First off, I like the thought behind the feature. Making me aware of the security reports, leaks, weakness, etc. in the UI directly without me having to navigate to the security reports themselves is very nice, imo.
What bugs me is the ambiguity of the message. If there are specific reasons for flagging the password as “at-risk” then it would be much better if that reason were named directly in the message banner.
@Evnia I moved your comment into its own thread, because it proposes a change that is different from the feature request in which you had originally posted (Options to disable or dismiss permanent "Change at-risk password" warnings). Each feature request topic must include only a single suggestion (or else it becomes impossible to interpret the vote count).
Thanks. Sorry, my bad.
I’m seeing the new “password at-risk” banner on multiple vault items where the passwords are 14–20+ characters long, randomly generated by Bitwarden, not reused anywhere. At this point I have more than eight such cases. And a couple of cases are paired with unique (and long!) usernames.
That makes this a signal-quality problem, not a hygiene problem.
“At-risk” currently collapses very different conditions into a single warning with no attribution: known exposure, reuse, or heuristic weakness. Those are not equivalent risks and should not prompt the same response.
Modern guidance, including NIST SP 800-63B, explicitly discourages arbitrary password rotation absent evidence of compromise. Labeling high-entropy, non-reused, manager-generated passwords as “at-risk” without explanation nudges users toward exactly that behavior.
If a password is exposed, say so. If it’s reused, say so. If it fails a heuristic test, say so.
But “trust us, rotate” is not risk management.
This feels like a UI shortcut that needs refinement. A simple reason code would immediately restore clarity and trust.
@pcox Welcome to the forum! I moved your comment into this feature request topic, which is more relevant to your concerns.
It would be helpful if you could provide additional detail, to help us determine if there is a bug causing the false positives that you are observing. For example, there is a known bug that causes the warning banner to be displayed when a copy of the login item (or an unrelated login item with the same password) is present in the Trash.
Agreed, I’ve just had this message and all it does is take me to my AppleId webpage! Totally useless and considering that Bitwarden generates all my passwords using complex password types of 12-14 in length, I don’t consider this warning to be of any use whatsoever! All this does is suggest Bitwarden password generation is crap. I want to know why it thinks there’s an issue. It’s just like saying “there’s a problem with your password” - what the hell does that mean?
Come on, this is causing unwarranted stress.
This interpretation would not be warranted. It is much more likely that your AppleID was found in a data breach, or (perhaps most likely) that you have a duplicate of the same password in another vault entry (perhaps in the Trash).
Until this feature request is implemented, you may be able to get some insight by logging in to the Web Vault and running the following reports:
If all reports come back negative (specifically, if your flagged AppleID password is not included in any of the three reports), please report back so that we can investigate whether there is a bug.
AppleId has had its email address changed but not its password, and all other passwords are unique, so it would appear that a reused password is flagged even if only the email has been changed. As I’ve changed my email again lately this has now caused multiple flags, so I’m ignoring them all.
There is already a FR that could accomplish this (and more): Vault Health Dashboard - All Reports should do automatic lookups and alerts. Basically, instead of having a separate detection mechanism, leverage the existing reports to do the heavy-lifting. “Change at-risk password”, does not tell me much, but “Is on Reused passwords report” would be immensely helpful.
And, bonus, as new reports are added or improvements are made, the alert/warning would inherit them:
Agreed. This feature is basically useless unless I know “Why” my password is “At Risk”. Like, I appreciate Bitwarden for looking out for my “digital security health”, but “Change this because we said so” is not an acceptable prompt.
Agreed. “Why” is a must-have. (It’s annoying that I can’t vote for this request. I created a community account just so I could do that.)
For me the biggest problem is the “at-risk password” wording, which creates a false and inaccurate impression in users’ minds that their passwords have been compromised.
At-risk is a marketing weasel word, and lacks a clear accepted definition, but an informal survey of co-workers shows that most people assume this means their password has been compromised.
The scenarios which lead to this message range from “Your password has been stolen and is actively being used by malefactors” to “You created two entries in your vault for the same site.”
Clearly these are completely unrelated and not at all equivalent scenarios.
The use of scary terminology like “at-risk” should be reserved for situations where there’s genuine identifiable risk. Password found in a breach <> Password appears twice.
The number of different scenarios which can lead to this message being displayed are far greater than the fear induced by the message justifies.
This one caught me off guard and wasted a good chunk of my time thinking a password was legitimately compromised so creating a forum account just to chime in to push for a fix… “Vulnerable password.” or “at-risk” does not accurately communicate that it’s simply a reused password to the average user. Worse, it will likely desensitize them to the warning over time. Then, when there’s a real compromise, they’ll ignore it, and assume it’s a reused password somewhere in their BitWarden store. Think about it, we’re talking 100’s of impressions of the warning to a person’s brain using BitWarden over the year that aren’t actually compromised and far less real compromises in that same year.
My vote is to see a red exclamation with, “This password has been compromised. You are strongly urged to change it.” for a confirmed breach + not reused. If it’s a reused password, then I want to see a yellow warning message that says, “Re-used password. Another stored account has the same password.”. For the latter, a value add would be a link to filter for the other accounts matching that password to make it easier to track down and confirm if it’s something I need to fix or if it’s as intended.
If the password is both confirmed compromised and reused, then I’d prefer the 2 messages to be shown separately in the same way. The reused so I know to find and jot down the accounts with same pass and then the compromised message to make clear I definitely need to login to each of those accounts and update them all to either new, unique, passwords or 1 new password across all the affected accounts.
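The reason-coded design proposed in the last two posts (separate red “exposed” and yellow “reused” findings, plus a list of the other items sharing the password), together with the Trash-duplicate false positive mentioned earlier in the thread, can be sketched over a vault export. The following is an added example written for this page, not Bitwarden’s code; the `LoginItem`/`Finding` classes, the `is_weak` heuristic, the `include_trash` switch and the breach list are all assumptions. The breach “corpus” is a constructed set of SHA-1 hashes so the script runs offline; a real check would query a breach API such as HIBP’s range endpoint by hash prefix rather than embed hashes.

```python
"""Reason-coded "at-risk password" findings over a vault export.

Added example, not Bitwarden's code. Shows (1) attributing the warning to a
concrete reason code instead of a bare "at-risk" label and (2) how a trashed
duplicate turns a unique, strong password into a false "reused" positive.
"""
from __future__ import annotations

import hashlib
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class LoginItem:          # assumed shape of one vault login entry
    id: str
    name: str
    username: str
    password: str
    deleted: bool = False  # True when the item is sitting in the Trash


@dataclass(frozen=True)
class Finding:
    code: str                      # "EXPOSED", "REUSED" or "WEAK"
    severity: str                  # "red" or "yellow"
    message: str
    related: tuple[str, ...] = ()  # ids of the other items using the same password


def sha1_upper(s: str) -> str:
    return hashlib.sha1(s.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breach corpus (HIBP publishes SHA-1 hashes). A real
# implementation would query the range API by 5-char prefix, not embed hashes.
BREACHED_HASHES = {sha1_upper("password123")}


def is_exposed(password: str) -> bool:
    return sha1_upper(password) in BREACHED_HASHES


def is_weak(password: str) -> bool:
    # Assumed placeholder heuristic: shorter than 12 chars or fewer than two
    # character classes. Any real checker would use a stronger estimator.
    classes = sum(any(f(c) for c in password)
                  for f in (str.islower, str.isupper, str.isdigit))
    classes += 1 if any(not c.isalnum() for c in password) else 0
    return len(password) < 12 or classes < 2


def reuse_groups(items: Iterable[LoginItem], include_trash: bool) -> dict[str, list[str]]:
    """Map every password shared by more than one item to the ids that use it.

    include_trash=True reproduces the false positive from the thread: a trashed
    copy of an entry makes its own (unique) password look reused.
    """
    groups: dict[str, list[str]] = defaultdict(list)
    for it in items:
        if it.deleted and not include_trash:
            continue
        groups[it.password].append(it.id)
    return {pw: ids for pw, ids in groups.items() if len(ids) > 1}


def classify(items: list[LoginItem], include_trash: bool = False) -> dict[str, list[Finding]]:
    """Return the findings for each active (non-trashed) item, one per reason."""
    groups = reuse_groups(items, include_trash)
    result: dict[str, list[Finding]] = {}
    for it in items:
        if it.deleted:
            continue
        findings: list[Finding] = []
        if is_exposed(it.password):
            findings.append(Finding("EXPOSED", "red",
                "This password has been compromised. You are strongly urged to change it."))
        if it.password in groups:
            others = tuple(i for i in groups[it.password] if i != it.id)
            findings.append(Finding("REUSED", "yellow",
                f"Re-used password. {len(others)} other stored account(s) have the same password.",
                others))
        if is_weak(it.password):
            findings.append(Finding("WEAK", "yellow",
                "Password fails the strength heuristic."))
        result[it.id] = findings
    return result


# Constructed vault modelled on the scenarios in the thread: an Apple ID whose
# old copy (different email, same generated password) is still in the Trash,
# two shop logins sharing a breached password, and one clean entry.
VAULT = [
    LoginItem("1", "Apple ID", "me@example.com", "Xq7!vR2p$Lm9wT4zBn"),
    LoginItem("2", "Apple ID (old email)", "old@example.com", "Xq7!vR2p$Lm9wT4zBn", deleted=True),
    LoginItem("3", "Shop A", "me@example.com", "password123"),
    LoginItem("4", "Shop B", "me@example.com", "password123"),
    LoginItem("5", "Forum", "me@example.com", "K8#dN3qW!sZ1mV5yHf"),
]


if __name__ == "__main__":
    for mode in (True, False):
        print(f"include_trash={mode}")
        for item_id, findings in classify(VAULT, include_trash=mode).items():
            for f in findings:
                print(f"  item {item_id}: [{f.severity}] {f.code}: {f.message} {f.related}")
```

Running it with `include_trash=True` flags the Apple ID as REUSED solely because of its trashed twin; with the default `include_trash=False` it is clean, while the two shop logins each get separate EXPOSED, REUSED and WEAK findings with the sibling id attached, which is the per-reason presentation the posts above ask for.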