Require Re-prompt for entire item (view, edit, etc.)

Thank you for your efforts, much appreciated. I love the product as well!

That makes sense. I still don’t know why this feature is taking so long to implement. There is no way that the way it is implemented right now matches the actual requirement. Would be great if the team could give a rough timeline by when they expect this feature to roll out.

Hey @icefyre thanks for the continued feedback, the team is working on many roadmap items and there is no specific ETA on this enhancement at this time, please keep in mind there are many open feature requests at any time for the team to consider, and development time is required for items like supporting new browser extension standards (Manifest V3 etc…)

Bitwarden is also built in part by the community and if anyone is interested in contributing a pull request, they can propose it here: Pull Requests - Bitwarden Community Forums

I’m shocked that this SECURITY VULNERABILITY (the ability to see the notes for a critical account that I’ve flagged for re-prompt) is being handled as an insignificant feature request to be implemented when convenient. This should be fixed within weeks, not years. It has prevented me from migrating to BitWarden since July of 2021.

1 Like

Thanks for the feedback, the feature is currently working as originally requested. The team is currently working on the 2022 roadmap including manifest V3 support. Rest assured your feedback has been passed along to the team.

I am deeply concerned that this request has not been given the priority it deserves. It represents a significant security risk that cannot be overlooked. As other posters have mentioned, there are password managers that have successfully implemented this feature, so there is no reason why it cannot be done in this case.

The fact that the request has been dismissed as “working as originally requested” is even more concerning, as it suggests that the internal R&D team has not fully appreciated the seriousness of the security implications of not implementing measures to hide and conceal these notes fields when the “require master password” option has been selected. This is far from “working as intended”. It is outright irresponsible and careless.

Rather than deflecting attention from the issue by talking about other features, it is important that the team demonstrate a real commitment to addressing security issues in the product. This means bumping up the priority of implementing this relatively straightforward feature, and showing users that their security concerns are being taken seriously.

Any attempt to rationalize or justify a decision not to pursue this feature is simply an indication of how little the team cares about addressing significant security issues. I urge the team to take this matter seriously and do everything possible to prioritize fixing this issue. It is essential to recognize that avoidant and dismissive responses, coupled with a lack of a clear timeline for implementation, will only serve to undermine user confidence in the product. The “kicking the can down the road” mentality is a poor strategy when it comes to addressing security concerns, and failure to do so may result in the loss of user trust and ultimately lead to people seeking out more secure alternatives.

In closing, It is essential that the team takes this issue seriously and demonstrates a real commitment to improving the security of the product.

4 Likes

Can someone please explain to me the nature of this request? It’s not clear from the OP. Is the issue that secure notes are not encrypted? I thought they were. Or, is the issue that you should be able to keep them encrypted after you have decrypted the vault if you also have a Master PW re-prompt set?

It’s NOT about encryption but about hiding them from plain sight until master password is re-prompted.

Please see Vault Items | Bitwarden Help Center

All the vault data, including Secure Notes are fully encrypted so no worry there.

I believe the nature of this request is that the current feature of Master password re-prompt was originally implemented to prevent editing, copying of the password, auto-fill, etc.

However the current implementation still allows for a vault item to be viewed even if requiring reauthorization.
Such things like the TOTP generated code (not the seed), and notes fields would still be visible without requiring a reprompt.

Okay, so it’s still secure equally to all other fields (encryption and unlocking vault initially). It’s just that if the field has sensitive information, the expectation of posters is that it remain unviewable until the re-prompt has been entered. But, BW’s design is scoped to preventing editing, pw copying, auto-fill; viewing is still permitted. My memory is that LastPass may have also blocked viewing until you entered a re-prompt. I can see how posters would logically assume it should be unviewable. Thanks.

A difference to Lastpass is that Bitwarden has “hidden” field in notes. Lastpass has only one text field and in order to hide it you have to enable Master password re-prompt. In Bitwarden, when you have Master password re-prompt enabled, you need to provide password when viewing hidden fields while other type fields can be seen all time.

I don’t know should whole note be hidden or not, after finding this feature I didn’t anymore miss much lastpass-like functionality.

(I more miss the feature to set reathentication timeout so that I don’t need to be typing master password all the time.)

There is a feature request for that!

Yes, this seems like an oversight and I support work on this to make sure “view item” is also a protected item.

This behaviour is also present for password items that require re-prompt, and you can view secure notes and other custom fields without re-entering the master password.

Just of note, currently the Hidden Custom Field type does require the Master Password Re-prompt for view or copy, similar to the password for an item.

Though as described a rework of this feature that should resolve this request is currently projected on the roadmap.
So looks like many things planned to come :slight_smile:

Thanks, Kent! I’ll take a look!

It’s around 21 months since Master Password Reprompt was implemented and coming up to 2 years since I moved from LastPass. Really appreciate the fast tracking of the initial Master Password Reprompt implementation, not so much the feature oversights and the long wait to get them addressed.

With 422 votes as at 28-Mar-2023, I can’t believe that Vault Item Labels (tags), currently in implementation, is the most important thing to be done. Besides security patches, surely Require Re-prompt for entire item (view, edit, etc.) (93 votes) and Adding Biometric/PIN authentication with Master password re-prompt (73 votes) are the most important things on the list. It makes me question the voting system.

The three top vote-getting feature requests that are not yet implemented have over 600 votes each, so while the two requests you have called out may be the “most important” to you, these are not necessarily the most important features to other users. In any case, the voting results are not binding to Bitwarden — they will use these data as one factor among other considerations when developing the roadmap.

Is there any simple way to encrypt/decrypt notes with base64 so that I can copy and paste it in the bitwarden secured notes, till this feature is implemented?

One-way I know if to use the OneNote password protected section and save the notes there. I am looking for something simpler than this.

@jojobar Welcome to the forum!

Here is a Base64 encoder/decoder that you can use:

I’m not sure I’d trust a site like that with sensitive data… (though works otherwise)