Before submitting this as an official feature request, I wanted to share the idea here to gather initial thoughts and see if others in the community are facing the same challenge—or have found alternative approaches.
Feature Request: Enforceable Password Complexity Policies for Vault Entries
Rationale:
Bitwarden currently does not offer a way to enforce password complexity standards on stored vault entries - unlike the enforceable policy available for master passwords. While we are aware of the Vault Health Reports that can retroactively identify weak passwords and allow follow-up with users, this approach is reactive, manual, and still permits weak credentials to be saved initially - leaving an unnecessary window of exposure. What’s missing is a proactive control mechanism that prevents weak passwords from being stored in the first place. Enforcing password complexity at the point of entry would ensure consistent adherence to organizational policies and significantly improve overall security posture by removing the dependence on user behavior and after-the-fact audits.
Feature Request:
Add support for enforceable password complexity policies for all stored vault entries.
Specifically:
The ability to define custom complexity requirements (e.g., minimum length, special characters, character types, etc.).
The ability to block or warn users - depending on configured policy - when attempting to save a password that does not meet the defined requirements.
Enterprise users already have the ability to configure the minimum length of passwords generated by the password Generator.
Thus, the best way to implement what you are asking for would be to block users from manually entering or modifying passwords (accepting only passwords produced by the Generator). By then setting an appropriate minimum password length, you will be able to ensure that passwords are sufficiently strong (e.g., a 24-character minimum for passwords and a 6-word minimum for passphrases would ensure that the entropy of generated passwords is in the range 72–152 bits, at a minimum).
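An added illustration (not Bitwarden code, and not from any poster) of the two ideas in the request and the reply above: a configurable entry-level policy with block or warn behaviour, and the entropy arithmetic behind enforcing a generator minimum length. The policy fields, the `service_allows_special` switch and the 7776-word list size are assumptions chosen for the example.

```python
import math
import string
from dataclasses import dataclass

@dataclass
class PasswordPolicy:
    # Hypothetical policy shape mirroring the request: minimum length,
    # required character classes, and whether a failing save is blocked or flagged.
    min_length: int = 16
    required_classes: tuple = ("lower", "upper", "digit", "special")
    mode: str = "block"  # "block" refuses the save; "warn" saves but flags it

CLASS_TESTS = {
    "lower": lambda c: c.islower(),
    "upper": lambda c: c.isupper(),
    "digit": lambda c: c.isdigit(),
    "special": lambda c: c in string.punctuation,
}

def policy_violations(password, policy, service_allows_special=True):
    """List the requirements `password` fails. `service_allows_special=False`
    models a site that forbids special characters, so that class is not demanded."""
    violations = []
    if len(password) < policy.min_length:
        violations.append(f"length {len(password)} < {policy.min_length}")
    for cls in policy.required_classes:
        if cls == "special" and not service_allows_special:
            continue
        if not any(CLASS_TESTS[cls](c) for c in password):
            violations.append(f"missing {cls} character")
    return violations

def evaluate_save(password, policy, service_allows_special=True):
    """Decision at save time: 'accept', 'warn' (saved, flagged) or 'block'."""
    violations = policy_violations(password, policy, service_allows_special)
    if not violations:
        return "accept", []
    return policy.mode, violations

def generated_password_bits(length, alphabet_size):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)

def passphrase_bits(word_count, wordlist_size=7776):
    """Entropy of a random passphrase; 7776 words is the EFF long-list size."""
    return word_count * math.log2(wordlist_size)

if __name__ == "__main__":
    print(evaluate_save("Winter2024", PasswordPolicy()))  # constructed weak sample
    print(round(generated_password_bits(24, 26)), round(passphrase_bits(6)))
```

Running it shows the constructed sample `Winter2024` being blocked for length and a missing special character, and that 24 lowercase-only characters or 6 random words already exceed 75 bits.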
The vault seems like the wrong place to enforce password rules. That belongs on the website itself. Also, current advice is that complexity is counterproductive.
Implementing rules on what one can store seems like a really good way to cause people to decide that using a vault in the first place does not work for them.
Did you ultimately submit this as a Feature Request? I wanted to also post the same thing. I do agree with DenBesten in that it would deter users from using vaults, but I think that is an issue that can be mitigated with training or security culture improvements. On his thoughts on where enforcement should occur, that is not always something admins have control over. Say a vendor decides to use some file sharing service you need to sign up for... I’d rather the vault enforce the password requirement than rely on whatever the site requires. Yes, sites should require a good password policy, but I’d rather assume theirs is worse than mine.
I’d also say that maybe there can be different toggleable behaviors on what happens if a password is out of compliance. Maybe autofill simply won’t work until a more compliant password is saved in the vault. Maybe the user just gets daily reminders to change the password. IDK the correct solution, but I think having it as an option would be a game changer. Multiple cybersecurity frameworks have a requirement for a password policy, but there are very few tools that can encompass multiple IDPs or sites to show compliance. Oftentimes, checking off that box on a cybersecurity checklist that says we are compliant in 95% of accounts, and here’s the proof, has real-world cost savings (cyber insurance), something Bitwarden can use to sell their product.
I just was about to ask the same question… And the same with the enforcement of special characters: what do you do when the service doesn’t allow any special characters?
And for enterprise accounts, I want to mention that there is also “Access Intelligence”: