Enhanced support for "Security Questions" and Answers (e.g., capturing, generating, autofilling)

Would it be possible to implement a feature where Bitwarden captures the security questions and the answers on pages at signup?

Feature name

  • Security questions tracking

Feature function

  • Generate, store, and autofill “security question” answers per site.
  • Generated answers should be both length and language configurable: e.g., N English words that are minimally M letters long.
  • Flag re-used “security question” answers across sites.

Related topics + references

No citations, but my understanding is that “security questions” are basically bad passwords: if actual answers are used, they can be researched; if false answers are generated, it’s the “unique password per site” problem all over again.

1 Like

Isn’t the main purpose of security questions to authenticate yourself when you forget your password, for example? I have never seen a website where it would constantly ask you for it. Considering that you are using a password manager, you won’t forget your randomly generated passwords.

I guess I see your point here. You want to generate unique answers so that they can’t be guessed, right? Let me make a suggestion: using bitwarden password generator, I just generated 2 answers for you:

  • 2$V7x&8!ri!24z6$kqT9
  • reliably-overbill-brigade-oblivious-radiator

You can write notes to each item in your vault, just write them there. Since they will be saved, there is no need for you to remember them, therefore there is no need for it to even be a passphrase, 2$V7x&8!ri!24z6$kqT9 will do a perfect job…

Edit: just realized something and actually giggled a little:
What was the name of your first dog?
Answer: 2$V7x&8!ri!24z6$kqT9

2 Likes

I’m more thinking from a risk assessment standpoint than a functionality standpoint. I’ve seen “security questions” used as a backdoor form of authentication for 1, (as you mention) when you’ve forgotten your password or 2, phone conversations, typically with banks via the phone. In this case, a string of words is much more useful than the example you mention in your edit.

I guess I see your point here. You want to generate unique answers so that they can’t be guessed, right?

No; I want unique answers so if they’re stolen from site #1, they cannot be used at other sites. If the answer to “What was the name of your first dog?” is “2$V7x&8!ri!24z6$kqT9” at 100+ sites, then I’ve got a problem.

And because I’m generating unique answers per site, then I need an easy way to store them, and to have them automatically filled out in forms if it’s required, and to also audit “hey, you haven’t filled out your ‘security question’ fields - do you need to update them?” and similar risks.


So what I want is functionality that makes it as easy to generate, store, fill, and audit “security question” answers as it is for passwords. Nobody would take seriously a modern password manager where you had to (say) open an app and tap 3 levels in to copy your password instead of having a browser extension just fill it in for you; likewise, I am hoping that “security question” functionality can be pushed to a similar level of ease.

2 Likes
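The generator and audit described in the feature request (N words of at least M letters, unique per site, flag re-used answers and items with no answers filled in) are small enough to sketch. The following is an added example, not Bitwarden code: the wordlist and the vault items are constructed sample data, and the item shape (`name` plus a list of `fields` with `name`/`value`) is only loosely modelled on custom fields in a Bitwarden-style export, not its real structure.

```python
"""Generate per-site security-question answers and audit a vault for reuse.

Added example; not part of Bitwarden. Wordlist and vault are constructed.
"""
import math
import secrets
from collections import defaultdict

# Constructed sample wordlist. A real generator would draw from a large list
# (e.g. a diceware-style list) so that each word carries useful entropy.
WORDLIST = [
    "apple", "brigade", "candle", "dragon", "ember", "falcon", "glacier",
    "harbor", "island", "jigsaw", "kettle", "lantern", "meadow", "nectar",
    "oblivious", "radiator", "saddle", "tundra", "velvet", "walnut",
]


def eligible_words(min_len, wordlist=WORDLIST):
    """Words of at least min_len letters: the 'M letters long' knob."""
    return [w for w in wordlist if len(w) >= min_len]


def generate_answer(num_words, min_len, wordlist=WORDLIST, separator="-", rng=None):
    """Return num_words random words (each >= min_len letters) joined by separator.

    Draws from secrets.SystemRandom by default, i.e. the OS CSPRNG, which is
    what any credential generator should use. rng is injectable for tests.
    """
    pool = eligible_words(min_len, wordlist)
    if len(pool) < 2:
        raise ValueError("wordlist too small for min_len=%d" % min_len)
    rng = rng or secrets.SystemRandom()
    return separator.join(rng.choice(pool) for _ in range(num_words))


def answer_entropy_bits(num_words, min_len, wordlist=WORDLIST):
    """Guessing entropy of a configuration: log2(pool size) per word."""
    return num_words * math.log2(len(eligible_words(min_len, wordlist)))


def normalize(answer):
    """Sites usually compare answers case- and whitespace-insensitively, so
    the audit must too, or 'Rusty' and 'rusty ' would not be seen as reuse."""
    return " ".join(answer.lower().split())


def find_reused_answers(vault):
    """Map every answer used under more than one item to the items using it."""
    items_by_answer = defaultdict(set)
    for item in vault:
        for field in item.get("fields", []):
            items_by_answer[normalize(field["value"])].add(item["name"])
    return {a: sorted(s) for a, s in items_by_answer.items() if len(s) > 1}


def find_items_without_questions(vault):
    """Items with no security-question fields at all (the 'have you filled
    these out?' audit from the request)."""
    return sorted(item["name"] for item in vault if not item.get("fields"))


# Constructed vault: two items share a dog's name, one has nothing stored.
SAMPLE_VAULT = [
    {"name": "bank.example", "fields": [
        {"name": "What was the name of your first dog?", "value": "Rusty"},
        {"name": "Mother's maiden name?", "value": "glacier-walnut-brigade"},
    ]},
    {"name": "shop.example", "fields": [
        {"name": "What was the name of your first dog?", "value": "rusty "},
    ]},
    {"name": "forum.example", "fields": []},
]

if __name__ == "__main__":
    print("new answer:", generate_answer(4, 6))
    print("entropy of 4 words, min 6 letters: %.1f bits" % answer_entropy_bits(4, 6))
    print("reused:", find_reused_answers(SAMPLE_VAULT))
    print("missing:", find_items_without_questions(SAMPLE_VAULT))
```

With the tiny sample wordlist the entropy figure is low (18 eligible words at six letters, about 4.2 bits per word); the point of the function is that the N and M knobs should be chosen against the real wordlist's size, not that these numbers are adequate.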

Yes, I understood you perfectly. This is what I meant by “unique”, but didn’t really specify. Sorry for the misunderstanding, my bad.

I agree with everything you say, but there is something else: Without doing any kind of research, I honestly thought that this form of authentication is dying. I mean it’s pretty obvious that it’s just bad. There are only so many questions that can be asked, and people are often answering honestly, which is bad. If instead the answers are made up, they become like 2nd passwords and are often forgotten (also, people are already bad enough at making good passwords). I didn’t think someone would want a feature like that, considering all the alternatives:

  • e-mailing you some kind of link/code
  • sending a message to your phone with a code (or even calling)
  • other 2FA, including authenticator app, physical key, fingerprint, etc

With phone conversations, a security question is indeed the most viable, but how often does that happen? On how many sites do you use this method? Why do you prefer it? I am just trying to make some logical conclusions and understand your point of view. You are welcome to correct me.

Well, now we’re in anecdata, so grab your favorite salt shaker. 🙂

I find it’s fairly common as a password recovery method, and my bank uses it for phone authentication.

I agree that “security questions” should be phased out for the solutions you mention, but I am pessimistic that’ll happen in the next 10 years. There’s too much security theatre associated with it. That said, I’m not a security researcher, so I don’t have any data to back up this impression.

Bitwarden will generate 3+ random words in the Password Generator. You can use it to generate suitable answers to such ridiculous questions and store them in Bitwarden.

1 Like

Yes! I was planning on using that feature.
My hope is to have that more smoothly integrated into the UX, but I realize it’s hard to detect what’s a security question field.

1 Like

I have only come across these ridiculous “security” questions when using primitive forms of communication like telephones. The ridiculous questions and answers can live in the notes area of an entry.

I get that we all want to “solve” people problems by suggesting workarounds, but that is not the real purpose of a feature request. I see this type of response all the friggin time in this forum, and it’s not helpful; it just shuts down the requester. The request is not outrageous, it has good utility, you may just not personally see it as very interesting (though you would probably use it if it was there, because adding multiple note entries after going to a separate part of the UI to generate responses would be f’ing dumb).

I also would like to be able to add an arbitrary number of security question fields to entries and generate custom responses. Maybe, since identifying which entry goes with a given prompt is hard, instead of trying to autofill answers there could be an easy-to-access list of questions (an additional icon in the main UI for URIs that have them defined) that, when clicked on, copies the answer to the clipboard for manual pasting. These are sometimes needed because sites are not perfect and can get out of sync or have bugs. If they decide you are locked out (bug, your accident, or a brute force attempt) you have to have that crap to get a password reset.

Feature name

  • Quick recovery question and answer add to notes

Feature function

Many sites now require you to provide X # of recovery questions and answers. If you put random answers (like you should) then you need a place to document it. The notes section in a login is a great place for it.

I realize it is hard to automatically extract questions/answers from websites since there is no standard markup for this but I have an idea that would work.

In the right click context menu, if you right click on a field, BW would have an option to say “copy field/element value” that would copy the value of the field. That would allow you to quickly paste it into the notes.

Or make it a two step process where they first right click on the question field and then right click on the answer field and BW takes the values of both and inserts it into the notes field.

I agree that support for “security” questions would be useful. However, I suggest storing the answers in custom fields instead of in the notes section, so that the values can be easily copied & pasted.

2 Likes

May I ask, are those custom fields part of the export when doing backups? Thinking about both JSON and CSV exports. I know text in notes is exported, but are custom fields also?

Thanks for the response, and sorry for the basic questions.

Yes, custom fields are included in both CSV and JSON exports. However, in a CSV export, all custom field types are converted to “text” type fields (i.e., if re-importing an exported CSV file, any custom fields that were originally configured to be “hidden”, “linked”, or “boolean” fields will now all be “text” fields).

1 Like

I’m okay with that. It might get messy if you use custom fields for other things but that’s okay. That does make me think of another feature idea: being able to group custom fields.

Making your own custom item types is on the roadmap 👍 Let me know if that satisfies this feature request.

@bw-admin can you provide any more information on how that will be implemented? It may or may not address this Feature Request depending on exactly what will be possible to do with the custom templates feature.

I’m guessing that the following workflow (from OP) would still not be available:

Yeah, a place to put the data is one thing.

This FR was to make it easier to copy the value of the secret question fields.

Just a thought.

Custom hidden fields are perfect for any value you need to copy, in my opinion. Each one can have a label too.

Yes, agreed. But that is not what this feature request is for.