Request To Add Reset Password Feature Using Recovery Code

Dear Bitwarden Employees,

I have noticed that Bitwarden does not have a password reset option. I do have some concern over this. What if the password hash database files get corrupted? Then users may unfairly get locked out of their accounts.

Tutanota has a system where you can reset your password as long as you possess a recovery seed: (https://tutanota.com/blog/posts/secure-password-reset/)

What do the Bitwarden employees think of Tutanota’s system of password resetting? The recovery seed is only known to the user and is a second key that can decrypt the private key used for decrypting the user’s information.

Emergency Access will allow users to reset the master password. This probably will be the only way for a user to initiate reset.


Even IF this feature would become reality a user should NEVER rely upon any software to be the end all to their digital lives! OpSec (not my user here, LOL) dictates that all users back up their vault data by exporting it to an encrypted secure location ------- PERIOD!!

Then should the unthinkable happen, and even if any software solution the Bitwarden team comes up with fails, YOU have taken responsibility and are all good! In that case delete your account and recreate it using the same email account. Then simply import your saved export and in under 5 minutes it’s like it never happened.

Dear OpSec,

Sure. I agree with this. Still, a recovery feature like Tutanota’s on Bitwarden would have been nice.

The reset framework in Emergency Access will eventually allow us to bring some sort of password reset functionality. We have it as a backlog item and are giving it the utmost consideration, naturally due to the sensitivity of the feature.

Dear Trey Greer,

Alright. Thanks for confirming the Emergency Access feature.

If the encrypted header data got corrupted, the data is lost anyway. There is no recovery. Nearly all encrypted systems work this way. One way to reduce this risk is to keep multiple copies of the critical data in several locations. For example, your encrypted hard drive might keep these data at different offsets of the HD as it would be unlikely for all of those locations to become corrupted without the entire HD being a lost cause anyway.

Tutanota has a system where you can reset your password as long as you possess a recovery seed: (Encrypted email service Tutanota now supports a secure password reset.)

I do like the concept that Tutanota has for this recovery process. As long as it remains zero-knowledge, I would like to have some sort of “password recovery” process.

This idea doesn’t make any sense to me?

If you’re writing down your recovery code to be able to reset your master password then just write down your master password instead?

Fair point. It’s something people complained about on Tutanota’s Reddit page: https://www.reddit.com/r/tutanota/comments/g7nx67/password_reset_tutanota_encryptionsecurity/
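
The recovery-seed idea discussed in this thread, where a second secret known only to the user can decrypt the same key, can stay zero-knowledge by wrapping one vault key twice on the client. The sketch below is an added example, not part of the thread and not Bitwarden's or Tutanota's code; the function names, the scrypt and AES-256-GCM choices, and the record layout are assumptions.

```javascript
// Added illustration: one vault key, wrapped under two independent secrets.
const nodeCrypto = require('node:crypto');

// Derive a 256-bit key-encryption key (KEK) from a secret with scrypt.
function deriveKek(secret, salt) {
  return nodeCrypto.scryptSync(secret, salt, 32);
}

// AES-256-GCM wrap: returns the salt, nonce, ciphertext and tag a server would store.
function wrapKey(vaultKey, secret) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', deriveKek(secret, salt), iv);
  const ct = Buffer.concat([c.update(vaultKey), c.final()]);
  return { salt, iv, ct, tag: c.getAuthTag() };
}

// Unwrap; throws if the secret is wrong or the stored blob was altered or corrupted.
function unwrapKey(blob, secret) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', deriveKek(secret, blob.salt), blob.iv);
  d.setAuthTag(blob.tag);
  return Buffer.concat([d.update(blob.ct), d.final()]);
}

// Account setup, done on the client: random vault key, random recovery code.
function createAccount(masterPassword) {
  const vaultKey = nodeCrypto.randomBytes(32);
  const recoveryCode = nodeCrypto.randomBytes(32).toString('hex'); // shown once to the user
  const record = {                        // server-side record: ciphertext only
    byPassword: wrapKey(vaultKey, masterPassword),
    byRecovery: wrapKey(vaultKey, recoveryCode),
  };
  return { vaultKey, recoveryCode, record };
}

// Reset: unwrap with the recovery code, re-wrap under the new password.
// Data encrypted under vaultKey does not need to be re-encrypted.
function resetPassword(record, recoveryCode, newPassword) {
  const vaultKey = unwrapKey(record.byRecovery, recoveryCode);
  return { ...record, byPassword: wrapKey(vaultKey, newPassword) };
}
```

Both wrapped copies are authenticated, so a corrupted copy fails to unwrap instead of yielding a wrong key; recovery works only while at least one intact copy and its secret survive.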