Ask HN: What's the best corporate password manager?

274 points by flippyhead ↗ HN
My company of ~25 people needs to manage access to probably ~100 services our employees use everyday and I assume some kind of password manager which I can centrally manage is the way to go.

I often hear things on here about products that claim to be secure but aren't -- what password manager is considered reliable and secure? Which do you use?

Thank you!

258 comments

[ 2.5 ms ] story [ 306 ms ] thread
The best password manager application I've used it's 1password.
Well, Dashlane is the universal platinum standard of all password managers which has regular security audits from HackerOne and other external white hat hackers and even has a built in VPN where the other password managers just don't.

I found 1Password 7, 1Password X and the browser extension to all be disconnected from each other and sloppy to use in general.

Ideal would be if you could issues U2F hardware keys but not everyone supports that yet. I've seen KeePassXC used effectively as it works on Widows, macOS, and Linux.
I haven't used any password manager other than 1Password in anger, and no password manager in a corporate context at all =[

I definetely wouldn't mind if my employer choose 1Password Business as I would be able to link my binusnees account to my family account and not pay for the latter. It is possible this might help changing behaviour for those who currently don't use a password manager for personal use. Or it might not help at all, who knows...

Just something you could take into consideration if this is important to you.

(Last time I checked 1Password offers this kind of deal and Dashlane, Lastpass either don't offer it or don't promote it. I won't guarantee this is the current state of things...)

Post-it notes around the perimeter of your monitor
In my office of 10 people, I'd say that at least 50% have told me all their passwords are written on a notepad that they keep in their desk drawer. I work in a hospital so those passwords give people access to patient info.
It’s far from ideal, but not the worst. I’d rather that than an “unpassworded Excel file stored on the shared drive”, or “I use the same password on everything so it’s easy to remember”.
We tend sticking them at the bottom of the keyboard, so it's obviously more secure ;)
We use LastPass in our company and it's terrible. Avoid it if you can.
What's the problem with LastPass? I'm using it personally and did not have any problems with it.
Closed source and confusing UI seems to be the consensus. I use LastPass as well and am satisfied with it, but considering a switch to BitWarden due to seemingly perfect reviews.
- purchased a few years ago but a company with a shady privacy/security history

- hard to use, slow, clunky interface.

- desktop app (macos) doesnt work well. small file sharing is cumbersome and extremely limited.

- sync is miserable. just.. miserable. it usually required the receiver to log out and back in at least twice.

try 1password and the differences are immediate and undeniable.

We recently chose 1Password for this purpose. We also evaluated Dashlane but gave it up pretty quickly because of bad UI (not that 1Password is stellar) and some basic requirement that was not met - I forget what.

Security wise, we looked at the 1Password CVE history[1] and it seems pretty ok.

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=1password

We've been using CorporateValut[0] at the small non-tech company I'm employed at. Sadly it has not been updated in quite a while, has a few bugs, and uses flash (to implement copy-to-clipboard), but it is a straight-forward uncomplicated on-premise solution. I've considered writing a replacement but it's never been enough of a pain for us to bother allocating the time.

[0] https://sourceforge.net/projects/corporatevault/

> uses flash (to implement copy-to-clipboard)

Yikes. Besides the general danger of even having Flash installed on machines that don't otherwise need it... you can copy to clipboard from pure JS in all major browsers since about 2016.

I'd be kind of worried about a password manager that hasn't seen updates since 2016, especially if it has a browser extension, which is notoriously tricky to get right. Is it getting security updates?

> Besides the general danger of even having Flash installed on machines that don't otherwise need it...

Flash still built in to Chrome, it's installed anyway.

> you can copy to clipboard from pure JS in all major browsers since about 2016

CorporateVault was last updated in 2010.

> I'd be kind of worried about a password manager that hasn't seen updates since 2016, especially if it has a browser extension

It doesn't. Like I said, it's simple. It's just a Grails application you run on an on-prem server you can additionally lock down in any way you like.

I've looked at some alternatives in the past but so far none of them have been good enough to bother switching too. In fact, most of them have even worse functionality for our usecase.

Bitwarden
Yep, we use Bitwarden at Emvi and personally. Really nice and easy to use tool.
To expand a little bit, Bitwarden with your own hosting
Can you share your experience with self-hosting? Docker or no docker? Any issues?
Bitwarden because it has the "Teams" feature and can hsare passwords with multiple people. No sync issues like passing around a keypass file and worrying about having the latest version of it.
> manage access to probably ~100 services our employees use everyday

Is single sign-on an option, instead? Something like Okta is a much better experience for less technical users (and, well, engineers too) where possible, and also lets you trivially manage credentials access as people on/off board (no need to rotate credentials if you're worried folk may have written them down on paper somewhere with malicious intent). That said, it doesn't help folk with personal credentials management, which can be useful for good security policy in addition.

1password is my favorite to have around for services that don't support SSO. I like it so much I pay for a family account, even.

+1 for SSO. I doubt all 100 services could use SAML or OpenID but you could get a ton of coverage.

A password manager isn’t required here because it much better to control access with SSO. The user can have one password, preferably just logging into their workstation, and then SSO will sign them into whatever apps they are allowed to. Much easier than having a password manager keeping 80-100 passwords.

In the past we used a safe credential manager that our NOC could access to get admin or other management credentials for networking devices when problems occurred. You could use the same for DB or server passwords where you need the text and combine it with a password manager if you can auto fill them. Only use these options for systems that don’t have SSO.

Certainly for a company between 25 people, 1Password is great. As an added bonus, you can give staff a 1Password families account for free.

Not totally relevant to the question, but how well does it scale to enterprise? I found the need to create and manage individual access to vaults to be complicated, even at a few users. I can't imagine how you'd manage 1000s of passwords accessed by combinations of 1000s of users, including third-parties, contractors, etc. Are there any better password management solutions in the enterprise space?

I can't answer your question directly, since we only have 4 people at our company, so not really enterprise scale...

But they did recently introduce a CLI here: https://support.1password.com/command-line-getting-started/#...

That makes me optimistic that you could at least do a fair amount of automation around it. I haven't used it myself yet, so I'm not sure how fully featured the cli is

While 1Password is fantastic, their CLI is the worst CLI I’ve ever seen. Basically unusable.

You should just be able to say “give me the password for yahoo.com” but you can’t actually do that.

I wanted to use it to get npm 2FA on the command line and just gave up completely.

EDIT: if someone from 1Password reads this, please reach out. I have good CLI UX experience and would love to help fix it.

Super disappointing to hear :/
On the plus side, they did get a bunch of funding recently so hopefully they'll be able to devote some resources to it. They definitely seem like an organization that is pretty devoted to quality products.
I think it's a consequence of their internal data type not being specific to passwords. You can store some semi-freeform data structures in 1Password's database (e.g. notes, documents, account numbers, security questions, even binary files).
You can totally design a CLI around that kind of data model without resorting to jq
Disclosure: I am the lead developer for the team that builds the 1Password CLI.

You're completely right about the use-case there. One of the things I think we missed the mark on was choosing to expose the full item JSON structure as the default. I think it is important that access to the full item is available, but I think it would have been a much better user experience if we had abstracted that in the default case.

What you've pointed out here is what we are currently working on addressing. Development of the CLI was put on hold for over a year while development of our SCIM bridge was ongoing (they're built on the same codebase). In the past few months, we have ramped up the entire team, and movement has accelerated greatly on the CLI. This is feedback we're well aware of, and we're working hard to address it.

Feel free to post in our discussion forums if you're still willing to have a more extensive conversation: https://discussions.agilebits.com.

Really happy to hear you are working on it. FWIW your products are so fantastic I'm definitely more critical than I would be if that wasn't the case. I hold 1Password to a super high standard.

I'll give it a spin again too as it's been a while since I tried it last and check out the forums!

Thanks very much, and I hope within the next 2-3 months we'll be in a place where you can hold the CLI to those standards as well :)
Wow you handled that awkwardly critical comment like a champ! Haha. Cheers.
I'll chuck another vote in for Okta. It even has admin or user managed password settings if you want it to behave like a password manager for sites that have shared accounts or don't support SSO. It's not a core feature so it's not as good as a password manager for managing ad-hoc secrets, but it's good enough for most web apps.
The problem with SSO isn't technical, but that most SaaS products I've seen only support SSO for their enterprise tiers.

Otherwise, thanks to many providers like Okta and others, SSO should really be a feature provided to smaller tiers nowadays.

We're a small business (2 founders, 3 contractors), and we'd love to use SSO for everything. But we're too small to afford enterprise tiers for things like Slack, Gitlab, etc.

Hopefully this trickles down eventually.

Update: I'd like to add that we provide a SaaS product as well, and have considered adding SSO to the enterprise tier but after much research we can't really find a good reason to restrict it (apart from "everyone else is doing it", and potential manual config).

But both SAML and OpenID connect have discovery protocols. Again, this CAN technically be self-configured by the right customer. But then, maybe the solution is to have a one-time config fee, rather than require a certain tier.

Okta also works as a basic password manager so it may be worth setting up the SSO that is free/included and then use the browser add-on for the rest
Yeah, it's definitely an uncreative way for SaaS products to charge you more money that many take advantage of.
Just throwing this out there--Gitlab can be self-hosted (pretty quickly with a helm chart if you're running Kubernetes), and there are self-hosted alternatives to Slack and most other SaaS. Self-hosted Gitlab IIRC has an SSO config. If you have someone technical enough to set these up, it's an option.
If you have someone technical to set these up AND keep them up.

Many of those cool things take night or weekend to set up and that’s kind of fun to do. Regular patching and potential troubleshooting is the less fun part you get to do when adopting a new app.

Gitea (and probably gitlab) allow you to set up SSO auth.

For everything else, you can put your services behind i.e. traefik and write a middleware, or use something like caddy which has a plugin for sso.

> most SaaS products I've seen only support SSO for their enterprise tiers.

Lower tiers of SaaS products are more-or-less strictly designed for:

- individuals or very small businesses where everyone is friends

- who don't have exacting requirements/audit/traceability/reporting concerns

- who are willing to accept some pain/inconvenience if they use it outside of its design parameters

Credential-sharing services in the age of SSO are a dirty workaround designed to circumvent SaaS product segmentation (which would otherwise cause established companies to effectively subsidise tiny startups). I'm all for hacker philosophy, and perhaps this applies less to your situation than it does to the OP, but I do think the idea of credential-sharing is a horrible kludge that has only risen to prominence because of the specific issue that I mentioned, and which only leads to more problems with things like non-repudiation.

This has not been my experience. Trello is a good example. They have an enterprise tier that they basically starts at 100 users. Their business tier does not include SSO and I have a team of 60 people so the enterprise tier (which is about $250/person, by the way, compared to $12 a person for business) is out. Slack charges nearly double for their enterprise tier with SSO. I would not call not getting getting the tier down from the enterprise tiers a "dirty workaround" for most teams.
Yeah, I too hate the "call for pricing!" options and the "click here to be connected to our sales staff!" stuff, and SSO functionality being restricted to company accounts with >100 users or organisations that sign up for multi-year contracts. I also think the lack of white-label options for even enterprise-focused stuff is embarrassing. I'm not sure which of the two sides of this I hate more. In extreme cases, product offerings are bifurcated into:

- Sign up for free or with a credit card, but you'll run into problems (or at the very least friction/complications) if you end up trying to use if you something serious

- Speak to a salesperson and have your CFO sign the company up for a long-term strategic partnership.

The examples that you gave are less clear-cut though. Trello Business is $12.50 per month, and supports Google Apps SSO. Trello Enterprise supports general SSO, and costs $20.83 per month. Slack pricing is $6.67/mo for Standard, and $12.50/mo for Plus with SSO. None of these are costs that should really make or break the profitability of a company; considering that the business is using them to generate revenue or to reduce its expenses, how do they compare to other things like property/facilities expenses and employee salaries/benefits?

Shameless self-endorsement here.

I have built an API to interact with 1password through its CLI: https://github.com/lettdigital/onepassword-api

The repo also includes an example of how to call the API using AWS Lambda.

The logic to interact with the 1password CLI is wrapped in an SDK, that can be used independently: https://github.com/lettdigital/onepassword-python

what use cases do you image for this?
I currently have a stack of pem file management using terraform, lambda and this api.

When creating an ec2, we call a module that creates a tls key, a keypair and an object in a bucket.

This object creating triggers a lambda that downloads the objects contents, namely the pem key and calls the api to save it to 1password as a document.

This newly created document is available to every member that has access to the vault without having direct access to the bucket itself.

Another use I had was to create credentials for sonarqube automatically. We have a relatively large team on github and wanted to add sonarqube to the stack. What I did was just read every members name, email and username from github, create the respective users using sonarqube api and register their credentials using the sdk. It was trivial then to send them a copy of their credentials, a lot easier and less error prone than doing it by hand.

Many other use cases can be thought. You could implement iam key rotation using this. You could share support credentials for your team using 1password and have automated tools read from the same source.

It really just make everything easier to replicate, integrate and manage using this api or the python sdk. The last thing you want is to screw someones credentials because of a human error (typo, forgot to save the password etc...)

We also use 1Password at my employer of ~30. I have had 1Password Personal account and used the 1Password app since 2010. It's amazing now, especially if you're on iOS with FaceID.

I used Okta at a previous employer; it was good too.

SAASPASS password manager is both for enterprise and consumer use. It also has 2FA and SSO etc..
We use Okta and I'm happy with it. You sign in once to mycompany.okta.com and there you see nice icons to click and sign in to any service you have access to.
(comment deleted)
I've used LastPass. I'd say it was fine, but I think quality might be slipping. They were recently acquired by a private equity firm, which I consider a bad sign of things to come. Service incidents are seeming increasingly frequent. Just yesterday, I was trying to onboard a user and their servers couldn't be reached during his initial password reset. I'm sad to say these problems are common. I want to like it; but if I'm being honest, it's got a lot of problems right now.

I see BitWarden mentioned a lot in r/sysadmin, but I haven't really tried it. Might be worth looking at.

We use 1Password in a startup of 40 people and it works beautifully. Great product.

We are also now starting to use Okta and SSO extensively too.

No password manager supports multiple levels of security conveniently, so I'm forced to use two managers.

For web browsing, passwords often protect the site not me (magazine logins...). One wants a manager to stay open during browsing sessions, so one doesn't have to type the master password for every single use.

For financial transactions, one wants zero risk of someone cracking your financial security because they enjoyed thirty seconds physical access while you stepped away from your desk.

(Be reasonable: No one is going to set up a proximity monitor that locks their screen if they lean back in their chair, any more than they'll rig a trip wire shotgun to protect their data. Don't propose a version of this. I want convenience, so secure data needs extreme protection, not my browser during thirty second gaps.)

I've begged 1Password for years to allow certain passwords to be marked "secure" invoking all obvious measures: A second password needed to unlock, immediately locks again after use. No dice. They've tried offering a few alternatives that are so inconvenient that using a second manager is frankly easier.

Remember how Steve Jobs made his fortune: the iPod assumed people were stupid. The flat file system was corrected in the first year of the Mac, but reintroduced for the iPod for "ease of use". Similarly, I honestly don't believe that password managers are foremost concerned with security. They're concerned with sales.

Dashlane is no better, but it's a second system that I prefer for financial passwords.

Can I rephrase your idea - you're suggesting to have a 'flag' on some passwords so that, for those passwords, you have to re-enter the key every time? Initially, it sounds like a great idea - like how I can use my computer if it's unlocked, but need to re-enter the password to install something.

What makes you think 1Password aren't introducing this because they care more about sales than security? In general, I've found 1Password to care a huge amount about security because if somebody proves them to be insecure, it will have a huge effect on their sales. Security and their bottom line go together.

If you step away from your desk for thirty seconds, I can install malware that captures your financial passwords (and cookies) next time you log in. The reason password managers universally don't support the feature you request is that they'd be giving their users a false sense of security. You don't have extreme protection at all. I'm sorry, I wish computers didn't work this way, but they do, and you have to keep yourself secure in the world as it exists and not in the world as you wish it were.

The usual way of solving this in corporate scenarios is to keep the office physically secure such that no outsider can get to someone's desktop in a tiny window without being noticed, and them set the screen to lock after a minute or so.

For personal computers, don't leave your laptop unlocked at the cafe when you go to pick up your coffee. Get in the habit of closing your lid.

I think the solution I use personally would also serve your purpose. I use KeeWeb (app.keeweb.info). It's a web app that caches in your browser and only runs locally. It also has a desktop version for Windows as well. I keep the web app up on my Android Chrome all the time since there's no phone specific app and it works beautifully.

You can store the database (encrypted of course) in a Dropbox account that it can connect to. The desktop version can also periodically store backups locally on any device you want. If you treat the Dropbox as the centralized master, every one of your employees can simply use either the Windows desktop app or just keep a browser tab open with it (like I do at work). Any changes anyone makes will instantly be reflected across all instances.

I've never tried using for more than my 3 devices, but I don't see why it wouldn't work seamlessly.

Why not using HashiCorp Vault, supported by ActiveDirectory?
Do you have a "why" rather than a "why not"?
It's not really built for this use case. We tried it, for end-user password management, and it sort of sucked. Not because of the product, but because of the UI. There are things like Adobe's Cryptr[0] that help. But you don't get the nice browser integration one is wanting, mobile is missing, etc.

0: https://github.com/adobe/cryptr

Vault is awesome for corporate secrets that services/code needs to see, and even maybe for developers, but for end-user passwords for stuff, it's not so great.

If someone made a decent browser plugin and mobile app with vault as a backend then it'd be fantastic for human consumption. As it is now, it's for machine consumption.
LastPass is the worst piece of software I have ever worked with. We had a lot of trouble making sense out of its sluggish user interface and confusing terminology and more.

BitWarden is my choice, it's cheaper than alternatives, the UI is simple and easy to understand. It's open-source and battle-tested. You may want to self-host as well.

Upgraded from LastPass to BitWarden around this time last year. Amazing piece of software. I can't recommend it highly enough!
+1 Lastpass created more chaos than solving issues in our company. Multiple dashboards that interfere with each other, horrible overview causing outdated/wrong rights, users having to restart several times before new passwords showing up, bad mobile support and much more.
I'm still rocking Keepass after nearly ten years now. I've tried Lastpass, and found it clunky/fiddly in comparison.
How do you share passwords between people with keepass?
I've done this in a team in the past and we just put the encrypted keepass database in a private github repo. It mostly works out fine, the only pain in the butt is everyone needs to ensure that they pull down their repo and make sure its all up to date before they add anything to it.
Google drive seems to work fine here. I believe there's also a plugin for it rather than save to the folder and deal with the rare save conflicts.

(This with 2 factor passphrase and key file, btw)

We use Dropbox. We all memorise the master password, then have the Keepass database in a shared Dropbox directory we all have access to.
How do you make sure you don't overwrite people's saves?

Surely this can't work for a larger organisation?

Looks like it can reconcile this automatically.

https://keepass.info/help/v2/sync.html

Probably better used with a filesystem that has strong guarantees though.

Yeah you get a popup if somebody changes the database while you have it open
Got it. Yeah we did that for a bit, but it became apparent soon enough that we actually needed different access levels and keeping track of three or four different databases & passwords just didn't seem practical.
I've been a KeePass user for at least as long. Sharing it with my wife and my multiple computers was done via Dropbox. I switched a couple of months back to self-hosted bitwarden. It is _much_ better. No need for file sync. Better UI. My wife actually _uses_ it now, as opposed to before she would avoid keepass. With Bitwarden, you get better control over passwords and who can see them and all that. Bitwarden also will host for you if that is not your jam. I highly encourage adoption of Bitwarden :)
Could you elaborate more on the problems with lastpass a bit?
- It frequently stops working and needs to have the chrome extension re installed (at least on Linux).

- It’s sluggish.

- The password sharing experience sucks.

- The drop down menus often get obfuscated in weird ways.

That last one, the drop down menu getting some auto full garbage which obscures choices and interferes with selection is annoying.
Chrome extension was broken for several days, that was painful, pulling out my phone for long passphrases on various sites.

While I wish the bitwarden UI could stay over the top a little better, been really appreciating it vs lastpass... it's a bit simpler and less confusing overall. Not quite the same feature set, but that's okay..

I do wish the autofill wasn't two menus deep though. (right-click, bitwarden -> autofill -> list) wish it just expanded autofill (if less than say 5 matches) on the right-click menu.

1) Slow, confusing and rarely updated (any any updates are just as likely to be a regression as an improvement in my subjective opinion) UI. The browser extension is terrible and up to last year, their hacky password-field-finding javascript slowed down several pages to to point it was unusable. It's still not great.

2) The business model of LastPass worries me. Unlike a 1Password (I tried it for a 3 month trial, don't use them or have any skin in the game for them) charges a lot more than LastPass and in addition to having a more smooth, speedy and performant application, they are charging enough money to feasibly be profitable just storing passwords.

LastPass has has more data breaches than the others (google). It's run by a domain register. In my opinion this influences how the password business is run, leading to a marketing-forward rent extraction password manager vs a good one.

(comment deleted)
Another thing that drives me crazy with LastPass is it won't give you a distinct URL for a note or folder (or whatever they call that particular resource) that you want to share.

So I end up having to give other members of my team step-by-step directions to finding the right file or folder every time I share one. And that's assuming the access permissions haven't got borked, which seems to happen more often than not.

I've been pushing my company to drop it for a while.

You might not like it, but I have a long list of software worse than it, I really don't get the hate for it.
The personal version works well in comparison. We liked it and adopted it for our company but using the enterprise version, that's when it really started to give us problems.
I experimented with Bitwarden for a little while, but it didn't have a good method for changing passwords. I ended up switching back to LastPass. But, I'm pretty frustrated with their buggy iOS app.
Can you elaborate? Changing a password with Bitwarden is just editing the field or–even better–a one-click button to (re)generate a new random password (including options for length and complexity requirements). If you are logged into the browser addon, it will also (depending how javascript-hacky the website is) prompt to save the new password when you modify the password in a website's settings.

Unless you're talking about mass-replacing a single password across a bunch of different entries? Which is certainly not a limitation of any password manager; reusing a password is just horrible.

I haven't had that problem with BitWarden in testing, but I can't change to BW until they come up with some solution for having both a work and and personal vault. The ability to link-in your personal LastPass to your work LP without actually giving your employer any access to your personal LP is really beneficial to my staff.
Can't you create a personal group, and have both accounts in that group?
I'm actually using BitWarden for work and personal stuff and it works wonderfully. BW allows you to "link" the two accounts and share things between them (or not). For example, my personal Gmail account information is in BW but its not exposed to my employer at all. On the flip side, I've created management accounts (ie. JIRA admin user) and shared them with the "IT" team in BitWarden; this allows all of the IT admins to get into JIRA if necessary.
Lastpass was adopted at my previous employer, it was a mess to use and absolutely not user-friendly or intuitive.

Glad I don't have to use it anymore.

You should try OneLogin - LastPass is a dream by comparison.
Was starting to think I was the only one that thought this. It's a total POS.
I reviewed BitWarden about a year ago for my company. Ultimately the reason I rejected it was that I couldn't find a way to reset another user's master password. It is certain that users will forget their master password and need to have it reset.

Perhaps it has changed since, or maybe it was just hard to find. Oh well, too late now.

We ended up using 1Password. My only real complaint with it is the need to create a vault for sharing something from one user to another. That means that if any two people in the company want to share, they need to get an admin involved so the admin can create the vault.

With bitwarden, the account's data may be encrypted against the passphrase afaik... Also, you can setup shared groups for passphrases that are meant to be shared and the way the browser extension works, you need to enter it each restart to use it, so it should be more common.

The whole point of a password manager is so you only have to remember one passphrase. Suggesting an actual sentence and not having byzantine passphrase requirements will help. My fiance is really bad with this one, I admit that I don't have much empathy here.

Bitwarden is end-to-end encrypted. So, password "resets" aren't really a thing without also resetting the vault as a whole.
Yeah. While I can understand wanting to be able to reset a user's password as an administrator of other users (eg. an IT department supporting those who forget their master password), it's also a security problem to allow such a feature. Basically, all user accounts under an organization would need to be encrypted with two separate passwords: the user's, as well as the IT/admin/company "master key". Having all users' passwords encrypted with a master key password to allow resets means all users' passwords across the entire organization can be compromised by a single IT employee's master key password.

Personally, I'm ecstatic that there is no recovery process to reset or recover a Bitwarden master password. No security questions. No email reset. No one-time use login codes (which would need to be stored somewhere not encrypted by a user's secret key in order to verify). Again, I can understand why an IT department would want that, but all that does is open up attack vectors that are very easy for an attacker to abuse.

The whole point of the master password is it's the ONE AND ONLY password you cannot forget or lose. One... lousy... password.

We also use LastPass and it sucks so hard. Terrible UI, bad UX decisions, frequently breaks.
I can echo the frustration with LastPass. Definitely would not recommend it.

I used KeePass at a previous company and loved it.

Totally with you on both counts. It amazed me how clunky and buggy LastPass was. I used it both as a browser plugin (FF, Chrome) and as an Android app. In a truly impressive achievement of corporate standards, each platform had different issues, but all achieved the exact same level of low overall quality.

I switched to BitWarden a couple of months back and I'm very happy with it. I have quibbles, but it's a much more solid experience.

KeepassXC or Keepass by a mile (for corporate uses; decent for personal use too but others are also good for this).

I've used both in both personal and corporate settings. Great browser support, Keepass2Android makes my mobile experience good.

The reason it's so good for corporate is that the database is just a file, so you can email passwords, or share via one drive or Dropbox or ftp or shared samba drive or ...

I worked with techs from Oracle who used to auto generate the database for particular users and share them around. It worked really well for them. Because it's just a file it works for all sorts of workflows.

My workplace does pay for Cyberark which is a built for purpose Enterprise application, but I don't have rights to it it or whatever, so I just use KeepassXC.

The problem with KeepassXC in larger teams than, like, 4 people is the shared secret/keyfile - basically this means that whenever a person leaves you have to change encryption keys and make all users rotate their secrets.

Same in case of a leak.

With solutions using per-user keys, you just have to revoke/remove keys for that single user. GNU pass (FOSS) and Bitwarden (paid, open source) both do this.

Passwordstate by https://www.clickstudios.com.au/; does what it should
This seems like the best one going, and for the cheapest price for a lot of users. I'm interested in more reviews?
To OP: Please don't consider Passwordstate. It's so horrible to use, that users refuse to use it when it is offered. My company expects it to be used, but instead everyone (hundreds of in-house users) reuse the same password everywhere, and/or ignore company policy by using a personal password manager not linked to the company's internal servers.

Passwordstate pisses me off so much I can't even be bothered to go into details as to WHY it's so bad.

Please don't take this the wrong way, but could you qualify your advice instead of rant? That'd be really helpful.
Click Studios is proud of its product Passwordstate and the quality of its technical support.

If you are experiencing issues with our software, we are more than happy to work with you to address these issue.

Please log a support call via https://www.clickstudios.com.au/support.aspx.

We are using Passbolt and are quite happy with it (only a dozen or so team members). I haven't tested Bitwarden but I would like to compare it to Passbolt. Migrating passwords would probably be impossible, though.
We also used Passbolt in the 6-people IT team of my former employer and it felt nice because it's open source and its development is supported by a state (Luxemburg).

The GPG encryption un-usability is a bit abstracted away by a nice (but not perfect) browser plugin.

The CLI is a bit awkward and incomplete -- so much so that I wrote a fuzzy-search python wrapper with auto-clearing clipboard support etc. around it which served me well enough.

We have been using 1Password and just use vaults to segment things properly and keep things limited to the smallest group of people possible. 1Password is also how we handle 2fa in a common/generic way for many sites that require it. This avoids the problem of a user using their cell phone number to get the OTP's and then that person leaves the company and you are left trying to coordinate the change for an account with a former employee.

1Password isn't perfect but is by far the best one I've used and it does work well for teams IMO. We just are anal about setting up vaults and permissions to those vaults so it easy to segment users to only see the services they are allowed to etc. Plus it keeps things orderly and clean for maintenance purposes. The browser plug-ins have gotten better and the search is decent so definitely better then others I have seen.

This. 1Password comes with limitations but by far it’s the best password manager for teams due to the built in 2fa support.

I wish it was possible to share a credential with specific people without a need to create a dedicated vault.

I love 1password but I don't understand why you'd use it for 2fa. Surely if someone gains access to your 1password account you're just giving them the "something you have" aspect of 2fa for free ?
I understand what you are saying but part of security is making it easy enough that people will use it, but hard enough it isn't easy to break for bad actors. People are lazy in general, if you tell 25 engineers at a startup they have to use two different tools just too handle credentials, the compliance rate of using 2fa will drop to nil, making accounts easier to hack. Don't get me wrong, it isn't like 2fa is so secure, it has been shown to be hackable for sure, especially when using SMS devices; but if done properly it can add a level of extra effort for a bad guy and if that extra effort is easy for engineers to use they'll do it. 1Password makes it this way.

From a corporate standpoint, I don't want people using their personal devices for SMS OTP (2fa) because then if they leave, are disgruntled or get tragically hit by a bus I am locked out of a potentially important service/account. I had this happen on three accounts in the past year where one took me 3 days to recover the ability to access it, another I never could recover and we had to work around it and a third that was absolutely critical but took close to two weeks all said (lots of waiting). That is insane, and all because people used their own personal devices (or similar) for SMS 2fa.

There are other devices you can use, and some enterprises do use hardware keys in addition to the password which works well and the more sensitive the system the more inconvenience people will tolerate and understand.

For me it boils down to 1Password works good for a reasonable price which helps startups and small companies. I also don't think using 1Password is just a tool and you still need a good password refresh cycle and to stop reuse etc. This way if a backup at 1Password was somehow compromised or stored improperly at your company or at 1Password at least you'd be insulated better.

It definitely does provide a single point of access that if compromised in a way which bypasses all their security a lot of companies will be hurting.

In addition to the arguments outlined above, it protects against some attack vectors. If the service gets hacked and the password leaked or they discover the password in some other way, they still don't have the 2FA token and so can't login.
If somebody breaks into a specific service and is able to dump hashed passwords it’s very likely they also had access to TOTP keys. Since you’re already using a password manager you should be protected from password reuse.

Ultimately in this case you are protected from MITM attacks and basic forms of keylogging.

Not relevant to scenarios where you stash TOTP long term secrets in a password store, but note that WebAuthn / FIDO doesn't have this problem - the data you're keeping per user to authenticate with WebAuthn isn't a secret, it's not even personally identifiable, a bad guy could add their own credentials if they have write access, but they can't learn anything by examining yours.
> From a corporate standpoint, I don't want people using their personal devices for SMS OTP (2fa) because then if they leave, are disgruntled or get tragically hit by a bus I am locked out of a potentially important service/account. I had this happen on three accounts in the past year where one took me 3 days to recover the ability to access it, another I never could recover and we had to work around it and a third that was absolutely critical but took close to two weeks all said (lots of waiting)

Wait...I've seen two ways for services to handle multiple users from a client using the same account.

1. A company using the service gets a single user login for their account. That login is shared by all of the employees who use the service.

2. A company using the service starts out with a single user login for the account. That login is meant to only be used to administer the account. The administrator can create more user logins for the account, usually with reduced privileges. Each employee is given a separate login of their own, with just the privileges needed to do their job.

I don't think I've seen a #1 that uses 2FA. I assumed that was because it could then easily run into the problem you describe.

With #2 there is no problem using 2FA, or with each user using their own device for 2FA. The only account you have make sure won't be lost if someone gets hit by a bus is the administrator account.

Did you run into a service using approach #1 but that used SMS OTP?

I have for sure run into services that strongly link an account to a person, but don't have a concept of administrative (non-functional) users. Mix this with draconian per-seat licensing and you have a situation where you might reasonably need to store 2FA creds in your vault.

And if you squint a little it's still a 'thing you have' since the vault is something you have to have access to so you can generate the constantly changing 2FA token. It's just a bit easier, in theory, to access than a hardware token or an SMS endpoint.

Correct, number 2 in your example is not a problem at all, and we have those as well. But not all services actually support this properly IME. Our policy is to create accounts that are generic with strict permissions around a specific automation or service of our own. This happens more in devops than in everyday usage of say a report tool where shutting off a user doesn't matter.

Essentially my example is the same you pointed out though, for the generic admin account you created you will need to use it to administrate the other users etc. What we do is store that admin account in 1Password with 2fa turned on for it and that way it is never locked to a user with 2fa on their personal device.

For a little more detail too, we will setup sub account for automated systems which have restricted permission (and likely use ssh/key pairs to login for automation). However, when you need to update something about these accounts many times you have to login as them and make a change, so in that case again we store the password and 2fa in 1Password so the team can handle that quickly and isn't stuck because one person left.

I am always open to other ideas though if you think I am missing other options.

> I don't think I've seen a #1 that uses 2FA.

Hover (domain registrar) supports 2FA via TOTP or SMS, but it does not support granting multiple users access to manage a single set of domain names.

I suppose sharing the TOTP key along with the account credentials is better than dealing with the issues created by SMS, but it's still not great.

SAASPASS has that service under the Sharing Center. You can share access for:

1) Single Account across many people

2) Single Account with Authenticator code (TOTP/HOTP 2FA) across many people

3) Share single email account (with 2FA protection) across multiple people

A video on it:

https://m.youtube.com/watch?v=i31RMUMuX2U

Once you sell services to many different industries, you’ll be out of compliance.
The argument I've seen provided for this is that an attacker would both need your password and physical access to a device with 1password already set up on it.

To use 1password on a new device, you need a "secret key" that is provided to you when you create your account which serves as a basic form of 2FA for your whole account. Not a perfect system, but it is not as simple as just getting your password and having access to everything.

1password is a cloud service. So they'd either need a device like you said or your login/password + authentication key that is only used in the initial setup flow of a new device. So still pretty hard like you said. Never considered how the extra key during new device setup could be helpful until now.
You can also set up 1PW to use a OTP itself. I use 1PW for OTP generation and for passwords (naturally), but my 1Password account itself is protected by my password + secret key, as well as an authenticator/OTP app that is not 1PW.
The "secret key" is of sufficient length to not to be able to qualify as "something you know". It's either a quite lengthy string you have to type in, or a QR code.
I just stopped called it 2fa, and just otp for “one time password”, the URI standard calls it otp:// as well

see problem solved, no need to debate how single or two factor a thing is and you can just focus on the attack vectors it actually still solves for, objectively

yes the password vault is a single point of failure if someone knows your vault password or key logs it.

If an attacker has gained access to your vault you have much, much more to worry about than if 2FA codes are there or not.
It's certainly a panic but if everything is 2FA'd with tokens that the attacker doesn't have access to, then you've done a lot to mitigate the splash damage and have a path to regain control.
I don't use 1PW for teams, but I do use it personally and use it to store all my OTPs except my OTP credential to access 1Password itself. I use a different authenticator app for that (happens to be Microsoft, but that doesn't matter really).

So, while I think it storing storing your passwords beside your OTP generator isn't great, if both are locked behind another factor of authentication, you have mitigated that risk significantly.

It’s not very trivial to gain access to a 1password account:

1. Attacker needs access to the physical device of the account holder if they know the credentials.

2. Otherwise, they need to know credentials + secret key on a new device.

3. You can set up Google Auth to access the account in the first place, which can have its own separate 2fa (this is what we do)

There are still good reasons:

1password requires more than just a password to access. You need the encryption key. It acts nicely for that purpose.

2fa is unnecessary if you're generating 20 character passwords uniquely for every site.

The best security is like the best camera. There is no better camera than the one you actually use. This is why cell phone cameras are the best. This is why 1password is the best, because it is security you always use and always keep safe.

I have to spam another comment here to suggest that Bitwarden also has built-in two-factor auth. $10/year (not per month) for personal use, and I believe it's included for $3/month/user in the enterprise version. Cheaper than 1Password, and a better overall app imo.
I am a Bitwarden user (three years paying for premium) and while I like it the desktop app isn't as feature rich or as smooth to use as 1Password imho.

It lacks biometrics support for one which is something I wish they would add but I believe as it is an Electron app they cannot do so, at least not on macOS.

The iOS and Android apps are decent enough though. They support Touch/FaceID and the Android equivalents. With the exception that the iOS app has "Live Sync" (i.e. push notifications to sync the vault when a change is made elsewhere) but they never work. I recently made a post about this on the Bitwarden support reddit [0] but had no response from the developer there or on Twitter which is a shame. Live Sync works fine on Android though so it is clearly an iOS issue only.

If 1Password were cheaper, or if my needs were more complex, I would switch away from Bitwarden but as a home user it is "good enough".

[0] https://old.reddit.com/r/Bitwarden/comments/f1besd/has_live_...

I don't agree. When compared to other offerings (LastPass, BitWarden) 1password consistently comes up short in enterprise features. 1password doesn't even have an API. Three of the biggest issues I have with 1password:

1. If a user fails (or skips) 2FA, they still retain complete access to any passwords/vaults they previously locally synced... they just can't sync new/updated entries. This seems like a really flawed design - a 2FA failure should prevent access. When I asked the 1password team whether they'd consider invalidating local cache on 2FA failure, they did not seem interested.

2. You can't create links to passwords, which would allow management of an entry from a single location. If you want to share a password across multiple teams/vaults, you need to know about and maintain those entries for the same account, which means you also have to have access to all those vaults to manage that entry. This discourages password rotation, and increases the likelihood of orphaned passwords in other vaults.

3. Lack of granular permissions structure. You can't, for example, allow a user to initiate vault resets without giving them full admin access to the entire thing. Again, other password managers allow more fine-grained control.

To me, 1password feels like a small-time solution that tried to bolt on some enterprise features to retain customers. I don't think it should be considered enterprise software.

What do you exactly mean by share a credential without a vault? Share access without sharing the password etc??

If so SAASPASS has a sharing center for both password-based, 2FA protected email-based and Authenticator code-based sharing of access.

https://m.youtube.com/watch?v=i31RMUMuX2U

1Pass is great, but it lacks the kind of advanced tooling I'd want for it to scale.

Password sharing controls are insufficient.

Hi, alexandercrohde. I work for 1Password. I'm excited to learn from your experience using our product.

Would you be able to share feedback on where you feel the product falls down around tooling to scale? I'd like to make sure our teams are thinking about any difficulties you are having. There also may be more efficient ways to accomplish things that we can point out. Looking forward to your feedback. Thanks in advance!

> 1Password is also how we handle 2fa in a common/generic way for many sites that require it. This avoids the problem of a user using their cell phone number to get the OTP's and then that person leaves the company

For high level corporate account, just have 2-3 office phones with different phone numbers. Each number is for a different department or level of access. Provide the right number given the nature of the access required (AWS Root account versus Xero accounting software, for example) and then use that as the 2FA. You can even use virtual 2FA for this.

Just a thought.

For personal level access for each employee, provide your employees with second hand, cheap Android phones you can buy for mere pennies, keep them in the office at all times, on charge, on wifi-only. This has the benefit of helping to reuse old hardware as opposed to it ending up on some tip.

I haven't used it in a corporate setting, but personally I've been using Bitwarden[1] since November 2017 without a single hiccup. It's amazing. The best part: it's open source, including all clients/apps (browser addons, desktop apps, smartphone apps). The server component being open source means you can host your own instance on-premise (clients let you specify a custom host to sync with to avoid using Bitwarden's public servers).

Personal use is free, with an optional $10 per YEAR (not per month) addon that adds a built-in TOTP client (ie. Google Authenticator compatible two-factor auth). There are also "Organization" accounts at extra cost for more enterprise-level usage, including sharing credentials among teams.

Note: I believe that even if you host on-premise using the open source code, it expects a paid license for the extra features (TOTP and Organization accounts), at $3-5/month per user.

[1] https://bitwarden.com/

My company of ~30 people just started with Bitwarden, purely because I use it personally and knew it. I like the fact that it's open source, has a self-hosted option and it has a Linux client.

I haven't use the 2FA option yet, and it has a Google Authenticator equivalent.

Unfortunately 2fa on Android bitwatrden client is non existent.

Bug is open already for a year :-(

P.S. 1password has it.

I've been using my fingerprint as a 2FA on Android BitWarden for quite a while. Is this not sufficient for your use-case? Is there something else that you would rather use? Perhaps a YubiKey?
What bug? Bitwarden's android app supports 2FA.
Keepass on a shared drive or something like Dropbox has always worked well for me.
Have you used it with multiple users? I always hated the shared keepass solution due to the continual-sync problem we ran into. You had to make a change, manually sync, and hope that no one else was working on the same entry as you.

(Not to throw shade at Keepass, just my experience of it in the past, about 5 years ago.)

Always a risk, but communication should resolve that (in theory). ie, before you change an entry, jump on Slack etc and say I'm changing the password for X.

Alternatively, have one person who is responsible for changing passwords, everybody else just uses the passwords.