Security fallacy when sharing passwords?!??️🤔

emanueleinnocenzi

Hello,

I have noticed that when sharing apassword with an employee, when they go and click on launch and the target website gets launched on its login page, the the password gets autofilled with the classic black dots (•••••), so theoretically the employee cannot see it, but basically every website has the "show" option in the password field, that basically removes the black dots and shows the actual password.

I tested this with an employee and he was basically able to see my password after it got autofilled by the LastPass extension just by clicking on "show".

Is it normal for this to happen when using LastPass?

Doesn't this defeat the whole purpose of using LastPass to share passwords? I thought the point was that my employees can login to my accounts without knowing my passwords?

I believe I must be missing something here, hope somebody can enlighten me,

Thanks a lot!

Henry Eduardo Ortiz (3P)

Hello @enso1,

My name is Henry and I am happy to assist with your inquiry, and appreciate you contacting LastPass Support!

I am sorry about the issues you are having with the shared passwords. The hidden password will work while the password is within LastPass and it will not allow the user to copy the password either. Unfortunately, the view password option from websites does not depend on LastPass and therefore can't be disabled from our side. If the computers of your users are all managed by your company, there are methods to disable this option completely on the browsers.

As stated on our support article about password sharing:

When you share an item,regardless of whether or not you enable theAllow Recipient to View Passwordoption, you should be aware of the following:

• Savvy end users could potentially access the password if they capture it using advanced techniques, butLastPasswill never be able to access this data because it has been encrypted using their public key.
• It is also possible to obtain shared passwords using another password manager.

We recommend that you generate a secure password for the site that you’re sharing in order to avoid sharing any passwords that you’re uncomfortable with the recipient obtaining.

Please let me know if further assistance is required.

Thank you,
Henry | Customer Care