New eval user with a security question...

Customer forum for LastPass Enterprise


Post by john382 » Wed Apr 01, 2015 5:41 pm

I'm evaluating Enterprise and I'm a little confused. We wanted to give our team access to various vendor sites, without having to change vendor site passwords if we ever have an employee leave. I thought LastPass Enterprise would work for this, but so far I'm not having much success with testing.

1) I created a "User1" account with read-only access. I added a website (GoDaddy) and checked "AutoLogin" and "Disable Autofill".
2) I jump to a browser as "User1" and visit GoDaddy's website. I click Sign In, and in the text fields on the login form I'm prompted to pick the login credentials I used in step 1 above. The sign in form populates, where I can then highlight the contents of the password field, paste it into notepad, and view the password. This somewhat defeats one of our primary goals, which is to keep our vendor logins from being viewed and shared by employees.

So now the question: Did I do something wrong in how I set things up, or does LastPass simply expose our passwords to users in this situation and there's nothing we can do about it? Thanks in advance for helping a newbie :D
john382
 
Posts: 2
Joined: Wed Apr 01, 2015 5:34 pm

Re: New eval user with a security question...

Post by jpenny84 » Wed Apr 01, 2015 11:46 pm

Since, in the end, passwords still need to be inserted on webpages, savvy users can use advanced methods either in the browser or operating system to capture them. It's important to use a password specific to a particular site. If practical, maybe consider a policy to immediately change a password if someone leaves or is terminated. The change would be communicated automatically to the assignees, with minimal disruption.
jpenny84
 
Posts: 8679
Joined: Tue Mar 06, 2012 9:10 pm

Re: New eval user with a security question...

Post by john382 » Thu Apr 02, 2015 9:08 am

Thanks for the reply. We already do this (Unique passwords per vendor, changing them if we have employee turnover) so LastPass, while nice, really doesn't bring anything to the table that we're not already doing - which is a shame.

My hope was that it would automatically sign users in when they access a site by clicking a link in their vault, but not drop ANY variables into login pages if the user bypasses the vault and visits the site directly.

I thought choosing "AutoLogin" and "Disable AutoFill" when managing the site in the Vault shared folder would do that, but it doesn't. Passwords are still exposed.

The ability to set a sub-property on a website to "Require access via Vault only" when "AutoLogin" is enabled would be a huge step in the right direction IMHO. That way, if a user visits the website (bypassing their Vault) there are no username/password prompts offered at all on the site's login form.
john382
 
Posts: 2
Joined: Wed Apr 01, 2015 5:34 pm

