Ability for owner/admin to reset user's master password (for accounts managed by an organization)

LastPass offers the ability to reset a staff member’s master password if/when they forget it. This is especially helpful for non-technical staff members that are being trained to use a strong master password for the first time (they often forget it starting out).

I think I remember reading somewhere that Bitwarden didn’t have the functionality because it would require Bitwarden to store information centrally, but I believe it can be done while adhering to the zero knowledge policy.

Idea

A new grouping (similar to “collections”) called “user collections” would be added. Each user would have a single “user collection” automatically created (and updated over time) that contains the user’s passwords and folder structure.

Groups would have an additional setting (like “Access Control”) named “Master Password Reset” with the following options:

  • This group is an “owner” group and all members can reset the master password of anyone, including users also part of an “owner” group.
  • This group is an “admin” group and all members can reset the master password of anyone who is not part of an “owner” or “admin” group.
  • This group is a “user” group and members can reset their own master password.

All users’ “user collection” would be automatically shared with all “owner” groups, regardless of that user’s group affiliation.

All users who are not part of an “owner” or “admin” group would have their “user collections” shared with all “admin” groups.

Zero knowledge

Sharing with zero knowledge would be possible as the user’s old and new master passwords wouldn’t need to be sent to Bitwarden.

“User collections” would be encrypted similar to how “collections” are encrypted, in that the public keys of the users who have access to the collection are used to encrypt the contents saved by other users. Theoretically, this could also be used for functionality similar to “Super Admin - Shared Folders”. It would just need the GUI for it.

To “reset” a user’s master password, a user in an “owner” or “admin” group would simply encrypt the “user collection” they have access to with a new temporary password. The user would log in with the temporary password and be prompted to choose their new master password. Neither Bitwarden nor the “owner”/“admin” would know the user’s master password.

Users should also get a warning letting them know their passwords are shared with “owners”/“admins” in the organization, and an option to turn this off/on would be great.


Disclaimer: If I’ve gotten anything fundamentally wrong, my apologies. I’m just looking into migrating our company to Bitwarden from LastPass and would love to see this feature built in.

This is something we have on our radar. The idea we plan to implement is to allow an organization to enable the ability for their users’ encryption keys to be transferred and held by the organization admins (via public/private key sharing, zero knowledge still). If an organization admin has access to that encryption key, they can then reset a user’s master password (which is basically just re-encrypting the encryption key for that user). This process is actually the basis for an “emergency access” feature, which we also plan to release for premium members along with admin password resets.

9 Likes

Is there any sort of roadmap for these features? I’m heavily considering Bitwarden for my company but I don’t know how well we would handle employees forgetting their passwords and losing everything.

2 Likes

I’m with bshaner here. I’m seeing a lot about Bitwarden that makes me want to move our company this way, but we need the ability to reset a password so someone doesn’t lose all their passwords when they forget the master password (because they WILL forget their master password).

2 Likes

@kspearrin has this been rolled out? Setting up new users now and want to make sure they can’t lose everything without the ability of an admin PW reset.

We found out that this is a real issue the hard way.
The only way to provide access again to a user right now is to delete the user and all the passwords…

Any news on this?