Browser: Auto-fill should not fill in password fields marked as `new-password`

Created on 22 Jan 2019 · 25 comments · Source: bitwarden/browser

Auto-fill fills in password fields marked as new-password with an existing account's password (eg, <input type="password" autocomplete="new-password">).

It should either not touch it, or (offer to) generate a new password that conforms to the field's requirements (maxlength, minlength, and pattern). If there are multiple new-password fields on a page, it should be an option to fill in the same new password for each (eg, a second new-password field to ensure it was "typed" correctly).

I couldn't find an issue for this, but it was also mentioned in a comment on a feature request for disabling auto-fill on certain pages.


Version 1.38.0 on Firefox 64.0.2 on Ubuntu 16.04

enhancement

All 25 comments

This looks more like a feature request than a bug report so it should be posted to https://community.bitwarden.com :)

> Auto-fill fills in password fields marked as new-password with an existing account's password (eg, <input type="password" autocomplete="new-password">).

This is a bug. It is incorrect functionality that can lead to less secure accounts (multiple accounts on the same website using the same password).

> It should either not touch it,

The bug can be fixed by doing this.

> or (offer to) generate a new password that conforms to the field's requirements (maxlength, minlength, and pattern). If there are multiple new-password fields on a page, it should be an option to fill in the same new password for each (eg, a second new-password field to ensure it was "typed" correctly).

This would be a nice feature to have, and I can suggest it there at some point. But I'm more concerned about the buggy behavior right now.

I've experienced this bug as well. Hoping a fix comes soon.

While I agree that this can cause problems, I imagine there are times when people would still actually want to autofill the new-password field with a newly created or updated credential in their vault, so I am not sure what the best fix here is.

I agree with Kyle here. I often create a password entry in my vault before asking BW to auto fill the newly generated password in the password form.

> While I agree that this can cause problems, I imagine there are times when people would still actually want to autofill the new-password field with a newly created or updated credential in their vault, so I am not sure what the best fix here is.

> I agree with Kyle here. I often create a password entry in my vault before asking BW to auto fill the newly generated password in the password form.

What you're doing is a workaround for missing functionality, though. That missing functionality was suggested to be added at the same time to avoid the issue you're mentioning:

> ...generate a new password that conforms to the field's requirements (maxlength, minlength, and pattern).

Just to expand on my previous comment a bit, non-technical users shouldn't need to know the intricacies of Bitwarden and password storage/upkeep in order to use Bitwarden.

A user should be able to install Bitwarden, log in, and forget about it. With sites that are built to current standards, Bitwarden can already automatically fill in usernames, passwords, and far more. It can also update existing passwords once a new one is used. And there's no technical limitation (other than Bitwarden's code) keeping it from automatically generating and filling secure passwords of the proper length/format. With all three of those things (fill, update, and generating), users will no longer have to think about passwords (or know best practices); they only need to click the buttons to submit, with Bitwarden taking care of the technical things.

Ideally, there would be a standard that Bitwarden could take advantage of to automatically log in and update passwords on a regular basis to further simplify the process for users. But one thing at a time.

This issue is the one missing piece to greatly simplify the password process for non-technical users. And with it in place, it would encourage web developers to properly implement the autocomplete attribute. Users will no longer have to think about the max length, want to work around password change policies, worry about not using an old password, or get frustrated with different password complexity requirements on every site.

> Ideally, there would be a standard that Bitwarden could take advantage of to automatically log in and update passwords on a regular basis to further simplify the process for users

Side note, there is a proposal being built for this: https://wicg.github.io/change-password-url/index.html

> > Ideally, there would be a standard that Bitwarden could take advantage of to automatically log in and update passwords on a regular basis to further simplify the process for users

> Side note, there is a proposal being built for this: https://wicg.github.io/change-password-url/index.html

This appears more a way for password managers to send a user to the change password page, rather than automatically updating the password. It doesn't specify that the page has to conform to any other requirements, so the user may have to log in first, respond to 2fa, etc. The page may also have more fields on it that the password manager may or may not know how to respond to.

What I was talking about is something like:

```http
PUT /change-password HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: CONTENTLENGTH

user_id=USERID&current_password=CURRENTPASSWORD&new_password=NEWPASSWORD
```

But this wouldn't cover password requirements (eg, length and special character requirements, allowed characters, etc) or all errors in the most user(bot)-friendly way (eg, reused/compromised passwords). A basic implementation that covers the majority of cases should be possible, and I'd love to see that. But it's still a ways off.

Bitwarden is way too aggressive with its autofill. It should certainly respect the standard autocomplete="new-password" attribute. I had to put in a dirty JS hack to prevent that autofill on a logged-in user's profile page just to prevent the fill.

I totally agree with others that Bitwarden is NOT doing the correct thing here.

Both Google and Mozilla suggest adding an autocomplete="new-password" to inputs that require a new password to be generated, e.g. if you have a new sign-up form or password reset form.

The intent is clear: create a NEW password - not prefill existing one from any password managers. The main selling point of a password manager is the ability to create unique passwords and have them fill, not re-use the same password with autofilling it across sites.

Bitwarden needs to fix this and align the behaviour with what's expected from the intent of new-password.

@silverwind would you mind sharing how you fixed this with your dirty JS hack?

I put a zero-width space between pass and word in the placeholder attribute so bitwarden's regex for string password does not match it anymore.

That doesn't seem to work for me. Why would bitwarden be looking at placeholder tag anyway?

Note that you cannot have type=password, which of course BW will detect too. To make it still hide typed characters like a regular password box, some JS is needed too to replace the typed text with placeholders.

@Crocmagnon

> I agree with Kyle here. I often create a password entry in my vault before asking BW to auto fill the newly generated password in the password form.

The main problem is with autofilling on page load for new-password fields. Even if Bitwarden no longer did that, you could still create a pw in Bitwarden and have it autofill on demand.

Alternatively, Bitwarden could provide similar behaviour to how Chrome does it: when you right-click/focus on a field, it will provide you with an option to generate a password (and have it saved to the Bitwarden manager). That way it would:

  1. Save a unique pw to Bitwarden automatically
  2. Auto fill it

In terms of other password managers, LastPass provides an option to allow sites to control it (somewhat) with data-lpignore="true" added to the input field; however, this only works if the user has turned on Settings > Advanced > Allow pages to disable autofill. This could have been from before new-password was around, though, as I personally think LastPass have gone against standards and introduced a very specific escape hatch only for their manager.

Either way, we need some way to prevent Bitwarden from autofilling on certain fields, and most browsers use new-password as the web-standard way of doing it. If your concern is that this may inconvenience users who are used to a particular workflow, then it can be provided as an option in Bitwarden settings, "Allow sites to turn off autofill" or something, with the setting being on by default.

@kspearrin what's your thoughts on this?

@cscharf any thoughts on this? It's causing big headaches for our users; we're actually having to tell them to disable Bitwarden. This needs more priority because it's interfering with signup forms, forgot/reset password forms etc. It's an urgent issue that needs to be addressed.

> you could still create a pw in Bitwarden and have it autofill on demand.

As long as it doesn't interfere with the autofill on demand, I'm not against it :)

I'll take a look at this with priority this week, we'll figure out a way to best resolve the original ask without impacting those users negatively that rely on the current behavior and I'll post any questions on specific use-cases here as well. Thank you everyone for the feedback and insight!

Proposal (DRAFT) cc @kspearrin :
The following is my draft proposal for resolving this in the short-term until a larger effort can be established for creating password generation/suggestion functionality within the browser extension for "change password" and "create password" forms.

This is intended to solve for the following user stories:

  1. As a Bitwarden user I want to be able to auto-fill new password fields on-demand by explicitly executing the auto-fill command so that I can populate new password credentials after I have already created them in my vault before taking that action.
  2. As a Bitwarden user I want Bitwarden to not automatically auto-fill my existing password into a field designated as a new password on page load when I'm changing my password or creating a new user on the same site so that I don't accidentally create multiple users with the same password or continue to use an existing password when the intent was to change it.

Ultimately, the goal is to not "automatically" touch new-password autocomplete designated fields unless the user is explicitly running the auto-fill command.

Technical approach:

  • Modify the loadPasswordFields() method inside of autofill.service.ts to take an additional parameter/option, fillNewPassword, which for now must be explicitly set to true by the auto-fill command in order for autocomplete="new-password" fields to be included for consideration in the auto-fill service for passwords/logins.
  • Modify the doAutoFillForLastUsedLogin() method inside of autofill.service.ts to pass the fillNewPassword option, set to true if it is being invoked by the explicit command.

Does anyone have an actual site they're experiencing this on that I can test and validate behavior against?
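A model of the proposed `loadPasswordFields()` change, as an added example in JavaScript that is not Bitwarden's code: a selector that only includes `autocomplete="new-password"` fields when the caller passes the `fillNewPassword` option, so a page-load fill never writes an existing password into a sign-up or change-password box while the explicit auto-fill command still can. Field descriptors are constructed plain objects standing in for `<input>` elements so it runs in Node without a DOM; `selectPasswordFields` and the option name are assumptions mirroring the proposal.

```javascript
// Added example (not Bitwarden's code): a model of the proposed change to
// loadPasswordFields(). Field descriptors are constructed plain objects.

// The autocomplete attribute is a space-separated token list, e.g.
// "section-main new-password", so match tokens rather than the whole string.
function autocompleteTokens(field) {
  return (field.autocomplete || "").trim().toLowerCase().split(/\s+/);
}

// Returns the password fields a fill operation may write to.
// opts.fillNewPassword (assumed name, after the proposal) must be true, which
// only the explicit auto-fill command sets, for new-password fields to be
// included. A fill triggered on page load therefore leaves them alone.
function selectPasswordFields(fields, opts = {}) {
  const fillNewPassword = opts.fillNewPassword === true;
  return fields.filter((f) => {
    if ((f.type || "").toLowerCase() !== "password") return false;
    if (autocompleteTokens(f).includes("new-password") && !fillNewPassword) return false;
    return true;
  });
}

// Constructed sample: a change-password form with a confirmation box and an
// unrelated text input.
const changePasswordForm = [
  { id: "current", type: "password", autocomplete: "current-password" },
  { id: "new1", type: "password", autocomplete: "section-main new-password" },
  { id: "new2", type: "password", autocomplete: "new-password" },
  { id: "search", type: "text", autocomplete: "off" },
];

// Fields a page-load fill may touch: only the current-password box.
const onPageLoad = selectPasswordFields(changePasswordForm).map((f) => f.id);

// Fields the explicit auto-fill command may touch, once the user has put the
// new credential in the vault: all three password boxes.
const onDemand = selectPasswordFields(changePasswordForm, { fillNewPassword: true })
  .map((f) => f.id);

console.log({ onPageLoad, onDemand });
```

Matching the token rather than the raw attribute string matters: sites that use autocomplete sections (`section-main new-password`) would otherwise slip past the check and be filled with the existing password on page load.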

Any further progress on this @cscharf?

Hi @garygreen, yes actually, my apologies for not updating the thread and thanks for the nudge.

I believe I have this code-complete; however, before being able to really start testing it cross-browser, the team and I have been at full capacity gearing up for our big release this month. I'll be able to get to testing this soon, in the next week or two.

Works fine for me with autocomplete="new-password" attributes, thanks.

Now I think autocomplete="off" should probably also not autofill; only autocomplete="current-password" or an absent attribute should. I know that off is intentionally being ignored because of some bad sites, but maybe there could be an option to control filling of off.
