Add report for "Password Age"

Hi!

There are various options for checking password security inside Vault - Tools.
What about adding a tool for “Unchanged passwords” or “Aged passwords”?

As we all know, database leaks happen all the time. It would come especially handy with services that contain personal information, but do not offer 2FA (and you can easily forget to change password every now and then).

Currently Bitwarden keeps track of when and how many times you have changed account X’s password. However, it would take a lot of time to go over all accounts and check the last password change date.

What are your thoughts on this?

3 Likes

I think it’s a decent feature to have, although not one that adds very much in the way of security if you use a strong, randomly generated password.

Assuming that a website properly encrypts passwords, even if the database was to be compromised your password would still be safe from brute force, dictionary or rainbow table cracking.

But as I said, it’s a decent feature which should be easy to implement, so I see no reason not to do it.

Thanks for the input - you took the words right out of my mouth :slight_smile:

It won’t bolster security per se, but it could help to get an overview of password health.

2 Likes

+1 from me.

This was also mentioned in the password hygiene feature request but didn’t make it to the final feature release.

Now that Bitwarden maintains and displays password history data, this should be easier to implement on the frontend(s).

1 Like

Request: to add an “Old/Expired Passwords Report” on the Bitwarden Web Vault tools list. This will show a list of passwords that have not been updated in a certain amount of time. This is a feature that almost all password managers have but seems absent in Bitwarden.

Sidebar Concept:

Reused Passwords Report
Expired Passwords Report
Unsecured Websites Report

Report Concept:
Show passwords that have not been updated in [Dropdown menu] days
[Dropdown items: 10 days, 15 days, 20 days, 30 days, 90 days, 120 days]

  1. Google…last updated 95 days ago
  2. Amazon…last updated 107 days ago
  3. Foo…last updated 591 days ago
3 Likes

How old is this request? It only shows as “April 25” but who knows what year? I was directed to this suggestion when I started to post a thread asking if there was any way to get a password age report. I’d like to be able to review such a report on a weekly basis, as a guide to changing passwords after they reach a certain age.

  1. :wink:

2019

In the meantime I use a manual workaround to generate quick info on my “old passwords” with the CLI. Figured I’d share it here for reference in case it’s useful to anyone else.

Pre-requisites:
- BitWarden CLI installed and configured: https://help.bitwarden.com/article/cli/
- jq installed (example for Linux: sudo apt install jq)

I then just run this command:
bw list items | jq -r '.[] | "\(.login.passwordRevisionDate) \(.login.username) \(.name)"' | awk '$2!="null"' | sort -r | less

This will output all items from your BitWarden Vault and pipe the JSON data through jq to filter on the specific items of interest. You’ll be presented with a list of all your logins sorted by the first column that contains the password modified date. If this value equals “null” it means that you’ve never updated the password for that item after initially adding it to your vault. Otherwise all non-null items are sorted by their date value.

FYI: I use awk '$2!="null"' to filter out items from the vault that do not have a username (Identity, Bank Card, and Secure Notes) since I couldn’t find a way with BW CLI to only list Logins.

4 Likes
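The jq/awk one-liner above sorts by raw date strings; the following added script (my example, not Bitwarden's code or the poster's) turns the same `bw list items` JSON into the "password age in days" report the thread asks for, using a threshold in days, skipping non-login items by their `type` field, and treating a null `passwordRevisionDate` as "never changed since the item was added" by falling back to the item's `creationDate`. The `type` and `creationDate` fields are assumed from the bw CLI JSON schema; the sample vault data is constructed.

```python
"""Password-age report over `bw list items` JSON (hypothetical helper, not Bitwarden code)."""
import json
import sys
from datetime import datetime, timezone

LOGIN_TYPE = 1  # assumed bw item type for logins (2 note, 3 card, 4 identity)

def parse_ts(value):
    """bw emits ISO 8601 with a Z suffix; Python < 3.11 needs an explicit offset."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def password_age_report(items, threshold_days, now):
    """Return logins whose password is at least threshold_days old, oldest first.

    A null passwordRevisionDate means the password was never changed after the
    item was added, so the item's creationDate is used as the age baseline."""
    rows = []
    for item in items:
        login = item.get("login")
        if item.get("type") != LOGIN_TYPE or not login:
            continue  # cards, identities and notes carry no password to age
        revised = login.get("passwordRevisionDate")
        baseline = revised or item["creationDate"]
        age = (now - parse_ts(baseline)).days
        if age >= threshold_days:
            rows.append({"name": item["name"], "username": login.get("username"),
                         "age_days": age, "never_rotated": revised is None})
    return sorted(rows, key=lambda r: r["age_days"], reverse=True)

# Constructed stand-in for `bw list items` output (not a real vault export).
SAMPLE = [
    {"type": 1, "name": "Google", "creationDate": "2021-01-05T10:00:00.000Z",
     "login": {"username": "alice", "passwordRevisionDate": "2024-02-27T10:00:00.000Z"}},
    {"type": 1, "name": "Amazon", "creationDate": "2021-01-05T10:00:00.000Z",
     "login": {"username": "alice", "passwordRevisionDate": "2024-02-15T10:00:00.000Z"}},
    {"type": 1, "name": "Foo", "creationDate": "2022-10-19T10:00:00.000Z",
     "login": {"username": "alice", "passwordRevisionDate": None}},
    {"type": 1, "name": "Bank", "creationDate": "2024-05-20T10:00:00.000Z",
     "login": {"username": "alice", "passwordRevisionDate": "2024-05-20T10:00:00.000Z"}},
    {"type": 2, "name": "Wifi note", "creationDate": "2020-03-01T10:00:00.000Z", "login": None},
]
NOW = datetime(2024, 6, 1, 12, tzinfo=timezone.utc)  # fixed clock for the sample run

if __name__ == "__main__":
    # Usage: bw list items | python3 pw_age.py [days]; without a pipe the sample runs.
    piped = not sys.stdin.isatty()
    items = json.load(sys.stdin) if piped else SAMPLE
    now = datetime.now(timezone.utc) if piped else NOW
    days = int(sys.argv[1]) if len(sys.argv) > 1 else 90
    for r in password_age_report(items, days, now):
        flag = " (never changed since added)" if r["never_rotated"] else ""
        print(f'{r["age_days"]:>5} days  {r["name"]}  {r["username"]}{flag}')
```

With the sample and a 90-day threshold the output lists Foo (591 days, never changed), Amazon (107) and Google (95), while the 12-day-old Bank login and the secure note are left out.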

It would be great if I can check the list of old passwords so I can periodically update them.

The ability to sort the vault by last password change time is also acceptable.

(This is a supported feature in LastPass).

Is there any reason you would want to update them periodically? This is against current NCSC and NIST guidance.

I would advise checking for leaked/breached passwords on a regular basis and changing those.

1 Like

The guidance probably did not account for two things:

  1. there are too many incompetent companies that may be leaking user data without knowing, or (rare but I’m certain is happening) choose not to disclose data leaks
  2. the guideline is for corporate password change, where employees are likely not allowed to use a password manager so have to use passwords that are memorable (read: easier to guess). Enforcing a periodic password change policy means the employees will likely just modify the prefix/suffix of a memorable password to be compliant.

Or if we put it the other way: what’s the downside of allowing Bitwarden users to change their password every month as long as they use long, randomly generated passwords?

2 Likes

There’s no downside to doing this in conjunction with a password manager, I just think it’s unnecessary. I personally wouldn’t use it but I’m all for new features that others will find useful.

This may not have a lot of votes, but it certainly seems to be requested on a semi-regular basis. Here are other related posts I came up with in a couple of quick searches.

Edit: Forgot the last post like this I updated (another 8 votes there)

2 Likes

I like to change my passwords often. I feel it would be useful to have a “Password Age Report” in the Vault Health Reports for Premium Users.

Bitwarden already tracks the last time a password was updated, so I would assume it wouldn’t be too difficult to create a report that shows the service name and the password age in days.

This would make it much easier to recognize passwords that are very old and should be changed.

4 Likes

Out of interest, why do you change your passwords?

Companies I’ve worked for have always enforced a “90 day rule” regarding passwords used for business purposes. Having an age report would make it easier to identify passwords that need to be changed.

Also I feel that regularly changing my passwords is an extra security measure, if a password to a service I do not use often was compromised the attacker could have access to that service until I changed the password. By changing the password frequently I feel it limits the time an attacker could continue to access a compromised account.

These are just my thoughts, no facts.

This is similar to “Password expiration date” and a few other duplicate topics. However, those suggest a more persistent reminder rather than an on-demand report. A report tool seems pretty useful too!

1 Like

Mmmm, there’s https://www.bountysource.com
So maybe we can fund this FR

Totally on board with PRs for new stuff!

If you all decide you’d like to contribute code for this function - please open a thread in the GitHub contributions category and we can discuss the feature/function and scope.

Rock on guys!

This would be a great addition to the Tools section. Just have an ability to select a custom threshold value for showing expired passwords, i.e. a few pre-selected values and a custom value in terms of N days/months/years.

Also: if there will be a feature for setting an expiration duration on a per-password basis, it would then override this master threshold selection.