Remove the json encrypted account restricted export format

I honestly think that Bitwarden should remove the json encrypted account restricted export format.

It has serious limitations that could result in users believing that they are covered by their backups when they are really not.

Let me post here what I just posted on reddit a while ago:

It has a lot more limitations than the DR scenario.

If you lose your master password, the only way to recover your account is to delete it, create a new one and restore a backup on it. An account restricted backup is useless in that case.

Account restricted backups cannot be used to easily recover a single (or several) item, because you cannot import them into a temporary new account, or into anything at all for that matter.

Password encrypted backups can be used for that (by either importing them into a temporary new Bitwarden account or into a recent enough version of KeePassXC, for example).

If you have account restricted backups spanning several years in the past, and you, for whatever reason, need to rotate your account encryption key, then all those years of backups (every single one of them) have just become totally useless in an instant.

So, yes, I wish Bitwarden wouldn’t offer that kind of “backup”.

Because having no backups is bad. But believing that you have them and turning out they might not be usable when needed is even worse.

And there is a “funny” situation with those account restricted exports and having to rotate your account encryption key due to a device compromise:

If one of your devices where you have your Bitwarden account logged in (locked or unlocked, doesn’t matter) is compromised, then one of the recommended things to do is to change your master password, rotating your account encryption key.

In this case, if you have past account encrypted backups, they have become useless to you but, ironically, keep being useful to the attacker that obtained your encrypted vault from that compromised device.

Because you will probably not have your account encryption key, but the attacker could obtain it if he was able to break your master password (or your unlock pin, if you made the mistake of unchecking the “ask for master password on device restart” option when setting your pin).

And that old account encryption key is all the attacker would need to decrypt the stolen vault from your compromised device or all those past account restricted exports.

One additional reason, IMHO, is the unwillingness from the Bitwarden team to fix reported bugs with that format. Like this one, reported by myself more than one year ago (I just tested a moment ago that it’s still present).

Thanks.

1 Like
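A toy model of the two export types and the key-rotation scenario described in the post above, added here as an illustration and not Bitwarden's own code. The header field names (`encrypted`, `passwordProtected`, `salt`, `kdfIterations`) are assumed to mirror the real export header, and the cipher is a stdlib stand-in so the script runs offline; only the key management is the point.

```python
import hashlib
import hmac
import secrets

# Stand-in authenticated cipher (HMAC-SHA256 keystream + HMAC tag) so the model
# runs with the stdlib; real exports use AES-CBC + HMAC, but the key handling is the same.
def _keystream(key, nonce, length):
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(length // 32 + 1))[:length]

def _seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def _open(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None  # wrong key: authentication fails, nothing is recovered
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))

def export_account_restricted(account_key, vault):
    # Ciphertext depends on the account encryption key only (field names assumed).
    return {"encrypted": True, "data": _seal(account_key, vault)}

def export_password_protected(vault, password, iterations=100_000):
    # Key derived from the file password plus a salt stored in the file; independent of the account key.
    salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"encrypted": True, "passwordProtected": True, "salt": salt,
            "kdfIterations": iterations, "data": _seal(key, vault)}

def restore(export, account_key=None, password=None):
    # Returns the vault bytes, or None when the export cannot be decrypted.
    if export.get("passwordProtected"):
        key = hashlib.pbkdf2_hmac("sha256", password.encode(), export["salt"], export["kdfIterations"])
    else:
        key = account_key
    return _open(key, export["data"])

def rotation_scenario():
    vault = b'{"items": [{"name": "example", "login": {"password": "hunter2"}}]}'  # constructed
    old_key = secrets.token_bytes(32)          # account key at export time
    restricted = export_account_restricted(old_key, vault)
    protected = export_password_protected(vault, "separate-file-password")
    new_key = secrets.token_bytes(32)          # rotating the account encryption key
    return {
        "restricted_usable_after_rotation": restore(restricted, account_key=new_key) == vault,
        "protected_usable_after_rotation": restore(protected, password="separate-file-password") == vault,
        "restricted_usable_with_old_key": restore(restricted, account_key=old_key) == vault,
    }
```

The last entry is the point made about device compromise: rotation does nothing for copies that already left the device, because those were sealed under the old key.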

I generally agree with this, but forgive me for playing devil’s advocate for a minute…

If I’m not mistaken, the above concern about vulnerability to an attacker would also be true for the password-protected export. So it seems that the chief issue with account-restricted exports is that they become useless when the account key is rotated or when migrating to a new account.

On the other hand, one advantage of account-restricted exports is that they don’t require you to generate, record, and recall a file password. In addition, the password-protected option requires at least 4 additional mouse clicks, creating a greater barrier and resistance to performing exports regularly. One good use for account-restricted exports would be to create exports with high frequency (daily or more than once a day) as insurance against user errors in editing or deleting vault data — basically, the exports would serve as a version control system, of sorts.

With Bitwarden’s expanded storage space for Premium users, one could even store a lifetime’s worth of such .json files as attachments in the vault itself (since the purpose of the exports would be version control rather than disaster recovery)… :laughing:

Well, a less drastic measure (than removing the account restricted export altogether) would be to at least make the password-protected export the default / predefined choice…

1 Like

No, it would not. Because the password protecting a json export is independent of your vault’s encryption key (and of your master password).

If a device of yours is compromised, your password protected json exports are not vulnerable to a master password brute-force attack (if their password is different and not weaker, of course).

And, much more important, those password protected exports are still useful after you have rotated your account encryption key, as you also noted.

IMO, those advantages are marginal and not worth the multitude of problems that they can potentially cause to a user that does not fully understand how they work.

Only to render all of them useless the moment you decide/have to rotate your account encryption key. :roll_eyes:

Good point, I had forgotten that those exports use their own encryption key.

Agreed. And if nothing else, “account-restricted” should not be the default option.

1 Like

Wish I could use more than one of my few remaining votes on this one. There is nothing worse than a bad backup that you think is good.

As for default, my vote would be zip without password as it is most complete and least fragile.

… maybe I should make my feature request more precise now, but to clarify it here: I mainly aimed at the choice when one already opted for JSON (encrypted), i.e. that the default would be changed for this situation: