How to share password without revealing password?

ybc
ybc
Community Member

I don't think it's ok to share password by revealing them to people. This allows them to change passwords, or even email accounts tied to services.

Lastpass offers a "passwordless" sign in to mitigate this problem. It isn't a perfect solution, but at least better than (one-click-away)-plain text password sharing...

Please let me know what I'm supposed to do :)

Thanks


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided

Comments

  • Hello @ybc! 👋

    If you're using 1Password Business then you can control whether your recipient is able to view a password by using the View and Copy Passwords permission. You can read more here:

    However, you should consider this feature to be a deterrent but not a guarantee that the people that you share the password with won't be able to ever view the password. Our permissions only apply to the 1Password apps and not to other apps like the browser. If they use 1Password in the browser to fill the password into a website then they could use a tool like Chrome's Developer Tools to view the filled password on the webpage. You can read more about the limitations of this permission here: How vault permissions are enforced in 1Password accounts

    I believe that the same limitations will apply to other password manager's implementation of this "hide password" feature as well.

    If you're using an individual account or 1Password Families then, at the time of writing, the View and Copy Passwords permission is not available for those accounts.

    -Dave

  • ybc
    ybc
    Community Member

    Hello @Dave_1P ,

    You're right, I was talking from a family account experience. I was looking into moving to a business account, in parallel to my family account. I assumed both would function the same, way, 100% my bad.

    By the way: what happens If I'm both in a family and business account? will both vaults appear in the same place for me?

    (To add to the limitations you provided, I just found out that changing 'password' to 'text' in the page's code, provides the password in clear :/)

    From a security point of view : there is no known way of sharing accounts in a business that doesn't imply (1) an implementation of multi-users from within the service/app I need to share or (2) actually sharing the passwords (with all the limitation you explained)?

    My issue is that I have plenty of trainees going through, I can't set up and revoke access from all the apps we use for each one of them.

    I'm thinking about these possibilities, but all have limitations:
    1/ changing all apps' passwords weekly (to limit sharing outside the organisation) : as costful in time as managing access within apps, without proper protection.
    2/ setting up computers with all apps' logins, giving them access through a VPN: they can still access passwords if they are determined to do so.

    Is there any other way?

    Thank you for your time

    Yves

  • @ybc

    Thanks for the reply. You should only share a password with someone that you trust to have that password. Otherwise it's best not to share it at all, even with View and Copy Passwords turned off. As our guide to vault permissions says:

    "A team member who is determined can easily overcome client-enforced permissions on their own device, so they’re most valuable as simple safeguards for people you already trust. A team member has to act deliberately and intentionally to violate these restrictions. These permissions shouldn’t be relied on to prevent hostile behaviour or enforce trust."

    It sounds like you're giving your trainees limited access to a lot of different apps/tools. A lot of business use a centralized identity and access management platform, such as Okta, to avoid having to assign, share, and manage passwords. That would likely be the best option but it would require work and support from all of the different apps and services that you use. You can find 1Password's guide to Okta here if you're interested: Configure Unlock 1Password with Okta

    Alternatively, I know that some businesses only allow access to their tools within a specialized environment that they control completely. For example, you could lock down the browser so that developer tools can't be used. You could setup this kind of locked down environment and then enforce that your trainees use a VPN to access the environment if they work remotely.

    These suggestions, and how to implement them, are outside of the scope of 1Password support but I hope that they help. 🙂

    -Dave

  • ybc
    ybc
    Community Member

    @Dave_1P
    great answer, thank you for this

  • I'm happy to help. 🙂

    -Dave