For secure notes, this seems like a bug / oversight to be honest. It does not make much sense not to protect the actual freeform text of a secure note, which is mostly the actual secret.
Thanks for the post @martin_pozor! It’s not a bug, but we understand the request to have further protection. I edited this title just a bit to reflect the request.
Also for “Card” & “Secure Note” login types.
Agree, you have to have an option to enter a password again to access chosen secure notes as cards and backup login keys.
Indeed I have no clue why it still shows content of the secure notes (@tgreer “it’s not a bug”).
Btw, it works as intended in the browser “Vault” just not in the Chrome add-on and in the mobile app.
As some others, it urges me to still keep my LastPass for the time being, eagerly waiting a step up from the current “MVP”.
Need it too, I loved this functionality on Dashlane.
What do you mean it's not a bug? It's like someone is saying Bitwarden app crashes and then you come in and like hey! it's not a bug guys, everything is supposed to work this way! It is a bug.
Would like to see notes and other parts of items protected better as well.
Might be overkill, but for now and until we actually have “secure notes” I do the following with my “secure notes”:
- Encrypt the text/message via openssl
- Produce base64 encoding of encrypted text/message
- Store base64 text/message in Notes within Bitwarden
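The three-step workaround in the post above, sketched as an added example (not the poster's own commands). The cipher, PBKDF2 iteration count, and the `NOTE_PASS` variable name are assumptions chosen here; the post only says "openssl" and "base64".

```shell
# Added example. Assumptions: AES-256-CBC with PBKDF2 key derivation, and a
# passphrase held in the NOTE_PASS environment variable (hypothetical name)
# so it does not appear in the process list or on the command line.
# The passphrase must differ from the vault's master password; otherwise an
# unlocked vault plus the same secret gives no extra protection.

# encrypt_note: plaintext on stdin -> base64 text on stdout.
# "-a" does the base64 step, so encryption and encoding happen in one pass.
# A fresh random salt is used on every run, so the output differs each time.
encrypt_note() {
    openssl enc -aes-256-cbc -pbkdf2 -iter 600000 -salt -a -pass env:NOTE_PASS
}

# decrypt_note: base64 text (as pasted back out of the note) on stdin
# -> plaintext on stdout. Parameters must match encrypt_note exactly.
decrypt_note() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 -a -pass env:NOTE_PASS
}

# Usage (constructed sample text):
#   export NOTE_PASS   # set interactively, e.g. with: read -rs NOTE_PASS
#   printf 'recovery key: example-only' | encrypt_note    # paste output into Notes
#   pbpaste | decrypt_note                                # or any clipboard tool
```

`openssl enc` in CBC mode provides confidentiality only: the stored blob is not authenticated, so a modified note may decrypt to garbage rather than be rejected.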
“Master Password Reprompt” (MPR) feature needs revision to improve usability and security:
- Substitute master password re-entry with biometric reauthentication where possible. Major usability improvement.
- Separate, optional, short timeout for reauthentication, include options of 30 seconds, 1 min, 5 mins, 15 mins, 30 mins, 1 hour, 2 hours, 5 hours, etc. Usability improvement.
- Protection of all fields, not just obscured fields. Security improvement.
- Optional: Do not reauthenticate if user has just logged in. Usability improvement over LastPass’s implementation.
Rename feature to “Reauthenticate”, since it will no longer always reprompt for master password.
Initial implementation of reprompt fulfilled users’ requests, but the above features are necessary to round out the implementation, making it more usable and more secure.