<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeCommunityForum
0D50Z00008G7V0NSAVOkta Classic EngineAdministrationAnswered2025-08-04T09:00:34.000Z2016-02-03T16:11:41.000Z2018-03-26T17:37:21.000Z

aehr1 (aehr1) asked a question.

Edited by varun.kavoori1.5210444522562532E12 September 5, 2018 at 1:19 AM
Shared Password Reveal
Would anyone know if there is any way to allow an admin, and only the admin to reveal the password on an app which uses the " Users share a single username and password set by administrator" option?  I'm hoping there is a beta feature or something support can toggle to allow this.

 

We're starting to amass quite a number of apps which use this method of authentication but unfortunately, no one, not even the administrator has access to the actual password.  This requires us having to log the actual password outside of Okta, which is fairly redundant.  

 

Given the relative simplicity of implementing a password manager I find it stunning that Okta doesn't have more options that assist in storing/grouping/sharing credentials.  As nice as SAML might be, it accounts for a very small fraction of apps in the real world.

 

Thanks.
  • 6 answers
  • 2.19K views
BrianS.86777 and 7194e like this.

  • aehr1 (aehr1)

    I forgot to mention, I meant in theory that no one has access to the actual password.  Finding out the plaintext password for any shared credential app is also stunningly easy.  That makes the lack of official support kind of silly, and gives a false sense of security when any savy end user can find out the password anyway.

  • Han SuK.47827 (Customer)

    In cases like this, why are you recording the password at all?  Isn't it safer and more secure to just have Okta hold that information, and you forget that information so that you have plausible deniability?  To share the cred, you share the app that you configure with specifically that cred and that cred alone.  There are other issues like people using change password links to lock others out of the shared account, but it still seems safer to just not remember what the password is in the first place for shared accounts.
    Expand Post

  • aehr1 (aehr1)

    Well, for one example.  Say I have an application that forces a password change every 3 months, and also requires the current password be provided to do so (which all good apps should do).  

     

    That's one, but I could think of several others as well.  It's not very helpful when those who don't really have a solution to a problem instead turn to questioning the motives of those seeking the solution.
    Expand Post

  • Han SuK.47827 (Customer)

    Ah yeah if password rotations are being enforced for those apps then I can understand the need.  Great point.

  • g3aea (g3aea)

    Hi Kevin, I know this does not address your tactical need, but strategically speaking, you can do what we have done which is to set a policy (and SOP's, KB's, etc.) to plainly clarify that no shared passwords are allowed.  *and then knowing there will always be exceptions, state in a buried statement below your declaration that an exception policy can be request/approved and handled.  That way you grandfather in these apps you're having to deal with currently, but then all users, and more importantly your IT brethren on the applications side know, or will come to know, to include the requirement in any new app purchases. This is your safest bet to transition to no shared passwords.   *I know it's a bit of a cop out in regards to, "instead turn to questioning the motives of those seeking the solution." but, if you don't declare it as a standard, then your app engineers will continue to deploy solutions that rely on bad practices, such as shared passwords.
    Expand Post

  • Vlad Nikiforov (Customer)

    Hi Kevin,

     

    I have posted an idea (https://support.okta.com/help/ideas/viewIdea.apexp?id=087F0000000BEwE) (a change request effectively) for this - please upvote if you are still interested.

     

    My understanding is simple: people, when they don't have a legitimate (albeit hard) way to access a password, would inevitably start cutting corners (say, saving passwords to files). To me, requiring MFA from an admin to view a password, possibly even with a notification to all other admins, should be enough to satisfy even the most sophisticated paranoid.
    Expand Post
This question is closed.
Loading
Shared Password Reveal