How to See a User’s Password

In many cases, IT admins want complete control over the passwords set by employees in their organization. Administrative control over employee passwords is desirable for a number of reasons, three of which are outlined below:

  • Ensures that passwords for every user, across all applications in an organization, are complex and secure.
  • Enables admins to take action to change or reset a password at their convenience.
  • Lessens the burden of off-boarding applications from an employee when they leave the organization.

Bitium offers this administrative control in many ways, but predominantly by way of giving admins visibility into employee passwords. With password visibility requirements enabled, admins can see the passwords for any business application configured by an employee within their organization.

Password visibility can be set as a requirement for all applications, some applications, or none at all. By default, Bitium does not require users to share their passwords with admins, as users are presented with a choice to opt out of this option.

In order for admins to see the passwords configured by their employees for specific application(s) or all applications, a couple of conditions must first be met. These conditions include:

  • The password has to be “Managed”. This means the user gave admins permission to have access to the password (we will cover how a user can grant permission below). Any password that admins have been given permission to view is considered Managed.
  • A policy has to be set for the application, giving all admins the ability to view and manage the password.

Managed Passwords

By default, Bitium does not require that users share their passwords with admins. For a specific application, users have the ability to “opt-out” of the option to give admins access to their password. This means that users can click to uncheck the requirement upon configuring the application in Bitium. As a result, not all applications may become “Managed” as some users may elect to opt out of allowing access to their passwords.

Unmanaged Apps

Enforce admin access to passwords for all applications.

To ensure that all passwords are Managed for every application, admins can enforce admin access to passwords for all applications. This means that users will not be able to uncheck the box upon configuring an application. To accomplish this, an admin simply needs to change the global setting for password sharing to required for new credentials.

You can find this setting here:

  1. Manage “your organization.”

  2. Click “Security.”

  3. Click “Security Settings.”

  4. Click “Change” for Users Sharing Credentials with Admins.

  5. Click the radio button for “Required for new credentials.”


Enforce admin access to passwords for specific applications.

In some cases, IT admins may only want to manage the passwords for specific mission-critical applications in their organization – not all applications. Bitium allows admins to manage passwords and enforce password visibility at the application level as well.

To enforce password visibility by application:

  1. Manage “your organization.”

  2. Click “Manage Apps.”

  3. Select the application you’d like to enforce password visibility on.

  4. Click “Settings.”

  5. Move the Require Admin Password Visibility toggle to ON.


In this scenario, admins will have access to any passwords configured for this specific application. For all other applications – unless configured similarly – password visibility will not be an enforced requirement for users.

Policies

Managed passwords are the first part of a two-step process for obtaining visibility of a user password. Once passwords are converted to be Managed, a policy needs to be set. A policy governs which admins or group admins can access that password once permission has been granted at the end-user level. Similarly, it governs what these admins or group admins are permitted to do with the password (view the password, or assign the application).

To add the app to a policy:

  1. Manage “your organization.”

  2. Click “Security.”

  3. Click “Access Control Lists.”

  4. Click the “Admins” Access Control List.

  5. Click “Add Apps.”

  6. Select apps that are managed (apps that are not managed will say “You have 1 Unmanaged Credentials”). Click the eyeball for each application.

  7. Click “Done.”


Once a policy is established, all passwords configured by users for the applications you’ve added to the policy will be visible to admins in your organization. Now that the passwords are “Managed” and the app associated with these passwords has been added to a policy, an admin is ready to see the password.

To see a user’s password:

  1. Manage “your organization.”

  2. Click “Manage Apps.”

  3. Select the application you’d like to view the passwords for.

  4. In the “Subscribers” tab, hover your cursor under the Password Strength column to see the password for a specific user.

  5. Click “Show.”
