Ask HN: What's the best corporate password manager?
My company of ~25 people needs to manage access to probably ~100 services our employees use everyday and I assume some kind of password manager which I can centrally manage is the way to go.
I often hear things on here about products that claim to be secure but aren't -- what password manager is considered reliable and secure? Which do you use?
Thank you!
258 comments
[ 2.5 ms ] story [ 306 ms ] threadI found 1Password 7, 1Password X and the browser extension to all be disconnected from each other and sloppy to use in general.
I definetely wouldn't mind if my employer choose 1Password Business as I would be able to link my binusnees account to my family account and not pay for the latter. It is possible this might help changing behaviour for those who currently don't use a password manager for personal use. Or it might not help at all, who knows...
Just something you could take into consideration if this is important to you.
(Last time I checked 1Password offers this kind of deal and Dashlane, Lastpass either don't offer it or don't promote it. I won't guarantee this is the current state of things...)
- hard to use, slow, clunky interface.
- desktop app (macos) doesnt work well. small file sharing is cumbersome and extremely limited.
- sync is miserable. just.. miserable. it usually required the receiver to log out and back in at least twice.
try 1password and the differences are immediate and undeniable.
Security wise, we looked at the 1Password CVE history[1] and it seems pretty ok.
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=1password
[0] https://sourceforge.net/projects/corporatevault/
Yikes. Besides the general danger of even having Flash installed on machines that don't otherwise need it... you can copy to clipboard from pure JS in all major browsers since about 2016.
I'd be kind of worried about a password manager that hasn't seen updates since 2016, especially if it has a browser extension, which is notoriously tricky to get right. Is it getting security updates?
Flash still built in to Chrome, it's installed anyway.
> you can copy to clipboard from pure JS in all major browsers since about 2016
CorporateVault was last updated in 2010.
> I'd be kind of worried about a password manager that hasn't seen updates since 2016, especially if it has a browser extension
It doesn't. Like I said, it's simple. It's just a Grails application you run on an on-prem server you can additionally lock down in any way you like.
I've looked at some alternatives in the past but so far none of them have been good enough to bother switching too. In fact, most of them have even worse functionality for our usecase.
The official docker version looked way too complicated imo -> https://github.com/bitwarden/server/blob/master/scripts/run....
Pretty straightforward, lightweight, no issues so far
Is single sign-on an option, instead? Something like Okta is a much better experience for less technical users (and, well, engineers too) where possible, and also lets you trivially manage credentials access as people on/off board (no need to rotate credentials if you're worried folk may have written them down on paper somewhere with malicious intent). That said, it doesn't help folk with personal credentials management, which can be useful for good security policy in addition.
1password is my favorite to have around for services that don't support SSO. I like it so much I pay for a family account, even.
A password manager isn’t required here because it much better to control access with SSO. The user can have one password, preferably just logging into their workstation, and then SSO will sign them into whatever apps they are allowed to. Much easier than having a password manager keeping 80-100 passwords.
In the past we used a safe credential manager that our NOC could access to get admin or other management credentials for networking devices when problems occurred. You could use the same for DB or server passwords where you need the text and combine it with a password manager if you can auto fill them. Only use these options for systems that don’t have SSO.
Not totally relevant to the question, but how well does it scale to enterprise? I found the need to create and manage individual access to vaults to be complicated, even at a few users. I can't imagine how you'd manage 1000s of passwords accessed by combinations of 1000s of users, including third-parties, contractors, etc. Are there any better password management solutions in the enterprise space?
But they did recently introduce a CLI here: https://support.1password.com/command-line-getting-started/#...
That makes me optimistic that you could at least do a fair amount of automation around it. I haven't used it myself yet, so I'm not sure how fully featured the cli is
You should just be able to say “give me the password for yahoo.com” but you can’t actually do that.
I wanted to use it to get npm 2FA on the command line and just gave up completely.
EDIT: if someone from 1Password reads this, please reach out. I have good CLI UX experience and would love to help fix it.
You're completely right about the use-case there. One of the things I think we missed the mark on was choosing to expose the full item JSON structure as the default. I think it is important that access to the full item is available, but I think it would have been a much better user experience if we had abstracted that in the default case.
What you've pointed out here is what we are currently working on addressing. Development of the CLI was put on hold for over a year while development of our SCIM bridge was ongoing (they're built on the same codebase). In the past few months, we have ramped up the entire team, and movement has accelerated greatly on the CLI. This is feedback we're well aware of, and we're working hard to address it.
Feel free to post in our discussion forums if you're still willing to have a more extensive conversation: https://discussions.agilebits.com.
I'll give it a spin again too as it's been a while since I tried it last and check out the forums!
Otherwise, thanks to many providers like Okta and others, SSO should really be a feature provided to smaller tiers nowadays.
We're a small business (2 founders, 3 contractors), and we'd love to use SSO for everything. But we're too small to afford enterprise tiers for things like Slack, Gitlab, etc.
Hopefully this trickles down eventually.
Update: I'd like to add that we provide a SaaS product as well, and have considered adding SSO to the enterprise tier but after much research we can't really find a good reason to restrict it (apart from "everyone else is doing it", and potential manual config).
But both SAML and OpenID connect have discovery protocols. Again, this CAN technically be self-configured by the right customer. But then, maybe the solution is to have a one-time config fee, rather than require a certain tier.
Many of those cool things take night or weekend to set up and that’s kind of fun to do. Regular patching and potential troubleshooting is the less fun part you get to do when adopting a new app.
For everything else, you can put your services behind i.e. traefik and write a middleware, or use something like caddy which has a plugin for sso.
Lower tiers of SaaS products are more-or-less strictly designed for:
- individuals or very small businesses where everyone is friends
- who don't have exacting requirements/audit/traceability/reporting concerns
- who are willing to accept some pain/inconvenience if they use it outside of its design parameters
Credential-sharing services in the age of SSO are a dirty workaround designed to circumvent SaaS product segmentation (which would otherwise cause established companies to effectively subsidise tiny startups). I'm all for hacker philosophy, and perhaps this applies less to your situation than it does to the OP, but I do think the idea of credential-sharing is a horrible kludge that has only risen to prominence because of the specific issue that I mentioned, and which only leads to more problems with things like non-repudiation.
- Sign up for free or with a credit card, but you'll run into problems (or at the very least friction/complications) if you end up trying to use if you something serious
- Speak to a salesperson and have your CFO sign the company up for a long-term strategic partnership.
The examples that you gave are less clear-cut though. Trello Business is $12.50 per month, and supports Google Apps SSO. Trello Enterprise supports general SSO, and costs $20.83 per month. Slack pricing is $6.67/mo for Standard, and $12.50/mo for Plus with SSO. None of these are costs that should really make or break the profitability of a company; considering that the business is using them to generate revenue or to reduce its expenses, how do they compare to other things like property/facilities expenses and employee salaries/benefits?
I have built an API to interact with 1password through its CLI: https://github.com/lettdigital/onepassword-api
The repo also includes an example of how to call the API using AWS Lambda.
The logic to interact with the 1password CLI is wrapped in an SDK, that can be used independently: https://github.com/lettdigital/onepassword-python
When creating an ec2, we call a module that creates a tls key, a keypair and an object in a bucket.
This object creating triggers a lambda that downloads the objects contents, namely the pem key and calls the api to save it to 1password as a document.
This newly created document is available to every member that has access to the vault without having direct access to the bucket itself.
Another use I had was to create credentials for sonarqube automatically. We have a relatively large team on github and wanted to add sonarqube to the stack. What I did was just read every members name, email and username from github, create the respective users using sonarqube api and register their credentials using the sdk. It was trivial then to send them a copy of their credentials, a lot easier and less error prone than doing it by hand.
Many other use cases can be thought. You could implement iam key rotation using this. You could share support credentials for your team using 1password and have automated tools read from the same source.
It really just make everything easier to replicate, integrate and manage using this api or the python sdk. The last thing you want is to screw someones credentials because of a human error (typo, forgot to save the password etc...)
I used Okta at a previous employer; it was good too.
https://tozny.com/tozid
I see BitWarden mentioned a lot in r/sysadmin, but I haven't really tried it. Might be worth looking at.
We are also now starting to use Okta and SSO extensively too.
For web browsing, passwords often protect the site not me (magazine logins...). One wants a manager to stay open during browsing sessions, so one doesn't have to type the master password for every single use.
For financial transactions, one wants zero risk of someone cracking your financial security because they enjoyed thirty seconds physical access while you stepped away from your desk.
(Be reasonable: No one is going to set up a proximity monitor that locks their screen if they lean back in their chair, any more than they'll rig a trip wire shotgun to protect their data. Don't propose a version of this. I want convenience, so secure data needs extreme protection, not my browser during thirty second gaps.)
I've begged 1Password for years to allow certain passwords to be marked "secure" invoking all obvious measures: A second password needed to unlock, immediately locks again after use. No dice. They've tried offering a few alternatives that are so inconvenient that using a second manager is frankly easier.
Remember how Steve Jobs made his fortune: the iPod assumed people were stupid. The flat file system was corrected in the first year of the Mac, but reintroduced for the iPod for "ease of use". Similarly, I honestly don't believe that password managers are foremost concerned with security. They're concerned with sales.
Dashlane is no better, but it's a second system that I prefer for financial passwords.
What makes you think 1Password aren't introducing this because they care more about sales than security? In general, I've found 1Password to care a huge amount about security because if somebody proves them to be insecure, it will have a huge effect on their sales. Security and their bottom line go together.
The usual way of solving this in corporate scenarios is to keep the office physically secure such that no outsider can get to someone's desktop in a tiny window without being noticed, and them set the screen to lock after a minute or so.
For personal computers, don't leave your laptop unlocked at the cafe when you go to pick up your coffee. Get in the habit of closing your lid.
You can store the database (encrypted of course) in a Dropbox account that it can connect to. The desktop version can also periodically store backups locally on any device you want. If you treat the Dropbox as the centralized master, every one of your employees can simply use either the Windows desktop app or just keep a browser tab open with it (like I do at work). Any changes anyone makes will instantly be reflected across all instances.
I've never tried using for more than my 3 devices, but I don't see why it wouldn't work seamlessly.
0: https://github.com/adobe/cryptr
Vault is awesome for corporate secrets that services/code needs to see, and even maybe for developers, but for end-user passwords for stuff, it's not so great.
BitWarden is my choice, it's cheaper than alternatives, the UI is simple and easy to understand. It's open-source and battle-tested. You may want to self-host as well.
(This with 2 factor passphrase and key file, btw)
Surely this can't work for a larger organisation?
https://keepass.info/help/v2/sync.html
Probably better used with a filesystem that has strong guarantees though.
- It’s sluggish.
- The password sharing experience sucks.
- The drop down menus often get obfuscated in weird ways.
While I wish the bitwarden UI could stay over the top a little better, been really appreciating it vs lastpass... it's a bit simpler and less confusing overall. Not quite the same feature set, but that's okay..
I do wish the autofill wasn't two menus deep though. (right-click, bitwarden -> autofill -> list) wish it just expanded autofill (if less than say 5 matches) on the right-click menu.
2) The business model of LastPass worries me. Unlike a 1Password (I tried it for a 3 month trial, don't use them or have any skin in the game for them) charges a lot more than LastPass and in addition to having a more smooth, speedy and performant application, they are charging enough money to feasibly be profitable just storing passwords.
LastPass has has more data breaches than the others (google). It's run by a domain register. In my opinion this influences how the password business is run, leading to a marketing-forward rent extraction password manager vs a good one.
So I end up having to give other members of my team step-by-step directions to finding the right file or folder every time I share one. And that's assuming the access permissions haven't got borked, which seems to happen more often than not.
I've been pushing my company to drop it for a while.
Unless you're talking about mass-replacing a single password across a bunch of different entries? Which is certainly not a limitation of any password manager; reusing a password is just horrible.
[0] https://helpdesk.lastpass.com/generating-a-password/auto-pas...
Glad I don't have to use it anymore.
Perhaps it has changed since, or maybe it was just hard to find. Oh well, too late now.
We ended up using 1Password. My only real complaint with it is the need to create a vault for sharing something from one user to another. That means that if any two people in the company want to share, they need to get an admin involved so the admin can create the vault.
The whole point of a password manager is so you only have to remember one passphrase. Suggesting an actual sentence and not having byzantine passphrase requirements will help. My fiance is really bad with this one, I admit that I don't have much empathy here.
Personally, I'm ecstatic that there is no recovery process to reset or recover a Bitwarden master password. No security questions. No email reset. No one-time use login codes (which would need to be stored somewhere not encrypted by a user's secret key in order to verify). Again, I can understand why an IT department would want that, but all that does is open up attack vectors that are very easy for an attacker to abuse.
The whole point of the master password is it's the ONE AND ONLY password you cannot forget or lose. One... lousy... password.
I used KeePass at a previous company and loved it.
I switched to BitWarden a couple of months back and I'm very happy with it. I have quibbles, but it's a much more solid experience.
I've used both in both personal and corporate settings. Great browser support, Keepass2Android makes my mobile experience good.
The reason it's so good for corporate is that the database is just a file, so you can email passwords, or share via one drive or Dropbox or ftp or shared samba drive or ...
I worked with techs from Oracle who used to auto generate the database for particular users and share them around. It worked really well for them. Because it's just a file it works for all sorts of workflows.
My workplace does pay for Cyberark which is a built for purpose Enterprise application, but I don't have rights to it it or whatever, so I just use KeepassXC.
Same in case of a leak.
With solutions using per-user keys, you just have to revoke/remove keys for that single user. GNU pass (FOSS) and Bitwarden (paid, open source) both do this.
https://github.com/keepassxreboot/keepassxc/blob/develop/doc...
Passwordstate pisses me off so much I can't even be bothered to go into details as to WHY it's so bad.
If you are experiencing issues with our software, we are more than happy to work with you to address these issue.
Please log a support call via https://www.clickstudios.com.au/support.aspx.
The GPG encryption un-usability is a bit abstracted away by a nice (but not perfect) browser plugin.
The CLI is a bit awkward and incomplete -- so much so that I wrote a fuzzy-search python wrapper with auto-clearing clipboard support etc. around it which served me well enough.
https://vault.bitwarden.com/#/
1Password isn't perfect but is by far the best one I've used and it does work well for teams IMO. We just are anal about setting up vaults and permissions to those vaults so it easy to segment users to only see the services they are allowed to etc. Plus it keeps things orderly and clean for maintenance purposes. The browser plug-ins have gotten better and the search is decent so definitely better then others I have seen.
I wish it was possible to share a credential with specific people without a need to create a dedicated vault.
From a corporate standpoint, I don't want people using their personal devices for SMS OTP (2fa) because then if they leave, are disgruntled or get tragically hit by a bus I am locked out of a potentially important service/account. I had this happen on three accounts in the past year where one took me 3 days to recover the ability to access it, another I never could recover and we had to work around it and a third that was absolutely critical but took close to two weeks all said (lots of waiting). That is insane, and all because people used their own personal devices (or similar) for SMS 2fa.
There are other devices you can use, and some enterprises do use hardware keys in addition to the password which works well and the more sensitive the system the more inconvenience people will tolerate and understand.
For me it boils down to 1Password works good for a reasonable price which helps startups and small companies. I also don't think using 1Password is just a tool and you still need a good password refresh cycle and to stop reuse etc. This way if a backup at 1Password was somehow compromised or stored improperly at your company or at 1Password at least you'd be insulated better.
It definitely does provide a single point of access that if compromised in a way which bypasses all their security a lot of companies will be hurting.
Ultimately in this case you are protected from MITM attacks and basic forms of keylogging.
Wait...I've seen two ways for services to handle multiple users from a client using the same account.
1. A company using the service gets a single user login for their account. That login is shared by all of the employees who use the service.
2. A company using the service starts out with a single user login for the account. That login is meant to only be used to administer the account. The administrator can create more user logins for the account, usually with reduced privileges. Each employee is given a separate login of their own, with just the privileges needed to do their job.
I don't think I've seen a #1 that uses 2FA. I assumed that was because it could then easily run into the problem you describe.
With #2 there is no problem using 2FA, or with each user using their own device for 2FA. The only account you have make sure won't be lost if someone gets hit by a bus is the administrator account.
Did you run into a service using approach #1 but that used SMS OTP?
And if you squint a little it's still a 'thing you have' since the vault is something you have to have access to so you can generate the constantly changing 2FA token. It's just a bit easier, in theory, to access than a hardware token or an SMS endpoint.
Essentially my example is the same you pointed out though, for the generic admin account you created you will need to use it to administrate the other users etc. What we do is store that admin account in 1Password with 2fa turned on for it and that way it is never locked to a user with 2fa on their personal device.
For a little more detail too, we will setup sub account for automated systems which have restricted permission (and likely use ssh/key pairs to login for automation). However, when you need to update something about these accounts many times you have to login as them and make a change, so in that case again we store the password and 2fa in 1Password so the team can handle that quickly and isn't stuck because one person left.
I am always open to other ideas though if you think I am missing other options.
Hover (domain registrar) supports 2FA via TOTP or SMS, but it does not support granting multiple users access to manage a single set of domain names.
I suppose sharing the TOTP key along with the account credentials is better than dealing with the issues created by SMS, but it's still not great.
1) Single Account across many people
2) Single Account with Authenticator code (TOTP/HOTP 2FA) across many people
3) Share single email account (with 2FA protection) across multiple people
A video on it:
https://m.youtube.com/watch?v=i31RMUMuX2U
To use 1password on a new device, you need a "secret key" that is provided to you when you create your account which serves as a basic form of 2FA for your whole account. Not a perfect system, but it is not as simple as just getting your password and having access to everything.
see problem solved, no need to debate how single or two factor a thing is and you can just focus on the attack vectors it actually still solves for, objectively
yes the password vault is a single point of failure if someone knows your vault password or key logs it.
So, while I think it storing storing your passwords beside your OTP generator isn't great, if both are locked behind another factor of authentication, you have mitigated that risk significantly.
1. Attacker needs access to the physical device of the account holder if they know the credentials.
2. Otherwise, they need to know credentials + secret key on a new device.
3. You can set up Google Auth to access the account in the first place, which can have its own separate 2fa (this is what we do)
1password requires more than just a password to access. You need the encryption key. It acts nicely for that purpose.
2fa is unnecessary if you're generating 20 character passwords uniquely for every site.
The best security is like the best camera. There is no better camera than the one you actually use. This is why cell phone cameras are the best. This is why 1password is the best, because it is security you always use and always keep safe.
It lacks biometrics support for one which is something I wish they would add but I believe as it is an Electron app they cannot do so, at least not on macOS.
The iOS and Android apps are decent enough though. They support Touch/FaceID and the Android equivalents. With the exception that the iOS app has "Live Sync" (i.e. push notifications to sync the vault when a change is made elsewhere) but they never work. I recently made a post about this on the Bitwarden support reddit [0] but had no response from the developer there or on Twitter which is a shame. Live Sync works fine on Android though so it is clearly an iOS issue only.
If 1Password were cheaper, or if my needs were more complex, I would switch away from Bitwarden but as a home user it is "good enough".
[0] https://old.reddit.com/r/Bitwarden/comments/f1besd/has_live_...
1. If a user fails (or skips) 2FA, they still retain complete access to any passwords/vaults they previously locally synced... they just can't sync new/updated entries. This seems like a really flawed design - a 2FA failure should prevent access. When I asked the 1password team whether they'd consider invalidating local cache on 2FA failure, they did not seem interested.
2. You can't create links to passwords, which would allow management of an entry from a single location. If you want to share a password across multiple teams/vaults, you need to know about and maintain those entries for the same account, which means you also have to have access to all those vaults to manage that entry. This discourages password rotation, and increases the likelihood of orphaned passwords in other vaults.
3. Lack of granular permissions structure. You can't, for example, allow a user to initiate vault resets without giving them full admin access to the entire thing. Again, other password managers allow more fine-grained control.
To me, 1password feels like a small-time solution that tried to bolt on some enterprise features to retain customers. I don't think it should be considered enterprise software.
If so SAASPASS has a sharing center for both password-based, 2FA protected email-based and Authenticator code-based sharing of access.
https://m.youtube.com/watch?v=i31RMUMuX2U
Password sharing controls are insufficient.
Would you be able to share feedback on where you feel the product falls down around tooling to scale? I'd like to make sure our teams are thinking about any difficulties you are having. There also may be more efficient ways to accomplish things that we can point out. Looking forward to your feedback. Thanks in advance!
For high level corporate account, just have 2-3 office phones with different phone numbers. Each number is for a different department or level of access. Provide the right number given the nature of the access required (AWS Root account versus Xero accounting software, for example) and then use that as the 2FA. You can even use virtual 2FA for this.
Just a thought.
For personal level access for each employee, provide your employees with second hand, cheap Android phones you can buy for mere pennies, keep them in the office at all times, on charge, on wifi-only. This has the benefit of helping to reuse old hardware as opposed to it ending up on some tip.
Personal use is free, with an optional $10 per YEAR (not per month) addon that adds a built-in TOTP client (ie. Google Authenticator compatible two-factor auth). There are also "Organization" accounts at extra cost for more enterprise-level usage, including sharing credentials among teams.
Note: I believe that even if you host on-premise using the open source code, it expects a paid license for the extra features (TOTP and Organization accounts), at $3-5/month per user.
[1] https://bitwarden.com/
I haven't use the 2FA option yet, and it has a Google Authenticator equivalent.
Bug is open already for a year :-(
P.S. 1password has it.
(Not to throw shade at Keepass, just my experience of it in the past, about 5 years ago.)
Alternatively, have one person who is responsible for changing passwords, everybody else just uses the passwords.