# Bitwarden Glossary of Terms

## General

| Terminology | Definition |
|---|---|
| Account | A Bitwarden account is the record defined by your username and master password (which only you know). Your Bitwarden account is used to access Bitwarden services and also contains information such as billing, settings, language preference, and more. |
| Account switching | The Bitwarden feature for desktop and mobile clients that enables you to easily switch between multiple accounts, such as your personal and work accounts. |
| Personal account | A personal Bitwarden account is the record defined by your username and master password (which only you know) that is not associated with an Organization vault or related to a company or business entity. A personal account is generally set up with a personal email address and contains vault items over which only you have ownership and control. |
| Business account | A business Bitwarden account is the record defined by your username and master password (which only you know) that is associated with an Organization related to a company or business entity. A business account is generally set up with a business email address and is governed by the associated Organization. Any vault items or secrets contained within a business account should be considered proprietary to the related company or business entity. |
| Admin | A user role within a Bitwarden Organization that has elevated permissions to manage users, collections, and organization settings. Admins can perform most administrative tasks but have more restrictions than Owners, such as not being able to manage billing or delete the organization. |
| Admin Console | The administrative interface for managing a Bitwarden Organization. The Admin Console allows Owners and Admins to manage members, collections, groups, policies, integrations, billing, and other organization-wide settings. |
| API key | The application programming interface (API) key is a specific identifying code for a user or program. The API key can be used to integrate other applications with Bitwarden for automation, monitoring, and more. The API key is a sensitive secret and should be handled carefully. |
| Bitwarden Authenticator | A standalone mobile application that generates time-based one-time passwords (TOTP) for two-factor authentication. Bitwarden Authenticator can sync verification codes with Bitwarden Password Manager and works independently to secure accounts across any service. |
| Clients / Bitwarden client | The client, or client application, is the application that logs into Bitwarden. This includes the web, mobile, and desktop apps, the Bitwarden CLI, and browser extensions. Clients may be downloaded from the Downloads page. |
| Claimed domains | The process of an organization proving its ownership of a specific internet domain (e.g. mycompany.com). Domain verification allows additional features to be activated, such as letting users skip entering the SSO identifier during login. |
| Cross-platform | The ability to access Bitwarden across multiple operating systems and devices, including Windows, macOS, Linux, iOS, Android, and web browsers. Cross-platform compatibility ensures users can securely access their vault data from any device. |
| Directory Connector | An application that syncs users and groups from a directory service to a Bitwarden Organization. The Bitwarden Directory Connector automatically provisions and deprovisions users, groups, and group associations from the source directory. |
| Groups | A set of Organization members. Groups relate users together and provide a scalable way to assign permissions, such as access to Collections, projects, or secrets, as well as permissions within each separate Collection. When provisioning new users, add them to a Group so they automatically inherit that Group’s configured permissions. |
| Master password | Also known as a Bitwarden password, main password, account password, or vault password. The primary method (or key) for accessing your Bitwarden account and data, the master password is used both for authenticating your identity to the Bitwarden service and for decrypting your sensitive data such as vault items or secrets. Bitwarden encourages users to choose one that is memorable, strong, and unique in that it is used only for Bitwarden. In 2021, Bitwarden introduced Account Recovery Administration (formerly Admin Password Reset), which enables Enterprise users and organizations to implement a policy that allows Administrators and Owners to reset master passwords for enrolled users. |
| Organization | An entity (company, institution, group of people) that relates Bitwarden users to shared Organization data, such as logins within an Organization vault or a Secrets Manager Project, for secure sharing of items. |
| Owner | The highest-level user role within a Bitwarden Organization, with full administrative control. Owners can manage all aspects of the organization, including billing, user roles, and policies, and can delete the organization. Organizations can have multiple Owners for continuity. |
| Plan | Plans define the services that Bitwarden provides through licensing, including the available features and the number of users able to use the product. There are multiple types of pre-defined plans available for individuals or organizations to subscribe to. |
| Policies | Policies are organization-wide controls that help an administrator keep a company secure by enabling additional settings for how their members (also called end users) use Bitwarden. These policies ensure a uniform standard of security. |
| SCIM | System for Cross-domain Identity Management (SCIM) can be used to automatically provision members and groups in your Bitwarden Organization. |
| Self-hosting | The deployment option that allows organizations to host and manage their own Bitwarden server infrastructure on-premises or in a private cloud environment. Self-hosting provides complete data sovereignty and allows for additional custom security controls, such as enforcing VPN usage. This is an advanced option and requires dedicated IT resources to maintain. |
| Single Sign-On (SSO) | A session and user authentication service that grants employees or users access to applications with one set of login credentials based on their identity and permissions. Single Sign-On has multiple implementation options and is widely compatible with Identity Providers (IdPs), allowing customers to leverage their existing solution. |
| Login with SSO | An implementation of Single Sign-On. With this method, the user is authenticated by an Identity Provider, then enters their Bitwarden master password to decrypt their data. |
| SSO with Trusted Devices | A passwordless implementation of Single Sign-On. With this method, the user is authenticated by an Identity Provider and their data is decrypted using a device encryption key stored on designated, trusted devices. |
| SSO with Customer Managed Encryption | An advanced passwordless implementation of Single Sign-On available to self-hosted organizations. With this method, the user is authenticated by an Identity Provider, then the user's encryption key is automatically retrieved from a self-hosted key server using Key Connector, allowing the user's data to be decrypted. |
| Subscription | The subscription is the transactional agreement between the customer and Bitwarden as part of the issuance of a license. Owners subscribe to plans at the agreed-upon fee on a recurring basis (monthly or annual) for the services provided by Bitwarden as outlined in the plan. |
## Bitwarden Password Manager

| Terminology | Definition |
|---|---|
| Access Intelligence | Advanced reporting that provides actionable risk insights to reduce credential vulnerabilities, resolve risks faster, and protect against breaches. It gives admins greater oversight into vault health, sends notifications for priority applications, and uncovers shadow IT. |
| Autofill | A software feature that automatically enters previously stored information into a form field. Using Bitwarden, you can autofill logins via browser extensions and mobile devices, and autofill cards and identities via browser extensions. |
| Bitwarden Send | A feature for securely transmitting sensitive information to anyone, whether or not they have a Bitwarden account. Send allows users to share text or files with end-to-end encryption, expiration dates, password protection, and automatic deletion options. |
| Biometric Unlock | An authentication method that uses biological characteristics such as a fingerprint, facial recognition, or other biometric data to unlock your Bitwarden vault. Biometric unlock provides convenient access while maintaining security, and is available after initial login with your master password. |
| Collections | A container that groups one or more vault items (logins, notes, cards, and identities) for secure sharing within a Bitwarden Organization. |
| Emergency Access | A premium feature that allows trusted emergency contacts to request access to your vault in urgent situations. After a user-defined waiting period, the emergency contact can either view vault items or take over the account, depending on the level of access granted. |
| Individual vault / My Items | The Individual vault, labeled as My Items, is the protected area for every user to store unlimited logins, notes, cards, and identities. Users can access their Bitwarden Individual vault on any device and platform. Within a business context: for users that are part of a Bitwarden Teams or Enterprise plan, an Individual vault is connected to their work email address. Individual vaults are often associated with, but separate from, an Organization vault. Note: the Individual vault / My Items location may be moved to within the Organization vault with an enterprise policy. Within a personal context: for users that are part of a Bitwarden personal or Families plan, an Individual vault is connected to their personal email address. If part of a Families plan or free two-person organization, the Individual vault remains separate from the Organization vault, but both are accessible by the user. |
| Inline Autofill | A feature that displays suggested vault items directly within fields on web pages, such as username and password fields, allowing users to fill credentials without opening the Bitwarden extension. Inline autofill provides a streamlined experience by showing relevant logins contextually where they're needed. |
| Integrated TOTP | The built-in authenticator within Bitwarden Password Manager that generates time-based one-time passwords (TOTP) for two-step login. Integrated TOTP allows Premium and Organization users to store and autofill verification codes directly from their vault items without needing a separate authenticator app. |
| Items / Vault items | Items are the individual entries that can be saved and shared in Bitwarden Password Manager, such as logins, notes, cards, and identities. |
| Lock / Locked | A vault state where the user remains logged in, but the vault data is encrypted on the device and inaccessible until unlocked. The vault can be unlocked with the master password, a PIN, or biometrics. Locking provides security during periods of inactivity without requiring full re-authentication to the server. |
| Logged out | A vault state where the user is completely disconnected from the Bitwarden service and must re-enter their email, master password, and two-step login to access their vault. Logging out removes all vault data from the device. |
| Organization member / Members | An end user, such as an employee or family member, that has access to shared Organization items within their vaults, alongside individual items within their Individual vault. |
| Organization vault | The protected area for shared items. Every user (also called a “member”) who is part of an Organization can find shared items in their vault view, alongside individually owned items. Organization vaults allow administrators and owners to manage the Organization’s items, users, and settings. |
| Two-step login / Two-factor authentication | An additional layer of security during the login process that requires a second form of verification beyond the master password. Two-step login methods include authenticator apps, email, hardware security keys, and other options that protect against unauthorized access even if the master password is compromised. |
| URI (Uniform Resource Identifier) | The address or identifier associated with a vault item that tells Bitwarden where and when to offer autofill. URIs can be website URLs, mobile app package names, or custom identifiers, and can use different match detection methods to control autofill behavior. |
| Vault / Vaults view | The secure storage area that provides a unified interface and tight access control for every item. |
| Vault Health Reports | Security auditing tools that analyze vault items to identify weak, reused, exposed, or compromised passwords, as well as unsecured websites and inactive two-step login. Vault Health Reports, available in premium plans, help users and organizations improve their overall security posture by highlighting vulnerabilities. |
| Vault timeout | The configurable period of inactivity after which Bitwarden automatically locks or logs out your vault. Vault timeout settings can be adjusted to balance security and convenience by determining how long the vault remains accessible before requiring re-authentication. |
## Bitwarden Secrets Manager

| Terminology | Definition |
|---|---|
| Access token | A key that gives a service account access to, and the ability to decrypt, secrets stored in your vault. |
| Name | A user-defined label for a specific secret. |
| Project | A collection of secrets logically grouped together for access management by your DevOps and cybersecurity teams. |
| Secret | Sensitive key-value pairs, like API keys, that your organization needs stored securely and that should never be exposed in plain code or transmitted over unencrypted channels. |
| Service account | A non-human machine user, like an application or deployment pipeline, that requires programmatic access to a discrete set of secrets. |
| Value | A user-defined field of a stored secret that is used in software or machine processes. This is the sensitive information managed by Bitwarden Secrets Manager and can include API keys, application configurations, database connection strings, and environment variables. |
## Bitwarden Passwordless.dev

| Terminology | Definition |
|---|---|
| FIDO | FIDO is the acronym for Fast Identity Online. It represents a consortium that develops secure, open passwordless authentication standards that are phishing-proof. The FIDO protocols, developed by the FIDO Alliance, include UAF (Universal Authentication Framework), U2F (Universal Second Factor), and FIDO2, a newer passwordless authentication protocol whose core specifications are WebAuthn (the client API) and CTAP (the authenticator API). |
| Passkeys | Passkeys – the credentials derived from the FIDO2 standard for each website that a user registers with – enable users to create and store cryptographic tokens instead of traditional passwords. Today, passkeys are used to log users into an app or website with pre-authenticated, device-specific tokens. In the future, the process could be used with shareable or transferable cryptographic tokens. |
| Passwordless | Passwordless is the umbrella term for a variety of authentication technologies that do not rely on passwords, including something a user has (a security key, token, or device), something they are (biometrics), and passkeys. |
## Cybersecurity Terms

| Terminology | Definition |
|---|---|
| Account takeover | A type of cyberattack where an unauthorized party gains access to a user's online account, typically through stolen credentials, phishing, or other compromise methods. Account takeovers can lead to data theft, financial fraud, and unauthorized access to sensitive information. Password managers and multi-factor authentication help prevent account takeover attacks. |
| Credential stuffing | An automated cyberattack where attackers use lists of stolen username and password combinations from data breaches to attempt unauthorized access across multiple services. Credential stuffing exploits password reuse, making a unique password for each account essential. |
| End-to-end encryption (E2EE) | A security model where data is encrypted on the user's device before transmission to another intended user or to storage. Properly implemented, no third party, including the service provider, can access the unencrypted data. |
| Multi-factor authentication (MFA) | A security policy that requires users to provide two or more verification factors to gain access to an account or system. MFA combines something you know (a password), something you have (a security key or phone), and/or something you are (biometrics) to significantly reduce the risk of unauthorized access. |
| Password breach / Data breach | A security incident where sensitive information, including passwords and other credentials, is accessed, stolen, or exposed by unauthorized parties. Data breaches can result from cyberattacks, system vulnerabilities, or human error, and often lead to credential stuffing attacks when passwords are reused across services. |
| Role-based access control (RBAC) | An access control method that assigns permissions to users based on their role within an organization rather than on an individual basis. RBAC simplifies permission management, enforces least-privilege access, and ensures users only have access to the resources necessary for their responsibilities. |
| Hardware security key | A physical hardware device used for authentication, typically supporting the FIDO2/WebAuthn standards. Security keys provide strong protection against phishing and credential theft by requiring physical possession of the device for login, and are considered one of the most secure forms of multi-factor authentication. |
| User provisioning / succession (deprovisioning) | The processes of creating, managing, and removing user access to systems and applications. User provisioning grants new users appropriate access when they join an organization, while deprovisioning ensures access is promptly removed when users leave or change roles, maintaining security and compliance. |
| WebAuthn | A web authentication API and W3C standard that enables passwordless authentication using public key cryptography. WebAuthn is the foundation for passkeys and FIDO2 authentication, allowing users to securely authenticate to websites and applications using biometrics, security keys, or device-based credentials. |
| Zero-knowledge architecture | A security framework where a service provider has no knowledge of the data stored on its systems because all encryption and decryption occurs on the user's device. In a zero-knowledge architecture, even if the service provider's servers are compromised, user data remains encrypted and inaccessible without the user's own encryption keys. |