Add "Hide Passwords" option to collection permissions

I know it’s a facade, but so is, for example, most database security on LOB apps. Usually the db pass is 2-way encrypted in some configuration file, and with a little bit of knowledge someone may disassemble the app and find out the decryption algorithm. But it’s good enough for most people. I want to switch my company from LastPass in January, and so far Bitwarden was my top contender, but the lack of this option is a dealbreaker for me as well :(

1 Like

RE: The original post by kspearrin: “Obviously the password could easily be inspected with developer tools…”

FWIW, in our environment, we restrict developer tools via group policy, so that may be an option for some.

I came here to make a similar suggestion, but for personal use. I hadn’t considered the developer tools vulnerability, but it’s true that most people wouldn’t know how to do this.

I recently converted to Bitwarden from using Chrome as my password manager (I know, I know), and I did appreciate that the passwords reveal feature required your macOS credentials.

If Bitwarden had the OPTION to require your OS credentials (or Bitwarden PIN) to reveal and copy passwords to clipboard, I would be comfortable setting a very high auto-lock timeout (e.g. OS restart, never) on my personal devices. This would lead to a notably more efficient experience.

Obviously, there are some vulnerabilities to this, but I’d be comfortable with this trade-off on my personal device. If this were implemented as an optional item, perhaps a warning could be associated that explains the risks and appropriate use cases.

While I can totally understand the reticence to approaching this feature — I had the same concerns regarding the issue of it creating a false sense of security — I think there is still a lot of value to this feature.

My recommendation is to simply add a big old pop-up warning box making it clear that this feature is only meant to prevent copying and visually inspecting a password. It is designed as an enterprise permission feature and is not suitable as a security feature.

It definitely seems this feature request is carrying some momentum! It’s on our roadmap, but please keep voting and providing any usability recommendations as well.

2 Likes

Many of the reasons to not allow copying/seeing passwords are trivial to get around. Any modern browser will just allow you to save the password anyway, then they could see/copy the password. The main benefit I see is not being able to copy the password helps enforce best practice of letting the tool fill in because the clipboard is open for almost any application to view at any time. Even applications that can sniff key-presses won’t be able to see the password.

Apparently this feature is going to be added in the next few weeks depending on demand. Preventing casual copying or writing of passwords is essential in a company environment where passwords are being shared. We will also use a Windows Group Policy to remove the native browser password manager so Bitwarden will be the only option.

1 Like

As you all can probably tell from the subtle banner - the server portion of this is going live this Friday night. We’ll ship the clients out in the following days.

1 Like

This feature is officially released on the Web vault :)

https://bitwarden.com/help/article/user-types-access-control/

2 Likes