Bitwarden Brave Extension Captcha Fail


rfrazier

Sep 30, 2020
I am new to Bitwarden. I came over from Lastpass because I was having problems with it. I’ve imported my password database. I’m on the free plan. Unfortunately, I’m already instantly having problems. I can login fine with the Firefox extension. I can login fine on the website. But, I cannot login with the Brave extension. The captcha never appears and the extension just hangs up. I agree with what I’ve read elsewhere that putting a captcha on my password vault, without asking me, is a horrible idea. My master password is adequate to prevent credential stuffing. And, I can always add 2fa if I want more protection. If anyone can tell me how to get the Brave extension working, all suggestions are welcome. Based on other reading, I'm not the only one having problems with this. Has anyone else seen anything? Thanks in advance.

May your bits be stable and your interfaces be fast. :cool: Ron
 
@PHolder Interesting suggestion. I've posted the same message on the Bitwarden forum but so far no replies. On Brave, I have the shield settings set to block fingerprinting (strict), block cross site cookies, block trackers and ads (aggressive), and block all javascript I don't approve. I also have Privacy Badger, Ublock Origin, and Ublock Origin Extra. Could be something in there clogging up the works. But, what's funny is that I have Firefox set the same way, although some settings have different names. But, the extension works there, including the captcha. The world of computers certainly gets strange at times.

May your bits be stable and your interfaces be fast. :cool: Ron
 
> I have the shield settings set to block fingerprinting (strict), block cross site cookies, block trackers and ads (aggressive), and block all javascript I don't approve.

I did a test with a portable install of Brave 1.34.80 with BitWarden 1.57.0 to see if I could replicate your results.

I added no extensions other than BitWarden, and in Brave Shields set fingerprinting=strict, tracker blocking=aggressive, cookie blocking=cross site, and script blocking=on. Tried to login to BitWarden and got no captcha, just like you said.

Changed script blocking=off, restarted Brave, tried BitWarden, and the captcha appeared. Repeated tests with script blocking alternating off/on, and the captcha either showed/didn't show, corresponding to the script blocking setting. Also tried changing fingerprinting, tracking, and cookie settings to no effect, so it seems script blocking alone determines whether the captcha shows.

I noted that once I passed the captcha test and successfully logged in to BitWarden, I could turn script blocking back on and BitWarden still worked fine (since it didn't need the captcha test on subsequent logins). So it looks like that's the workaround: temporarily turn script blocking off, log in to BitWarden, then you can turn script blocking back on.

Also noted BitWarden auto-fill did not work with script blocking turned on, although I could still cut-and-paste from the BitWarden vault into a webpage's user/password fields if I needed to. Nevertheless, most webpages were virtually useless with script blocking turned on anyway, so I don't see much use for the BitWarden extension with script blocking turned on.
 
@dg1261 Thanks for that research and intel. That's fascinating, as Spock would say. Just to clarify, I have all scripts blocked by default in the Brave site settings. On sites I trust, like GRC, I'll click the Brave lion in the toolbar and unblock scripts for that site. That does not, of course, unblock scripts for other sites that the one I'm on may pull in. The noscript interface over on Firefox is a bit more flexible, and lets me, for example, temporarily trust all the sites that Firefox is pulling into a web page. I wonder what scripts are being blocked, because I went into settings and approved hcaptcha.com, which seems to be where they're getting the captcha.

I really don't like the idea of a captcha between me and my vault. I've been using Lastpass for decades and it's been working. I used to pay (and may do so again) but it's been increasing in price and I let it lapse to the free plan for a while. The other day, I couldn't get in on my tablet at a time when I really needed to and I figured I'd try Bitwarden and ran into these problems. I've also read some random news of Bitwarden having some data integrity problems now and again, but don't know if it's a trend. Since Leo and @Steve had been raving about it, I thought I'd try it. I wonder if I can run both Bitwarden and Lastpass extensions at the same time and use one as a backup. I've already noticed one Lastpass feature that I like better than Bitwarden. I have every record in my vault set to require my master password again to access it. On the Lastpass extension, even if the extension is staying logged into the vault due to activity on the computer, I can set it to ask me for the password for the first site I access and then not do so again for 3 hours (or other time period). I also have a 15 minute inactivity timeout that locks the vault. Bitwarden lets me require the master password again the same way, but doesn't have the don't ask again for 3 hours (or whatever) function as far as I can tell. There were also some people on the forums complaining about lack of response to requests for help for problems and bugs. Hopefully, the people at Bitwarden are collecting enough revenue to run the organization properly. Gonna do more testing. Thanks again.

May your bits be stable and your interfaces be fast. :cool: Ron
 
You are using programs I am not familiar with. "in training"... are you a radiologist? Old and skeptical, I "cut my teeth" on XP. If you understand the "KISS rule", less can be MORE. I use Firefox; they have F Secure, the best security package bar none. Duck Duck Go is my anonymous search engine. UBlock Origin is my only ad blocker. Over the last decade, on my WordPress blog, I posted at least fifteen warnings pertaining to Google, and social media including Facebook, Twitter, and YouTube, (which I satirically call "CensorTube") over privacy and security issues. Many are unaware that Google is the CIA's bastard child!
 
> I use Firefox; they have F Secure, the best security package bar none.

Firefox does not include any system security software. If you have received a security program bundled with your Firefox, then you made a potentially fatal mistake while acquiring it.
 
In their add-on section you can get F Secure. (I had also obtained F Secure free with my internet connection.) F Secure has never caused problems and is real time protection. Thanks for your concern. :)
 
There are some whitelists to allow some sites to bypass your security settings. I had to allow some captcha sites to bypass the settings since these didn't work otherwise.

On the other subject, used to be a 1p user, and was quite happy until they changed storage methods. Can't blame them. Paid for their program once every 2 or 3 years. Their server is probably more secure than my computer, but still hate the idea of sending my passwords all over the internet. Supposedly there is a password on their end (?), and another on mine, besides my password to open the application.

Can't say which is better; 1p, lastpass, bitwarden, or enpass (which I'm currently using as it is local).
 
With F Secure, both from my internet provider, and recently an add-on for Firefox:
I used GRC's “Shields Up” UPnP Exposure Test and here are their results:
Checking the Most Common and Troublesome Internet Ports –

Your system has achieved a perfect “TruStealth” rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests. Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests). From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet. Some questionable personal security systems expose their users by attempting to “counter-probe the prober”, thus revealing themselves. But your system wisely remained silent in every way. Very nice.

Their “Determine the status of your system’s first 1056 ports” obtained the same results.
Otherwise I wouldn't use any password manager, but my own list. It is just me, in my residence.