Posted by u/flippyhead 6 years ago
Ask HN: What's the best corporate password manager?
My company of ~25 people needs to manage access to probably ~100 services our employees use everyday and I assume some kind of password manager which I can centrally manage is the way to go.

I often hear things on here about products that claim to be secure but aren't -- what password manager is considered reliable and secure? Which do you use?

Thank you!

davismwfl · 6 years ago
We have been using 1Password and just use vaults to segment things properly and keep things limited to the smallest group of people possible. 1Password is also how we handle 2fa in a common/generic way for many sites that require it. This avoids the problem of a user using their cell phone number to get the OTPs and then that person leaves the company and you are left trying to coordinate the change for an account with a former employee.

1Password isn't perfect but is by far the best one I've used and it does work well for teams IMO. We just are anal about setting up vaults and permissions to those vaults so it is easy to segment users to only see the services they are allowed to etc. Plus it keeps things orderly and clean for maintenance purposes. The browser plug-ins have gotten better and the search is decent so definitely better than others I have seen.

webo · 6 years ago
This. 1Password comes with limitations but by far it’s the best password manager for teams due to the built in 2fa support.

I wish it was possible to share a credential with specific people without a need to create a dedicated vault.

frozen_memory · 6 years ago
I don't agree. When compared to other offerings (LastPass, BitWarden) 1password consistently comes up short in enterprise features. 1password doesn't even have an API. Three of the biggest issues I have with 1password:

1. If a user fails (or skips) 2FA, they still retain complete access to any passwords/vaults they previously locally synced... they just can't sync new/updated entries. This seems like a really flawed design - a 2FA failure should prevent access. When I asked the 1password team whether they'd consider invalidating local cache on 2FA failure, they did not seem interested.

2. You can't create links to passwords, which would allow management of an entry from a single location. If you want to share a password across multiple teams/vaults, you need to know about and maintain those entries for the same account, which means you also have to have access to all those vaults to manage that entry. This discourages password rotation, and increases the likelihood of orphaned passwords in other vaults.

3. Lack of granular permissions structure. You can't, for example, allow a user to initiate vault resets without giving them full admin access to the entire thing. Again, other password managers allow more fine-grained control.

To me, 1password feels like a small-time solution that tried to bolt on some enterprise features to retain customers. I don't think it should be considered enterprise software.

ac2u · 6 years ago
I love 1password but I don't understand why you'd use it for 2fa. Surely if someone gains access to your 1password account you're just giving them the "something you have" aspect of 2fa for free?
developer2 · 6 years ago
I have to spam another comment here to suggest that Bitwarden also has built-in two-factor auth. $10/year (not per month) for personal use, and I believe it's included for $3/month/user in the enterprise version. Cheaper than 1Password, and a better overall app imo.

movedx · 6 years ago
> 1Password is also how we handle 2fa in a common/generic way for many sites that require it. This avoids the problem of a user using their cell phone number to get the OTP's and then that person leaves the company

For high-level corporate accounts, just have 2-3 office phones with different phone numbers. Each number is for a different department or level of access. Provide the right number given the nature of the access required (AWS Root account versus Xero accounting software, for example) and then use that as the 2FA. You can even use virtual 2FA for this.

Just a thought.

For personal-level access for each employee, provide your employees with second-hand, cheap Android phones you can buy for mere pennies, keep them in the office at all times, on charge, on wifi-only. This has the benefit of helping to reuse old hardware as opposed to it ending up on some tip.

alexandercrohde · 6 years ago
1Pass is great, but it lacks the kind of advanced tooling I'd want for it to scale.

Password sharing controls are insufficient.

loafcake · 6 years ago
Hi, alexandercrohde. I work for 1Password. I'm excited to learn from your experience using our product.

Would you be able to share feedback on where you feel the product falls down around tooling to scale? I'd like to make sure our teams are thinking about any difficulties you are having. There also may be more efficient ways to accomplish things that we can point out. Looking forward to your feedback. Thanks in advance!

bpicolo · 6 years ago
> manage access to probably ~100 services our employees use everyday

Is single sign-on an option, instead? Something like Okta is a much better experience for less technical users (and, well, engineers too) where possible, and also lets you trivially manage credentials access as people on/off board (no need to rotate credentials if you're worried folk may have written them down on paper somewhere with malicious intent). That said, it doesn't help folk with personal credentials management, which can be useful for good security policy in addition.

1password is my favorite to have around for services that don't support SSO. I like it so much I pay for a family account, even.

atonse · 6 years ago
The problem with SSO isn't technical, but that most SaaS products I've seen only support SSO for their enterprise tiers.

Otherwise, thanks to many providers like Okta and others, SSO should really be a feature provided to smaller tiers nowadays.

We're a small business (2 founders, 3 contractors), and we'd love to use SSO for everything. But we're too small to afford enterprise tiers for things like Slack, Gitlab, etc.

Hopefully this trickles down eventually.

Update: I'd like to add that we provide a SaaS product as well, and have considered adding SSO to the enterprise tier but after much research we can't really find a good reason to restrict it (apart from "everyone else is doing it", and potential manual config).

But both SAML and OpenID Connect have discovery protocols. Again, this CAN technically be self-configured by the right customer. But then, maybe the solution is to have a one-time config fee, rather than require a certain tier.
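atonse's point that discovery lets a customer self-configure SSO can be made concrete. The Go code below is an added example, not atonse's or any vendor's code: given the issuer URL a customer types, it derives the OpenID Connect discovery URL and validates a fetched discovery document before the SaaS trusts it (the https fetch itself is left out; a constructed sample document is embedded instead). The JSON field names are the standard OIDC Discovery ones; the hostname idp.example.com is a placeholder.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Provider holds what a SaaS needs to complete OIDC login for one customer.
// Added illustration of self-service SSO configuration, not any vendor's code.
type Provider struct {
	Issuer, AuthorizeURL, TokenURL, JWKSURL, IDTokenAlg string
}

type discoveryDoc struct { // subset of the OIDC Discovery metadata used here
	Issuer                string   `json:"issuer"`
	AuthorizationEndpoint string   `json:"authorization_endpoint"`
	TokenEndpoint         string   `json:"token_endpoint"`
	JWKSURI               string   `json:"jwks_uri"`
	IDTokenAlgs           []string `json:"id_token_signing_alg_values_supported"`
}

// SampleDoc is a constructed document for a placeholder IdP, not a real one.
var SampleDoc = []byte(`{"issuer":"https://idp.example.com","authorization_endpoint":"https://idp.example.com/authorize","token_endpoint":"https://idp.example.com/token","jwks_uri":"https://idp.example.com/jwks","id_token_signing_alg_values_supported":["none","RS256"]}`)

// DiscoveryURL is where an issuer publishes its metadata; the SaaS fetches it.
func DiscoveryURL(issuer string) string {
	return strings.TrimSuffix(issuer, "/") + "/.well-known/openid-configuration"
}

func httpsURL(field, raw string) error {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return fmt.Errorf("%s must be an absolute https URL, got %q", field, raw)
	}
	return nil
}

// ValidateDiscovery takes the issuer the customer typed and the document fetched
// from DiscoveryURL(issuer), and refuses to configure anything that fails the
// checks a relying party must make before trusting a self-supplied provider.
func ValidateDiscovery(issuer string, doc []byte) (*Provider, error) {
	if err := httpsURL("issuer", issuer); err != nil {
		return nil, err
	}
	var d discoveryDoc
	if err := json.Unmarshal(doc, &d); err != nil {
		return nil, fmt.Errorf("discovery document is not valid JSON: %w", err)
	}
	// OIDC Discovery requires the document's issuer to equal the one it was
	// fetched from; a mismatch means tokens could be mixed up between providers.
	if d.Issuer != issuer {
		return nil, fmt.Errorf("issuer mismatch: configured %q, document says %q", issuer, d.Issuer)
	}
	endpoints := map[string]string{
		"authorization_endpoint": d.AuthorizationEndpoint,
		"token_endpoint":         d.TokenEndpoint,
		"jwks_uri":               d.JWKSURI,
	}
	for field, raw := range endpoints {
		if err := httpsURL(field, raw); err != nil {
			return nil, err
		}
	}
	// Pin an asymmetric ID-token signature; never let the provider pick "none".
	for _, alg := range []string{"RS256", "ES256", "PS256"} {
		for _, offered := range d.IDTokenAlgs {
			if offered == alg {
				return &Provider{issuer, d.AuthorizationEndpoint, d.TokenEndpoint, d.JWKSURI, alg}, nil
			}
		}
	}
	return nil, fmt.Errorf("no acceptable id_token signing algorithm in %v", d.IDTokenAlgs)
}
```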

brippalcharrid · 6 years ago
> most SaaS products I've seen only support SSO for their enterprise tiers.

Lower tiers of SaaS products are more-or-less strictly designed for:

- individuals or very small businesses where everyone is friends

- who don't have exacting requirements/audit/traceability/reporting concerns

- who are willing to accept some pain/inconvenience if they use it outside of its design parameters

Credential-sharing services in the age of SSO are a dirty workaround designed to circumvent SaaS product segmentation (which would otherwise cause established companies to effectively subsidise tiny startups). I'm all for hacker philosophy, and perhaps this applies less to your situation than it does to the OP, but I do think the idea of credential-sharing is a horrible kludge that has only risen to prominence because of the specific issue that I mentioned, and which only leads to more problems with things like non-repudiation.

blackearl · 6 years ago
Okta also works as a basic password manager so it may be worth setting up the SSO that is free/included and then use the browser add-on for the rest
tuckerconnelly · 6 years ago
Just throwing this out there--Gitlab can be self-hosted (pretty quickly with a helm chart if you're running Kubernetes), and there are self-hosted alternatives to Slack and most other SaaS. Self-hosted Gitlab IIRC has an SSO config. If you have someone technical enough to set these up, it's an option.
andrewzah · 6 years ago
Gitea (and probably gitlab) allow you to set up SSO auth.

For everything else, you can put your services behind i.e. traefik and write a middleware, or use something like caddy which has a plugin for sso.

bpicolo · 6 years ago
Yeah, it's definitely an uncreative way for SaaS products to charge you more money that many take advantage of.
gchamonlive · 6 years ago
Shameless self-endorsement here.

I have built an API to interact with 1password through its CLI: https://github.com/lettdigital/onepassword-api

The repo also includes an example of how to call the API using AWS Lambda.

The logic to interact with the 1password CLI is wrapped in an SDK, that can be used independently: https://github.com/lettdigital/onepassword-python

wheelerwj · 6 years ago
what use cases do you imagine for this?
blowski · 6 years ago
Certainly for a company between 25 people, 1Password is great. As an added bonus, you can give staff a 1Password families account for free.

Not totally relevant to the question, but how well does it scale to enterprise? I found the need to create and manage individual access to vaults to be complicated, even at a few users. I can't imagine how you'd manage 1000s of passwords accessed by combinations of 1000s of users, including third-parties, contractors, etc. Are there any better password management solutions in the enterprise space?

ncallaway · 6 years ago
I can't answer your question directly, since we only have 4 people at our company, so not really enterprise scale...

But they did recently introduce a CLI here: https://support.1password.com/command-line-getting-started/#...

That makes me optimistic that you could at least do a fair amount of automation around it. I haven't used it myself yet, so I'm not sure how fully featured the cli is

wil421 · 6 years ago
+1 for SSO. I doubt all 100 services could use SAML or OpenID but you could get a ton of coverage.

A password manager isn’t required here because it is much better to control access with SSO. The user can have one password, preferably just logging into their workstation, and then SSO will sign them into whatever apps they are allowed to. Much easier than having a password manager keeping 80-100 passwords.

In the past we used a safe credential manager that our NOC could access to get admin or other management credentials for networking devices when problems occurred. You could use the same for DB or server passwords where you need the text and combine it with a password manager if you can auto fill them. Only use these options for systems that don’t have SSO.

mm89 · 6 years ago
We also use 1Password at my employer of ~30. I have had a 1Password Personal account and used the 1Password app since 2010. It's amazing now, especially if you're on iOS with FaceID.

I used Okta at a previous employer; it was good too.

mjlee · 6 years ago
I'll chuck another vote in for Okta. It even has admin or user managed password settings if you want it to behave like a password manager for sites that have shared accounts or don't support SSO. It's not a core feature so it's not as good as a password manager for managing ad-hoc secrets, but it's good enough for most web apps.
silviogutierrez · 6 years ago
Relevant (not my own): https://sso.tax

edwardr · 6 years ago
I'd agree that SSO is a good option. Check out our SSO solution and ping me with any questions!

https://tozny.com/tozid

messo · 6 years ago
I have used Bitwarden personally for a while, coming from KeePassXC (Linux and Android), and it has been a joy to use. My company is now looking into using it both internally and as a solution for organizations and businesses we serve, mainly because it offers a self-hosted / on-premise solution and decent pricing, and the fact that it is open source.

I would never trust my passwords to a closed source project that could be ridden with insecure code and disappear or change considerably on short notice. When the source code is open, chances for survival of the project in one form or another is much higher.

I also like that they take feature requests on their community forum and that their Github repo is active and responsive to issues.

jariel · 6 years ago
"I would never trust my passwords to a closed source project that could be ridden with insecure code "

The thing is, everywhere you use your password is probably 'closed source' and probably has 'lots of bugs'.

Ima guess that people re-use a lot of passwords and therefore are going to be at risk due to said 'closed source'.

I think that open v. closed may be only one of many considerations.

worble · 6 years ago
>The thing is, everywhere you use your password is probably 'closed source' and probably has 'lots of bugs'.

Well, that's the argument for a password manager, no? You can't trust any of these services, so you generate transient, strong, one time passwords for each of these, and then use a password manager you trust to manage it all instead. If one gets leaked, then sure it's a pain, but at least it doesn't mean they can log into every other service too!

benburleson · 6 years ago
Ima guess that most people that use a password manager generate a new, strong, unique password for each new service.
djhaskin987 · 6 years ago
KeepassXC or Keepass by a mile (for corporate uses; decent for personal use too but others are also good for this).

I've used both in both personal and corporate settings. Great browser support, Keepass2Android makes my mobile experience good.

The reason it's so good for corporate is that the database is just a file, so you can email passwords, or share via one drive or Dropbox or ftp or shared samba drive or ...

I worked with techs from Oracle who used to auto generate the database for particular users and share them around. It worked really well for them. Because it's just a file it works for all sorts of workflows.

My workplace does pay for Cyberark which is a built for purpose Enterprise application, but I don't have rights to it or whatever, so I just use KeepassXC.

Legogris · 6 years ago
The problem with KeepassXC in larger teams than, like, 4 people is the shared secret/keyfile - basically this means that whenever a person leaves you have to change encryption keys and make all users rotate their secrets.

Same in case of a leak.

With solutions using per-user keys, you just have to revoke/remove keys for that single user. GNU pass (FOSS) and Bitwarden (paid, open source) both do this.

hau · 6 years ago
KeeShare, which comes with keepassxc, allows for sharing secrets with per user control. It's somewhat convoluted but preferable to sharing the whole database.

https://github.com/keepassxreboot/keepassxc/blob/develop/doc...

mdibaiee · 6 years ago
LastPass is the worst piece of software I have ever worked with. We had a lot of trouble making sense out of its sluggish user interface and confusing terminology and more.

BitWarden is my choice, it's cheaper than alternatives, the UI is simple and easy to understand. It's open-source and battle-tested. You may want to self-host as well.

Danski0 · 6 years ago
+1 Lastpass created more chaos than solving issues in our company. Multiple dashboards that interfere with each other, horrible overview causing outdated/wrong rights, users having to restart several times before new passwords showing up, bad mobile support and much more.
skrowl · 6 years ago
Upgraded from LastPass to BitWarden around this time last year. Amazing piece of software. I can't recommend it highly enough!
wpietri · 6 years ago
Totally with you on both counts. It amazed me how clunky and buggy LastPass was. I used it both as a browser plugin (FF, Chrome) and as an Android app. In a truly impressive achievement of corporate standards, each platform had different issues, but all achieved the exact same level of low overall quality.

I switched to BitWarden a couple of months back and I'm very happy with it. I have quibbles, but it's a much more solid experience.

znpy · 6 years ago
Lastpass was adopted at my previous employer, it was a mess to use and absolutely not user-friendly or intuitive.

Glad I don't have to use it anymore.

klenwell · 6 years ago
Another thing that drives me crazy with LastPass is it won't give you a distinct URL for a note or folder (or whatever they call that particular resource) that you want to share.

So I end up having to give other members of my team step-by-step directions to finding the right file or folder every time I share one. And that's assuming the access permissions haven't got borked, which seems to happen more often than not.

I've been pushing my company to drop it for a while.

jmkni · 6 years ago
I'm still rocking Keepass after nearly ten years now. I've tried Lastpass, and found it clunky/fiddly in comparison.
sethammons · 6 years ago
I've been a KeePass user for at least as long. Sharing it with my wife and my multiple computers was done via Dropbox. I switched a couple of months back to self-hosted bitwarden. It is _much_ better. No need for file sync. Better UI. My wife actually _uses_ it now, as opposed to before she would avoid keepass. With Bitwarden, you get better control over passwords and who can see them and all that. Bitwarden also will host for you if that is not your jam. I highly encourage adoption of Bitwarden :)
eli · 6 years ago
How do you share passwords between people with keepass?
angrydev · 6 years ago
We also use LastPass and it sucks so hard. Terrible UI, bad UX decisions, frequently breaks.
lloydatkinson · 6 years ago
Was starting to think I was the only one that thought this. It's a total POS.
justin_oaks · 6 years ago
I reviewed BitWarden about a year ago for my company. Ultimately the reason I rejected it was that I couldn't find a way to reset another user's master password. It is certain that users will forget their master password and need to have it reset.

Perhaps it has changed since, or maybe it was just hard to find. Oh well, too late now.

We ended up using 1Password. My only real complaint with it is the need to create a vault for sharing something from one user to another. That means that if any two people in the company want to share, they need to get an admin involved so the admin can create the vault.

tracker1 · 6 years ago
With bitwarden, the account's data may be encrypted against the passphrase afaik... Also, you can set up shared groups for passphrases that are meant to be shared and the way the browser extension works, you need to enter it each restart to use it, so it should be more common.

The whole point of a password manager is so you only have to remember one passphrase. Suggesting an actual sentence and not having byzantine passphrase requirements will help. My fiance is really bad with this one, I admit that I don't have much empathy here.

storedbox · 6 years ago
Bitwarden is end-to-end encrypted. So, password "resets" aren't really a thing without also resetting the vault as a whole.
jdlyga · 6 years ago
I experimented with Bitwarden for a little while, but it didn't have a good method for changing passwords. I ended up switching back to LastPass. But, I'm pretty frustrated with their buggy iOS app.
developer2 · 6 years ago
Can you elaborate? Changing a password with Bitwarden is just editing the field or–even better–a one-click button to (re)generate a new random password (including options for length and complexity requirements). If you are logged into the browser addon, it will also (depending how javascript-hacky the website is) prompt to save the new password when you modify the password in a website's settings.

Unless you're talking about mass-replacing a single password across a bunch of different entries? Which is certainly not a limitation of any password manager; reusing a password is just horrible.

solumos · 6 years ago
You should try OneLogin - LastPass is a dream by comparison.
dcchambers · 6 years ago
I can echo the frustration with LastPass. Definitely would not recommend it.

I used KeePass at a previous company and loved it.

mfasduf · 6 years ago
Could you elaborate more on the problems with lastpass a bit?
xnyan · 6 years ago
1) Slow, confusing and rarely updated (and any updates are just as likely to be a regression as an improvement in my subjective opinion) UI. The browser extension is terrible and up to last year, their hacky password-field-finding javascript slowed down several pages to the point it was unusable. It's still not great.

2) The business model of LastPass worries me. 1Password (I tried it for a 3 month trial, don't use them or have any skin in the game for them) charges a lot more than LastPass and, in addition to having a smoother, speedier and more performant application, they are charging enough money to feasibly be profitable just storing passwords.

LastPass has had more data breaches than the others (google). It's run by a domain register. In my opinion this influences how the password business is run, leading to a marketing-forward rent extraction password manager vs a good one.

sabalaba · 6 years ago
- It frequently stops working and needs to have the chrome extension reinstalled (at least on Linux).

- It’s sluggish.

- The password sharing experience sucks.

- The drop down menus often get obfuscated in weird ways.

raverbashing · 6 years ago
You might not like it, but I have a long list of software worse than it, I really don't get the hate for it.
actionowl · 6 years ago
The personal version works well in comparison. We liked it and adopted it for our company but using the enterprise version, that's when it really started to give us problems.
Legogris · 6 years ago
Depending on your preferences, it might be worth looking into GNU pass. You have to do the additional setup of syncing/sharing password stores (Keybase can work for this) and users need to have basic knowledge of working with PGP keys. Encryption is done via per-user GPG, which is convenient, easy and secure if you're used to it and frustrating if you aren't already and not willing to take the hour or two necessary to get fully up to speed. There are tons of clients for various platforms and use-cases.

KeepassXC can work fine, but it's not super integrated in terms of alternative clients, CLI, mobile etc. If you go with keepass, make sure to use XC (the most recent community fork AFAIK). Similarly to GNU Pass, you need to sort out syncing yourself and have the additional hassle of maintaining a shared secret, and alternatively a shared keyfile. If one is compromised, you need to make everyone rotate, which in practice leads to lazy teams never rotating keys and even using keys they know probably are compromised already.

LastPass is horrible, in my experience. The web app is incredibly buggy and the only thing that really works somewhat well is the browser extension, which I don't trust much.

1password is a slight step up from LastPass.

I heard great things about BitWarden and it looks compelling but haven't tried it yet.

Hashicorp Vault is great, but IMO not suitable for "manual" credentials and more for provisioning and maintaining secrets that are fetched by your internal services. If you need non-engineers to have access to it for shared web app accounts etc, Vault is probably not a good choice.
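Legogris contrasts KeePass's single shared secret (here and in the earlier reply to djhaskin987) with the per-user keys of GNU pass and Bitwarden. The Go program below is an added example, not code from any of those projects, of the per-member key-wrapping model that makes single-user revocation possible, with the caveat a practitioner would want: the leaver may already have cached the unwrapped key, so revocation must also rotate it and re-wrap for the remaining members. It assumes random 32-byte member keys where a real tool would use a passphrase-derived key or a GPG key, and AES-GCM from the Go standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Vault (added illustration, not Bitwarden's or GNU pass's code): one DEK wrapped per member.
type Vault struct {
	Wrapped map[string][]byte // member name -> DEK sealed under that member's own key
	Blob    []byte            // the store itself, sealed under the current DEK
}

// NewKey returns 32 random bytes, used for member keys and DEKs alike.
func NewKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// Seal is AES-256-GCM (keys are always NewKey's 32 bytes): nonce || ciphertext || tag.
func Seal(key, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	nonce := NewKey()[:g.NonceSize()]
	return g.Seal(nonce, nonce, plaintext, nil)
}

// Open reverses Seal; a wrong key fails the tag check instead of yielding garbage.
func Open(key, box []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, _ := cipher.NewGCM(block)
	if len(box) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, box[:g.NonceSize()], box[g.NonceSize():], nil)
}

// Rotate seals contents under a brand-new DEK wrapped only for the members listed.
func (v *Vault) Rotate(contents []byte, members map[string][]byte) {
	dek := NewKey()
	v.Blob = Seal(dek, contents)
	v.Wrapped = map[string][]byte{}
	for name, userKey := range members {
		v.Wrapped[name] = Seal(userKey, dek)
	}
}

// Unwrap recovers the DEK for one member (what a client caches); unknown names just fail.
func (v *Vault) Unwrap(member string, userKey []byte) ([]byte, error) {
	return Open(userKey, v.Wrapped[member])
}

// Revoke, run by a member who stays, rotates the DEK and re-wraps it for the rest:
// nobody gets a new passphrase, and a DEK the leaver already cached stops working.
func (v *Vault) Revoke(gone, admin string, adminKey []byte, remaining map[string][]byte) error {
	dek, err := v.Unwrap(admin, adminKey)
	if err != nil {
		return err
	}
	contents, err := Open(dek, v.Blob)
	if err != nil {
		return err
	}
	delete(remaining, gone)
	v.Rotate(contents, remaining)
	return nil
}
```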

Evidlo · 6 years ago
KeePass has many alternative clients for each platform.
techntoke · 6 years ago
As does pass (although, gopass is a good compatible alternative with more features). I really like how it works with Git for version history as well and GnuPG (PGP) is industry standard within the security sector. gopass has browser plugins readily available, and it supports TOTP.
dhruvkar · 6 years ago
My company of ~30 people just started with Bitwarden, purely because I use it personally and knew it. I like the fact that it's open source, has a self-hosted option and it has a Linux client.

I haven't used the 2FA option yet, and it has a Google Authenticator equivalent.

rdslw · 6 years ago
Unfortunately 2fa on the Android Bitwarden client is non existent.

Bug is open already for a year :-(

P.S. 1password has it.

Corrado · 6 years ago
I've been using my fingerprint as a 2FA on Android BitWarden for quite a while. Is this not sufficient for your use-case? Is there something else that you would rather use? Perhaps a YubiKey?
Reptarsonist · 6 years ago
What bug? Bitwarden's android app supports 2FA.
paol · 6 years ago
We recently chose 1Password for this purpose. We also evaluated Dashlane but gave it up pretty quickly because of bad UI (not that 1Password is stellar) and some basic requirement that was not met - I forget what.

Security wise, we looked at the 1Password CVE history[1] and it seems pretty ok.

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=1password