What's the reason for the "Change at-risk password" warning?

I have one login where Bitwarden shows me a “Change at-risk password” warning when I select it. It’s also a link that just takes me to the homepage of the service. What’s the reason for the warning? I have checked all reports, but that login is not part of any of them.

4 Likes

@Frettman Welcome to the forum!

Are you a member of an organization with an Enterprise plan?

What Bitwarden app or browser extension are you seeing this in, and what is the version of the app/extension?

Are you using an Apple device?

Hello and welcome to the community :waving_hand:

This appears to be a brand new feature for both enterprise and premium users. Please see this document and let us know if the conditions (a weak, re-used, or exposed password) for triggering the warning are accurate:

2 Likes

I have a Premium account, no organization. I see this warning in the Windows app (latest version) and in Bitwarden Web.

I’ve seen that page. But like I said, according to Bitwarden’s reports that password is neither weak, re-used, nor exposed.

1 Like

I came here to make a similar comment. The feature is nice to have but to be useful it needs a reason code or similar.

I just saw one of mine that is flagged and I believe it’s because it’s reused – I know it’s reused and being reused in this case is not in and of itself a security issue. And yet there is still ambiguity as to why it’s flagged.

So in my case a reused password is not a security risk whereas a leaked password is very much something I’d address immediately. It would be nice to see unambiguously which issue the password exhibits. There’s no need to change a password if …it does not need to be changed.

9 Likes

As has been suggested, a reason would be good as well. Especially as there seems to be a minor issue with the Reused password report when you have the same account in both a personal vault and Enterprise vault, they show as reused twice.

To be super useful, it would be good to be able to dismiss “at risk” on an account/login/reason basis - we do have a couple of actually reused passwords for good reasons. They are, though, strong and internal.

Otherwise, yes this is a good new feature.

5 Likes

I came here to raise this problem, too.

The “Change at-risk password” is too generic, we need to know why BW thinks the password needs to be changed, so that we can take an informed action.

It appeared to me in the desktop app (on Linux) and in BW web vault, but NOT in the browser extension (Firefox and Chrome).

The password that has been flagged is a strong password used for an internal server at work, so I was VERY worried when I saw that.

Like others said, it is reused on purpose.

I was expecting that clicking on the “change at-risk password” banner would show an explanation, instead it took me to the login page of the service.

That password is NOT part of the “exposed passwords” report.

Thank you
Cris

6 Likes

@Cris70 Welcome back!

I agree, it should show the exact reason…

The browser extensions are probably still on a 2025.11.x version – the new “Change at-risk passwords” warning is part of the 2025.12.0 Release. (and version 2025.12.0 is now available in the Chrome web store)

In general, passwords that show up with the “Change at-risk password” warning can be

  1. weak
  2. re-used
  3. exposed / breached

And when a password is already shown as “re-used”, like in your example, then if there is no further distinction and that password also gets breached/exposed, that would probably go undetected. That’s not ideal.

4 Likes

@tezboyes Welcome to the forum!

Not only would this be “good”, I would consider such an option to be essential.

I have just created a feature request topic to propose this:

I encourage everybody to support the feature request by voting for it (and by describing any use-cases that I have not already covered in my OP). New forum participants need to have their membership status promoted from “new member” to “basic member” to get voting privileges; promotion is automatic after you have spent some time (<30 min) on the forum reading various topics and comments of interest to you.

2 Likes

Where do I turn it off?

1 Like

It cannot be turned off. Please add your vote to the feature request for giving users the option to dismiss or disable the “at-risk” warnings.

I reset my AD admin credential this morning because of this new feature.
Six sites I use authenticate with my AD user/pass, including our IDP. Not all of them have SAML, so I save the same creds in Bitwarden. I’m getting the at-risk password alert from its own checking of one password used on multiple vault items, which, in this scenario, is really just one AD-authenticated account. I would vote for the option to disable/dismiss, but I see that thread is locked.

Edit: It’s a good feature! Not to be discouraging to the devs that implemented it. Just asking for a tweak for different scenarios, I’d like to be able to hide it on a per-credential or per-site basis.

@PRNG12 Welcome to the forum!

The feature request thread (Options to disable or dismiss permanent "Change at-risk password" warnings) is not locked. However, you are probably seeing that you are unable to vote, because you are a new user. New forum participants need to have their membership status promoted from “new member” to “basic member” to get voting privileges; promotion is automatic after you have spent some time (<30 min) on the forum reading various topics and comments of interest to you.

In the meantime, you could add a comment to the feature request thread to describe your use-case and reasons for supporting the request.

1 Like

You’re right, I just needed to hover over ‘Locked’ to see that.

1 Like

Edit: It’s a good feature! Not to be discouraging to the devs that implemented it. Just asking for a tweak for different scenarios, I’d like to be able to hide it on a per-credential or per-site basis.

I agree, it’s a great feature but I’m frankly surprised it shipped the way it did. Even the lightweight iOS built in Passwords app at least tells you why a credential was flagged.

Could just be bad timing for me, but this issue in conjunction with a recent export bug I’ve encountered at nearly the same time has been the first time where I’m feeling not 100% about Bitwarden. Love the product, but little issues like this make the releases feel rushed. Ok, back on topic …

This is happening to me as well. There are hundreds of passwords in my vault, and many many dozens of them are flagged like this all of a sudden. HIBP says no, but the (handy, thanks for that!) tool here showed that some of the “compromised” accounts are just leftover templates from old imports that have passwords like “undefined” and “password”. Not sure what the others are flagged for, all my passes are generated according to what I believe to be best practice - all unique, generated and substantial. Yet almost everything in the vault is flagged.

Were it everything, I would think somehow my wallet and keys leaked, but it isn’t.

This isn’t a complaint in any way, just wanted to add to the discussion.

This is happening to me as well. I changed a couple of the passwords already, but then I checked them again and some of them are again marked as “at risk”. Is this feature buggy at the moment?

Problem is happening only in Chrome and FF extension on Linux.

Edit: I think this might be happening because I have logins for websites as well as for mobile apps that use the same account, i.e. the amazon.com login is the same as the amazon.android login.

@Evnia Welcome to the forum!

The reasons why a password is flagged have been summarized above, and in the feature request thread (requesting the option to disable/dismiss the warnings):

In your case, it seems that the reason is #2 from the list above:

One work-around would be to store both URIs (amazon.com and amazon.android) in the same login item. If there is reason you prefer not to do that, then I would suggest that you explain your use-case by posting a comment in the feature request thread.

2 Likes
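One way to get the per-item reason code this thread is asking for, and to test the merge-the-URIs work-around from the reply above, is to triage an unencrypted JSON export yourself. The script below is an added example, not Bitwarden’s code and not a description of how the “Change at-risk password” logic works internally; it assumes the `{"items": [{"type": 1, "login": {...}}]}` layout that Bitwarden’s JSON export produces, uses a deliberately simple weakness heuristic (Bitwarden uses its own strength estimator), and replaces the Have I Been Pwned range lookup with a constructed local table so it runs offline. The vault contents are made up.

```python
"""Triage Bitwarden "at-risk" flags from an unencrypted JSON export.

Added example, not Bitwarden's own code. Assumes the export layout
{"items": [{"type": 1, "name": ..., "login": {"username", "password",
"uris": [{"uri": ...}]}}]}; type 1 is a login item.
"""
import hashlib
import json
from collections import defaultdict

# Constructed sample export (not a real vault). Mirrors the cases in the thread:
# one account stored twice (web + Android app) and leftover import templates.
SAMPLE_EXPORT = json.dumps({"encrypted": False, "items": [
    {"type": 1, "name": "Amazon (web)", "login": {"username": "alice@example.com",
        "password": "Xq7!vR2mLp9#Tz4w", "uris": [{"uri": "https://www.amazon.com"}]}},
    {"type": 1, "name": "Amazon (app)", "login": {"username": "alice@example.com",
        "password": "Xq7!vR2mLp9#Tz4w",
        "uris": [{"uri": "androidapp://com.amazon.mShop.android.shopping"}]}},
    {"type": 1, "name": "Old import", "login": {"username": "alice",
        "password": "undefined", "uris": [{"uri": "https://legacy.example.net"}]}},
    {"type": 1, "name": "Intranet", "login": {"username": "alice",
        "password": "password", "uris": [{"uri": "https://intranet.example.org"}]}},
    {"type": 2, "name": "Note", "secureNote": {"type": 0}},
]})


def _sha1_upper(pw):
    return hashlib.sha1(pw.encode()).hexdigest().upper()


# Constructed stand-in for the HIBP k-anonymity "range" API, keyed by the first
# five hex chars of the SHA-1. A real client would GET
# https://api.pwnedpasswords.com/range/<prefix> and parse "SUFFIX:COUNT" lines.
BREACHED_RANGE = {_sha1_upper("password")[:5]: {_sha1_upper("password")[5:]}}


def local_range(prefix):
    return BREACHED_RANGE.get(prefix, set())


# Assumption: a crude weakness heuristic, only for illustration.
WEAK_WORDS = {"password", "undefined", "123456", "changeme"}


def is_weak(pw):
    return pw.lower() in WEAK_WORDS or len(pw) < 12


def is_exposed(pw, range_lookup=local_range):
    # Only the 5-char prefix would leave the client; compare the suffix locally.
    digest = _sha1_upper(pw)
    return digest[5:] in range_lookup(digest[:5])


def classify(export_json, range_lookup=local_range):
    """Return {item name: [reasons]} for every login item, reporting ALL matching
    reasons so a reused password that is also exposed is not hidden."""
    items = [i for i in json.loads(export_json)["items"] if i.get("type") == 1]
    by_password = defaultdict(list)
    for it in items:
        by_password[it["login"]["password"]].append(it)
    reasons = {}
    for it in items:
        pw = it["login"]["password"]
        r = []
        if is_weak(pw):
            r.append("weak")
        if len(by_password[pw]) > 1:
            r.append("reused")
        if is_exposed(pw, range_lookup):
            r.append("exposed")
        reasons[it["name"]] = r
    return reasons


def merge_same_account(export_json):
    """Combine login items that share username AND password into one item
    carrying all their URIs (the work-around suggested in the thread). Items
    with different usernames are never merged, even if the password matches."""
    data = json.loads(export_json)
    merged, order, others = {}, [], []
    for it in data["items"]:
        if it.get("type") != 1:
            others.append(it)
            continue
        key = (it["login"].get("username"), it["login"]["password"])
        if key not in merged:
            merged[key] = json.loads(json.dumps(it))  # deep copy, keep first name
            order.append(key)
            continue
        target = merged[key]["login"].setdefault("uris", [])
        seen = {u["uri"] for u in target}
        for u in it["login"].get("uris", []):
            if u["uri"] not in seen:
                target.append(u)
                seen.add(u["uri"])
    data["items"] = [merged[k] for k in order] + others
    return json.dumps(data)


if __name__ == "__main__":
    for name, why in classify(SAMPLE_EXPORT).items():
        print(f"{name:14} {', '.join(why) or 'ok'}")
    print("after merge:", classify(merge_same_account(SAMPLE_EXPORT)))
```

Run against the sample, the two Amazon items show only “reused”, the leftover “undefined” template shows “weak”, and “password” shows both “weak” and “exposed”; after `merge_same_account` the Amazon login exists once with two URIs and no longer trips the reuse check. Export only to a local, encrypted-at-rest location and delete the file afterwards; the plaintext export is the most sensitive file you will handle.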

I tested this on one example and it didn’t work. I am fairly certain that none of my passwords got leaked so I still tend towards the double use thing. Maybe it just doesn’t update the flag dynamically, once the password has been flagged as doubly used. Which would make sense.