keepassxreboot / keepassxc

KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
https://keepassxc.org/

Show passwords with old age #8020

Open daviddavo opened 2 years ago

daviddavo commented 2 years ago

Summary

Even if you didn't put an expiration date on a password, it would be nice to include in the health check passwords that have not been changed in over 2 years (for example, perhaps this could be customized).

Examples

| Title | Path | Score | Reason |
|---|---|---|---|
| Work | Root | -90 | Passwords is used 10 times<br>Weak password<br>Password has expired |
| e-mail | Root | -42 | Passwords is 3.7 years old |

Context

I have a lot of old passwords without an expiration date.

mattesony commented 2 years ago

I made a branch for this since I'm interested in the same feature. A few thoughts:

droidmonkey commented 2 years ago

In all technicality old passwords don't get less secure. In fact, NIST doesn't recommend rotating strong passwords anymore. If you want a certain account to "age" just set an expiration date for it. However, if you are using a long, complex password (15+ chars) then there is no sense in aging it out.

nevaran commented 2 months ago

Passwords with length of 9 were considered secure 20 years ago, now they can be cracked within seconds. There's no reason not to add a password age feature to more easily manage security. Especially in a business environment where such stuff needs to be more secure.

WhyNotHugo commented 2 months ago

@nevaran For this situation, you can add the "password strength" column to the main view and sort using that.

daviddavo commented 2 months ago

Perhaps saying that your password is less healthy just because it's old is not a good feature and is not recommended, but I still think adding a "modified password" date column would be useful.

Perhaps your DB got leaked (or you used your browser's password manager) and you want to rotate all passwords created before that date.

droidmonkey commented 2 months ago

That's #9108

nevaran commented 2 months ago

> @nevaran For this situation, you can add the "password strength" column to the main view and sort using that.

It was just an example, but it's more in the case of "it's old now and should be replaced" as per regulations and cybersecurity directives.