Standard team plan - can passwords be hidden from your teammates?

holacat
Community Member
edited October 2017 in Business and Teams

Hi there, I was wondering if you would be able to hide the passwords from your teammates what are you subscribe to the standard team plan? Thanks!

Comments

  • Lars
    1Password Alumni

    Hi @holacat -- thanks for the question, but I'm not sure what you're asking us. From whom do you want to be able to hide passwords? And in which vault(s)?

  • holacat
    Community Member

    Sorry about the typo! I was wondering under the standard team plan, would you be able to hide passwords from your teammates or is that a feature that only comes with the pro plan? Thanks!

  • Lars
    1Password Alumni
    edited October 2017

    @holacat - no worries! I just wasn't quite certain what you meant. Removing users' ability to reveal passwords (keeping them concealed) is indeed part of the Pro plan in 1Password Teams.

    Having said that, a few words about concealing and revealing passwords. Within the context of our own code, we can do things like have the server tell each individual client not to allow their user to reveal passwords, and the individual 1Password clients will respect that because we control both ends of the code. However, it's basically impossible in general to both share an item with someone and simultaneously NOT share it with them.

    What I mean here is that even with the Pro plan, although we can enforce your wishes to conceal resource passwords from specific users, if you're sharing a resource with that user (i.e. - they can use the username (or email) and password combo to log into a site), then if they really want to, they'll be able to reveal that password, even if you as an admin make it so they can't do so within 1Password itself.

    How? Rather easily: if Teammate X has access to Login Y, but you've removed their ability to see the password, they can just copy it out of 1Password and paste it into Login Y's password field (where it will still be an obfuscated set of dots or asterisks), and then use a small browser-based JavaScript tool to reveal the pasted password within the browser. Such tools are trivial, free, and available everywhere on the web. Here's one you can use to verify this for yourself.

    Because this revealing of the password happens entirely within the user's browser, not only can 1Password not prevent this from happening (we can't control what users do in the browser), we would not even know it had happened. So, while using the permissions control available in the Pro plan to prevent revealing passwords can be helpful for casual situations like shoulder-surfing in coffee shops or other public spaces, it's not in any way an ability to prevent users from knowing a password that you allowed them access to. Put more simply: if you share something with someone, it's shared. Just some food for thought.

This discussion has been closed.