✅ Require master password "re-prompt" for some items

Thanks @tgreer.

I currently use both Bitwarden and LastPass; it's the only feature, at least for me, that LastPass has that I wish existed in Bitwarden. I actually use LastPass more, as I feel safer leaving my computer unattended because LastPass requires the re-prompt.

3 Likes

This is a strongly needed feature.

2 Likes

…and nothing happens since more than two years!

In the meantime, you could do partial passwords.

What goes in your password manager: T5cBKi4iVas8Sx

The real password: T5cBKi4iVas8Sx12345

Leave “12345” out of your password manager and when you log into that site add it to the end. This way you don’t have the real password exposed.

If anything, this is better because a software re-prompt is security by obscurity. Bitwarden decrypts your whole vault when you unlock it so doing a pop-up is not going to keep someone from doing a memory dump and getting your passwords that way. But if you did the partial passwords they would not have the whole password so you would be better off.

@dangostylver So… your idea is to basically have to remember a portion of the password that you then manually enter?

And I guess for security reasons the portion of the password that we need to remember should be unique for every website one logs in to (I mean if for Facebook and PayPal and eBay and Twitter I always just need to add 12345 to the password that’s auto filled by the password manager that’s not really safe right? I need something unique for each individual site - Facebook add 12345, Twitter add 54321, PayPal make it abcde, eBay ABCDE etc).

So… remind me how this is any different from not using a password manager and just going back to having different passwords for everything that we store in our heads? I mean doesn’t it completely defeat the purpose of a password manager, you know, the thing that manages and remembers your password so you don’t have to???

Seems like a huge step back to now have to remember what are - to all intents and purposes - unique passwords for each website again.

The most secure way of not having someone access your passwords is to not have passwords at all to be accessed to begin with, which basically means no online presence at all. For anything.

A balance between security and usability needs to be achieved and that’s the purpose of a password manager. It enables us to have different passwords for everything (as opposed to a single password for everything, which is what most did before password managers) at the cost of a very very small risk of something going horribly wrong. You talk about a memory dump; that implies root access to the machine, and realistically at that point you could also just have a keylogger (which would also work even if you don’t have a password manager).

The main benefit for me for things like password reprompt is so that I can - for example - on my computer at home leave my vault unlocked and still not have to worry about one of the kids buying something from eBay/Amazon/PayPal when I’m not looking because they still need an extra step to access the password! And yeah I know someone will say “just remember to always lock your computer before you leave the desk” or “remember to lock your vault” but when you’ve got 3 kids running around one painting the walls, the other running around without a diaper and the third trying to climb to the roof because he thinks he’s Superman and can fly… locking your damn computer is the last thing on your mind.

Just my two cents.

2 Likes

I wouldn’t do a unique pin for every account, that sounds crazy.

In the context of this discussion we don’t have a master password re-prompt yet and appending a pin or something at the end to the important passwords is a solution that works today.

If anything, it works better because if the password re-prompt is anything like what LastPass does then it’s a software block which is not hard to get around.

At the end of the day, you only need to remember your master password and the pin you put at the end. I would not do this to every account just like how you should not have a password re-prompt for every account either. If you’re going to have a password re-prompt for every account you may as well use the pin option to lock your Bitwarden vault instantly or after a few minutes.

Ultimately, the pin locking feature we already have is what you should use if you want a password re-prompt. It’s the same thing but works better because it locks your whole vault.

@dangostylver My point exactly: how can you talk about increased security when your pin is the same for all items? It basically means that if someone does a memory dump all they need to know is a single pin for all your “secured” items. If anything, it’s as secure.

You throw around phrases like “memory dumps are easy” and “software blocks are not hard to get around”, yet here’s the hard truth: if I have root access to a computer… it doesn’t matter if you have a pin at the end, or use a password manager, or don’t use a password manager, or have 8 char passwords or 68 char passwords - I will find out your password.

As a user… I would rather put my faith on a piece of software that is guaranteed (short of a crash or power outage) to go through a certain routine of tasks - some of them which may be time sensitive - than me as a user, a human being, a flawed and forgetful and imperfect thing.

As a programmer, I would rather put my faith in mechanisms I put in place to protect those exact same flawed users. And I’d do well to remember that not all users are the same: some can write 80 words a minute and it doesn’t matter if you hover over their keyboard as they type their master password/pin/whatever; others write 5 words a minute, and over-the-shoulder password theft is still a thing.

Trust me, it’s far far easier to coerce a user to divulge (willingly or not) their pin than it is to get root access to a computer…

Because the attacker would not know the PIN. Just like how an attacker doesn’t know your master password, but if they did they would have access to everything in your vault.

The pin is not being stored in the password manager, it’s something you know just like your master password. And since Bitwarden doesn’t have the master password re-prompt this is something you can do today.

If someone did come by your unlocked vault and tried to copy the password or log into something, they would not be able to because they don’t know the PIN. Could they figure out the PIN? Maybe, but there is no guarantee they even know you used a PIN, and as far as they see they can’t log in. What is for sure is that they won’t have access right away, which is better than what we have now.

+1 for this as a user thinking of switching from dashlane.

Not a critical feature but one that I use and has value to me.

1 Like

It would be good to know whether this feature is ever coming. It’s starting to feel like one of those things that simply never make it to the top of the implementation list.

2 Likes

It’s on our backlog as a to-do, we are moving along with quite a few tasks 🙂

3 Likes

This is a nice little feature, so hopefully it will be implemented one day soon. Though this one is not a deal breaker for me.

1 Like

I just made the switch from LastPass and I can say that I would definitely use this feature. Still debating whether to clear my vault and revert to LastPass until this feature becomes available.

2 Likes

I’m in the same boat. I feel a bit uneasy that if I forget to lock my computer, someone could easily view my passwords in seconds. Usually, that does not happen, but I would feel safer knowing that a password is required for that.

3 Likes

Functionality like this would be important to me, too.

I don’t feel comfortable right now putting very sensitive & rarely used data (banking PINs, Google main account pw) into Bitwarden because I’m afraid it would lay “bare” whenever I use Bitwarden to log into a website.

By laying “bare” I mean accessible to anyone who gets their hands on my phone/PC while BW is unlocked, for instance.

I’d rather have this feature implemented using an additional, separate password, though, like here: Encrypted Folder within your Vault - #2 by Ablac

This might also be somewhat equivalent to supporting multiple accounts like here: Bitwarden discourages recommending it at work, by not supporting multiple accounts. Please release a separate client installer at least

5 Likes

This is an important issue for me. It’s the only thing stopping me from fully using Bitwarden and moving over from LastPass.

1 Like

+1, just moved over from LastPass and this is a sorely missed feature gap.

2 Likes

This would be useful.

1 Like

This is a feature I’m missing enormously from LastPass. Would love to see this implemented ASAP.

2 Likes