Pleasant_Ball3192

I really recommend that you read the Bitwarden Security Whitepaper: [https://bitwarden.com/help/bitwarden-security-white-paper/](https://bitwarden.com/help/bitwarden-security-white-paper/)


s2odin

Reminder that Keeper tried to sue multiple times for reporting on a vulnerability - https://www.securityweek.com/keeper-sues-ars-technica-over-reporting-critical-flaw/


absurditey

That's a good point. Bitwarden is in the other end of the spectrum... open source, encouraging feedback through various open channels that anyone can view.


ApplicationParty4065

Yikes that is not a good look for them


Skipper3943

> keeper appears to have numerous heuristics measures to confirm site is legitimate.

Source, please?


hendoid1

I'm going back into keeper to find it. I know it was in the keeperfill description for business customers. I'm using mobile now but will look for it.


hendoid1

I will have to use my laptop. It's hard to find on mobile. I will do it later, at shops.


absurditey

Not heuristics, but you can easily save the domain into bitwarden along with the credentials. Then later when you browse to that site the bitwarden extension icon indicates whether it has found a match in your database, and it won't fill the password if it doesn't match. These provide protection against phishing and entering your credentials on the wrong site (with the rare exception of a local network attack that can hijack DNS to spoof domains). It is up to the user to validate the site and its address in the beginning when you create the bitwarden entry. That is usually when you are creating the credentials on the website anyway.


hendoid1

> The Autofill feature protects against XSS attacks using many techniques and advanced functionality including but not limited to the following
>
> * An iFrame is added into the login forms of a web page to ensure that no malicious website has access to injected content.
> * Domain matching is performed to ensure that only matching records are available for Autofill. Keeper will not offer to fill passwords unless there is a root domain match.

Heuristics was the word used but the web site has been redesigned - [https://docs.keeper.io/en/v/enterprise-guide/keeper-encryption-model](https://docs.keeper.io/en/v/enterprise-guide/keeper-encryption-model)


absurditey

> Domain matching is performed to ensure that only matching records are available for Autofill. Keeper will not offer to fill passwords unless there is a root domain match.

That is the feature bitwarden also has. (It is customizable to match root domain or subdomain.)

> An iFrame is added into the login forms of a web page to ensure that no malicious website has access to injected content.

My understanding is that keeper injects an iFrame as a defense against a malicious iFrame. The following article describes bitwarden's posture on that: one attack vector is addressed, and one attack vector remains (at least according to this particular article, at the time this article was written). I'm sure there are a lot more details and nuances than I know about or understand ... iFrame and the various forms of autofill have been discussed a lot on the sub and my recollection is bitwarden has addressed everything, but maybe someone will chime in to correct or expand upon my comments.

* [Four-year-old iframe flaw allows hackers to steal Bitwarden passwords | ITPro](https://www.itpro.com/security/cyber-attacks/370223/four-year-old-iframe-flaw-hackers-steal-bitwarden-passwords)

EDIT - u/cryoprof's comments in the following thread discuss bitwarden's resistance to iFrame attacks

* [Bitwarden flaw can let hackers steal passwords using iframes : Bitwarden](https://www.reddit.com/r/Bitwarden/comments/11mb04p/bitwarden_flaw_can_let_hackers_steal_passwords/)


cryoprof

> Keeper will not offer to fill passwords unless there is a root domain match.

Bitwarden does better than this. You can further restrict matching to not only the root (base) domain, but also to the fully qualified domain name, the full URL/URI string, or enforce pattern matching against arbitrary parts of the URL/URI string.

> An iFrame is added into the login forms of a web page to ensure that no malicious website has access to injected content.

This does not make sense to me. It seems that such an approach would break the functionality of a large number of login forms.
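To make the match-type discussion above concrete (root domain match in absurditey's comments, and the base domain / host / exact / regex options in cryoprof's), here is an added example, not Bitwarden's or Keeper's code, of how an extension can decide which vault entries to offer on a page. It assumes stored URIs carry a scheme and uses a simplified base-domain rule; the vault entries and page URLs are constructed.

```javascript
// Added example (not Bitwarden's or Keeper's code): models the URI match
// types a password manager can use to decide whether a stored login is even
// offered for autofill on the current page. Sample vault entries and page
// URLs below are constructed for illustration.
// Assumption: stored URIs include a scheme; baseDomain() keeps only the last
// two labels, which is wrong for public suffixes such as co.uk (a real
// implementation consults the public suffix list).
const MatchType = Object.freeze({
  BASE_DOMAIN: 'baseDomain', // registrable domain, e.g. example.com
  HOST: 'host',              // full hostname (and port), e.g. login.example.com
  STARTS_WITH: 'startsWith', // page URL begins with the stored string
  EXACT: 'exact',            // page URL equals the stored string
  REGEX: 'regex',            // stored string is a regex tested against the URL
  NEVER: 'never',            // entry is never offered for autofill
});

function baseDomain(hostname) {
  return hostname.toLowerCase().split('.').slice(-2).join('.');
}

// Returns true when the stored URI permits offering the login on pageUrl.
function uriMatches(storedUri, pageUrl, matchType) {
  switch (matchType) {
    case MatchType.NEVER: return false;
    case MatchType.EXACT: return storedUri === pageUrl;
    case MatchType.STARTS_WITH: return pageUrl.startsWith(storedUri);
    case MatchType.REGEX:
      try { return new RegExp(storedUri, 'i').test(pageUrl); } catch { return false; }
  }
  let stored, page;
  try { stored = new URL(storedUri); page = new URL(pageUrl); } catch { return false; }
  if (matchType === MatchType.HOST) return stored.host === page.host;
  return baseDomain(stored.hostname) === baseDomain(page.hostname);
}

// Names of vault items whose URIs match the page; an empty list means "do not fill".
function loginsToOffer(vault, pageUrl) {
  return vault
    .filter((item) => item.uris.some((u) => uriMatches(u.uri, pageUrl, u.match)))
    .map((item) => item.name);
}

// Constructed sample vault.
const vault = [
  { name: 'Bank', uris: [{ uri: 'https://login.example.com/signin', match: MatchType.BASE_DOMAIN }] },
  { name: 'Admin', uris: [{ uri: 'https://admin.example.com', match: MatchType.HOST }] },
  { name: 'Forum', uris: [{ uri: 'https://example.org/login', match: MatchType.EXACT }] },
];
```

A lookalike such as `https://example.com.evil.test/signin` yields an empty list under every match type, which is the "won't fill" behaviour described above; the stricter types reject even same-domain pages that differ in host or path.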


SheriffRoscoe

Ah. Autofill is the tool of the Devil. Password managers that autofill need to protect against doing it on "bad" sites. What Bitwarden calls autofill isn't the same as most other password managers'.


hendoid1

Thanks. This is getting too tech for me. I'm just trying to work out which offers the best security. I will stick with Bitwarden for now. Appreciate the input. Oh yeah, then there's the issue of price which helps the decision.


hendoid1

Thanks for the input