How to avoid fake security in password access management
October 28, 2019 / Knowledge


When you’re logging in to any of your personal accounts, your password is hidden behind asterisks or dots. We are all used to it.

The primary reason for hiding it is to make sure nobody looking over your shoulder sees it on your phone or computer screen while you are typing it. It’s all simple and worry-free when a password is only for your personal use.

Yet, when it comes to password access management among team members or employees, the problem arises – how to share a password without people actually seeing that hidden text?

Sadly, at this point, there are no 100%-risk-free ways to do it, even though some companies state they do.

Shocking?

Let us quickly give you some background knowledge so you’re ready to stand up to these fake security promises in password access management.

After you share a password without an ‘option’ to see it…

Let’s say you shared a password with someone else and were sure that the person didn’t see it during the sharing process. The person received your password, then used it to log in. The whole process went smoothly without him taking a look, so you’re calm. So far so good.

The problem is that once a password is used, it is now stored in the person’s browser (for example: Google Chrome, Firefox, Safari and Internet Explorer). From there, it can be revealed in multiple easy ways.

Let’s cover them.

Browser

Once a person saves your password into his browser (usually browsers even pop up a window asking “would you like us to save your password?”), he can then check ‘browser settings’ -> ‘passwords’ and see your passwords there.

Here’s how this list looks:

Of course, if a person’s computer itself is secured with a password, the browser will ask him to type in the password again, making sure it’s him. (That’s why we highly recommend that you use a password when logging in to your computer!)

But in this case, a person who has access to your password can simply input his computer’s password and see it right here, in the browser’s password list.

Most of the time browsers will even offer to show the password outright. Here’s an example on Chrome:

The same applies to Firefox. The Edge browser even adds an eye symbol directly in the password field.

Developer’s tools

In short, developer tools (or DevTools) are a set of tools created for web developers to easily notice problems in a website’s code and to quickly resolve them.

Even though it might sound like a very technical thing to do, DevTools can actually be opened and inspected by everyone (including you!) by pressing F12 on the keyboard while on a web page. And no IT or programming knowledge is needed for it.

Try it yourself.

Go to any login page you know. Let’s take Facebook, for example.

Right-click with your mouse on the password field and press “Inspect element”.

Here, find the line of code which says <input type="password">. You can simply find it by pressing CTRL+F and typing “input type=password”. The browser will show you where this line is.

Then double-click on the word “password” and type in “text” instead:

The hidden password is now visible in the password field of the login form:

Third-party extensions

There are even some third-party browser extensions created exactly for the purpose of showing hidden passwords, such as ShowPassword in the Google Chrome Store or Show/hide passwords for Mozilla Firefox.

Why wouldn’t a person use them if he really wants to see a hidden password?

Our approach – honesty over fake security

Our philosophy is to stay honest and transparent with the PassCamp community.

That is why in the PassCamp tool we have chosen to keep the shared password visible for all parties.

When you share a password, you know that all parties you have shared it with will be able to view it, and there is no “fake security” or false sense of security when there isn’t any.

Solutions for fake security in password access management

In PassCamp, we offer you advanced security solutions to keep your passwords as safe as possible in the 21st century.

Permission control to team members

In this password manager, you can segment your team members by the permissions you grant them. For example, you can assign the “View” permission, so that they will only be able to use the password to access the account. Or, if you’re going on a holiday, you can assign the “Edit” permission so they can update the password while you’re gone.

Finally, we have the “Share” permission, which enables multi-tier sharing. This means that after you share a password with this permission to a colleague, he is able to share it further down the line.

A good example of this would be you sharing access to your company’s general email inbox with your marketing team lead using the “Share” permission. Then, he can share it further down the line with his assistants. That’s it: you don’t need to worry about distributing this password, because the marketing lead will be able to do that for you.

The best part, though, is that you can track every change and every share for each password in the history log, meaning that even if somebody changes your password, you can always see the previous versions and restore it if needed. Unlimited and easy sharing, while still keeping full control over your passwords!

Master password

You will need to remember only one password, which will unlock a list of others. Why remember hundreds of similar insecure passwords if you can simply know one super secure password?

Password history powered by centralized blockchain technology

You can also see history records of all your passwords. If someone in your team changes a password, you are updated with all its edits and the newest version of it. Plus, you can always restore the old versions if needed, too!
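
The permission tiers and history log described above can be modelled in a few lines. This is an added example, not PassCamp’s code: the class name SharedPassword, the ordering view < edit < share, and the hash-chained log (one possible reading of the “blockchain” history) are assumptions, and secrets sit in the log in plaintext only to keep the model short.

```python
import hashlib
import json

RANK = {"view": 1, "edit": 2, "share": 3}  # assumed ordering: share > edit > view

class SharedPassword:
    """Hypothetical model of one shared entry: grants plus a hash-chained history."""

    def __init__(self, owner, secret):
        self.grants = {owner: "share"}   # the owner holds the highest permission
        self.secret = secret
        self.history = []                # append-only; each record links to the previous
        self._log(owner, "create", secret=secret)

    def _digest(self, body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _log(self, actor, action, **detail):
        prev = self.history[-1]["hash"] if self.history else "0" * 64
        body = {"actor": actor, "action": action, "prev": prev, **detail}
        self.history.append({**body, "hash": self._digest(body)})

    def _require(self, user, perm):
        if RANK.get(self.grants.get(user), 0) < RANK[perm]:
            raise PermissionError(f"{user} lacks '{perm}' permission")

    def view(self, user):
        self._require(user, "view")
        return self.secret               # every grantee gets the plaintext; nothing is hidden

    def edit(self, user, new_secret):
        self._require(user, "edit")
        self.secret = new_secret
        self._log(user, "edit", secret=new_secret)

    def share(self, user, to, perm):
        self._require(user, "share")     # only "share" holders can pass the entry on
        self.grants[to] = perm
        self._log(user, "share", to=to, perm=perm)

    def restore(self, user, version):
        self._require(user, "edit")
        old = [r["secret"] for r in self.history if "secret" in r][version]
        self.edit(user, old)             # a restore is itself a new history record

    def verify_history(self):
        prev = "0" * 64
        for rec in self.history:         # recompute every link; any altered record breaks it
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["prev"] != prev or self._digest(body) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True
```

Sharing from an owner to a lead with “share” and on to an assistant with “view” lets the assistant read the password but not change it, and altering any stored record makes verify_history() return False.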