Hiding Passwords
Methods of hiding passwords from end-users in the Keeper platform
Last updated
Was this helpful?
Methods of hiding passwords from end-users in the Keeper platform
Last updated
Was this helpful?
In many enterprise environments, it’s essential to hide passwords from end-users to maintain security and enforce access policies. This is especially relevant for access to web applications, cloud services, internal tools, and infrastructure. Keeper offers multiple methods to prevent users from viewing passwords while still enabling seamless access:
The Privacy Screen feature of Keeper is a front-end method of hiding a password from viewing within the Keeper vault, browser extension and mobile apps. Privacy Screen can be applied at the level, role policy level (based on specific record domains), and at the (template) level.
With this policy in place, passwords are not visible from the user interface serving as a deterrent from casual observation. This feature is commonly used to limit viewing of passwords for the non-technically savvy users.
In the Keeper Admin Console, the Team resource provides additional restrictions. The "Enable Privacy Screen" restriction is applied to any shared folder which the team has been added. Below is a screenshot of the "Client Services" team which has privacy screen enabled.
At the role policy level, the Privacy Screen enforcement policy is used in conjunction with the Generated Password Complexity policy to control the viewing (unmasking) of passwords based on a specified domain.
This feature can be enabled within the Generated Password Complexity settings by checking the “Apply Privacy Screen” box once a domain has been added.
From the Vault shared folder, any user or team with Privacy Screen activated can be added to a shared folder:
On the recipient side, any record with a matching URL will be locked, and the user cannot unmask to view the password.
On the browser extension, the password cannot be viewed:
Keeper Connections allow users to instantly and securely access assets within their target infrastructure, such as servers, databases, web apps and workloads directly from their Keeper Vault. Connections can be established without exposing the underlying credentials to the user, ensuring zero-trust and zero-knowledge access.
There are several use cases which support password hiding:
RDP Sessions
SSH Sessions
Database Sessions
To learn more about KeeperPAM Connections, see the below links:
Keeper Connection Manager (KCM) is a self-hosted, agentless remote desktop gateway that provides instant and secure access to desktops, servers, databases and web applications from a web browser. Sessions created through Keeper Connection Manager provide a passwordless experience for users across any protocol, including:
RDP, SSH, VNC, K8s
MySQL, PostgreSQL, SQL Server
Web Applications through Remote Browser Isolation
To learn more about Keeper Connection Manager:
Keeper’s Remote Browser Isolation (RBI) enables passwordless access to web-based applications by visually projecting secure browsing sessions from the Keeper Gateway directly into the user's vault. These sessions run in an up-to-date Chromium browser within a virtualized container, completely isolated from the local environment. With this approach, passwords are hidden from the end-user—credentials are securely injected via autofill, preventing exposure while still enabling seamless access. This protects users from malware, phishing, and other web-based threats, and eliminates the need for VPNs.
Remote Browser Isolation is an available connection protocol in the KeeperPAM cloud platform, and standalone Keeper Connection Manager.
To learn more about Remote Browser Isolation:
At the custom record type level, the Privacy Screen feature can be activated on the password field. For more information on record types, .