by vitus 1025 days ago
> What I found was a lot of people made security assumptions and never revisited those assumptions. Or never fully did.

I appreciate that KeePassXC has a feature to audit your passwords (Database -> Database Reports -> Health Check), which tells you which of your passwords are weak / should be changed.

https://keepassxc.org/blog/2020-08-15-keepassxc-password-hea... for more details (the threshold for "good" has since been bumped from 65 -> 75). The score corresponds to bits of entropy, with penalties for things like password reuse.

(It also has HIBP integration if you want to perform a one-off check that none of your important passwords have been compromised.)

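The two checks the post describes (a per-entry strength score with a reuse penalty against a "good" threshold, and a Have I Been Pwned lookup) can be sketched in a few dozen lines. The following is an added example written for this thread; it is not KeePassXC's code and the strength estimator is a deliberately naive charset-size guess standing in for zxcvbn, which does far more (dictionary, keyboard-walk and date matching). The reuse penalty value, the sample vault entries and the HIBP range response are constructed; only the 75-bit threshold and the SHA-1 k-anonymity protocol (send the first five hex characters of the SHA-1, match the suffix locally) come from the thread and the public HIBP API.

```python
"""Toy password health check: entropy estimate, reuse penalty, HIBP k-anonymity lookup.
Added example for illustration; not KeePassXC's implementation."""
import hashlib
import math
from collections import Counter

GOOD_THRESHOLD = 75    # bits; the "good" bar mentioned in the thread
REUSE_PENALTY = 30     # assumed bits deducted per extra entry sharing the password (constructed)


def estimate_entropy_bits(password: str) -> float:
    """Naive stand-in for zxcvbn: log2(charset_size ** length).
    Over-estimates dictionary words badly; a real checker must pattern-match."""
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(not c.isalnum() for c in password):
        charset += 33   # printable ASCII punctuation
    return 0.0 if charset == 0 else len(password) * math.log2(charset)


def pwned_count(password: str, fetch_range) -> int:
    """HIBP k-anonymity: only the first 5 hex chars of SHA-1 leave the machine.
    fetch_range(prefix) returns the API body: 'SUFFIX:COUNT' lines."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        hash_suffix, _, count = line.strip().partition(":")
        if hash_suffix == suffix:
            return int(count)
    return 0


def live_fetch_range(prefix: str) -> str:
    """Real lookup against api.pwnedpasswords.com (not used by the offline demo)."""
    import urllib.request
    with urllib.request.urlopen("https://api.pwnedpasswords.com/range/" + prefix) as resp:
        return resp.read().decode("utf-8")


# Constructed offline fixture: SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8,
# so the prefix is 5BAA6 and the rest is the suffix. The count 42 is made up.
FAKE_RANGE_DB = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:42\r\n"
             "0123456789ABCDEF0123456789ABCDEF012:7\r\n",
}


def fake_fetch_range(prefix: str) -> str:
    return FAKE_RANGE_DB.get(prefix, "")


def health_report(entries, fetch_range=fake_fetch_range):
    """entries: iterable of (title, password). Returns {title: (score_bits, [issues])}."""
    uses = Counter(pw for _, pw in entries)
    report = {}
    for title, pw in entries:
        score = estimate_entropy_bits(pw)
        issues = []
        extra = uses[pw] - 1
        if extra:
            score -= REUSE_PENALTY * extra
            issues.append(f"reused in {extra} other entr{'y' if extra == 1 else 'ies'}")
        breaches = pwned_count(pw, fetch_range)
        if breaches:
            issues.append(f"seen {breaches} times in breaches")
        if score < GOOD_THRESHOLD:
            issues.append("weak")
        report[title] = (round(max(score, 0.0), 1), issues)
    return report


# Constructed sample vault.
SAMPLE_VAULT = [
    ("bank", "password"),
    ("email", "password"),
    ("vpn", "Tr0ub4dor&3xY!q9Lm"),
]

if __name__ == "__main__":
    for title, (score, issues) in health_report(SAMPLE_VAULT).items():
        print(f"{title:6} {score:6.1f} bits  {', '.join(issues) or 'ok'}")
```

The important design point is in `pwned_count`: the full hash never leaves the client, so a breach-check feature does not itself become a way to leak the vault's contents. The naive estimator is the weak link here; it scores a long lowercase dictionary phrase as strong, which is exactly the class of mistake zxcvbn's pattern matching exists to catch.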

Underrated feature, really. And most folks don't even know it's there. It also shows your health level on each password entry in the normal vault lists as a color square and when you open your entry as a colored line.

Doesn’t LastPass have this as well?

Seems like it (the "Security Dashboard"). In fact, it looks like it uses the same standard library for calculating entropy (zxcvbn). I didn't know offhand, since I've never used LastPass.

My point is that if your password manager allows you to readily identify which of your passwords are insecure / have been compromised, that's a very useful tool to revisit any previous security assumptions you may have had.

If that feature were to be implemented truthfully, it would have to report “go and change all of these; we were compromised and your master password was probably not secure enough” (i.e. based on the master password’s strength in addition to that of stored passwords).