Add report for "Password Age"

Exactly this, please add a report for people with Lastpass imports so we can verify that we have changed them all. It's hard when you have 1000s to do.

I’m migrating from lastpass too and this would be a big help.

I’d also like the feature, plus a notification for any passwords that have never changed since being added to Bitwarden, if possible, since import.

I migrated from a manager that was compromised after being acquired. At the time, I didn’t delete after migrating, to make sure everything worked and that I was happy with Bitwarden. Besides, who would let themselves be compromised a second time, right? Wrong. My understanding is the encrypted vaults were taken and can now be worked on at leisure.

IDK how many unchanged passwords still exist.

I would also welcome such a function.
I imagine either/or as follows:

1.) an automatic counter that starts counting when the password is created

2.) a small calendar function in which the expiration date of the password can be set, possibly with some defaults such as 6 months, 1 year, etc.

This function was inspired by KeePassXC.

I can understand why this may seem like a helpful feature. However, I don’t think Bitwarden should implement it because it relies on an outdated understanding that you should update your passwords regularly when this practice isn’t recommended anymore.

I think the recommendation of which you speak is more about companies requiring arbitrarily (periodic) updates (“Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically)”) and not that users should never change their old passwords.

But isn’t the latest advice really that you should only change your password if you have a reason to believe that it has been compromised somehow?

Sure. So when a password manager gets breached (no longer hypothetically speaking), and one needs to update passwords on their 500+ accounts, wouldn’t it be nice to easily distinguish passwords recently updated (since the breach) from ones that are 6 years old?

Bitwarden flagging known breached passwords is significant. This really isn’t about whether it’s right to change your password or not.

This is not necessarily the best example, because you don’t need to change all of your passwords if Bitwarden gets breached. However, this requires that you have used a strong and unique password for Bitwarden. I could even provide a copy of my encrypted vault to any cybercriminal, and it would still be safe because I can trust the encryption.

However, if a site where I have an account, and whose encryption isn’t known, gets breached, I would of course go and rotate my password.

Agreed, I’m just suggesting Bitwarden add an indicator when credentials have been discovered in a breach so you know when to rotate rather than having to do the digging ourselves. I know this is way off from the OP’s request so I’ll give it a rest.

This feature already exists.

Agreed, mine is a terrible example. Nevertheless, LastPass was breached, my master password was <12 characters, iterations were low when I set up my account with them a decade ago, etc. And while I hope I’m the last one to make dumb decisions, I’m skeptical.

I admit I generally wouldn’t care about password age as I don’t generally rotate passwords for the fun of it. However, I still think a way to sort/view vault items by password age (last update date) would be beneficial for any user who suspects their credentials may have been exposed outside of publicly acknowledged single-site breaches (local/remote access to a device, lost/unsecured phone, compromise of an old vault, backup vault, password Excel/text file, other dumb user decisions, etc.).

You’re right, it does. I was referring to a notification in the app when you pull up that particular entry.

This is a no-brainer for any password manager.

I’d also like to be able to tag certain accounts for custom rotation reminders.

The NIST standard says this.
NIST Special Publication 800-63B
“Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.”

The wording SHOULD NOT is defined here.
“The terms “SHOULD” and “SHOULD NOT” indicate that among several possibilities one is recommended as particularly suitable, without mentioning or excluding others, or that a certain course of action is preferred but not necessarily required, or that (in the negative form) a certain possibility or course of action is discouraged but not prohibited.”

We all know that keyloggers / clipboard and screen scrapers exist and that various forms of MFA are weaker than others.
Therefore, if a password is never changed and the MFA for that password (in that system) can only ever be a weak MFA such as an SMS message, then the logic and desire for wanting to change passwords on a regular basis increases.
Some systems, applications and hardware don’t have and will never have MFA.

Essentially for some identity systems such as Azure it makes sense to never change a password. For other less mature systems, applications and hardware it makes sense to rotate them regularly.

Please add functionality to Bitwarden to report on the date that all passwords were created / edited.

Welcome, @koala1199 to the community!

Not perfect, but at the bottom of each vault entry is a record of when the vault entry itself was created / edited. Although not the same as the password field change date, it does set the upper bound for when the password was created/changed.
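Since Bitwarden shows the item-level creation and revision dates but offers no vault-wide view of them, the workaround described above (treating the revision date as an upper bound on password age) can be applied to an exported vault. The following is an added example, not Bitwarden's own code or part of this thread; it reads a constructed sample shaped like an unencrypted Bitwarden JSON export, and the field names it relies on (`items`, `type`, `creationDate`, `revisionDate`, `passwordHistory`, `login`) are assumptions about that format. It lists login items oldest-first, flags ones older than a chosen threshold, and separately flags entries whose password has never been changed inside the vault (the "unchanged since import" case raised earlier in the thread), which the revision date alone cannot tell you because any edit to the item updates it.

```python
"""Upper-bound password-age report over a Bitwarden JSON export (added example)."""
import json
from datetime import datetime, timezone

# Constructed sample in the shape of an unencrypted Bitwarden JSON export.
# The field names used below are assumptions, not taken from the thread.
# Passwords are placeholders.
SAMPLE_EXPORT = json.dumps({
    "items": [
        {"type": 1, "name": "legacy-forum",
         "creationDate": "2017-05-02T09:00:00.000Z",
         "revisionDate": "2017-05-02T09:00:00.000Z",
         "passwordHistory": None,
         "login": {"username": "alice", "password": "placeholder-1"}},
        {"type": 1, "name": "bank",
         "creationDate": "2017-05-02T09:00:00.000Z",
         "revisionDate": "2023-01-15T18:30:00.000Z",
         "passwordHistory": [{"lastUsedDate": "2023-01-15T18:30:00.000Z",
                              "password": "placeholder-old"}],
         "login": {"username": "alice", "password": "placeholder-2"}},
        # Edited recently (revisionDate moved) but the password itself never changed.
        {"type": 1, "name": "email",
         "creationDate": "2022-11-01T12:00:00.000Z",
         "revisionDate": "2022-12-20T12:00:00.000Z",
         "passwordHistory": None,
         "login": {"username": "alice", "password": "placeholder-3"}},
        # A secure note: no password, so it is skipped.
        {"type": 2, "name": "a secure note",
         "creationDate": "2020-01-01T00:00:00.000Z",
         "revisionDate": "2020-01-01T00:00:00.000Z"},
    ]
})

# Fixed "current time" so the report is reproducible (constructed).
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse the export's ISO 8601 UTC timestamps ('...Z') into aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def password_age_report(export_json, now):
    """Return login items oldest-first with an upper bound on password age.

    revisionDate changes on any edit to the item, so it only bounds when the
    password itself last changed. An empty passwordHistory means the password
    was never rotated inside the vault, i.e. it is still the imported/original one.
    """
    data = json.loads(export_json)
    rows = []
    for item in data.get("items", []):
        if item.get("type") != 1 or "login" not in item:
            continue  # only login items carry a password
        changed = parse_ts(item["revisionDate"])
        rows.append({
            "name": item["name"],
            "last_changed_at_latest": changed,
            "age_days": (now - changed).days,
            "never_changed": not item.get("passwordHistory"),
        })
    rows.sort(key=lambda r: r["last_changed_at_latest"])
    return rows


def stale_items(report, max_age_days):
    """Names of items whose (upper-bound) password age is at least max_age_days."""
    return [r["name"] for r in report if r["age_days"] >= max_age_days]


def never_changed_items(report):
    """Names of items whose password has no history, i.e. was never rotated in the vault."""
    return [r["name"] for r in report if r["never_changed"]]


if __name__ == "__main__":
    report = password_age_report(SAMPLE_EXPORT, NOW)
    for row in report:
        flag = " (never changed in vault)" if row["never_changed"] else ""
        print(f"{row['last_changed_at_latest']:%Y-%m-%d}  {row['age_days']:>5}d  {row['name']}{flag}")
    print("older than 2 years:", stale_items(report, 2 * 365))
    print("never changed:", never_changed_items(report))
```

Run it against a real export only on an unencrypted JSON export you have just created and will delete afterwards; the report needs nothing but the metadata, so the password values are never printed.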

You quote the current released version, which is what we should follow today. We also need to prepare for the next version, currently in draft:

Verifiers and CSPs SHALL NOT require users to change passwords periodically.

The update both strengthens the stance and clarifies that it does NOT apply to users deciding for themselves to rotate their own password. SHALL NOT is an absolute prohibition, whereas the previous SHOULD NOT is simply advice.

Well, that is interesting: in the next version, periodic password change will not be allowed under NIST.

Does NIST have recommendations for or against changing PIN codes on physical access control systems or alarm systems for buildings etc?

I know people that keep those in Password Managers.
Some buildings have PIN codes that haven’t been changed in many years, even though the people (including contractors) that used to work in the building have long since moved on.

800-63 does not get into prescribing what authentication methods are appropriate for which use-cases.

Close. There is no prohibition against periodically changing your own password. The prohibition is against requiring others to periodically change theirs.