Master password re-prompt on Secure Notes should hide content

At the moment, all “Master password re-prompt” does for Secure Notes is ask me for a password when I want to edit it. Since there is no password, this feature doesn’t actually protect any content.

I propose making this feature actually lock the note text itself. (Yes, I understand that this is a UI protection rather than an extra layer of crypto, but this would protect me against an attacker who happens upon my desk while I’m answering the door).

The “Master password re-prompt” feature should lock different item types differently:

  • Logins: passwords
  • Cards: numbers and security codes
  • Identities: license number, passport number, social security number
  • Secure Note: notes (maybe show the size when locked?)

This is related to Master password re-prompt on specified sub-fields, which would allow locking specific fields. That would be as simple as adding a lock icon by every item when in edit mode, respecting the defaults as outlined above. If you implement that feature, I’d suggest that custom items in Secure Notes should default to being locked when the note is locked. This isn’t part of my standalone request because it can’t be changed without this linked request.

Yes, 100% we need this. I was confused because I could still see my secure notes without the master password reprompt. Makes the feature completely useless.

2 Likes

I would really like this feature. Honestly, I thought it was a bug how it works now. The secure note can be easily read even with the re-prompt.

2 Likes

I hit this in the desktop app for Linux:

Version 1.29.1
Shell 14.2.0
Renderer 93.0.4577.82
Node 14.17.0
Architecture x64

Interestingly, this seems to work as intended in the web app.

1 Like

I was also very confused, completely agree with the others.

The note part on a secure note should act the same as a password on a login item (imho). It should be hidden by default, with a button to make it visible. When selecting the master password prompt option it should show only after entering your password. Again, just like a login item.

1 Like

Completely agree, this feature is broken. The point of a password reprompt should be to prevent data disclosure, not to prevent content modification!

1 Like

So as a workaround for this, Secure Notes also supports hidden Custom Fields. With master password re-prompt enabled on the secure note, the note name, notes, and custom field name are all searchable, but for obvious reasons the hidden field data is not searchable. To view the hidden field data you are re-prompted for the master password as intended.

This comes with the drawback that currently custom fields are limited to 5000 characters, whereas notes support up to a max 10,000 character limit after encryption.
Of course anything larger can also use file attachments with a premium subscription which will also require master password re-prompt for those selected secure notes.

Another good option here would be to simply have the ability to hide a notes section either per entry as, or with master password re-prompt, or possibly a global setting if chosen, as Notes section is available for all item types currently with Notes, logins, cards, and identities.

Feature name

The notes that are secured with master password re-prompt or protected with a separate password / 2-step auth. Before that it is hidden and not accessible even if the vault is open with the master password.

Feature function

  • What will this feature do differently?
    Currently, when the vault is open, all secure notes such as recovery phrases etc. are available to be copied, but it is compromising security as it is very sensitive information and it should not be in the open even if we opened the vault to copy some website password.

  • What benefits will this feature bring?
    It will allow us to store recovery phrases on the Bitwarden app.

1 Like

Feature name

  • Default hidden fields

Feature function

  • The requested feature is to change default settings for Secure Notes in such a way that the Note has hidden fields during the process of creation, instead of Plain Text unprotected fields for both NOTES and CUSTOM FIELDS.
  • This will allow us to bring meaning to Password protection of the Secure Note. Otherwise, regardless of whether the Note is password-protected or not, the content of the Note is still visible.

1 Like

+1
Notes with password prompt should not be visible, even when vault is unlocked

Nice workaround but one of the downsides is that you can’t use lines to format the note. It is basically one long giant line which is pretty annoying. If they have support for custom hidden fields I really don’t see why they don’t prompt for the master password before showing the whole note. It doesn’t make any sense.

Hey everyone, the Master Password Re-prompt functionality is being revamped to cover the whole vault item, rather than just password fields 👍

4 Likes