One Click Password Changer

I studied the topic for a dissertation, and there have been proposals that the community could share the password lifecycle endpoints of sites, and these could be upvoted by the rest of the community…

For trivial sites like Facebook, Instagram, and the sorts, this should be easy to do (although they change their sites quite a lot).

For other types of websites, say, country-specific, there could be like a voting system. Has its downsides, but hopefully common sense could prevail.

Maybe for US sites, this feature would work quite nicely, but for other countries, I’m afraid it would just give a sense of frustration and false hope. Hence the upvoting.

EDIT: I just looked carefully at what @pierrebssr said in his post. Basically the same suggestion, and I agree, it seems to be a lot of work.

If Bitwarden created a list of the sites and had people vote, then they could prioritize which sites have auto password rotation. Another idea would be the use of a JavaScript plugin per login.

2 Likes

I think this is a must-have feature; many topics on Reddit ask for it.

Hopefully it will be considered soon.

Definitely, this is a game changing feature as long as it works nice and smoothly, which is something LastPass and Dashlane struggle with. Also agree with the above, what differentiates Bitwarden from its competitors is the community, so this is a feature that the community could own and I can easily see Bitwarden quickly amassing support for many, many websites over the likes of LastPass and its auto-changer.

This topic comes up in search results most often so I wish to bring to your attention the ‘well-known’ schema draft, which has a topic separately:

You can find the current W3C draft here: A Well-Known URL for Changing Passwords - it may be worth it for the team to at least keep an eye on the draft as it evolves. I agree this is a great case for a premium feature.

3 Likes

Oh yes, we’re watching 🙂

5 Likes

Any news on that feature? I think it’s very important!

Yup - a vote from me too; various known leaks have led to my needing to change passwords a few times this year, and I’m aware that my long list of passwords here includes some very old logins from sites I no longer / very rarely use which are probably (still) duplicates. I used to be with LastPass too, and have used the password changer there. I’d be much more likely to change passwords more frequently - especially on more sensitive sites like my financial account and medical records - if it was easier to do. It would also be nice to get warnings when details are published online - like https://haveibeenpwned.com/ - and maybe monthly reports of which passwords have not been changed for 6M.

Hi @gaz - that is a good list of suggestions. Regarding warnings about exposed passwords, Bitwarden already makes this really easy to check - see the link below:

https://bitwarden.com/help/article/reports/

Hi @dh024 - thanks for the link, but I was thinking of an active alert that would pop up as a message in the web vault or the browser add-in. I know I can do my own check from time to time, but being told there’s a problem is a more immediate notification!

+1 on this, Chrome and Edge are implementing this too.

This seems to be reliant on these innovations where web developers can help automate the process:
https://web.dev/change-password-url/ (A well-known URL for password changes)
Password Form Styles that Chromium Understands - The Chromium Projects
& The HTML autocomplete attribute - HTML: HyperText Markup Language | MDN (autocomplete attribute to specify exactly what each field is for)

Despite the complexity of doing it (which is reducing as Developers get on board with the above) making it sound like a lot of work & ultra premium, at the end of the day it is good practice to make password changes easy and good for the user & security.

It is such a problem where the web has been lacking on, and why Password Managers like Bitwarden are so important in closing that gap. It should be a standard feature.
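How a password manager could use the well-known URL mentioned in the posts above, as an added example that is not code from the thread or from Bitwarden. It derives `/.well-known/change-password` from a stored login URI, applies the draft's probe for servers that answer 2xx to every path, and accepts a direct 200 or a 302/303/307 redirect; the function names, the response objects and the https-only and cross-origin-flag policy are assumptions.

```javascript
// Added example: function names and the response objects are hypothetical.
const WELL_KNOWN = "/.well-known/change-password";
// Path the W3C draft uses to spot servers that answer 2xx for every URL.
const PROBE =
  "/.well-known/resource-that-should-not-exist-whose-status-code-should-not-be-200";
const REDIRECTS = new Set([302, 303, 307]);

// Reduce a stored login URI to its origin; path, query and userinfo are dropped.
function changePasswordUrl(storedUri) {
  let u;
  try { u = new URL(storedUri); } catch { return null; }
  return u.protocol === "https:" ? u.origin + WELL_KNOWN : null;
}

// wellKnownRes: first response { status, location } for WELL_KNOWN.
// probeRes: final response { status } for PROBE after following redirects.
function resolveChangePassword(storedUri, wellKnownRes, probeRes) {
  const url = changePasswordUrl(storedUri);
  if (!url) return { supported: false, reason: "not an https URI" };
  if (probeRes.status >= 200 && probeRes.status <= 299)
    return { supported: false, reason: "status codes unreliable" };
  if (wellKnownRes.status === 200)
    return { supported: true, target: url, crossOrigin: false };
  if (REDIRECTS.has(wellKnownRes.status) && wellKnownRes.location) {
    let target;
    try { target = new URL(wellKnownRes.location, url); }
    catch { return { supported: false, reason: "bad Location header" }; }
    if (target.protocol !== "https:")
      return { supported: false, reason: "redirect leaves https" };
    // Cross-origin targets are allowed but flagged so the UI can show them.
    const crossOrigin = target.origin !== new URL(url).origin;
    return { supported: true, target: target.href, crossOrigin };
  }
  return { supported: false, reason: "no change-password endpoint" };
}

// Constructed responses for a made-up site.
const demo = resolveChangePassword(
  "https://user:pw@shop.example:8443/login?next=/cart",
  { status: 302, location: "/account/password" },
  { status: 404 });
console.log(demo.target); // https://shop.example:8443/account/password
```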

As mentioned before some competitors already offer this feature. Last time I used LastPass, this was an option there: LastPass to automatically log in to the websites and change my duplicate and exposed passwords.

LastPass user here. While I voted for this because it’s a nice feature that LastPass offers, there should also be an expectation that’s set. Of the 700+ passwords I have stored in my LastPass vault, there may be 15-20 that work with the automatic password change and it’s always the very popular sites like Facebook, Instagram, Amazon, etc… The ability to automatically change passwords on any site just wouldn’t be a reasonable expectation.

2 Likes

Correct, it wouldn’t be. But at the same time that isn’t a good reason not to implement because it still is immediately useful for the most popular sites especially for a basic user who might not even have signed up to a ton of sites to begin with, and more sites will become supported as time goes on.

So we all agree that this feature would be great to have, with just the one drawback that it is impossible to build, as proven by the fact that even LastPass can only make it work for a couple of dozen sites.

How about we build a solution that does not involve the impossibly difficult task of interacting directly with change password pages? I suggest a solution that gives the user a simple interface containing the old and new password, and the ability to copy/paste the old and new password into the change password page of any given site, and update the password in the database when done. It’s totally doable, it will work for all websites, and it will not be hard for users to understand.

I wrote up a fairly detailed proposal for this a while ago, linking here:

That’s the neat part of the fact that Bitwarden is an open source project though!

Users could do the scripting (by following Bitwarden’s instructions) and then submit them for approval. That saves them a lot of work, and makes it so that users’ requested sites actually get implemented and kept up to date.

2 Likes

This is my situation:
I have dozens of passwords in a notebook (yes, on paper). So, I am new to password managers. Then I chose Bitwarden for a try (yes, it’s free). Then, I added every site / password I have. But, I have some passwords repeated on some websites. So, I ask, I need to use the password generator to change my old passwords for strong new passwords, but, oh my God, there is a lot of work to do. So, this feature is required in Bitwarden. When I enter any site, I ask to change the password on that website, then the Bitwarden software prompts a new password and I only have to add the suggestion and save it in Bitwarden and on the website. That would be cool.

I think a naive implementation is to provide a “change password” button for each site, and clicking it jumps to the change password page of that website.

In the most ideal case, the old password is filled automatically by the browser plugin, and a new password can be generated by just one click, and another click to confirm the change.

I agree that making the password changing process easier would be much more realistic. I had to put in quite a lot of work to get all my passwords changed when I saw all the repeated passwords after I got Bitwarden premium. Perhaps combining this with an expiry date to remind you to change passwords regularly could be a good idea?

As a developer myself, I think the way to implement something like this would be to create a rules engine/framework that can follow steps to reset a password for a given site. My vision would be something like:

  1. A user wants to automatically reset their password for a given site. That site is not yet in the list of “known sites” for Bitwarden, so they begin a “recording” session in Bitwarden that records the fields and URLs for resetting the password.
  2. Recording is completed and tested with the user’s new passwords.
  3. Recording is submitted for approval or some sort of voting process.
  4. Recording receives enough votes or an approval and it is then added to the list of “known sites” for automatic password reset in Bitwarden.

This puts the power in the hands of the users, without needing any development knowledge. I am fully aware that building this is not trivial, but it’s also much simpler than manually coding every site.

Thoughts on whether or not this method would be viable and can be implemented? I have a very old, highly used password. It is used across nearly a thousand sites. I’d like to change it, but manually doing it for every site is too overwhelming, so it remains insecure. I briefly (read: incredibly briefly) considered importing my passwords back to LastPass just to automatically change this password in as many places as possible.
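A sketch of the approval gate such a community recording scheme would need before a recipe touches real passwords, as an added example that is not part of the post or of Bitwarden. The recipe format, the `{{old_password}}` / `{{new_password}}` placeholders and the vote threshold of 5 are all hypothetical; the check rejects recordings that navigate off the site's own origin, put a secret into a URL, or type anything other than a password placeholder.

```javascript
// Added example: the recipe format and the vote threshold are hypothetical.
const ACTIONS = new Set(["goto", "fill", "click"]);
const SECRETS = new Set(["{{old_password}}", "{{new_password}}"]);

// Returns a list of problems; an empty list means the recipe may be published.
function validateRecipe(recipe, minVotes = 5) {
  const problems = [];
  let site;
  try { site = new URL(recipe.site); } catch { return ["site is not a URL"]; }
  if (site.protocol !== "https:") problems.push("site must be https");
  if (recipe.votes < minVotes) problems.push("not enough votes");
  const steps = recipe.steps || [];
  if (!steps.length || steps[0].action !== "goto")
    problems.push("first step must be goto");
  steps.forEach((step, i) => {
    const at = `step ${i + 1}: `;
    if (!ACTIONS.has(step.action)) {
      problems.push(at + "unknown action");
    } else if (step.action === "goto") {
      let dest = null;
      try { dest = new URL(step.url); } catch { /* dest stays null */ }
      // Secrets must only ever be typed into the site that owns them.
      if (!dest || dest.origin !== site.origin)
        problems.push(at + "navigation leaves the site origin");
      if (String(step.url).includes("{{"))
        problems.push(at + "secret placeholder in URL");
    } else if (step.action === "fill" && !SECRETS.has(step.value)) {
      problems.push(at + "fill value must be a password placeholder");
    }
  });
  if (!steps.some((s) => s.action === "fill" && s.value === "{{new_password}}"))
    problems.push("new password is never entered");
  return problems;
}

// Constructed sample recording for a made-up site.
const sampleRecipe = {
  site: "https://forum.example",
  votes: 12,
  steps: [
    { action: "goto", url: "https://forum.example/settings/password" },
    { action: "fill", selector: "#current", value: "{{old_password}}" },
    { action: "fill", selector: "#new", value: "{{new_password}}" },
    { action: "click", selector: "button[type=submit]" },
  ],
};
console.log(validateRecipe(sampleRecipe)); // []
```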