Security Question Field

So similar to adding custom fields like Hidden, Text, Boolean, Linked.

Make another one for security questions.

So, Hidden, Text, Boolean, Linked, then Security Question.

The field would allow passphrase generation from the field like how the user can with passwords.

So, a passphrase like “earpiece whacking unreal knoll sauna” with no special characters or numbers.
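As an added illustration of what the requested field would do (this is not Bitwarden's code and not part of the original post): draw words uniformly from a wordlist with the OS CSPRNG, confirm the result contains only letters and spaces, and report the guessing entropy. The wordlist is a constructed stand-in for a real curated list such as the EFF long wordlist.

```python
import math
import random
import re
import secrets
from typing import Optional, Sequence

# Constructed mini wordlist for the demo only; a real generator would load a
# large curated list (the EFF long list has 7776 entries, ~12.9 bits per word).
DEMO_WORDLIST = (
    "earpiece", "whacking", "unreal", "knoll", "sauna", "basket",
    "mural", "glacier", "pillow", "tundra", "velvet", "orchid",
)

# Lowercase ASCII words separated by single spaces: no digits, no specials.
LETTERS_ONLY = re.compile(r"[a-z]+(?: [a-z]+)*")


def generate_answer(wordlist: Sequence[str], n_words: int = 5,
                    rng: Optional[random.Random] = None) -> str:
    """Build a security-question answer such as 'earpiece whacking unreal knoll sauna'.

    Words are chosen with replacement using secrets.SystemRandom (OS CSPRNG)
    unless a specific rng is supplied, so answers are unpredictable.
    """
    if n_words < 1:
        raise ValueError("n_words must be >= 1")
    if not all(LETTERS_ONLY.fullmatch(w) for w in wordlist):
        raise ValueError("wordlist must contain lowercase letter-only words")
    rng = rng or secrets.SystemRandom()
    return " ".join(rng.choice(wordlist) for _ in range(n_words))


def is_letters_only(answer: str) -> bool:
    """True when the answer meets the request: letters and single spaces only."""
    return LETTERS_ONLY.fullmatch(answer) is not None


def entropy_bits(wordlist_size: int, n_words: int) -> float:
    """Guessing entropy of an n-word phrase drawn uniformly from the list.

    Each word adds log2(list size) bits, so five EFF words give about 64.6 bits,
    far beyond any guessable 'mother's maiden name'.
    """
    return n_words * math.log2(wordlist_size)
```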

I think there are already similar feature requests:

1 Like

They seem similar.

I can’t tell if they are specifically talking about the same thing I am though.

The first one is about auto fill and the second one is about extensions and being able to add recovery questions like a password. Similar to how you can save passwords on the website itself through the extension and then being able to auto fill it later. But with backup codes and recovery codes.

I am asking specifically for a custom field, but not for recovery codes or backup codes. But for security questions: like “what is your mother’s maiden name” but to be able to input a random passphrase that is generated from the field itself, like a user can with the password field.

If my comment does seem to fit into any of the requests there, I wouldn’t mind if the comment was moved to one of those posted requests.

As I understand it, security questions like your example are (always?) kind of recovery / backup “codes”, because security questions are only relevant if you lose access to the account.

Two remarks to that:

  1. For that reason, I personally wouldn’t save security questions in the same location (here: Bitwarden) as username/email and password (and 2FA or passkeys), because if I lost access to Bitwarden, then I would also lose access to the security questions and that wouldn’t be the idea, I guess…

  2. I think the last NIST guidelines discourage security questions… and probably with passkeys too… hopefully there will not be so many services left, that operate with “security questions”.

1 Like

I get that. But some companies require them to be used.

I have a service that makes me use SMS 2FA and also still asks a security question after successful code input. So they do use them as a multi-factor authentication as well. Sometimes it depends on the site; some have really bad security protocols. I’ve also had some work provider websites have this type of security.

Also, writing them all down on a piece of paper would be nice, to have as a backup. But I use random passphrases, usually about 16 words. Some are also random words with special characters that are 100 characters etc., and trying to have them written down for all sites would be too much of a hassle, as I would have too much of a list to make and too much to write.

So it’s not ideal to write it down all the time for my use case. I always make a backup of my vault though and store it on a physical USB and an end to end encrypted cloud provider.

I do agree though, security questions need to be obsolete by now. As, they’re incredibly insecure. But it seems some sites still insist on using them.

I didn’t say they have to be written down. I personally store such things (security questions, recovery codes/backup codes, TOTP seed codes/secret keys, …) in a KeePassXC database.

1 Like

Sorry, I just re-read what you said and I do see that you never mentioned writing anything down. Sorry about me getting that wrong.

That is what I get for reading things too fast and not rereading.

But I personally don’t see the need in having to run a separate password manager just so that I can store security questions. That seems a little counter-intuitive to me personally, as I like keeping things organized in one piece of software. Also, just making physical backups will be all that is needed to restore the information, rather than needing to use separate software.

For TOTP, on the other hand, I do use Ente Auth and the new Bitwarden Authenticator.

But I can see why some people may prefer to go your route. But that is just not personally for me.

(Maybe if Bitwarden Authenticator were to get a notes feature to store recovery codes and other things alongside TOTP codes. That is as far as I would go in using separate software.)

Arguably one shouldn’t store username, password, and 2FA code in the same location but BW allows it. I think it’s up to the user to understand their risk tolerance and threat vectors and make a decision.

So many sites, and corporate companies, still require regular password changes – which NIST stopped recommending eons ago. Companies are slow to follow NIST.

1 Like

I meant security questions, recovery codes/backup codes etc. And that is slightly different than “password + TOTP not in the same location” I think:

  1. password + TOTP not in the same location → goal: security (multiple factors…)
  2. (A) passwords etc. and (B) security questions/recovery codes etc. not in the same location → goal: account recovery → so if I lost A, I would need B… but if I store B besides A, then account recovery becomes impossible… therefore, this is not mainly a security question to store A and B in different locations, but for account recovery…

Here I didn’t say anything about 1., but I meant 2.

Maybe not eons (wasn’t it around 2017?!)… but I see your point.

1 Like

KeePassXC’s new-found ability to import Bitwarden password-protected JSONs might result in a change to your methodology. Now, it is easy to keep a complete (well, periodically updated) copy of your vault accessible and visible in two different applications, meaning if BW blows up, you know you will have access to more than just your recovery codes.

Do know that there are currently a few known limitations. Bitwarden does not export attachments. KeePassXC does not yet import Bitwarden passkeys (it is in development), and if you have organizational vaults, complexity quickly grows.

That said, I really like the idea that one can now verify the contents of a password-protected backup. It pretty much eliminates the one benefit I saw to unencrypted backups.

2 Likes

This problem is solved by vault backups.

Security questions for purposes of recovering a “forgotten” password are not relevant to Bitwarden users (if they have an emergency sheet and redundant vault backups). However, it is possible that an account password stops working as a result of some problem on the account server, or as a result of password expiration (necessitating account recovery using security questions instead). Also common are online services that require answers to security questions in addition to input of the password (e.g., when you log in from a new device). For these use-cases, there is no benefit of keeping the security questions outside the Bitwarden vault.

1 Like