Does Emergency Access still work after I changed my Master Password?
I am assuming it would, since the invitations and acceptance are email based, but access is key based.
That said, there are two email addresses associated with an account - or possibly two - the login email and if chosen as a 2FA option, an email for 2FA verification. I am assuming BW uses the login email for invitation. Haven’t played around with this yet - since I would be giving takeover access. My current emergency access is: master password typed out and instructions left in my notes to an executor.
I’ve mixed feelings about that.
It’s often advised to change a (master) password regularly.
If that’s sound advice, shouldn’t the recovery be changed too?
That introduces another problem: I’m bound to forget updating recovery (if required).
You mentioning an executor brings up a memory. In his last will my uncle gave what’s on a certain bank account to certain people. When he died nothing was on that account because he moved the money to an account with better interest rates. But he never updated that info with his executor. So I think you should be very sure about what happens with your account when you change a master pass. Sounds like giving access to others is really important to you because you took legal steps to do so. And then it no longer works…
I don’t think that’s sound advice (at least not in regards to the master password). Mostly, you should only change your master password if you have reason to believe it may have fallen in wrong hands (e.g., you accidentally disclosed it, or you have found malware on a device on which you’ve used Bitwarden, or there is evidence that someone is in the process of accessing your vault); in such cases, you should also rotate your account encryption key. The only other reason to change your master password would be if you don’t like your current one, or want to make your current master password stronger.
Not sure exactly what you mean by “changing the recovery”? The emergency access option authorizes another Bitwarden account holder to initiate a process (in case of emergency) that will ultimately allow them to view or take over your vault. I suppose this does imply that at the time of authorization, a copy of the account encryption key is packaged (encrypted) in such a way that the emergency contact will later be able to unpack (decrypt) it using their own master password or account key.
This makes me curious about how this is implemented, actually.
It seems like it’s true that the special recovery key would have to be updated if you rotate your own account encryption key (but not if you change your master password without rotating the account encryption key!), and probably also if the emergency contact updates their master password and/or account encryption key.
I would be very surprised if the developers at Bitwarden have not already thought this through and automated the updating process for the recovery key so that it is transparent to the user. Nonetheless, it would be nice to get some official confirmation – by experimentation, or by the dev team (…perhaps @dwbit can ask them on our behalf).
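A simplified model of the key wrapping the post above supposes, added here as an example; it is not part of the thread and not Bitwarden's code. Assumptions: an HMAC-based keystream stands in for a real cipher, the emergency contact's key pair is modelled as a single secret `contact_key`, and all names and values are constructed.

```python
import hashlib, hmac, os

def kdf(password, salt):
    # Master password -> key-encryption key (KEK).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _stream(key, nonce, n):
    # Constructed stand-in for a real cipher: HMAC-SHA256 in counter mode.
    blocks = (hmac.new(key, b"enc" + nonce + bytes([i]), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def wrap(kek, secret):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(secret, _stream(kek, nonce, len(secret))))
    tag = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(kek, blob):
    # Returns None when the blob was not wrapped under this key.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None
    return bytes(a ^ b for a, b in zip(ct, _stream(kek, nonce, len(ct))))

def scenario():
    salt, account_key = os.urandom(16), os.urandom(32)
    contact_key = os.urandom(32)  # assumption: stands in for the contact's key pair
    emergency_copy = wrap(contact_key, account_key)  # made when access is confirmed
    item = wrap(account_key, b"bank login")          # constructed vault item
    result = {}

    # 1. Master password change: the same account key is re-wrapped under a new KEK.
    protected = wrap(kdf("new master password", salt), account_key)
    result["old_password_unlocks"] = unwrap(kdf("old master password", salt), protected) is not None
    result["contact_after_password_change"] = unwrap(unwrap(contact_key, emergency_copy), item)

    # 2. Account key rotation: the vault is re-encrypted under a fresh key.
    new_key = os.urandom(32)
    item = wrap(new_key, b"bank login")
    result["contact_with_stale_copy"] = unwrap(unwrap(contact_key, emergency_copy), item)

    # 3. The emergency copy is re-wrapped for the contact after rotation.
    emergency_copy = wrap(contact_key, new_key)
    result["contact_after_rewrap"] = unwrap(unwrap(contact_key, emergency_copy), item)
    return result
```

In this model the contact's copy survives a master password change untouched and only goes stale when the account key itself is rotated, at which point it has to be re-wrapped.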
NNE: I have never changed my master password - I’ve used the same one for at least a decade. (Let me amend that - some years ago, I added to it, on the advice of this gentleman: https://theworld.com/~reinhold/diceware.html.) I use my master password in one place only - logging into BW - previously 1Password. I crafted it so long ago, there were few random diceware calculators, and so I rolled dice against the word list. Never changed it. I honestly think the advice these days is if your password is “secure” in entropy and never compromised - don’t change it. Best wishes, W
Hey all, just to confirm, emergency access will still be available, it’s just important to ensure that it is accepted and confirmed on both sides and not pending.