Add report for "Password Age"

I would like to add to that, that the full quote of the new draft you spoke about is the following:

"3.1.1.2. Password Verifiers

6. Verifiers and CSPs SHALL NOT require users to change passwords periodically.
However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

…"

(part in bold → my emphasis)

So I don’t see a “contradiction” to your example, as one could - strictly speaking - assume that “people that used to work in the building” knowing the still-valid-PIN or whatever, are a situation of “evidence of compromise” and this is a reason to change the PIN/password or whatever.

The “… SHALL NOT … require … periodical changes…” is meant as “don’t do that periodical changes without evidence of compromise”. (my interpretative language…)

3 Likes

I’d agree with that.

And in the cases of a large building or a large number of buildings, the building manager (or management org) would have to assume without being notified, that people are changing status all the time from working there to not working there…
and therefore periodic password changes are needed…
leading to…
we need a way to report on this in BitWarden to find out which PINs / Passwords / secrets need changing.

1 Like

@koala1199 Just a short response: I didn’t argue against the feature request - I argued “against” periodical changes without evidence of compromise. :sweat_smile:

1 Like

Or, put an entry in their personal calendar to change the door code.

Even better, invest in a door badge system that gives unique authenticators for each person so that you can detect if someone entered beyond their authority.

yes there is all those “what abouts” and no doubt more work arounds not yet mentioned.
Unfortunately, humans being humans, the work around’s don’t in reality scale well across the spectrum of human decision making we have in the world.

Invest in door badge system. Easy to say, not so easy to justify at scale, let alone convince all the decision makers in Building Management and Owners Corporations across the world.
Not to mention the contribution to waste of precious resources of throwing out all the old access control systems, and further environmental waste manufacturing ever more hardware systems and plastic badges.

Far better to have a softcopy report in Password Management systems for people to simply run reports on the data they have entered into the Password Management system.
No waste, no environmental impact, no cost to the businesses, small cost to implement only once for Bit Warden, freedom of choice or not to run the report.

well, if someone knows a secret, but after a period of time a point is reached when they no longer have a reason to know the secret, is that then considered a compromise of the secret?

Context…while we don’t know when that point of time is reached, but we do know (the evidence) that when that point is reached, we will not be notified about it being reached.

Does it?

If neither your OS nor your Antivirus blocks a key logger, yet you fear one might have made it onto your system without your knowledge, then it seems to me your only defence is to change your passwords immediately upon each use. In all other cases the problem falls into the SHALL category of a detected breach,

The general notion behind changing passwords seems to be that attackers may be ‘half way’ through reaching your password, lessening the remaining search space, so a deft (but chance) switch to one they have previously examined will sidestep their future search. Firstly, this is highly improbable on a cost basis for the villain, and secondly just adding one more character to your password will destroy the search. In real terms there is no such thing as a half-guessed random password; it is found or it is not.

The real value of password changes without a breach lies in managing risk arising from carelessness. Otherwise password weakness, already identified by the Vault Health report, is far more important than age.

PINs are deterrents, rather like the lock on the door of your house, not security like a safe. Their management is a function of personnel change, apparent risk, and scheduled security actions.

Well, of course it can be. Either a point in time - or an event (like “no longer employed”) can be a “compromise”.

BTW, maybe “evidence (for compromise)” is not the best word in the end. A “strong suspicion” (well, at least if it has some reasoning and is not only/completely made up out of thin air) may be enough to initiate a change of credentials.

I don’t completely get what you are trying to say by that, so you maybe have to clarify on that… But that you “will not get notified of an event happening in the world and not knowing the exact point of time” is a problem, that no fixed expiration date in Bitwarden can solve. - And if it is not an “event” but a point in time you can know or “foresee” or maybe just assume/guess, then the workaround (as long as Bitwarden doesn’t have that function) could be to just schedule it as an regular event in your calendar (or a regular task), so that you regularly get notified.

Let’s say we have a similar number pad like this one, on the entry of a 30 year old office building. PIN codes needs to be entered for after hours access. There are 20 office suites in the building each with different owners. Some are owner occupied, and some are leased out to businesses. Obviously this mix changes over time as office suites are brought and sold.
Employees, cleaners, contractors for each office suite obviously change over time. We cannot force a person to forget a PIN, and the security people that set the PINs will not necessarily get any notification when a person no longer needs access.
There is also the risk of CCTV being compromised or a key pad being remotely filmed, and a PIN being compromised.

NIST looks to have been written in the context of long and complex passwords/secrets with MFA. In that context mandating not having periodic forced passwords changes makes sense, and I support that.

However, for key pads such as the one in the above situation, they are not within the context of long and complex passwords/secrets with MFA.
Same for lock boxes that store keys for gates and doors, or for alarm panels with a key pad.
True, key pads such as the one above could be replaced to have swipe cards/fobs or a step up from that to something like Salto locks that can also be opened with a Smart Watch, but that requires investment in changing the system, plus continual investment in swipe cards/fobs as they are lost or not returned. Not to mention having to get the new swipe card to the person, and geographically that might be tedious.

Once you think about the problem of managing many buildings with the above key pad spread across a geography, having a method to run an aging report in the password management system that holds the PINs becomes a more attractive idea than the alternatives.

I understand your scenario, yet for all my various cyclic tasks I have a distinct entry for each in my ToDo system, with intervals fixed or after completion.

Given you must schedule to run your aging report at the minimum applicable for any target, then link report entries to targets, haven’t you simply added a layer of indirection? When you run a possible Bitwarden report you still need to assess relevance for each target, assuming you manage more than one.

The need to change does not appear reliant on Bitwarden in any way, and using it so indirectly seems less apt than a target-related schedule. Event triggers fall outside either.

Does that scale for teams larger than one, perhaps the people in the teams change over time, perhaps they are remote from each other and dont see each other’s todo list.

BitWarden can have a name or other reference to link the PIN to the target (such as “Building Blah Suite 5”)
But at least 3 systems will always be needed.

  1. The security system where the PINs are changed. (unless the PINs are for key lock boxes)
  2. A database with the contact details of the people who need a new PIN.
  3. A secure password management system such as BitWarden to store the PIN, and which target the PIN is for.

In a building with 20 suites there would be at least 21 PINs (one for the people who need access to the common area only).
That is a long todo list (for multiple buildings), which arguably becomes a 4th system in the above list.

In short, the world is complex. Not every secret can be long, complex and have MFA. Not every system that is numeric only is going to be replaced with something more mature. Not every database (or file) that contains contact details of targets is going to have a ticketing system detailing when the PIN was last changed.

I maintain that the simplest for all concerned is to have a password aging report created in BitWarden as a feature, which exists in other password management systems.
Some people will never need the report and never use it.
For other people it will be useful.

Our solution is to schedule a recurring meeting for each of our recurring tasks. If someone does the task early, they cancel the one instance of the meeting. If not, we all join the meeting and either do it together or pick a volunteer.

What you are suggesting really is much more of a scheduling activity than a password management activity. Not saying that a method of reporting or sorting on password age is not a good idea; just that your example is not the raison d’être I would chose.

Yes, it scales, there are various software products for team-based scheduling.

I notice your requirement is becoming more niche by the moment, which does not bode well for it having priority. :slight_smile:

Regardless, my only true option is to vote for it or not. I raised the discussion to explore what might be appropriate and achievable, so I trust it is taken in that vein.

I will add a general rider though, that not every feature of every other bit of software is needful or cost-effective.

Cheers
M.

Honestly, I don’t see the distinction you make here.

The quotes of the relevant NIST drafts above talk about “change only when compromise is evident or strongly assumed” (my loose expression now)… And for this, it doesn’t matter if it we are talking about long and complex passwords or passphrases - or short and simple PINs or something like that. As long as there is no shred of evidence of compromise you don’t have to change any of that. (BTW, personally I would make an exception here, and maybe changing passwords etc. every few years might not be a completely bad idea… e.g. in 10 years we might consider a “strong password” to be different than today, so that has to be adapted with time, I guess… and so, BTW, there might be more reasons than “just compromise”, to change credentials…)

Again, that doesn’t mean I can’t see the benefits of this function for Bitwarden (meaning, this feature request) in general.

But - of course an exaggeration now - you make it sound like (in your scenarios), as if the best thing to be would be

  1. either to change that PIN every hour because there is so much “inherent” compromise
  2. or to don’t do what you do altogether, because there is so much “inherent” compromise… (and probably search for a more secure and different alternative, that is not so prone to multiple, fast and inherent compromise)

And again - no “event” (happening in the “outside world”) would be able to directly initiate a pop-up in your Bitwarden to inform you of compromise…

So it comes down to that you have to decide for yourself (= the human), how often you want to change the credentials… And then the only difference is, you have to program that “interval” into your calendar/“task manager” for now instead of being able to let Bitwarden do the “remember me”. (= workaround, as long as Bitwarden doesn’t have that function)

So again, I see that it would be more comfortable and in a way sensible for Bitwarden to have that function - but it doesn’t make much difference in the end, whether Bitwarden or your calendar/task manager does the “remember me” for your chosen interval.

1 Like

Before moving to Bitwarden I was a LastPass user. After the LastPass breaches I wanted to change my passwords for all of my accounts. I spent a great deal of time trying to keep track of updated credentials. Having such a report would have really simplified this.