Shared vault best practices — access control, rotation, and the offboarding problem
What makes this confusing
Shared vaults solve the 'how do we all know the Netflix password' problem elegantly. They introduce a more subtle problem: once someone has retrieved a shared credential, they have the credential itself, not merely access to it through the vault. Removing a person from the shared vault stops them from retrieving the credential from the vault interface. It does not change the credential itself. If they memorised it, wrote it down, or saved it in a browser or another password manager before access was revoked, the revocation is partial at best.
Most shared vault guidance focuses on the access granting side: how to add members, how to set permissions, how to organise collections. Less attention goes to the access removal side, which is where the security complexity actually lives. For household shared vaults, this is usually a non-issue. For team shared vaults with contractor turnover, it is a genuine ongoing challenge.
The discipline that makes shared vaults actually secure is: rotate shared credentials when someone with access leaves. This is obvious in principle and consistently skipped in practice.
What people usually assume
The assumption 'removing someone from the vault is sufficient offboarding' conflates access control with credential control. Removing access from the vault prevents future retrieval. It doesn't address credentials already retrieved and potentially stored elsewhere. For administrative or financial accounts with significant consequences, rotation after any access removal is the complete offboarding action; vault removal alone is not.
A second assumption is that all shared credentials need the same access control model. Streaming service passwords are low-consequence: sharing broadly within a family or team creates minimal risk. Finance system credentials are high-consequence: restricting access to a small subset with explicit justification is appropriate. Using the same sharing model for all credential types creates either over-restriction or under-restriction.
A third assumption is that vault audit logs capture all relevant access events. Audit logs capture vault access — credential views and retrievals within the vault interface. They don't capture what happens after retrieval: whether the credential was copied, stored externally, or shared further. Audit logs are useful for compliance and incident investigation; they are not a substitute for rotation discipline.
What's actually true
The operational model for responsible shared vault management:
(1) Categorise shared credentials by consequence level: low (streaming, Wi-Fi), medium (shared work tools), high (administrative accounts, financial systems).
(2) Apply rotation triggers to medium and high: rotate on any access removal, on any suspected compromise, and on a scheduled basis for high-consequence credentials. Rotation means changing the credential at the service and then updating the vault entry; revoking vault access alone is not rotation.
(3) Use the minimum access principle: share credentials only with members who specifically need them, not with all members by default.
(4) Document which accounts are shared and who has access, so offboarding checklists are based on actual access rather than assumptions.
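The four steps above, and the point made earlier that vault removal does not take back a credential the leaver already retrieved, are easy to state and easy to skip. The following is an added example written for this guide, not code from Bitwarden, Keeper or any other vendor: a small planner that keeps the step 4 inventory as data and derives the offboarding checklist, the scheduled rotation list and an over-sharing check from it. The inventory, the member names, the 90-day rotation interval for high-consequence credentials and the function names are all assumptions constructed for the demonstration.

```python
"""Offboarding and rotation planner for a shared-vault inventory.

Added example for this guide, not vendor code. The inventory format, member
names and the 90-day rotation interval are assumptions for the demonstration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

LOW, MEDIUM, HIGH = "low", "medium", "high"

# Step 2: medium and high consequence credentials rotate on any access
# removal; high consequence credentials also rotate on a schedule (assumed 90 days).
ROTATE_ON_REMOVAL = {MEDIUM, HIGH}
SCHEDULED_ROTATION = {HIGH: timedelta(days=90)}


@dataclass
class SharedCredential:
    name: str
    collection: str          # vault collection or folder it lives in
    consequence: str         # LOW, MEDIUM or HIGH
    members: frozenset[str]  # who can currently retrieve it from the vault
    last_rotated: date       # when the credential itself was last changed


# Constructed sample inventory (step 4: document what is shared and with whom).
ROSTER = frozenset({"alice", "bob", "carol", "dave"})
TODAY = date(2026, 1, 15)
INVENTORY = [
    SharedCredential("Streaming account", "General", LOW, ROSTER, date(2024, 3, 1)),
    SharedCredential("Office Wi-Fi", "General", LOW, ROSTER, date(2025, 1, 10)),
    SharedCredential("Team CI token", "Engineering", MEDIUM,
                     frozenset({"alice", "bob", "carol"}), date(2025, 9, 1)),
    SharedCredential("Bank portal admin", "Finance", HIGH,
                     frozenset({"alice", "dave"}), date(2025, 6, 1)),
    SharedCredential("Cloud root account", "Finance", HIGH, ROSTER, date(2025, 12, 1)),
]


def offboarding_plan(inventory, departing):
    """Split a leaver's access into two lists: entries to revoke in the vault,
    and credentials that must also be changed at the service, because vault
    removal does not take back a secret the person already retrieved."""
    revoke = [c.name for c in inventory if departing in c.members]
    rotate = [c.name for c in inventory
              if departing in c.members and c.consequence in ROTATE_ON_REMOVAL]
    return {"revoke": sorted(revoke), "rotate": sorted(rotate)}


def scheduled_rotation_due(inventory, today):
    """Credentials whose scheduled rotation interval has elapsed."""
    due = []
    for c in inventory:
        interval = SCHEDULED_ROTATION.get(c.consequence)
        if interval is not None and today - c.last_rotated >= interval:
            due.append(c.name)
    return sorted(due)


def overexposed(inventory, roster):
    """Step 3 check: a medium or high consequence credential shared with the
    whole roster was almost certainly shared by default rather than by need."""
    return sorted(c.name for c in inventory
                  if c.consequence != LOW and roster <= c.members)


def apply_offboarding(inventory, departing, today):
    """Return a new inventory with the leaver removed and rotated credentials
    stamped with today's date, so the next review starts from real state."""
    plan = offboarding_plan(inventory, departing)
    updated = []
    for c in inventory:
        members = c.members - {departing}
        rotated = today if c.name in plan["rotate"] else c.last_rotated
        updated.append(SharedCredential(c.name, c.collection, c.consequence,
                                        members, rotated))
    return updated


if __name__ == "__main__":
    plan = offboarding_plan(INVENTORY, "carol")
    print("revoke in vault:", plan["revoke"])
    print("rotate at the service:", plan["rotate"])
    print("scheduled rotation due:", scheduled_rotation_due(INVENTORY, TODAY))
    print("shared with everyone:", overexposed(INVENTORY, ROSTER))
```

Running it for a departing "carol" yields four vault entries to revoke but only two to rotate: the low-consequence streaming and Wi-Fi entries are revoked only, while the CI token and the cloud root account must be changed at the service. The same inventory also reports that the bank portal credential is overdue for scheduled rotation, and that the cloud root account is shared with the entire roster, which is the step 3 violation to fix before the next leaver makes it a rotation event.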
Bitwarden's collection structure allows fine-grained access: different vault collections can have different member lists and permission levels. A 'Finance' collection with restricted membership and a 'General' collection with all members reflects the consequence-differentiated approach. Keeper's folder and record-level permissions support the same model.
One-time sharing (Keeper's One-Time Share and Bitwarden Send) is appropriate for temporary credential access: sharing a credential with a contractor who needs it for a specific project, with an expiry after project completion. This avoids adding the contractor to the shared vault and so avoids the vault-removal step of offboarding. It does not avoid the rotation step: the recipient still received the credential itself, so for medium- and high-consequence accounts the credential should be rotated when the engagement ends, exactly as it would be for a departing vault member.
Where this leads
If granular per-collection permissions are important: Bitwarden's collection system and role hierarchy (Owner, Admin, Manager, User) support a layered access model within a single organisation vault. See: Bitwarden collections and permissions model
If temporary external credential sharing (contractors, family members who won't install the app) is common: Keeper One-Time Share and Bitwarden Send both handle this without adding external parties to the shared vault. See: Secure password sharing without adding vault members
Limits of this guide
Shared vault best practices address the organisational and process layer. Technical access controls are effective only when accompanied by consistent process: rotation discipline, access reviews, and offboarding checklists. Vault management without process produces a false sense of security from having access controls that aren't actively maintained.
© 2026 Softplorer