# Hiding Passwords ### Overview In many enterprise environments, it’s essential to hide passwords from end-users to maintain security and enforce access policies. This is especially relevant for access to web applications, cloud services, internal tools, and infrastructure. Keeper offers multiple methods to prevent users from viewing passwords while still enabling seamless access: * [Privacy Screen](#privacy-screen) * [KeeperPAM Connections](#keeperpam-connections) * [Remote Browser Isolation](#remote-browser-isolation) ### Privacy Screen The Privacy Screen feature of Keeper is a front-end method of hiding a password from viewing within the Keeper vault, browser extension and mobile apps. Privacy Screen can be applied at the [team](https://docs.keeper.io/en/enterprise-guide/teams) level, role policy level (based on specific record domains), and at the [record type](https://docs.keeper.io/en/enterprise-guide/record-types) (template) level. With this policy in place, passwords are not visible from the user interface serving as a deterrent from casual observation. This feature is commonly used to limit viewing of passwords for the non-technically savvy users. #### Team Level In the Keeper Admin Console, the Team resource provides additional restrictions. The "Enable Privacy Screen" restriction is applied to any shared folder which the team has been added. Below is a screenshot of the "Client Services" team which has privacy screen enabled.

Privacy Screen through Team Restrictions

#### Role Level At the role policy level, the Privacy Screen enforcement policy is used in conjunction with the Generated Password Complexity policy to control the viewing (unmasking) of passwords based on a specified domain. {% hint style="info" %} It is important to note that password masking is only visual in nature and the password is still stored in the user's vault and accessible via API communication and browser inspection. If the admin would like to enforce that users cannot inspect the web pages, we recommend using group policies to prevent users from opening the browser development tools. {% endhint %}

This feature can be enabled within the Generated Password Complexity settings by checking the “Apply Privacy Screen” box once a domain has been added. #### Record Type Level At the custom record type level, the Privacy Screen feature can be activated on the password field. For more information on record types, [see this page](https://docs.keeper.io/en/enterprise-guide/record-types).

#### Vault Treatment From the Vault shared folder, any user or team with Privacy Screen activated can be added to a shared folder:

Folder Shared to Team with Privacy Screen Activated

On the recipient side, any record with a matching URL will be locked, and the user cannot unmask to view the password.

Vault Recipient with Privacy Screen Activated

#### Browser Extension On the browser extension, the password cannot be viewed:

Privacy Screen activated in the Browser Extension

### KeeperPAM Connections Keeper Connections allow users to instantly and securely access assets within their target infrastructure, such as servers, databases, web apps and workloads directly from their Keeper Vault. Connections can be established without exposing the underlying credentials to the user, ensuring zero-trust and zero-knowledge access. There are several use cases which support password hiding: * RDP Sessions * SSH Sessions * Database Sessions To learn more about KeeperPAM Connections, see the below links: * [KeeperPAM Overview](https://app.gitbook.com/o/-LO5CAzoigGmCWBUbw9z/s/-MJXOXEifAmpyvNVL1to/) * [Connections](https://docs.keeper.io/keeperpam/privileged-access-manager/connections) * [Website page](https://www.keepersecurity.com/privileged-access-management/)

### Self-Hosted Connection Manager Keeper Connection Manager (KCM) is a self-hosted, agentless remote desktop gateway that provides instant and secure access to desktops, servers, databases and web applications from a web browser. Sessions created through Keeper Connection Manager provide a passwordless experience for users across any protocol, including: * RDP, SSH, VNC, K8s * MySQL, PostgreSQL, SQL Server * Web Applications through Remote Browser Isolation To learn more about Keeper Connection Manager: * [Documentation](https://app.gitbook.com/o/-LO5CAzoigGmCWBUbw9z/s/b7weUpu7VBcMnESSH8vG/) * [Connection Manager web page](https://www.keepersecurity.com/connection-manager.html)

### Remote Browser Isolation Keeper’s Remote Browser Isolation (RBI) enables passwordless access to web-based applications by visually projecting secure browsing sessions from the Keeper Gateway directly into the user's vault. These sessions run in an up-to-date Chromium browser within a virtualized container, completely isolated from the local environment. With this approach, passwords are hidden from the end-user—credentials are securely injected via autofill, preventing exposure while still enabling seamless access. This protects users from malware, phishing, and other web-based threats, and eliminates the need for VPNs. Remote Browser Isolation is an available connection protocol in the KeeperPAM cloud platform, and standalone Keeper Connection Manager. To learn more about Remote Browser Isolation: * [KeeperPAM RBI](https://docs.keeper.io/keeperpam/privileged-access-manager/remote-browser-isolation) * [Keeper Connection Manager RBI](https://docs.keeper.io/keeper-connection-manager/supported-protocols/remote-browser-isolation)