I would like to voice my support for this feature.
While it is possible to export db as JSON and search it, I don’t feel comfortable in doing that unless I absolutely have to.
Additionally, I’d like the ability to search in the set of active passwords and search the set of old passwords since Bitwarden does retain a list of all old passwords used on a website.
@bw-admin: What is the problem with implementing a password search? Does it pose a security risk that no one has yet mentioned? Is that risk worse than someone losing an exported file with all of their information?
Victim exposed credentials to scammer, got extorted, now I need to make sure that the compromised credentials are not used elsewhere. Isn’t this a very basic scenario? How come it’s easy to find compromised credentials by a 3rd party, but identifying internal breaches requires me to export the whole org vault and do a manual text search? I must be missing something.
For Feature Request topics (like this thread), the thread should be restricted to a single proposed new feature, to prevent confounding of the voting and discussion. In this thread, the topic is a proposal to use a password as a search term, to specifically locate vault items containing that password.
If you have other ideas for interesting new functions and features of Bitwarden, you should start a separate Feature Request topic (with a single proposed feature per topic, please).
For the same reason as many have posted, I’ve recently been notified one of the passwords I’ve used has been compromised, but I cannot tell which sites it’s been used on. A search option (without having to export, which I believe adds considerable risk) would be a valuable addition.
I received a similar notification from Defender this morning. I was told that my info was found on the dark web (including email address and a password) but the web site was “unknown”. Being able to search by password would have been helpful.
I am not a Bitwarden employee, but I understand that they employ a relatively modest number of developers, whose time must be prioritized to address the most pressing needs. In addition, because security is of the utmost importance to Bitwarden, new feature proposals often undergo an extensive period of research to determine whether there may be any security repercussions associated with implementation of a new feature.
For context, some features that were recently released had been initially proposed 4–6 years prior to final release (e.g., account switching and inline auto-fill menus). Bitwarden’s current development roadmap is published here.
As Bitwarden is open-source software, the fastest way to circumvent Bitwarden’s development backlog for a feature that you want would be to make a code contribution. If you have no coding experience yourself, you could hire someone to do the programming.
More accurately, there is no way to search passwords within Bitwarden. It is easy to search passwords after export and thus to determine which, if any, match.
There are ordinary precautions which can be taken against leakage to things like caches and indexing facilities, depending on the OS, and using an encrypted USB so no retrievable trace is left. It appears that most people are not too troubled by these risks anyway, and not unreasonably given they were probably not mitigated during import from another product.
Since you have a paid account, you can run an Exposed Passwords Report to find which of your accounts still use a password that has been exposed in a breach.
Unfortunately, the exposed passwords list used by that tool to check is not entirely comprehensive/up-to-date. I’ve just set up a testing username/password combination that I know was breached, and is in breach reports from other providers (such as MyFICO), and BW is not flagging it.
Apparently this functionality has been requested since March 2020… Bitwarden, can this get some attention? This is a major security feature, for 2 reasons:
When we get notified of a password breach, they will report “x username was found on the dark web, with password th********2” - and they don’t report where that came from! It would be great to be able to search the Bitwarden password field for “th2”, and greatly narrow the list of websites we need to check out!
(Note that some auto-formatting is messing with my asterisks… darn it! The first set of asterisks apparently turned on italics, and the “th2” is supposed to have an asterisk between the th and the 2… i.e., a wildcard.)
To ensure we don’t have duplicates, or to eliminate duplicates we already have, see where else a password has been used, either exact or similar.
Also, it doesn’t work to extract to a csv and search that, because a) you can’t limit that search to the password field, and b) you can’t search using wildcards (and even if you can, “a)” is still a limitation).
PLEASE PLEASE PLEASE add this feature!
The resolution of this difference of view (though not of the problem) lies in tools for pattern-matching, readily available even in some WP, but not everyone’s usual thing.
FYI, you can also use this report to find the item with the th*2 password, if you remember what th*2 stands for — if so, create a dummy vault item with this same password, and then the Re-Used Passwords Report will pick up the dummy item as well as the real item that uses this password.
Yes, you can limit searches to the password field, if you open the .csv file using Excel or any other spreadsheet app (e.g., Google Sheets or LibreOffice Calc). For more sophisticated search methods, export in .json format and use a tool like jq.
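An added example (not part of any post in this thread, and not Bitwarden code) of the field-limited wildcard search discussed above, run over a .json export. It matches only current and historical password fields and reports item names without ever echoing a password. The export layout (`items[].login.password`, `items[].passwordHistory[].password`, top-level `encrypted`) is an assumption, the sample data is constructed, and `find_password_matches` is a hypothetical helper name.

```python
import fnmatch
import json

# Constructed sample in the assumed shape of an unencrypted Bitwarden .json
# export: items[].login.password and items[].passwordHistory[].password.
SAMPLE_EXPORT = json.dumps({
    "encrypted": False,
    "items": [
        {"name": "Example Shop", "type": 1,
         "login": {"username": "alice", "password": "thinkpass2",
                   "uris": [{"uri": "https://shop.example"}]},
         "passwordHistory": None},
        {"name": "Example Forum", "type": 1,
         "login": {"username": "alice", "password": "Xq9!long-unique",
                   "uris": [{"uri": "https://forum.example"}]},
         "passwordHistory": [{"lastUsedDate": "2023-01-01T00:00:00.000Z",
                              "password": "thankspass2"}]},
        {"name": "Secure note", "type": 2,
         "notes": "thinkpass2 appears in a note, not a password field",
         "login": None, "passwordHistory": None},
    ],
})


def find_password_matches(export_text, pattern):
    """Return (item name, first URI, 'current' or 'history') for each item
    whose password field matches the shell-style pattern (e.g. 'th*2').
    Passwords themselves are never returned or printed."""
    export = json.loads(export_text)
    if export.get("encrypted"):
        raise ValueError("encrypted export: password fields are not readable")
    hits = []
    for item in export.get("items", []):
        login = item.get("login") or {}          # non-login items have no login
        uris = login.get("uris") or []
        uri = uris[0].get("uri") if uris else None
        current = login.get("password")
        if current and fnmatch.fnmatchcase(current, pattern):
            hits.append((item.get("name"), uri, "current"))
        for old in item.get("passwordHistory") or []:
            if fnmatch.fnmatchcase(old.get("password") or "", pattern):
                hits.append((item.get("name"), uri, "history"))
                break  # one history hit is enough to flag the item
    return hits


if __name__ == "__main__":
    for name, uri, where in find_password_matches(SAMPLE_EXPORT, "th*2"):
        print(f"{where:8} {name} ({uri})")
```

Because only names and URIs are reported, the output can be kept after the export itself is deleted.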
Thanks for your response!
Actually, I know about opening the file in Excel and searching that, but I don’t like exporting this sensitive data, even with “permanent delete”… and this seems like such a simple thing for them to implement, we shouldn’t need to use external tools and such. I would even get a paid upgrade if this option was available there!
(And note that th(asterisk)2 was meant as a 4 character search term with a wildcard, if I wasn’t clear on that… again, because if a tool reports finding your password on the dark web or something, they don’t tell you the whole password. One could have thinkpass2 or thankspass2, or multiple variations ad infinitum, and you don’t know which they’re talking about (a very simplistic example).)