The Importance of the Personal Vault for Business Users

For good password practices to become habits, they need to become personal.

We’re humans after all. And not everyone is programmed to follow every rule to the fullest extent at work. Sometimes shortcuts are taken, rarely with bad intent, but often by taking the easiest path. In the world of sensitive information, this might mean sharing through less-than-secure channels to get the job completed quickly.

When it comes to passwords and sensitive information at work, the more every employee participates proactively, the stronger the security health of the company. Our customers have told us that one way to boost good password practices is to let employees have their own personal information vault space at work, providing a joint Bitwarden personal and business account. This could be for any set of credentials that the employee wants to be their own.

Since Bitwarden began, the personal vault has been just that, personal. Even in the context of joining an organization, the personal vault portion of your Bitwarden account remained only visible to you. No other person in the organization could access your personal vault. Should you lose your main password, the personal vault could not be recovered, only deleted and restarted from scratch. To date, not even the company administrator could help you regain access to your credentials.

This approach mirrors behavior in the Bitwarden Cloud for personal accounts. Bitwarden has no way to see your information as the vault contents are stored with a zero-knowledge encryption model. Should a Bitwarden individual user lose their Bitwarden password, there is no way for Bitwarden as a company to assist beyond deleting the account and restarting from square one.

Bitwarden supports a zero-knowledge encryption model, such that Bitwarden cannot see customer data, and personal vaults can remain personal if chosen, even from Organization administrators.

In the real world however, inevitably someone forgets their Vault password. Such is human nature.

As companies expand password management solutions for users, it sometimes makes more sense for Administrators to have the ability to reset user passwords and recover accounts than to wipe the account and start anew. We call this capability Account Recovery Administration (formerly Admin Password Reset) and it provides companies deploying Bitwarden an option for how they handle continuity of use with employees. For example, an employee might spend time setting up their Bitwarden account but within a few weeks forget their main Bitwarden password, triggering some frustration by having to delete their account and begin the process of populating their vault again. With this feature, that path can be changed to a password reset.

Coming soon, Bitwarden Enterprise customers will have an option to activate account recovery within their Organizations. This enterprise account recovery allows for continuity of use with a password manager, especially with the investment a company puts into onboarding and rollout.

At the same time, there are advantages in some organizations to not have the account recovery capability employed. In this mode, Organization administrators take a hands-off approach to personal vaults and end users are one hundred percent responsible to remember their main Bitwarden password.

Even better, Bitwarden allows the account recovery administration capability to be on, but not required. This lets users choose themselves. Do they prefer a scenario where the Administrator can reset their password, and also have visibility to their vault, or do they prefer a zero-knowledge approach with individual responsibility for their main Bitwarden password.

Since this is a new capability to Bitwarden, we want to detail our thinking on the implementation of this feature.

• This new capability remains consistent with the Bitwarden zero-knowledge encryption model.

• When the company sets a policy for account recovery administration, or an employee opts in, a public/private key exchange facilitates the option for an Administrator to reset a user password.

• All other Bitwarden security frameworks remain in place.

• This new feature will only be available on the current Enterprise plan

  • It will not be available in Teams or Family plans

• This new feature will not be available for individual users in the Bitwarden Cloud or self-hosted environments

• Account recovery is implemented as a Bitwarden Enterprise Policy

  • The policy is turned off by default

  • Turning on Bitwarden enterprise policies introduces additional options such as ‘automatic enrollment’ for new Organization members during the invitation acceptance flow

In order to understand the intended workflow of account recovery, let’s explore two scenarios.

• Company A has Enterprise plan in use today

  • Existing users have been part of the Organization for the last 6 months

  • Many users have personal vaults

  • To date personal vaults have been 100% personal and everyone understands that they are not accessible by Company Administrators

  • Company A applies Account Recovery Administration Policy

    • If the policy is Enabled

      • Existing users will see no changes

      • Existing users will not be automatically enrolled

      • New and existing users have a new option underneath their Organization membership to enroll in account recovery if desired

        • Users will also have an option to withdraw from account recovery

    • If the policy is Enabled with Automatic Enrollment

      • Existing users will be unaffected

        • Admins will need to go and do an audit and have those users self-enroll

      • Existing users will be made aware that the policy includes provisions for Admins to reset your password and if they choose, potentially gain access to your vault

      • Existing users who do not accept the policy still remain within the Organization

        • The Organization member list will show via an icon who has currently enrolled in the policy

        • Admins can manually remind users to enroll in the policy

        • Admins can manually remove users from the Organization if they do not enroll

          • Depending on company rules, users who leave the Organization may keep their personal vault, change the email to a personal address, and then rejoin the Organization with a new Bitwarden account using a company email address

      • New users will be automatically enrolled as part of the invitation process

• Company B completes a net new Enterprise deployment

  • Begins fresh without any existing users

  • Turns on account recovery

  • New users are invited to the Organization

    • When the user joins the Organization there will be a dialog during the invite accept process

      • If the policy is Enabled

        • Upon invitation acceptance users will have an option to enroll in account recovery

      • If the policy is Enabled with Automatic Enrollment

        • New users will be automatically enrolled as part of the invitation process

Which passwords can be changed?
The Account Recovery Administration policy only applies to the main Bitwarden master password. Administrators have no option to change other passwords within user vaults, such as passwords to third party sites.

What happens when Login with SSO is in place?
Bitwarden Login with SSO delegates authentication to the Identity Provider while retaining a Bitwarden password for decryption. The account recovery function only affects the Bitwarden master password, and does not affect passwords from the single sign on Identity Provider.

What happens with two-step login or two-factor authentication?
Any existing two-step login setup will not be changed. If an administrator resets the user’s Bitwarden password, any two-step login remains in place.

What are account takeover scenarios?
With access to reset a user’s Bitwarden password, an Administrator could gain access to the user vault if the user does not have two-step login enabled.

If an administrator resets a user’s Bitwarden password but two-step login is enabled, the administrator can lock the user out of their vault, but will not be able to log in directly as they will be stopped by two-step login.

If an administrator resets a user’s Bitwarden password and Force SSO authentication is enabled, the administrator will only be able to log in if they have the SSO credentials as well, usually requiring an email takeover.

Want to get started with your own Enterprise deployment? Start a free trial at bitwarden.com/pricing/business.

Looking for yourself? Create a Basic Free Account and get a fully featured password manager to help you stay secure.

Editor's Note: This article was originally written on May 27th, 2021 and was updated on July 18th, 2022. An additional update was made July 18th, 2023 to reflect the updated name of the account recovery administration policy.