Expiration Reminders for all vault items (including repeating intervals)

I wish to see this feature available as well.
My requirements:

  1. I can set the frequency of the password change reminder (3m, 6m, 9m, 1y). I can override the next password change date.

There are accounts that I hope to change frequently and some less frequently. So a password policy should be available for us to set. bw will notify us when we need to change a password.

  2. I can mark an account to have its password changed soonest.

Sometimes we might need to use other people’s computers or a public computer to do something. Even though we will log off afterwards, I wish to change the password as soon as I can.
So during login on someone else’s computer, upon reading my password from bw, I wish to mark the account to have its password changed soonest. I can then change the password after getting back to my own computer, maybe within 1-2 days, etc.

Fully agree: date field would be very welcome.

Fine to split the request in two, add custom field date soon and add the “notification” functionality later.
Having a date field can have multiple purposes: expiration date, date created, date of purchase, DOB, etc. Not for all of them a reminder is wanted/needed.

For the custom date field: full date but preferably also: month/year (e.g. for cc expiration date)

Related: for the 1Password import, currently the date fields are imported as Epoch timestamps (e.g. -23395600 [before 1970] and 1434728860). That is not very useful. Would be great if they can be imported as date strings e.g. “March 8, 2021” or “2020-03-08”.

Our company needs this feature as well… Seems like an easy no-brainer.

Automatic password change reminders

Feature function

It would be cool if bitwarden could automatically remind the user after x days (say, 3 months, 6 months, a year, etc.) to change their password for a service. Pretty simple. It’d be disabled by default, and someone can turn it on if they want.

Related topics + references

1 Like

Many experts say that there is no use in changing the password. You should change your password only if your account is breached or the password is weak.

4 Likes

And amongst the reasons they recommend not regularly changing passwords is that it encourages weak/reused passwords.

https://www.howtogeek.com/187645/htg-explains-should-you-regularly-change-your-passwords/

2 Likes

Interesting - I had not heard this advice before, and I am trying to think through whether there would be any disadvantage when generating/storing random passwords in a password manager like BW? Obviously, there is a small amount of time needed to do this on a regular basis, but are there other disadvantages? Or is this guidance more aimed at users trying to recreate memorable passwords, like David mentions above?

If you are using a strong password (15+ chars, caps, small, numbers and symbols in a random order) it will take (statistically) on the order of 5000 years to crack. If the cracker is lucky, he might find it in a year or two. Changing the password oftener will not materially affect the outcome. (A new password might be cracked in two whereas the original one would have required 5000 years!)

1 Like

Or… the old password might have been cracked in a year or two, as you originally suggested, and by updating it you may have extended it to 5000 years. It goes both ways with random passwords, I believe.

Essentially, the statistical expectation of how long it would take for a strong (e.g., random) password to be cracked is a function of the number of digits and how many characters are used per digit. So if you are trying to say that changing it frequently will not really affect that expectation, I would agree. But I still don’t see a significant downside to doing it, other than the effort required, right?

1 Like

Remember there is one more requirement if you are never going to change a password but depend on the strength of the password. Every password has to be used at only one site! A strong password is more likely to be compromised by the site where one is logging on than by actually cracking it. (I have read that there are actually some sites that store passwords as plain text! Those are the sites that the hackers are really looking for. That and for the people who are using the passwords like ‘qwerty’ for every site that they log onto!)

That is the problem of changing passwords periodically. I have more than 100 of them. It is not a trivial task even using a password manager that can quickly generate complex passwords and do most of the grunt work in making the changes. When I have made password changes (mostly to replace weak passwords), I have always checked the new password immediately to verify that everything went down properly by logging into the site.

But you are right, there is no significant downside to changing a password, but there is no significant upside to doing it either (unless the site itself is compromised). So why would anyone want to do it…

Agreed.

One of the downsides, for those of us who keep several copies of passwords, is that during/after each change one needs to update one’s records of passwords. In my case that involves updating records on a few local discs and those stored online, as well as updating my backup password manager. That is a hassle I can do without, unless there is a reason to change a password.

Many experts say that there is no use in changing the password. You should change your password only if your account is breached or the password is weak.

And amongst the reasons they recommend not regularly changing passwords is that it encourages weak/reused passwords.

And then there’s some (bad) websites that require you to change your password regularly. Also, it just reassures some people.

But if you’re using bitwarden, then I’m assuming your password looks like this: 62px7D1m&N0gQVDR$Bm$g0!NtAt*cj, as mine do.
This isn’t a feature to replace basic security advice, that still fully applies.

Remember there is one more requirement if you are never going to change a password but depend on the strength of the password. Every password has to be used at only one site! A strong password is more likely to be compromised by the site where one is logging on than by actually cracking it.

Of course. That was completely implied. I use unique passwords everywhere, and have been slowly phasing out any old passwords I used to use, which were all the same. (Sometimes it’s hard to do, because I forget which ones have the old password as I just use CTRL + SHIFT + L to autofill them.)
(Also, something to warn the user of identical passwords would be good too. Idk if that’s a suggestion or not, but it’s out of the scope of this feature request.) (I just checked and it’s a thing, but it’s premium only. Rip.)

Add a password / site login expiry date which is optional

There are a few websites / software programs that I use that:

  • either need logging in to every month / 3 months / 12 months
  • or that I like to change the password for occasionally

If you can add an expiry date to each record that is (optionally) flagged on BitWarden login to allow you to choose to login to the site or software and change the password or reset your usage counter for the site.

One reason I’m particularly interested in this feature is because I serve several clients at work, and for a couple of them I can’t reset my password after it expires. I know… it’s extremely stupid. So to save me a 30-60 minute call to my customer’s helpdesk for a password reset, I need to reset my password before it expires. Being able to search for passwords that will expire soon in Keepass is extremely helpful in this regard.

Being able to set a password expiration date and time (preferably with a timezone, too) and then being able to see what passwords will expire in X days or have already expired is an excellent feature to incorporate.

As it is now, I’m simply recording ISO 8601 date/time stamps in a custom field, but I can’t run any kind of report on that to say what’s expiring soon.

1 Like
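
The report the post above asks for, over ISO 8601 values kept in a custom field, as an added example that is not part of the thread or Bitwarden's own code. It assumes an unencrypted JSON export loaded into a dict with an `items` list whose entries carry `name` and `fields` (name/value pairs); the field name `Expires` and the sample entries are hypothetical, and all-digit values are read as epoch seconds like the 1Password-imported ones mentioned earlier in the thread.

```python
import re
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def parse_when(value):
    """ISO 8601 string or epoch seconds -> aware UTC datetime, or None."""
    value = value.strip()
    if re.fullmatch(r"-?\d+", value):
        # Epoch seconds (1Password import); timedelta also handles pre-1970 values.
        return EPOCH + timedelta(seconds=int(value))
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"  # older Pythons reject the Z suffix
    try:
        when = datetime.fromisoformat(value)
    except ValueError:
        return None
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)  # assumption: no offset means UTC
    return when.astimezone(timezone.utc)

def expiry_report(export, now, within_days=14, field_name="Expires"):
    """Return (item name, status, when) rows, soonest first."""
    rows = []
    for item in export.get("items", []):
        for field in item.get("fields") or []:  # "fields" may be null
            if field.get("name") != field_name:
                continue
            when = parse_when(field.get("value") or "")
            if when is None:
                rows.append((item["name"], "unparseable", None))
            elif when <= now:
                rows.append((item["name"], "expired", when))
            elif when - now <= timedelta(days=within_days):
                rows.append((item["name"], "expiring", when))
    return sorted(rows, key=lambda r: (r[2] is None, r[2] or now))

# Constructed sample in the assumed export shape; not real vault data.
SAMPLE_EXPORT = {"items": [
    {"name": "client-a vpn", "fields": [{"name": "Expires", "value": "2024-07-01T09:00:00-05:00"}]},
    {"name": "client-b portal", "fields": [{"name": "Expires", "value": "2024-06-10T00:00:00Z"}]},
    {"name": "imported card", "fields": [{"name": "Expires", "value": "1434728860"}]},
    {"name": "far off", "fields": [{"name": "Expires", "value": "2025-01-01"}]},
    {"name": "no custom fields", "fields": None},
]}
NOW = datetime(2024, 6, 20, 12, 0, tzinfo=timezone.utc)
if __name__ == "__main__":
    for name, status, when in expiry_report(SAMPLE_EXPORT, NOW):
        print(f"{status:11} {when.isoformat() if when else '-':25} {name}")
```

Storing the offset with the timestamp, as the post suggests, is what lets the comparison against `now` stay correct across time zones.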

Would it be possible to split this request again?
This so it is possible to vote on (and build) them separately:

  1. date field (full date and mm/yy) + correct 1Password import
  2. date field expiration monitoring

The first one has a much higher priority for me than the 2nd.

Sounds similar to this one:
http://community.bitwarden.com/t/store-and-monitor-expiration-dates/1432

In general / as a prerequisite: this needs a “date” field.

My suggestion: first create custom date field, and later add expiration / monitor functionality.

2 Likes

For the long time roadmap, you should add a function to change the password automatically.

Like a macro, the user shows Bitwarden how to change a password and then it does it itself and no one needs to worry about it anymore.

That would be the best solution.

For everyone who wants to see the nitty-gritty, head over to github:
https://github.com/bitwarden/browser/pulls

Also, BW has 1000s (?10s of 1000s?) of users, and oh about 15 staff/devs (I make this number up every time I post something like this: I really have no idea how big they are).

So, let’s all keep this in mind as we bombard them with feature requests and “Why isn’t my requested feature implemented yet?”. BW isn’t Microsoft (thank goodness). Priorities have to be made.

Thanks for your understanding.

5 Likes

Hi All,
I guess that would be a very good plus a ‘reminder’ to change the passwords stored in the vault, kind of deadline or expiration notice, maybe with a day counter field?

Thanks in advance.

Thank you for your post!

Which password are you referring to? Your Bitwarden master password, or the passwords stored in your vault? It’s actually no longer best practice to routinely change passwords - both NIST and the NCSC recommend only changing your password if you suspect it has been compromised.

1 Like