Ask HN: How to store and share passwords in a company?

316 points by hu3 ↗ HN
We tend to have zillions of passwords in IT jobs right?

What are the recommended ways to store and give access to passwords?

How can a new hire be given access to all required passwords day 1?

And when such new hire gets promoted, how can we give access to the additional passwords they will need?

And if someone leaves the company, how can we change only the sensible passwords they had access to and preferably notify everyone with access to it that it was changed?

Any best practices? Any 80/20 suggestions? Low hanging fruits? Any warnings about what not to do?

296 comments

[ 3.4 ms ] story [ 279 ms ] thread
1. Don't have passwords. This is why there's an "SSO tax". If you setup SSO then there will be less passwords / accounts.

2. Use a password manager that enables sharing. There are 1s with company accounts and different ways to share. A new hire can pick up a certain role/group and get all the passwords.

And #2 is only to be used if absolutely unavoidable and even then, I would think hard about alternatives such as ditching the service that would require using that solution.
1Password has shared vaults, 1Password for Business has the concept of groups.
The critical missing piece of 1Password for Business is that it won't reveal to IT admins what passwords are weak across the org (Watchtower only works for the individual). Despite endless training, people still choose really weak passwords, and you need tools to spot this and require employees to change them.
(comment deleted)
I'd say you will need a password manager with good auditing. Give them access to all the required passwords but log every access to it. So if someone leaves the company, you know which passwords to change.

Groups and ACLs would help to give "scoped" access to passwords.

Use SSO when possible and fallback to 1pass vaults when SSO isn’t possible
This is the right answer for internal threats, because having each employee have their own login to services means there are auditable. However it does mean you need to think carefully about the SPOF issue (single point of failure). Especially if your SSO is Google or some other company with a habit of pulling the plug without recourse.

Domain registry, password management and SSO are services which can kill your entire company if you lose access. The other option is to deploy your own SSO as a service, but that does run into the issue of potentially running a security critical service without having sufficient chops internally to keep it secure.

Lots of people suggest 1Password, and it works really well for larger or more disperse groups needing some shared vault capability, and perhaps those that want a more visual-driven web interface. Keep in mind there is the per-seat pricing for that.

What has also worked really well in the past for me and my teams, especially if they are more technical and these credentials really never need to go beyond this more technical team is setting up a single 'vault' encrypted with GPG. Each team member then gets the vault re-encrypted for them, adding them to the recipient list. While this takes a little bit of effort to get a workflow going, it keeps it out of a cloud service, if you're concerned about that, and you get to pass it around just like any other file. When someone leaves, or no longer needs access, their recipient is removed and then the file recommitted and redistributed. In the past I've had the ASCII-armored file committed in git and people just pull down a tools repo every so often.

If you are wanting to store credentials for, say, public cloud services, don't. Use roles as much as possible, don't pass around passwords, don't bother setting up individual users beyond those required to bind a role to it, grant only by roles as much as possible.

We uses D the same approach for a while. Pass/gopass will do that for you. However, the downside here is that it quickly gets unwieldy as you’ll end up with a relatively large vaults. And you can’t really remove people, they can always keep and decrypt old versions of the vault, that means that you do have to rotate all of the secrets in that vault manually if someone leaves. And then, there’s also the support cost for non-tech people. GPG on windows is a particular pain.

You’ll have a similar effect in all password storage solutions, but since adding/removing people from vaults is much simpler, you end up with smaller, more fine-grained vaults and less secrets to rotate. Also, SSO, SCIM, tying the password management into a proper group/authentication system will help.

> And you can’t really remove people, they can always keep and decrypt old versions of the vault, that means that you do have to rotate all of the secrets in that vault manually if someone leaves. And then, there’s also the support cost for non-tech people. GPG on windows is a particular pain.

In a way doesn't this just more directly reflect the reality that anyone you've ever given access to a password may have made a private copy of it? It's not actually safe to leave passwords unrotated when someone who had access to them leaves.

Absolutely. My point is that pass/gopass in practice lead to larger vaults, so.you need to rotate more passwords. And more advanced password managers offer assistance for that task, which the more basic ones do not.
I use a similar flow with the technical team to avoid unencrypted credentials in SCM. The vault (or other secrets) are encrypted with a common passphrase and then only this passphrase is whats encrypted with GPG for multiple recipients.
I've built security programs at 3 companies. This is how I would solve these problems.

1. SSO everywhere. Okta if budget is no concern and Keycloak if it is.

2. Password manager for the entire company. Even if it's possible to go SSO everywhere, there are still secrets employees will need to manage. Give them a solution or they'll solve it on their own and not in a good way. I like 1Password.

3. All services use a secret solution that can broker short lived secrets and a policy that limits secret TTL to a day or less. I like HashiCorp Vault.

Next you’re gonna tell me “send me the password over slack and then delete the message” isn’t good password security.
About 1, unless you have a dev team and dedicated time to make compatibility layers, you're more or less limited to whatever application and saas supports your sso of choice though, correct ?
No, SAML is the standard these days and it’s supported nearly everywhere (where it matters). No vendor lock-in.

Although I’m not sure why you’d go with a 3rd party idp rather than just using Google Workspace (or Microsoft equivalent).

Okta is inexpensive for small companies (our bill for 200+ employees is like, $3000 a year; it's a couple bucks per user per month). You can use Okta as a password manager as well - just add a new "application" and pick the choice for "shared username and password", which basically makes Okta's browser extension just autofill the password for the user. Works great for sites that don't have SSO as an option.
- Use 1Password or similar password vault to deliver account passwords on day one; the password manager also promotes good personal password management practices

- only share passwords for personal accounts; those accounts you terminate when the employee separates. For shared resources, use SSO and SCIM group management via the SSO provider to add and remove accounts from groups with different roles.

Rippling seems like a neat offering because they bundle SSO with HR people management, and their HR product is the best I’ve used as an employee - hopefully the administrative side is just as good or better.

If those SaaS tools aren’t in your budget, try looking for open-source or gratis alternatives with the same shape, or repurposing whatever IT infra you have to implement a similar model.

We use 1Password at our company and it works extremely well.

We also use opal for dynamic access to things like AWS or our DB service where a temp user with a specific IAM role / temp db user / pass is created for that user's session. For higher level access, someone would approve the request before credentials are generated.

https://opal.dev/

OOI do you ever use SCIM for something really granular? I have a service where people can be one of 5 roles and then have access to 1..30 named 'workspaces' - all that we'd like to control with policy on our side not vendor side

I think it's unsuitable for SCIM because I'd have to create 5*30 AD groups?

Users can be in more than one group right? Or they might have a different role per workspace?
Honestly I’ve worked in places with many 1000s of AD groups. At some point, that’s just what fine grained access control means, I’m not sure there’s much point in trying to prematurely optimise for fewer groups.

Of course, if there’s a way to simplify the access (like are there truly 5 roles or in practice do people end up bucketed in to 2/3), or if you can configure one role group with the user is always in and group per workspace that’s always ideal, but that might well come back to bite you.

I wouldn't want HR in charge of my secrets management in any way shape or form.

Happy to have a level of group synchronisation out of HR's systems, but certainly would not give them the ability to manage the high-power users.

HR might be a more suitable place to decide who is in what role than IT is, though?
I love 1Password. I use it personally, but at company level we use another.
A password manager with some documentation and process could solve this.

What I describe is more or less what has been the standard at the companies I worked for, no secret sauce here, and I added some extra processes to address the questions you asked.

Get a password manager service (none of the keepass file thrown onto Google Drive), we used 1password, it's good enough I assume. Keep related items in one collection, don't mix unrelated items. Always save passwords in the pw manager, and make sure everyone does that, too. When someone joins, give them access to what makes sense. If someone gets promoted, add them to a new collection. Document who is allowed access to each collection if necessary. When someone leaves, kick them out of the password manager service first, then in a timely fashion, change the passwords (I don't know if you can do it automatically, but if churn isn't too bad, you can also do it manually). Save the new passwords in your passwords manager. As everyone uses the password manager, they will automatically get the new passwords without them even realizing it changed.

Some extra that's also important: if possible, use SSO and everyone uses their own account, eg Okta. Create and share passwords only if needed. When one off accounts are needed, make sure they are created with company email addresses, ideally named after a team rather an individual.

My experience is that most companies can't be bothered to change passwords every time someone leaves. Most people are not assholes, or want to go to court and possibly jail for messing around in accounts from their old companies (even if they could technically save the passwords for their own use for later).

Yellow sticky note on the monitor?
Since you asked for warnings about what not to do, here's one – don't share passwords! With shared accounts, you won't be able to tell who did what. If it is an important thing to which you are sharing passwords and bad thing happens, due to user action that is either accidentally or maliciously, you won't be able to find out who exactly did it and take corrective action.
honestly wonder if this is a 1pass ad thinly veiled as a question on the hn front page? if you have to ask, you shouldnt be doing it - hire or at least consult an IT professional
Asking on Hacker News IS consulting with IT professionals.
I'd strongly advise against 1Password, several answers here recommending it and I suspect conflating personal use with 'good enough for business', hard disagree.

Your company can apply various aspects of threat modelling and more often than not several companies I've worked with find that Bitwarden self-hosted can meet a lot of requirements, this is the best solution in terms of privacy and security and controlling your trust boundaries. Failing that, Bitwarden Enterprise (they host) is also just as good. In either case there's granular controls for controlling what your new hires can be given access to.

There won't be a perfect solution such as notifying everyone about rotation, it's not needed though - simply rotate it and the next time they need it they get the new version.

Of course the general advice is something I agree with - use SSO where possible, but I fully recognise that it isn't always possible with some third party services that haven't implemented it yet.

There is a cruder solution I've often seen too, it's a bit painful but KeePass2/KeePassXC on a company hosted SAN is the ultimate offline, fully controlled solution but comes with extra hurdles to access, whereas Bitwarden is browser based and simpler to use.

Why do you disagree 1password is good enough for business?
(comment deleted)
We use Bitwarden as well. It seems to offer the sort of fine grained controls that let the right people have access to the right secrets.
We used 1Password at a ~6,000 employee tech company and it was fine. Never had any issues with 1Password.
What makes Bitwarden better than 1Password for company use?
They mention self-hosted. Unless there's a long-game supply chain attack where they infiltrate the vendor and poison the updates and nobody notices until it's too late (that disaster scenario can always happen), at least not all your passwords are gone the minute the central server where everyone's data is stored gets compromised

I don't have much experience with either product but based on what the person said, that seems the most plausible reason to me. If 1Password does something like encrypting it for every user individually and so the server can't read the stored data (like when it's decrypted in the browser with the user's password, then an attacker would again need to compromise the website, wait, and hope nobody notices until their target logs in), then I guess GP really needs to clarify what they meant

I work for a financial, we take security seriously. Production secrets like passwords, private keys etc are stored in Hashicorp Vault. They aren't stored on disk anywhere else. Privileged system account that runs the production processes can't be used by interactive users. SREs can get access if they have to but its locked down and every session is recorded. The secrets are rotated regularly. So your new hire never gets to see production passwords effective.

For developers, everything is done in their individual accounts, no system accounts. There is a dev system account that does leak out some times but this is frowned upon. Production data that is synced to dev environments have to be scrambled so devs dont get to see all the real prod data.

Exactly.

For robotic accounts, cloud providers usually even come with a vault solution (Azure keyvault, etc.) that is audited. Those vaults can be integrated in kube/openshift and seen as secrets directly by applications.

For human users, SSO is a must, otherwise a password manager that also gets audited.

PCI-DSS audit would require this kind of things.

While building Adaptive (https://adaptive.live), I have been working very closely with regulated industries, financial institutions, healthcare orgs. Traditionally, people have been using Cyberark to do Identity management, paired with Privilege access management.

There are some modern Privileged Access Management platforms like Strongdm, teleport, us (https://adaptive.live) and few more in the market that works well with cloud and modern application architectures.

There is debate in the industry whether access should be given or not. There is pros and cons for either of them. This purely depends on the culture of the org in my opinion. But in scenario, you really have to give access, it should have the least privilege as well it should be time bound. Also, all the operations should be audited and recorded.

I believe you should have zero standing access in the org, but there are always use cases like data repair and administration where you have to give access to users. In that scenario, the access should be limit, time bound and audited. Also, you have to make sure you run access review campaigns and checks for over privileged or unused users.

Just want to say that StackExchange is the place to get answers for questions like this (waiting for my downvotes). Is there a better place?
I think stack exchange would delete the question because it is too vague and open to opinion.
true, ask chatgpt to reword this post to be appropriate for stackexchange first. i cant think of a way to ask this and chatgpt failed also. maybe there is a link to a duplicate answered q there
there is no way to word this question to be appropriate for stack exchange. it fundamentally does not belong on stack exchange
(comment deleted)
yes I can kind of see that, its not specific enough and almost a product recommendation ask. Normally the Security department handles this and we turn it over to them to make the policies and procedures.
Decent chance that the asker and many of the good answers here are the professionals staffing security departments. This place is better than StackExchange for this kind of discussion. If you’re curious about how companies manage passwords, there are people with experience sharing. Why not sit back and learn?
yeah let's waste big LLM energy on obfuscating wording to make it sound like your off-topic question is actually topical ...

When I see how people decide to use this tool, I really wonder if (the current state of the art at least) really is a tool for the good or if it needs big watermarks so it can be rejected when you try to propagate/submit the contents somewhere and it becomes only usable for the things it's good at like summarizing short texts to tweet size or helping with language learning or such

And (except on a specific site within their network), product recommendations are OT.
I was going to ask if it isn't the other way around, when I realized you probably mean off-topic rather than on-topic. If anyone ever runs a competition for the worst acronym ever, this nominee can probably only be topped by a three-way confusion or something that threatens lives!
Yes I realized later that OT might have two meanings, and the most probable one is not the same everywhere... but too late to edit.
> We tend to have zillions of passwords in IT jobs right?

Yes, but they should be unique to your account. I.e. via SSO.

> What are the recommended ways to store and give access to passwords?

Whenever possible, don't. Otherwise, it depends on the scale and security you need. A password manager is one possible solution. Another solution is something like Hashicorp's Vault or OpenBao.

> How can a new hire be given access to all required passwords day 1?

They should access it through their SSO account, and not need a billion passwords across systems.

> And when such new hire gets promoted, how can we give access to the additional passwords they will need?

Again, whenever possible, tie access to their SSO account.

> And if someone leaves the company, how can we change only the sensible passwords they had access to and preferably notify everyone with access to it that it was changed?

Well if you did all of the above this wouldn't be an issue, you just close the 1 account.

> Any best practices? Any 80/20 suggestions? Low hanging fruits? Any warnings about what not to do?

Another thing you can do is give people 2 accounts, a normal account and an Admin level account, this is useful for things where the employee needs a regular day to day account as well. i.e. for the employee self portal for instance.

> Yes, but they should be unique to your account. I.e. via SSO.

This is a great best practice, but user-based value metrics for many SaaS platforms make this untenable for some IT departments. If folks have to log in seldomly, it's very hard to make the business case to pay per user.

Similarly, there's many SaaS platforms that charge A LOT extra for SSO because you have to upgrade to their Enterprise-pricing model. If managing a separate user directory isn't worth it because the software isn't personalized, understaffed IT departments aren't going to do that either.

So while there is a best practice, dismissing solutions that are "good enough" (while sharing tradeoffs) isn't as helpful.

Shared PWs are sometimes inevitable but then you must rotate them every time someone with access leaves the company. OneLogin also has a way to minimize handling of the shared passwords for auto-logins that depend on shared creds
Is sharing accounts not against the TOS of any user priced saas company?
we inquired about this to grafana.net, and their reply didn't forbid sharing accounts
Probably but IRL:

A) Who reads those? B) Who cares if e.g. Miro finds out you're sharing accounts and get banned?

We change our PW for some platforms every month, so that people leaving won’t have access anymore
Well except for the period of time between them quitting and the new month rolls around.

You really should change passwords the second they leave. Yes it's a PITA, but you should do it anyway.

> So while there is a best practice, dismissing solutions that are "good enough" (while sharing tradeoffs) isn't as helpful.

In many environments, sharing passwords is never "good enough".

Not only user-based value metrics - but also SaaS apps don't implement collaboration in approachable ways for groups.

I can setup shared inbox and shared account that all users will have access to.

If we would properly manage configuration for each SaaS app we would have to have full time employee just to do that.

Yes there is SSO and you can setup roles and rights and align that - but let's say you have Joe in CRM SaaS that has customer X - Joe leaves and only he gets notifications, now someone still has to reconfigure CRM so Jane gets the notifications, removing access from Joe is easy. That is why companies get shared inboxes because then you have pool of employees that will check shared inbox and also shared account.

Yes in ideal world Joe does handover of his customers and configurations before he leaves, but we know world is not ideal.

There's A LOT of good advice for SaaS companies here. The problem e.g. you desribe is clearly something thats solvable on the SaaS side.
SSO all the way (if you can). Chances are you've got Google Workspace or Microsoft 365 - both allow you to configure SAML based SSO into many SaaS apps either through their respective app galleries or some kind of custom configuration. Otherwise you could look at Okta, but be prepared to fork out serious cash. We use Entra ID (part of Microsoft 365) for SSO in our business, and it generally works well.

There'll be times that employees can't use SSO though. For that I'll add my voice to 1Password - it's well designed such that a breach of the 1PW service itself won't reveal credentials (you'd need peoples vault passwords and secret keys for that). Avoid Lastpass - the UI is awful, and they've been breached in the past.

> Avoid Lastpass - the UI is awful, and they've been breached in the past

They have had multiple serious breaches and to add insult to injury they have engaged in some gaslighting-esque style marketing to inquiries.

Never bind critical services to the account of one employee. When that one employee gets hit by a bus you loose access to critical infrastructure.
Well, they're asking how to share them, maybe this is why...
ah, so one should ensure that the account is duplicated in some way. "shared", if you will.
(comment deleted)
KeePassX file in a repo with long password is a reasonably good solution. Not perfect, but open source and you can segregate by user/team. Also in a team there can be 1 person who has write/update duties and updates the passwords if there a shared ones (not the best approach).

BTW, not related to the passwords is to put everything non-public serving behind a firewall and access it only via individual VPN keys.

Don't put in a place where history is saved (as in, don't put it in a repo, put on a shared disk). Also, make sure to rotate the key when people change.
> Don't put in a place where history is saved

What risks & attack vectors do you have in mind here? Also, in how far is this an issue with KeePass (whose files are encrypted)?

> What risks & attack vectors do you have in mind here?

People with deleted passwords not being able to access the old file, or really any kind of mistake being irreversible.

I'm afraid I'm still not following. Isn't the point of having a history precisely to be able to roll back in case of mistakes?
You don't want a rigid history on the case of some mistake exposing the data. (Like a weak password.)

Backups that you can erase work fine, but version control will create trouble.

Yeah, rotating the passwords when there is a possibility of a leak would be mandatory of course. (As it should be anyway.)
Folks are going to have strong opinions here about things, so I'll try to stick to my personal experience. I adopted 1Password at my current organization. Overall, I've been very satisfied with it. Here are the major points I've noticed:

* Great authenticator support. We have some accounts that our team members have to share, and we want MFA on those accounts. I can add an MFA field to 1Password entry and the people who have access to that entry can use it. Doesn't help when those entries require phone/e-mail based MFA; I'm working on a little Twilio / outlook group setup to take care of that. * Easy to navigate group membership. Passwords are stored in vaults and individuals or groups can be given access to those vaults. The model for it fits in my head and I like that. * Easy share ability. There are a few credentials that I occasionally need to share outside of a vault. I can create a link and grant access to specific individuals for a given amount of time. * The browser extension and integration have been really smooth in my opinion. * I find tagging and taxonomies of tags to be helpful, and 1Password supports those well. * We've gotten some great mileage out of 1Password connect. Some of our infrastructure secrets now reside directly in 1Password, and 1PW connect pushes them into our k8s environment as secrets where our apps can refer to them. Makes secret management across environments that much easier. * SCIM support (which I haven't yet implemented) and SSO support to bring more convenience for end-users. * Easy ability to recover if an employee forgets their master PW (have done this a handful of times). * A nice perk: our 1PW business comes with a free 1PW personal subscription for people, completely separate. If the employee leaves they have can convert their personal vault to a paid subscription or export it.

To answer your questions specifically based on my current context:

> What are the recommended ways to store and give access to passwords?

1Password vaults. One vault per style of responsibility. 1+ groups have access to a vault. People get put into 1+ groups.

> How can a new hire be given access to all required passwords day 1?

In our case, day 1 they accept the 1PW invite in their inbox, and then we assign them to groups. Done.

> And when such new hire gets promoted, how can we give access to the additional passwords they will need?

Keep those "tiers" of passwords in separate vaults. Update the groups when someone's role changes.

> And if someone leaves the company, how can we change only the sensible passwords they had access to and preferably notify everyone with access to it that it was changed?

See what groups that person is in and what vaults they had access to. Review "high priority" items which you've tagged in such a way as to surface them. Send an e-mail to the members of the vault telling them you're rotating passwords. Rotate the passwords. Anyone who's a vault member can see the password history too, I believe, so if something goes wrong the old password will still be available.

> * Great authenticator support. We have some accounts that our team members have to share, and we want MFA on those accounts. I can add an MFA field to 1Password entry and the people who have access to that entry can use it. Doesn't help when those entries require phone/e-mail based MFA; I'm working on a little Twilio / outlook group setup to take care of that. * Easy to navigate group membership. Passwords are stored in vaults and individuals or groups can be given access to those vaults. The model for it fits in my head and I like that. * Easy share ability. There are a few credentials that I occasionally need to share outside of a vault. I can create a link and grant access to specific individuals for a given amount of time. * The browser extension and integration have been really smooth in my opinion. * I find tagging and taxonomies of tags to be helpful, and 1Password supports those well. * We've gotten some great mileage out of 1Password connect. Some of our infrastructure secrets now reside directly in 1Password, and 1PW connect pushes them into our k8s environment as secrets where our apps can refer to them. Makes secret management across environments that much easier. * SCIM support (which I haven't yet implemented) and SSO support to bring more convenience for end-users. * Easy ability to recover if an employee forgets their master PW (have done this a handful of times). * A nice perk: our 1PW business comes with a free 1PW personal subscription for people, completely separate. If the employee leaves they have can convert their personal vault to a paid subscription or export it.

inserting some line breaks...

* Great authenticator support. We have some accounts that our team members have to share, and we want MFA on those accounts. I can add an MFA field to 1Password entry and the people who have access to that entry can use it. Doesn't help when those entries require phone/e-mail based MFA; I'm working on a little Twilio / outlook group setup to take care of that.

* Easy to navigate group membership. Passwords are stored in vaults and individuals or groups can be given access to those vaults. The model for it fits in my head and I like that.

* Easy share ability. There are a few credentials that I occasionally need to share outside of a vault. I can create a link and grant access to specific individuals for a given amount of time.

* The browser extension and integration have been really smooth in my opinion.

* I find tagging and taxonomies of tags to be helpful, and 1Password supports those well.

* We've gotten some great mileage out of 1Password connect. Some of our infrastructure secrets now reside directly in 1Password, and 1PW connect pushes them into our k8s environment as secrets where our apps can refer to them. Makes secret management across environments that much easier.

* SCIM support (which I haven't yet implemented) and SSO support to bring more convenience for end-users.

* Easy ability to recover if an employee forgets their master PW (have done this a handful of times).

* A nice perk: our 1PW business comes with a free 1PW personal subscription for people, completely separate. If the employee leaves they have can convert their personal vault to a paid subscription or export it.

> Easy ability to recover if an employee forgets their master PW

So the server can read all data or how does this work?

Ess Ess Oh. Understand the number of individual warm bodies who need access to what. In an ideal world (that may not exist) this should be aligned to job description/contract and the process for when those people are removed under any circumstance. Pay for the users you need on the platforms you use, whether that's cloud or resources for on-prem/locally managed tools. Elevate legacy systems that aren't implemented for the scale you're operating at to be managed safely on a per-user level. Tell executives/budget process/whatever/whoever these liabilities exist and need to be covered in budget.

And then, yeah, find a password manager tied into that SSO platform to fill the gaps/enforce policies for users using tools that don't have SSO available.

HR-and-manager-enforceable policies and penalties for users who go off the reservations.

Hashicorp Vault generally linked up to IDp or One Time Secret (or some service with expiring limited use links).

It’s pretty extendable and can integrate with other engineering use cases, shame about hashicorp license change though. Openbao looks great though as a replacement. These are open source so look no further if that’s what you’re looking for if you want password management, ssh auth, cert issuance, authentication and secret retrieval with k8s for example.

Shared passwords should always be an exception. Prefer SSO. However the exception will always exist, in which case:

Some suggest using KeePass or equivalent, but I advise against it - too easy to copy and leave with the vault and very difficult to audit.

Find a solution that audits who had access to such password. And do your audits!

Consider rotating your shared passwords frequently, especially any high privileged ones.

If your risks warrant it, check for a PAM (privileged access manager) that acts as a middlemen and fully hides the password.

I realize I am not really answering your questions, so I'll stop here. But... SSO and proper directory management!