Tips on resetting the pws for a couple of hundred sites with "weak" passwords

Never paid any attn to the last 15+ years of pws accumulated in first Roboform, then LastPass, and now imported to Bitwarden.

So I looked at BW’s password report and saw 25 with very weak pws, 175 with weak pws, and a dozen that reused pws.

Question: Even if I wanted to, many of these sites don’t have a way to remove me from their database.

Most sites, for a reset or pw change, require the new pw to be input twice. The well-designed sites allow you to copy and paste to the second confirm field or at least have an eyeball for you to edit. But most have neither.

Try manually typing in a 25 long complex accurately

Know of a keyboard macro util that would easily type in a copy of what I tell it? I.e., not “paste” but type?

I would just take the “work on it as you have time” approach, in this order of most-to-least important:

  • Critical, without 2FA
  • Non-critical, without 2FA
  • Critical, with 2FA
  • Non-critical, with 2FA

LP has a method of semi-automated password changing (go into the vault, click a button and supposedly it was smart enough to make a change in the background. I never trusted that it would work and so never tried it).

I suggest doing accounts in this order; that is, do all Critical accounts before any non-critical.
2FA is not all that and can often be circumvented.

  • Critical, without 2FA
  • Critical, with 2FA
  • Non-critical, without 2FA
  • Non-critical, with 2FA

Just my 2 cents.

HTH

Good point. I was assuming a secure 2FA such as hardware key.

Even with a hardware key, all it takes is a phone call to support and they will remove the 2FA (often).

I know they say they never will (e.g. BW) but I think they could and of course support staff are human. Some hackers are very good at convincing support staff that they are the legit account owner.

One of the standards organisations should produce a standard for changing passwords but there isn’t one so it is a manual task on each site at present.

The way to deal with this effectively is to start by generating and saving a new, random password in the Bitwarden vault item. Then, you can use auto-fill to quickly fill in both of the new password fields on the password change form. The only snag is that the auto-fill function usually also fills in the new password into the “old password” field that is often present on a password change form. Thus, you need to clear the “old password” input field and type in or copy-paste the old password (you can copy it from Bitwarden’s password history, or with some foresight, you can copy it from the password field just before generating the new password).

Thus, the workflow would be something like this:

  1. Log in and navigate to the password change page.
  2. Open the vault item in the browser extension.
  3. Copy the old password to the clipboard.
  4. Click “Edit” in the upper right corner.
  5. In the password field, click 🔄 to go to the password generator; OK the prompt about overwriting the password.
  6. Click “Select” in the upper right corner.
  7. Click “Save” in the upper right corner.
  8. Click the “Auto-fill” button below the item info.
  9. On the website’s password change form, delete the contents of the “Old Password” field and paste in the old password from the clipboard.
  10. Submit the form.

Depending on how quickly you can complete Steps 4-9 and what setting you have for the clipboard timeout option, you may find that the old password has been cleared from the clipboard. In this case, you can retrieve the old password from the Password History (which stores the 5 most recent passwords that were saved for each login item).