Require Re-prompt for entire item (view, edit, etc.)

For secure note, this seems like a bug / oversight to be honest. It does not make much sense not to protect the actual freeform text of secure note which is mostly the actual secret.

5 Likes

Thanks for the post @martin_pozor! Itā€™s not a bug, but we understand the request to have further protection. I edited this title just a bit to reflect the request.

3 Likes

Also for ā€œCardā€ & ā€œSecure Noteā€ login types.

3 Likes

Agree, you have to have an option to enter a password again to access chosen secure notes as cards and backup login keys.

1 Like

Indeed I have no clue why it still shows content of the secure notes (@tgreer ā€œitā€™s not a bugā€).
Btw, it works as intended in the browser ā€œVaultā€ just not in the Chrome add-on and in the mobile app.
As some others, it urges me to still keep my Lastpass for the time being eagerly waiting a step up from the current ā€œMVPā€.

5 Likes

Need it too, I loved this functionnality on Dashlane.

1 Like

What do you mean its not a bug? Its like someone is saying Bitwarden app crashes and then you come in and like hey! its not a bug guys, everything is supposed to work this way! It is a bug.

4 Likes

Would like to see notes and other parts of items protected better as well.

1 Like

Might be overkill, but for now and until we actually have ā€œsecure notesā€ I do the following with my ā€œsecure notesā€:

  1. Encrypt the text/message via openssl
  2. Produce base64 encoding of encrypted text/message
  3. Store base64 text/message in Notes within bitwarden
1 Like

ā€œMaster Password Repromptā€ (MPR) feature needs revision to improve usability and security:

  1. Substitute master password re-entry with biometric reauthentication where possible. Major usability improvement.
  2. Separate, optional, short timeout for reauthentication, include options of 30 seconds, 1 min, 5 mins, 15 mins, 30 mins, 1 hour, 2 hours, 5 hours, etc. Usability improvement.
  3. Protection of all fields, not just obscured fields. Security improvement.
  4. Optional: Do not reauthenticate if user has just logged in. Usability improvement over LastPassā€™s implementation.

Rename feature to ā€œReauthenticateā€, since it will no longer always reprompt for master password.

Initial implementation of reprompt fulfilled usersā€™ requests, but the above features are necessary to round out the implementation, making it more usable and more secure.

10 Likes

Hi all;

Iā€™m using my bitwarden account to store some important text strings as well and due to importance of this stuff i always check ā€˜request passwordā€™ box in secure note creation.

Since i want bitwarden to ask for password every time when i want to see a secure note it does ask as expected on browser version but i just noticed that bitwarden browser extension doesnā€™t ask for main password when i want to a secure note. I wonder why? Is it sth to do with me or bitwarden? If its sth on bitwardens side i belive this is a security issue, some people (like me) leave bitwarden unlocked for some period of time on our browsers and someone with bad intentions might just see our secure notes from our browser extension. But if this is something on my side i would like to know how to handle this. As i said before, bitwarden asks for main password on browser app, but doesnt do that on browser extension.

I also would like to point out that mobile app (which is unlocked with biometrics) doesnt behave like that either. If I unlock my bitwarden on phone and (very unlikely) leave it away for a certain amount of time thats just another security issue for my secure notes.

I would like this feature to be enabled on browser extension and mobile app. Also if thats possible i would like to use a different password then my main account password on secure note unlocking.

Since english is not my native, sorry for bad composition. Thank you.

4 Likes

Under no circumstances should Bitwarden ever display the contents of a login or secure note that is marked to require master password re-prompt before the password is re-entered. If this behavior was intentional, then itā€™s a design flaw uncharacteristic of an otherwise exceptional product. Hiding the contents of logins and secure notes from unauthorized viewing is just as important as protection from editing.

Think of a medium security scenario like home computer with family sharing a house. You donā€™t want to drive yourself crazy entering the master password every five minutes, so you set timeout to 15 minutes. You carefully set all high-security items such as bank logins to require re-prompt. Who would expect info like account, routing, pin and social security numbers to be visible anyway without having to re-enter the password??? :astonished:

Please fix this surprising oversight!

12 Likes

Itā€™s unreal this hasnā€™t been addressed yet. I was storing answers to secret questions in the Notes of a login, and they are visible without entering my master password. I tried moving the answers to a Secure Note, but that is also completely visible without entering my password. Oh, but requiring my master password stops someone from editing that Secure Note! Sigh. Thatā€™s not the point. This feature needs introduced ASAP. I canā€™t store sensitive text anywhere in Bitwarden right now. Makes me miss LastPass.

4 Likes

As already mentioned by others in the thread. This feature is one of the most important items. I personally can not fully depend on storing my secrets this way. there are items that are too sensitive to be left out without re-entering the password to view them.

1 Like

This is a vital, vital feature. Cannot believe it was implemented in the completely useless manner that it was. Otherwise fantastic product.

1 Like

Huge +1, any update on this @tgreer ? For GPG keys they can only be stored in the secure note section, and even on enabling password re-prompt the chrome extensions allow viewing it easily (only editing requires an actual password re-prompt on chrome extension, unlike for web vault which mandates password for viewing the password entry as well - which should be the ideal behaviour for chrome extension as well).

1 Like

Hi and welcome, @ashutoshsaboo!

Itā€™s definitely on the radar. Depending on the length of the GPG key, you could store it in a custom field of ā€˜hiddenā€™ type, which would require the master password to view/edit. Custom fields can store 5K characters :+1:

1 Like

Thanks @tgreer. The limitation is not about the 5K character limit, if iā€™m not wrong the custom field doesnā€™t support multi-line entries (with a \n), which is the challenge to storing some of these long keys in hidden fields vs notes. Is adding multi-line support to hidden field values on your roadmap? If you can support that, thatā€™d be really awesome! :slight_smile:

4 Likes

Iā€™d also like a setting to have this feature behave more similar to LastPass: after logging in, have it prompt the master password only when viewing or editing an item (whatever that item may be) but NOT when using the item, meaning it will still autofill the password fields just fine, without prompting for the master password. Iā€™d also like to have this setting be a global one, and not having to edit every single item in my vault (as it contains HUNDREDS of passwords)

Adding the master password re-prompt for the password field is a great feature and I use it all the time. I would also like to see this added for notes. In particular have two different notes sections, one secure and the other regular. Some items saved in notes are not important if someone else sees them but others are. For example OTP account recovery codes would be best saved in ā€œsecure notesā€, whereas an order number or a favorite vendor rep might be fine to have in ā€œregular notesā€.

This feature would increase the security for ā€œother sensitive informationā€ stored in a login record that would be considered as important as keeping the password behind an additional layer of security.

2 Likes