by justin_oaks 2294 days ago
I reviewed BitWarden about a year ago for my company. Ultimately the reason I rejected it was that I couldn't find a way to reset another user's master password. It is certain that users will forget their master password and need to have it reset.

Perhaps it has changed since, or maybe it was just hard to find. Oh well, too late now.

We ended up using 1Password. My only real complaint with it is the need to create a vault for sharing something from one user to another. That means that if any two people in the company want to share, they need to get an admin involved so the admin can create the vault.

2 comments

With bitwarden, the account's data may be encrypted against the passphrase afaik... Also, you can set up shared groups for passphrases that are meant to be shared, and the way the browser extension works, you need to enter it on each restart to use it, so it should be more common.

The whole point of a password manager is so you only have to remember one passphrase. Suggesting an actual sentence and not having byzantine passphrase requirements will help. My fiance is really bad with this one, I admit that I don't have much empathy here.

Bitwarden is end-to-end encrypted. So, password "resets" aren't really a thing without also resetting the vault as a whole.

Yeah. While I can understand wanting to be able to reset a user's password as an administrator of other users (e.g. an IT department supporting those who forget their master password), it's also a security problem to allow such a feature. Basically, all user accounts under an organization would need to be encrypted with two separate passwords: the user's, as well as the IT/admin/company "master key". Having all users' passwords encrypted with a master key password to allow resets means all users' passwords across the entire organization can be compromised by a single IT employee's master key password.

Personally, I'm ecstatic that there is no recovery process to reset or recover a Bitwarden master password. No security questions. No email reset. No one-time use login codes (which would need to be stored somewhere not encrypted by a user's secret key in order to verify). Again, I can understand why an IT department would want that, but all that does is open up attack vectors that are very easy for an attacker to abuse.

The whole point of the master password is it's the ONE AND ONLY password you cannot forget or lose. One... lousy... password.
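The two-key design the comment above describes, as an added example that is not from the thread and not Bitwarden's or 1Password's real scheme: each vault key is wrapped under the user's passphrase and, optionally, under one organization recovery key, so an admin reset is just a re-wrap, and whoever holds that one recovery key can open every enrolled vault. The toy HMAC-based wrap, the `enroll`/`open_vault`/`admin_reset` functions and the iteration count are all constructed for this illustration.

```python
import hashlib
import hmac
import os

ITER = 200_000  # PBKDF2 iteration count, constructed for the demo


def derive_kek(passphrase: str, salt: bytes) -> bytes:
    """Passphrase -> key-encryption key, as a vault client does locally."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITER)


def wrap(kek: bytes, vault_key: bytes) -> bytes:
    """Toy authenticated key wrap (HMAC keystream + HMAC tag) for a 32-byte
    key; a real client would use AES-GCM or similar. nonce || ct || tag."""
    nonce = os.urandom(16)
    stream = hmac.new(kek, b"enc" + nonce, "sha256").digest()
    ct = bytes(a ^ b for a, b in zip(vault_key, stream))
    tag = hmac.new(kek, b"mac" + nonce + ct, "sha256").digest()
    return nonce + ct + tag


def unwrap(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    expect = hmac.new(kek, b"mac" + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong passphrase or tampered blob")
    stream = hmac.new(kek, b"enc" + nonce, "sha256").digest()
    return bytes(a ^ b for a, b in zip(ct, stream))


def enroll(passphrase: str, recovery_key: bytes = b"") -> dict:
    """Create a user's vault record. If an org recovery key is given, the
    vault key is also wrapped under it so an admin can reset the user."""
    vault_key, salt = os.urandom(32), os.urandom(16)
    rec = {"salt": salt, "user_wrap": wrap(derive_kek(passphrase, salt), vault_key)}
    if recovery_key:
        rec["admin_wrap"] = wrap(recovery_key, vault_key)
    return rec


def open_vault(rec: dict, passphrase: str) -> bytes:
    return unwrap(derive_kek(passphrase, rec["salt"]), rec["user_wrap"])


def admin_reset(rec: dict, recovery_key: bytes, new_passphrase: str) -> None:
    """Admin-initiated reset: only possible when admin_wrap exists, which
    also means the recovery key holder can open this vault without the user."""
    if "admin_wrap" not in rec:
        raise PermissionError("no recovery wrap: only the user can unlock")
    vault_key = unwrap(recovery_key, rec["admin_wrap"])
    rec["user_wrap"] = wrap(derive_kek(new_passphrase, rec["salt"]), vault_key)
```

Without the recovery wrap, a forgotten passphrase really is unrecoverable, which is the trade-off the thread is arguing about.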