Require Re-prompt for entire item (view, edit, etc.)

Hey! I’m also interested in having a status update about this enhancement, which is essential IMHO.

1 Like

Requiring a re-prompt of the password on an item means the item contains sensitive info and none of the data aside from the name should be shown in the clear in the “view” mode without the password being provided.

As a user coming from LastPass this is a workflow / feature I relied on to protect important info from shoulder surfers and me leaving my system unlocked accidentally while getting a coffee.

2 Likes

This seems like a monumental oversight. I’m trying to migrate from LastPass but I have secure notes whose contents need to remain… secure. I would expect that checking the reprompt option wouldn’t allow viewing but instead it only seems to protect against editing, which isn’t the point!

1 Like

Yep, it was an oversight. Lots are waiting for it to be fixed. Can’t keep things like answers to 2FA questions in the notes of a sensitive login since they can be viewed without the master password. Can’t use the “Secure note” feature, since the note is visible without the password. Lots to change once it’s fixed. Much easier to use.

3 Likes

Is there an update for this? This is a very important security feature. The same option should be there for secure notes as it is for passwords.

2 Likes

There is a planned vault revamp that is currently on the roadmap which I believe will include updates to the Master Password Re-prompt.

I believe that covering the entire item would mean that, with Master Password Re-prompt enabled, this would be required first before interacting with or opening an item, such as Secure notes, preventing anyone from easily viewing the note without first confirming re-prompt of the master password.

Thanks for the summary @cksapp! I don’t have a specific ETA for this one right now, but I’ll be sure to share updates as they become available. :+1:

Yes, and again this would be something optional (tick the box if you want that note protected by an additional password reprompt)

This is to protect the most sensitive notes (just like passwords) in the case where someone is accessing a machine that’s still logged into Bitwarden

Secure Notes already have an optional checkbox for “Master password re-prompt”; it’s just that the note itself isn’t hidden behind the password reprompt. All it does is stop someone from editing the note. So the fix that is coming is to actually hide the note behind the master password reprompt, which is how it should have been in the first place.

Hey @WashamDev, the original request was to reprompt for part of the vault; it will be expanded :slight_smile:

2 Likes

This change is really not that difficult to implement, not sure why it is taking years. This is clearly not intended behavior and it shouldn’t take so long to respond to a clear security flaw in Bitwarden. Saying “it’s in the works” only means something if there is some action plan or ETA. It has been a very very long time with zero movement; please fix this.

Thanks for the feedback @icefyre. The feature currently functions as originally requested, and the team will continue to improve the experience. There are many open feature requests, and the team is working on many different aspects of Bitwarden such as Manifest V3 support; rest assured your feedback has been passed along to the team.

With respect, requested by who? LastPass absolutely nailed master password reprompt functionality, which just needed to be matched. LastPass is obviously not the master of best practice security, but they did get this right. You will be receiving many more former LastPass users now, so I think you need to expect more users that will demand equivalent functionality implemented in full.

And please consider renaming it to Reauthentication. LastPass got the name wrong and you can beat them in this regard.

Thanks for the feedback @Caign, rest assured it has been passed along to the team.

I do agree in this regard; perhaps a name change would be in order once the feature is revamped, especially if this will allow for additional verification methods as mentioned, such as biometrics, etc.

@dwbit. Another concern with the Master Password re-prompt pertaining to the “Card” type of entry… I don’t think anyone addressed the concern with displaying the last 4 digits of the card number on the “Cards” summary display when the Master Password re-prompt is set to Yes for a specific card(s). I noticed this behavior when adding Social Security Numbers as cards - it displays the last 4 digits of the SSN on the summary display. My take is that it should hide (or asterisk out) the 4 digits of the card in the summary display IF the Master Password re-prompt is set to Yes for that card. One of the most common identity challenge questions is “what’s the last 4 digits of your Social Security Number?”.

Note that I got around this problem in my case by adding " 0000" to the end of the SSN number, so it would display " 0000" on the card summary screen.

Attached are a couple of screenshots to show you what I mean. In the example, the SSN is “123-45-6789”.

Here’s the edit details form - previous post would only allow me to select 1 screen capture.

Thanks for the feedback @Thlucas, it has been passed along to the team :+1:

Thank you for your efforts, much appreciated. I love the product as well!

That makes sense. I still don’t know why this feature is taking so long to implement. There is no way that the way it is implemented right now matches the actual requirement. Would be great if the team could give a rough timeline by when they expect this feature to roll out.