to be ignored. This happened with both the Safari and Firefox extension. I then copied a password in the Bitwarden App and to my surprise, it was ignored. So this only happens with the browser extension.

I contacted both Alfred and Bitwarden regarding the issue. Here’s what they had to say:

Alfred Support:

Could you also take a look at Features > Clipboard History and ensure that the boxes for “Ignore Clipboard data marked as Concealed” and …”as Auto Generated” are checked, which they should be by default?

This ensures that if a password app (or any other app) correctly marks the copied data as concealed, which indicates its potentially sensitive information like a password, this is ignored by Alfred. However, if Bitwarden doesn’t mark the passwords as such, it’s impossible for an app like Alfred to guess what you’ve copied.

First, check whether Bitwarden offers you a setting to identify the data as Concealed, and if not, you may want to contact them to request this.

Cheers,

Vero

Bitwarden Support:

Thank you for supporting Bitwarden! I’d be happy to help.

This has been requested. Unfortunately, due to upstream limitations by our desktop application framework, the ability to mark data as “concealed” is not available at this time.

We have an open issue regarding this here: https://github.com/bitwarden/desktop/issues/90

Please let us know if there is anything else we can help with!

Regards,

Luc

While doing my research on this issue I noticed that others using different clipboard manager apps were having the same issue. So if you’re using a clipboard manager and Bitwarden you might want to check your clipboard manager history for passwords.

My workaround in Alfred is to remember to clear the clipboard history after I copy a password from the extension. Better yet if I need to copy a password I’ll do it from the app instead of the extension.
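To make the two support replies concrete: the “concealed” marking Alfred refers to is not an Alfred-specific setting but a macOS pasteboard convention (the nspasteboard.org types org.nspasteboard.ConcealedType and org.nspasteboard.AutoGeneratedType, which map to Alfred’s two “Ignore Clipboard data marked as…” checkboxes). The Swift snippet below is an added example written for this post, not code from Bitwarden, Alfred or the Electron framework Bitwarden mentions; it shows how a password app attaches the marker when it copies a secret, and how a clipboard-history tool should check for the marker before recording an item. The secret string is a constructed placeholder.

```swift
import AppKit

/// Pasteboard types from the nspasteboard.org convention. A clipboard manager
/// that honours them (Alfred does, via its "Ignore Clipboard data marked as
/// Concealed / as Auto Generated" options) skips items carrying either marker.
let concealedType = NSPasteboard.PasteboardType("org.nspasteboard.ConcealedType")
let autoGeneratedType = NSPasteboard.PasteboardType("org.nspasteboard.AutoGeneratedType")

/// How a password manager should copy a secret: declare the plain string type
/// together with the concealed marker, then set both.
func copyConcealed(_ secret: String, to pasteboard: NSPasteboard = .general) {
    // declareTypes(_:owner:) clears the previous contents before declaring.
    pasteboard.declareTypes([.string, concealedType], owner: nil)
    pasteboard.setString(secret, forType: .string)
    // The marker's payload is irrelevant; its presence is the signal.
    pasteboard.setString("", forType: concealedType)
}

/// How a clipboard-history tool should decide whether to record the current
/// pasteboard item. Returns nil when the item is marked concealed or
/// auto-generated, so nothing sensitive lands in the history.
func stringToRecord(from pasteboard: NSPasteboard = .general) -> String? {
    let markers: [NSPasteboard.PasteboardType] = [concealedType, autoGeneratedType]
    if pasteboard.availableType(from: markers) != nil {
        return nil
    }
    return pasteboard.string(forType: .string)
}

// Case 1: a correctly marked secret (constructed placeholder value).
copyConcealed("correct horse battery staple")
print(stringToRecord() == nil ? "skipped (concealed)" : "recorded")

// Case 2: a plain copy with no marker, which is what the browser extension
// appears to do; a clipboard manager has no way to tell this is a password.
NSPasteboard.general.clearContents()
NSPasteboard.general.setString("plain text", forType: .string)
print(stringToRecord() ?? "skipped")
```

Run it with `swift` on a Mac; the first case prints “skipped (concealed)” and the second prints the recorded text. The point of the second case is the one Alfred’s reply makes: without the marker the history tool sees only a string, so the fix has to come from the copying application (here, the browser extension), not from the clipboard manager.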

Results of one of the largest password re-use studies ever

Last month a Turkish student, Ata Hakçıl, studying computer engineering at the University of Cyprus, did one of the largest password re-use studies ever. He analyzed more than 1 billion leaked credentials from data breaches at various companies. These data dumps have been around for several years, and have been piling up as new companies get hacked.

Out of the 1 Billion credentials, 168,919,919 were passwords. The most common password 123456 was spotted 7 million times per billion credentials. The average password length was 9.5 characters and 87.96% of passwords didn’t contain special characters. And 34.41% of all passwords end with digits, but only 4.522% of all passwords start with digits.

Cool Stats

  • From 1.000.000.000+ lines of dumps, 257.669.588 were filtered as either corrupt data (gibberish in an improper format) or test accounts.
  • 1 Billion credentials boil down to 168.919.919 passwords, and 393.386.953 usernames.
  • Most common password is 123456. It covers roughly 0.722% of all the passwords. (Around 7 million times per billion)
  • Most common 1000 passwords cover 6.607% of all the passwords.
  • With most common 1 million passwords, hit-rate is at 36.28%, and with most common 10 million passwords hit rate is at 54.00%.
  • Average password length is 9.4822 characters.
  • 12.04% of passwords contain special characters.
  • 28.79% of passwords are letters only.
  • 26.16% of passwords are lowercase only.
  • 13.37% of passwords are numbers only.
  • 34.41% of all passwords end with digits, but only 4.522% of all passwords start with digits.

Here’s my takeaway from this:

  1. Massive amounts of people need to start using a password manager. This would allow for longer and more complex passwords and eliminate the need to re-use them.
  2. Only 12.89% of passwords contain special characters and only 4.52% of passwords start with a digit. So pick a password that starts with a number and includes special characters to avoid brute forcers.

If you’re not using a password manager then get started now. I’m using Bitwarden. Bitwarden is open source, simple to use and best of all it’s FREE.

If you would like to see if any of your passwords have been breached you can check them at Have I Been Pwned.

GoodLinks for read-it-later

I have been trying a new read-it-later and bookmark manager app GoodLinks by Ngoc Luu the developer of 1Writer.

In my opinion, GoodLinks is one of the best read-it-later apps out there. The reading experience is excellent. Articles and reading position sync between devices via iCloud. And best of all it’s a one time purchase for iPhone, iPad, and Mac.

Since it’s a relatively new app it’s missing a few features. One big one for me is that there is no way to import saved bookmarks from other apps. I would like to use GoodLinks as my bookmark manager as well as read-it-later but until import is available that will have to wait. I have too many bookmarks in Raindrop.io to move individually. I’m sure this feature will be added soon.

As a side note, GoodLinks for the Mac requires Catalina.

If you would like to learn more about GoodLinks check out this MacStories review by John Voorhees: GoodLinks Review: A Flexible Read-it-Later Link Manager Packed with Automation Options – MacStories

FoodNoms food tracking app

As you will recall I had gained a couple of pounds over the winter and wanted to lose them. Once I had done that I wanted to maintain a specific weight. For me, the easiest way to do this has always been tracking calories. Calories in and calories out.

What I’ve found after doing this for a couple of months is that counting calories makes me make better food choices so that I stay within my Recommended Daily Intake (RDI). Based on my age, weight, height, and activity level my RDI is approximately 2000 calories per day to maintain my current weight. Prior to counting, I was eating between 1000 and 1500 calories more than my recommended daily requirement.

With all that said, I’m trying a new food tracking app FoodNoms that Casey Liss mentioned in Episode 385 of Accidental Tech Podcast. It’s taking a few days to get used to it because it works differently than the app that I’m used to using. But, the more I use it the more I’m liking it and I think I’ll be sticking with it. By the way, the app walks you through the calculation to determine your RDI.

If you’re interested in getting a handle on your weight you should give the app a try. There’s a free version of the app, which is what I’m using. There’s also FoodNoms Plus, which is a subscription. I think most people could probably get along with just the free version.

John Voorhees did a nice review of the app over on MacStories. Go check it out FoodNoms: A Privacy-Focused Food Tracker with Innovative New Ways to Log Meals – MacStories.

Sling TV holding prices while YouTube TV raises prices

Yesterday I was reading M.G. Siegler’s article about YouTube TV’s June 30th, 2020 30% price increase. He also speaks to how streaming TV is becoming bundled just like cable TV.

Coincidentally, that same day I got an email from Sling TV telling its users that our price is not going up and that our current price is guaranteed for the next 12 months. After reading Siegler’s article that was good news because I figured Sling might follow in the footsteps of YouTube TV.

If you’re not happy with YouTube TV’s price increase you might want to take a look at Sling. They’re offering:

Year Price Guarantee for all new and existing customers. For customers who sign up for SLING TV or who have an existing account by August 1, 2020, SLING TV will automatically guarantee their current price on any SLING TV service through August 1, 2021 (that’s just $30 per month for SLING Orange or SLING Blue).

No charging brick? You’ve got to be kidding!

There’s a rumor going around that Apple won’t be including a charging brick with the new iPhone 12. That means when I buy a new iPhone I’m going to have to buy a charger as an add-on purchase to be able to use it. I don’t know about you but this is just wrong and it feels like Apple nickel-and-diming us to improve their margins. The thought of this just pisses me off. Apple this is stupid!

You have to ask yourself why would Apple do this? M.G. Siegler wrote about this subject over on his blog 500ish.com.

None of those points are false, but let’s be honest here, that’s not why Apple is doing this. Here’s the breakdown in terms of order of importance as I see it:

1) Margins. The next iPhone’s margins are going to be under assault due to the ‘5G’ components, amongst other new technology. And COVID has altered the supply chain immensely. The charger may not seem like a huge margin savings, but it adds up in aggregate. Also, there’s up-sell opportunities galore with the new faster charging bricks — or, even better, Apple’s inevitably still-forthcoming wireless charging solution.

2) Shipping. You know what else adds up in aggregate? Shipping these units from China. If Apple can make these boxes more svelte, they’ll pack more in. This helps the environment, in a way, but it helps the bottom line even more.

3) Transitions. The next iPhone — the one after this one — is already rumored to forgo wired charging entirely. If that’s the case, it may make some sense to move people beyond the notion of including a wired charger in the iPhone box now. Force more customers to get ready for the wireless charging revolution.

4) Environment. This is on the list. But it’s the last item on the list. Not the first item on the list.

I know that all sounds cynical, but come on, that is clearly what is happening here. It’s not all point number one, but it’s a combination of all four points with the first one being the most important in terms of deciding what to do here. They could have made this change at any point over the past few years with the same rationale. Yet they’re doing it this year.

Again, I’m sitting here shitting on a decision that is a rumor. But the source (which is a second source, no less) would seem to be credible enough that this is likely going to happen. And so maybe there’s still a chance to affect the outcome. Not within the boxes themselves — that ship has undoubtedly already sailed, even if the shipping containers haven’t yet — but perhaps there’s an opportunity to offer a power brick as a free add-on for those who want/need one at the time of an iPhone purchase.

Again this is just stupid to sell a product without being able to fully use it out of the box. And that’s exactly what Apple appears to be doing if the rumor is true.

Three finger swipe to undo

I had been writing an article in Ulysses for the last couple of days and was just about done with it. Last evening while lying in bed I was reviewing it on my iPhone and I noticed something that I wanted to change. So I selected the change and deleted it. Unknowingly I had somehow selected the text of the entire article and everything I had written was gone. Ah Shit!

I couldn’t figure out a way to get what I’d written back. I checked for a Ulysses backup but to my surprise, Ulysses doesn’t backup external files and folders and the article was in a Dropbox folder. Next, I tried a google search for a Ulysses undo action and again no luck. So at this point, everything that I’d written was gone.

This morning I was listening to an episode of Accidental Tech Podcast and Casey Liss happened to mention three-finger swipe for undo. I don’t remember in what context he mentioned it but it sure got my attention. I immediately thought I wish I had known this yesterday. It would have saved my ass.

Here’s how it works. Swipe left with three fingers on the active app to undo your last actions. To redo your last action, swipe right with three fingers. This works on iOS and iPadOS.

The Sweet Setup has a good article on text formatting gestures that you can find here.

Hey controversy from a user perspective

As you have probably seen this past week, there has been a lot of controversy over the Hey.com email app being rejected from the Apple App Store.

Here’s some background on what the brouhaha is about.

The Verge

Apple is threatening to remove Hey.com from the App Store if the ambitious new email service doesn’t begin offering an in-app subscription and sharing a cut of its revenue, according to an executive at Basecamp, which makes Hey.

David Heinemeier Hansson, the CTO of Basecamp, said that Apple is acting like “gangsters,” rejecting a bug fix update and asking the company in a phone call to commit to adding an in-app subscription to prevent it from being removed. “I was taken aback by how brazen that threat was,” Heinemeier Hansson told The Verge. “I thought you were supposed to wrap the threats in euphemisms or something. But it was pretty clear.”

In an email to The Verge, Apple said that it requires all developers to follow strict guidelines around business models. The company declined to comment specifically on Hey, but said that App Store review guidelines require an in-app purchase option if an app wants to offer access to content purchased on another platform. Apple suggested the call to Hey’s team was not out of the ordinary, saying it always works with developers to bring them into compliance. Apple also told Protocol that the app shouldn’t have been approved in the first place.

The developer community has been very vocal in siding with the app’s developer. But there’s another side to this story. I view this situation from a user’s perspective rather than a developer’s. So the question is: how does Apple’s operation of the App Store affect me?

Ben Brooks wrote a piece about the controversy which I was intrigued by. It sums up how I as a user feel about the situation.

Hey, Controversy – The Brooks Review

FOCUS ON USERS

Apple employs an extremely simple, but effective business strategy: focus on making the best experience for users, and you will make loads of money. Amazon, Google, Uber, and many others copy this. But Apple is king of this strategy.

If Hey.com, or any other developer, wants an exception to the rule, then you need to prove that the best thing for the user is to grant that exception. Allow me to explain in two cases.

NETFLIX

You cannot sign up for Netflix in the Netflix app, and Apple allows this and they say they do because it is a content consumption app. Which is likely a good cover-your-ass statement. The real reason: not having Netflix on the App Store would be objectively worse for users than Apple bending the IAP subscription rule.

Or put another way: if Android has a Netflix app, and iOS does not, then iOS is likely to lose more iOS users and thus profit than they would if they just waived the rule and allowed the app. So even though the Netflix app is not an ideal user experience, it is the best Apple can do and Apple clearly feels not having Netflix on the iPhone is worse for the user than bending the IAP rules.

HEY.COM

Now what Hey.com is saying: users have to subscribe on our website. What Apple is saying: that’s a worse user experience.

Stop there, because I know a ton of you agree with Hey.com, but I need you to be realistic as an iOS user. Is your argument that, as a user, the best experience is to use Safari to sign up and pay for Hey.com, and then further to always have to go to their website to manage that auto-recurring subscription? Is that really the argument? I think not.

Because that’s the worst user experience. The best is to have the App Store manage it, it makes signing up easier, safer, and faster. It makes management way easier.

So Apple, in looking at this says: it is objectively worse for users to bend the IAP rule, and by blocking Hey.com we are not likely to lose any meaningful amount of users. There are plenty of other options, so no, we will not make the experience worse for users.

Hey did not prove their case, and Apple sided with the users. You are also a user. Do you really want all these subscription based apps to start punting you to a website to sign up? Or do you actually find IAPs the best way to pay for subscriptions?

Yeah… Apple clearly agrees with you, that IAP subscriptions are way better than web subscriptions. And that’s why Hey.com got rejected, and frankly was always rolling the dice.

Ben’s article is well written and worth reading in full. You can find it here.