I created a Bitwarden Emergency Kit

I recently created a simple document for storing Bitwarden account details. Following some requests for a Bitwarden Emergency Kit (though I know these requests are for an in-app creation feature), I decided to enhance the document’s design using BW’s colors and logo, and share it here.

This first version is a draft, and I would greatly appreciate any feedback to improve it.

Currently, I’m considering replacing the list of all two-step login methods with a larger box that would allow adding any relevant notes in a more free-form manner, keeping only the Authenticator App as a separate field, for which writing down the TOTP secret is probably recommended.

Additionally, if space allows, I am thinking of adding a section for the contact details of an/all Emergency Contacts.

You can find the repository on GitHub here.

For direct download of the current (v0) version of the Emergency Kit, click here.

And here’s a preview screenshot:


(screenshot redacted by mod)

2 Likes

@Shai Thank you for making this contribution.

At a minimum, I would suggest also including a password for encrypted backup files.

It may also be helpful to include a username/password or PIN for the device where Bitwarden is installed (in case one does not have access to a selection of alternative devices that are unlocked).

For people who use 3rd-party authenticators that are password or PIN-protected, having the authenticator password (or hardware key PIN) on the emergency sheet may also be helpful — although technically, it is not needed to regain access to one’s vault, with the Two Step Login Recovery Code already there.

Finally, some people recommend including your email password/2FA on the emergency sheet, so that in case your vault is taken over (and the master password changed), you will at least have a chance of deleting the vault (if the attacker does not also change the account email address). In addition, in such a scenario (vault take-over), if you are able to log in to your email account and change its password before the attackers get to it, that will make it easier to reset passwords on accounts for which the same email account is used for recovery.

1 Like

@Shai Hi!

Some first feedback:

  1. Great idea - I like it!
  2. With the Bitwarden logo… I don’t know if that should be checked with Bitwarden because of copyright etc.?
  3. Vault address = server region (US = .com / EU = .eu) ?
  4. Add a field for a Bitwarden-vault-export-password (especially since password-protected exports are a) recommended now and b) possible from most apps)
  5. Maybe creating an emergency access could at least be mentioned as an additional possibility?!
  6. Maybe storing the emergency sheet in more than one location could be mentioned.
  7. Regular exports (e.g. once a month or every quarter of the year) could be recommended or mentioned - maybe adding that in a calendar app. (people tend to forget these kinds of things)
  8. Maybe fields for access to the Bitwarden email address (password, 2FA…) (if you only store that in Bitwarden, you might lose access to the email address in case of “emergency”… - with vault exports that risk is reduced, but better be safe than sorry…)
  9. And last but not least: it should be mentioned, that that emergency sheet must be up-to-date and for that: it must be changed with every change you may make (change of email address, master password, 2FA methods…) - obvious, but one tends to forget that…
  10. Maybe a Bitwarden-login-passkey with encryption (e.g. on a YubiKey or an Android phone) could be an additional method of accessing the vault. (yes, I know, it is still in Beta and only available for the web vault… but “for the future” it might get more wide-spread and only more important than now…)

PS: Additions: after reading @grb’s post, I thought of three additional things:

  1. Maybe the Bitwarden PIN you (maybe) use for unlock (but not that important, since you can “reset” that by logging out).
  2. And for the future - whatever passkey User Verification will bring us :sweat_smile: - if there will be some kind of “passkey user verification”-PIN, that could then be added to an emergency sheet as well.
  3. PPS: And also important: double-check for errors when creating the emergency sheet! (nothing is more serious in case of emergency, if you find out that e.g. your master password misses a character or is otherwise wrong somehow…)

1 Like

Thank you both for your feedback; you raise some excellent points. My initial focus was on creating a single-page Emergency Kit because that is what most people are accustomed to. However, adding all this information, even with some rearrangement of the current layout, would likely result in a two-page Emergency Kit.

I wonder how people would feel about that. I’d be happy to create a new version incorporating more information if people don’t mind it being longer than a single page.

Regarding the logo, after reading the Trademark Guidelines, it is my understanding that this use case does not require special permission. If I am mistaken and someone from Bitwarden (I could only find @Max_Bitwarden to tag, so apologies in advance if you are not the right person) sees this, I’ll be happy to remove the logo.

I personally am a friend of “better complete than short and missing something” - but it’s your decision. And I would like one complete thing so that you don’t have to rethink it every time someone asks about the emergency sheet…

Honestly I have no idea how it is - I just wanted to raise this point before you get into trouble later. Especially if we here (and elsewhere) recommend your sheet then, perhaps…

My own reading of the guidelines suggests you may in fact be using the Trademarks improperly, since your emergency sheet design gives the appearance of being an official Bitwarden product/service. It may be safer to brand it as something like “ShaiTec™ Emergency Sheet for Bitwarden®”. I suggest sending a PM to @bw-admin and @sj-bitwarden, or contacting Bitwarden customer support to ensure that your usage is allowed.

I would suggest making two versions, one minimalistic version that has only the username, master password, 2FA reset code, and backup file password, and one extended version that has room for additional information — or perhaps a two-sided design that has the minimal information on page 1 (so that page 2 can be left blank, if desired). For non-selfhosted users, there are only two servers to choose from, so omitting the server information from the minimalistic version will not cause too many problems.

Thanks, @grb.
I’ve contacted support to clear and rectify any potential issues with the use of the logo and brand colors and will take it from there.

@Nail1684
I agree with you about having complete information.

Having two versions might be a bit difficult to maintain over time, so grb’s suggestion of a hybrid version, with the first page including only the essentials and the rest on page two, makes a lot of sense I think.

3 Likes

Hi @Shai! Gary from Bitwarden here.
Thanks for this! Always helpful to have further advice for users to protect their Bitwarden accounts.
As this is a document you created, and not Bitwarden, we would recommend what @grb suggested and that you brand this at the top as something similar to
“ShaiTec™ Emergency Sheet for Bitwarden®” and refrain from using the Bitwarden logo since it is not an official Bitwarden document.
It is great to have contributions like this and we appreciate your enthusiasm and support for the Bitwarden user community. Thank you!!

4 Likes

Thank you for following up on this, @go12.
I’ve removed the file from GitHub but I can’t seem to edit the first post in this thread. If you could please edit it for me, removing the screenshot, that would be great.

I’ll post an updated and more generic version in the future.

@Shai Per your request, I edited the screenshot in your top post.

Thank you, @grb.
Appreciated.

1 Like

My respects: you have known how to set boundaries and to thank without seeming ungrateful, with a lot of respect and kindness. Really, my respects. I am CEO of my company (not SEO), and that is definitely something to admire. My respects.

1 Like