Reset password - from admin page

I’d like to request a feature - where the admin can reset the password of a given user, from the admin page. So when the user tries to log in again - a screen requesting a new password will be shown. For extra security (so that the admin, or any other person trying to log in to the account with a reset password) the 2FA (if it is set up and used by the given user) could be used, to authenticate the user who wants to set a new password.


@zakimakarena, that isn’t possible.
The password is used to encrypt and decrypt the vault, no way to reset it without the original password. Also, if such a way would be possible, it would make bitwarden a whole lot less secure.

Also, for something like this you probably need to look at upstream

@BlackDex I know that it would make bitwarden less secure if there is no 2FA in place, but that would be on the users to take care of.

But I didn’t know that the password was used to encrypt and decrypt the vault, I can see that the reset password is just not possible now.

Thank you for the clarification

The issue is that the password is used to encrypt the data, not that it is used to identify the user.

There are ways to implement this with ‘break glass’ functionality (e.g. the server stores a copy of the user’s key encrypted with the admin’s key) - but they require additional steps that are not as far as I know built into bitwarden client/server.

The use of OTP does not support the same dual purpose (identification and encryption), since the server has to be able to generate the same code to validate that yours is correct. This would therefore mean that during the reset process (at least) the server would be able to decrypt all your data, which breaks the design of solutions like bitwarden.

Separating the key from the password (which can be done with something like SSO, but that’s a much bigger task) would allow this to be done.

SSO is not a solution. It can only be used for account verification. You still need a master password to decrypt the vault.

Password reset is an enterprise feature for Bitwarden. It requires that the user opt in (Enterprise policy can automatically opt in on account creation). When opting in the ‘break glass’ functionality is created by encrypting the key used to encrypt vault items with the public key corresponding to a private key the admin can gain access to when logged in to their account. On the encryption side, this feature is very similar to Emergency Access.