Workflow for changing passwords #6323

Open
ee-usgs opened this issue Mar 22, 2021 · 7 comments

@ee-usgs

ee-usgs commented Mar 22, 2021

The problem with updating passwords on picky sites

I have several passwords on sites that have picky password requirements and frequently require me to change passwords. When updating a password on one of these sites, I don't want to replace my old password in KeePass because the site may reject it. I don't want to put the new password only into the new site, because that makes it hard to create a good password and hard to confirm that I have placed that same password into KeePass.

The 'hack' that I typically use is to first put the new password in the notes section of a KeePass entry. It's not the best practice, but at least that way I know I have the new password and still have preserved the old one.

If I'm interrupted during the process, it's easy to forget to delete the new password in the notes and it's unclear which password (the one in the note or the one in the pwd field) is correct.

How could this be better?

Add a 'Create New Password for this Entry' button that pops open a window similar to the New Password Generator. The new popup would display the old pwd and the generated new pwd and two buttons:

  • I was able to switch to the new password (replace the old password with the new one)
  • I was NOT able to switch to the new password (keep the old password)

If KeePass is quit or crashes, keep the old password with the date of the attempted change - it's unknown if the user was able to complete the change or not.

Examples

image

Context

I think this applies to anyone with website passwords. Every site has its own set of password requirements, so you never know if your new password will work. Having an actual workflow to change passwords would make this process safer and prevent less secure work-arounds.

@michaelk83

michaelk83 commented May 13, 2021

Linking this to #6500 and #6520:

@maximilianovermeyer

In the meantime, you can just change the password of your entry and retrieve the old one from the history, if you need to. Seems easier than the workaround using the notes section.

@michaelk83

michaelk83 commented Jun 18, 2022

May want to add an extra Open URL button here, in case the user forgot to open the website before launching the generator:

[ Cancel ]                        [ Open URL |▼] [  Apply  ]
                                  | www.main-url.com         |
                                  | www.2nd-url.com          |

(If the main button is clicked, it would open the main entry URL.)

@galzetta

galzetta commented Jul 7, 2022

A few days ago I decided to take some time to go through old accounts and see which ones were still active, which were dead and also update all the passwords. It is a very cumbersome process right now. What I did was:

  • For each entry, copy the current password
  • Save it in an attribute called "old"
  • Save the DB just in case I make some error and I do not want to lose my progress
  • Generate a new password
  • Go to the website and click on change my password
  • Do "Copy attribute > old" to specify the old password
  • Copy & paste the new password 2 times
  • Save and hope the new password works, otherwise retry a couple of times
  • If it works save the DB and try to login to double check

Note that I leave the old attribute there just in case, and override it if I have to change it again.

It would be way better to simply have something like you describe. The only addition I would request is optionally specifying the name of an attribute in which the old password should be stored.

It has happened to me multiple times that the AD synchronization failed/took a long time and so I needed the old password even days after changing it. Sure, you usually can contact IT and ask them to fix this, but it may take hours and you are cut off from the internal services until the sync is fixed. Having the ability to retain the old password in an attribute with a checkbox and a label would be awesome in these instances and, I believe, easy to implement.

(Yes, you can use the history but it's cumbersome having to restore the old entry, use the password, then restore the new entry, possibly multiple times until the sync of controllers is fixed. Way better to just let me use a custom attribute and use "Copy attribute" when I need it).
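
A minimal model of the staged password change proposed in the opening post, including the optional "keep the old password in a named attribute" requested in the comment above. This is an added example, not KeePassXC code and not written by any participant in the thread; the `Entry` class, its method names and the `attempted_*` attribute names are hypothetical, and keeping the unconfirmed candidate after a crash is an assumption.

```python
import secrets, string
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"

@dataclass
class Entry:
    """Hypothetical entry model: the old password stays current until confirmed."""
    password: str
    attributes: dict = field(default_factory=dict)
    history: list = field(default_factory=list)
    pending: Optional[tuple] = None          # (candidate, started_at)

    def begin_change(self, length=20, now=None):
        """Stage a generated candidate; the current password is untouched."""
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        self.pending = (candidate, now or datetime.now(timezone.utc))
        return candidate

    def confirm(self, keep_old_as=None):
        """The site accepted the candidate: promote it and archive the old one."""
        if self.pending is None:
            raise ValueError("no password change in progress")
        candidate, started = self.pending
        self.history.append((self.password, started))
        if keep_old_as:                      # optional named attribute for the old password
            self.attributes[keep_old_as] = self.password
        self.password, self.pending = candidate, None

    def reject(self):
        """The site refused the candidate: drop it and keep the old password."""
        self.pending = None

    def recover(self):
        """Run on reopen after a quit or crash while a change was in flight."""
        if self.pending is None:
            return None
        candidate, started = self.pending
        # Outcome unknown: old password stays current, attempt is kept with its date.
        self.attributes["attempted_password"] = candidate
        self.attributes["attempted_on"] = started.isoformat()
        self.pending = None
        return started
```
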

@maximilianovermeyer

maximilianovermeyer commented Jul 7, 2022

@galzetta
https://keepassxc.org/docs/KeePassXC_UserGuide.html#_history
Check your entries if you already use the history function. That meets all your needs.

@galzetta

galzetta commented Jul 7, 2022

@maximilianovermeyer Are you dumb or do you eat rocks?

That's even worse than manually creating an attribute. I have to go to the history, restore the old version, use the password, then go back to the history and restore the new version every single time I need to use the old password. That's fucking awful.

I don't want to deal with history. I want the old password accessible with a right click from the current entry.

@maximilianovermeyer

maximilianovermeyer commented Jul 7, 2022

@galzetta Always glad to get in touch with gentle people like you. I have to admit that I skipped the part in parentheses.
edit: Oh wait, that part wasn't even there when I opened the page.

Still, your workflow seems overly complicated. You copy every password to an attribute before changing it, just in case some sync fails? Why don't you just use history afterwards to restore the old password to an attribute if you really need it?

It would probably even be easier to just duplicate the entries in question and delete the duplicates after some days. No need to copy attributes or so, just decide which entry to use in the auto-type/browser extension pop-up.

Furthermore, you can tell KeePassXC to "Automatically save after every change" in "Application Settings -> General".

@keepassxreboot keepassxreboot locked as too heated and limited conversation to collaborators Jul 7, 2022