First off, I like the thought behind the feature. Making me aware of the security reports, leaks, weakness, etc. in the UI directly without me having to navigate to the security reports themselves is very nice, imo.
What bugs me is the ambiguity of the message. If there are specific reasons for flagging the password as “at-risk” then it would be much better if that reason was named directly in the message banner.
@Evnia I moved your comment into its own thread, because it proposes a change that is different from the feature request in which you had originally posted (Options to disable or dismiss permanent "Change at-risk password" warnings). Each feature request topic must include only a single suggestion (or else it becomes impossible to interpret the vote count).
Thanks. Sorry, my bad.
I’m seeing the new “password at-risk” banner on multiple vault items where the passwords are 14–20+ characters long, randomly generated by Bitwarden, not reused anywhere. At this point I have more than eight such cases. And a couple of cases are paired with unique (and long!) usernames.
That makes this a signal-quality problem, not a hygiene problem.
“At-risk” currently collapses very different conditions into a single warning with no attribution: known exposure, reuse, or heuristic weakness. Those are not equivalent risks and should not prompt the same response.
Modern guidance, including NIST SP 800-63B, explicitly discourages arbitrary password rotation absent evidence of compromise. Labeling high-entropy, non-reused, manager-generated passwords as “at-risk” without explanation nudges users toward exactly that behavior.
If a password is exposed, say so. If it’s reused, say so. If it fails a heuristic test, say so.
But “trust us, rotate” is not risk management.
This feels like a UI shortcut that needs refinement. A simple reason code would immediately restore clarity and trust.
@pcox Welcome to the forum! I moved your comment into this feature request topic, which is more relevant to your concerns.
It would be helpful if you could provide additional detail, to help us determine if there is a bug causing the false-positives that you are observing. For example, there is a known bug that causes the warning banner to be displayed when a copy of the login item (or an unrelated login item with the same password) is present in the Trash.
Agreed, I’ve just had this message and all it does is take me to my AppleId webpage! Totally useless and considering that Bitwarden generates all my passwords using complex password types of 12-14 in length, I don’t consider this warning to be of any use whatsoever! All this does is suggest Bitwarden password generation is crap. I want to know why it thinks there’s an issue. It’s just like saying “there’s a problem with your password” - what the hell does that mean?
Come on, this is causing unwarranted stress.
This interpretation would not be warranted. It is much more likely that your AppleID was found in a data breach, or (perhaps most likely) that you have a duplicate of the same password in another vault entry (perhaps in the Trash).
Until this feature request is implemented, you may be able to get some insight by logging in to the Web Vault and running the following reports:
If all reports come back negative (specifically, if your flagged AppleID password is not included in any of the three reports), please report back so that we can investigate whether there is a bug.
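To illustrate the two points raised in this thread (reason codes instead of a bare “at-risk” label, and the Trash-duplicate false positive), here is an added example that is not Bitwarden’s code; the vault entries, the breach set and the reason strings are all constructed for the demonstration, and the strength heuristic is a hypothetical stand-in.

```python
from collections import defaultdict

# Constructed sample vault. Item 2 is a Trash copy of item 1 (same password,
# different email), which is the false-positive case described in the thread.
VAULT = [
    {"id": 1, "name": "Apple ID", "username": "alice@example.com",
     "password": "Xq7!vR2p#mL9wZ4b", "deleted": False},
    {"id": 2, "name": "Apple ID (old)", "username": "alice.old@example.com",
     "password": "Xq7!vR2p#mL9wZ4b", "deleted": True},  # in Trash
    {"id": 3, "name": "Shop", "username": "alice", "password": "Shop2021", "deleted": False},
    {"id": 4, "name": "Forum", "username": "alice", "password": "Shop2021", "deleted": False},
    {"id": 5, "name": "Bank", "username": "alice", "password": "hunter2", "deleted": False},
]
# Constructed stand-in for a breached-password lookup (a real check would query
# a breach service by hash prefix rather than hold plaintexts in a set).
EXPOSED = {"hunter2"}

def weak(pw):
    """Hypothetical strength heuristic: too short or too few character classes."""
    classes = sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])
    return len(pw) < 12 or classes < 3

def assess(vault, exposed, include_trash=False):
    """Return {item_id: [reason codes]} so the banner can say *why* it fired.
    include_trash=True reproduces the Trash-duplicate false positive."""
    items = [i for i in vault if include_trash or not i["deleted"]]
    by_pw = defaultdict(list)
    for i in items:
        by_pw[i["password"]].append(i["id"])
    result = {}
    for i in items:
        reasons = []
        if i["password"] in exposed:
            reasons.append("EXPOSED")
        if len(by_pw[i["password"]]) > 1:      # shared with another live item
            reasons.append("REUSED")
        if weak(i["password"]):
            reasons.append("WEAK")
        result[i["id"]] = reasons
    return result

def banner(reasons):
    """Render an attributed warning instead of a bare 'change at-risk password'."""
    if not reasons:
        return None
    text = {"EXPOSED": "appears in a known data breach",
            "REUSED": "is also used by another vault item",
            "WEAK": "fails the strength heuristic"}
    return "Change this password: it " + "; ".join(text[r] for r in reasons) + "."
```

With `include_trash=True` the Apple ID item is flagged REUSED purely because of its Trash copy; excluding deleted items clears it, while genuinely reused, weak or exposed passwords keep an explicit reason.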
AppleId has had email address changed but not password and all other passwords are unique, so it would appear that a reused password is flagged even if only the email has been changed. As I’ve changed my email again lately this has now caused multiple flags, so I’m ignoring them all.
There is already a FR that could accomplish this (and more): Vault Health Dashboard - All Reports should do automatic lookups and alerts. Basically, instead of having a separate detection mechanism, leverage the existing reports to do the heavy-lifting. “Change at-risk password”, does not tell me much, but “Is on Reused passwords report” would be immensely helpful.
And, bonus, as new reports are added or improvements are made, the alert/warning would inherit them:
Agreed. This feature is basically useless unless I know “Why” my password is “At Risk”. Like, I appreciate Bitwarden for looking out for my “digital security health”, but “Change this because we said so” is not an acceptable prompt.
Agreed. “Why” is a must-have. (It’s annoying that I can’t vote for this request. I created a community account just so I could do that.)