TL;DR - Is using autofill to enter usernames/passwords safe, or should manual copy/paste be used instead?
Came across an article the other day on TechRadar, entitled "Hackers might be able to crack this top password manager and steal your logins." Solely discussed in this article was Bitwarden.
A more thorough analysis of this article, as well as discussions on both Bitwarden's community forum and Reddit, seems to suggest that the presented threat is not a Bitwarden flaw (as it seems the article would have you believe), but is instead related to how password manager autofill features function, meaning it's a problem shared by all password managers. Bitwarden isn't being "cracked" per the article title.
This nonetheless has renewed discussions on using autofill, and there appear to be two sides to this debate:
- Never use autofill and instead copy/paste credentials from password managers into login fields.
- There's no problem with autofill, and the discussed threat is so negligible, it's worth continuing to use the feature.
If understood correctly, the threat to using autofill lies in the potential for a website to be compromised with a malicious iframe containing hidden form fields. When using autofill, the password manager will complete these hidden fields within the malicious iframe. Hence, if autofill is avoided and credentials are instead copied/pasted directly from the password manager, the threat is mitigated.
Generally speaking, is "that" the threat? If so, is using autofill to enter usernames/passwords safe, or should manual copy/paste be used instead?
Clarification would be most welcome!
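As an added illustration (not part of the original post, and not Bitwarden's or any other manager's code), here is a simplified JavaScript model of the two checks an autofill routine can make before writing a credential into a field: the frame must share the origin of the saved site and of the top-level page, and the field must be visible to the user. Field and frame descriptors are constructed plain objects rather than DOM nodes so the example runs outside a browser.

```javascript
// Added example: simplified autofill gating logic. Not Bitwarden's code.
// Fields and frames are plain objects so this runs under Node without a DOM.

// Reduce a URL to its origin (scheme://host[:port]) for comparison.
function originOf(url) {
  return new URL(url).origin;
}

// A field counts as hidden if the page cannot actually show it to the user.
// These are the common ways an injected form hides its inputs.
function isHiddenField(field) {
  return (
    field.type === "hidden" ||
    field.display === "none" ||
    field.visibility === "hidden" ||
    field.opacity === 0 ||
    field.width === 0 ||
    field.height === 0
  );
}

// Decide whether a credential saved for `savedUrl` may be filled into `field`,
// which lives in a frame loaded from `frameUrl` on a page whose top-level
// URL is `topUrl`. Returns the decision and the reason for it.
function autofillDecision({ field, frameUrl, topUrl, savedUrl }) {
  const saved = originOf(savedUrl);
  if (originOf(topUrl) !== saved) {
    return { fill: false, reason: "top-level origin differs from saved site" };
  }
  // A frame from another origin may be injected third-party content; refuse
  // even though the top-level page matches the saved site.
  if (originOf(frameUrl) !== saved) {
    return { fill: false, reason: "cross-origin frame" };
  }
  if (isHiddenField(field)) {
    return { fill: false, reason: "field is not visible to the user" };
  }
  return { fill: true, reason: "ok" };
}

// Constructed sample cases: the login form the user sees, a field inside an
// injected frame from another origin, and a hidden same-origin field.
const SAVED_URL = "https://shop.example/login"; // constructed, not a real site
const visibleField = { type: "password", display: "block", width: 200, height: 24 };
const hiddenField = { type: "password", display: "none", width: 200, height: 24 };
const visibleLogin = { field: visibleField, frameUrl: SAVED_URL, topUrl: SAVED_URL, savedUrl: SAVED_URL };
const injectedFrame = { field: visibleField, frameUrl: "https://ads.example.net/f.html", topUrl: SAVED_URL, savedUrl: SAVED_URL };
const hiddenSameOrigin = { field: hiddenField, frameUrl: SAVED_URL, topUrl: SAVED_URL, savedUrl: SAVED_URL };

console.log(autofillDecision(visibleLogin), autofillDecision(injectedFrame), autofillDecision(hiddenSameOrigin));
```

Only the first case is filled; the other two are the shapes the question describes, refused for the frame origin and for field visibility respectively.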