I host a Bitwarden service for my computer-illiterate family. I managed to push them to use Bitwarden so this is a real win.
I now would like to ensure that I have a way to recover their passwords if something goes wrong (them forgetting their master password in the first place, but also unlikely bugs in Bitwarden).
To do this I would like to be able to dump their passwords in cleartext.
Note: I am really, really aware of what this means, security wise. I also understand that the user is supposed to be the master of their passwords and do not trust the server.
Everyone is fine with me having access to all passwords, there is no malicious or creepy intent here.
This my question: is this possible, or are the passwords only encrypted with the master password of the users? I expect that the answer is that this is not possible.
In that case would you have a better idea? I consider
either keeping a copy of their master password,
or having everyone save their passwords in an organization I am member of (one organization for each of them). The latter means that half of the passwords will still not be shared (and therefore recoverable by me) because they will statistically forget to do that half of the time.
Why I ask the question: I am a typical 24/7/365 online, all-encompassing computer support for my family (this includes setting up the time on the oven) so I would like to simplify my life. And yes, I really understand the security implications.
There is no way to extract the data from the database and decrypt it when someone loses its password.
That would be unsafe and unwanted in my opinion.
What you could do is create an organization and share passwords with that organization. This would mean everybody who is a member of that organization can see the shared passwords.
This is what I expected, thank you for the confirmation
That would be unsafe
This depends on the risk assessment, but generally yes - that would be unsafe
and unwanted in my opinion.
Well, I have a use case where it would be very much wanted
What you could do is create an organization and share passwords with that organization. This would mean everybody who is a member of that organization can see the shared passwords.
Would that work?
That was the second option (second bullet in the post) in the solutions I thought about so far. Unfortunately it is not possible AFAIK to force someone to store their passwords in an organization. And knowing my family, there will be a 50% success in the implementation
Well, that last one could be a feature request.
Somewhere in my memory it is stored that i have seen it somewhere.
But it is not within the main bitwarden_rs code maybe i have seen it in some fork.
You can export passwords from time to time from each individual account in Tools - Export Vault, if you really want that.
You can have the file as json or csv
Yes I know but this is not sustainable for my usecase. It is really oriented to a complete trust kind of support, where the users are not computer litterate. This is why I why I need to cover all the bases, this is the case for instance with nextcloud where I can control all their files and back them up accordingly (and email, etc.)
Bitwarden’s design philosophy is the opposite of “complete trust”, so it’s not really the right password manager for your use case. The simplest workaround I can think of with Bitwarden is to create an organization (say, “Passwords”) for your users, and each user has access to only one collection (say, “[Username]”) in that org. Each user’s password is saved in their user-specific collection, so you have access to it if needed. If your users are as computer illiterate as you say, they probably will never change their passwords either.
