diff --git a/resources/sql/autopatches/20150621.phrase.1.sql b/resources/sql/autopatches/20150621.phrase.1.sql
new file mode 100644
--- /dev/null
+++ b/resources/sql/autopatches/20150621.phrase.1.sql
@@ -0,0 +1,2 @@
+ALTER TABLE {$NAMESPACE}_passphrase.passphrase_credential
+ ADD authorPHID VARBINARY(64) NOT NULL;
diff --git a/src/__phutil_library_map__.php b/src/__phutil_library_map__.php
--- a/src/__phutil_library_map__.php
+++ b/src/__phutil_library_map__.php
@@ -1267,6 +1267,7 @@
 'PassphraseConduitAPIMethod' => 'applications/passphrase/conduit/PassphraseConduitAPIMethod.php',
 'PassphraseController' => 'applications/passphrase/controller/PassphraseController.php',
 'PassphraseCredential' => 'applications/passphrase/storage/PassphraseCredential.php',
+ 'PassphraseCredentialAuthorPolicyRule' => 'applications/passphrase/policyrule/PassphraseCredentialAuthorPolicyRule.php',
 'PassphraseCredentialConduitController' => 'applications/passphrase/controller/PassphraseCredentialConduitController.php',
 'PassphraseCredentialControl' => 'applications/passphrase/view/PassphraseCredentialControl.php',
 'PassphraseCredentialCreateController' => 'applications/passphrase/controller/PassphraseCredentialCreateController.php',
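Review bot: Rows that already exist in `passphrase_credential` get an empty `authorPHID` from this ALTER, because the column is `NOT NULL` and nothing backfills it. Judging by the `if (!$author_phid) { return false; }` check visible further down this diff, the author rule then matches nobody on such a row. That fails closed, but it would leave a legacy credential inaccessible through that rule if it is later switched to the author policy. Either follow up with a migration that fills the column where the creator can still be determined, or record the behaviour in the patch with a comment such as `-- Pre-existing rows keep an empty authorPHID; the author policy rule matches nobody for them.`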
@@ -1286,6 +1287,8 @@
 'PassphraseCredentialTypeTestCase' => 'applications/passphrase/credentialtype/__tests__/PassphraseCredentialTypeTestCase.php',
 'PassphraseCredentialViewController' => 'applications/passphrase/controller/PassphraseCredentialViewController.php',
 'PassphraseDAO' => 'applications/passphrase/storage/PassphraseDAO.php',
+ 'PassphraseDefaultEditCapability' => 'applications/passphrase/capability/PassphraseDefaultEditCapability.php',
+ 'PassphraseDefaultViewCapability' => 'applications/passphrase/capability/PassphraseDefaultViewCapability.php',
 'PassphraseNoteCredentialType' => 'applications/passphrase/credentialtype/PassphraseNoteCredentialType.php',
 'PassphrasePasswordCredentialType' => 'applications/passphrase/credentialtype/PassphrasePasswordCredentialType.php',
 'PassphrasePasswordKey' => 'applications/passphrase/keys/PassphrasePasswordKey.php',
@@ -4779,6 +4782,7 @@
 'PhabricatorPolicyInterface',
 'PhabricatorDestructibleInterface',
 ),
+ 'PassphraseCredentialAuthorPolicyRule' => 'PhabricatorPolicyRule',
 'PassphraseCredentialConduitController' => 'PassphraseController',
 'PassphraseCredentialControl' => 'AphrontFormControl',
 'PassphraseCredentialCreateController' => 'PassphraseController',
@@ -4798,6 +4802,8 @@
 'PassphraseCredentialTypeTestCase' => 'PhabricatorTestCase',
 'PassphraseCredentialViewController' => 'PassphraseController',
 'PassphraseDAO' => 'PhabricatorLiskDAO',
+ 'PassphraseDefaultEditCapability' => 'PhabricatorPolicyCapability',
+ 'PassphraseDefaultViewCapability' => 'PhabricatorPolicyCapability',
 'PassphraseNoteCredentialType' => 'PassphraseCredentialType',
 'PassphrasePasswordCredentialType' => 'PassphraseCredentialType',
 'PassphrasePasswordKey' => 'PassphraseAbstractKey',
diff --git a/src/applications/passphrase/application/PhabricatorPassphraseApplication.php b/src/applications/passphrase/application/PhabricatorPassphraseApplication.php
--- a/src/applications/passphrase/application/PhabricatorPassphraseApplication.php
+++ b/src/applications/passphrase/application/PhabricatorPassphraseApplication.php @@ -63,4 +63,22 @@ ); } + protected function getCustomCapabilities() { + $policy_key = id(new PassphraseCredentialAuthorPolicyRule()) + ->getObjectPolicyFullKey(); + + return array( + PassphraseDefaultViewCapability::CAPABILITY => array( + 'caption' => pht('Default view policy for newly created credentials.'), + 'template' => PassphraseCredentialPHIDType::TYPECONST, + 'default' => $policy_key, + ), + PassphraseDefaultEditCapability::CAPABILITY => array( + 'caption' => pht('Default edit policy for newly created credentials.'), + 'template' => PassphraseCredentialPHIDType::TYPECONST, + 'default' => $policy_key, + ), + ); + } + } diff --git a/src/applications/passphrase/capability/PassphraseDefaultEditCapability.php b/src/applications/passphrase/capability/PassphraseDefaultEditCapability.php new file mode 100644 --- /dev/null +++ b/src/applications/passphrase/capability/PassphraseDefaultEditCapability.php @@ -0,0 +1,12 @@ +getAuthorPHID(); + if (!$author_phid) { + return false; + } + + $viewer_phid = $viewer->getPHID(); + if (!$viewer_phid) { + return false; + } + + return ($viewer_phid == $author_phid); + } + + public function getValueControlType() { + return self::CONTROL_TYPE_NONE; + } + +} diff --git a/src/applications/passphrase/storage/PassphraseCredential.php b/src/applications/passphrase/storage/PassphraseCredential.php --- a/src/applications/passphrase/storage/PassphraseCredential.php +++ b/src/applications/passphrase/storage/PassphraseCredential.php 
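Review bot: `getCustomCapabilities()` in PhabricatorPassphraseApplication.php carries no comment explaining why both defaults point at the credential-author object policy rather than a fixed policy. That choice is what keeps a new credential restricted to its creator now that the storage code no longer pins the policies to `$actor->getPHID()`. It also means that an administrator who edits these application defaults changes the visibility of every credential created afterwards. A docblock saying so would help the next maintainer, for example `/** Defaults both policies to the "credential author" rule so new credentials start out restricted to their creator. */`. The enclosing class starts outside the hunk.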
@@ -17,17 +17,27 @@ protected $isDestroyed; protected $isLocked = 0; protected $allowConduit = 0; + protected $authorPHID; private $secret = self::ATTACHABLE; public static function initializeNewCredential(PhabricatorUser $actor) { + $app = id(new PhabricatorApplicationQuery()) + ->setViewer($actor) + ->withClasses(array('PhabricatorPassphraseApplication')) + ->executeOne(); + + $view_policy = $app->getPolicy(PassphraseDefaultViewCapability::CAPABILITY); + $edit_policy = $app->getPolicy(PassphraseDefaultEditCapability::CAPABILITY); + return id(new PassphraseCredential()) ->setName('') ->setUsername('') ->setDescription('') ->setIsDestroyed(0) - ->setViewPolicy($actor->getPHID()) - ->setEditPolicy($actor->getPHID()); + ->setAuthorPHID($actor->getPHID()) + ->setViewPolicy($view_policy) + ->setEditPolicy($edit_policy); } public function getMonogram() {
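Review bot: `executeOne()` in `initializeNewCredential()` can presumably return null when the query yields no application for this actor, and the next two lines call `$app->getPolicy(...)` without checking. That would turn credential creation into a fatal error instead of a policy decision. A guard that falls back to the creator-only value used by the removed lines keeps the failure closed: `$view_policy = $app ? $app->getPolicy(PassphraseDefaultViewCapability::CAPABILITY) : $actor->getPHID();`, and the same for `$edit_policy`. The function is fully inside the hunk; the class body continues outside it.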