HACKER Q&A
📣 krn

How can E2E services like 1Password and Bitwarden offer password resets?


This is what I don't get: if there is a way for another user – a family member or a team administrator – to reset the password of your E2E account, doesn't it mean that the employees of 1Password[1], Bitwarden[2], and Tresorit[3] can do the same at any time?

Then what is the entire purpose of such services, if their providers still need to be blindly trusted?

I believe that it's a required feature by many enterprise customers.

Maybe that's why B2C-focused Standard Notes doesn't provide any way to recover your account if the password is lost[4].

But what is stopping them from adding such a feature in the future?

[1] https://support.1password.com/recovery/

[2] https://bitwarden.com/help/admin-reset/

[3] https://support.tresorit.com/hc/en-us/articles/216114497-I-forgot-my-password

[4] https://standardnotes.com/help/6/i-ve-forgotten-my-password-what-should-i-do


  👤 wruza Accepted Answer ✓
Seems that they simply mediate private key (or password, or other crypto trick) exchange in case one of the connected accounts loses access. E.g. Bitwarden states that it must be a special type of account explicitly set up for that. You cannot recover a regular account.

https://bitwarden.com/help/forgot-master-password/


👤 moasda
Technically, the vault key is stored in several copies; each copy is encrypted with the personal key of a user in the group, or of a recovery user who can reset the vault key.

> Then what is the entire purpose of such services, if their providers still need to be blindly trusted?

Even if the provider doesn't have direct access to the vault key, you have to trust the provider at the moment you access your vault, because the server is controlled by the provider.
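The mechanism wruza and moasda describe, written out as an added example (this is not code from the question, the answers, or any of the linked products): one vault key, wrapped once per person who may open it; a recovery account is just an extra wrapped copy the member opts in to; a reset is the recovery client unwrapping that copy and re-wrapping it under a key derived from the new password. The provider stores only salts and wrapped blobs, so it has nothing to unwrap with. Everything here is constructed for illustration: the user names and passwords, the recovery key, and the stdlib-only encrypt-then-MAC in place of AES-GCM. The real products wrap the recovery copy under the recovery account's public key, so the member never learns the recovery secret; this example uses a shared symmetric key to stay dependency-free.

```python
import hashlib
import hmac
import secrets

# --- primitives (stand-ins; a real client uses AES-GCM / XChaCha20 and a ---
# --- public key for the recovery account rather than a shared secret)   ---

def derive_personal_key(password: str, salt: bytes) -> bytes:
    """Password -> 32-byte personal key. Only the salt is ever stored server-side."""
    # 100k iterations keeps the example quick; production settings are higher.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=32)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a toy stream cipher."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:n])

def wrap(key: bytes, secret: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(key, nonce, len(secret))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(key: bytes, blob: bytes) -> bytes:
    """Inverse of wrap(); a wrong key fails the tag check and raises."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

# --- what the provider holds: salts and wrapped copies, never a raw key ---

class Provider:
    def __init__(self):
        self.salts = {}            # user -> salt for their personal key
        self.vault_copies = {}     # user -> vault key wrapped under their personal key
        self.recovery_copies = {}  # user -> vault key wrapped under the recovery account's key

def enroll(p: Provider, user: str, password: str, vault_key: bytes) -> None:
    """Client-side: wrap the vault key under the user's own personal key."""
    salt = secrets.token_bytes(16)
    p.salts[user] = salt
    p.vault_copies[user] = wrap(derive_personal_key(password, salt), vault_key)

def open_vault(p: Provider, user: str, password: str) -> bytes:
    return unwrap(derive_personal_key(password, p.salts[user]), p.vault_copies[user])

def opt_in_recovery(p: Provider, user: str, password: str, recovery_key: bytes) -> None:
    """Runs on the member's client, which has the vault key, so it can add a second copy."""
    p.recovery_copies[user] = wrap(recovery_key, open_vault(p, user, password))

def admin_reset(p: Provider, user: str, recovery_key: bytes, new_password: str) -> None:
    """Runs on the recovery account's client. The server only receives a new wrapped copy."""
    vault_key = unwrap(recovery_key, p.recovery_copies[user])  # KeyError if never opted in
    salt = secrets.token_bytes(16)
    p.salts[user] = salt
    p.vault_copies[user] = wrap(derive_personal_key(new_password, salt), vault_key)

def demo() -> dict:
    """Constructed scenario: alice opted in to recovery, bob did not."""
    p = Provider()
    alice_vault = secrets.token_bytes(32)
    bob_vault = secrets.token_bytes(32)
    recovery_key = secrets.token_bytes(32)  # lives only on the recovery account's client
    enroll(p, "alice", "correct horse", alice_vault)
    enroll(p, "bob", "battery staple", bob_vault)
    opt_in_recovery(p, "alice", "correct horse", recovery_key)

    # alice forgets her password; the recovery account re-wraps her vault key
    admin_reset(p, "alice", recovery_key, "new password")
    recovered = open_vault(p, "alice", "new password") == alice_vault

    # bob never opted in, so there is no copy anyone but bob can unwrap
    try:
        admin_reset(p, "bob", recovery_key, "anything")
        bob_recoverable = True
    except KeyError:
        bob_recoverable = False

    return {"recovered_opted_in": recovered, "regular_account_recoverable": bob_recoverable}

if __name__ == "__main__":
    print(demo())
```

The point moasda makes about trust still stands in this model: the provider holds no key, but it serves the client that derives one, and it could also replace `recovery_copies` with a copy wrapped under a key it controls if the client never verifies whose key it is wrapping for.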


👤 Daedren
Seems to be opt-in in Bitwarden and 1Password's case, and all seem to be focused on a group aspect (family/teams/enterprise).

It must be someone else in that group to recover your account, the company themselves can't recover your account for you.

I found that those linked articles explained it pretty well.