Ask HN: What's the best corporate password manager? (Hacker News)

LastPass is the worst piece of software I have ever worked with. We had a lot of trouble making sense out of its sluggish user interface and confusing terminology and more.
BitWarden is my choice, it’s cheaper than alternatives, the UI is simple and easy to understand. It’s open-source and battle-tested. You may want to self-host as well.

+1. LastPass created more chaos than it solved issues in our company. Multiple dashboards that interfere with each other, a horrible overview causing outdated / wrong rights, users having to restart several times before new passwords show up, bad mobile support and much more.

Upgraded from LastPass to BitWarden around this time last year. Amazing piece of software. I can’t recommend it highly enough!

I’m still rocking Keepass after nearly ten years now. I’ve tried Lastpass, and found it clunky / fiddly in comparison.

My experiences: Team Password Manager.

https://teampasswordmanager.com/ Self hosted. LDAP / AD auth, and LDAP groups. It has some extensive auditing logs, so management can see exactly who changed what and when. Custom fields, pretty good permissions system. The concept of “projects” rather than folders can be counter-intuitive. Cheap, and support is also pretty cheap. Worth a look just to evaluate to see if it will fit with your corporate culture.

Bitwarden. Fantastic software. I haven’t used the corporate integration side of it at all. I protect mine with a U2F hardware key. Highly recommended.

> manage access to probably ~ services our employees use every day
Is single sign-on an option, instead? Something like Okta is a much better experience for less technical users (and, well, engineers too) where possible, and also lets you trivially manage credentials access as people on / off board (no need to rotate credentials if you’re worried folk may have written them down on paper somewhere with malicious intent). That said, it doesn’t help folk with personal credentials management, which can be useful for good security policy in addition.

1password is my favorite to have around for services that don’t support SSO. I like it so much I pay for a family account, even.

Certainly for a company between people, 1Password is great. As an added bonus, you can give staff a 1Password families account for free.

Not totally relevant to the question, but how well does it scale to enterprise? I found the need to create and manage individual access to vaults to be complicated, even at a few users. I can’t imagine how you’d manage s of passwords accessed by combinations of s of users, including third-parties, contractors, etc. Are there any better password management solutions in the enterprise space?

While 1Password is fantastic, their CLI is the worst CLI I’ve ever seen. Basically unusable.
You should just be able to say “give me the password for yahoo.com” but you can’t actually do that.

I wanted to use it to get npm 2FA on the command line and just gave up completely.

I’ll chuck another vote in for Okta. It even has admin or user managed password settings if you want it to behave like a password manager for sites that have shared accounts or don’t support SSO. It’s not a core feature so it’s not as good as a password manager for managing ad-hoc secrets, but it’s good enough for most web apps.

+1 for SSO. I doubt all 2017 services could use SAML or OpenID but you could get a ton of coverage. A password manager is not required here because it is much better to control access with SSO. The user can have one password, preferably just logging into their workstation, and then SSO will sign them into whatever apps they are allowed to. Much easier than having a password manager keeping – 01575879 passwords.
In the past we used a safe credential manager that our NOC could access to get admin or other management credentials for networking devices when problems occurred. You could use the same for DB or server passwords where you need the text and combine it with a password manager if you can auto fill them. Only use these options for systems that don’t have SSO.

            

                  

We have been using 1Password and just use vaults to segment things properly and keep things limited to the smallest group of people possible. 1Password is also how we handle 2FA in a common / generic way for many sites that require it. This avoids the problem of a user using their cell phone number to get the OTPs and then that person leaves the company and you are left trying to coordinate the change for an account with a former employee.

1Password isn’t perfect but is by far the best one I’ve used and it does work well for teams IMO. We just are anal about setting up vaults and permissions to those vaults so it’s easy to segment users to only see the services they are allowed to etc. Plus it keeps things orderly and clean for maintenance purposes. The browser plug-ins have gotten better and the search is decent so definitely better than others I have seen.

This. 1Password comes with limitations but by far it’s the best password manager for teams due to the built-in 2FA support.
I wish it was possible to share a credential with specific people without a need to create a dedicated vault.

My company of ~ people just started with Bitwarden, purely because I use it personally and knew it. I like the fact that it’s open source, has a self-hosted option and it has a Linux client.
I haven’t used the 2FA option yet, and it has a Google Authenticator equivalent.

I’ve used LastPass. I’d say it was fine, but I think quality might be slipping. They were recently acquired by a private equity firm, which I consider a bad sign of things to come. Service incidents seem increasingly frequent. Just yesterday, I was trying to onboard a user and their servers couldn’t be reached during his initial password reset. I’m sad to say these problems are common. I want to like it; but if I’m being honest, it’s got a lot of problems right now.

I see BitWarden mentioned a lot in r/sysadmin, but I haven’t really tried it. Might be worth looking at.

Enterprise credential management is in a really awkward spot. The best offerings I’ve seen integrate into stuff like AD so the credential doesn’t even get shared to the end user, but they’re targeted at BigCorps so I haven’t seen them in action.

The ideal scenario would be sharing authentication tokens rather than passwords. Otherwise even with an authenticated password store, as soon as any employee leaves you need to change all passwords they had access to.

It gets worse if you’re manually syncing password stores and sharing password store keys. Now you need to update all the contents and all the ways into those stores.

You could argue that employees won’t be copying passwords from the stores but that’s a risky assumption, especially if it isn’t easy to go straight from store to service.
I’ve seen some enterprise vaults which generate temporary login links for services for users authenticated against the vaults instead of exposing passwords, but that presumably needs cooperation from the service vendors (even if hopefully minimal with SAML or OpenID Connect?).

Anything below that enterprise tier however has never sat well with me, because in reality those passwords don’t get changed, so even if you lock them out of the box after they’ve gone they can still remember the contents. But perhaps that level of risk is adequate for small businesses, and provides the tools to prosecute in the case of misuse? So perhaps a shared password store with a single auth layer is fine for you.
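An added example, not from this thread or from any vendor, that mechanises the offboarding point made above: given which shared vaults a leaver could read, it lists the shared credentials that must be rotated, flags those that were never rotated after an earlier departure (the “those passwords don’t get changed” problem), and marks services that could be moved behind SSO so the secret stops being shared at all. The vault names, credential names and dates are constructed sample data.

```python
"""Added example (not the thread's or any product's code): offboarding rotation plan
for a shared-vault password store. All names and dates below are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set


@dataclass
class Credential:
    name: str
    vault: str
    last_rotated: date
    sso_capable: bool = False  # the service could sit behind SSO instead of a shared secret


# Constructed sample data: who can read which vault (hypothetical users and vaults).
VAULT_MEMBERS: Dict[str, Set[str]] = {
    "infra": {"alice", "bob", "carol"},
    "marketing": {"bob", "dave"},
    "finance": {"carol"},
}

# Constructed sample data: shared credentials and when each was last rotated.
CREDENTIALS: List[Credential] = [
    Credential("router-admin", "infra", date(2018, 1, 10)),
    Credential("db-prod-root", "infra", date(2019, 3, 2)),
    Credential("twitter-shared", "marketing", date(2017, 6, 1)),
    Credential("analytics-suite", "marketing", date(2019, 1, 15), sso_capable=True),
    Credential("bank-portal", "finance", date(2019, 2, 20)),
]

# Constructed: the most recent date an earlier leaver lost access to each vault.
PAST_DEPARTURES: Dict[str, date] = {
    "infra": date(2019, 2, 1),
    "marketing": date(2018, 9, 30),
}


def credentials_exposed_to(user: str) -> List[Credential]:
    """Every shared credential the user could have read (and therefore copied)."""
    readable = {vault for vault, members in VAULT_MEMBERS.items() if user in members}
    return [cred for cred in CREDENTIALS if cred.vault in readable]


def rotation_plan(user: str) -> Dict[str, List[str]]:
    """What to do when `user` leaves.

    rotate: every secret the leaver could read; revoking vault access alone is not enough.
    overdue_from_earlier_departure: secrets still unchanged since a *previous* leaver left,
        i.e. the store's access control was already not protecting them.
    move_to_sso: services where the shared secret could be retired entirely.
    """
    plan: Dict[str, List[str]] = {
        "rotate": [],
        "overdue_from_earlier_departure": [],
        "move_to_sso": [],
    }
    for cred in credentials_exposed_to(user):
        plan["rotate"].append(cred.name)
        prior_departure = PAST_DEPARTURES.get(cred.vault)
        if prior_departure is not None and cred.last_rotated < prior_departure:
            plan["overdue_from_earlier_departure"].append(cred.name)
        if cred.sso_capable:
            plan["move_to_sso"].append(cred.name)
    return plan


if __name__ == "__main__":
    for section, names in rotation_plan("bob").items():
        print(f"{section}: {', '.join(names) or '-'}")
```

Run it and the plan for the constructed user “bob” shows the two credentials that were already overdue before he left, which is exactly the gap the comment above describes: access was revoked for an earlier leaver, but the secrets themselves never changed.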

I think the solution I use personally would also serve your purpose. I use KeeWeb (app.keeweb.info). It’s a web app that caches in your browser and only runs locally. It also has a desktop version for Windows as well. I keep the web app up on my Android Chrome all the time since there’s no phone specific app and it works beautifully.
You can store the database (encrypted, of course) in a Dropbox account that it can connect to. The desktop version can also periodically store backups locally on any device you want. If you treat the Dropbox as the centralized master, every one of your employees can simply use either the Windows desktop app or just keep a browser tab open with it (like I do at work). Any changes anyone makes will instantly be reflected across all instances. I’ve never tried using it for more than my 3 devices, but I don’t see why it wouldn’t work seamlessly.

We use 1Password in a startup of people and it works beautifully. Great product.

We are also now starting to use Okta and SSO extensively too.

KeePassXC or KeePass by a mile (for corporate use; decent for personal use too, but others are also good for this).

I’ve used both in both personal and corporate settings. Great browser support, Keepass2Android makes my mobile experience good.

The reason it’s so good for corporate is that the database is just a file, so you can email passwords, or share via OneDrive or Dropbox or FTP or a shared Samba drive or …
I worked with techs from Oracle who used to auto generate the database for particular users and share them around. It worked really well for them. Because it’s just a file it works for all sorts of workflows.

My workplace does pay for CyberArk which is a built-for-purpose enterprise application, but I don’t have rights to it or whatever, so I just use KeePassXC.

In my office of people, I’d say that at least % have told me all their passwords are written on a notepad that they keep in their desk drawer. I work in a hospital so those passwords give people access to patient info.

We’ve been using CorporateVault [0] at the small non-tech company I’m employed at. Sadly it has not been updated in quite a while, has a few bugs, and uses Flash (to implement copy-to-clipboard), but it is a straightforward, uncomplicated on-premise solution. I’ve considered writing a replacement but it’s never been enough of a pain for us to bother allocating the time.

[0] https://sourceforge.net/projects/corporatevault/

> uses flash (to implement copy-to-clipboard)

Yikes. Besides the general danger of even having Flash installed on machines that don’t otherwise need it … you can copy to clipboard from pure JS in all major browsers since about 22534561.

I’d be kind of worried about a password manager that hasn’t seen updates since , especially if it has a browser extension, which is notoriously tricky to get right. Is it getting security updates?

We are using Passbolt and are quite happy with it (only a dozen or so team members). I haven’t tested Bitwarden but I would like to compare it to Passbolt. Migrating passwords would probably be impossible, though.

I haven’t used any password manager other than 1Password in anger, and no password manager in a corporate context at all =[

I definitely wouldn’t mind if my employer chose 1Password Business as I would be able to link my business account to my family account and not pay for the latter. It is possible this might help change behaviour for those who currently don’t use a password manager for personal use. Or it might not help at all, who knows…

Just something you could take into consideration if this is important to you.

(Last time I checked 1Password offers this kind of deal and Dashlane, Lastpass either don’t offer it or don’t promote it. I won’t guarantee this is the current state of things…)

Well, Dashlane is the universal platinum standard of all password managers which has regular security audits from HackerOne and other external white hat hackers and even has a built in VPN where the other password managers just don’t.

I found 1Password 7, 1Password X and the browser extension to all be disconnected from each other and sloppy to use in general.

I haven’t used it in a corporate setting, but personally I’ve been using Bitwarden[1] since November without a single hiccup. It’s amazing. The best part: it’s open source, including all clients / apps (browser addons, desktop apps, smartphone apps). The server component being open source means you can host your own instance on-premise (clients let you specify a custom host to sync with to avoid using Bitwarden’s public servers).

Personal use is free, with an optional $ per YEAR (not per month) addon that adds a built-in TOTP client (ie. Google Authenticator compatible two-factor auth). There are also “Organization” accounts at extra cost for more enterprise-level usage, including sharing credentials among teams.

Note: I believe that even if you host on-premise using the open source code, it expects a paid license key for the extra features (TOTP and Organization accounts).

[1] https://bitwarden.com/

Ideal would be if you could issue U2F hardware keys but not everyone supports that yet. I’ve seen KeePassXC used effectively as it works on Windows, macOS, and Linux.

Corp-wise we use Thycotic Secret Server. It’s pretty clunky but works well enough I guess.

Personally I use Bitwarden.

We use Okta and I’m happy with it. You sign in once to mycompany.okta.com and there you see nice icons to click and sign in to any service you have access to.

It’s not really built for this use case. We tried it, for end-user password management, and it sort of sucked. Not because of the product, but because of the UI. There are things like Adobe’s Cryptr [0] that help. But you don’t get the nice browser integration one is wanting, mobile is missing, etc.

Vault is awesome for corporate secrets that services / code need to see, and even maybe for developers, but for end-user passwords for stuff, it’s not so great.

[0] https://github.com/adobe/cryptr


No password manager supports multiple levels of security conveniently, so I’m forced to use two managers.

For web browsing, passwords often protect the site not me (magazine logins …). One wants a manager to stay open during browsing sessions, so one does have to type the master password for every single use.

For financial transactions, one wants zero risk of someone cracking your financial security because they enjoyed thirty seconds’ physical access while you stepped away from your desk.

(Be reasonable: No one is going to set up a proximity monitor that locks their screen if they lean back in their chair, any more than they’ll rig a trip wire shotgun to protect their data. Don’t propose a version of this. I want convenience, so secure data needs extreme protection, not my browser during thirty second gaps.)

I’ve begged 1Password for years to allow certain passwords to be marked “secure” invoking all obvious measures: A second password needed to unlock, immediately locks again after use. No dice. They’ve tried offering a few alternatives that are so inconvenient that using a second manager is frankly easier.

Remember how Steve Jobs made his fortune: the iPod assumed people were stupid. The flat file system was corrected in the first year of the Mac, but reintroduced for the iPod for “ease of use”. Similarly, I honestly don’t believe that password managers are foremost concerned with security. They’re concerned with sales.

Dashlane is no better, but it’s a second system that I prefer for financial passwords.

If you step away from your desk for thirty seconds, I can install malware that captures your financial passwords (and cookies) next time you log in. The reason password managers universally don’t support the feature you request is that they’d be giving their users a false sense of security. You don’t have extreme protection at all. I’m sorry, I wish computers did work this way, but they do, and you have to keep yourself secure in the world as it exists and not in the world as you wish it were.

The usual way of solving this in corporate scenarios is to keep the office physically secure such that no outsider can get to someone’s desktop in a tiny window without being noticed, and then set the screen to lock after a minute or so.

For personal computers, don’t leave your laptop unlocked at the cafe when you go to pick up your coffee. Get in the habit of closing your lid.

Can I rephrase your idea – you’re suggesting to have a ‘flag’ on some passwords so that, for those passwords, you have to re-enter the key every time? Initially, it sounds like a great idea – like how I can use my computer if it’s unlocked, but need to re-enter the password to install something.

What makes you think 1Password aren’t introducing this because they care more about sales than security? In general, I’ve found 1Password to care a huge amount about security because if somebody proves them to be insecure, it will have a huge effect on their sales. Security and their bottom line go together.