Working on password security for our team, I found that even when I share a password with "Read Only" permission, the end user (with whom the read-only access to the password is shared) is still able to see the password when Bitwarden pastes it into a website that has a "show password" button in the password field.
Is there any solution for it? And how can we avoid it?
Unfortunately Bitwarden, and similarly other password managers, can only control access within their own programming.
Once credentials are auto-filled, or otherwise entered into a form via a password manager, that data is effectively out of the control of the password manager at that point. As described in User Types and Access Control | Bitwarden Help Center:
"Hide Passwords prevents easy copy-and-paste of hidden items, however it does not completely prevent user access to this information. Treat hidden passwords as you would any shared credential."
Essentially any technically savvy enough individual could fairly easily gain access to these credentials once inserted by the password manager, e.g. with the use of f5 debug, or others.
Hence why it is preferred to have individual accounts where possible. For those instances where sharing of accounts is needed, it should only be done with individuals in whom you have some level of trust, and with processes in place to rotate shared credentials, i.e. in the event an employee who had access to these shared credentials leaves the business, any items they had access to should be changed.
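The rotation process described above needs an answer to "which shared items could this person have exposed?", and, per the quoted help-center note, a hidden password counts the same as a visible one. The following is an added example, not Bitwarden's code or API: it models a vault as items living in collections, collections granting access to users or groups, and groups containing users (all of the names and data are constructed for the example), and lists every item to rotate when a user is offboarded, with the path by which they reached it.

```python
"""Offboarding helper: list shared credentials a departing user could have exposed.

Added example with constructed data; it does not call the Bitwarden API.
Model (an assumption, chosen to mirror collections/groups in a team vault):
  GROUPS:      group name  -> set of member user names
  COLLECTIONS: collection  -> list of Grant(principal, hide_passwords)
  ITEMS:       each item belongs to one or more collections
Per the help-center note, hide_passwords is deliberately NOT treated as a
reason to skip rotation: hidden items are rotated like any other.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    principal: str            # a user name or a group name
    hide_passwords: bool = False


@dataclass(frozen=True)
class Item:
    name: str
    collections: frozenset    # ids of the collections the item is in


# ---- constructed sample data (not real accounts) ----
GROUPS = {"helpdesk": {"alice", "bob"}, "finance": {"carol"}}
COLLECTIONS = {
    "it-shared": [Grant("helpdesk", hide_passwords=True), Grant("dave")],
    "vendors":   [Grant("finance"), Grant("alice", hide_passwords=True)],
    "execs":     [Grant("carol")],
}
ITEMS = [
    Item("router-admin", frozenset({"it-shared"})),
    Item("payroll-portal", frozenset({"vendors"})),
    Item("vendor-ftp", frozenset({"vendors", "it-shared"})),
    Item("board-deck-archive", frozenset({"execs"})),
]


def principals_for(user, groups):
    """The user themself plus every group they belong to."""
    return {user} | {g for g, members in groups.items() if user in members}


def rotation_report(user, items=ITEMS, collections=COLLECTIONS, groups=GROUPS):
    """Map item name -> sorted list of access paths ('collection via principal').

    An item appears if ANY grant on ANY of its collections reaches the user,
    directly or through a group. hide_passwords is recorded in the path for
    the auditor's benefit but never excludes an item.
    """
    reach = principals_for(user, groups)
    report = {}
    for item in items:
        paths = []
        for cid in sorted(item.collections):
            for grant in collections.get(cid, []):
                if grant.principal in reach:
                    tag = " (hidden)" if grant.hide_passwords else ""
                    paths.append(f"{cid} via {grant.principal}{tag}")
        if paths:
            report[item.name] = sorted(paths)
    return report


def items_to_rotate(user, **kw):
    """Just the sorted item names; convenient for a rotation ticket."""
    return sorted(rotation_report(user, **kw))


if __name__ == "__main__":
    for who in ("alice", "dave", "erin"):
        print(f"offboarding {who}: rotate {items_to_rotate(who)}")
        for name, paths in rotation_report(who).items():
            print(f"  {name}: {'; '.join(paths)}")
```

Running it for `alice` reports the router and both vendor items: she reaches `it-shared` through the `helpdesk` group and `vendors` directly, and the "(hidden)" tags show that the Hide Passwords setting on those grants does not remove them from the list. A user with no grants (`erin`) yields an empty report, which is the result you want before closing the offboarding ticket.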
This may be possible to do at the browser level with an IT-managed browser.
I did some quick digging and found this article which may assist.