"Do you want to update this password in Bitwarden?" and Read Only Organization User

I believe this may be a bug.
If a user with read only access to a shared site goes to the ‘change password’ page of that site and changes the password, the browser extension displays the ‘Do you want to update this password in Bitwarden?’ message. The user can click the button to update the password, but it does not actually get updated in the vault.

I would expect that since it is the Bitwarden extension, not the user, updating the vault that the update would be allowed.

This is not a problem any password manager can solve. If the user cannot update the password in the password manager, then the user should not be allowed to change the password on the site in question. The user is effectively “locking out” all users of the password manager because it no longer has the current password the website is using.

However, users of websites almost universally can’t be prevented from changing their password, if you think about this from the website’s view.

I’m not convinced read-only entries help because anyone able to use a password can use it to change the password, and the last thing you want to do is to break the synchronization between your password manager and the website.

Bitwarden doesn’t control the password, the website does. Read-only just turns every user with access to that entry in their collections into a DOS attack vector to lock out all of the other users with access to that entry.

I wish there was a better answer to give, but that isn’t the way things are now.

Short story: If you and I share a password and I change it but don’t tell you the new password, you are locked out. Enforcing read-only (not telling you the new password) doesn’t really help security as much as you might think.

If someone with access to a password changes it, I’d want everyone else with shared access to know the new (working) password.

That makes a lot of sense, I hadn’t thought it through thoroughly.

Thank you for taking the time to explain the nuances.

For a solution, there are 2 practical ones.

One solution is to train all users to use the strong password generator in the password manager to generate a new password and let anyone with access to the password entry update the website and require them to also update the password manager entry when they update the password to keep them in sync.

The other, and possibly better, option is, instead of training everyone how to use the password generator and update the entry (or keep doing password resets until the website and password manager are in sync), to train them to exit the password reset process and call a security/identity admin trained to go to the website in question, generate a new password, update the website’s password, and sync it with the password manager. Then the user can resume their use of the website like normal using the password manager.

It is a question of training everyone or one/a few in making sure the password is strong (follows your policy for that) and that any MFA (Multi-Factor Authentication) processes from the website get followed. For example, if the website sends an email with a password reset link in it, or a one-time code sent to a mobile number, someone will need to have access to the email account or the mobile phone to respond to your employee trying to reset the website’s password.

To me, this makes the latter, centralized process of “contact the password manager administrator to change a website’s password” the better option, since training users is simpler, and it works with websites that have MFA controls on password changes, which many do. You’ll need to be disciplined about centralizing the contact email (and mobile phone/SMS receiver) for these accounts to be your security/identity team (e.g. the password manager administrators). Unfortunately that also makes that person/team the point of contact for all of the other emails (“marketing”) the website sends out, or critical business emails (statements, invoices) and you have to be able to review and route those to the right persons within your organization.

When you share accounts/passwords to that website, everyone in your organization is the same person from the website’s viewpoint.

Identity management for third-party credentials at scale just has no easy, low-cost (money or process) universal solutions. The next step up is to go with a federated identity service to translate between your users and the external website’s users.