Copy Passwords for Members
In the shared folder, I set it up so the Team Member can only Read/View History and Write/Create New. I didn't want the members to see the passwords, but I wanted them to be able to copy it (like they can do for the website and user name). BUT, it doesn't work - there is no copy button like I see for mine as the Admin. So I had to check "Reveal Passwords" so that they can copy, but I'd rather they didn't see them. Any suggestions?
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
Hi @salklein,
Thanks for taking the time to write in. I'm sorry to be the bearer of bad news, but even if someone has only read access to passwords, and even if they don't have the "reveal passwords" permission, they'll be able to view the passwords if they're determined.
Not reveal, but copy?
So lets say that we gave folks the ability to copy passwords even when they don't have the ability to reveal them. What prevents them from pasting this password into a non-password field (or a text editor like Notepad or TextEdit)?
No "reveal passwords" permissions -- even without copy: still able to get passwords
So even if we lock down the ability to reveal the passwords in the password manager (I'm talking about any password manager at this point, not just 1Password), and don't give them the ability to copy them to the clipboard, they can still get them. How? A user may still obtain the password by examining a web page using the developers’ tools for their web browser. This permission may be used to prevent accidental disclosure and may help reduce the risk of ”shoulder surfing” and other social engineering attacks. It will not stop anyone who has any determination.
The "reveal passwords" permission should not be used in place of good termination policies/procedures (e.x. changing any credentials an exiting employee had access to). And again, this is regardless of what password manager you choose.
I hope that helps!
Ben
0 -
It helps a lot...but my question/suggestion is still the same. If the "reveal password" is not checked, how does the team member open the website if they can't copy the password?
Here are my thoughts on this:
I am computer savvy....but not tech savvy. So even though I could find out the password if I was a team member, I wouldn't know how on my own and could care less to find out. As long as I can copy and paste it, I'm good. But most of our team members are NOT tech savvy and some of them hardly know how to use the computer. I would still like not to reveal the passwords, if possible, for their own security. I find that those that don't like using the computer, don't care much about security. So even though I will ask them to keep these secure and not write them down, they may for convenience.
So again, why doesn't (or can you all change it in the future?) the "copy" button show up when the "reveal" button is blocked?
Thanks for your patience,
Sally0 -
@salklein Glad to hear Ben's reply helped! That's a good question too. The only way to use the password without the reveal permission is to fill it directly in a browser. So they could use the iOS extension or our desktop extensions to fill things directly and never interact or see the actual password. Now, if the website they're using has a "show password" option, that will change things a bit. And of course please do keep in mind what Ben said before — it's still possible to get the password even if you just directly fill it into the website.
All that being said, this is a very good point:
So again, why doesn't (or can you all change it in the future?) the "copy" button show up when the "reveal" button is blocked?
I can see how it'd be confusing when it says "reveal" actually means "reveal or copy". There's not a restriction on using the password, just seeing it. Since copying something to your clipboard would be a very easy way for you to see it, we covered that under the Reveal Passwords permission since it makes sense from a logical standpoint. Still, we can improve things. I'll forward your feedback to our development team and we'll look into making this better. Thanks so much for discussing things. :)
ref: B5-557
0
