Ask HN: Does your org use a password keeper?
I work for a large (~10k) organization that obviously interacts with a number of different systems/applications on a daily basis. The average employee likely has 10-20 (hopefully) different sets of credentials that they must maintain and update as necessary - I can only imagine there are a variety of Password, Password1, Password12 combinations in use.
I'm curious if anyone has experience with an enterprise/corporate level password manager. Ideally, it would be tied to the user's AD profile so when they log in to Windows they would just need to enter their master password and it would integrate with the browser to prefill passwords just like 1Password, or BitWarden.
Looking at 1Password's website, it's 7.99 USD per user/month which gets very pricey with 10k users. I'm curious what other folks on HN are using. I appreciate your feedback!
73 comments
[ 3.9 ms ] story [ 126 ms ] threadA larger org would probably need a manager with extended access management, I am not sure if KeePass has such features yet. I think BitWarden does have an extended AD integration, but I am not sure if it is just to import users initially or if you can use AD authentication to access the key manager itself.
I don't know if AD integration is available. Ours is federated so that if you are logged into Google Chrome / Workspace then you are also logged into the LastPass plugin.
With that many users you don't pay the advertised prices. You schedule a call and they make sure you get an affordable offer.
> The average employee likely has 10-20 (hopefully) different sets of credentials that they must maintain and update as necessary
Time for azure, auth0, okta, or some other sso provider to just get rid of the passwords?
Even if they charged $0.50/per user, that would be $5k/month. I could go as a consultant and charge half of that to setup vaultwarden integrated with their AD for maybe 2 lazy days, and offer a support contract for $500/month. It's not even that much of rare skill. I'd guess you can randomly selected /r/selfhosted users and I'd give 10% of odds to find someone who has done it already and would even offer to do for less.
Yet, I think that most managers would simply prefer to go through all the negotiation meetings, all the internal procurement process just so they can justify the big boy expenses.
We are talking about $5k/month vs $500. If the UX of the FOSS version is lacking, pay for the closed version BUT throw $1000/month on the direction of the FOSS developers until the issues are mitigated and they satisfy your requirements. I can bet that in less than a year you'd be able to make a switch and the investment would pay itself.
This is not at all an easy thing to guarantee even if you’re willing to spend the money. The FOSS developers might not be interested in doing this work (even for pay) nor have UX staff.
So many talented people working for that money or less in São Paulo, Buenos Aires or Hanoi, it would be worth it to give it a shot even if they just worked part-time.
In all three cases, though, it sends a signal that there is demand for the changes. This works as both validation for the developers (our users wants this so much they are paying someone else to do it) and also for other companies (oh, why should we be paying this much to a closed-source service if we can pay a fraction of the price to get a reasonably-well-supported open source version?)
That's a very simplistic view of how it works in even a medium sized real company. Google SSO is already available for many external services you might use which is a lot easier to integrate than doing and maintaining something yourself. Especially because if there's an issue it's blocking everyone in the company at the same time. It makes sense to outsource that if it's not your core business.
You are arguing a strawman.
You go with companies that can demonstrate scalability because they provide project governance, proper change management, and layers of redundancy and support in the event of an emergency.
Also, the idea that someone charging $2k for two days of work is considered "doing it on the cheap" is almost offensive.
I know that people can come up with many perfectly reasonable justifications to spend this much on a service, but to someone like me who grew up in a poor country dealing with recession and austerity policies, it's hard to see these things and not thing "surely we can achieve the same results spending less?"
You're saying $500/mth, but my response would be: this is half a full time IT support position and it needs a secondary + on-call cover.
Is there anything that stops someone from letting LastPass fill the field, then use the browser tools to change the form field from `password` to `text`?
I can see how it might not be the solution you want for home but at work I'm just trying to get things done and that unfortunately involves a large number of passwords that can't easily be federated into an SSO like okta because they span businesses clients and companies. I don't understand the hate for LastPass, for me it just works (tm)
Prime example of Lastpass security theater - what exact problem did they think this feature solved?
Sure, its not too hard to get around that feature, you could just inject your own javascript on the page to dump the contents of the password field. But it does block the low hanging fruit of the millions of users who don't know how to do that who might abuse having access to the password because they don't really know better.
In essence, it helps to prevent those users who don't know better from leaking the password to places it shouldn't be. Obviously it doesn't prevent people who know how to get around it from getting around that protection, but in those circumstances you shouldn't really be sharing your password with someone who will abuse your trust.
Are you arguing that because they might make mistakes elsewhere we shouldn't bother putting any barriers up to them breaking policy, and that the only thing we should do is more training? I'd argue both things should be done. I do agree preventing LastPass from directly exposing the password isn't a very strong protection, but lets not act like it doesn't prevent any kind of password abuse. Sure, users should be more trained, but we should also create more barriers to prevent them from shooting off their toes.
It almost sounds like an argument to get rid of barriers on highways. Drivers should just know to not drive off the cliff; if people are driving off the highway clearly all we need to do is train them more. Barriers are just safety theater, people might still end up driving off the cliff if they try hard enough!
You asked for a use case for this feature and I gave you a use case that happens all the time and which such a feature prevents a large percentage of those users. You'd need someone determined to break the policy to dump the password and share it someplace they shouldn't, as opposed to someone doing it without thinking "is this against policy? shrug"
Do you work at TechnologyOne? :-P
Alternatively, have your tried SSO'ing everything?
That's your red flag right there. All identities that are tied to individual people should be connected to SSO in some way, then there will be no juggling of passwords at all on the individual-person level. Then you only need some 2FA solution on top in your identity provider, for instance TOTP or FIDO, and you're all set. (Corollary: If at all possible, only pick external services that can plug into your company's own SSO.)
For credentials not tied to individual people, e.g. root passwords on devices, my org uses HashiCorp Vault, and we're mostly satisfied with it. It's a bit of a struggle to configure the policies so that each group of (human/technical) users only has access to the secrets that they actually need, but I won't put the blame for that on Vault.
orgs should support what people do
If you think I'm being hyperbolic, I'm not. Our org has recently gone through a PCI/DSS audit, and there was a lot of frustration about the amount of required changes with regards to locking down access policies, tracking suspicious activity, enforcing 2FA and such, but most of the stuff that I saw change was stuff that feels like it really should be entirely obligatory in the first place.
There is a great tradition in IT to teach yourselves using free (as well as free-of-charge) software, but when you're in the business of IT, there should be much stricter regulation. If you're a civil engineer and the bridge you design collapses because you did your math wrong, you are criminally liable for the damage. But if you're a software "architect" and you negligently put an instance of database-du-jour on the internet without proper access controls or a vulnerability tracking process, you most often get away by just saying "whoopsie-daisy" and giving a flimsy apology to the millions of customers that had their personal data stolen. Worst case scenario, you get a fee of a few percent of your earnings. That has to end.
it's already a part of secret management for machines in secure cloud environments
SSO seems like the only way SaaS companies can make money, and what this HN post tells me is that even enterprises with 10k employees (!) still find that to be a little out of their price range. The state of the industry is kind of crazy, but that's why people are looking for an enterprise 1password account. Cheaper to pay them once than to pay 1000% markup on every SaaS you use.
We rely on all kinds of industry-specific applications that only support username/password (and SMS OTP if we're lucky). After that, there are a bunch of services that do offer SSO but only if you pay stupid money. For example, we spend about $100/month on Twilio but their SSO plan starts at $15k/month.
I am sure, 1Password will be more than happy to offer you a discounted rate
Of course, the UX of the free solution will never compete with the commercial solutions. If you want that, you have to pay.
I don't face any annoyances sharing passwords with 1pass like I used to with lastpass, secretserver, etc. It's a smooth experience all the way.
My personal benefit was that the convenience of using password managers finally pushed me to use Bitwarden+2FA on all my personal devices.
Things like Okta, OneLogin, GCP, AWS, Auth0 or Keycloak (self-hosted). A lot of products nowaday offers SSO integrations but often unfortunately at the highest tiers - see https://sso.tax/
How about AWS KMS?