Hello,
We have two accounts in LastPass. Account A has all rights. It shares some folders with account B, which has only the right to use the passwords but cannot see them. Now if I create a credential entry in RDM which uses the login of account B and add this credential to a server entry, it is possible to see the password with the "view password" button. Why is this possible? From my point of view this should not work, or am I wrong?
Regards.
Patrick
Hi,
You need to disable the reveal password right. You can do it per user or as an Administration->Data Source Settings policy.
David Hervieux
Hi David
Thanks for the fast answer. What I don't understand: the LastPass account which we are using cannot view any of the passwords which are shared with the account. If I log on with it in LastPass, I can use all passwords, but when I try to see them LastPass does not show them. So with this account it should not even be possible to somehow see the passwords.
So what I don't get is why RDM can show the passwords if the account itself has no rights to see them. Are you somehow outsmarting the block function of LastPass?
Here's a screenshot from Account A, which shares the passwords with Account B, which has only Use but not View rights.
I know the reveal password function (we also use user groups on which we disabled that), but I'm just interested why RDM can read and display the password from a LastPass account, which should be able to do that.
Best regards.
Patrick
lastpass-hide.jpg
Hi,
I suspect that the LastPass limitation is only UI.
David Hervieux