Require Re-prompt for entire item (view, edit, etc.)

Feature name

more ‘secure’ secure notes

Feature function

Currently, ‘secure notes’ are visible just by clicking on them in the vault, even if ‘require master password’ is checked. This seems like a major vulnerability: if you have, say, your crypto wallet passphrases in there, anyone can see them if your vault is unlocked, without even needing to re-authenticate. Please modify this so the specific notes marked as requiring reauth are not visible at all until the user puts the master pass back in to display them.

Also, your warning on notes was a little concerning as well. Maybe on notes that have that flag set, don’t even decrypt them until the user reauths, and then clear it from memory after so there aren’t alternative ways to easily spy on them.

thanks for your consideration!
dave

No apparent progress on reauthentication for over a year. Personally I’m nearly ready to move back to Lastpass after typing in my master password a million times a day for the last year. Reauthentication needs to be biometric with its own timeout.

Hey @Caign thanks for checking in, the team is actively working on this one :+1:


Really good news. Thank you @bw-admin for the update.

Can you please tell us what’s the status on password re-prompt for notes? Thanks.


Hey! I’m also interested in having a status update about this enhancement, which is essential IMHO.


Requiring a re-prompt of the password on an item means the item contains sensitive info and none of the data aside from the name should be shown in the clear in the “view” mode without the password being provided.

As a user coming from LastPass this is a workflow / feature I relied on to protect important info from shoulder surfers and me leaving my system unlocked accidentally while getting a coffee.


This seems like a monumental oversight. I’m trying to migrate from LastPass, but I have secure notes whose contents need to remain… secure. I would expect that checking the reprompt option wouldn’t allow viewing, but instead it only seems to protect against editing, which isn’t the point!


Yep, it was an oversight. Lots are waiting for it to be fixed. Can’t keep things like answers to 2FA questions in the notes of a sensitive login since they can be viewed without the master password. Can’t use the “Secure note” feature, since the note is visible without the password. Lots to change once it’s fixed. Much easier to use.


Is there an update for this? This is a very important security feature. The same option should be there for secure notes as it is for passwords.


There is a planned vault revamp that is currently on the roadmap which I believe will include updates to the Master Password Re-prompt.

I believe that covering the entire item would mean that, with Master Password Re-prompt enabled, this would be required first before interacting with or opening an item such as a Secure Note, preventing someone from easily viewing the note without first confirming the master password re-prompt.

Thanks for the summary @cksapp! I don’t have a specific ETA for this one right now, but I’ll be sure to share updates as they become available. :+1:

Yes, and again this would be something optional (tick the box if you want that note protected by an additional password reprompt)

This is to protect the most sensitive notes (just like passwords) in the case where someone is accessing a machine that’s still logged into Bitwarden

Secure Notes already have an optional checkbox for “Master password re-prompt”; it’s just that the note itself isn’t hidden behind the password reprompt. All it does is stop someone from editing the note. So the fix that is coming is to actually hide the note behind the master password reprompt, which is how it should have been in the first place.

Hey @WashamDev the original request was to reprompt for part of the vault, it will be expanded :slight_smile:


This change is really not that difficult to implement; not sure why it is taking years. This is clearly not intended behavior, and it shouldn’t take so long to respond to a clear security flaw in Bitwarden. Saying “it’s in the works” only means something if there is some action plan or ETA. It has been a very, very long time with zero movement. Please fix this.

Thanks for the feedback @icefyre. The feature currently functions as originally requested, and the team will continue to improve the experience. There are many open feature requests, and the team is working on many different aspects of Bitwarden, such as Manifest V3 support; rest assured your feedback has been passed along to the team.

With respect, requested by whom? LastPass absolutely nailed master password reprompt functionality, which just needed to be matched. LastPass is obviously not the master of best-practice security, but they did get this right. You will be receiving many more former LastPass users now, so I think you need to expect more users that will demand equivalent functionality implemented in full.

And please consider renaming it to Reauthentication. LastPass got the name wrong, and you can beat them in this regard.

Thanks for the feedback @Caign, rest assured it has been passed along to the team.

I do agree in this regard; perhaps a name change would be in order once the feature is revamped, especially if this will allow for additional verification methods as mentioned, such as biometrics, etc.