Is there any simple way to encrypt/decrypt notes with base64 so that I can copy and paste it in the bitwarden secured notes, till this feature is implemented?
One-way I know if to use the OneNote password protected section and save the notes there. I am looking for something simpler than this.
@jojobar Welcome to the forum!
Here is a Base64 encoder/decoder that you can use:
Iâm not sure Iâd trust a site like that with sensitive data⌠(though works otherwise)
How about this one (can be downloaded and run locally):
That one looks ok - canât see anything dodgy in the source code (and yes, best to download it)
I canât believe that the team considers usersâ votes in deciding when to fix this SECURITY VULNERABILITY (the ability to see the notes for a critical account that Iâve flagged for re-prompt). Security vulnerabilities should be prioritized separately and fixed in the NEXT patch.
I provide tech guidance to a large group of family and friends that are waiting on my go-ahead to switch from LastPass to Bitwarden. Thatâll happen when this vulnerability is fixed AND biometrics is made to work with re-prompt (thereâs little point in having biometrics if I have to constantly type my crazy-long master password).
Can we please get a best guess of when the fix will be implemented?
Agreed, security vulnerabilities should trump everything else.
Looking at the items in-progress or planned, nothing else is a security vulnerability. So itâs not a question of opinion.
This is only a security vulnerability if you allow other people to observe you while you are using Bitwarden (which by itself creates âsecurity vulnerabilitiesâ beyond the ability to read your notes), or worse, if you allow other people to use your device while Bitwarden is unlocked (which violates fundamental opsec principles and puts you at risk of getting your vault compromised, whether this feature request has been implemented or not).
And you can always put your super-secret notes into custom hidden fields instead of in the Notes field, which will make them not be viewable if the reprompt option is enabled.
Thanks @grb for your suggestion to use custom hidden field. That helps, however hidden field does not support multi-line text. âSecure noteâ type may have been chosen by user especially because it allows to save free-form (multi-line) text rather than individual values. Therefore, I think protecting the actual secure note is still required.
I would think protecting all information rather than having special hidden field makes more sense from userâs perspective. I may be wrong of course, and I am aware the team must first weigh possible other user expectations.
It is not productive to argue about whether this is or not security vulnerability per se. In ideal word no one would observe user while working with secrets, but in reality, itâs perfectly common that it will be seen. Passwords are not shown in plain sight by default for a reason for example. For same reason, this feature is important.
Lastly, while I understand there may be more important or wanted feature requests and issues to address, this may be always the case and I think people are starting to lose hope that this will be ever addressed. Addressing in priority order is important, but I think it would be useful to also weigh the low complexity of the change. As a software developer myself I am aware that features may not be as simple to plan and implement as it looks to users - but this issue really looks like low hanging fruit. I was happy to see @bw-admin 's message of the team actively working on this, but this was almost one year ago, and I cannot comprehend why this still has not progressed.
I love Bitwarden and I use its full potential on daily basis on all my devices. However, I cannot get rid of a bitter feeling of Bitwarden not listening to their users - ignoring simple request to fix the issue (it is highly questionable this should be classified as feature request, despite dismissing it as âworks as requestedâ), downplaying userâs reasons of its importance and dragging this for years, maybe forever.
I agree that this makes sense, and my understanding is that there are plans to modify the functionality along these lines.
My point of disagreement is that this missing feature would represent some kind of critical, all-hands-on-deck CVE â or even that it is the most pressing of the submitted community request.
Furthermore, to provide additional context, my understanding is that in the past few years, the highest priority for Bitwarden developers has been to get the password manager ready for Manifest V3 (and deprecation of V2), which seems like it may require a complete redesign of much of the code-base from the ground up. Thus, there may not be a lot of developer time available to devote to new feature requests.
Any news on this? I just registered to the community to be able to vote on it.
Frankly, I find it totally mind-boggling, that in a project driven by very intelligent and security aware people someone really decided: âWell, letâs build in a double master password prompt. And then make the highly, double-secured private notice still readably for anyone with access to the device. Itâs a feature.â
I mean, this should be an absolute core behavior, and a no-brainer.
From the usage standpoint, I am sure many people will store highly sensitive data in the âsupposed to be secureâ notes, since for many things the âLoginâ etc. feature is not suitable, formatting-wise.
If there are any people who really think having secure notes, but freely browsable, even with double prompt, is a good idea, why not use the feature in a more logical way:
Idea one:
No double master PW Prompt = Secure notes can be viewed while browsing in the password safe
Yes double prompt = The notes are actually secure, and you can only see them via double PM prompt.
(There will be a reason why someone checked that boxâŚ)
Other, a bit more convoluted, solutions could be:
Have
âNotesâ and âSecure Notesâ that deserve the name. So anyone can have them as fit.
or
Maybe an option / tic box that needs to be set in the settings, secured by double opt-in, how to treat notes in that case. Something like âMake notes browsableâ.
PS: Did not mean to attack someone, but I did not expect this. To be honest, I just fully migrated from Lastpass to Bitwarden because of the security issues, and was shocked to discover how this is handled. And wonder if I am really a minority here.
I quite like all of your ideas. The ânotesâ and âsecure notesâ idea in particular seems like a great implementation. I really do not want my secure notes to be viewable or copyable if I tick the master password re-prompt button. Same goes for passwords for logins; I donât want them to viewable or copyable if the master password re-prompt box has been ticked.
Blockquote Hey @WashamDev the original request was to reprompt for part of the vault, it will be expanded
It has been OVER a year since this was requested and yet it still does not work, checking âMaster Password repromptâ does NOT require you to enter it when LOOKING at a Secure Note, while it DOES on the Btwarden web-page, please expand this to extension.
Iâll save the need for a moderatorâs intervention: Well @NubCake, as you are aware, the Bitwarden team prioritizes new features based on user votes! The great process thatâs both transparent and democratic!
Regarding the master password re-prompt we have mentioned here since July 2021, which admittedly does have inconsistencies across different devices as you rightfully identified, it seems that our security concerns have been overshadowed by the preferences of the majority. This, of course, has led to the development of other features that have garnered more community interest.
So, as a result, we got a great âMobile settings reorganizationâ in the October 2023 update of Bitwarden. This enhancement has transformed the way settings are navigated on mobile apps, presenting an interface that many find remarkably intuitive and user-friendly! Certainly the most beautiful thing you and I have ever laid eyes on! I cannot wait to upgrade my iOS app any longer!
For those curious, yes, I am experiencing a bit of frustration. This is because I posted here for the first time a year ago. We see this issue as a significant security concern, yet it seems we are the only ones who think this wayâor at least, we are not in the top-ranked issue, so, anyway.
Anyway, see you in 2024 (hopefully).
Whether this is seen as bug or feature, the fact that this is a common request and has been for 2+ years is not what I was hoping to see when I searched for a solution to my issue.
As a result of my lost-faith, I have disabled my subscription auto-renewal.
The hidden field in notes is not an acceptable workaround as mentioned by others, it does not support multi-line text. LastPass may have itâs quirks around master password re-prompting, but nothing quite like this oversight.
At the minimum, the password re-prompt option in the secure notes should be renamed to something along the lines of ârequire password to overwriteâ. As it stands, I believe this is a security issue as it lulls users into a false sense of security if they tick the box and do not check that it behaves as they assume it will.
Fingers crossed this is resolved in 2024.
Can someone tell us an ETA on this feature? I think itâs been a long time people are waiting. Thanks.
For banks, I use login id/password type entry to store it.
In notes, I write all the secure details.
I mark it as âreprompt passwordâ
I would prefer it if the notes were not accessible until then.
