Add report for "Password Age"

Hi!

There are various options for checking password security inside Vault - Tools
What about adding tool for “Unchanged passwords”? or “Aged passwords”?

As we all know, database leaks happen all the time. It would come especially handy with services that contain personal information, but do not offer 2FA (and you can easily forget to change password every now and then).

Currently Bitwarden keeps track on when and how many times you have changed account X’s password. However, it would take lot of time to go over all accounts and check the last password change date.

What are your thoughts on this?

4 Likes

I think it’s a decent feature to have, although not one that adds very much in the way of security if you use a strong, randomly generated password.

Assuming that a website properly encrypts passwords, even if the database was to be compromised your password would still be safe from brute force, dictionary or rainbow table cracking.

But as I said, it’s a decent feature which should be easy to implement, so I see no reason not to do it.

Thanks for input - tou yook the words right out of my mouth :slight_smile:

It won’t polster security per se, but it could help to get overview of password health.

2 Likes

+1 from me.

This was also mentioned in the password hygiene feature request but didn’t make it to the final feature release.

Now bit warden maintains and displays password history data this should be easier to implement on the frontend/s.

1 Like

Request: to add a “Old/Expired Passwords Report” on the Bitwarden Web Vault tools list. This will show a list of passwords that have not been updated in a certain amount of time. This is a feature that mostly all password managers have but seems absent on Bitwarden.

Sidebar Concept:

Reused Passwords Report
Expired Passwords Report
Unsecured Websites Report

Report Concept:
Show passwords that have not been updated in [Dropdown menu] days
[Dropdown items: 10 days, 15 days, 20 days, 30 days, 90 days, 120 days]

  1. Google…last updated 95 days ago
  2. Amazon…last updated 107 days ago
  3. Foo…last updated 591 days ago
3 Likes

How old is this request? It only shows as “April 25” but who knows what year? I was directed to this suggestion when I started to post a thread asking if there was any way to get a password age report. I’d like to be able to review such a report on a weekly basis, as a guide to changing passwords after they reach a certain age.

  1. :wink:

2019

In the meantime I use a manual workaround to generate quick info on my “old passwords” with the CLI. Figured I’d share it here for reference in case it’s useful to anyone else.

Pre-requisites:
-BitWarden CLI installed and configured: Password Manager CLI | Bitwarden Help Center
-jq installed (example for Linux: sudo apt install jq)

I then just run this command:
bw list items | jq -r '.[] | "\(.login.passwordRevisionDate) \(.login.username) \(.name)"' | awk '$2!="null"' | sort -r | less

This will output all items from your BitWarden Vault and pipe the JSON data through jq to filter on the specific items of interest. You’ll be presented with a list of all your logins sorted by the first column that contains the password modified date. If this value equals “null” it means that you’ve never updated the password for that item after initially adding it to your vault. Otherwise all non-null items are sorted by their date value.

FYI: I use awk '$2!="null"' to filter out items from the vault that do not have a username (Identity, Bank Card, and Secure Notes) since I couldn’t find a way with BW CLI to only list Logins.

4 Likes

It would be great if I can check the list of old passwords so I can periodically update them.

The ability to sort the vault by last password change time is also acceptable.

(This is a supported feature in LassPass).

Is there any reason you would want to update them periodically? This is against current NCSC and NIST guidance.

I would advise checking for leaked/breached passwords on a regular basis and changing those.

1 Like

The guidance probably did not account for two things:

  1. there are too many incompetent companies that may be leaking user data without knowing, or (rare but I’m certain is happening) choose not to disclose data leaks
  2. the guideline is for corporate password change, where employees are likely not allowed to use a password manager so have to use passwords that are memorable (read: easier to guess). Enforcing a periodic password change policy means the employees will likely just modify the prefix/suffix of a memorable password to be compliant.

Or if we put it in the other way: what’s the downside of allowing Bitwarden users to change their password every month as long as they use long randomly generated password?

2 Likes

There’s no downside to doing this in conjunction with a password manager, I just think it’s unnecessary. I personally wouldn’t use it but I’m all for new features that others will find useful.

This may not have a lot of votes, but certainly seems to be requested on a semi regular basis. Here are other related posts I came up with with a couple of quick searches.

https://community.bitwarden.com/t/old-passwords-report/9633

Edit: Forgot the last post like this i updated (another 8 votes there)
https://community.bitwarden.com/t/new-raport-section-old-unchanged-passwords/4197

2 Likes

I like to change may passwords often. I feel it would be useful to have a “Password Age Report” in the Vault Health Reports for Premium Users.

Bitwarden already tracks the last time a password was updated so I would assume it wouldn’t be to difficult to create a report that show the service name and the password age in days.

This would make it much easier to recognize passwords that are very old and should be changed.

4 Likes

Out of interest, why do you change your passwords?

Companies I’ve worked for have always enforced a “90 day rule” regarding passwords used for business purposes. Having an age report would make it easier to identify passwords that need to be changed.

Also I feel that regularly changing my passwords is an extra security measure, if a password to a service I do not use often was compromised the attacker could have access to that service until I changed the password. By changing the password frequently I feel it limits the time an attacker could continue to access a compromised account.

These are just my thoughts, no facts.

This is similar to “Password (vault item) expiration date” and a few other duplicate topics. However, those suggest a more persistent reminder rather than an on-demand report. A report tool seems pretty useful too!

1 Like

Mmmm, there’s https://www.bountysource.com
So maybe we can found this FR

Totally on board with PRs for new stuff!

If you all decide you’d like to contribute code for this function - please open a thread in the GitHub contributions category and we can discuss the feature/function and scope.

Rock on guys!

This would be a great addition to the Tools section. Just have an ability to select a custom threshold value for showing expired password. Ie. a few pre-selected values and a custom value in terms of N days/months/years.

Also: if there will be a feature for setting a expiration duration on a per password basis, it would then override this master threshold selection.