LogoLogo
Enterprise Guide
Enterprise Guide
  • Getting Started
  • Start Your Trial
  • Resources
  • Keeper for Teams and Small Business
  • Keeper Enterprise
  • Implementation Overview
  • Domain Reservation
  • Deploying Keeper to End-Users
    • Desktop Applications
      • Launch on Start Up
    • Forcefield
    • Browser Extension (KeeperFill)
      • Mac
        • PLIST (.plist) Policy Deployment
          • Jamf Pro Policy Deployment - Chrome
          • Microsoft Intune Policy Deployment - Chrome
      • Linux
        • JSON Policy Deployment - Chrome
      • Windows
        • Group Policy Deployment - Chrome
        • Group Policy Deployment - Firefox
        • Group Policy Deployment - Edge
        • SCCM Deployment - Chrome
        • Intune - Chrome
        • Intune - Edge
        • Edge Settings Policy
        • Chrome Settings Policy
      • Virtual Machine Persistence
    • Mobile Apps
      • IBM MaaS360
    • Optional Deployment Tasks
    • IE11 Trusted Sites
  • End-User Guides
  • Keeper Admin Console Overview
  • Nodes and Organizational Structure
  • Risk Management Dashboard
  • User and Team Provisioning
    • Custom Invite and Logo
      • Custom Email - Markdown Language
    • Simple Provisioning through the Admin Console
    • Active Directory Provisioning
    • LDAP Provisioning
    • SSO JIT (Just-in-Time) Provisioning
    • Okta Provisioning
    • Entra ID / Azure AD Provisioning
    • Google Workspace Provisioning
    • JumpCloud Provisioning
    • CloudGate Provisioning
    • OneLogin Provisioning
    • Microsoft AD FS Provisioning
    • API Provisioning with SCIM
      • Using SCIM API Provisioning
    • Team and User Approvals
    • Email Auto-Provisioning
    • CLI Provisioning with Commander SDK
  • SSO / SAML Authentication
  • User Management and Lifecycle
  • Email Address Changes
  • Roles, RBAC and Permissions
    • Enforcement Policies
    • Security Keys
  • Delegated Administration
  • Account Transfer Policy
  • Teams (Groups)
  • Sharing
    • Record and File Sharing
    • Shared Folders
    • PAM Resource Sharing
    • One-Time Share
    • Share Admin
    • Time-Limited Access
    • Self-Destructing Records
    • Hiding Passwords
  • Creating Vault Records
  • Importing Data
  • Record Types
  • Two-Factor Authentication
  • Storing Two-Factor Codes
  • Security Audit
    • Security Audit Score Calculation
  • BreachWatch (Dark Web)
  • Secure File Storage & Sharing
  • Reporting, Alerts & SIEM
    • Event Descriptions
    • Splunk
    • Sumo Logic
    • Exabeam (LogRhythm)
    • Syslog
    • QRadar
    • Azure Monitor
    • Azure Sentinel
    • AWS S3 Bucket
    • Devo
    • Datadog
    • Logz.io
    • Elastic
    • Firewall Configuration
    • On-site Commander Push
  • Recommended Alerts
  • Webhooks
    • Slack Webhooks
    • Teams Webhooks
    • Amazon Chime Webhooks
    • Discord Webhooks
  • Compliance Reports
  • Vault Offline Access
  • Secrets Manager
  • Commander CLI
  • Keeper Connection Manager
  • KeeperPAM Privileged Access Manager
  • Keeper Forcefield
  • KeeperChat
  • Keeper MSP
    • Free Trial
    • Getting Started
    • Fundamentals
    • Consumption-Based Billing
      • Secure Add-Ons
      • Existing MSP Admins
    • Onboarding
    • PSA Billing Reconciliation
    • Join the Slack Channel
    • Next Steps
    • Offboarding
    • Commander CLI/SDK
    • Account Management APIs
    • Provision Family Plans via API
    • MSP Best Practices
  • Free Family License for Personal Use
    • Provision Family plans via API
    • Provision Student plans via API
    • API Troubleshooting
      • API Parameters
      • API Response Codes
      • API Explorer - Swagger
  • Keeper Security Benchmarks and Recommended Security Settings
  • IP Allow Keeper
  • Keeper Encryption and Security Model Details
  • Developer API / SDK Tools
  • On-Prem vs. Cloud
  • Authentication Flow V3
  • Migrating from LastPass
  • Training and Support
  • Keeper SCORM Files for LMS Modules
  • Docs Home
Powered by GitBook

Company

  • Keeper Home
  • About Us
  • Careers
  • Security

Support

  • Help Center
  • Contact Sales
  • System Status
  • Terms of Use

Solutions

  • Enterprise Password Management
  • Business Password Management
  • Privileged Access Management
  • Public Sector

Pricing

  • Business and Enterprise
  • Personal and Family
  • Student
  • Military and Medical

© 2025 Keeper Security, Inc.

On this page
  • Overview
  • Privacy Screen
  • KeeperPAM Connections
  • Self-Hosted Connection Manager
  • Remote Browser Isolation

Was this helpful?

Export as PDF
  1. Sharing

Hiding Passwords

Methods of hiding passwords from end-users in the Keeper platform

PreviousSelf-Destructing RecordsNextCreating Vault Records

Last updated 24 days ago

Was this helpful?

Overview

In many enterprise environments, it’s essential to hide passwords from end-users to maintain security and enforce access policies. This is especially relevant for access to web applications, cloud services, internal tools, and infrastructure. Keeper offers multiple methods to prevent users from viewing passwords while still enabling seamless access:

Privacy Screen

The Privacy Screen feature of Keeper is a front-end method of hiding a password from viewing within the Keeper vault, browser extension and mobile apps. Privacy Screen can be applied at the level, role policy level (based on specific record domains), and at the (template) level.

With this policy in place, passwords are not visible from the user interface serving as a deterrent from casual observation. This feature is commonly used to limit viewing of passwords for the non-technically savvy users.

Team Level

In the Keeper Admin Console, the Team resource provides additional restrictions. The "Enable Privacy Screen" restriction is applied to any shared folder which the team has been added. Below is a screenshot of the "Client Services" team which has privacy screen enabled.

Role Level

At the role policy level, the Privacy Screen enforcement policy is used in conjunction with the Generated Password Complexity policy to control the viewing (unmasking) of passwords based on a specified domain.

It is important to note that password masking is only visual in nature and the password is still stored in the user's vault and accessible via API communication and browser inspection. If the admin would like to enforce that users cannot inspect the web pages, we recommend using group policies to prevent users from opening the browser development tools.

This feature can be enabled within the Generated Password Complexity settings by checking the “Apply Privacy Screen” box once a domain has been added.

Record Type Level

Vault Treatment

From the Vault shared folder, any user or team with Privacy Screen activated can be added to a shared folder:

On the recipient side, any record with a matching URL will be locked, and the user cannot unmask to view the password.

Browser Extension

On the browser extension, the password cannot be viewed:

KeeperPAM Connections

Keeper Connections allow users to instantly and securely access assets within their target infrastructure, such as servers, databases, web apps and workloads directly from their Keeper Vault. Connections can be established without exposing the underlying credentials to the user, ensuring zero-trust and zero-knowledge access.

There are several use cases which support password hiding:

  • RDP Sessions

  • SSH Sessions

  • Database Sessions

To learn more about KeeperPAM Connections, see the below links:

Self-Hosted Connection Manager

Keeper Connection Manager (KCM) is a self-hosted, agentless remote desktop gateway that provides instant and secure access to desktops, servers, databases and web applications from a web browser. Sessions created through Keeper Connection Manager provide a passwordless experience for users across any protocol, including:

  • RDP, SSH, VNC, K8s

  • MySQL, PostgreSQL, SQL Server

  • Web Applications through Remote Browser Isolation

To learn more about Keeper Connection Manager:

Remote Browser Isolation

Keeper’s Remote Browser Isolation (RBI) enables passwordless access to web-based applications by visually projecting secure browsing sessions from the Keeper Gateway directly into the user's vault. These sessions run in an up-to-date Chromium browser within a virtualized container, completely isolated from the local environment. With this approach, passwords are hidden from the end-user—credentials are securely injected via autofill, preventing exposure while still enabling seamless access. This protects users from malware, phishing, and other web-based threats, and eliminates the need for VPNs.

Remote Browser Isolation is an available connection protocol in the KeeperPAM cloud platform, and standalone Keeper Connection Manager.

To learn more about Remote Browser Isolation:

At the custom record type level, the Privacy Screen feature can be activated on the password field. For more information on record types, .

see this page
Website page
Connection Manager web page
team
record type
Privacy Screen
KeeperPAM Connections
Remote Browser Isolation
KeeperPAM Overview
Connections
KeeperPAM RBI
Documentation
Keeper Connection Manager RBI
Privacy Screen through Team Restrictions
Privacy Screen through Role Policy
Privacy Screen through Record Types
Folder Shared to Team with Privacy Screen Activated
Vault Recipient with Privacy Screen Activated
Privacy Screen activated in the Browser Extension
KeeperPAM Connections
Keeper Connection Manager
Remote Browser Isolation