Security report: Make it possible to ignore items

Hello,
Some website impose insane password rules (e.g. 4 character PIN or password must not be longer than x characters etc.)
These logins of course show up in the weak password report and clutter up the report. Would it be possible to either implement a feature where one could exempt those accounts from the report or maybe define password rules (e.g. can’t be longer than x characters etc.) and if Bitwarden detects that it will automatically exempt it or flag it differently in the report?

Thanks,
Uli

3 Likes

+1. This should be added to all reports. Especially those 4 PIN code pages are mostly exposed somewhere.
I also have some internal accounts (LAN) which use default passwords (e.g. test VMs) and are thus false positives.

1 Like

The security report is an awesome tool! However, the problem is that for some items it is not possible to make them “more secure”. As an example: If I store the 4-digit pin-code of a physical card in Bitwarden, it is not possible to make it more secure, as the card doesn’t allow more digits or letters. However, this makes the entry always show up as “known password” and “weak password”. It would be great if certain categories could be ignored for specific entries, so I can get the report down to “zero” entries. Otherwise, there will always be a long list of irrelevant entries in the report.
Another example are certain 2FA websites mentioned: Some of them only have SMS 2FA, and some don’t have 2FA in certain countries (like PayPal), so the entry cannot be removed from the report. So setting user-defined ignores would be very helpful.

I have some passwords which are weak and will remain like this forever. Example : the PIN of my credit card. Same applies for some reused passwords. And most of my PINs are exposed :slight_smile: Would be good to have the possibility to tag them as “waived”, eg by adding a custom field. This would make the whole list cleaner as it would only display the passwords I really need to take care of

I can second this for some other use cases, like internal systems or test labs that aren’t needing high security. I feel domains and external IPs, however, should not be allowed to do this, since some people may just dismiss it than change it to something secure.

If you’re using a PIN for a service like that, I’d suggest adding it to the notes or something instead so it bypasses the scan. I’m not sure if custom fields are included or not.

No, not doing foolish things like using PINs where real, strong passwords should be used.
Your workaround could do the trick, but it sounds weird to use a password manager to store data in custom fields to prevent them from being considered.
Overall : I would let it to the user’s responsibility to choose whether to waive weak passwords, i.e. don’t try to discover automatically “internal systems or test labs”.

No, not doing foolish things like using PINs where real, strong passwords should be used.

This is hugely varying on the system in place. For instance, Speedway’s member system uses pins for signing in on terminals for ease. Even if they didn’t, I wouldn’t want to type out Y2Tq$LoYNBqGrrXaqCY%nLxEJEhsmX*2xd^sEbvTyDKYq5k$CSG!pNumsqn$JSH8Q7@No8$cHxYuRpf%acawNbrcHSQvN%4@zm9tiM#NPBwS*&ngd!E6N96T2bUso#mv to get into my account (I generated that with Bitwarden :wink:), let alone have to remember that or pull it up to do so.
This is also used for their website’s authentication, though, which I despise greatly…

As for the letting user deciding this, I still stand in my position that domains and external IPs should not be allowed to ignore. An alternative way then would be to allow an organization to specify test/lab domains that can be whitelisted from scans as well, so then domains in a testing environment could be whitelisted from scans. That way some form of organization admin can control this and not just anyone that wants to ignore the warnings.

Agreed if we’re considering a corporate environment, which I hadn’t thought of !

Agree that all the PIN codes I have stored are making it a pain to go through the password reports.
I should be able to mark a code as excluded from the reports.

When viewing data breaches, it would be nice to be able to flag a breach as having been mitigated (similar to what LastPass offers) so it doesn’t keep showing up in the list.

Thanks!
— Jeff

3 Likes

You can opt-out your email here Have I Been Pwned: Opt-out

It will send you a verification email, and then when you click on the link in the email, you want to do Delete email permanently. That way, old breaches won’t show up but your email won’t be blacklisted from being searchable in new breaches.

So, is Bitwarden somehow integrated with Have I Been Pwned? I don’t want to opt out of HIBP because I like getting emails from them if a new breach shows up. I just want to be able to flag a breach in Bitwarden as having been “mitigated”.

Thanks!
— Jeff

1 Like

Hey @jbramwell the team is looking at ways to enhance the reporting/dashboard functionality, including options to dismiss resolved items, thanks for the feedback!

3 Likes

Please add this feature! My exposed and weak password reports end up getting clogged with many items that I have no ability to improve. It makes it much harder to see the items in the reports that actually matter.

1 Like