Reset member password generator should comply with organization master password requirement policy

If an organization has enabled Master Password Reset policy for their organization, users may request a password reset from an administrator. The password reset from the members list allows an admin to complete this request. The feature provides a password generator for the admin to automatically generate a password - but the generator does not comply with settings from the Master Password Requirements policy.

Suggestion: Update password generator on member reset to make sure it complies with the Master Password Requirements policy for the organization.

Hey there, in testing, it appears to comply with requirements. Can you share more information on the issue?

Hi, I received a request from a user who had forgotten their master password, so I logged into the org, opened up the members list and used the hamburger menu to the far right of the user in the list, and selected ‘Reset password’ for the account. In the pop-up window, I hit the ‘generate’ arrow, clicked Save, and got an error saying that the new master password was not compliant with the organization’s Master Password Requirements policy. Our policy requirement is set to ‘Strong’ and the generated passwords do seem to be compliant in length and complexity, so it might be a validation issue on the particular form? Or maybe I was just unlucky with one generated password being interpreted as having a recurring pattern (but I would assume the generator wouldn’t create passwords that didn’t pass the compliance check though?)

Thanks for the additional detail. Can you try to repeat the issue? The generator should be meeting the policy requirements.

Hi, I just tested again - still getting this error even though the generated password seems to be compliant:


Thanks for sharing! You can either share a bug report here with steps to reproduce for the team to investigate, or contact the official support team from the Bitwarden website.

@Neonsun: The new password is only 14 characters long and does not meet the requirement of a minimum length of 16 characters.

Thanks, I reported the bug in GitHub. 🙂
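The mismatch identified in this thread (a 14-character generated password against a 16-character policy minimum) can be avoided by having the generator take its parameters from the policy and check its own output before the form is submitted. The sketch below is an added example, not Bitwarden's code. The `Policy` model, its field names, the symbol set and all function names are assumptions, and the "Strong" complexity score is not modeled.

```python
import secrets
import string
from dataclasses import dataclass


# Hypothetical policy model; field names are assumptions, not Bitwarden's schema.
@dataclass(frozen=True)
class Policy:
    min_length: int = 16          # minimum length quoted in the thread
    classes: tuple = (string.ascii_uppercase, string.ascii_lowercase,
                      string.digits, "!@#$%^&*")  # symbol set is an assumption


GENERATOR_DEFAULT_LENGTH = 14     # length of the rejected password in the thread


def violations(password: str, policy: Policy) -> list:
    """Return the policy rules the password breaks (empty list = compliant)."""
    found = []
    if len(password) < policy.min_length:
        found.append(f"length {len(password)} < {policy.min_length}")
    for chars in policy.classes:
        if not any(c in chars for c in password):
            found.append(f"missing a character from {chars[:4]}...")
    return found


def generate(length: int, policy: Policy) -> str:
    """Random password of exactly `length`, one char from each required class."""
    if length < len(policy.classes):
        raise ValueError("length too short for the required character classes")
    alphabet = "".join(policy.classes)
    chars = [secrets.choice(c) for c in policy.classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # CSPRNG-backed shuffle
    return "".join(chars)


def generate_for_reset(policy: Policy,
                       requested: int = GENERATOR_DEFAULT_LENGTH) -> str:
    """Raise the requested length to the policy minimum, then verify before use."""
    password = generate(max(requested, policy.min_length), policy)
    problems = violations(password, policy)
    if problems:  # fail in the generator, not on the Save button
        raise RuntimeError(f"generator/policy mismatch: {problems}")
    return password
```

Calling `generate(GENERATOR_DEFAULT_LENGTH, Policy())` reproduces the reported failure: the result has every character class but `violations` still returns the length rule.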