LastPass offers the ability to reset a staff member’s master password if/when they forget it. This is especially helpful for non-technical staff members that are being trained to use a strong master password for the first time (they often forget it starting out).
I think I remember reading somewhere that Bitwarden didn’t have the functionality because it would require Bitwarden to store information centrally, but I believe it can be done while adhering to the zero knowledge policy.
A new grouping (similar to “collections”) called “user collections” would be added. Each user would have a single “user collection” automatically created (and updated over time) that contains the user’s passwords and folder structure.
Groups would have an additional setting (like “Access Control”) named “Master Password Reset” with the following options:
- This group is an “owner” group and all members can reset the master password of anyone, including users also part of an “owner” group.
- This group is an “admin” group and all members can reset the master password of anyone who is not part of an “owner” or “admin” group.
- This group is a “user” group and members can reset their own master password.
All users’ “user collection” would be automatically shared with all “owner” groups, regardless of that user’s group affiliation.
All users who are not part of an “owner” or “admin” group would have their “user collections” shared with all “admin” groups.
Sharing with zero knowledge would be possible as the user’s old and new master passwords wouldn’t need to be sent to Bitwarden.
“User collections” would be encrypted similar to how “collections” are encrypted, in that the public keys of the users who have access to the collection are used to encrypt the contents saved by other users. Theoretically, this could also be used for functionality similar to “Super Admin - Shared Folders”. It would just need the GUI for it.
To “reset” a user’s master password, a user in an “owner” or “admin” group would simply encrypt the “user collection” they have access to with a new temporary password. The user would log in with the temporary password and be prompted to choose their new master password. Neither Bitwarden nor the “owner”/“admin” would know the user’s master password.
Users should also get a warning letting them know their passwords are shared with “owners”/“admins” in the organization. And an option to turn this off/on would be great.
Disclaimer: If I’ve gotten anything fundamentally wrong, my apologies. I’m just looking into migrating our company to Bitwarden from LastPass and would love to see this feature built in.