Unlimited history password

Feature name:

  • Unlimited history password

Feature Description

  • Think about this scenario:
    1. A user forgot their password on a website.
    1. The site tells the user that recovering the account requires an old password.
    1. The user does not remember the old password.
    1. User tries to verify password in Bitwarden.
    1. Bitwarden only allows 5 recent password versions.
    1. The user tests the 5 versions of the password, but cannot recover the account.
    1. The reason this problem is that a version of the password has been overwritten.
    1. User does not know the overwritten version.
    1. The solution to the problem would be to have unlimited password versions to avoid this problem.

Clients / Repos Affected:

  • Server
  • Web
  • CLI
  • Mobile
  • Desktop
  • Directory Connector

Timeline to completion (estimate):

ETA: Q4/2020

Unfortunately time travel is still in early alpha-stage… :wink:

4 Likes

Does what I said make sense?Its valid?Its true?Yes or no?

Yes, it does make sense. Just check the ETA date in your feature request.
The current year is 2021.

What is ETA / QA?

You estimated that this new feature could be ready in the 4th quarter of last year (2020):

image

ETA = Estimated Time of Arrival

I am still trying to wrap my mind around this scenario - whose website makes you remember your past 6 or more expired passwords??? Bizarre.

Perhaps the same ones that limit the amount of accepted characters without telling you.

Some ideas related to unlimited password history, other ideas include an unlimited history of passwords and fields.

  1. Another reference to the unlimited password history would be to compare it to the time machine feature present on Apple’s mac computers, where you have a full backup and can come back if there is a problem: Back up your Mac with Time Machine - Apple Support
  2. The cool thing about this is having a copy of everything that was done. This is useful to help prevent password loss. For example, passwords accidentally deleted or by physical(server) or human error. In addition to ensuring the integrity of users’ passwords.

Another reference to the password history that I can comment on is this: Be able to customize the number of entries in password history

Here he talks about a feature that customizes the number of entries in the password history

Thanks this is good info to have!

1 Like

Thanks for your feedback. There are other complementary and interesting ideas that we can mention:

Some initial conclusions from reading all these links and posts

  1. I think all these matters somehow involve an unlimited history of passwords, items, email, notes.
  2. I think it’s seriously important to merge it all into this as a smart history feature. Some believed that unlimited password history is a good feature, but it would have other additional features like changed email history, changed username history, and changed note history.
  3. How these fields are created at vault time. All these features are complementary in my view and essential.
  4. But since the post is about the unlimited password history feature, consider the links or ideas that talk about it.

idea

  1. In order to have an unlimited, reliable and secure password history, it would be necessary to offer the user the following options:
  • Option to clear password history in full or in part. That way, the user can select to remove all the passwords from the history or just the one that he wants to remove manually.
  • Option where you can set the amount of passwords to be displayed in the password history.
    If you think of the password as just a field to be used, filled in, these features I mentioned are the most essential.
  1. I don’t know if these features have been implemented, but for the most part they are interesting and as I said they are good, essential.

Interesting cases:

  1. Audit: Know the changed passwords. From the first to the last modification.
  • “Reasoning for this is that many places with strict security use password history as a way to recover an account (or in some instances just verify identity), but using good security practices by having entirely randomized passwords makes this basically impossible. Runescape is one great example, often requiring a previous passwords history, sometimes dating back to the beginning of the account (and often times wanting a list of all passwords you have).”
  1. Backup: With unlimited password history, we have a complete backup of everything we’ve done or changed, so it’s easy to go back to the newest or oldest version of the password, whether for auditing or security purposes.
  • Another reference to the unlimited password history would be to compare it to the time machine feature present on Apple’s mac computers, where you have a full backup and can come back if there is a problem. 1. The cool thing about this is having a copy of everything that was done. This is useful to help prevent password loss. For example, passwords accidentally deleted or by physical(server) or human error. In addition to ensuring the integrity of users’ passwords.
  • This feature is present in Evernote, where you have a history of what was changed in the note. If it’s something interesting and feasible, password history is also possible. It would be close to the Evernote feature that has a complete history of notes, but instead of notes, passwords. As far as this is possible, it may have additional features such as field history or notes.
  1. We will have the option to define the passwords that will be displayed, as well as the possibility to manually delete the password history or select everything to be removed. Our user freedom would be guarded.

  2. I’m not here to criticize anyone, I want everyone to gather ideas so that everything is interesting and within possibilities something good, viable and incredible. That way, we will always have something good and satisfying for everyone.

note

If the user wants to manually delete password history or make a full selection to remove all password history, he needs a confirmation screen to perform this action

other references, complementary ideas or similar

This is a great summary here, totally agree with you and thanks for writing this all up!

I also think deleting password history would be critical in this case, especially for organizations that might not want previous passwords to be viewable to people in which the passwords are shared with.

1 Like

Thanks for the feedback ;D @planedrop

1 Like

Hello All,

A larger password history would be useful if someone were to update/generate a new password field X times which cleared out the old password.

Though unlikely it could still be useful. I think rather than it being unlimited for everyone, making this available as a policy and allowing the admin to set the limit would be better. Alternatively, making it so you can pull the data via an individualized password history ‘audit’ report or something.

1 Like

Someone could merge all posts about unlimited history here. is an idea, whoever is interested, it would be a good idea. ;D

I can’t tell you how many times I’ve been afraid of loosing my current password when I use the password generator to update an account’s password, but the site keeps rejecting the newly generated password (without listing password requirements or indicating what I’m doing wrong - too many characters, unacceptable special characters, etc.)