parrishk

Remove "HiddenGoogleSecretKey" from HTML Source


While looking through the HTML source I noticed that each user's "HiddenGoogleSecretKey" is displayed in plain text.

 

Sure, the admin already has privileged access to the system and "could" change/reset this value, but I think it would be best practice for only the end-user to ever have access to the secret value.

 

Was this intended or is there not a concern for this value being visible to administrators?

 


Hi ParrishK,

 

We've just updated this in one of the latest builds, and the secret is no longer visible to Security Admins.  Please see screenshot below.  Security Admins can now clear the key, which will generate a new QR code the next time the user logs into Passwordstate.  We've made this change to YubiKey, One Time Password and Google Authenticator authentication types.

 

2019-04-16_7-56-07.png

 

 

If you can perform an upgrade, this issue will be fixed :)

 

Regards,

Support
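
The behaviour described in this reply (admins see enrollment status only, can clear the key, and the user gets a new QR code at next login) can be sketched as follows. This is an added example, not Passwordstate's code; the class, method names and the `ExampleVault` issuer are hypothetical.

```python
import base64
import secrets
from urllib.parse import quote


class TotpEnrollments:
    """Hypothetical server-side store of per-user TOTP secrets."""

    def __init__(self):
        # username -> base32 secret; never serialized into admin pages
        self._secrets = {}

    def admin_view(self, username):
        # The only data the admin page may render: status, not the secret.
        return {"user": username, "enrolled": username in self._secrets}

    def admin_clear(self, username):
        # Admin invalidates the key without reading it.
        # Returns True if a key existed and was removed.
        return self._secrets.pop(username, None) is not None

    def login_enrollment(self, username, issuer="ExampleVault"):
        # Runs in the user's own session at login. Returns an otpauth URI
        # (the QR code payload) only when a fresh secret had to be created,
        # so the secret is shown once and only to its owner.
        if username in self._secrets:
            return None
        secret = base64.b32encode(secrets.token_bytes(20)).decode("ascii")
        self._secrets[username] = secret
        label = quote(f"{issuer}:{username}")
        return f"otpauth://totp/{label}?secret={secret}&issuer={quote(issuer)}"


if __name__ == "__main__":
    store = TotpEnrollments()
    first = store.login_enrollment("alice")      # constructed sample user
    print(store.admin_view("alice"))             # status only
    store.admin_clear("alice")                   # admin resets the key
    second = store.login_enrollment("alice")     # new QR payload at next login
    print(first != second)
```
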
