LastPass offers the ability to reset a staff member’s master password if/when they forget it. This is especially helpful for non-technical staff members that are being trained to use a strong master password for the first time (they often forget it starting out).
I think I remember reading somewhere that Bitwarden didn’t have the functionality because it would require Bitwarden to store information centrally, but I believe it can be done while adhering to the zero knowledge policy.
A new grouping (similar to “collections”) called “user collections” would be added. Each user would have a single “user collection” automatically created (and updated over time) that contains the user’s passwords and folder structure.
Groups would have an additional setting (like “Access Control”) named “Master Password Reset” with the following options:
- This group is an “owner” group and all members can reset the master password of anyone, including users also part of an “owner” group.
- This group is an “admin” group and all members can reset the master password of anyone who is not part of an “owner” or “admin” group.
- This group is a “user” group and members can reset their own master password.
All users’ “user collection” would be automatically shared with all “owner” groups, regardless of that user’s group affiliation.
All users who are not part of an “owner” or “admin” group would have their “user collections” shared with all “admin” groups.
Sharing with zero knowledge would be possible as the user’s old and new master passwords wouldn’t need to be sent to Bitwarden.
“User collections” would be encrypted similar to how “collections” are encrypted, in that the public keys of the users who have access to the collection are used to encrypt the contents saved by other users. Theoretically, this could also be used for functionality similar to “Super Admin - Shared Folders”. It would just need the GUI for it.
To “reset” a user’s master password, a user in an “owner” or “admin” group would simply encrypt the “user collection” they have access to with a new temporary password. The user would log in with the temporary password and be prompted to choose their new master password. Neither Bitwarden nor the “owner”/“admin” would know the user’s master password.
Users should also get a warning letting them know their passwords are shared with “owners”/“admins” in the organization. And an option to turn this off/on would be great.
Disclaimer: If I’ve gotten anything fundamentally wrong, my apologies. I’m just looking into migrating our company to Bitwarden from LastPass and would love to see this feature built in.
This is something we have on our radar. The idea we plan to implement is to allow an organization to enable the ability for their user’s encryption keys to be transferred and held by the organization admins (via public/private key sharing, zero knowledge still). If an organization admin has access to that encryption key, they can then reset a user’s master password (which is basically just re-encrypting the encryption key for that user). This process is actually the basis for an “emergency access” feature, which we also plan to release for premium members along with admin password resets.
Is there any sort of roadmap for these features? I’m heavily considering Bitwarden for my company but I don’t know how well we would handle employees forgetting their passwords and losing everything.
I’m with bshaner here. I’m seeing a lot about Bitwarden that makes me want to move our company this way, but we need to ability to reset a password so someone doesn’t lose all their passwords when they forget the master password (because they WILL forget their master password).
@kspearrin has this been rolled out? Setting up new users now and want to make sure they can’t lose everything without the ability of an admin PW reset.
We found out that this is a real issue the hard way.
The only way to provide access again to a user right now is to delete the user and all the passwords…
We (Enterprise) are looking at Bitwarden excatly because it does not have this capability. LastPass is exactly how we don’t want it to be.
Please don’t do it.
No: You reset the passwords in the target systems and not in the PW manager.
What target system do I use to reset my enterprises Bitwarden user his password synced from active directory.
The user password is not sync from active directory and Bitwarden doesn’t have a “I forgot my password” function or a “reset user password” in the admin panel to send a recovery email to the user.
I voted for this as well. I would really like to see it implemented to help support family member use. I have some family members (senior parents and non technical types) who I would like to get onto a Bitwarden family plan, but they are likely to forget their master passwords (some have already with other password managers) so I would like to be able to reset their master passwords in some zero knowledge way. I dont want to have to record their master passwords in my vault for instance.
It would be a nice feature to require the admin (me) to reauthenticate before resetting, or retrigger a 2FA authentication. That seems prudent but not required, just a good idea.
Our organisation migrated from LastPass to Bitwarden recently. We are very happy with Bitwarden so far. But we know that it’s only a question of time until a user forgets the master password, since it happened multiple times when we used LastPass. In our world, this feature is very much needed. We now keep all employees master passwords written down on a piece of paper, sealed in an envelope and locked in a safe. If you ask me, this doesn’t feel like a solution that fits into all the technological advances in this day and age.
Any news about the emergency access” feature?
It’s on our roadmap for this quarter, or very early next depending on testing, etc.
Thank you for your answer! Is the roadmap public available?
Just went through estimates and planning on this with the team; there are some functional things we’ll be clarifying internally with the rest of the product team, however it’s on our board to start development work on this here in the next couple of weeks.