Would it be possible to implement a feature where Bitwarden captures the security questions and the answers on pages at signup?
Feature name
- Security questions tracking
Feature function
- Generate, store, and autofill "security question" answers per site.
- Generated answers should be both length and language configurable: e.g., N English words that are minimally M letters long.
- Flag re-used "security question" answers across sites.
Related topics + references
No citations, but my understanding is that "security questions" are basically bad passwords: if actual answers are used, they can be researched; if false answers are generated, it's the "unique password per site" problem all over again.
Isn't security questions' main purpose to authenticate yourself when you forget your password, for example? I have never seen a website where it would constantly ask you for it. Considering that you are using a password manager, you won't forget your randomly generated passwords.
I guess I see your point here. You want to generate unique answers so that they can't be guessed, right? Let me make a suggestion: using the Bitwarden password generator, I just generated 2 answers for you:
- 2$V7x&8!ri!24z6$kqT9
- reliably-overbill-brigade-oblivious-radiator
You can write notes on each item in your vault, just write them there. Since they will be saved, there is no need for you to remember them, therefore there is even no need for it to be a passphrase; 2$V7x&8!ri!24z6$kqT9 will do a perfect job…
Edit: just realized something and actually giggled a little:
What was the name of your first dog?
Answer: 2$V7x&8!ri!24z6$kqT9
I'm more thinking from a risk assessment standpoint than a functionality standpoint. I've seen "security questions" used as a backdoor form of authentication for (1) (as you mention) when you've forgotten your password, or (2) phone conversations, typically with banks via the phone. In this case, a string of words is much more useful than the example you mention in your edit.
I guess I see your point here. You want to generate unique answers so that they can't be guessed, right?
No; I want unique answers so if they're stolen from site #1, they cannot be used at other sites. If the answer to "What was the name of your first dog?" is "2$V7x&8!ri!24z6$kqT9" at 100+ sites, then I've got a problem.
And because I'm generating unique answers per site, then I need an easy way to store them, and to have them automatically filled out in forms if it's required, and to also audit "hey, you haven't filled out your 'security question' fields - do you need to update them?" and similar risks.
So what I want is functionality that makes it as easy to generate, store, fill, and audit "security question" answers as it is for passwords. Nobody would take seriously a modern password manager where you had to (say) open an app and tap 3 levels in to copy your password instead of having a browser extension just fill it in for you; likewise, I am hoping that "security question" functionality can be pushed to a similar level of ease.
Yes, I understood you perfectly. This is what I meant by "unique", but didn't really specify. Sorry for the misunderstanding, my bad.
I agree with everything you say, but there is something else: without doing any kind of research, I honestly thought that this form of authentication is dying. I mean it's pretty obvious that it's just bad. There are only so many questions that can be asked, and people are often answering honestly, which is bad. If instead the answers are made up, they become like 2nd passwords and are often forgotten (also, people are already bad enough at making good passwords). I didn't think someone would want a feature like that, considering all the alternatives:
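As an added example (not Bitwarden's code and not posted by anyone in this thread), here is a Python sketch of the two pieces the request asks for: generating an N-word answer where every word is at least M letters long, and auditing a vault export for answers reused across sites or never filled in. It assumes a small constructed word list (a real list has thousands of entries), a constructed export whose only relevant shape is "items with a name and a list of custom fields" (the real Bitwarden JSON export has more keys and is not reproduced), and the labelling convention that a custom field whose label starts with "SQ:" holds a security-question answer. All three are assumptions for illustration.

```python
"""Added example: per-site security-question answers, generated and audited.
Not Bitwarden code. Assumes a constructed word list, a constructed export shape,
and the convention that custom fields labelled "SQ: <question>" hold the answers."""
import json
import math
import secrets
from collections import defaultdict

# Constructed stand-in for a diceware-style word list; a real list has thousands of entries.
WORDLIST = [
    "reliably", "overbill", "brigade", "oblivious", "radiator", "cat", "dog", "oak",
    "lantern", "compass", "meadow", "violet", "granite", "harbor", "pebble", "tundra",
    "fig", "yak", "elm", "saffron", "quilt", "orbit", "zephyr", "walrus",
]


def candidate_words(min_len, wordlist=WORDLIST):
    """Words of at least min_len letters (the "M letters long" knob from the request)."""
    return [w for w in wordlist if len(w) >= min_len]


def generate_answer(n_words, min_len, wordlist=WORDLIST, sep="-", choose=secrets.choice):
    """Return n_words random words joined by sep, each at least min_len letters.
    `choose` is injectable so tests can be deterministic; the default is a CSPRNG choice."""
    pool = candidate_words(min_len, wordlist)
    if n_words < 1 or not pool:
        raise ValueError("need at least one word and a non-empty candidate pool")
    # Words are drawn with replacement, so entropy is exactly n_words * log2(len(pool)).
    return sep.join(choose(pool) for _ in range(n_words))


def entropy_bits(n_words, min_len, wordlist=WORDLIST):
    """Entropy of generate_answer's output in bits, for comparing N/M settings."""
    return n_words * math.log2(len(candidate_words(min_len, wordlist)))


# Constructed vault export (assumed shape only, not the real export schema).
SAMPLE_EXPORT = json.dumps({"items": [
    {"name": "bank.example", "fields": [
        {"name": "SQ: first dog", "value": "lantern-compass-meadow"},
        {"name": "SQ: birth city", "value": "granite-harbor-pebble"}]},
    {"name": "shop.example", "fields": [
        {"name": "SQ: first dog", "value": "lantern-compass-meadow"}]},
    {"name": "mail.example", "fields": [
        {"name": "SQ: mother's maiden name", "value": "violet-orbit-zephyr"},
        {"name": "PIN", "value": "1234"}]},
    {"name": "forum.example", "fields": []},
]})


def security_question_fields(item):
    """Custom fields holding security-question answers, by the assumed "SQ:" label convention."""
    return [f for f in item.get("fields", []) if f.get("name", "").upper().startswith("SQ:")]


def find_reused_answers(export_json):
    """Map each answer that appears on more than one site to the sorted list of those sites."""
    by_answer = defaultdict(set)
    for item in json.loads(export_json)["items"]:
        for f in security_question_fields(item):
            by_answer[f["value"]].add(item["name"])
    return {ans: sorted(sites) for ans, sites in by_answer.items() if len(sites) > 1}


def find_missing_answers(export_json):
    """Sites with no recorded security-question answers (the "have you filled these out?" audit)."""
    return sorted(item["name"] for item in json.loads(export_json)["items"]
                  if not security_question_fields(item))


if __name__ == "__main__":
    print("new answer:", generate_answer(4, 5))
    print("bits:", round(entropy_bits(4, 5), 1))
    print("reused:", find_reused_answers(SAMPLE_EXPORT))
    print("missing:", find_missing_answers(SAMPLE_EXPORT))
```

The generator draws from `secrets`, not `random`, because the answer is a credential; the entropy helper makes the trade-off between word count and minimum word length visible (raising the minimum length shrinks the pool and so lowers bits per word). The audit treats the answer string itself as the key, so the same answer reused under two different questions on two sites is still flagged.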
- e-mailing you some kind of link/code
- sending a message to your phone with a code (or even calling)
- other 2FA, including authenticator app, physical key, fingerprint, etc
With phone conversations, security questions are indeed the most viable, but how often does that happen? On how many sites do you use this method? Why do you prefer it? I am just trying to make some logical conclusions and understand your point of view. You are welcome to correct me.
Well, now we're in anecdata, so grab your favorite salt shaker.
I find itâs fairly common as a password recovery method, and my bank uses it for phone authentication.
I agree that "security questions" should be phased out for the solutions you mention, but I am pessimistic that'll happen in the next 10 years. There's too much security theatre associated with it. That said, I'm not a security researcher, so I don't have any data to back up this impression.
Bitwarden will generate 3+ random words in the Password Generator. You can use it to generate suitable answers to such ridiculous questions and store them in Bitwarden.
Yes! I was planning on using that feature.
My hope is to have that more smoothly integrated into the UX, but I realize it's hard to detect what's a security question field.
I have only come across these ridiculous "security" questions when using primitive forms of communication like telephones. The ridiculous questions and answers can live in the notes area of an entry.
I get that we all want to "solve" people problems by suggesting workarounds, but that is not the real purpose of a feature request. I see this type of response all the friggin time in this forum and it's not helpful; it just shuts down the requester. The request is not outrageous, it has good utility, you may just not personally see it as very interesting (though you would probably use it if it was there, because adding multiple note entries after going to a separate part of the UI to generate responses would be f'ing dumb).
I also would like to be able to add an arbitrary number of security question fields to entries and generate custom responses. Maybe, since identifying which entry goes with a given prompt is hard, instead of trying to autofill answers there could be an easy-to-access list of questions (an additional icon in the main UI for URIs that have them defined) that, when clicked on, copies the answer to the clipboard for manual pasting. These are sometimes needed because sites are not perfect and can get out of sync or have bugs. If they decide you are locked out (bug, your accident, or a brute force attempt) you have to have that crap to get a password reset.
Feature name
- Quick recovery question and answer add to notes
Feature function
Many sites now require you to provide X # of recovery questions and answers. If you put in random answers (like you should) then you need a place to document them. The notes section in a login is a great place for it.
I realize it is hard to automatically extract questions/answers from websites since there is no standard markup for this but I have an idea that would work.
In the right-click context menu, if you right-click on a field, BW would have an option to say "copy field/element value" that would copy the value of the field. That would allow you to quickly paste it into the notes.
Or make it a two-step process where they first right-click on the question field and then right-click on the answer field, and BW takes the values of both and inserts them into the notes field.
I agree that support for "security" questions would be useful. However, I suggest storing the answers in custom fields instead of in the notes section, so that the values can be easily copied & pasted.
May I ask, are those custom fields part of the export when doing backups? Thinking about both JSON and CSV exports. I know text in notes is exported, but are custom fields also?
Thanks for the response, and sorry for the basic questions.
Yes, custom fields are included in both CSV and JSON exports. However, in a CSV export, all custom field types are converted to "text" type fields (i.e., if re-importing an exported CSV file, any custom fields that were originally configured to be "hidden", "linked", or "boolean" fields will now all be "text" fields).
I'm okay with that. It might get messy if you use custom fields for other things, but that's okay. That does make me think of another feature idea: being able to group custom fields.
Making your own custom item types is on the roadmap. Let me know if that satisfies this feature request.
@bw-admin can you provide any more information on how that will be implemented? It may or may not address this Feature Request depending on exactly what will be possible to do with the custom templates feature.
I'm guessing that the following workflow (from OP) would still not be available:
Yeah, a place to put the data is one thing.
This FR was to make it easier to copy the value of the secret question fields.
Just a thought.
Custom hidden fields are perfect for any value you need to copy, in my opinion. Each one can have a label too.
Yes, agreed. But that is not what this feature request is for.