New Raport section - "Old & unchanged" passwords


#1

Hi!

There are various options for checking password security inside Vault - Tools
What about adding tool for “Unchanged passwords”? or “Aged passwords”?

As we all know, database leaks happen all the time. It would come especially handy with services that contain personal information, but do not offer 2FA (and you can easily forget to change password every now and then).

Currently Bitwarden keeps track on when and how many times you have changed account X’s password. However, it would take lot of time to go over all accounts and check the last password change date.

What are your thoughts on this?


#2

I think it’s a decent feature to have, although not one that adds very much in the way of security if you use a strong, randomly generated password.

Assuming that a website properly encrypts passwords, even if the database was to be compromised your password would still be safe from brute force, dictionary or rainbow table cracking.

But as I said, it’s a decent feature which should be easy to implement, so I see no reason not to do it.


#3

Thanks for input - tou yook the words right out of my mouth :slight_smile:

It won’t polster security per se, but it could help to get overview of password health.


#4

+1 from me.

This was also mentioned in the password hygiene feature request but didn’t make it to the final feature release.

Now bit warden maintains and displays password history data this should be easier to implement on the frontend/s.


#5

In the meantime I use a manual workaround to generate quick info on my “old passwords” with the CLI. Figured I’d share it here for reference in case it’s useful to anyone else.

Pre-requisites:
-BitWarden CLI installed and configured: https://help.bitwarden.com/article/cli/
-jq installed (example for Linux: sudo apt install jq)

I then just run this command:
bw list items | jq -r '.[] | "\(.login.passwordRevisionDate) \(.login.username) \(.name)"' | awk '$2!="null"' | sort -r | less

This will output all items from your BitWarden Vault and pipe the JSON data through jq to filter on the specific items of interest. You’ll be presented with a list of all your logins sorted by the first column that contains the password modified date. If this value equals “null” it means that you’ve never updated the password for that item after initially adding it to your vault. Otherwise all non-null items are sorted by their date value.

FYI: I use awk '$2!="null"' to filter out items from the vault that do not have a username (Identity, Bank Card, and Secure Notes) since I couldn’t find a way with BW CLI to only list Logins.