The Bitwarden Blog
Password Sharing with Organizations
May 3rd, 2017
One of the most requested features since bitwarden came into existence is the ability to securely share passwords. Password sharing has many applications. To the personal user, you may want to do things like share a Netflix password with the entire family, or share your Amazon login with your spouse. If you are a company or some other type of organization, you may have hundreds of logins that need to be securely shared with users across teams and departments, each in their own unique way. Traditional methods of sharing passwords usually lead to bad password practices and quickly become a headache to manage.
We are excited to announce the arrival of password sharing features to Bitwarden!
To share passwords in bitwarden, you first need to create an organization. An organization is simply just an entity that relates users together that want to share logins. An organization could be a family, team, company, or any other type of group that desires to share logins in bitwarden.
Organizations in bitwarden come in various types of plans. To date we offer three organization plans: Free, Personal, and Teams. You can read more about the different limitations of these plans on our main website. In short, if you are a personal user, or are just wanting to try out bitwarden's sharing features the Free and Personal plans are for you. If you are a company or large organization, you'll need to purchase a Teams plan. We will continue developing additional business-oriented features into our Teams and Enterprise plans in the future (see more about the future below).
Collections allow you to group related logins within your organization that your wish to share. A simple personal organization for a family may only want to have one or two collections (ex. Parents and Kids), while a larger organization like a company may have many collections (ex. each department such as Sales, IT, Developers, Dev Ops, etc).
Collections listing for an organization
When you add a new user to your organization (see below), you can associate that user to one or more collections within your organization. Once the user has access to your organization, any logins that are placed into that's users associated collections will be available in their vault. When associating a user to a particular collection, you can also decide whether or not that user has write access to logins contained within it. Selecting the Read Only option will ensure that the user cannot edit any logins within that particular collection (they can just view and use them).
Note that collections are different than folders. Collections are a way to organize logins and limit user access within an organization's vault while folders are a way for individual users to organize logins within their own personal vault. An individual user may wish to further organize the logins being shared with them in their own vault into a personalized folder structure that makes sense just for them.
Once you've set up your organization's collections (you can also do this before setting up collections if you'd like) you're ready to start adding users to your organization. Adding new users to your organization involves a three step process: invite, accept, and confirm.
To invite a user to your organization simply enter their email address, select what type of user they are (normal user, admin, or owner) and select the collection(s) that they should have access to (you can change this later by editing the user). You can also designate a user as having access to all items for the organization and collection assignment will not be necessary.
Popup modal for inviting a new user to an organization
Once you invite a user they will receive an email where they will need to click a link to accept the invitation. After clicking the accept link the user will be prompted to create a new bitwarden account or log into the an existing account registered at that email address.
After clicking an emailed link, the invited user is prompted to accept the invitation to the organization.
After the user has successfully accepted the organization invite, an organization admin will then need to confirm the user from the same area in the web vault that you invited the user from (Organization Admin -> People). Only after the user is confirmed will they then have access to that organization and the items being shared with them.
After the user accepts the invitation, confirm the user from the options dropdown menu.
Now we're ready to start sharing logins. Sharing logins with an organization's users can be done in a couple of different ways.
First, from the organization's admin area you can add new logins to the organization vault. After adding a login to the organization vault, you can select which collections that login belongs to.
An organization's vault.
You may also already have logins in your personal vault that you want to "move" to an organization. After adding a login to your main personal vault like usual, simply select the Share option. From the share page you can select the organization and any collections for that organization that you have access to.
To move a login from your personal vault to an organization, select the Share option from your vault.
After placing a login into a collection, all users that also have rights to that collection will then have access to view or edit the login (unless they are limited with Read Only access to that collection).
You may be wondering, how are we able to share logins across users accounts in bitwarden while still maintaining our policy of never transmitting unencrypted vault data? The answer is public/private key, or asymmetric encryption. All sharing in bitwarden follows the same zero-knowledge principles that we have always followed, protecting you and your data with end-to-end encryption. No unencrypted data ever leaves your device(s).
A simple illustration of public/private key encryption. Source: Wikipedia.
Password sharing is just the first of many features that we plan to keep building related to organizations. In the future, expect to see many new features become available that will allow larger organizations to more easily and securely manage logins (and other types of items) for their users. Some of these include: user groups, active directory sync, audit logging, dashboards, and more!
Required application versions for password sharing:
- Web vault: 1.10.0+
- Mobile apps: 1.5.0+
- Browser extensions: 1.12.0+
As always, feel free to contact us if you have any questions or issues regarding organizations and/or password sharing in general.
Back to Blog