Show passwords with old age

daviddavo commented 2 years ago

Summary

Even if you didn't put an expiration date on a password, it would be nice to include on the health check passwords that have not been changed in over 2 years (for example, perhaps this could be customized)

Examples

Title	Path	Score	Reason
Work	Root	-90	Passwords is used 10 times Weak password Password has expired
e-mail	Root	-42	Passwords is 3.7 years old

Context

I have a lot of old passwords without an expiration date

mattesony commented 1 year ago

I made a branch for this since I'm interested in the same feature. A few thoughts:

It might be more useful to start with to add an age column somewhere to sort and comb through old passwords that way. No config required.
Changing the score gets a little weird because you have to change the score enough to get it to show up in the first place. Taking off 5 points per year beyond one (what I've got in the PR) doesn't always seem to be enough if password age is the only issue with an entry. I was reticent to bump up the penalty because if someone people doesn't care about age, it might mess with results in a way they don't like. Is there another mechanism that could be used, or maybe a checkbox somewhere to perform this check to begin with?

droidmonkey commented 1 year ago

In all technicality old passwords don't get less secure. In fact, NIST doesn't recommend rotating strong passwords anymore. If you want a certain account to "age" just set an expiration date for it. However, if you are using a long, complex password (15+ chars) then there is no sense in aging it out.

keepassxreboot / keepassxc