Password can be seen using Inspect Element


Yes this is a known behavior. This is why we were reluctant to implement the UI RBAC for this, as it is trivial to bypass. See. One Click Login, without seeing the text password - #6 by remy

Your proposed solution doesn’t solve the problem either, it would still be possible to view the data in clear in the console unter the network tab, clicking on the request, and select the payload tab, to view the data in clear.

The only way to solve this problem, would be to implement a proxy with deep packet inspection and replace the password there on the fly. This is the model used by Cyberark for example, but not something passbolt will implement (as we want to provide end to end encryption).

I hope this helps.

1 Like