Reports old "Exposed passwords" #855

Closed
opened 2026-02-04 23:06:24 +03:00 by OVERLORD · 2 comments

Originally created by @mcfrojd on GitHub (Nov 1, 2020).

Subject of the issue

The report of exposed passwords still shows me passwords that have been changed.
Are the old passwords stored in the db for the "updated password counter"?
And if so, is the report generator including these passwords when generating the report?
Or am I missing some "purge" function that "cleans" the database from old changed passwords?

Your environment

  • Bitwarden_rs version:
    Server Latest 1.17.0
    Web Latest 2.16.1
  • Install method: Docker-compose
  • Clients used: Android app, chrome app
  • Reverse proxy and version: Nginx Reverse Proxy Manager 2.3.1
  • Version of mysql/postgresql:
  • Other relevant information:

Steps to reproduce

When in my web vault, running the tools/report exposed passwords, the report shows me password entries with old (exposed) passwords.
When I click them in the report it shows the old password, and if I click the entry in the vault I see the new changed password (changed 2 months ago).

Expected behaviour

The report should not generate warnings on passwords that have been changed in the vault.

Actual behaviour

I'm guessing the old passwords are still stored somewhere and the report generator can still find these old passwords and keeps warning me about them.
I can't see the old password anywhere in the web vault, but if I use search and type in my old exposed password I get a list of entries that have had that password before I changed them, but I can't see that old password when I open the items from the list.

Relevant logs


@BlackDex commented on GitHub (Nov 2, 2020):

Hello @mcfrojd,

All this is done client-side via the web-vault which we do not maintain.
For items regarding the web-vault behaving not as expected you are better off going to https://github.com/bitwarden/web/


@sichkarmg commented on GitHub (Nov 5, 2020):

Mcfrojd, sorry I could not wait long, I have the same problem.
https://github.com/bitwarden/web/issues/690


Reference: starred/vaultwarden#855