It would be cool if bitwarden could automatically remind the user after x days (say, 3 months, 6 months, a year, etc.) to change their password for a service. Pretty simple. It’d be disabled by default, and someone can turn it on if they want.
Interesting - I had not heard this advice before, and I am trying to think through whether there would be any disadvantage when generating/storing random passwords in a password manager like BW? Obviously, there is a small amount of time needed to do this on a regular basis, but are there other disadvantages? Or is this guidance more aimed at users trying to recreate memorable passwords, like David mentions above?
IF you are using a strong password (15+ chars, caps, small, numbers and symbols in a random order) it will take (statistical) on the order of 5000 years to crack. If the cracker is lucky, he might find it a year or two. Changing the password oftener will not materially affect the outcome. ( A new password might be cracked in two whereas the original one would have required 5000 years!)
Or… the old password might have been cracked in a year or two, as you originally suggested, and by updating it you may have extended it to 5000 years. It goes both ways with random passwords, I believe.
Essentially, the statistical expectation of how long it would take for a strong (e.g., random) password to be cracked is a function of the number of digits and how many characters are used per digit. So if you are trying to say that changing it frequently will not really affect that expectation, I would agree. But I still don’t see a significant downside to doing it, other than the effort required, right?
Remember there is one more requirement if you are never going to change a password but depend on the strength of the password. Every password has to be used at only one site! A strong password is more likely to be compromised by the site where one is logging on than by actually cracking it. (I have read that there are actually some sites that store passwords as plain text! Those are the sites that the hackers are really looking for. That and for the people who are using the passwords like ‘qwerty’ for every site that they log onto!)
That is the problem of changing passwords periodically. I have more than 100 of them. It is not a trivial task even using a password manager that can quickly generate complex passwords and do most of the grunt work in making the changes. When I have made password changes (mostly to replace weak passwords), I have always checked the new password immediately to verify that everything went down properly by logging into the site.
But you are right, there is no significant downside to doing changing a password but there is no significant upside to doing it either (unless the site itself is compromised). So why would anyone want to do it…
One of the downsides, for those of us who keep several copies of passwords, is that during/after each change one needs to update one’s records of passwords. In my case that involves updating records on a few local discs and those stored online, as well as updating my backup password manager. That is a hassle I can do without, unless there is a reason to change a password.
Many experts say that there is no use in changing the password. You should change your password only if your account is breached or the password is weak.
And amongst the reasons they recommend not regularly changing passwords is that it encourages weak/reused passwords.
And then there’s some (bad) websites that require you to change your password regularly. Also, it just reassures some people.
But if you’re using bitwarden, then I’m assuming your password looks like this: 62px7D1m&N0gQVDR$Bm$g0!NtAt*cj, as mine do.
This isn’t a feature to replace basic security advice, that still fully applies.
Remember there is one more requirement if you are never going to change a password but depend on the strength of the password. Every password has to be used at only one site! A strong password is more likely to be compromised by the site where one is logging on than by actually cracking it.
Of course. That was completely implied. I use unique passwords everywhere, and have been slowly phasing out any old passwords I used to use, which were all the same. (Sometimes it’s hard to do, because I forget which ones have the old password as I just use CTRL + SHIFT + L to autofill them.)
(Also, something to warn the user of identical passwords would be good too. Idk if that’s a suggestion or not, but it’s out of the scope of this feature request.) (I just checked and it’s a thing, but it’s premium only. Rip.)