Admin Password Reset
Admin password reset is available for Enterprise organizations on a current plan. Like login with SSO, password reset is not available to Classic 2019 Enterprise organizations.
Admin password reset allows designated administrators to recover enterprise organization user accounts and restore access in the event that an employee forgets their master password. Admin password reset can be activated for an organization by enabling the master password reset policy.
Individual users must be enrolled (either through self-enrollment or using the automatic enrollment policy option) to be eligible for password reset, as enrollment triggers the key exchange that makes admin password reset secure.
Admin password reset does not bypass two-step login or SSO. If a two-step login method is enabled for the account or if your organization requires SSO authentication, you will still be required to use that method to access your vault after password reset.
Admin password reset introduces a new RSA public/private key pair for all organizations. The private key is further encrypted with the organization's pre-existing symmetric key before being stored.
The key pair is generated and encrypted client-side upon creation of a new organization, or for an existing organization upon:
Navigation to the Manage → Members screen.
Updates to anything on the Settings → Organization Info screen.
Upgrades from one organization type to another.
When an admin password reset action is taken:
The organization private key is decrypted with the organization symmetric key.
The user's Password Reset Key is decrypted with the decrypted organization private key, resulting in the users's encryption key.
The user's encryption key and master password hash are replaced with a new encryption key and new master password hash, seeded from a new master password.
The user's new encryption key is encrypted with the organization's public key, replacing the previous Password Reset Key with a new one.
At no point will anyone, including the administrator who executes the reset, be able to see the old master password.
Admin password reset can be executed by owners, admins, and permitted custom users. Admin password reset uses a hierarchical permission structure to determine who can reset whose master password, meaning:
Any owner, admin, or permitted custom user can reset a user, manager, or custom user's master password.
Only an admin or owner can reset an admin's master password.
Only an owner can reset another owner's master password.
Events are logged when:
A master password is reset.
A user enrolls in admin password reset.
A user withdraws from admin password reset.
To activate master password reset for your enterprise organization, navigate your organization's Settings tab, select Policies from the left menu, and enable the master password reset policy:
Enabling the automatic enrollment policy option will automatically enroll new users in admin password reset when their invitation to the organization is accepted and will prevent them from withdrawing from admin password reset.
Users already in the organization will not be retroactively enrolled in admin password reset and will be required to self-enroll.
If you are automatically enrolling organization members in admin password reset, we highly recommend notifying them of this feature. Many Bitwarden organization users store personal credentials in their individual vault, and should be made aware that admin password reset could allow an administrator to access their individual vault data.
To enroll in password reset, select the Options menu next to your organization and select Enroll in Password Reset:
You can enroll in admin password reset for multiple organizations, if you choose.
Once enrolled, you can Withdraw from password reset from the same dropdown used to enroll:
Users in organizations that have enabled the automatic enrollment policy option will not be allowed to withdraw from admin password reset. Additionally, manually changing your master password or rotating your encryption key will not withdraw you from admin password reset.
To reset a master password for a member of your Enterprise organization:
In your web vault, open your organization.
Open the Manage tab and navigate to the Members section.
Hover over the user whose master password you want to reset, select the gear dropdown, and choose Reset Password:
On the reset password window, create a New Password for the user. If your organization has enabled the master password requirements policy, you will need to create a password that meets the implemented requirements (for example, min. eight characters, contains numbers):
Copy the new master password and contact the user to coordinate secure communication of it, for example by using Bitwarden Send.
Select Save to execute the password reset. Doing so will log the user out of their current sessions. Active sessions on some client applications, like mobile apps, may remain active for up to one hour.
When your master password is reset, you will receive an email from Bitwarden to inform you of this. On receiving this email, contact your organization administrator to obtain your new master password through a secure channel like Bitwarden Send.
Once you have regained access to your vault using the new master password, you will be prompted to update your master password again:
You are required to update your master password after a reset because a master password should be strong, memorable, and something only you know.