For secure notes, this seems like a bug or oversight, to be honest. It does not make much sense not to protect the actual freeform text of a secure note, which is mostly the actual secret.
Thanks for the post @martin_pozor! It’s not a bug, but we understand the request to have further protection. I edited this title just a bit to reflect the request.
Also for “Card” & “Secure Note” login types.
Agree, you have to have an option to enter a password again to access chosen secure notes as cards and backup login keys.
Indeed, I have no clue why it still shows the content of the secure notes (@tgreer: “it’s not a bug”).
Btw, it works as intended in the browser “Vault”, just not in the Chrome add-on or the mobile app.
Like some others, this pushes me to keep my LastPass for the time being, eagerly awaiting a step up from the current “MVP”.
Need it too, I loved this functionality on Dashlane.
What do you mean it’s not a bug? It’s like someone is saying the Bitwarden app crashes and then you come in like, “hey! it’s not a bug, guys, everything is supposed to work this way!” It is a bug.
Would like to see notes and other parts of items protected better as well.
Might be overkill, but for now, and until we actually have “secure notes”, I do the following with my “secure notes”:
- Encrypt the text/message via openssl
- Produce base64 encoding of encrypted text/message
- Store base64 text/message in Notes within bitwarden
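The three steps above as one runnable script. This is an added example, not the poster’s own commands: it uses `openssl enc` with AES-256-CBC, a random salt and a PBKDF2-derived key, reads the passphrase from the environment variable `NOTE_PASS` (an assumed name; `env:` keeps it out of `ps` output, unlike `-pass pass:`), and emits a single-line base64 blob that can be pasted into the note field. The sample note contents are constructed, not real.

```shell
#!/bin/sh
# Added example (not from the original post or from Bitwarden): encrypt a note
# locally before storing it in the vault, and decrypt it again.
# Requires the openssl CLI. The passphrase comes from $NOTE_PASS (env:), so it
# is never an argv string; a demo value is set at the bottom.

# encrypt_note PLAINTEXT -> single-line base64 blob (the "Salted__" format
# openssl uses: magic, 8-byte salt, ciphertext). The iteration count must be
# the same on both sides.
encrypt_note() {
  printf '%s' "$1" | openssl enc -aes-256-cbc -pbkdf2 -iter 600000 -salt \
      -pass env:NOTE_PASS -a -A
}

# decrypt_note BLOB -> plaintext. With a wrong passphrase this exits non-zero
# ("bad decrypt") in almost all cases; CBC has no integrity check, so a
# tampered or wrong-key blob is only caught via the padding, not reliably.
decrypt_note() {
  printf '%s' "$1" | openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 \
      -pass env:NOTE_PASS -a -A
}

# roundtrip_ok PASSPHRASE PLAINTEXT -> 0 when decrypt(encrypt(x)) == x
roundtrip_ok() {
  NOTE_PASS="$1"; export NOTE_PASS
  blob=$(encrypt_note "$2") || return 1
  out=$(decrypt_note "$blob") || return 1
  [ "$out" = "$2" ]
}

# Demo run with constructed values (not real account data).
NOTE_PASS='demo-passphrase-change-me'; export NOTE_PASS
blob=$(encrypt_note 'routing 021000021 / acct 000123456789')
echo "paste into the Bitwarden note: $blob"
echo "decrypted again: $(decrypt_note "$blob")"
```

Two caveats a practitioner would want: the scheme only adds protection if the passphrase is not itself kept in the same vault that is sitting unlocked, and `openssl enc` offers no authenticated mode, so this gives confidentiality of the note text but does not detect a blob that has been modified.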
“Master Password Reprompt” (MPR) feature needs revision to improve usability and security:
- Substitute master password re-entry with biometric reauthentication where possible. Major usability improvement.
- Separate, optional, short timeout for reauthentication, include options of 30 seconds, 1 min, 5 mins, 15 mins, 30 mins, 1 hour, 2 hours, 5 hours, etc. Usability improvement.
- Protection of all fields, not just obscured fields. Security improvement.
- Optional: Do not reauthenticate if user has just logged in. Usability improvement over LastPass’s implementation.
Rename the feature to “Reauthenticate”, since it will no longer always reprompt for the master password.
Initial implementation of reprompt fulfilled users’ requests, but the above features are necessary to round out the implementation, making it more usable and more secure.
I’m using my Bitwarden account to store some important text strings as well, and due to the importance of this stuff I always check the ‘request password’ box when creating a secure note.
Since I want Bitwarden to ask for the password every time I want to see a secure note, it does ask as expected in the browser version, but I just noticed that the Bitwarden browser extension doesn’t ask for the main password when I want to see a secure note. I wonder why? Is it something to do with me or with Bitwarden? If it’s something on Bitwarden’s side, I believe this is a security issue: some people (like me) leave Bitwarden unlocked for some period of time in our browsers, and someone with bad intentions might just see our secure notes from our browser extension. But if this is something on my side, I would like to know how to handle it. As I said before, Bitwarden asks for the main password in the browser app, but doesn’t do that in the browser extension.
I also would like to point out that the mobile app (which is unlocked with biometrics) doesn’t behave like that either. If I unlock Bitwarden on my phone and (very unlikely) leave it away for a certain amount of time, that’s just another security issue for my secure notes.
I would like this feature to be enabled in the browser extension and the mobile app. Also, if that’s possible, I would like to use a different password than my main account password for secure note unlocking.
Since English is not my native language, sorry for the bad composition. Thank you.
Under no circumstances should Bitwarden ever display the contents of a login or secure note that is marked to require master password re-prompt before the password is re-entered. If this behavior was intentional, then it’s a design flaw uncharacteristic of an otherwise exceptional product. Hiding the contents of logins and secure notes from unauthorized viewing is just as important as protection from editing.
Think of a medium security scenario like home computer with family sharing a house. You don’t want to drive yourself crazy entering the master password every five minutes, so you set timeout to 15 minutes. You carefully set all high-security items such as bank logins to require re-prompt. Who would expect info like account, routing, pin and social security numbers to be visible anyway without having to re-enter the password???
Please fix this surprising oversight!