My feature request was closed without fully reading it.
It was assumed I was referring to “hide passwords” and I was not.
I know you already have “hide passwords” and “read only”. That is not what I asked for.
I would like a 3rd option, that allows an admin to hide the passwords AND allow copy/paste.
You “hide passwords” does not currently allow copy/paste and auto-fill is not good enough when the
password is not URL based.
I do not want to give visible passwords to my team, but they still need to be able to use them,
and currently they cannot unless it is URL based and the URL is actually on the item as well.
There are many other times that passwords are not URL based, so your auto-fill extension won’t work.
This would give an admin a 3rd option that would work for those cases.
If they can copy/paste the hidden password, what is to stop them from pasting the password into a text editor, which would allow them to view the password in plain text?
Just as @grb said, this will not grant you any security.
There is no such thing as “some security”.
Your only option is to hope for auto-type (it seems your use-case are desktop apps?) and hope the implementation limits the output window to the window you wanted.
But… even if this is the case, there are easy tools like WinSpy etc. or the developer tools in browsers.
You better get a team you trust in and change passwords regularly.
To be honest, that is your only option.
I hoped I could recommend the usage of a TOTP as it was harder to leak, but I just tested it and it is just as easy as changing the input’s (field’s) type from “password” to “text”. Same goes for the password field.
The real request should be to not populate these fields if they are readonly/hidden.
Even the auto-fill option of the chrome extension doesn’t stop someone from stealing a password. The browser still allows someone to “remember password” which then allows them to look at what that password is from the chrome settings.
It would be no different than this. Keeping honest people honest.
If someone really wants to find out what the password is, they will find a way.
