Disclaimer
- I do not work and have never worked for Bitwarden, and I do not have and have never had any inside information. I am a user of Bitwarden, and everything in this article is based on my own observations and on information provided by Bitwarden support.
- I do not think Bitwarden is a bad product, and I by no means want to suggest migrating off it or not onboarding. Look, mistakes happen. On the contrary, I've been using it for a couple of years, have found it good, and plan to keep paying for my subscription.
Goals
- Give other users facing the same problem a quick solution in StackOverflow/Reddit style.
- Learn from the error how to roll out changes without affecting users.
How to solve this
Missing items (logins, notes, cards) are the items in your organization(s) with no Collection(s) assigned.
To solve this:
- Log in to Bitwarden in a browser with your admin account.
- Open the Admin console. To do that, click the nine-dots/squares icon next to your profile picture in the top right corner and click "Admin console" in the popup that appears.
- In the left pane, choose the organization that contains the items you want to make visible.
- In the Filters section, click "All items". The table to the right of the Filters section now shows all your items, including the Collections each item is in. The missing items are the ones that are not in any collection, in other words the items whose Collections column is empty.
- Add the items to at least one collection. I did not find a good way to identify items that are not in any collection and add them in bulk, so the only obvious way I see is to click the three vertical dots on the item's row, choose Collections from the drop-down, and assign one or more Collections. Repeat for each item.
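As an added example (not the article's or Bitwarden's own code), here is a small Python helper that does the "identify items not in any collection" step from the list above against the JSON that the Bitwarden CLI prints, and emits one `bw edit item-collections` command per item so the fix can be scripted instead of clicked through; it also computes the "number of items in the unassigned collection" metric from the lessons further down. The CLI command names, the `organizationId`/`collectionIds` field names and the base64-encoded JSON argument format are assumptions taken from the Bitwarden CLI as I know it, and the sample vault data is constructed.

```python
"""Find organization items in no collection and script the fix.
Added example for this article, not Bitwarden's own code. Assumes the JSON shape of
`bw list items --organizationid <id>` (fields id, organizationId, collectionIds) and the
CLI form `bw edit item-collections <itemId> <base64 JSON array of collection ids>`."""
import base64
import json

# Constructed sample in the shape of `bw list items` output (only fields used here are
# kept; real output has many more). Item 3 is a personal-vault item; item 4 has a null
# collectionIds, which is treated like an empty list.
SAMPLE_ITEMS_JSON = """[
  {"id": "11111111-0000-0000-0000-000000000001", "organizationId": "org-family",
   "name": "GitHub", "collectionIds": []},
  {"id": "11111111-0000-0000-0000-000000000002", "organizationId": "org-family",
   "name": "Shared streaming", "collectionIds": ["coll-shared"]},
  {"id": "11111111-0000-0000-0000-000000000003", "organizationId": null,
   "name": "Personal bank", "collectionIds": []},
  {"id": "11111111-0000-0000-0000-000000000004", "organizationId": "org-family",
   "name": "Router admin", "collectionIds": null}
]"""

def load_items(text):
    """Parse the JSON array that `bw list items` prints."""
    return json.loads(text)

def unassigned_items(items, organization_id):
    """Items of the org in no collection (the ones the rollout hid); personal items are skipped."""
    return [it for it in items
            if it.get("organizationId") == organization_id and not it.get("collectionIds")]

def unassigned_count(items, organization_id):
    """The 'number of items in the unassigned collection' metric from the lessons section."""
    return len(unassigned_items(items, organization_id))

def encode_collection_ids(collection_ids):
    """Same transformation as `bw encode`: JSON text, then base64 (assumed CLI format)."""
    return base64.b64encode(json.dumps(collection_ids).encode()).decode()

def assignment_commands(items, organization_id, collection_id):
    """One `bw edit item-collections` command per unassigned item, to review and then run.
    It replaces the item's collection list, which is empty for these items, so nothing is lost."""
    encoded = encode_collection_ids([collection_id])
    return [f"bw edit item-collections {it['id']} {encoded}"
            for it in unassigned_items(items, organization_id)]

if __name__ == "__main__":
    sample = load_items(SAMPLE_ITEMS_JSON)
    print(f"unassigned in org-family: {unassigned_count(sample, 'org-family')}")
    print("\n".join(assignment_commands(sample, "org-family", "coll-uncategorized")))
```

To use it against a real vault, replace the constructed sample with the output of `bw list items --organizationid <your org id>` after `bw unlock`, create the target collection in the admin console first, and review the printed commands before running them.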
So, what happened, and what can I do to avoid making the same mistake
OMG I lost my passwords
Today I tried to log in to GitHub. I opened the site in a browser, clicked the Sign in button, and suddenly found that the Bitwarden shield icon of the Chrome extension had no number on it: Bitwarden did not have any entry for the site. Wait, it worked before, how come it isn't working now? Wait, what? The second factor for the site was stored in Bitwarden too; have I completely lost access to my GitHub? That must be some mistake. So I opened the Bitwarden app on my phone and found the login was not there either. I started checking other items in my vault. I still had some items, so it was not "everything" that was gone, but I also found that several other items that I had used recently, or was pretty sure had been there, were missing. I was also sure I had not deleted anything.
Ok, am I hacked then? Unlikely, as I use a YubiKey as a second factor, so someone would either have needed physical access to my device AND my YubiKey, or it would have had to be some sophisticated malware. But why would anyone delete some items from my vault and not the others? So I ruled that option out.
Ok, then what? I logged in to the Bitwarden website with my account and tried to search for the missing items there. The UI showed the same thing I had seen in my Chrome extension: no missing items. However, there I found the Trash folder, and it was empty. The Trash folder holds any items removed within the last 30 days, and some of the missing items had been in use just a few days ago, so even if they had been deleted they still had to be there.
Ok, it's time to ask for help. I sent an email to support. They asked me whether the items were in an organization, said this could be due to "flexible collections that we are currently in the process of rolling out", pointed me to the documentation, and suggested checking Collections and permissions.
I did that and found that the items had not gone (phew), but they were still not visible.
Terminology and sharing model
Bitwarden sharing is based on an Organization model. A person has an account with Bitwarden. Apart from the personal vault under the account, where a person keeps their personal items, a person's account can be added to multiple organizations: their company's org, an open-source project's contributors org, a family org, etc. Each of these organizations keeps items that belong to the org. However, not all users in the org should have access to all the items in the org, and they may also have different levels of access (edit, view, etc.). To control this, Bitwarden uses the "Collection" concept. A Collection is a union of three things, items, users and access, so it dictates which users have a specified level of access to which items.
So, what happened
In the past, the system allowed adding items to an organization without adding them to any collection. I don't know whether it was a bug or a feature, but it worked for me just fine, and I tended to drop most of my logins into my Family org, adding those I wanted to share with my family members to the corresponding collections and keeping the rest outside of any collection. It worked for me either because I had created those items or because I was an admin, but I could see them just fine until today. Today, Bitwarden rolled out the new model to my account/org, and all the items that had not been explicitly added to any collection landed in a virtual "unassigned" collection (my speculation; you cannot see it in the interface), and access to that virtual collection was revoked from everyone, including the admin. So, since my account had no permissions (not even view) on those items, they disappeared from the list on my devices.
Lessons we can learn
These lessons are not recommendations for Bitwarden developers, as Bitwarden may have obligations and restrictions that prevent applying them directly (for example around data collection). They are rather generic to any product and require taking product specifics into account.
- Observability, observability, observability. Without the right metrics, developers walk blind through minefields and deadly traps, surrounded by hungry predators. Having metrics is vital. In this particular case, metrics like "average number of items available to a user" or, more specific to the case, "number of items in the unassigned collection" would have allowed detecting the problem either before the rollout or at an early stage of it. We should be careful about what we collect, though; metrics can be sensitive. For example, can collecting these metrics be considered collecting user data? By some, sure, it will be. So we should collect the necessary metrics, but we need to be transparent about what is collected and why it's necessary.
- Know your system, but expect that users will not use it the way you expected. What is the behavior now, and what will it be after the change? Now, it allows using items that are not in collections; after the change, it will not. You expected users to put every item in an org into at least one collection, but does the system allow items to be in no collection at all? If so, what is the behavior? That's not what you put into the design in the first place, but if it is possible (the system allows it), people will do it, and you need to deal with it.
- Preserve the state of things. The state of the items that are not included in any collection is "they are visible and editable by an admin"; make sure that remains true after the change. All items have to be in an explicit collection? Fine, have the updater create an "uncategorized" collection, add the admin account to it with "view and edit" permission, and add all the items that are not in any collection to the new collection.
- Make sure the system allows doing only what it's supposed to, and that all places behave consistently. We have a new requirement: items cannot exist outside a collection. Change the tooling to prevent removing an item from all of its collections. The Chrome extension requires at least one collection to be chosen to move an item to an organization. However, the web UI in the admin interface allows admins to uncheck all the collections, and thus remove an item from every collection. Wait, this contradicts the Chrome extension logic.
- Create tooling. I have a few hundred items in my org. Some people have thousands. How are we supposed to move them into a collection? One by one? Your users will curse you; give them a tool.
- Communicate. Let users know that you've developed a new feature, or that you're going to make permission management more flexible. They will love to hear it. It requires some changes? They need to learn how to manage permissions in a new way? At least they will be ready and know what's going on, instead of finding out that the old way no longer works and having to learn the new way right when they need to make changes ASAP. Things may go wrong. That's fine. But we should not surprise users, especially in a bad way.