Hacker News new | past | comments | ask | show | jobs | submit login
Bitwarden releases “emergency access” feature (bitwarden.com)
388 points by madsmtm 43 days ago | hide | past | favorite | 150 comments

The pandemic has made me (re)evaluate how my family can get to my finances and online services. Such solutions can solve issues related to bank/trading account access and key documents but what about subscription services? All my subscription services from Netflix/Plex (less important) to VPN/Blackblaze (more important) are tied to my credit cards, which upon my untimely demise will be deactivated. My family will surely get locked out if I don't leave clear instructions on each of the services and how they can access them, etc. Then there is a technical aspect of taking over these service.

I'm curious on how others have planned around this?

edit: typo

Everything should be documented. We have a binder with checklists that walk you through gaining access to everything the other partner might need in the event of death (email accounts, domain registrar, bank and brokerage accounts, auto/home/life insurance, ongoing recurring bills of all sorts). Bitwarden databases are exported to paper, 3 hole punched, and put in the binder on a schedule. Both partners get setup with each other's 2FA OTP tokens. Have options? Agreement goes in the binder. Own real estate? Deeds, land trusts, LLC agreements, etc related to this go in the binder. If in doubt, print it out.

Either one of us can assume responsibility for the entire estate in about an hour or so, the only delay would be a life insurance benefit payout. If you have assets that your partner might not know how to facilitate liquidity for, or when to, pay someone you trust to manage that. Your gift to your family is when you leave the world, they can continue on without fumbling to wrap up loose ends.


This is a good approach, but it requires having a partner in the first place...

If you don’t have a partner, or one single person in your life who you trust absolutely, you can distribute this trust.

Collate this same information, encrypt it and then use [a key sharing algorithm](https://en.m.wikipedia.org/wiki/Shamir%27s_Secret_Sharing) to split this encryption key across a set of semi-trusted contacts.

I'm single and living alone, no family in the picture. I have a very small circle of friends I love and who I trust implicitly. With their permission I ask them if it's okay to share some important things with them, in case the worst happens. Spare keys, contacts, etc. etc.

Those friendships might outlive any romantic partnership I do have in future. So I don't think it has to be a partner specifically. Of course, there are still some things that you might not share as openly even with that trust in place, but that doesn't stop you from having a backup plan.

I downvoted this at first, but I've undone that and am going to respond.

If you have family, extremely close friends (as adults, life-long friends), these can be options. Consider keeping your 'binder' in a safe deposit box and setting up access via your bank.

If not, an attorney or even CPA may be able to keep this information for you.

An alternative is to have your attorney be responsible for executing your will, but keep everything else in the safe deposit box and put the instructions on how to access in the will. That way your attorney can access only if you die and they assume legal authority for exercising your will.

If you don't have anyone you will leave your assets to, the attorney will be the one liquidating your estate as per your will.

Couldn't you have that binder laying around in your home anyways? I imagine my family would be able to gain access to my home if I die (even though not one of them has a key).

Anyway does it needed unless partner or something exists?

If you have any 'estate' and any relatives, it is advisable to have a will to avoid painful / slow legal processes for those remaining.

Sure for my money, but my heirs aren't going to kill each other fighting over my netflix recommendations.

One might object to having different subscriptions to big corps draining your estate if you want eg. a charity to have it.

That's why you need to cancel the credit card when you die.

Not to spoil good ideas or be a negative Nancy...

What is the process for revoking this access in the event of a less than amicable split between partners?

well it's a checklist to change ownership to a list of deeds, would work exactly the same way, with the except being that's it's a third party whom distributes property ownership among the partners and not a unilateral transfer from both to one.

In an accident or disaster (house fire, flooding, earthquake, you name it), this binder will be gone. This binder should be in a secret manager.

Keep a copy in there if you want for convenience, I argue you’ll still want a paper backup somewhere. Opsec is hard, people are fallible.

“What was the password?”, “Where’s the Yubikey?”, etc. These are not the failure scenarios you want to encounter during a tragedy (speaking from experience).

Bank safety deposit box is probably a good option for backup, it's very unlikely that both your home and the bank will burn down at the same time.

My house, several of my friends' houses, my insurance agent's office, my vet, all burned down in the same wildfire a few months ago. Local banks were destroyed along with everything stored in them, and we nearly lost our kids' school. Standing at the remains of my house, looking around at the destroyed community, it looks like we were firebombed. Not modern precision strikes... WWII scale, wrath of god, miles of destruction firebombed.

Anyway, I'm just saying that things you think are safe, really aren't. It's inconceivable that two houses across town from each other would burn down on the same day, until they do. Probably not going to happen, but sometimes it does.

Thankfully, my wife grabbed the binder with accounts and passwords, along with the kids and pets, when she evacuated, while I was stuck on a backed-up freeway an hour away.

I've been very conscientious since then about keeping both a physical and digital copy of everything important. I would never trust digital alone, but a physical copy just isn't reliable enough.

What if you keep a digital backup in your car? The mobility of your car should spread the risk. If your house burns down during work hours your data will be safe.

Safety Deposit boxes are not trustworthy


A pile of papers will probably survive a lot better than a valuable object, at least.

The bank across the street from me is 100% burning up in the same fire as my apartment if the California wildfires get to me.

Fires are strange beasts. Sometimes one house in a street will survive completely unscathed and the rest all burn down to nothing.

A street is a firebreak. An earthquake might level you and them but a fire won't necessarily.

A lot of banks have been phasing this product out, but if your bank supports it, I highly recommend it. Usually, they’ll even allow you access with a drilling fee if you’ve lost the key but can show multiple forms of ID. Whether this is good or bad depends on your threat model.

What's a good, safe place to store the key?

Either on your keyring or in your fire safe. As I mentioned, if you lose it, you can get the lock drilled at the bank with sufficient ID. All trust waterfalls to meatspace trust providers, just like if you lose your Yubikey AWS support will reset your hardware 2FA with sufficient evidence you are you.

Just a note about safes... our community had a wildfire sweep through, and I have not heard of any fireproof safes actually working. Some were cracked open, or were so compromised they could be snapped apart by hand; some survived, but there were only ashes and melted metal at the bottom. I'm sure I didn't hear about the successes, only the failures, but still...

I don't want people to proceed with the notion that those safes are actually fire-proof. Consider them 'fire-resistant' safes that conditionally offer some extra protection.

Every single one of them probably "worked" as designed and marketed, or close enough. Safes don't claim to be fireproof and will clearly state something like "Fire protection for 1/2 hour at 1400F." Very few get into "Likely to survive the total burn-down of a home" territory.

Fire address AFAIAA are rated by time normally, so they'll be rated to withstand a fire for an hour - giving time for the fire services to extinguish it. A safe that survives a whole house burning to the ground seems like almost an impossibility.

Safety deposit box at a different bank

I think giving a USB key or login details with access info to your password manager to a trusted friend or family member might be preferable to having a paper binder that could be lost in a disaster situation.

You'd have to account for bit rot though

I recently looked at an old USB key that had some JPGs stored from ~5 years ago.

I was astonished to see that over 50% of the photos had some sort of bit rot that broke the JPG rendering. Many photos would display correctly at the top until the row where the damage occurs and then display grey for the remainder.

This definitely occurs more than you would think on USB keys.

You could generate parity files to guard against this. There was some discussion recently here about tools to do it. One example that is decent is https://github.com/brenthuisman/par2deep

even for personal safety you need layers of backups. my phone recently lost all data after it botched it's own update, and restoring some key has been a true pain. I've a binder with almost all of the important authenticator tokens or relative recovery codes, but some bank application do the otp setup on their own app side channel and required a lot of paperwork and calls to get it fixed.

Home safes are available that are fireproof, waterproof, and very durable. Theft is an issue, though.

A bank safety deposit box is a good backup plan for the home binder.

The benefit of the binder over (or in addition to) the secret manager is it maximizes the chances your family can successfully access your data. I've designated family members as the emergency access contacts for my password manager, but one member completely forgot I even used a password manager, or what it was called. They would never have looked for my data there in an emergency.

Interesting. Did anyone make a similar checklist for passwords and what not? I have something in a binder which is meant to be used in case of emergency, but it's a bit out of date and I wanted to revamp it.

Absolutely read that same book. One of the most useful I've read.

Having gone through an unexpected, young death where nothing was recorded, I’ve come to the opposite conclusion: anything significant enough to care about already has next-of-kin processes established such that the Right Person will be able to sort it out.

Indeed, when it comes to stuff like finances, at least where I live, touching them post-death creates issues when the legal channels confirming there’s no contest over next-of-kin haven’t been run to ground. In those situations, having a password means nothing.

This doesn’t mean you shouldn’t prep a will and have processes in place, but it gave me a lot of reassurance that I did not need to worry so much about this.

That's fine if you're single but incredibly selfish if you're not.

I think an accusation like that warrants some elaboration. Please describe why you think this is selfish.

It makes the whole thing the problem of whoever survives. By not leaving documentation, you pass the work of picking up the pieces to someone else. I think "selfish" might be a little strong, but it's not an indefensible position to take.

This depends on what we're defining as documentation vs access. My interpretation of the start of the GP was more about passing over actual login/access information, which especially for assets and finances really shouldn't be handed over this way.

Documentation in the form of "I have a bank account at Bank X, and a will at Lawyer Y (or, I don't have a will, but there are established protocols to handle this)" (even if only verbally) is different than "here's my username and password to my trading account in case I snuff it".

My wife and I recently had to settle an estate (pre-covid), and most subscription services are quite easy to work with. The estate we were dealing with was a bit of a mess, so we basically had nothing to go on except some bank/credit card statements. We were able to contact the banks, deactivate all the credit cards, and contact some services to request refunds for several months of service. We didn't have any trouble getting those refunds after providing the death certificate.

Obviously, it would have been much less of a hassle if we'd had the account information from the beginning, but there were much more annoying problems to deal with than deactivating Netflix.

If you're really concerned about this, make sure you have a will in place and beneficiaries defined on your financial accounts. That is probably just as important as making sure your dependents have immediate access to your money.

A day before a critical surgery I was told I had 50% chance of survival, being a single founder of my startup I had access to all the accounts, passwords, encrypted data (files, codes etc.) and had to find a way to transfer them to my shareholders if I die.

I settled for writing the master key in a physical file to be delivered to a trusted contact in case of my demise along with registering the fingerprint of my trusted contact to my smartphone(all of which has since been revoked). Bitwarden's Emergency Access addresses this problem in a much safer way.

I didn't think about credit card access then, but in my case I think shareholders could have legally taken over the startup and thereby getting access to all the online subscriptions; what wouldn't have been feasible was accessing the private encrypted data hence the 'need for secure key transfer after death'[1].

[1] https://www.needgap.com/problems/27-secure-transfer-of-encry... (Disclaimer: My problem validation platform where I had posted this problem a while ago).

So did you make it?

Not sure whether it's a serious or funny/GPT question,

But I did survive, but had to shutdown my startup anyways[2].


After my wife watched the show “Dead To Me” on Netflix, we had this exact same discussion. I ended up writing a “death document” on Google Docs and sharing it with her. It just outlines “here’s where everything is and this is what you do with it”. It was done kind of jokingly, but now that it’s written it actually makes me feel much better.

For passwords and such, she has a Bitwarden account too and we share all important passwords (finances, medical, etc) in a shared organization between the two of us.

Fun story about shared passwords in Bitwarden... I recently had to undo that process because I’m going through divorce. We aren’t at the point of severing everything yet but my ex took the liberty of using the shared Bitwarden passwords to sign into each of the utility (gas, electric, etc) accounts and change the passwords. Thus locking me out.

I had resisted doing anything with the shared passwords prior to this because the process to unshare an account is to delete it from the organization and make a new entry on your personal vault.

Ultimately the blame is on me but the process for unsharing is broken. I guess the moral is to just be careful about sharing accounts in a BW org if you ever expect you might have to undo all of them. It was about 15 accounts in all because we had also shared everything related to financial institutions and health care. I did take the time to change each of them as well since there was no way of knowing what may have been copied.

That sucks though I’m not sure your story supports “the Bitwarden process for unsharing is broken”. If you could remove shared passwords from someone else’s vault wouldn’t that just leave _you_ with access, effectively locking out your spouse?

You can’t unshare them from the organization. Say you create an entry for Bank of America. You then later share that entry with the “Family” organization. That entry now forever lives with that organization unless you delete it and then make a new entry again in your personal vault.

A more user friendly approach would be for the entry’s ownership to always remain with the original creator and simply share that entry with the organization. You could then later revoke sharing the entry with others or the organization. This is how almost every other file sharing works.

I’m sure there are underlying issues, especially since the goal is for it to be cryptographically secure, it’s just not a very user friendly system and as I said it’s ultimately my own fault what happened to me.

Yeah I understand, I’m just saying in this case that feature would allow you to lock out your spouse effectively

Which was exactly what my spouse did to me by having access to the password and then changing it with the utility company and not updating it in the password manager.

I think as another commenter said we’re complaining about the wrong piece of the flow. Important accounts like utilities should have a mechanism where as many users as necessary are tied to an address. In many households it will be one user but in some it might need to be 2, or in the case of roommates 2+.

We can have multiple users tied to our mobile phone service provider so why not the gas or electric?

Sounds like you can already do that with the "delete from org + recreate in personal" workflow, so an "unshare" button would just be streamlining that existing capability.

the larger (but difficult to fix) issue here is that these important services don't seem to offer a good implementation of a joint account. if two people live in the same house, they should both have access to the account with the utility company to view balances and make payments, but neither should be able to lock the other out without some formal process. having multiple people share the same credentials is an antipattern.

I actually put together a service that is focused on this issue called Fidelius Vaults (https://www.fideliusvaults.com). If you have a moment to look, I'd be curious to hear your feedback on whether it solves the problem you stated.

I really like this idea, but what's the longevity of the service? Do you have any sort of contingency plan if you die, or if you don't have the funds to maintain the service anymore?

ah, I dabbled in a same idea, but before "guardians" I had another step, which was contacting the "vault" owner after "keyholder" requests and before "guardians" approval allowing for the owner to veto access if needed be, as another layer of authorization.

glad to see things like these are cropping up, there's a need for sure.

Have one email account on your domain (example.com) and use that for everything important. Use a long random password for the account and don't 2FA it. Share that with your family. That's probably all they need to gain access and reset your other accounts.

If you 2FA the email account, you risk locking you and them out permanently for many services. I've written some about this. If you care to read it:


Also, if you 2FA other things and aren't really careful, you may lock them out even if they know the password and/or are able to reset it. That is by design.

This problem is growing larger every year as more sites enable or mandate 2FA. It's impossible for humans to manage this at scale.

I don't buy the "don't use 2FA" argument.

My partner knows how to unlock my phone. She can read the eventual SMS (I know, it's insecure, but still the only 2FA method in many US bansk), she will receive the email with the eventual password reset on the phone, she can use my authenticator apps. She also knows about my Yubikeys and where they are stored.

She also has access to my laptop, where backups for the above are stored.

Even with TOTP, it's trivial to set up the same key on more than one device at the same time.

And what the manual unlock codes?

What manual unlock codes? You mean the TOTP backup? It's documented. But she won't need if she has the rest.

I've written down all account credentials and passwords into a text file that sits inside a Veracrypted volume on an external hard drive with multiple copies including off-site. My wife knows the encrypted volume password (as her personal files are also within), and the location of the text file.

Still need to write a licence permitting her to release all my IP into the public domain.

I have shared document that has high level details: Savings accounts, investment, 401ks etc. That is known to my wife. We both use lastpass, so Im also using delayed access release* for wife (14 days) and for my brother (30 days, he lives in another country, were not particulary close).

If we travel together with wife on something like plane we ensure that our wills, that have the same information as above are shared with relatives.

* the wife can request access to my account. I'll get email notificarion. If I wont reject it in given time period the access will be given

I conceived this a little while ago and got a friend who is a developer to write it.


It's been a slow start but hoping it picks up and we can get it onto the Apple store.

My mother has the releaser email and the email itself goes to my partner.

I don't do anything with my online accounts; for assets I rely on beneficiary information and my will, and I expect that the online accounts will just die off (as CCs close, etc).

I've always wondered if I should do more. What are the downsides of relying only on wills and beneficiaries? What might I be missing with this super basic estate planning?

Their concern seems (to me) to stem mostly from how the rest of their family will be able to use the household services if they pass.

Should the family have to setup new netflix accounts with new watch history tracking because the primary account holder passed away? Given how long it would take for the cc's to get cancelled and netflix to notice, would it be smart for your kids or partner to get that kind of gut wrenching reminder of what was lost months after your death?

I know of two off the top of my head, probate and people fighting over your stuff

Could you elaborate?

What issues would simple wills and beneficiaries have in probate? And how does giving someone access to my passwords avoid those issues?

This question feels like a potential opsec danger zone.

Same question reformulated: “What’s the one thing you need to compromise to get into my entire digital domain?”

Keep everything in Lastpass notes or the notes of whatever password manager you use.

Then put the password to that somewhere safe for people to have.

Lastpass actually has emergency access contacts you can setup without having to share your master password.

safety deposit box at my bank with my accounts, passwords and 2FA recovery codes in a notebook

Bitwarden is just fantastic. It's open source, the interface is clean, works fine on all platforms for me and pretty much everything is free. If the devs browse here, thanks for making it.

I have been using Bitwarden for over a year now and there are still tons of UX bugs that annoy me.

In Firefox extension:

1. There is no memory. If you close the window, to copy the password, you have to re-search for the account to find the username.

2. If you open up bitwarden before the page is loaded, it says it can't find the password box to fill in. This is probably an extension limitation, but still annoying.


1. No memory. If I search for a username, I have to re-search for the password. It always opens up to the search screen (when I am using it via the password helper keyboard). 2. iOS the keyboard doesn't always show up to let me search for an account via password helper keyboard.

In general

1. You should be able to set a default username or email to automatically use when creating a new account. I hate having to type my email address in every time when creating the account on mobile. 2. When you're registering an account on a website, I first create it in Bitwarden with a password then I paste the password into the textbox to register the account. If the website rejects the password cuz of formatting, I gotta go back into bitwarden, edit and update the password with the new format. it takes like 5 clicks. ugh.

Thanks for listening.

Maybe you can use the sidebar instead of the toolbar button if you're annoyed by the 'no memory' issue.

This is what I figured out by accident that helped me overcome the memory issue. Ctrl + H on Firefox, click the top-left dropdown for Bitwarden.

> 2. If you open up bitwarden before the page is loaded, it says it can't find the password box to fill in. This is probably an extension limitation, but still annoying.

The sidebar trick above also helps this issue. When it can't find the password box you just click the "refresh" icon on the Bitwarden sidebar and it'll fill it in. This limitation may be by design so it doesn't have constant access to everything you browse, only allows a "snapshot" of the HTML to fill in when loaded (or refreshed) - complete guess though.

Opt-Shift-Y on MacOS

> 1. There is no memory. If you close the window, to copy the password, you have to re-search for the account to find the username.

Recently summarized the issue plus previous reports in here: https://community.bitwarden.com/t/unsaved-changes-are-lost-w...

I'd used LastPass before and believe their solution is plan obvious, it just works. So that's what I suggested Bitwarden to do: opening up a new tab with all the extension UI for data entry, instead of depending on the volatile state of a pop-up window.

EDIT: I misread and thought the issue was with the data entry! but now I understand that parent meant manually copying username & password from the extension to a website. While I never do that (autofill seems to work fine for me), the same proposed solution still applies, I guess.

> You should be able to set a default username or email to automatically use when creating a new account.

I think that might be a mobile limitation. Profiles address that problem but I'm not sure if Android or iOS give developers the ability to autofill profiles.

Bitwarden's UX is pretty poor but the way I see it is that's what $12 a year gets me. :)

> Bitwarden's UX is pretty poor

Hmm, I've tried LastPass, Enpass, a handful of Keepass clients I can't remember the name of and (shortly) 1Password, and I can't really find anything Bitwarden does that much worse than any of these. To be perfectly honest, they're all kind of clunky, IMHO.

> ...and I can't really find anything Bitwarden does that much worse than any of these.

I feel like I can think of a lot but I'll give you one that, to me, is Bitwarden in a nutshell:

What happens if you open your browser, go to https://news.ycombinator.com/login, and hit Bitwarden's autofill shortcut? Nothing, because you didn't log in to Bitwarden first. Pretty much every other password manager will ask you to log in and then they'll autofill.

Ah, I always use the toolbar button rather than the context menu shortcut, so it's a non-issue in my case, as it just will ask me to log-in there. Yeah, that would definitely be a better flow. Maybe I'm just "used" to it and am overlooking some irritants, I don't know.

Agree the UX is poor but I prefer this because there are tradeoffs involved in some of these choices. Auto filling, for example, caused a bunch of critical bugs with LastPass. As an extension, there’s always going to be limitations that I’d prefer security software not push.

Natively integrated password managers like Firefox or Chrome are in a much better position to push for UX but you can see they aren’t that much better either.

> 1. You should be able to set a default username or email to automatically use when creating a new account.

It's not a bad idea but you could also set up an identity, perhaps call it "New sign up", and it'll fill out the email address for you with two clicks - one to open Bitwarden, one to auto-fill.

This memory issue is also driving me insane. Why its so hard to fix ?

Just want to echo this. I've been using Bitwarden for about a year now, and a few months ago, my mum (not technologically literate) had her email hacked. Getting her set up with Bitwarden & teaching her how to use it was one of the easiest experiences I've had when introducing her to new software. Really well designed.

I recently set this up with my mom and dad too, and they have been enjoying the relief of only having to memorize one password. It is also much more secure since then their previous methods of reusing passwords.

How dependent is it on them as a service? If their website/service disappeared off the face of the earth tomorrow, would I still have access to my passwords locally?

I'm still hesitant to use any form of password management that relies on cloud services. I still like Keepass (with auto-updates disabled for security because their updater uses HTTP, of course), for my purposes. I can Sync my keepass file any number of secure ways that don't rely on a single provider.

> If their website/service disappeared off the face of the earth tomorrow, would I still have access to my passwords locally?

They provide a selfhosted alternative to their cloud service.

Not only that, there is a rust based birwarden server reimplementation that doesn't phone home (IIRC I believe the official self-hosted server needs an API key?), is compatible with all platform clients (at least for my needs). https://github.com/dani-garcia/bitwarden_rs

Your passwords are cached locally on the devices. You can export your vault too. If their public service goes down (or if you don't want to use it in the first place) you can stand up your own server (there are at least 2 common implementations) and point your clients at it.

As far as I know they only sync a data blob, so you would just not get any updates.

Yes. Only the sync stops working when offline.

I like it so much I proposed it to my boss and we set it up at work. Small team, around 20 people, but even the non techs got up to speed with it with just a 20-minute explanation.

I'm really happy to see this come to BitWarden. I switched from LastPass to BitWarden and this Dead Man's switch was the only thing I found missing. I actually kept my LastPass active just to provide instructions on how to get into my BitWarden in case of an emergency. I'm still not clear if both the granter and grantee need to be premium/paid subscribers or not. Hopefully I can grant emergency access to someone without a paid subscription... I guess I'll find out when I dig into it over the weekend.

I (premium user) have just tried this with my girlfriend (free user).

I can add her as a emergency contact and she can accept that. But she cannot add me as an emergency contact since it is a premium-only feature.

Nice! I was already satisfied using Bitwarden, and now I will no longer have to manually manage my ICE backup.

In the past I've kept an offline copy of my 'vault' on a few USB keys in a safe deposit, for my family in case of death or similar. I'm curious how others have solved this problem.

I periodically send my loved ones encrypted copies of my password vault. A copy of the decryption key is stored in my safe-deposit box, which they can access only after I am gone. This lets me update the contents of my password vault without having to visit the bank.

And actually, the safe-deposit box only holds one half of the decryption key. My loved ones have the other half in their respective safe-storage locations. This means a rogue bank employee can’t drill my box and do anything useful with the contents.

The password vault itself is a plaintext file that I decrypt and edit/grep as needed. I use the OpenSSL command-line tool for encryption and decryption. My loved ones either have this installed by default on MacOS, or have a Cygwin installation on Windows with which I have tested the commands. The safe-deposit box contains short and detailed instructions for use for my non-technical loved ones.

I also use the Google Chrome password manager with client-side encryption enabled. Whenever I change any important passwords, I’ll export its contents to my text file password vault.

I have a similar and opposite problem. I would be fine with all my secrets dying with me, but what i want to protect against is me going into a coma/for some reason I forget how to access my accounts.

How to securely manage it so that only I can open it if my biological self is there? I don't trust bank safe deposit boxes and I can't put a safe worth using inside my Apt.


I think you are going to have to rely on another human being (or perhaps a group of trusted individuals) even in that case. Depending upon what caused your incapacitation, you may or may not be able to actually retain and manage your secrets going forward. Put another way, if your wetware is damaged you may need a backup (aka trusted human) to handle your secrets on your behalf.

Shamir's secret sharing is the algorithm for splitting a key and requiring only a subset of pieces (so you can disperse it to 20 friends but only need 11 to agree to reform the key).

This would give you protection both against the amnesia route (where you fall unconscious, lose your memory but are totally fine afterwards) and the route where you're unable to manage your secrets at all (eg stroke resulting in longterm failure to maintain memories or make decisions).

You'd still, for the total lose route, need a replacement actor (someone acting on your behalf) to assemble and receive the key, and be the keyholder moving forward - and you would likely need to leave instructions with the flock of people having pieces of the key on how to select or confirm your future keyholder.

I think you are going to have to rely on another human being (or perhaps a group of trusted individuals) even in that case.

Not necessarily. Bank safe-deposit boxes are a secure place to keep secrets. To guard against rogue bank employees, encrypt the stored secrets and keep the key at home on a sticky note. If you ever hit your head and forget all your secrets, just present your ID to the bank teller, pull the secrets out of the vault, and decrypt them with the key on the sticky note.

In that situation I can see myself forgeting where I'd put the sticky note, or what it meant.

That’s why you write the whole plan down on yet another sticky note!

Haha, believe me, I can make this plan fail if I haven't had my morning tea or coffee, let alone serious head injury!

Perhaps just an old ipnone or android with a fingerprint sensor and another installation of bitwarden. You can keep the phone's passcode written down because its only use is to start the device. Then configure biometric log-in for bitwarden as an alternative to a distinct passphrase. In the event of a total blank, you should still have access as long as you retain a finger.

Requires a passcode before allowing biometrics

That's why I said write down the passcode and keep it with the device. The device itself isn't important because you're not keeping anything on it. Bitwarden encrypts everything itself. To my knowledge, once you enable biometrics in bitwarden, you will not need to use the master passphrase.

Not the person you responded too, but I imagine you could likely get a custom firmware to allow biometrics whenever, if you can replace the kernel, you can generally make the device behave however you'd like.

Here's the details on how it works:


Am I reading it right that this allows people to designate access to their password manager via email? I feel like I have to missing something, like a previous step that fingerprints the emergency contact's key or something.

(I get that we rely on email for stuff like this all the time, but your password manager is part of what protects your email account, which is why we rely on email as much as we do for resets).

They encourage you to verify the grantee’s fingerprint phrase:

> To ensure the integrity of your encryption keys, verify the displayed fingerprint phrase with the grantee before completing confirmation.


> The fingerprint phrase is an important security feature that assists in uniquely and securely identifying a Bitwarden user account when important encryption-related operations are performed (such as sharing).


While I make heavy use of a password manager, I still choose to memorize my email password, and not store it in a password manager, precisely because it is is relied on so much, and can be used to reset the majority of the passwords stored in the manager anyway.

I’m with you. I’ve memorized an odd password for entry into my Bitwarden and my ProtonMail account.

For very important passwords that are stored in a password manager, salting it with a memorized phrase is a good idea. That way, if someone gets access to my password manager, they still won't be able to access everything in there.

> On confirmation, the grantor’s Master Key is encrypted using the grantee’s public key and stored once encrypted. Grantee is notified of confirmation.

> When the request is approved or the wait time lapses, the public-key-encrypted Master Key is delivered to grantee for decryption with grantee’s private key.

I'm not quite sure how I feel about the way they're doing this. Whilst this is a feature a lot of people desire, the way that they're doing it makes it feel like it would be impossible to verify that they're not storing your Master Key, or transmitting it to someone else - i.e. backdoor.

At least, not with the level of detail I can find. [0]

[0] https://bitwarden.com/help/article/emergency-access/

I'm under the impression that the "encrypt master key with the receiver's public key" step is done on-client, so you could verify that the master key isn't being stored the same way you can very they're not sending the master key when logging into the web ui: looking at devtools and seeing everything that leaves the network.

It's a little too much to sort through on mobile, but I believe this is a reasonable place to start looking (this is the web app, the server might be worth a look too). As far as I can figure out, it's not part of the cli client.


Reminder: bitwarden isn't just an awesome service, it's also committed to open source!

> I'm under the impression that the "encrypt master key with the receiver's public key" step is done on-client

However, what would prevent them sending two public keys, one for your contact, and one for someone else? Or sending the wrong public key?

How is the key exchange itself verified other than "Bitwarden user"?

Those questions aren't answered.

They are answered right in the help article: https://bitwarden.com/help/article/emergency-access/#confirm...

"To ensure the integrity of your encryption keys, verify the displayed fingerprint phrase with the grantee before completing confirmation."

So keys aren't verified at all. That seems like something that needs more than a single sentence that comes _after_ they explain the confirmation process.

I use Lastpass, but I'm no longer a fan. So I am considering Bitwarden, but was wondering: What does this afford me that the built in Firefox password manager does not? Firefox now provides a method to generate passwords. Is there something else I am missing?

The built-in Firefox password manager does not work with other browsers (kind of obvious, no?). I use different browsers on different devices, and Bitwarden just works on all of them.

I switched from the Firefox password manager to bw a while ago, but at the time, Firefox didn't allow multiple users to share passwords (organizations). I share some passwords with my wife, that was enough to switch.

Password fill for every other app on your phone, and just generally decoupled from your choice of browser.

I’m also looking to move away from LastPass. Dropping this comment to get notified of replies.

This represents a dramatic escalation of side-channel attack vectors and surface area. It’s an unfortunate inevitability that this will not end well. Secure platforms never provide affordances for backdoors, especially backdoors tightly coupled to externalities. Bitwarden is further attracting unnecessary attention to itself from actors who have an interest in the collection of the volunteered emergency-trust relationships. Bitwarden would be well-advised to reconsider this feature.

I disagree. This is an extremely important feature. If something happens to me, I wouldn't want my family to have to jump through insane hoops to get access to my accounts for a bit of extra theoretical security. At this point something traumatic has already happened to them and this would just be another emotion burden. This could be for financial reasons, or say if I were missing, to communicate with my friends.

Let people who don't need it and don't want it turn it off, but for me I'd definitely have it on.

Unless I'm reading this wrong, this lacks a lot of granularity. I'd like to be able to only give access to a subset of my vault, not all of it. I'm of the opinion that my accounts should just disappear with me, apart for some things related to real life like utilities and the likes. Come to think of it, my GitHub account could be worth preserving too but right now I can't think of much else being worth it.

Here’s a list of password managers:


It has a column for Secure Sharing, but not one to show granularity.

Ones that make organization easy seem to choose to offer persistent sharing at the vault level (multiple vaults shared to nobody or to different sets of people), easy ways to move items between vaults, and flagging if you have multiple or OOS copies of items.

Careful, most seem to offer per-item share-as-a-copy that the recipient should store, which I wouldn’t consider as counting as the kind of sharing needed for this thread.

Just a friendly reminder that DMS is an excellent service as well. Just PGP encrypt a message and it'll get emailed out if you don't click a link on a set period. It is a painfully simple and inexpensive service.


My dad set me up with the equivalent feature to this on Dashlane. But it involved downloading their desktop app, which has all the usual anti-user behaviour - automatically adding to startup list, minimising to taskbar on quit, self updating without request, etc. So I ended up uninstalling it.

I hope that I get an email notification, or I find out through other offline means, if the feature ever gets activated. I hate that something which could have a significant impact on my life, potentially at a difficult time, appears to require running crapware on my own computer.

> Dashlane ... their desktop app, which has all the usual anti-user behaviour

They are going "web first" and eventually deprecating the desktop app, so you are going to need to reengineer that solution at oe point soon.

Appreciate the tip-off

Just a thought after having read through the comments, not all emergencies are the result of death, and, since pretty much any textual information can be stored in a Bitwarden vault, the kinds of emergencies could vary widely. A well-thought out use of the share/collection features might mitigate a lot of "emergency" situations though.

I do, however, look forward to the clichéd "you had her change the will just days before her death" in murder mysteries being replaced with "you signed her up for Bitwarden's emergency access just days before her death"…

I am not so sure about this. I think they should certainly allow emergency access to shut down all access but not necessarily give access to a trusted party. Life can change quite unexpectedly.

An alternative way to restore access to an E2EE app account could involve Shamir's Secret Sharing, I wrote some ideas about it would work:


This is timely considering Vitalik’s vocal support for Social Account Recovery: https://vitalik.ca/general/2021/01/11/recovery.html

It’s personally something I love to see.

LastPass has had a similar feature for some time now.


It's a good application and service that offers much on free accounts "but":

* there's still no way to keep fetching icons disabled across all devices and instances of bitwarden - each time I have to disable it; I just simply don't like such feature anywhere it's present

* there's no emptying the trash on desktop client and neither in browser addon

* logging in generates email on which your account is registered, which is a good security feature but sometimes it's just... annoying

* import exist only in the web vault interface, while export is present on desktop application and web vault

* despite of having vault unlocking to set with pin, I have to provide password

Still, it's my secondary choice for less important passwords for sites and apps since it works nicely on mobile and isn't limiting features like Enpass which is my main password manager.

> * despite of having vault unlocking to set with pin, I have to provide password

You can configure how it locks upon close.

And you still can't use Bitwarden in Firefox's private mode.

It's working fine for me here (Firefox private window on OSX).

I did have to go to the extension's settings and enable "Run in Private Windows".

Not sure why I'm getting down-voted. It doesn't work in Firefox's private mode. Nearly 4 years after the issue was raised. It was completely dismissed as "something Mozilla needs to fix" on multiple occasions.

It works, but you need to right click the field you want to fill and mouse over to Bitwarden.

That works, but the right click menu only includes logins. In addition, if your vault is locked, you can't unlock it without switching to a normal window.

Works, but unfortunately the vault has to be unlocked in a non-private window first.

So useful. I have been wanting this feature.

Applications are open for YC Summer 2021

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact