Password (vault item) expiration date

Nail1684 · June 16, 2024, 7:33pm

… and that you could enter in your normal calendar app…

Jossk · June 16, 2024, 7:42pm

Sounds like you only need a calendar app for your passwords. It also sounds like you can do with your chosen calendar app.

Why are you here?

None of your or @Jan29 are conducive to this post.

Nail1684 · June 16, 2024, 7:55pm

Barely. I think the NIST recommendations were posted earlier. Passwords shouldn’t be changed too often, so I personally have no set date for that and decide from time to time. I reckon, to change all my passwords ever 1 to 3 or 4 years would be okay for me.

And that I can set in my chosen calendar app as easily as any appointment etc.

Thanks.

Jan29 · June 16, 2024, 7:59pm

Passwords shouldn’t be changed too often

Yes, but the problem is that some companies are forcing you to change your passwords regularly and the expiration date feature would be useful for that.
But we don’t need extra features for things that aren’t the purpose of that software.

Nail1684 · June 16, 2024, 8:04pm

Hopefully this will end some time in the future as this leads often to less secure passwords… And then: doesn’t this process initiates itself, when it is time and when you use the account then… so honest question: why do you need an expiration date for that, when the process is (mostly) offered to you by itself?

Jossk · June 16, 2024, 8:05pm

Yes, I agree the NIST recommendations are very sensible, and I try to follow when I can. Unfortunately, there are still too many companies that have the outdated password rotation requirements, and are resistant to change and following the current recommendation. Also, I have found password complexity requirements have gotten worse (farther away from the NIST recommendation) of late.

Jossk · June 16, 2024, 8:16pm

Dinosaur IT heads who would rather keep doing things the same way they’ve been doing it 20 years ago, instead of updating their process and requirements based on the current recommendations. Even though the shortcomings of the old method are well known.

Jan29 · June 16, 2024, 8:21pm

There are different use cases for that.

Some want to log in reliably every time and not be bothered with a password change, when they want to log in quickly.
Some bad implementations bring you into trouble if you don’t change the password in time.
If passwords are being used by several people, you don’t want several people trying to change the passwords at once.

Jan29 · June 16, 2024, 8:23pm

Dinosaur IT heads

It’s not about Dinosaur IT, they want to force us to use passkeys and similar systems.
That’s the reason why they’re bullying us with password change policies.

grb · June 16, 2024, 9:07pm

It is not an unreasonable feature request, there are some valid use cases, and Bitwarden developers have previously contemplated working on an implementation of this type of feature. If implemented, it would clearly be optional to use.

I’ve imposed a temporary “slow mode” for this thread, to encourage thoughtful contributions (and to discourage unnecessary tit-for-tat or misunderstandings).

serving_myself · June 23, 2024, 2:01pm

Someone’s already mentioned storing AWS tokens this way.
Obviously, there’re other SaaS systems that require periodic rotation.

On top of that, there’re use cases like storing a password for a GPG key that has an expiry date: in this case, Bitwarden could’ve reminded me that I should renew the key.

EVG2024 · June 26, 2024, 5:17pm

Dear Bitwarden Team,

I would like to propose a new feature for Bitwarden: time-limited or temporary passwords with customizable expiration handling. This feature would allow users to create passwords that automatically expire after a specified time period or on a specific date, with options for what happens after expiration.

Key features of this proposed functionality:

Integration with the existing password generator.
Option to set an expiration time when creating a new password entry.
Flexible time settings:
- Hours, minutes, seconds
- Days
- Specific date and time
Customizable expiration handling:
- Option to automatically delete the password entry from the vault upon expiration
- Option to keep the expired password in the vault but mark it as expired
- User-defined action to be taken upon expiration, set at the time of password creation
Automatic handling of expired passwords:
- Visual indication in the vault that a password has expired
- Reminder notifications before password expiration

Use cases for this feature include:

Temporary access for contractors or guests
Time-limited shared accounts
Enhancing security for sensitive accounts by forcing regular password changes
Managing one-time use passwords that should be automatically removed after expiration

This feature would add an extra layer of security and convenience for users who need to manage temporary access or want to ensure regular password rotations. The ability to preset the expiration handling would give users more control over their vault’s organization and security.

I believe this addition would make Bitwarden even more versatile and secure, further setting it apart from other password managers.

Thank you for considering this feature request.

grb · June 26, 2024, 5:51pm

@EVG2024 Welcome to the forum!

I propose to merge your post into the following feature request thread (since you are mainly proposing additional options to the main request of implementing expiration dates for vault items):

Please let me know if this is OK.

EVG2024 · June 27, 2024, 10:12am

Thank you for your response. I see that our requests are similar but have some key differences. While your suggestion focuses on adding an expiry date field and visual indicators, my proposal includes:

Integration with the password generator for creating time-limited passwords
Flexible time settings (hours, minutes, days, specific dates)
Automatic handling of expired passwords, including an option to delete them

Perhaps we could combine our ideas into a more comprehensive feature request that covers both visual indicators and automatic management of temporary passwords?

I’m also interested in following the GitHub issue you mentioned. Could you please provide the link to it? This might help us track the development of this feature more closely.

grb · June 27, 2024, 2:58pm

Yes, your ideas provide some more fleshed out details for the main feature request of allowing expiration dates to exist at all, so I have merged the requests.

I think you are referring to the GitHub issue mentioned in the OP of this feature request thread, which is this one:

Please note that this issue was closed in 2018, when all feature requests were relocated from GitHub to the Community Forum.

SFwdr · September 19, 2024, 2:59pm

Some passwords, such as one-time authorization codes for email login, have a time limit (maybe a few months). Can you support setting a password validity period for such passwords?

Nail1684 · September 19, 2024, 3:02pm

@SFwdr Do you mean for the Bitwarden password manager?

SFwdr · September 20, 2024, 4:39am

Yes, it would be best if it supports

Nail1684 · September 20, 2024, 9:10am

Okay, then 1. I changed the category of your feature request to “password manager” and 2. I guess your feature request is similar to the existing one Password (vault item) expiration date , right? (also @grb )

SFwdr · September 21, 2024, 5:21am

Yes. Thank you so much.