Any news for that feature? I think it's very important!
Yup - a vote from me too; various known leaks have led to my needing to change passwords a few times this year, and I’m aware that my long list of passwords here includes some very old logins from sites I no longer / very rarely use which are probably (still) duplicates. I used to be with LastPass too, and have used the password changer there. I’d be much more likely to change passwords more frequently - especially on more sensitive sites like my financial account and medical records - if it was easier to do. It would also be nice to get warnings when details are published online - like https://haveibeenpwned.com/ - and maybe monthly reports of which passwords have not been changed for 6M.
Hi @gaz - that is a good list of suggestions. Regarding warnings about exposed passwords, Bitwarden already makes this really easy to check - see the link below:
Hi @dh024 - thanks for the link, but I was thinking of an active alert that would pop up as a message in the web vault or the browser add-in. I know I can do my own check from time to time, but being told there’s a problem is a more immediate notification!
+1 on this, Chrome and Edge are implementing this too.
This seems to be reliant on these innovations where web developers can help automate the process:
Help users change passwords easily by adding a well-known URL for changing passwords | Articles | web.dev (A well-known URL for password changes)
Password Form Styles that Chromium Understands
& HTML attribute: autocomplete - HTML | MDN (autocomplete attribute to specify exactly what each field is for)
Despite the complexity of doing it (which is reducing as Developers get on board with the above) making it sound like a lot of work & ultra premium, at the end of the day it is good practice to make password changes easy and good for the user & security.
It is such a problem where the web has been lacking on, and why Password Managers like Bitwarden are so important in closing that gap. It should be a standard feature.
As mentioned before some competitors already offer this feature. Last time I used LastPass, this was an option there: LastPass to automatically login the websites and change my duplicate and exposed passwords.
LastPass user here. While I voted for this because it’s a nice feature that LastPass offers, there should also be an expectation that’s set. Of the 700+ passwords I have stored in my LastPass vault, there may be 15-20 that work with the automatic password change and it’s always the very popular sites like Facebook, Instagram, Amazon, etc. The ability to automatically change passwords on any site just wouldn’t be a reasonable expectation.
Correct, it wouldn’t be. But at the same time that isn’t a good reason not to implement because it still is immediately useful for the most popular sites especially for a basic user who might not even have signed up to a ton of sites to begin with, and more sites will become supported as time goes on.
So we all agree that this feature would be great to have, with just the one drawback that it is impossible to build, as proven by the fact that even LastPass can only make it work for a couple of dozen sites.
How about we build a solution that does not involve the impossibly difficult task of interacting directly with change password pages? I suggest a solution that gives the user a simple interface containing the old and new password, and the ability to copy/paste the old and new password into the change password page of any given site, and update the password in the database when done. It’s totally doable, it will work for all websites, and it will not be hard for users to understand.
I wrote up a fairly detailed proposal for this a while ago, linking here:
That’s the neat part of the fact that Bitwarden is an open source project though!
Users could do the scripting (by following Bitwarden’s instructions) and then submit them for approval. That saves them a lot of work, and makes it so that users’ requested sites actually get implemented and kept up to date.
This is my situation:
I have dozens of passwords in a notebook (yes, in paper). So, I am new to password managers. Then I choose Bitwarden for a try (yes, it's free). Then, I add every site / password I have. But, I have some passwords repeated in some websites. So, I ask, I need to use the password generator to change my old passwords for strong new passwords, but, oh my God, there is a lot of work to do. So, this feature is required in Bitwarden. When I enter in any site, I ask to change the password in that website, then Bitwarden software prompts a new password and I only have to add the suggestion and save it in Bitwarden and in the website. That would be cool.
I think a naive implementation is to provide a “change password” button for each site, and clicking it helps to jump to the change password page of that website.
In the most ideal case, old password is filled automatically by the browser plugin, and new password can be generated by just one click, and another click to confirm the change.
I agree that making the password changing process easier would be much more realistic. I had to put in quite a lot of work to get all my passwords changed when I saw all the repeated passwords after I got Bitwarden premium. Perhaps combining this with an expiry date to remind you to change passwords regularly could be a good idea?
As a developer myself, I think the way to implement something like this would be to create a rules engine/framework that can follow steps to reset a password for a given site. My vision would be something like:
- A user wants to automatically reset their password for a given site. That site is not yet in the list of “known sites” for Bitwarden, so they begin a “recording” session in Bitwarden that records the fields and URLs for resetting the password.
- Recording is completed and tested with the user’s new passwords.
- Recording is submitted for approval or some sort of voting process.
- Recording receives enough votes or an approval and it is then added to the list of “known sites” for automatic password reset in Bitwarden.
This puts the power in the hands of the users, without needing any development knowledge. I am fully aware that building this is not trivial, but it’s also much simpler than manually coding every site.
Thoughts on whether or not this method would be viable and can be implemented? I have a very old, highly used password. It is used across nearly a thousand sites. I’d like to change it, but manually doing it for every site is too overwhelming, so it remains insecure. I briefly (read: incredibly briefly) considered importing my passwords back to LastPass just to automatically change this password in as many places as possible.
Feature Name - Auto password change
I know this is a long shot because it involves many stakeholders (most are external), but the implementation itself is not. This would be a great step forward in password hygiene and re-securing compromised accounts.
Feature:
I would like to request to have an API available where, by clicking the option “renovate password”, it would automatically communicate with the associated website, request a password change and attribute one. Since I already don’t know my password, I also don’t need to know what they’ve been changed to, as when a manual change is done.
- The benefits it brings are an always strong and secure vault, exponential increase in password hygiene, and the ability to quickly and seamlessly re-secure a vault that has potentially been compromised before the hackers are able to brute force even a single password.
I think if this feature were to be developed, it would instantly stand out among the other password managers, and since it would probably become a standard, it would make Bitwarden an even bigger pioneer in this space. If we’re already considering websites having /.well-known/change-password, this would be the next natural step in the process, where they would simply add a snippet to include the API.
LastPass did have a feature like that for some major sites like Google and Microsoft.
I never used it, and it’s not there anymore. I do not know why…
On the other hand it feels like kind of easy for major sites and webapps.
You know the steps you have to take to change the password. And it could not be that hard to make a script that does all the steps. Then again if the site changes the behavior of the site, you would need to recreate the script.
A script, like you said, only works in a contained environment. An API would allow any website to easily implement the feature and have a password manager quickly change a password without having to go through the web interface. It would also greatly increase the website’s security as, in the event of having a leak of any sort, they could ask their users to change their passwords, which would be only a click away.
Again, this would allow virtually any website to be secure and allow its users to stay safe within a couple of minutes of a target, personal or business, being breached.
Hi, as a person who had a gig for a multinational security company that was creating a new product that was supposed to do this - I can tell you that it’s very difficult. Keep in mind that I worked at the bottom feeder department. However, the goal of our team was to record certain sessions on thousands of domains. Imagine the nastiest adult content to the most visited sites.
It was a nightmare. Every website behaves differently and has the password change on different pages. Popups were an issue. Email verification was an issue. Every iteration of the prototype seemed worse. Eventually, the project was scrapped, but my nightmares live on.
My take on this: Unless some standard is introduced about password change, I don’t believe it can be reliably done. Internet is a too wild, bug-ridden place.
The purpose of using a Password Manager is so that passwords can be stored in a secure place and cannot be accessed from anywhere else.
It would be great if the passwords for some items could be automatically renewed at certain intervals for security reasons. This would help us add another level of security. On the other hand, two-factor authentication is not enabled on every platform, so this could be useful in such cases.
If there was such a feature, I would definitely prefer to have the passwords of my critical accounts auto-renewed according to the password policy.
In corporate use, hundreds of accounts can be stored and the number of users accessing the vaults can increase. In such cases, this feature would be preferred.
@F_Y Welcome to the forum!
I moved your post into this existing feature request as they seem “identical”.