Passbolt, Sharing, and Security

Hello, this is my first day with Passbolt and I would like to limit my expectations. Let me know if this is a correct statement and understanding.

  1. Passbolt only manages passwords, not protecting them, as people can see the password via the browser's reveal password feature
  2. Current Passbolt CE does not have an autofill feature

Do I get this correctly?

1 Like

Hello,

Passbolt only manages passwords, not protecting them, as people can see the password via the browser's reveal password feature

Passbolt assumes that if somebody can use a password then they should also be allowed to see it. While some solutions create a distinction by “visually hiding” it from the user, we didn’t go down that route as it gives a false sense of security: it’s possible with little technical knowledge to view it anyway once it’s inserted in a page, for example by changing the input type from password to text on the page (or by inspecting the content of the HTTP request using the browser console).

Current Passbolt CE does not have an autofill feature

Passbolt CE does have an autofill feature. However, it requires manual input (you click on the password icon, click on a suggestion, click on “use on this page”), so it’s not 100% “auto-filling”. The reason behind this is to ensure the user has full control of where and when a password is entered in a page, to reduce the security risks associated with password entry.

I hope this helps,

1 Like

You can find more information about passbolt security in the whitepaper here:

@remy thanks for the explanation, but I’m wondering, wouldn’t it still be better if PassBolt could hide passwords from 99% of users and give a warning message to the person sharing the password, letting them choose whether they want to take the risk or not? I used one of the most popular solutions similar to PassBolt and users are able to share login access without sharing the password values.

@benjamo yes, it would be possible to limit the visibility by removing functionality in the UI, but it will not be an actual guarantee that the user cannot view it. Other password managers generally implement the feature because people ask for it, not because of its actual security merit. They don’t make it clear that you’re not actually preventing people from viewing it, you’re just making it a little bit harder.

In the future we may support this, as it is often requested, but in my opinion it gives a false sense of security and I’d rather prioritize work on real security improvements 🙂

There are other types of solutions (think expensive enterprise software) out there that really do provide a solution for this, but it involves having a 3rd-party agent (proxy) replace/decrypt the password in transit, which leads to a very different security model (e.g. not an end-to-end encryption model). It might be better to consider using something like this instead, if this goal is important for you.

1 Like

@remy I understand and agree with your logic and that it may give a false sense of security. At the same time, from my observation, there have always been and always will be flaws in security in the cybersecurity industry in general and in PassBolt in particular. There are mainly two approaches, as I see it:

  1. Make it as hard as possible for the hacker to compromise the security of the users
  2. Hand passwords to all users on a silver platter when we know a hacker could obtain the password

It seems as though PassBolt is taking the first approach as it relates to all other features and aspects of the app and that you’re advocating for the 2nd option in this particular case only (or maybe not only here). I do agree that it may give a false sense of security but:

  • A warning message should solve this concern
  • It will still hide passwords from all users who aren’t hackers
  • It will still make it harder (even by a little bit) for hackers to obtain the passwords

Overall, I see more reasons to add the feature than to hand the passwords on a silver platter to anyone the login access is shared with. I also see an opportunity for PassBolt to increase its potential audience from the current user base that is using PassBolt to simply store their own passwords and share passwords with a very limited circle of trusted individuals, to an additional potential audience who will use PassBolt as a tool to share logins / access without having to share the actual password… Just my two cents. Thanks for letting me know about the other types of solutions, I will look into it.