For secure note, this seems like a bug / oversight to be honest. It does not make much sense not to protect the actual freeform text of secure note which is mostly the actual secret.
5 Likes
Thanks for the post @martin_pozor! Itās not a bug, but we understand the request to have further protection. I edited this title just a bit to reflect the request.
3 Likes
Also for āCardā & āSecure Noteā login types.
3 Likes
Agree, you have to have an option to enter a password again to access chosen secure notes as cards and backup login keys.
1 Like
Indeed I have no clue why it still shows content of the secure notes (@tgreer āitās not a bugā).
Btw, it works as intended in the browser āVaultā just not in the Chrome add-on and in the mobile app.
As some others, it urges me to still keep my Lastpass for the time being eagerly waiting a step up from the current āMVPā.
5 Likes
Need it too, I loved this functionnality on Dashlane.
1 Like
What do you mean its not a bug? Its like someone is saying Bitwarden app crashes and then you come in and like hey! its not a bug guys, everything is supposed to work this way! It is a bug.
4 Likes
Would like to see notes and other parts of items protected better as well.
1 Like
Might be overkill, but for now and until we actually have āsecure notesā I do the following with my āsecure notesā:
- Encrypt the text/message via openssl
- Produce base64 encoding of encrypted text/message
- Store base64 text/message in Notes within bitwarden
1 Like
āMaster Password Repromptā (MPR) feature needs revision to improve usability and security:
- Substitute master password re-entry with biometric reauthentication where possible. Major usability improvement.
- Separate, optional, short timeout for reauthentication, include options of 30 seconds, 1 min, 5 mins, 15 mins, 30 mins, 1 hour, 2 hours, 5 hours, etc. Usability improvement.
- Protection of all fields, not just obscured fields. Security improvement.
- Optional: Do not reauthenticate if user has just logged in. Usability improvement over LastPassās implementation.
Rename feature to āReauthenticateā, since it will no longer always reprompt for master password.
Initial implementation of reprompt fulfilled usersā requests, but the above features are necessary to round out the implementation, making it more usable and more secure.
9 Likes
Hi all;
Iām using my bitwarden account to store some important text strings as well and due to importance of this stuff i always check ārequest passwordā box in secure note creation.
Since i want bitwarden to ask for password every time when i want to see a secure note it does ask as expected on browser version but i just noticed that bitwarden browser extension doesnāt ask for main password when i want to a secure note. I wonder why? Is it sth to do with me or bitwarden? If its sth on bitwardens side i belive this is a security issue, some people (like me) leave bitwarden unlocked for some period of time on our browsers and someone with bad intentions might just see our secure notes from our browser extension. But if this is something on my side i would like to know how to handle this. As i said before, bitwarden asks for main password on browser app, but doesnt do that on browser extension.
I also would like to point out that mobile app (which is unlocked with biometrics) doesnt behave like that either. If I unlock my bitwarden on phone and (very unlikely) leave it away for a certain amount of time thats just another security issue for my secure notes.
I would like this feature to be enabled on browser extension and mobile app. Also if thats possible i would like to use a different password then my main account password on secure note unlocking.
Since english is not my native, sorry for bad composition. Thank you.
4 Likes
Under no circumstances should Bitwarden ever display the contents of a login or secure note that is marked to require master password re-prompt before the password is re-entered. If this behavior was intentional, then itās a design flaw uncharacteristic of an otherwise exceptional product. Hiding the contents of logins and secure notes from unauthorized viewing is just as important as protection from editing.
Think of a medium security scenario like home computer with family sharing a house. You donāt want to drive yourself crazy entering the master password every five minutes, so you set timeout to 15 minutes. You carefully set all high-security items such as bank logins to require re-prompt. Who would expect info like account, routing, pin and social security numbers to be visible anyway without having to re-enter the password??? 
Please fix this surprising oversight!
11 Likes
Itās unreal this hasnāt been addressed yet. I was storing answers to secret questions in the Notes of a login, and they are visible without entering my master password. I tried moving the answers to a Secure Note, but that is also completely visible without entering my password. Oh, but requiring my master password stops someone from editing that Secure Note! Sigh. Thatās not the point. This feature needs introduced ASAP. I canāt store sensitive text anywhere in Bitwarden right now. Makes me miss LastPass.
4 Likes
As already mentioned by others in the thread. This feature is one of the most important items. I personally can not fully depend on storing my secrets this way. there are items that are too sensitive to be left out without re-entering the password to view them.
1 Like
This is a vital, vital feature. Cannot believe it was implemented in the completely useless manner that it was. Otherwise fantastic product.
1 Like
Huge +1, any update on this @tgreer ? For GPG keys they can only be stored in the secure note section, and even on enabling password re-prompt the chrome extensions allow viewing it easily (only editing requires an actual password re-prompt on chrome extension, unlike for web vault which mandates password for viewing the password entry as well - which should be the ideal behaviour for chrome extension as well).
1 Like
Hi and welcome, @ashutoshsaboo!
Itās definitely on the radar. Depending on the length of the GPG key, you could store it in a custom field of āhiddenā type, which would require the master password to view/edit. Custom fields can store 5K characters 
1 Like
Thanks @tgreer. The limitation is not about the 5K character limit, if iām not wrong the custom field doesnāt support multi-line entries (with a \n), which is the challenge to storing some of these long keys in hidden fields vs notes. Is adding multi-line support to hidden field values on your roadmap? If you can support that, thatād be really awesome! 
4 Likes
Iād also like a setting to have this feature behave more similar to LastPass: after logging in, have it prompt the master password only when viewing or editing an item (whatever that item may be) but NOT when using the item, meaning it will still autofill the password fields just fine, without prompting for the master password. Iād also like to have this setting be a global one, and not having to edit every single item in my vault (as it contains HUNDREDS of passwords)
Adding the master password re-prompt for the password field is a great feature and I use it all the time. I would also like to see this added for notes. In particular have two different notes sections, one secure and the other regular. Some items saved in notes are not important if someone else sees them but others are. For example OTP account recovery codes would be best saved in āsecure notesā, whereas an order number or a favorite vendor rep might be fine to have in āregular notesā.
This feature would increase the security for āother sensitive informationā stored in a login record that would be considered as important as keeping the password behind an additional layer of security.
2 Likes