cross-posted from: https://lemm.ee/post/33197502

The ports 80 and 443 are already used by Adguard Home. I didnt find any way to change those ports for Bitwarden.

cross-posted from: https://feddit.de/post/11733855

App can now be used to create and sign in with passkeys.

Some further context:

Right now the mobile apps are using a Framework called Xamarin which enables crossplatform mobile releases. Since it has become a roadblock for them (e.g. needed to wait for Microsoft to support passkeys in Xamarin) they are planning to switch to native apps (Swift for ios and Kotlin for android). Source

cross-posted from: https://sh.itjust.works/post/15450542

Going native: The future of the Bitwarden mobile app

Highly requested by the Bitwarden community, the new inline auto-fill menu greatly enhances the user experience, enabling users to fill login credentials faster than ever.

Hi everyone. I just noticed something odd. I believe, if I'm not mistaken, that I used to have Bitwarden's Vault as a Progressive Web App installed here on my system in the past, which I have since remove.

Today, though, I decided to reinstall it. So I opened up Bitwarden's website and sure enough, for my convenience, there was an “Install” icon on the address bar.

However! That seemed to have installed the Main Page, and not the vault page itself.

If I click “Login”, it will only open a new web browser tap to a login page, despite the fact that I'm already logged in.

Then I thought, fair enough, the “Install” icon was on the main page, the problem is, the Vault page's, doesn't seem to be available as a PWA, at all, as it doesn't have the option to be installed.

Was it all just a dream and I never had a Bitwarden Vault PWA, or something did change?

Hi mate,

I'm interested to know if it is possible to use a family plan in a self hosted Bitwarden instance.

Thanks

After spending all day setting up Bitwarden I ran into a roadblock getting the iOS app to work with it. I get an SSL error because my cert doesn't have the EKU value they want. I use OPNsense for my CA, and it doesn't have the ability to generate this value on a cert as far as I can tell. I really don't want to stand up another CA just to get this one app working. It's the only thing I've found a hard block on with using my internal CA in all my years of homelabbing.

The hilarious thing is that Safari on the same device will connect to my Bitwarden website with no issue - it thinks the cert is fine. Way to go, Apple.

This is mostly just a rant against Apple, but it would be nice if Bitwarden could bypass this by allowing you to trust your own cert inside the iOS app so you're not beholden to Apple's stupid requirements.

The fact that BW is open-source allowing the ability to self-host is a very awesome and unique feature. The fact that Dani Garcia ported the code and allowed you to host vaultwarden on a low-power device like a Pi or a small VPS is even more awesome. The fact that they both made it easy to install and run the service with Docker etc., and that there are a lot of guides on how to set the whole thing up is super awesome. You can play around, learn some things, and get control of your own data. It's all awesome. But none of that is a security feature.

BW started as a tool for enthusiasts, people who probably can review and compile source code, set up a server, and run services securely -- seasoned c/[email protected] folks. Maybe in their hands, a self-hosted instance of BW can come close to the security provided by the official service. If they are experts in the field, maybe they can make it even more secure. Maybe.

For most people visiting this sub today that is patently untrue!

Most self-hosting posts today are chock-full of comments asking how to register a domain or set up dynamic DNS, or asking what is Docker. Do you honestly think that these people are knowledgeable enough to set up their own BW service securely? Are they knowledgeable enough to evaluate the original team, their product, its source, and its security; to evaluate a completely different team, with a different source; to set up a secure server and host a service without succumbing to all the pitfalls of novice self-hosting; and to do it better than the guys at Azure?

Hell No!

The fact remains that for the greatest majority of people coming here, using the official BW service hosted by Microsoft remains the most secure way to use Bitwarden. That should be the default advice on this sub. To state or imply otherwise is misleading at best and a patent lie at worst. Please stop recommending self-hosting as a security feature. Please stop leading the lemmings off the cliff.

https://nvd.nist.gov/vuln/detail/CVE-2023-27706

Bitwarden Desktop v1.20.0 and above stores the biometric key in plaintext which allows a local attacker to decrypt the entire local vault if you are using Windows Hello and are not on the latest version. The Bitwarden Windows client before version 2023.4.0 is affected.

Details here: https://hackerone.com/reports/1874155

(shamelessly stolen from reddit)

Field value is linked to the item’s Username or Password. Given the right field name, Linked custom fields can be used to solve issues where your Browser Extension can’t auto-fill usernames and passwords for a particular site (learn more).

• Vault Timeout Policy: The Vault Timeout policy will apply a maximum Vault timeout duration for all members of your Organization (see here for details).
• Disable Personal Vault Export Policy: The Disable Personal Vault Export policy will prohibit non-Owner/non-Admin members of your Organization from exporting private Vault data (see here for details).
• Auto-scale Organization Seats: Teams and Enterprise Organizations will automatically scale up user seats as new users are invited. Organizations can set a limit on scaling to prevent the seat count from exceeding a specified number (see here for details).
• Custom Role - Improved Collection Permissions: Collection-management permissions for the Custom role have been expanded to include granular controls over whether the user can create, edit, or delete assigned or all Collections (see here for details).
• Admin Password Reset - Update Password after Reset: Passwords reset by an Admin must now be updated by the user they belong to immediately when they log in to Bitwarden (see here for details).
• Browser Extension - Autofill Span Elements: The Browser Extension can now auto-fill custom fields in the innerText of HTML elements (see here for details).
• Browser Extension - Automatic Biometrics Prompt: The Browser Extension can now automatically prompt for your biometric input when opened. You can toggle this behavior from the Settings menu (see here for details).
• Web Vault - Dark Mode: The Web Vault now has dark mode (see here for details)!
• CLI - generate Passphrase Options: The bw generate --passphrase command now includes the options --capitalize and --includeNumber (see here for details).