Do you think you should change your master password, say after a year?

Changing an account password periodically is not a bad practice.

Forcing users to change them periodically is a bad practice. It has been proven that when you force a periodic password change to your users, they end up choosing weaker ones. That’s why it is a bad practice.

My personal opinion is that, if you follow good password hygiene, you should change a password only when you have the slightest suspicion that it could be compromised.

However, changing a password periodically mitigates the risk for an account whose password could be compromised without you knowing it.

I find this logic (adding some characters to change a password) completely flawed.

If your password was compromised (or you want to mitigate the risk that it could be without your knowledge), it makes no sense at all not changing it for a completely new and different one.

If you add a couple of characters to an hypothetically compromised password, the new one will only be (at most) marginally better.

And, most surely, it will be trivial to crack for someone that has your previous one. Which defeats the purpose of changing it.

2 Likes

This is technically true, but in practice, it is unlikely to have any real security benefits (in most cases). The exceptions would be for situations in which damage can accumulate with repeated uses of the compromised credential (i.e., if the attacker can gain something by repeatedly using the stolen credential, while remaining undetected each time), or for scenarios in which the password rotation frequency is extreme (e.g., daily or hourly).

If the attackers’ wait time from the acquisition of the password until its use is Poisson-distributed with a mean time delay T, then rotating the password at an interval t will reduce the risk of an vault breach by a probability that is approximately equal to

pt /T

(approximation valid for small p only). Thus, to reduce the risk by a meaningful amount (say p < 0.01), then we need to set the rotation interval to a value

t < 0.01 T

Therefore, even if the average attacker were to wait a whole year (!) after stealing your master password before they try to breach your vault, you would need to rotate your master password twice a week for this to be an effective strategy.

1 Like

Thank you.
kpiris, my password has not been compromised. No reasons to believe it at least. I simply thought it would be stronger with 3 more characters, because I just read an article talking about the supposedly rught minimum lengtht for a password. No problem at all for the moment.

A few other thoughts to protect your vault that hopefully are not news to you.

  1. If you are not already using MFA to login to your vault, you should add it. Either Yubikey or TOTP are your best bets.
  2. Make sure you have an emergency sheet that includes your recovery code and if using TOTP, your TOTP secret key.
  3. Create an occasional backup/export.
1 Like

yes, good advice
I use MFA on many sites, absolutely.

I don’t have this emergency sheet, I have to deal with the problem.
I exported the vault to a USB key one year ago or so but it is no longer up to date,
I encrypted that key . it’s too complicated. I think I formatted the key recently!
all this is very time-consuming but yes it is important

QUESTION : What about passkeys?
are you using them or not at all?

1 Like

Just as a short note: Since a few months, if I remember correctly, it is possible to do also passwort-protected (encrypted) exports directly: Encrypted Exports | Bitwarden Help Center

Avoid the account-restricted option - and for “password-protected-export”: do note that export-password on your emergency sheet then as well.

Please clarify what you mean by that:

  1. Do you mean one or more passkeys as access to your Bitwarden account/apps? (Log in with Passkeys | Bitwarden Help Center)
  2. Or do you mean passkeys for your services/accounts and you think of storing passkeys for that in your Bitwarden vault? (Storing Passkeys | Bitwarden Help Center)

(of course, you can also mean both)