As an administrator - I should be able to reset user's password

Hello,

I think that as an Administrator, I should be able to reset the password of Passbolt users. Recently one user forgot their password, and despite having the recovery-kit we were unable to recover his password.

As a result, we had to remove his old account and create a new one. Luckily he didn’t store any private passwords there and all the other ones were shared to other users so it wasn’t a great loss, however I’m afraid that sooner or later a similar issue will occur and I’ll be unable to help the user.

Best regards,
MW

Hi @Mateusz,
What you are describing is the ESCROW functionality which will come this year.
Since this feature is very sensitive in terms of security we need to bulletproof it in our specifications.
Also, this feature has some dependencies before being developed (like multi-account on the browser extension, to ensure a good user experience).
We will for sure communicate here on the forum about the progress, since this is one of the most requested features.

For your issue, we advise our users to always share with a group in case someone forgets their privkey or passphrase, to reduce the risk of orphaned passwords.

Best,
Max

1 Like

Hi @max,
regardless of the ESCROW feature, I think it should be possible to generate a new private key without deleting the account, so group memberships and entitlements are preserved. This process could work like the invitation email that is sent upon account creation. So the client can generate a new key pair, upload the public key and the next time someone from the shared groups logs in, the passwords will be re-encrypted.
Or am I missing a major showstopper here?

Kind regards,
Martin

1 Like

Hi @hrw1

Without the escrow feature, the issue becomes one user being in possession of another user’s key, which goes against a basic principle of app security. The original post is about the admin taking action for another user. I think what you are describing is different, possibly this one: "As a logged in user I should be able to change my private/public key - #4 by passboltUser"

Hi @garrett,
that is also important indeed, but not what I meant. I was talking about reusing the onboarding process for existing users, like deleting and re-adding the user with the only difference that group memberships and entitlements are preserved.
I hope I described it better now.

@hrw1 Ah, I see what you mean, yes I was misunderstanding.

If I understand correctly you are describing cloning a user account in something like a refresh of the account with no passwords at the end of the process, but all the other settings are retained like group, etc.

This actually seems like something the pro version can handle with the LDAP feature where an org is handling group appointment outside of passbolt. Would you see it differently than this?

See: Account Recovery (Escrow) - Functional Specifications - Google Docs