remy
January 25, 2024, 1:54pm
2
Hello,
Yes this is a known behavior. This is why we were reluctant to implement the UI RBAC for this, as it is trivial to bypass. See. One Click Login, without seeing the text password - #6 by remy
Our view is the “one click login” or “use password without seeing it” gives false expectations of security. There is no such thing as being able to use a password without having the ability to see them.
In practice a user who wants to see the password can replace <input type="password" to <input type="text" in the code to see it, or right click on a page > inspect > go to network tab and see the password being sent as part of the data.
We often hear “yes but my users don’t know this”, but for us it’s not a good enough business case. Of course we may reconsider if there are better arguments that we are missing.
I talked with the team yesterday on this, and they changed my opinion a bit. There is some merit in implementing a “use only” feature, in conjunction with disabling export, copy to clipboard, preview, etc features.
It makes it slower to “copy” the password, and at least slow people down when doing so.
The business case would be an admin in a company has people copying credentials locally and actively avoiding using the chosen solution of an organisation. This may help an admin drive adoption / enforce best practices. Not super high on my whishlist of things to do still, but it’s not off the table.
We would need to set expectations clearly though for the administrators, as we don’t want to encourage security theater.
Your proposed solution doesn’t solve the problem either, it would still be possible to view the data in clear in the console unter the network tab, clicking on the request, and select the payload tab, to view the data in clear.
The only way to solve this problem, would be to implement a proxy with deep packet inspection and replace the password there on the fly. This is the model used by Cyberark for example, but not something passbolt will implement (as we want to provide end to end encryption).
I hope this helps.
1 Like