Can you elaborate on "There's no way to guarantee security of passwords stored in someone's personal vault"?



Sure! As an admin, you're unable to see any passwords in an employee's "Personal" vault. This is by design, so that user-specific passwords aren't visible to _anyone_ in the org except for that user.

However, this has a few downsides. All of those features I mentioned (alerts for re-used, leaked, weak, or old passwords) are visible to the owner of the private vault, but admins won't be aware of those issues. It requires trust and security training to make sure that those issues are handled appropriately for private passwords.

Also, if someone has edit access for a vault, there's no way to prevent them from moving credentials to their personal vault or exporting credentials. Most people won't know how to do that and won't bother... but it's always a risk.


Gotcha, okay! I thought you meant somehow there wasn't a way to guarantee the security of personal vaults in a vacuum, and that was... concerning.

This makes a lot more sense.

