Bitwarden Brave Extension Captcha Fail


Status
Not open for further replies.

rfrazier

Well-known member
Sep 30, 2020
547
188
I am new to Bitwarden. I came over from Lastpass because I was having problems with it. I’ve imported my password database. I’m on the free plan. Unfortunately, I’m already instantly having problems. I can login fine with the Firefox extension. I can login fine on the website. But, I cannot login with the Brave extension. The captcha never appears and the extension just hangs up. I agree with what I’ve read elsewhere that putting a captcha on my password vault, without asking me, is a horrible idea. My master password is adequate to prevent credential stuffing. And, I can always add 2fa if I want more protection. If anyone can tell me how to get the Brave extension working, all suggestions are welcome. Based on other reading, I'm not the only one having problems with this. Has anyone else seen anything? Thanks in advance.

May your bits be stable and your interfaces be fast. :cool: Ron
 

rfrazier

Well-known member
Sep 30, 2020
547
188
@PHolder Interesting suggestion. I've posted the same message on the Bitwarden forum but so far no replies. On Brave, I have the shield settings set to block fingerprinting (strict), block cross site cookies, block trackers and ads (aggressive), and block all javascript I don't approve. I also have Privacy Badger, Ublock Origin, and Ublock Origin Extra. Could be something in there clogging up the works. But, what's funny is that I have Firefox set the same way, although some settings have different names. But, the extension works there, including the captcha. The world of computers certainly gets strange at times.

May your bits be stable and your interfaces be fast. :cool: Ron
 

dg1261

Member
Oct 22, 2020
16
14
"I have the shield settings set to block fingerprinting (strict), block cross site cookies, block trackers and ads (aggressive), and block all javascript I don't approve."
I did a test with a portable install of Brave 1.34.80 with BitWarden 1.57.0 to see if I could replicate your results.

I added no extensions other than BitWarden, and in Brave Shields set fingerprinting=strict, tracker blocking=aggressive, cookie blocking=cross site, and script blocking=on. Tried to login to BitWarden and got no captcha, just like you said.

Changed script blocking=off, restarted Brave, tried BitWarden, and the captcha appeared. Repeated tests with script blocking alternating off/on, and the captcha either showed/didn't show, corresponding to the script blocking setting. Also tried changing fingerprinting, tracking, and cookie settings to no effect, so it seems script blocking alone determines whether the captcha shows.

I noted that once I passed the captcha test and successfully logged in to BitWarden, I could turn script blocking back on and BitWarden still worked fine (since it didn't need the captcha test on subsequent logins). So it looks like that's the workaround: temporarily turn script blocking off, log in to BitWarden, then you can turn script blocking back on.

Also noted BitWarden auto-fill did not work with script blocking turned on, although I could still cut-and-paste from the BitWarden vault into a webpage's user/password fields if I needed to. Nevertheless, most webpages were virtually useless with script blocking turned on anyway, so I don't see much use for the BitWarden extension with script blocking turned on.
 

rfrazier

Well-known member
Sep 30, 2020
547
188
@dg1261 Thanks for that research and intel. That's fascinating, as Spock would say. Just to clarify, I have all scripts blocked by default in the Brave site settings. On sites I trust, like GRC, I'll click the Brave lion in the toolbar and unblock scripts for that site. That does not, of course, unblock scripts for other sites that the one I'm on may pull in. The noscript interface over on Firefox is a bit more flexible, and lets me, for example, temporarily trust all the sites that Firefox is pulling into a web page. I wonder what scripts are being blocked, because I went into settings and approved hcaptcha.com, which seems to be where they're getting the captcha.

I really don't like the idea of a captcha between me and my vault. I've been using Lastpass for decades and it's been working. I used to pay (and may do so again) but it's been increasing in price and I let it lapse to the free plan for a while. The other day, I couldn't get in on my tablet at a time when I really needed to and I figured I'd try Bitwarden and ran into these problems. I've also read some random news of Bitwarden having some data integrity problems now and again, but don't know if it's a trend. Since Leo and @Steve had been raving about it, I thought I'd try it. I wonder if I can run both Bitwarden and Lastpass extensions at the same time and use one as a backup. I've already noticed one Lastpass feature that I like better than Bitwarden. I have every record in my vault set to require my master password again to access it. On the Lastpass extension, even if the extension is staying logged into the vault due to activity on the computer, I can set it to ask me for the password for the first site I access and then not do so again for 3 hours (or other time period). I also have a 15 minute inactivity timeout that locks the vault. Bitwarden lets me require the master password again the same way, but doesn't have the don't ask again for 3 hours (or whatever) function as far as I can tell. There were also some people on the forums complaining about lack of response to requests for help for problems and bugs. Hopefully, the people at Bitwarden are collecting enough revenue to run the organization properly. Gonna do more testing. Thanks again.

May your bits be stable and your interfaces be fast. :cool: Ron
 
You are using programs I am not familiar with. "in training"... are you a radiologist? Old and skeptical, I "cut my teeth" on XP. If you understand the "KISS rule", less can be MORE. I use Firefox; they have F Secure, the best security package bar none. Duck Duck Go is my anonymous search engine. UBlock Origin is my only ad blocker. Over the last decade, on my WordPress blog, I posted at least fifteen warnings pertaining to Google, and social media including Facebook, Twitter, and YouTube, (which I satirically call "CensorTube") over privacy and security issues. Many are unaware that Google is the CIA's bastard child!
 

PHolder

Well-known member
Sep 16, 2020
1,063
2
472
Ontario, Canada
"I use Firefox; they have F Secure, the best security package bar none."
Firefox does not include any system security software. If you have received a security program bundled with your Firefox, then you made a potentially fatal mistake while acquiring it.
 
In their add-on section you can get F Secure. (I had also obtained F Secure free with my internet connection.) F Secure has never caused problems and is real time protection. Thanks for your concern. :)
 

a viewer

Well-known member
Sep 30, 2020
65
16
There are some whitelists to allow some sites to bypass your security settings. I had to allow some captcha sites to bypass the settings since these didn't work otherwise.

On the other subject, used to be a 1p user, and was quite happy until they changed storage methods. Can't blame them. Paid for their program once every 2 or 3 years. Their server is probably more secure than my computer, but still hate the idea of sending my passwords all over the internet. Supposedly there is a password on their end (?), and another on mine, besides my password to open the application.

Can't say which is better; 1p, lastpass, bitwarden, or enpass (which I'm currently using as it is local).
 
With F Secure, both from my internet provider, and recently an add-on for Firefox:
I used GRC's “Shields Up” UPnP Exposure Test and here are their results:
Checking the Most Common and Troublesome Internet Ports –

Your system has achieved a perfect “TruStealth” rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests. Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests). From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet. Some questionable personal security systems expose their users by attempting to “counter-probe the prober”, thus revealing themselves. But your system wisely remained silent in every way. Very nice.

Their “Determine the status of your system’s first 1056 ports” obtained the same results.
Otherwise I wouldn't use any password manager, but my own list. It is just me, in my residence.
 