One-click automatic password changer (on the websites + in the vault)

Change passwords in sites automatically with a click of a button

1 Like

Possibility of auto change password, with one click, I enjoy this. Like Dashlane and LastPass. Maybe script creation by the community would be necessary.

1 Like

Discussion on HN:
https://news.ycombinator.com/item?id=18618193

I got interested in this after reading ctrl blog’s follow-up Bitwarden review. It would be a really useful feature but I believe that it would require too many resources to develop and maintain. LastPass have more resources than Bitwarden and they’re limited to only 80 websites!

That sounds like a horrible idea and would open up for hijacking. The Bitwarden team would have to dedicate resources to register with every service out there and carefully review each of the community submitted scripts.

This handles the password-change-form discovery but doesn’t specify anything that would be useful for automating password changes. The spec is also unclear on a number of things. E.g. what happens if the user is not logged in? Do you show a login form and then redirect to the change form? This behavior is undefined.

1 Like

I could maybe see this being practical for us but rather impossible to account for every site type. Maybe for your top sites (Microsoft, FB, Google, Twitter, Amazon, eBay, etc.) and if phpBB, vBulletin, and other popular forum packages offer a uniform code structure to recognize. Other than that I couldn’t see many more capabilities. Even LastPass’s can only do it for a handful of popular sites.

It would be great to be able to change all my passwords with one click instead of having to change them manually.

1 Like

It’s not clear from your one-sentence explanation how exactly the proposed feature should work. Could you please fill in the form and describe it in more depth, and provide some typical use cases?

A Password Changer can automatically change the passwords for many of your saved websites by directly logging in, generating strong, unique passwords, then changing the passwords for those sites on your behalf.

Everything is done automatically. You will see the window showing the status of each password change and confirmations that your passwords were successfully changed.

3 Likes

An automated password changer sounds like a step above a premium feature.
A feature where you could set how often (either per saved login or for all passwords) you want your passwords changed. Also the feature should immediately and automatically change any password that has been compromised.

The Bitwarden software would have to know the site link where password changes are done from for each saved login.

For some sites this may not be possible as the sites want to send you a password or text to change your password, but it is possible for sites that only ask for the original password and the new password in order to change the current password.

I get excited thinking about this feature. If you didn’t start using a password mgr as soon as you started using the internet, then it’s highly likely you have many sites with the same password, making many people more vulnerable. A feature like this could change all of that. Being the first software with such a feature sounds like a game changer.

3 Likes

That’s a good idea.

I would like to change a few passwords from time to time, not all of them and not regularly, so a button to do that with an individual entry would be ideal.

1 Like

This is a standard feature in LastPass Premium and Dashlane paid version.

9 Likes

Has anyone here actually used the automatic password changers in other password managers?

They’re not that great and only work for a few websites, most of which no one uses.

Every website is different and each must be programmed and kept updated because all websites change.

There is also the issue of where to change the password. For example, Dashlane does it on their server so that means your plaintext password exists outside your vault and on their server. LastPass does it in the extension but it’s not as reliable as the conditions change because everyone’s web browsers are set up differently. That is why Dashlane does it server side because they control the environment but that also means they see your plaintext password when they do it.

Until websites adopt a standard for password managers to use to auto change passwords, this feature is not worth it.

Not only that, but this feature is not worth it once all your passwords are unique. Changing passwords often doesn’t help better secure you. You only need to change a password if you think it’s been breached or stolen. Until then the password can stay like it is because it’s unique.

2 Likes

As @dangostylver said, we will have to program each website.
But the power of Bitwarden for me is the community, so we just have to create the generalized feature, including:

  • pop-ups asking for mail / SMS verification
  • auto TOTP login
  • (other features?)

And then, the community could add more and more websites slowly but surely.

I think it will be a huge feature and a game changer for Bitwarden. Because as far as I know, Dashlane’s password changer is not powerful, because not a lot of websites are available and it’s impossible for them to implement all websites.
But imagine with our community of developers that we could manage more websites than Bitwarden’s competitors.

It’s a good feature request but we could redo the 1st post for description. @mdc1022 may you edit it?

3 Likes

@dangostylver I used autochanger in LastPass. Yes, this was not great, but 80% of my site creds were successfully changed.
I vote for, nice feature.

5 Likes

I studied the topic for a dissertation, and there have been proposals that the community could share the password lifecycle endpoints of sites, and these could be upvoted by the rest of the community…

For trivial sites like Facebook, Instagram, and the sorts, this should be easy to do (although they change their sites quite a lot).

For other types of websites, say, country-specific, there could be like a voting system. Has its downsides, but hopefully common sense could prevail.

Maybe for US sites, this feature would work quite nicely, but for other countries, I’m afraid it would just give a sense of frustration and false hope. Hence the upvoting.

EDIT: I just read carefully what @pierrebssr said in his post. Basically the same suggestion, and I agree, it seems to be a lot of work.

1 Like

If Bitwarden created a list of the sites, had people vote, then they could prioritize which sites have auto password rotation. Another idea would be the use of a JavaScript plugin per login.

2 Likes

I think this is a must-have feature; many topics on Reddit ask for it.

Hopefully it will be considered soon.

Definitely, this is a game-changing feature as long as it works nice and smoothly, which is something LastPass and Dashlane struggle with. Also agree with the above, what differentiates Bitwarden from its competitors is the community, so this is a feature that the community could own and I can easily see Bitwarden quickly amassing support for many, many websites over the likes of LastPass and its auto-changer.

This topic comes up in search results most often so I wish to bring to your attention the ‘well-known’ schema draft, which has a topic separately:

You can find the current W3C draft here: A Well-Known URL for Changing Passwords - it may be worth it for the team to at least keep an eye on the draft as it evolves. I agree this is a great case for a premium feature.

5 Likes

Oh yes, we’re watching :)

5 Likes