I’m seeing the new “password at-risk” banner on multiple vault items where the passwords are 14–20+ characters long, randomly generated by Bitwarden, not reused anywhere. At this point I have more than eight such cases. And a couple of cases are paired with unique (and long!) usernames.
That makes this a signal-quality problem, not a hygiene problem.
“At-risk” currently collapses very different conditions into a single warning with no attribution: known exposure, reuse, or heuristic weakness. Those are not equivalent risks and should not prompt the same response.
Modern guidance, including NIST SP 800-63B, explicitly discourages arbitrary password rotation absent evidence of compromise. Labeling high-entropy, non-reused, manager-generated passwords as “at-risk” without explanation nudges users toward exactly that behavior.
If a password is exposed, say so. If it’s reused, say so. If it fails a heuristic test, say so.
But “trust us, rotate” is not risk management.
This feels like a UI shortcut that needs refinement. A simple reason code would immediately restore clarity and trust.
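To make the "reason code" idea concrete, here is an added example (my own illustration, not Bitwarden's code or the poster's) of how a vault-health check can attribute each flag to a distinct condition instead of emitting one undifferentiated "at-risk" banner. The vault items, the breach corpus and the thresholds are all constructed for the example; the breach lookup mimics a k-anonymity range query (only a 5-hex-character SHA-1 prefix would leave the client) against a local stand-in index, and the strength heuristic is a simple character-pool entropy estimate. The point it shows: a long, unique, generated password receives no flag, a long password found in a breach corpus is flagged EXPOSED only, a strong password used on two items is flagged REUSED, and a short one is flagged WEAK.

```python
import hashlib
import math
from collections import Counter
from dataclasses import dataclass

# One reason code per distinct condition, so the UI can state *why*.
EXPOSED = "EXPOSED"   # hash present in a breach corpus
REUSED = "REUSED"     # identical password on more than one vault item
WEAK = "WEAK"         # fails a local strength heuristic


@dataclass(frozen=True)
class VaultItem:
    name: str
    username: str
    password: str


def build_breach_index(breached_passwords):
    """Index SHA-1 digests by 5-hex-char prefix. This is a constructed stand-in
    for a k-anonymity range API: a real client would send only the prefix and
    compare the returned suffixes locally."""
    index = {}
    for pw in breached_passwords:
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


def is_exposed(password, index):
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in index.get(digest[:5], set())


def estimated_entropy_bits(password):
    """Crude upper-bound estimate: length * log2(character pool size)."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33
    return len(password) * math.log2(pool) if pool else 0.0


def is_weak(password, min_length=12, min_bits=60.0):
    # Thresholds are assumptions chosen for the example, not a standard.
    return len(password) < min_length or estimated_entropy_bits(password) < min_bits


def assess_vault(items, breach_index):
    """Return {item name: reason codes in fixed order}; unflagged items map to []."""
    counts = Counter(item.password for item in items)
    report = {}
    for item in items:
        reasons = []
        if is_exposed(item.password, breach_index):
            reasons.append(EXPOSED)
        if counts[item.password] > 1:
            reasons.append(REUSED)
        if is_weak(item.password):
            reasons.append(WEAK)
        report[item.name] = reasons
    return report


def describe(name, reasons):
    """User-facing line that names the condition instead of a bare 'at-risk'."""
    return f"{name}: ok" if not reasons else f"{name}: at risk ({', '.join(reasons)})"


# Constructed sample vault and breach corpus (all values invented for the example).
BREACH_INDEX = build_breach_index(["password123", "CorrectHorseBatteryStaple"])
SAMPLE_ITEMS = [
    VaultItem("bank", "user.long.unique@example", "q7R#mZ2v!Lp9$Wx4eK8n"),  # 20 chars, generated
    VaultItem("forum", "alice", "CorrectHorseBatteryStaple"),              # long, but breached
    VaultItem("shop-a", "alice", "Tr0ub4dor&3xyzABC"),                      # strong, but reused
    VaultItem("shop-b", "alice2", "Tr0ub4dor&3xyzABC"),
    VaultItem("old-wifi", "admin", "summer2024"),                           # short, low entropy
]
REPORT = assess_vault(SAMPLE_ITEMS, BREACH_INDEX)

if __name__ == "__main__":
    for item in SAMPLE_ITEMS:
        print(describe(item.name, REPORT[item.name]))
```

Each code maps to a different response: EXPOSED warrants rotation, REUSED warrants giving the duplicate items their own generated passwords, and WEAK warrants regenerating, while an item with an empty list needs nothing, which is what the NIST SP 800-63B guidance quoted above implies for high-entropy, unique, uncompromised secrets.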