Shared Password Reveal
https://support.okta.com/help/answers?id=906f0000000hzvdias&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
Kevin Denham

Would anyone know if there is any way to allow an admin, and only the admin to reveal the password on an app which uses the " Users share a single username and password set by administrator" option?  I'm hoping there is a beta feature or something support can toggle to allow this.

We're starting to amass quite a number of apps which use this method of authentication but unfortunately, no one, not even the administrator has access to the actual password.  This requires us having to log the actual password outside of Okta, which is fairly redundant.  

Given the relative simplicity of implementing a password manager I find it stunning that Okta doesn't have more options that assist in storing/grouping/sharing credentials.  As nice as SAML might be, it accounts for a very small fraction of apps in the real world.

Thanks.
Kevin Denham
I forgot to mention, I meant in theory that no one has access to the actual password.  Finding out the plaintext password for any shared credential app is also stunningly easy.  That makes the lack of official support kind of silly, and gives a false sense of security when any savvy end user can find out the password anyway.
Han Su Kim
In cases like this, why are you recording the password at all?  Isn't it safer and more secure to just have Okta hold that information, and you forget that information so that you have plausible deniability?  To share the cred, you share the app that you configure with specifically that cred and that cred alone.  There are other issues like people using change password links to lock others out of the shared account, but it still seems safer to just not remember what the password is in the first place for shared accounts.  
Kevin Denham
Well, for one example.  Say I have an application that forces a password change every 3 months, and also requires the current password be provided to do so (which all good apps should do).  

That's one, but I could think of several others as well.  It's not very helpful when those who don't really have a solution to a problem instead turn to questioning the motives of those seeking the solution.  
Han Su Kim
Ah yeah if password rotations are being enforced for those apps then I can understand the need.  Great point.  
Rico Jardinero
Hi Kevin, I know this does not address your tactical need, but strategically speaking, you can do what we have done, which is to set a policy (and SOPs, KBs, etc.) to plainly clarify that no shared passwords are allowed.  *And then, knowing there will always be exceptions, state in a buried statement below your declaration that an exception can be requested/approved and handled.  That way you grandfather in these apps you're having to deal with currently, but then all users, and more importantly your IT brethren on the applications side, know, or will come to know, to include the requirement in any new app purchases. This is your safest bet to transition to no shared passwords.   *I know it's a bit of a cop-out in regards to "instead turn to questioning the motives of those seeking the solution," but if you don't declare it as a standard, then your app engineers will continue to deploy solutions that rely on bad practices, such as shared passwords.
Vlad Nikiforov
Hi Kevin,

I have posted an idea (https://support.okta.com/help/ideas/viewIdea.apexp?id=087F0000000BEwE) (a change request effectively) for this - please upvote if you are still interested.

My understanding is simple: people, when they don't have a legitimate (albeit hard) way to access a password, would inevitably start cutting corners (say, saving passwords to files). To me, requiring MFA from an admin to view a password, possibly even with a notification to all other admins, should be enough to satisfy even the most sophisticated paranoid.