Every password shared? (newbie question)

I have noticed that every login in my vault has the ‘shared’ icon next to it. I have not taken any actions I thought would share these, so wonder if it’s normal?

Here is my setup; I created myself an account, imported all my data from lastpass, subscribed to a family plan, created an organisation, added a family member to that organisation.

It seems that all passwords in my vault now also appear in the family organisation vault (but not shared to other family users).

Is that default behavior, perhaps because I own the organisation please, or has something shared all these (I can’t find an unshare if that is the case)?

Thanks anyone who knows :slight_smile:

What you’re explaining sounds odd. Sharing should NOT be done automatically.

I do not know your level of adaptability to new software, nor what you actually did, so I can only assume.

IF you created the organization FIRST, then it is possible that you went to the organization’s “Tools” section and imported the credentials inside there with the “Import Data” function.

IF you created the organization after you imported your credentials BEFORE creating your organization, then the only “normal” explanation is that you went through the following steps:

  • You went to your vault
  • You selected all the items inside it (manually clicking each or using the gear at the top of the vault and choosing the “Select All” option)
  • Perhaps you wanted to move them somewhere, but you pressed the share button which is placed right next to it, and then chose a collection then saved the changes.

This is a very long process to go through by mistake, so I find it unlikely to happen.

If you are sure none of those scenarios happened, it could be a bug.

The reason why the other user may not see the credentials could be because you didn’t accept them once they joined the organization (you have to go back to the “Manage” tab and approve them). It could also be because they are added in a different collection than the one where your credentials are shared with.

From the top of my head, those are the two possibilities, and if none of those hold, it could be a bug.

Regardless, I suggest you don’t change your vault too much because the “un-sharing” option is as good as non existent when you have many items to un-share. I suggest you import again your credentials to bitwarden to your personal vault before you start fiddling around and arranging your them.

I have briefly detailed below the way the system works for seeing where your password is shared, adding users to organization, and managing users from an organization in a normal scenario, with the current Version 2.18.2 of the web vault which is likely the one implemented for you as well.

Seeing where the item is shared
I will start with this, because I believe this is what you need the most.

  1. You go to your personal vault (because you don’t see it in the organization, but it should be there as well) and pick an item that you see as being shared.
  2. You go to the gears from the right side of the item, and open your options.
  3. If the item is shared, you should see the option “Collections, as opposed to a item that is not shared which should have the option “Share” and the option “Clone” (to clone a shared item you must be inside the organization vault).
  4. Selecting the “Collections” option should open a window which shows what collections the item belongs to. If the item belongs to a collection, you should see a blue check mark in the check box of the collection, otherwise it should be empty.

Adding users:
I assume you already did it, as you’re saying that the invited user can already see some of the shared passwords, the ones you were expecting to see. But I will detail it if you want to check it again.

  1. You invite X from your organization’s “Manage” tab
  2. X accepts your invitation, by going to the received email and logging in to their vault. If the user did not do that yet, you can see the option to resend the invitation and the option to remove them at the next step.
    3.You go to your organization in the “Manage” tab, where you can see the users you have invited and manage them. Above all users you should also see a message about confirming users. You then press on the gear icon at the right of the invited user (email) and select “Confirm”. If you see “Remove” instead, it means the user is already accepted.

Managing Users:

  1. You go to your organization and in your “Manage” tab, you can see the list of users.
  2. You choose one by clicking their email, and an “EDIT USER” panel should open.
  3. With that panel open, you can see and manage their access to the organization. You must select the collections which they are able to view at the bottom if you didn’t do so yet and you want them to see anything or something else.

Some of this may sound harsh but it is not meant that way:

  • Again import your passwords from Lastpass.
  • Always check your backups; especially if you are about to delete your original data.
  • Why did you delete it if you were not sure about it ?

Thanks @Peter_H so very incredibly helpful. I can’t thank you enough. Really.

Searching other people’s experiences I can see this has happened to others, going back years. The interface is not clear at all at the point when ‘ownership’ transfers from the user to the organisation. There is a shared icon, but no way of displaying or controlling or revoking that shared status. It’s not at all clear when doing a backup, that items that you shared (and therefore ‘ownership’ was transferred) won’t be included in that backup. The concept of ‘Sharing’ something is well understood, if what actually happens in the background is ‘ownership transfer’ it’s naturally going to cause confusion IMHO.

1 Like