Passwords Change Automatic Enforcement - Period Settings

Harward · September 9, 2022, 2:20pm

Greetings Friends,
Please advise if the feature - Passwords Change Automatic Enforcement - Period Settings i.e. every 72 days etc. is or has been considered.

Enhance Security On-line.

Thank you.

dh024 · September 9, 2022, 4:03pm

Hello @Harward!

Regarding your post, there is a feature request for tracking password expiry dates here:

Regarding whether or not password expiry should be enforced or not has been a heated topic of discussion here. Current thinking is that it is unnecessary if strong unique passwords are used (like what you would create in Bitwarden), and expiring passwords can actually cause more harm than good to those NOT using a password manager because it has been observed that people tend to make shorter, more memorable, and more guessable passwords if they have to change them frequently (and they tend to re-use them for different accounts, which is really bad).

There is a recent article in the Washington Post that describes the issues pretty well:

https://www.washingtonpost.com/politics/2022/08/18/mandatory-password-updates-are-passe/

Harward · September 11, 2022, 2:07pm

Thanks for your response.
About the comment in the linked article regarding creating weak passwords. Very valid. With Bitwarden password generator one can always create strong passwords.

grb · September 11, 2022, 3:04pm

Unfortunately, many employers, webmasters and service providers are not forward-thinking, and continue to enforce mandatory password updates. For such accounts (especially in the case of accounts that may be used infrequently compared to the password expiration frequency), it may be nice to have an (optional) indicator in the vault signaling that the password is expired.

If using password managers becomes ubiquitous in the future, then I could see potential benefits to reversing the trend – ultimately having the default design of login pages everywhere be equivalent to the currently existing password change pages – i.e., you would be required to change your password every time you log in (but the whole process would be automated by your password manager).

dh024 · September 11, 2022, 3:06pm

Yes - see the link to the feature request I posted above if you want to lend your support for such an indicator.

grb · September 11, 2022, 3:12pm

Personally, I don’t need it. I’m holding out for my vision of the future in which every password expires as soon as you use it!