I would like to voice my support for this feature.
While it is possible to export db as JSON and search it, I don’t feel comfortable in doing that unless I absolutely have to.
Additionally, I’d like the ability to search in the set of active passwords and search the set of old passwords since bitwarden does retain a list of all old passwords used on a website.
Definitely need this when getting notification of leaks of a password without a related site (e.g. combolists on the dark web).
@bw-admin: What is the problem with implementing a password search? Does it pose a security risk that no one has yet mentioned? Is that risk worse than someone losing an exported file with all of their information?
Just encountered this in an org context.
Victim exposed credentials to scammer, got extorted, now I need to make sure that the compromised credentials are not used elsewhere. Isn’t this a very basic scenario? How come it’s easy to find compromised credentials by a 3rd party, but identifying internal breaches requires me to export the whole org vault and do a manual text search? I must be missing something.
Hello everyone.
I think this feature is really good.
For Feature Request topics (like this thread), the thread should be restricted to a single proposed new feature, to prevent confounding of the voting and discussion. In this thread, the topic is a proposal to use a password as a search term, to specifically locate vault items containing that password.
If you have other ideas for interesting new functions and features of Bitwarden, you should start a separate Feature Request topic (with a single proposed feature per topic, please).
For the same reason as many have posted, I’ve recently been notified one of the passwords I’ve used has been compromised, but I cannot tell which sites its been used on. A search option (without having to export which I believe adds considerable risk) would be a valuable addition.
I made the corrections, thanks for the tips and feedbacks here.
Please add this feature to also search the password field.
I received a similar notification from Defender this morning. I was told that my info was found on the dark web (including email address and a password) but the web site was “unknown”. Being able to search by password would have been helpful.
I would like this feature to be added.
BITWARDEN, if you’ve ignored this feature for almost FOUR years, can you please at least tell us why!?! Security? Liability? Laziness?
@HoOn Welcome to the forum! I would suggest that you review the Community Guidelines, especially those that talk about respectful and constructive communication.
I am not a Bitwarden employee, but I understand that they employ a relatively modest number of developers, whose time must be prioritized to address the most pressing needs. In addition, because security is of the utmost importance to Bitwarden, new feature proposals often undergo an extensive period of research to determine whether there may be any security repercussions associated with implementation of a new feature.
For context, some features that were recently released had been initially proposed 4–6 years prior to final release (e.g., account switching and inline auto-fill menus). Bitwarden’s current development roadmap is published here.
As Bitwarden is open-source software, the fastest way to circumvent Bitwarden’s development backlog for a feature that you want would be to make a code contribution. If you have no coding experience yourself, you could hire someone to do the programming.
This needs to be added, and badly.
I was just notified that an account with one of my email addresses, but it only gives a partial password. I have close to a thousand saved passwords.
No way to search them means that I have no way of determining which, if any, of those thousand passwords match the partial sample I have.
And that means that Bitwarden, a product I use (and pay) to protect myself has effectively made it considerably harder to protect myself.
More accurately, there is no way to search passwords within Bitwarden. It is easy to search passwords after export and thus to determine which, if any, match.
There are ordinary precautions which can be taken against leakage to things like caches and indexing facilities, depending on the OS, and using an encrypted USB so no retrievable trace is left. It appears that most people are not too troubled by these risks anyway, and not unreasonably given they were probably not mitigated during import from another product.
Since you have a paid account, you can run an Exposed Passwords Report to find which of your accounts still use a password that has been exposed in a breach.
Unfortunately, the exposed passwords list used by that tool to check is not entirely comprehensive/up-to-date. I’ve just setup a testing username/password combination that I know was breached, and is in breach reports from other providers (such as MyFICO), and BW is not flagging it.
Apparently this functionality has been requested since march 2020…bitwarden, can this get some attention? This is a major security feature, for 2 reasons:
The resolution of this difference of view (though not of the problem) lies in tools for pattern-matching, readily available even in some WP, but not everyone’s usual thing.
@HTRon Welcome to the forum!
To find exact duplicates you can run the Re-Used Password Report.
FYI, you can also use this report to find the item with the th*2 password, if you remember what th*2 stands for — if so, create a dummy vault item with this same password, and then the Re-Used Passwords Report will pick up the dummy item as well as the real item that uses this password.
Yes, you can limit searches to the password field, if you open the .csv file using Excel or any other spreadsheet app (e.g., Google Sheets or LibreOffice Calc). For more sophisticated search methods, export in .json format and use a tool like jq.
Thanks for your response!
Actually, I know about opening the file in excel and searching that, but I don’t like exporting this sensitive data, even with “permanent delete”…and this seems like such a simple thing for them to implement, we shouldn’t need to use external tools and such. I would even get a paid upgrade if this option was available there!
(And note that th(asterisk)2 was meant as a 4 character search term with a wildcard, if I wasn’t clear on that…again because if a tool reports finding your password on the dark web or something, they don’t tell you the whole password. one could have thinkpass2 or thankspass2, or multiple variations ad infinitum, and you don’t know which they’re talking about (a very simplistic example).)