Password change and recovery key

I am testing deployment for Passbolt for my small business. I currently have 2 users testing it and they like it quite a bit so far as they have to share passwords for certain accounts that do not allow multiple logins. They had not used any other password managers besides the browser.

One user changed her passphrase. And some changes I made in our Windows AD resulted in the Passbolt extensions uninstalling and reinstalling, requiring account recovery.

The user that changed passphrase could not recover her account with the new passphrase. However, after some time she found the original passphrase and could recover with that.

I am guessing if she exported the recovery key after passphrase change she would have been able to recover the account.

It might be good to put a bold large warning that the old recovery key will not work with a new passphrase and ask the user to download the new recovery key whenever they change their passphrase.

Another question is, can you recover the current account with any passphrase/recovery key combination? Or if they recover with their initial passphrase/key will that only restore the account to the state before they changed their passphrase and they would lose any changes made with the new passphrase?

That might be a good question? Any answers?!

There is a warning before the passphrase change, that says:

Before getting started...

The passphrase is stored on your device and never sent server side. Changing your passphrase will only change it locally. If you have multiple browsers configured, the passphrase will need to be changed in all places individually.

[ ] Ok, I understand what I need to do.

We can adjust it of course if you have suggestions.

Unlike other password managers, the passphrase is only used to encrypt the private key locally, it is not used remotely. So in practice from a server perspective, it doesn’t matter what the passphrase is, only the private key comes into play.

This is why when you change the passphrase you need to download a new version of the private key that you can use for the account recovery, so that you know it’s encrypted with the latest version of the passphrase.

Let me know if that doesn’t make sense.

Would that text be more clear?

The passphrase is used to protect your private key locally. The passphrase is stored on your device and never sent to the server. 

Changing your passphrase will only update it on your current device and browser profile. If you use Passbolt on multiple browsers or devices, you’ll need to update the passphrase in each one separately.

When you change your passphrase, a new backup of your key is automatically generated. This makes sure your backup file is always encrypted with your latest passphrase.

[✓] Ok, I understand what I need to do.

But I have to download it manually?

It’s downloaded automatically after you update the passphrase. There is then a message showing:

Your passphrase has been changed. Make sure you keep a backup of your secret key encrypted with this new passphrase. Keep this backup in a safe place, you will need it in case of emergency.

**Warning**: This recovery kit replaces the old one.

You will need this recovery kit later to access your account (for example on a new device).

Apologies, I thought I had email alerts set up for this thread but missed your replies.

Those warnings look good.

Unfortunately, some users no matter what will just not read the warning.

Am I correct that those users can still use their original key (that IT helped them save to a safe spot when setting up their account) and their original password to recover their entire account? Essentially the passbolt server does not care which key-password pair you use?