restricted users are able to change passwords?

Customer forum for LastPass Enterprise

Post by info793 » Thu Aug 30, 2018 9:47 pm

I am in the trial for LastPass Enterprise and I'm a little confused.
I shared a password to a non-admin user with restricted privileges. He was able to log into the website, go to the "change password" section of the website and change the password.
He now has the new password which locks me out. Is it really this easy to bypass? We tested this at a few different sites.
Am I missing something? I would assume that LastPass would not autofill a password in the "change password" section of a website for a restricted user.
It makes it really easy for any employee to cause all kinds of damage. Has anyone else tried this or am I just missing a setting?

Re: restricted users are able to change passwords?

Post by FlyingHawk » Fri Aug 31, 2018 2:34 am

I've mentioned this quite a few times in other threads: it's a bad idea to rely on LastPass to restrict a sharee's access to shared passwords. This is a fundamentally impossible feature.

First of all, yes, LastPass autofills all password fields, regardless of whether it's a login page or a change password page.

Second, it's trivially easy for anyone who's a bit tech-savvy to retrieve the autofilled password from the login page. Then it doesn't make a difference whether the change password page is autofilled or not.

If you want to share passwords, you must trust the sharee. No way around that.
If you need to share access with an untrusted person, don't share passwords. Set up delegated access instead.