
I'm looking for a process to replace the status quo of notepad and Excel. We've tested a market-leading password manager. An issue that comes up with this is that the secure sharing password facility has some significant vulnerabilities. We want to allow a Manager to share access to her account with her PA (e.g.) without the PA being able to view the password or change it. The password manager offers this facility with password injection and shared folders within the app, but it has 2 big shortcomings:

  1. The PA cannot directly see the password in the password manager, but she can inject the password into a website (e.g. LinkedIn), then click on the view icon next to the password field and see the plaintext.

  2. Some websites offer a change password facility. The PA can inject the password in the "old password" field, then type whatever new password and confirmation she wants. To make matters worse, the PA has read-only on the password manager shared folder, so they lose the ability to write the password back.

Are there any options that allow account access to be shared, but do not reveal the password under any circumstances?

I suspect they all have the flaws above due to the way browsers, apps and web pages work, however it would be good to know if the above is technically possible to achieve.

  • Given that the PA should have legitimate access to these applications, why is it important that they don't learn the password? – Sjoerd Nov 11 '21 at 15:18
  • @schroeder Do we need both [tag:access-control] and [tag:access-management]? – Anders Nov 30 '21 at 08:27
  • @Anders This would be a Meta question to raise, but I would vote "yes" as there is a difference between network-level access control (ACL) and account/service access management, and with the current rethink on account access (zero-trust concepts) we might need a more specific tag for that. – schroeder Nov 30 '21 at 12:42
  • @schroeder Sounds reasonable! Just wanted to check that there was a thought and not just a mistake. I have no real opinion on the topic. – Anders Nov 30 '21 at 15:35

1 Answer


Password managers manage passwords. So all the weaknesses you have seen will exist because they simply manage the strings.

What you want is an access manager. You want something where the PA logs in, but then gains access to the service under the Manager's account. This way, the access manager manages the password, not the user. It is then also possible to revoke the PA's access when necessary.

For this, you are looking at a range of technologies:

  • PAM (privileged access management)
  • CASB (Cloud Access Service Broker)
  • or IAM (identity access management) more generally
  • Do you have some more specific examples or terms? When I search the internet for access manager or privileged access management I get lost in a meaningless infosec bullshit bingo bubble. "PAM refers to a comprehensive cybersecurity strategy – comprising people, processes and technology." – Sjoerd Nov 11 '21 at 15:28