Ask HN: What is the best password manager for business use?
39 comments
We use 1Password at the corporate level and I have been very pleased with their service.
Is it a per user per year pricing?
Can you centrally manage users' accesses?
Can you centrally manage users' accesses?
I use their family plan and set up everyone (max 5 people) in mine with it and they love it. None of us knew what we were missing until we tried it
Yes and yes.
+1 for 1Password. It’s really quite nice from a user’s perspective, including needing to recover my lost login after getting set up then forgetting about it for a few months. It took only a few minutes to get recovered.
I’m not honestly sure if I’d trust LastPass to be as sensible.
I’m not honestly sure if I’d trust LastPass to be as sensible.
Bitwarden is fantastic. I use it for my personal things + I've successfully migrated multiple companies to it from other password managers. Highly recommend it.
I love BitWarden, i use it both personally and at the company I work at. The previous company I worked at used it for all employees.
I‘m not sure if it has all the „business“ features you might desire but check it out, you could even host it on-prem if you want ;)
NO Lastpass, we use it at my company and it is terrible, the UX is a nightmare.
I completely agree. Use anything except LastPass, I found it to be really buggy, which makes me wonder how secure it can be if bugs that users notice don't get fixed. Granted I haven't used it for a couple of years, but I'm never going back.
I moved from LastPass to Bitwarden a few years back. Bitwarden does win a few kudos points for being free and open source. Unfortunately, Bitwarden is far from perfect either. It suffers from glaring UI problems which the developers have point-blank refused to address, insisting instead that that is how it is supposed to work --which is incredibly arrogant and 'Jobsian'... "You're using it wrong!"
Example:
* https://github.com/bitwarden/clients/issues/443
* https://github.com/bitwarden/clients/issues/839
* https://community.bitwarden.com/t/persistent-bitwarden-ui-an...
Example:
* https://github.com/bitwarden/clients/issues/443
* https://github.com/bitwarden/clients/issues/839
* https://community.bitwarden.com/t/persistent-bitwarden-ui-an...
You don't need to wonder, Google for "lastpass vulnerability" and "lastpass breach" and read from the many results. They do not have a particularly decent security track record.
Also, does anyone know of a multi-user password manager that can have permissions assigned to users? A number of the government accounts we use have a single company level login and keeping password changes synced between multiple users is difficult. We currently use one manager with a shared password but I would prefer something with better permissions and history.
1Password has fairly extensive permissions and can do this
Have you tried Bitwarden (vaultwarden for selfhosted)?
I'm pretty sure, you're able to share access to a login with just one person. Or make a "collection" of accounts and give that access to individuals as you wish.
https://bitwarden.com/help/about-collections/
I'm pretty sure, you're able to share access to a login with just one person. Or make a "collection" of accounts and give that access to individuals as you wish.
https://bitwarden.com/help/about-collections/
Bitwarden sharing requires the use of collections always. It's either in your personal vault or your organization's vault, at which point an admin can see all the entries and assign them to 0 or more collections.
If you have strict rules on who can create, access and edit entries, it's a bit painful to set up.
Currently in a large private bank: Keepass, hardware tokens in physical safes accessed supervised by another team, Hashicorp Vault, a few HSMs and managed key vaults for the cloud workloads.
Paranoid levels of security are relevant in some cases but unnecessary in others. Physical security and organisational processes are also an important complement to technological solutions.
Paranoid levels of security are relevant in some cases but unnecessary in others. Physical security and organisational processes are also an important complement to technological solutions.
I would indeed suggest bitwarden. Mostly because I believe that this type of security critical software needs to be open source to be trustworthy.
In my opinion I would say anything that has revision control, understands it's encrypted database file is shared meaning changes can converge clean and stored on-prem in a secure artifact repository with access logging that is preserved and can't be tampered with based on the companies SOC1/2/PCI policies and in no way touches a cloud not owned and under full control by that company. This is assuming the database is shared by a team. If used by just one employee then KeyPassXC is fine.
I can’t recommend anything as a community, but as me, I can say that I’ve been happy using a text file stored in an ecrypt volume. Vim lets me find and copy a password in under two seconds.
To me this makes so much sense. A file, the name of which only I know, encrypted on my local disk. Cut and paste from vim. No easy target. (Obscurity IS a security feature of certain system elements. But NOT encryption algorithms, obviously). Every hacker and his brother is pounding away at the on-line password systems. My one-off system on my personal laptop ... not a juicy target.
Your system might be secure. But, given that the vast majority of websites these days seem to require some kind of login in order to interact with them in any way, using a system like yours would drive me mad and waste so much time I'd likely end up adopting really bad practices like using memorable or repeat passwords. Just so I could speed things up a bit by being able to remember some of them, without having to decrypt and open up a text file to copy/paste login info, every time.
Which would, of course, be LESS secure than using a password manager.
Which would, of course, be LESS secure than using a password manager.
It’s not bad, but it’s missing a bunch of features. Auto locking after 30 seconds, clipboard clearing after 30 seconds, TOTP/HOTP interpretation just off the top of my head. May not be a problem if you’re using QubesOS, but it’s way too risky to accidentally keep an important password in your clipboard for too long.
pass
We use it because PGP has been through hell and back with security audits. Combined with the fact that everyone gets their own key gives you a lot of control over the ecosystem. At the end of the day it's just git + pgp, two bulletproof technologies you probably are already familiar with.
All shared passwords suffer from irrevocability, no matter your password storage solution.
We use it because PGP has been through hell and back with security audits. Combined with the fact that everyone gets their own key gives you a lot of control over the ecosystem. At the end of the day it's just git + pgp, two bulletproof technologies you probably are already familiar with.
All shared passwords suffer from irrevocability, no matter your password storage solution.
Can you elaborate on what "pass" is?
Gotcha. Any possibility for sync capability across systems? Similar to the encrypted hidden file solution below, this has risks for hardware/OS failure & online backup cracking. Offline backup solutions are good, but represent some risk as well. (Not that cloud services are risk free either)
> Any possibility for sync capability across systems?
It's a git repository. You can push it to a private github repo shared by your team. You could rsync. You could host the git repository on a flash drive and pass it around. Any method of syncing a git repository will work with password-store!
> this has risks for hardware/OS failure & online backup cracking
PGP is absolutely battle tested. You'd really have to screw the pooch on password selection to be subjected to a brute force offline attack. Even then, set your s2k-count setting for you PGP keys to something that takes 250ms or more and you'll make it impossible for even a state-level actor to brute force your keys.
For the ultra-ultra paranoid, users can keep PGP private keys on a hardware device like a Yubikey. This prevents the keys from ever being leaked (save local side channel attacks, but at the point your long screwed anyway).
It's a git repository. You can push it to a private github repo shared by your team. You could rsync. You could host the git repository on a flash drive and pass it around. Any method of syncing a git repository will work with password-store!
> this has risks for hardware/OS failure & online backup cracking
PGP is absolutely battle tested. You'd really have to screw the pooch on password selection to be subjected to a brute force offline attack. Even then, set your s2k-count setting for you PGP keys to something that takes 250ms or more and you'll make it impossible for even a state-level actor to brute force your keys.
For the ultra-ultra paranoid, users can keep PGP private keys on a hardware device like a Yubikey. This prevents the keys from ever being leaked (save local side channel attacks, but at the point your long screwed anyway).
This is awesome!
EnvKey
Programmer focused, not strictly a password manager. But easy enough to use as one.
Programmer focused, not strictly a password manager. But easy enough to use as one.
I've been using Passbolt for some time in a small company, it seems to be secure (pgp) and it has good browser plugins
1password. If you have business version employees also get free family plan.
Bitwarden is awesome.
I'm sorry, but the title is triggering me.
Why not ask, "What are some good password managers for business use cases and their pros and cons?
Why not ask, "What are some good password managers for business use cases and their pros and cons?
Because that exceeds the title character limit, if I am not mistaken.
> triggering me
Please accept my apologies for dredging up horrid memories of your past through my word choice. English is my first language, and I see no denotative issues.
> triggering me
Please accept my apologies for dredging up horrid memories of your past through my word choice. English is my first language, and I see no denotative issues.
I had flashbacks of all the spam YouTube titles and items that get populated after you search for something on google.
It’s not a big deal in any sense, but rather me just wishing that ‘best’ gets replaced ‘good’ or something similar as everyone has different use cases and just because it’s ‘best’ for someone, doesn’t means it’s for someone else.
I’ll toss my hat in the ring and say, keepassx, but that’s for my specific use case.
It’s not a big deal in any sense, but rather me just wishing that ‘best’ gets replaced ‘good’ or something similar as everyone has different use cases and just because it’s ‘best’ for someone, doesn’t means it’s for someone else.
I’ll toss my hat in the ring and say, keepassx, but that’s for my specific use case.
pen, paper, bank locker?
I've been using NordPass recently, but the interface is pretty broken with modern password flows (e.g. you enter your username, the webapp moves to the next "page" and gets your password. ADP does this, for example). NordPass guesses things are a new password on an established site about 20-30% of the time. Sort of annoying UX, though I dont really have any other complaints.
As a community, what do you recommend? I _think_ I've seen bitwarden recommended, but would love hear opinions on current state-of-the-art and recommendations.