Whenever a ‘Password’ or ‘hidden custom field’ for a Login item is changed, the older entry is auto-saved in Password History for that item and cannot be manually cleared.
When the Bitwarden session is in an unlocked state, an individual with access can easily view that information and potentially data mine. While this password history feature has its benefits, it also has its flaws that open an unnecessary exposure which should be secured.
Therefore, I request the feature to enable a forced master password re-prompt in order to view the password history details. This should hopefully be a simple task by leveraging the current Master Password re-prompt already in place to turn the feature on and off (i.e. Vault Items | Bitwarden Help Center).
I agree with this. Even on credentials set to prompt master password on sensitive fields, the password history is shown without asking for the password, so anyone could see the information there. The password history should respect the user’s choice of the checkbox for the master password prompt.
Totally agree. All sensitive/hidden entries (not limited to only passwords) under the history should be redacted and require re-entering the master password to view when the master password reprompt option is checked.
Am quite surprised this feature request is not getting more views and votes. Apparently folks seem more interested in new functionality than better, common-sense security improvements. This is a password manager tool; one would think these types of “security” enhancement requests would be more relevant and vital for all users of it.
There are two older feature request topics relevant to your proposal, which have gained more traction. Please let me know if you wish for your feature request (and its votes) to be merged into one of the following:
For the second one of these, please note that the current master password reprompt function applies to “hidden” items (passwords, custom fields of the “hidden” type, etc.), so if the password history is made “hidden” (as requested in that thread), then the master password reprompt would also be expected to be enforced for viewing the password history (as you’re proposing here). If it would help, I could revise the thread title of that second feature request after merging your post.
If my request (i.e. redacting both password and hidden fields in history which requires password reprompt to view) is a duplicate of the 2nd older feature request post you’ve mentioned, then by all means please merge it. Please note - prior to my initial posting, I did try to do a few searches across the category to see if others may have submitted similar requests but didn’t find any. Anyways, thanks for sharing this!