lmrdaddy

Everything posted by lmrdaddy

  1. I hope it's okay to barge in, I just found out about this workflow: Everyone using this WF should be aware that it's based on "bw serve", which is not suited for a multi-user machine. This is not a problem of the workflow itself but rather a problem of the BW CLI it uses, which allows full access to a BW account via its HTTP API without asking for any authorization whatsoever once the server is started. Yes, it's only accessible from the local machine, so it might be OK if you're willing to accept the risk (I don't, because you're still exposing your secrets to everything that somehow manages to talk to localhost) if you're the only user using that machine, but if not, you should be aware of that. Again, this is not a problem of the workflow, but still, I can't believe this API even exists.
  2. It is (in my opinion) still way better than not using password management at all. I am not really in a position to judge that. The GitHub issue is more than 4 years old, so I hope they learned something since then. Personally, I am using the Firefox extension without having investigated any closer; I'm trusting (perhaps wrongly so) that a security company does at least a few things right.
  3. I guess they were referring to So storing both the encrypted data and the en-/decryption key in the same unprotected storage ("plainly on disk") is indeed a horrible idea. Storing it in a place that is potentially vulnerable to direct access via malicious websites in case the browser itself is attackable via a browser vulnerability is another issue. The latter is the reason why it is generally not the best idea to use a browser's own password management feature.