keepassxreboot / keepassxc

KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
https://keepassxc.org/

Update the Expire-Date when the Password changes #2010

Open kronn opened 6 years ago

kronn commented 6 years ago

Expected Behavior

I would expect/like to see an automated change of the expire-date when the password changes.

Current Behavior

Currently, the expire-date seems independent of changes to the password.

Possible Solution

I suggest to either store a fixed date like now, or just a reference to a preset (3 months). If the password changes AND the expire-date is a preset, then the expire-date is recalculated according to the preset.

I consider this a feature of the client, so the chosen preset needs to be stored in a place that does not disrupt other clients using the same keepass-db.

Context

In some companies, I am forced to change the password every 3 months (with a grace period of 1 week or so). I vaguely remember other intervals. Some companies remind you, others just prompt you for a new password. In other circumstances, I choose to change certain passwords according to my own intervals.

Since I can set an expiry date, keepassxc helps me spot passwords that need to be renewed. When I then change the password, I need to manually adjust the expiry. If I could tell KeePassXC that it always needs to be renewed every three months, it could adjust the expiry automatically, saving me one step.

Debug Info

KeePassXC - Version 2.3.3 Revision: 0a155d8

Libraries:

Operating system: Ubuntu 16.04.4 LTS CPU architecture: x86_64 Kernel: linux 4.4.0-98-generic

Enabled extensions:

droidmonkey commented 6 years ago

This could be implemented with a checkbox next to the expiration setting that says "update on password change"

TheZ3ro commented 6 years ago

I think it's better to include this in #551. The password analyzer will detect the last time the password has changed

droidmonkey commented 6 years ago

#551 is meant to operate over the whole database. This request is when I update an individual entry's password the expiry date (if set) should auto increment.

kronn commented 6 years ago

As a developer, it feels somewhat wrong to use another cleanup-tool, semantically. Updating the expiry should be the consequence of updating the password.

As a user, I would want to have the password-change immediately and automatically update the expiry, if I set it to a given interval in order to not have to click more than I need to.

Personally, I would be fine with running a password analyzer over everything and have the expiry corrected. It would however feel like a workaround to me. If the analyzer would run in the background and could work on recently updated entries first, then it could feel like an immediate and automatic update. But those are big ifs and I do not want to bloat another feature with this request. Also, I have a little under 3 months before I am annoyed for 1 minute with the password-change again :-)

TheZ3ro commented 6 years ago

The fact is, if I have 40 company-related passwords that I need to change every 30 days, I will need to check the "update on password change" checkbox 40 times. Another thing is, where do you store the entry-specific option? In an entry's additional attributes?

On the other hand, a database-wide option will enable this for every password in the whole database, even personal ones that don't need updates.

IMHO the entry-specific option seems the best solution if the user is willing to manually enable it for every required entry

kronn commented 6 years ago

@TheZ3ro Checking one checkbox is no big deal if I change the password. Right now, I need to update the expiry with multiple clicks and (maybe) some manual adjusting. And the one checkbox-click only needs to happen once. So if companies force me to change my password every three months, then I have set the checkmark on all applicable entries within three months. I would not dedicate time to only do this.

The database-wide option does not make sense to me as well, for the reasons you outlined.

michaelk83 commented 3 years ago

> The fact is, if I have 40 company-related passwords that I need to change every 30 days, I will need to check the "update on password change" checkbox 40 times.

I think automatic update of the expiry date should be the default behavior (opt-out rather than opt-in, or not even opt-out). An old expiry date is not useful once it has passed, and if an expiry date was set at all, it's most likely the user intended the password to expire repeatedly (edit: the main exception to this is if the expiry date was set only to force immediate renewal, such as with a temporary password).

The update interval can be calculated by subtracting the date when the password was last updated from its expiry date.
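The two renewal rules proposed in this thread (a stored preset, or an interval derived as expiry date minus last password change), combined with the per-entry opt-in and the temporary-password exception, can be sketched as follows. This is an added example, not code from KeePassXC or from any commenter; the `Entry` struct, its field names and the helper functions are hypothetical.

```cpp
#include <chrono>
#include <cstdio>

using Clock = std::chrono::system_clock;
using Hours = std::chrono::hours;

// Hypothetical entry model: field names are assumptions, not KeePassXC classes.
struct Entry {
    bool expires;                       // expiry is enabled for this entry
    Clock::time_point expiry;           // current expiry date
    Clock::time_point passwordChanged;  // when the current password was set
    bool autoRenew;                     // per-entry "update on password change"
    Hours preset;                       // stored preset interval, 0 = none
};

// Constructed sample dates: n days after the clock's epoch.
Clock::time_point day(int n) { return Clock::time_point() + Hours(24 * n); }

// Interval to apply at the next password change; 0 means "leave expiry alone".
Hours renewalInterval(const Entry& e) {
    if (!e.expires || !e.autoRenew) return Hours(0);
    if (e.preset > Hours(0)) return e.preset;  // explicit preset wins
    // Otherwise derive it: expiry date minus date of last password change.
    Hours derived = std::chrono::duration_cast<Hours>(e.expiry - e.passwordChanged);
    // Expiry at or before the last change was set to force immediate renewal
    // (temporary password), so no recurring interval can be inferred.
    return derived > Hours(0) ? derived : Hours(0);
}

// Record a password change at `now`; returns true if the expiry was moved.
bool onPasswordChanged(Entry& e, Clock::time_point now) {
    Hours interval = renewalInterval(e);  // read before overwriting the timestamp
    e.passwordChanged = now;
    if (interval == Hours(0)) return false;
    e.expiry = now + interval;
    return true;
}

int main() {
    Entry e{true, day(90), day(0), true, Hours(0)};  // 90-day rotation, derived
    bool moved = onPasswordChanged(e, day(85));      // renewed 5 days early
    long days = std::chrono::duration_cast<Hours>(e.expiry - day(0)).count() / 24;
    std::printf("moved=%d new expiry=day %ld\n", moved, days);
    return 0;
}
```

The interval has to be read before the last-changed timestamp is overwritten; otherwise the derived value shrinks to the time remaining until the old expiry.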

Kariton commented 2 years ago

Some addition to this request: allow REF links for expire dates.

Everything moves to the cloud and in my case I need multiple username -> same password combinations. (like one name, one DOMAIN\name, one e-mail etc.)

For me it is not sufficient to have one expire date on the parent entry.

This would be a nice addition for a "full impact" overview.