Share password without showing password
Is it possible to share a password with another user, keeping the password hidden? Similar to an existing feature on LastPass.com
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
Hi @andrefabricio,
Thanks for taking the time to contact us.
We have added that feature to 1Password for Teams.
However, do keep in mind that it only protects against casual or accidental password viewing/copying. Someone who is even slightly determined can simply edit the source on a page (or use a bookmarklet or extension to do it automatically) to change all the password fields on a page to plain text fields. You can see a bunch of extensions to do this with a simple Google search:
https://www.google.com/search?q=reveal+password+extension
This is true for any solution — not just 1Password. If someone can use a password to log in somewhere, they can view that password (and likely change it and lock you out as well).
An example story from our 1Password for Teams Security Design white paper (page 33):
The administrators have come to be wary of how the dog Patty (see Story 6 for background) treats data. They want Patty to have access to the password for the dog door (they want her to be able to leave and enter as she pleases), but they do not want Patty to give that password to any of her friends should her paws accidentally press the ”reveal” button.
And so, the administrators limit Patty’s ability to reveal the password. She can fill it into the website that controls the dog door (she lives in a somewhat unusual household), but she cannot accidentally press 1Password’s “reveal” button while her friends are watching. This is protected by client policy.
But Patty is a clever dog. When she uses 1Password to fill in the website, she then uses her browser’s debugging tools to inspect what 1Password has inserted. She gets the password, and she tells it to all of her friends so they may come and visit.
The house is overrun with Patty’s friends running wild, and the administrators have learned an important lesson that client policy controls are easily evaded.
If we can be of further assistance, please let us know. We are always here to help.
Cheers!
0 -
Hi @Jim A Syler,
Good question! It's a bit confusing because we're using the word "share" in two very different ways here:
In 1Password for Teams, when we say something is 'shared' with someone else, we're talking about permissions and access. For example, you can create a new vault in 1Password for Teams and choose who has access to that vault - when you give someone access to it, you're sharing a vault (and the items it contains) with them. You can set permissions for each user who has access to that vault - those permissions determine what a user is allowed to in that vault. The permission that Khad and the OP discussed above was whether or not a user can reveal a password field in an item in a vault (i.e. change it from black dots to plain text).
On the other hand, when you 'share' an item from your vault with someone else via email, text message, etc, you are really just sending them a copy of that item. Unless you choose to send it in plain text, it is sent in an obfuscated format that can be imported into 1Password when that person clicks on the link. Once imported, it works the same way for that person as it does for you - that person can reveal the password field if they choose to do so. There are no permissions involved here - you're simply sending them an exact duplicate of your item.
I hope that helps to clear up the confusion! If you have more questions about that or anything else, you know where to find us. ;)
0 -
@Jim A Syler This is a long-time pending issue. Don't be fooled by 1P sharing feature since it's not secure at all, as @Drew_AG points out. There has been some discussion about it (see this thread from 2014) but nothing has changed since then I think. Quoting @jpgoldberg from the same thread, it's a "temporary measure" which became "permanent". An ugly one in my opinion, because if you're not familiar with cryptography you could think you're securely sharing an item while in fact this is nothing better than sending it in plain text.
Regards
0 -
Thanks @juanii! :) Unless I misunderstood, I think @Jim A Syler's question was about whether or not the recipient can see the password in an item once they receive it via text or email and import it into 1Password (the answer: they can). But you do bring up a good point which is worth repeating: when you share an item (via text, email, etc), it is sent in an obfuscated format which, although not human-readable, is not encrypted, and can be imported by anyone with a copy of 1Password. That's why we strongly recommend using a secure channel to do that, as explained here: How do I share an item with another 1Password user?
0
