Hide password field from shared users

I was evaluating Bitwarden with a trial to see if it’s right for our company. I discovered users can EASILY view real password by simply changing one word in browser inspector. How do you fix this? Just remove the whole field from recipients view. There’s no reason they need to see a fake hidden password. Just remove the field entirely and problem solved. I would love to buy bitwarden, but this is a clear dealbreaker. We can’t afford to lose our lifetime apps to disgruntled employees. We may as well just use a spreadsheet if we are revealing passwords anyway.

Hi @Proxy, thanks for the feedback. Currently this is expected behavior and outlined in the User Types & Access Control Help Center article. Even if we hid the field, a user could still copy the field after it has been auto-filled into a website since it has then moved outside of the Bitwarden environment. I think this would be the case regardless of which password manager is chosen.

Prevents users from seeing or copying all passwords, TOTP seeds, or Hidden custom fields. Users with Hide Passwords active may only use items in the Collection via Auto-Fill.

Hide Passwords prevents easy copy-and-paste of hidden items, however it does not completely prevent user access to this information. Treat hidden passwords as you would any shared credential.

Let me get this straight. Because a user might still find a way to reveal the password, you decided to make it easier for them by just handing them the password field and code to reveal it? Why not just show the real password altogether and stop bothering with the dots? It’s so easy to find the password.

What good is all your security if it can be breached by changing one word? Showing the password field to the recipient is purely for decoration. It has no practical purpose.

Heylogin doesn’t have a password field. They still haven’t figured out how to prevent browsers from storing passwords, but they at least got rid of the password field. It seems like all password apps have irrational attachments to security flaws.

Hey @Proxy, the purpose of the Hide Passwords toggle is to reduce the ability for users to see or copy passwords, TOTP seeds, or Hidden custom fields within the Bitwarden environment, instead ensuring an auto-fill experience.

Regardless of the password manager, once a credential is pasted into a web form and outside of the Bitwarden ecosystem, a user can then manipulate the data, so removing the field from Bitwarden wouldn’t provide any additional protection and is why the following warning is included:

Hide Passwords prevents easy copy-and-paste of hidden items, however it does not completely prevent user access to this information. Treat hidden passwords as you would any shared credential.

If HeyLogin hasn’t figured out how to stop browsers from storing passwords, then it is just pasting in the password like Bitwarden does. No security benefit there.

And if HeyLogin is just hiding the password from the user, that doesn’t improve security whatsoever if they still have access to it. That was actually the argument you made above! Honestly, I don’t understand your logic here at all.

Besides, most users want to be able to see their personal passwords, which is why Bitwarden allows it. The obscuring dots are just there to prevent other people from eavesdropping on your screen. It makes perfect sense for most users to be able to reveal their passwords when they want to see them. They do call these apps PASSWORD managers, after all. I suspect you are looking for something entirely different.


Allowing browsers to store passwords = bad
Giving recipients access to password field needlessly = also bad

My logic is pretty sound when you think about it. What is illogical, however, is showing recipients an obscured password field when they literally have no good reason to view it. It’s an unnecessary security risk.

Why are you people so irrationally dedicated to your decorative password field? You’ve made a pretty good case that your app is not secure. So, thank you for talking a potential customer out of a sale. But, what I can’t understand is why you want to keep this field so badly?

You’re essentially saying, “Well, a burglar might smash a window, so we may as well leave the keys in the door.” :man_facepalming:

@Proxy it’s much easier to just auto-fill the password and then copy the field, than it is to inspect/modify the web code, so I don’t really follow this narrative.

@dwbit Bitwarden doesn’t have auto-login? Auto-login would prevent users from copying from the text field on outside sites.

Hello @Proxy

I believe the main issue here is in how the underlying technology works.
I had never heard of HeyLogin prior to today but giving their website a quick overview it seems like a solid product with a dedicated and passionate developer behind it.
I believe the majority of security conscious individuals would agree that any form of password management software that aids in keeping good password hygiene is invaluable, regardless of the product.

Overall though, it seems that the underlying mechanics of how HeyLogin works differ from Bitwarden, and it acts more as an SSO provider rather than a simple password manager.

Bitwarden does offer auto-fill capabilities, but cannot auto login to a website. Even HeyLogin requires some form of user interaction to “complete” the login process on a page.

Another thing you may do within the Bitwarden system would be to set certain logins with Hide Passwords* which would prevent users from easily viewing the password field, but can still be extracted by the means explained previously such as with Inspect Element in the browser.

The big reveal - Hidden Passwords! | Bitwarden Blog.


It seems more like you’re wanting SSO from what you’ve been describing. Bitwarden offers SSO, but if you’re needing dedicated SSO, Okta might be more what you’re wanting. But yes, no matter what you do, if a password is exposed to an end-user’s device, it will also be visible in some way, no Password Manager can avoid that. Even if you attempt to disable the context menu from right-clicking the field (which LastPass does), all someone has to do is just view the source using the option from the normal browser menu, or the dedicated hot-key for that browser and the source will pop open in a new window/tab with the password visible.


I did find it strange Bitwarden is not auto-logging into sites for me. I’ve yet to successfully log in with Bitwarden to anything during my test.

All other password apps that I have tried have auto-login without the need for further user interaction. But, they do all have other problems. Here’s a list:

  • Lastpass Family Plan (shows the actual password to recipient)
  • Passwordboss (has the Bing virus)
  • Heylogin (Safari stores passwords, Require intrusive browser extension)
  • Keeper (shows the actual password to recipient)
  • Passcamp (shows the actual password to recipient)

The only reason I want a password app is to allow team members access to apps without them being able to view passwords. Is this simply impossible? Bitwarden came close, but the obscured password field is on display needlessly, and now I am learning you have to copy and paste real passwords to log in? Not good.

I’ll check out Okta, but it’s looking like we may just need to use a spreadsheet and manually change all our passwords whenever the team changes.

Hey @Proxy, I definitely wouldn’t recommend storing your passwords in a spreadsheet, which exponentially increases your threat surface.

@dwbit The only reason I need a password app is to hide real passwords from recipients. If no app does this, a spreadsheet will provide the same security for free. :man_shrugging: