keepassxreboot / keepassxc

KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
https://keepassxc.org/

[Feature] Option for random password expiry presets #6451

Open ba32107 opened 3 years ago

ba32107 commented 3 years ago

Summary

As a user, I would like to be able to set a random expiry date for an entry, within a reasonable range.

Examples

In the Presets dropdown next to an entry's expiry, we could add "In about ..." options. For example:

These are just examples, the exact rules would be up for discussion. Could be something as simple as, pick a date in the +/- 10% range of the base expiry value (e.g. 1 year).

Context

I frequently have multiple expired passwords (see https://github.com/keepassxreboot/keepassxc/issues/4624 why) at a given time. As a result, whenever I renew my passwords, I usually do 5-6 (or more) at once, and almost always set the same expiry preset for all of them. However, I don't want these new passwords to expire on the same date, so for each password, I set the preset, then manually go into the calendar and pick a random date before/after the preset date. I do this so each of my newly generated passwords will expire on a different date. These new presets could save these manual actions.
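The "+/- 10% of the base expiry" rule suggested above, combined with the stated goal that entries renewed together get different dates, as an added example in standard C++ (not KeePassXC code and not part of the original post). The function name, the `Day` type and the day-count date representation are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <random>
#include <set>
#include <stdexcept>
#include <vector>

// Hypothetical date type: days since any fixed epoch, so the example
// needs neither Qt nor a calendar library.
using Day = std::int64_t;

// Pick `count` distinct expiry days in
// [today + base - jitter, today + base + jitter],
// where jitter = base * percent / 100 (10 for the "+/- 10%" rule).
std::vector<Day> jitteredExpiries(Day today, Day baseDays, int percent,
                                  std::size_t count, std::mt19937_64& rng)
{
    if (baseDays <= 0 || percent < 0 || percent >= 100)
        throw std::invalid_argument("base must be > 0, percent in [0, 100)");

    const Day jitter = baseDays * percent / 100;
    const Day lo = today + baseDays - jitter;   // always after `today`
    const Day hi = today + baseDays + jitter;
    const std::size_t window = static_cast<std::size_t>(hi - lo + 1);

    // More entries than days in the window cannot all get distinct dates.
    if (count > window)
        throw std::length_error("window too small for distinct expiry dates");

    std::uniform_int_distribution<Day> dist(lo, hi);
    std::set<Day> used;
    std::vector<Day> out;
    while (out.size() < count) {
        Day d = dist(rng);
        // On a collision, probe forward (wrapping) to the next free day.
        while (!used.insert(d).second)
            d = (d == hi) ? lo : d + 1;
        out.push_back(d);
    }
    return out;
}
```

Seed the generator from `std::random_device` in real use; a fixed seed is only useful for reproducible tests.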

stefan123t commented 3 years ago

Dear @ba32107,

I assume you are trying to actually spread the password expiry over a longer period. So the preset would need to know which passwords you do not want to cycle at/around the same date.

I assume changing unrelated passwords is not the intent of your feature request. But having the VPN password and your Global User Account cycle on the very same dates feels indeed a bit risky.

So actually it would be good to have the expiry of e.g. these two accounts separated by several weeks in order to also take e.g. some vacation / absence into account, where you could naturally not cycle the passwords.

Kind regards, Stefan

michaelk83 commented 3 years ago

Assuming you use those passwords frequently enough, wouldn't this be a one-time issue? Once you set the expiry on different dates, the next time there would already be an offset between them. How about a DB-wide "Deduplicate expiry dates" function instead?

Another thing to consider is, this would only work if you have less than 365 passwords with expiry dates. It would be more useful to somehow automate password renewal. Something like this:

  1. For each generated password, remember the password generator settings that were used to generate it.
  2. Save the password renewal form URL along with the password.
  3. The first time a password is used after its expiry date, after auto-typing the old password, automatically load the renewal form.
  4. Generate a new password using the saved generator settings, and auto-type it into the renewal form.

ba32107 commented 3 years ago

My passwords already have plenty of offsets between them. Ideally, yes, this would be a one-time issue, if I could renew every password right after they expire. However, I never notice when the passwords actually expire. By the time I realize I have one expired password, I already have at least five.

Then, I renew all of those passwords, and the preset always works from the current day - hence I run into the issue described in my first comment.

The whole reason this problem exists is because KeePassXC doesn't notify me of password expirations. I already raised this several times, but so far there is no solution for it (for example, see https://github.com/keepassxreboot/keepassxc/issues/4624).

michaelk83 commented 3 years ago

I think automatic renewal will solve your problem, and would be more useful to other users. You would auto-renew each password when you need it, rather than when you remember to. I've created a separate feature request, linked above.

xvallspl commented 3 years ago

I'm working on automatic extension on password modification here: https://github.com/keepassxreboot/keepassxc/pull/6456

Maybe I can find a way to fit this feature request in there.

ba32107 commented 3 years ago

> Maybe I can find a way to fit this feature request in there.

That would be excellent, thank you

ba32107 commented 3 years ago

> I think automatic renewal will solve your problem, and would be more useful to other users

Thanks for the idea, agree that it would be useful. I see some difficulties with the implementation though: changing the password on many sites is not as simple as just having three text fields (old + new + new confirm). Sometimes you need to reauthenticate, sometimes it's a password reset link sent out by email. Not to mention all the passwords which aren't for web applications but for other uses. How would the auto-renewal work in that case?

I would personally prefer to renew my passwords manually. All I would really need is a simple notification that I have expired passwords in my database. Sadly this is not available yet (I did offer multiple times to implement it), so in its absence, the feature described in this issue would help my workflow a little bit.

michaelk83 commented 3 years ago

> I see some difficulties with the implementation

Let's continue this in #6500. I've replied there.