Add logging of users that view or copy password

app:all

#1

Please add event logging when users in an organization view and/or copy a password from a vault.


#2

Download logs would be nice too :slight_smile:


#3

I could definitely see this for a business subscriptions. Auditing is a must. Though I believe this would be overkill for personal subscriptions.


#4

I would absolute urge you to implement this; it’s a deal-breaker for us, possibly preventing us from buying the product for our organization. I’ve stumbled on this thread to weigh in.

Considering the following future aspects of logging that info;

When a user leaves an organization, which passwords did he see? A ‘which passwords did a user see’-feature, that may result in a view where one or more of the following is possible; optional password expiration that can be forced, a notice to the owner, setting a flag on the password item, something, indicating that the passwords could/should be changed.

But, as a minimum, log when a user sees/copies a password. Optionally a view with a list of seen passwords for a given user.

If it only ends in the log, thats fine, but log it in a way it would be easy to sort/unique the list so you can go to the affected passwords.

Not least, @bitwarden - you’ve made an awesome product!


#5

Big FAT +1 from my organization on this request. I had hoped when beginning my evaluation that the event/audit logging would include this, and was disappointed to see that it did not. I also agree with the above comment that a view of account passwords which were accessed by a given user would be great for closing up any potentially open doors when that individual leaves the organization.


#6

+1 from another evaluator. If you want us to pay for an enterprise license, this is a must.


#7

I would love to be able to see exactly which passwords had been viewed recently in the event a member of staff were to leave. Would limit the number password we’d then need to change in order to keep us protected.


#8

It would be nice if password accesses by users were logged to the system log. I’m totally aware that this can be done only in an opportunistic way since offline accessible passwords may undermine the logging; nevertheless offline clients may also keep track and submit access logs when they are syncing again with the server.

There are several reasons why this feature is important to organizations:

  • Auditing -> Is there anybody accessing passwords that should not be accessed? (yes, in the first place this should be prevented by proper rights management but in reality people and duties inside an organization move really fast and this would make it easier for administrators to spot misconfigurations)
  • Unusual activities -> Is there anybody accessing a lot of passwords in a short time frame
  • This is actually a ISO 27001 control: A.12.4.1 states “Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed” and A.12.4.3 says “System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.”
  • staff leaving -> which credentials were viewed and definitely need to be changed. This also eases handling of ISO27001, A.7.3.1: “Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor and enforced.”

Access logs are a really important feature for lots of organizations. Please consider implementing this feature.


#9

Voting for this to be in the audit trail as well. I’ve converted my company over to Bitwarden and this is a feature that we really need.


#10

Please implement ASAP. This is a dealbreaker for us - we would love to use bitwarden if it included this.


#11

Our organization will be reviewing Bitwarden along with other password managers for business use within the coming months. The lack of this feature could prove to be a deal-breaker for us.
It would be nice with an indication of whether or not this feature is in the pipeline for a release in the near future. Can you shed some light on this @kspearrin?


#12

It is planned, but I can’t give an ETA. Sorry.


#13

I have the following client events to add:


        Cipher_ClientViewed = 1107,
        Cipher_ClientToggledPasswordVisible = 1108,
        Cipher_ClientToggledHiddenFieldVisible = 1108,
        Cipher_ClientCopiedPassword = 1109,
        Cipher_ClientCopedHiddenField = 1110,
        Cipher_ClientAutofilled = 1111,

Any others that might be worthwhile?


#14

Adding auditing for those actions alone would be sufficient at my company. Viewing and copying are the biggies.


#15

Hi, thanks for implementing these logs.
Another event that would be useful might be when clients sync the complete database so it becomes possible to reconstruct who and which client has theoretically had offline access to which passwords when the client doesn’t come back.