Are Custom Fields a secure place to store notes?

I’m trying to understand how “Custom Fields” are used by Bitwarden. If they can autofill when their field name matches a field on the website URL then isn’t it possible that you could find yourself in a situation where a regex or basename matching URL would cause Bitwarden to expose confidential information from the Custom Fields? I’m thinking of a case where I have created a custom field that I don’t plan to ever auto-fill but just to hold some info. If there happens to be a field on a page matching the name I chose then my data is going to be posted to the site.

Hello @SteveH1057 - welcome to the forum!

You are correct that if your custom field name matches a field on a form, there is a chance that Bitwarden could attempt to autofill it on a web page you have loaded. But here are two suggestions to avoid this:

  1. Turn off the auto-fill capability for that login item in Bitwarden. If that is not practical, then:

  2. Make the name of the custom field something that will never be encountered on a web page - for example, you could use the password generator to create a long (e.g., 48 character) random string and paste that in as the name.
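An added example, not part of the original posts and not Bitwarden's own code: a simplified model of the name collision discussed above, plus the random-name mitigation from suggestion 2. The matched attributes, the case-insensitive comparison, and the sample item and page inputs are assumptions constructed for illustration.

```python
import secrets
import string

# Constructed sample: attributes of the inputs on a hypothetical page.
PAGE_INPUTS = [
    {"id": "user", "name": "username", "placeholder": "Email"},
    {"id": "pin", "name": "pin", "aria-label": "Security PIN"},
    {"id": "c1", "name": "comment", "placeholder": "Notes"},
]

# Constructed sample vault item with custom fields (values are dummies).
ITEM = {"name": "Example Bank", "fields": [
    {"name": "Notes", "value": "dummy-recovery-hint"},
    {"name": "PIN", "value": "0000"},
    {"name": "acct-opened", "value": "2019"},
]}

# Assumption: the attributes an autofill routine compares names against.
MATCH_ATTRS = ("id", "name", "aria-label", "placeholder")


def _norm(text):
    return text.strip().lower()


def colliding_fields(item, page_inputs):
    """Return (custom field name, matched attribute, input id) tuples."""
    hits = []
    for field in item.get("fields", []):
        wanted = _norm(field["name"])
        for inp in page_inputs:
            for attr in MATCH_ATTRS:
                if attr in inp and _norm(inp[attr]) == wanted:
                    hits.append((field["name"], attr, inp.get("id", "")))
    return hits


def random_field_name(length=48):
    """Name that is very unlikely to appear as a form attribute."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def rename_colliding(item, page_inputs):
    """Copy of item in which every colliding field gets a random name."""
    bad = {name for name, _, _ in colliding_fields(item, page_inputs)}
    fields = [dict(f, name=random_field_name()) if f["name"] in bad else dict(f)
              for f in item["fields"]]
    return dict(item, fields=fields)
```
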

Thanks @dh024
That’s exactly what I thought might happen. I know it’s unlikely but seems like there should be something in the help docs describing when you might want to use a Note rather than a Custom Field to store sensitive data.

Gotcha. And that’s the great thing about Bitwarden - if you would like to see a change in the docs, they are very open to suggestions from the community.

At the bottom of the help page for Custom Fields (or any help page, for that matter), you can click on the button that says Make a Suggestion to this Article and upload your suggested amendment. I think your idea would be a great addition!