Require Re-prompt for entire item (view, edit, etc.)

Is there any simple way to encrypt/decrypt notes with base64 so that I can copy and paste them into the Bitwarden secure notes, till this feature is implemented?

One way I know of is to use the OneNote password protected section and save the notes there. I am looking for something simpler than this.

@jojobar Welcome to the forum!

Here is a Base64 encoder/decoder that you can use:

I'm not sure I'd trust a site like that with sensitive data... (though it works otherwise)

How about this one (can be downloaded and run locally):

https://www.glezen.org/Base64Decoder.html

That one looks ok - can't see anything dodgy in the source code (and yes, best to download it)


I can't believe that the team considers users' votes in deciding when to fix this SECURITY VULNERABILITY (the ability to see the notes for a critical account that I've flagged for re-prompt). Security vulnerabilities should be prioritized separately and fixed in the NEXT patch.

I provide tech guidance to a large group of family and friends that are waiting on my go-ahead to switch from LastPass to Bitwarden. That'll happen when this vulnerability is fixed AND biometrics is made to work with re-prompt (there's little point in having biometrics if I have to constantly type my crazy-long master password).

Can we please get a best guess of when the fix will be implemented?


Agreed, security vulnerabilities should trump everything else.

Looking at the items in-progress or planned, nothing else is a security vulnerability. So it's not a question of opinion.

This is only a security vulnerability if you allow other people to observe you while you are using Bitwarden (which by itself creates "security vulnerabilities" beyond the ability to read your notes), or worse, if you allow other people to use your device while Bitwarden is unlocked (which violates fundamental opsec principles and puts you at risk of getting your vault compromised, whether this feature request has been implemented or not).

And you can always put your super-secret notes into custom hidden fields instead of in the Notes field, which will make them not be viewable if the reprompt option is enabled.

Thanks @grb for your suggestion to use a custom hidden field. That helps, however the hidden field does not support multi-line text. The "Secure note" type may have been chosen by the user especially because it allows saving free-form (multi-line) text rather than individual values. Therefore, I think protecting the actual secure note is still required.

I would think protecting all information rather than having a special hidden field makes more sense from the user's perspective. I may be wrong of course, and I am aware the team must first weigh possible other user expectations.

It is not productive to argue about whether this is or is not a security vulnerability per se. In an ideal world no one would observe the user while working with secrets, but in reality, it's perfectly common that it will be seen. Passwords are not shown in plain sight by default for a reason, for example. For the same reason, this feature is important.

Lastly, while I understand there may be more important or wanted feature requests and issues to address, this may always be the case and I think people are starting to lose hope that this will ever be addressed. Addressing in priority order is important, but I think it would be useful to also weigh the low complexity of the change. As a software developer myself I am aware that features may not be as simple to plan and implement as they look to users - but this issue really looks like low hanging fruit. I was happy to see @bw-admin's message of the team actively working on this, but this was almost one year ago, and I cannot comprehend why this still has not progressed.

I love Bitwarden and I use its full potential on a daily basis on all my devices. However, I cannot get rid of a bitter feeling of Bitwarden not listening to their users - ignoring a simple request to fix the issue (it is highly questionable that this should be classified as a feature request, despite dismissing it as "works as requested"), downplaying users' reasons for its importance and dragging this on for years, maybe forever.
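The two workarounds discussed in this thread (Base64-encoding a note so it is not readable at a glance, in the opening post, and the hidden custom field that re-prompt does protect but that only takes a single line) can be combined: a multi-line note Base64-encoded becomes one line, which fits a single-line field. The following is an added example, not Bitwarden's code or anything posted in the thread; it assumes the hidden field accepts a long single-line value and that you decode locally when you need the text. Base64 is encoding, not encryption: anyone who copies the string can decode it without a key, so this only hides the note from a casual glance.

```python
"""Single-line Base64 wrapper for multi-line notes.

Added example, not Bitwarden code. Assumptions (not from the thread):
the hidden custom field accepts a long single-line value, and you are
willing to decode locally when you need the text. Base64 is an encoding,
not encryption: the string is trivially reversible without a key.
"""
import base64
import binascii
import re

# Pasting into a text field often inserts line wraps or trailing spaces;
# Base64 ignores none of those, so strip all whitespace before decoding.
_WS = re.compile(r"\s+")


def encode_note(text: str) -> str:
    """Return the note as one Base64 line with no embedded newlines."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def decode_note(blob: str) -> str:
    """Decode a Base64 line back to text.

    Whitespace is removed first to survive copy/paste wrapping. Any other
    non-Base64 character, or a truncated/corrupted string, raises ValueError
    instead of returning garbage (validate=True rejects stray characters
    that the default lenient decoder would silently drop).
    """
    cleaned = _WS.sub("", blob)
    try:
        raw = base64.b64decode(cleaned, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not a valid Base64 note: {exc}") from exc
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ValueError("decoded bytes are not UTF-8 text") from exc


def roundtrip_ok(text: str) -> bool:
    """Self-check: encoding then decoding must reproduce the note exactly."""
    return decode_note(encode_note(text)) == text


if __name__ == "__main__":
    # Constructed sample note; not real data.
    sample = "Router admin\nuser: admin\nrecovery code: 1234-5678\n"
    line = encode_note(sample)
    print(line)
    print("single line:", "\n" not in line)
    print("round trip:", roundtrip_ok(sample))
```

Paste the printed line into a hidden custom field on an item with master password re-prompt enabled, and run `decode_note` on it when the text is needed. Because the decoder rejects anything that is not clean Base64, a field that was partially overwritten or truncated fails loudly rather than decoding to a note with a silently missing line.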

I agree that this makes sense, and my understanding is that there are plans to modify the functionality along these lines.

My point of disagreement is that this missing feature would represent some kind of critical, all-hands-on-deck CVE, or even that it is the most pressing of the submitted community requests.

Furthermore, to provide additional context, my understanding is that in the past few years, the highest priority for Bitwarden developers has been to get the password manager ready for Manifest V3 (and deprecation of V2), which seems like it may require a complete redesign of much of the code-base from the ground up. Thus, there may not be a lot of developer time available to devote to new feature requests.

Any news on this? I just registered to the community to be able to vote on it.

Frankly, I find it totally mind-boggling that in a project driven by very intelligent and security aware people someone really decided: "Well, let's build in a double master password prompt. And then make the highly, double-secured private notice still readable for anyone with access to the device. It's a feature."
I mean, this should be an absolute core behavior, and a no-brainer.

From the usage standpoint, I am sure many people will store highly sensitive data in the "supposed to be secure" notes, since for many things the "Login" etc. feature is not suitable, formatting-wise.

If there are any people who really think having secure notes, but freely browsable, even with double prompt, is a good idea, why not use the feature in a more logical way:

Idea one:
No double master PW Prompt = Secure notes can be viewed while browsing in the password safe
Yes double prompt = The notes are actually secure, and you can only see them via double PM prompt.
(There will be a reason why someone checked that box...)

Other, a bit more convoluted, solutions could be:
Have "Notes" and "Secure Notes" that deserve the name. So anyone can have them as fit.

or

Maybe an option / tick box that needs to be set in the settings, secured by double opt-in, for how to treat notes in that case. Something like "Make notes browsable".

PS: Did not mean to attack anyone, but I did not expect this. To be honest, I just fully migrated from LastPass to Bitwarden because of the security issues, and was shocked to discover how this is handled. And wonder if I am really a minority here.


I quite like all of your ideas. The "notes" and "secure notes" idea in particular seems like a great implementation. I really do not want my secure notes to be viewable or copyable if I tick the master password re-prompt button. Same goes for passwords for logins; I don't want them to be viewable or copyable if the master password re-prompt box has been ticked.

Quoting: "Hey @WashamDev the original request was to reprompt for part of the vault, it will be expanded :slight_smile:"

It has been OVER a year since this was requested and yet it still does not work. Checking "Master Password reprompt" does NOT require you to enter it when LOOKING at a Secure Note in the extension, while it DOES on the Bitwarden web page. Please expand this to the extension.

I'll save the need for a moderator's intervention: Well @NubCake, as you are aware, the Bitwarden team prioritizes new features based on user votes! The great process that's both transparent and democratic!

Regarding the master password re-prompt we have mentioned here since July 2021, which admittedly does have inconsistencies across different devices as you rightfully identified, it seems that our security concerns have been overshadowed by the preferences of the majority. This, of course, has led to the development of other features that have garnered more community interest.

So, as a result, we got a great "Mobile settings reorganization" in the October 2023 update of Bitwarden. This enhancement has transformed the way settings are navigated on mobile apps, presenting an interface that many find remarkably intuitive and user-friendly! Certainly the most beautiful thing you and I have ever laid eyes on! I cannot wait to upgrade my iOS app any longer!

For those curious, yes, I am experiencing a bit of frustration. This is because I posted here for the first time a year ago. We see this issue as a significant security concern, yet it seems we are the only ones who think this way, or at least, we are not in the top-ranked issue, so, anyway.

Anyway, see you in 2024 (hopefully).

Whether this is seen as bug or feature, the fact that this is a common request and has been for 2+ years is not what I was hoping to see when I searched for a solution to my issue.

As a result of my lost faith, I have disabled my subscription auto-renewal.

The hidden field in notes is not an acceptable workaround; as mentioned by others, it does not support multi-line text. LastPass may have its quirks around master password re-prompting, but nothing quite like this oversight.

At the minimum, the password re-prompt option in the secure notes should be renamed to something along the lines of "require password to overwrite". As it stands, I believe this is a security issue as it lulls users into a false sense of security if they tick the box and do not check that it behaves as they assume it will.

Fingers crossed this is resolved in 2024.


Can someone tell us an ETA on this feature? I think it's been a long time people are waiting. Thanks.
