
Passbolt: Self hostable, open source, password manager for teams - fosco
https://www.passbolt.com
======
smartbit
Pros

- free open source
- group management can be delegated
- works fine with mac, linux & windows browsers
- maintenance free self hosted on k8s for 2 years
- lack of mobile apps has not been an issue
- UX is ok, no complaints
- requires little end-user support

Cons

- only password field is encrypted
- no warning that Notes are not encrypted
- promises ‘Secure files & notes (Coming soon)’ for more than a year
- password generator has no complexity options
- requires browser plugin
- user passwords have no minimum entropy requirements
- no helm chart, used our own

Experience based on free version with ~75 users. Plan to switch to paid
version when _Secure files & notes_ become available.

Noticed that former lead developer
[https://github.com/markstory](https://github.com/markstory) now works on
Sentry. Sentry has the same list of _Pros_ as above: it '_just works_' without
maintenance or support, running self hosted on k8s for free.

~~~
elric
More like "fauxpensource". All the useful features are part of the expensive
looking Business plan. I don't mind people charging money for software, but I
really wish they wouldn't pretend to be open source when they're not.

~~~
thayne
So many "open core" projects are really crippleware. The open core business
model just makes too much of an incentive to make core functionality
proprietary. I guess one nice thing is you could fork the open-source version
and add the "business/enterprise" features to it yourself. I'm sure that would
earn you the ire of the company that makes said software though. I'd love to
see the pull request to add such features to the open source version. Would
you get a response like "The PR looks great, but it doesn't align with our
business model, so we'll have to reject it."?

~~~
smartbit
Gitlab regularly considers moving features to the Open Source version.

------
verandaguy
I like this a lot. I've been a Bitwarden user for the past few months and I'm
not looking back, but I'm so happy there's reasonable competition:

- It's still OSS, so you can self-host, which is a big selling point for me

- There's a managed/hosted option, which is a big selling point for probably
_most_ users

- It's got a browser plugin à la BitWarden/1Password, which is a crucial
feature for any well-polished password manager (and hopefully it also comes
with Android autofill integration)

Hopefully Passbolt, BitWarden and others can keep each other on their toes and
help this be an innovative and widely accessible space!

Expanding on that last point: I'm a _huge_ fan of the general idea of having
the option of self-hosting with a business model revolving around a paid,
managed option, for password managers or otherwise.

~~~
dmacedo
Likewise, and I'm loving Bitwarden so far!

Although I'm using the dockerized rust API (1) for self-hosting it, and so far
it's been working great for months! I am keeping a close eye on the container,
and backing up the data hourly to ensure I don't need to worry about losing
anything.

(1): [https://github.com/dani-garcia/bitwarden_rs](https://github.com/dani-garcia/bitwarden_rs)

~~~
8fingerlouie
I was evaluating Bitwarden years ago (before bitwarden_rs), but was thrown off
by the lack of support for 2FA tokens without a subscription.

Does self-hosting with bitwarden_rs solve this? Or do I still need a
subscription for storing 2FA tokens along with passwords?

I have absolutely no problem paying once per major version for software, open
source or not, but I refuse to pay any subscription. At least when buying a
version I can choose to upgrade or not.

~~~
graton
Yes, bitwarden_rs supports 2FA, including U2F keys. I set up my own instance in
a Docker container on my Synology. I only have access to it while I am at home
(or VPNed in) as I'm not willing to punch a hole in my firewall for external
access.

------
senectus1
heh, I know a guy who will be having rage-fits over the use of "on-Premise" on
their web site...

Premise:

noun /ˈprɛmɪs/ LOGIC a previous statement or proposition from which another is
inferred or follows as a conclusion. "if the premise is true, then the
conclusion must be true"

verb /prɪˈmʌɪz/ base an argument, theory, or undertaking on. "the reforms were
premised on our findings"

Premises:

noun a house or building, together with its land and outbuildings, occupied by
a business or considered in an official context. "the company has moved to new
premises"

~~~
edoceo
Hope you let the site operator know, or filed a bug on their github

~~~
senectus1
That's possibly the first time I've ever done a bug report :-P Let's see where
it goes #358

~~~
senectus1
hey cool, they fixed it :-D

~~~
remy_
Thanks for the report

------
lexicon0
Why would I pay at least 450 euro per month for something I have to run
myself? I appreciate that support and maintenance costs are certainly
something to pay for, but a high monthly charge when I'm taking all the risk,
and paying for the hosting immediately turns me off.

Especially considering the 4 hour SLA on phone support for the enterprise
version. If the password management system is down, work stops. I'd rather not
have to break the glass on the emergency god account at all.

~~~
throw0101a
> _Why would I pay at least 450 euro per month for something I have to run
> myself?_

Some people/teams/departments are busy with other things, so that amount is
worth the cost of outsourcing a service such that the team members can focus
on other things.

Also:

* why would anyone run RHEL when they can run CentOS? (The cost of a service being down is more than the support fee.)

* why would I go to a restaurant when I can cook a meal at home for much less?

* why would I pay for a car wash when a garden hose and a sponge work just as well?

Also also, you may want to actually check what the pricing is:

* [https://www.passbolt.com/pricing/pro](https://www.passbolt.com/pricing/pro)

------
ahnick
As a small dev team we needed something similar to passbolt, but that would
primarily be used for sharing API keys and other application secrets for our
code base. (Although we use it for other passwords as well.) A lot of the
existing tools are fairly complex to set up and are not tied to identity
management systems. (i.e. you have to set up and maintain separate user
accounts)

Since we were on Keybase already for employee identity and chat, we created
an extension to encpass.sh to use Keybase for our secret storage.
([https://github.com/plyint/encpass.sh/blob/master/extensions/...](https://github.com/plyint/encpass.sh/blob/master/extensions/keybase/KEYBASE.md))
It has been working really well so far, as when we add someone to a Keybase
team, that person immediately has access to that team's secrets. No extra
setup required.

------
edoceo
My team has been using this for over a year. It's been my favorite answer for
this problem-space. I love the self-hosted part (which means I also get
backups I can trust). It's trivial to put inside a VPN for added security.
Its security reviews were good and it's built on standard tools (so maybe if PB
is dead I could recover outside?). Just save the key you download when you set
up or you're hosed!

Which reminds me, I've been meaning to make a plain-text archiver for this --
to print out secrets and put them in my safe.

~~~
latchkey
imho, [https://www.deadmansswitch.net/](https://www.deadmansswitch.net/) is a
better option than paper in a safe.

your house could burn down or someone might not be able to open your safe
(easily).

pgp encrypt a message that gets sent to someone with instructions for how to
access your things if you don't check in.

~~~
edoceo
I hear you; I've got three copies, two physically distant safes, and a
deposit-box -- it's a habit I got doing SysOps for a bank back in the day.

~~~
toomanymike
Be careful with safety deposit boxes -
[https://www.nytimes.com/2019/07/19/business/safe-deposit-box...](https://www.nytimes.com/2019/07/19/business/safe-deposit-box-theft.html)

------
tazeg95
You just need git, ssh and pass
([https://www.passwordstore.org/](https://www.passwordstore.org/)), see
[https://fr.jeffprod.com/blog/2019/gerez-vos-mots-de-passe-av...](https://fr.jeffprod.com/blog/2019/gerez-vos-mots-de-passe-avec-des-logiciels-libres/) (french)

~~~
dewey
Or [https://github.com/gopasspw/gopass](https://github.com/gopasspw/gopass) if
you want something passwordstore compatible but with additional team features.

~~~
tfigment
I use gopass myself and got it working on my windows laptop, including WSL, and
still use it. I even tried to adopt it within the team and then its flaws were
in full view. Hard to set up correctly on machines, hard to share passwords in
the team. Re-encrypting passwords worked sometimes but not always for the whole
team. I gave up trying to get the team to use it.

~~~
tex0
Sad to hear that. This is likely due to the additional complexity of GPG I
guess?

------
dfee
I feel like this is becoming a very crowded market. What sort of
differentiation separates this service from the pack?

For my purchasing decision, I’d lean heavily on the probability the service
will be there in 5 years (it’s obvious I’m getting older I guess), as the
market seems pretty mature.

~~~
thaumaturgy
I did a pretty thorough review of PassBolt a couple of years back when I was
trying really hard to get a company to adopt it and give up their "we store
all of our passwords on a spreadsheet" approach.

I don't have my notes any more, but off the top of my head, the big points in
favor were:

- Self-hostable. The tech guy in charge just resolutely would not use any
hosted service, period. In his evaluation, trusting a centralized password
management service was less secure than a spreadsheet in a Windows share.

- Low cost. Password management is integrated into some MSP products but
these can be a bit pricey for small shops.

- Built with PHP. Same guy was uncomfortable with Python, Node, and all that,
and insisted that he be able to maintain and troubleshoot the codebase himself
if necessary, so it had to be PHP.

The main failing was that it didn't have proper mobile device support, so it
would be a pain in the ass for some of the employees.

As far as I know that same company still keeps their passwords in a
spreadsheet. They've had several costly security incidents over the years.

~~~
jeroenhd
> - Built with PHP. Same guy was uncomfortable with Python, Node, and all
> that, and insisted that he be able to maintain and troubleshoot the codebase
> himself if necessary, so it had to be PHP.

Now that's an interesting perspective, I don't think I've heard anyone
consider PHP to be more secure than Python before.

~~~
fraktl
> I don't think I've heard anyone consider PHP to be more secure than Python
> before

If you heard anyone discuss language X being more secure than language Y, then
I'm sorry - but that person has no clue what they're talking about.

PHP is as secure or insecure as Python / Ruby / Go / <insert language here>.

Hammer depends on the one holding the hammer.

~~~
jeroenhd
Of course; the best comparison you can make in security here is the amount of
raw memory access.

People condemn languages for two security reasons: the average level of
competence in products usually written in a language, and the amount of
footguns a language provides.

PHP is very easy to learn, which is why a lot (really, a _lot_) of open source
software is of very questionable quality. For many, it's the first programming
language someone learns, which means the quality is often far from what a
developer is capable of with a little more experience.

PHP also has a lot of weird functions and behaviourisms, all perfectly well
documented (but nobody really reads up on the details of `isset`, it seems).
APIs seem inconsistent and mysql_escape_string and its cousin
mysql_real_escape_string tell a story of a problematic history. There's also
the typing issue that plagues all loosely typed languages.

I personally consider Go to be more secure of a language than PHP or Python
because the behaviour is a lot easier to understand.

Of course properly written, typed, well-tested PHP can be a lot better than
many Go products, but the expectations for the different languages are just
different because of the different levels of experience programmers have when
they start with each language.
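
The `isset` detail and the loose-typing issue mentioned in the comment above, shown as an added example (not code from the thread or from passbolt), each beside the form that avoids the surprise; the hash-like strings are sample values chosen for illustration:

```php
<?php
// Added example (not from the thread or from passbolt): three PHP behaviours
// that are fully documented but routinely surprise people, with the safer
// form next to each. All values here are samples chosen for illustration.

declare(strict_types=1);

// 1. isset() means "set AND not null", not "key exists".
$config = ['api_token' => null];                  // key present, value null
var_dump(isset($config['api_token']));            // bool(false)
var_dump(array_key_exists('api_token', $config)); // bool(true)
// A guard like `if (!isset($row['secret']))` therefore treats an explicit
// null the same as a missing key; use array_key_exists() when that matters.

// 2. Loose comparison (==) applies numeric juggling to numeric-looking strings.
// Two hex digests of the form "0e" + digits compare equal under == because
// each is parsed as 0 * 10^n, i.e. zero.
$stored   = '0e462097431906509019562988736854';   // sample "0e..." digest
$provided = '0e830400451993494058024219903391';   // sample "0e..." digest
var_dump($stored == $provided);                   // bool(true)  (surprising)
var_dump($stored === $provided);                  // bool(false)
// For comparing secrets use hash_equals(): strict and constant-time.
var_dump(hash_equals($stored, $provided));        // bool(false)

// 3. Before PHP 8, 0 == "abc" was true (the string was coerced to 0); since
// PHP 8.0 the number is converted to a string instead and the result is false.
// Code that gates on `$userId == $input` should validate and compare strictly.
function sameId(int $expected, string $input): bool
{
    // Accept only a canonical decimal integer, then compare with ===.
    return ctype_digit($input) && (int) $input === $expected;
}
var_dump(sameId(0, 'abc'));   // bool(false) on every PHP version
var_dump(sameId(42, '42'));   // bool(true)
```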

~~~
GoblinSlayer
> problematic history

You say it as if it didn't happen to Python and Go. Also experienced
programmers are a luxury.

~~~
jeroenhd
Every language has its troubled history, but PHP is especially famous for
security vulnerabilities by either beginners or intuitive API design.

It might have something to do with the fact that PHP is still taught in a lot
of web dev classes (though NodeJS has taken its crown) and that Go is
relatively unknown for beginning programmers. Python generally just runs on
your own machine because it's not as optimized for being a web language like
PHP has been.

------
ratchetclank
We have been considering it in our team but the lack of capability of creating
a "shared vault" and connecting it to a centralised AD/LDAP identity was a no
go for us. Also, the lack, due to the tech itself, of a recovery method for
users and administrators (with audit of course) was a big disappointment. PS:
never connect it to your AD/LDAP or it will spam everyone in your organisation
by default! #lessonlearned

------
sdan
pass[0] has been the best of everything so far. gpg based and easy to use with
keyboard shortcuts. i like alternatives like this, but pass is super barebones
and highly available.

[0]: [https://www.passwordstore.org/](https://www.passwordstore.org/)

~~~
techntoke
Pass has got to be one of my favorite CLI tools and has decent third-party
browser plugins and mobile apps. Gopass works well too, especially for Windows,
and is compatible. I wish someone would build a bookmark manager using a
similar concept.

------
majkinetor
This one doesn't have any limitations, and can use LDAP/AD. Along with it, you
can use Nextcloud's other features:

* [https://git.mdns.eu/nextcloud/passwords](https://git.mdns.eu/nextcloud/passwords)

------
m4tthumphrey
Slightly off topic: I love this tag line under "Methodically tested"

> Half of the code base is there to make sure the other half is behaving.

------
thunderbong
self hosted system requirements seem much more lightweight compared to
Bitwarden

~~~
rudiv
There's an alternative implementation for the BW server that is much more
lightweight than the original, called bitwarden_rs.

------
todotask
I'd like to evaluate this; however, I'm curious what Passbolt's tasty recipe
was for building on top of the CakePHP web framework?

~~~
remy_
Hi, passbolt developer here. The reason for building on top of CakePHP was
mostly:

- it's been audited multiple times (the latest was by Cure53, financed by the
Mozilla foundation)
- convention over configuration
- good versatility for hosting (= less support)
- lovely community (not as big but very friendly)

~~~
tpp2020
I see no mention of a CakePHP audit here
[https://cure53.de/#publications](https://cure53.de/#publications) ... am I
looking in the wrong place?

------
s_dev
I like Clipperz

Seems quite similar:

[https://clipperz.is/](https://clipperz.is/)

------
rhabarba
> Self hostable, open source, password manager for teams

One of my teams shares passwords as well. We use KeePass over WebDAV. Works
for us. I fail to see the market niche here.

------
Chris2048
Hmm, this is the kind of software I'd sooner the developer have a liability
for rather than "You get what you pay for" when my passwords are leaked.

------
viro
Why is this better than Bitwarden?? -
[https://bitwarden.com](https://bitwarden.com)

~~~
mynameisgnu
Not necessarily better, different. Folder management, for instance:
[https://help.passbolt.com/assets/img/help/2020/05/rc1/folder...](https://help.passbolt.com/assets/img/help/2020/05/rc1/folders.gif)

------
ChrisMarshallNY
I've become quite the fan of 1password. I think that this kind of thing is
critical enough to spend money on.

------
amelius
Does "for teams" mean that passwords can be shared?

And is password sharing a good idea to begin with?

~~~
elygre
Password sharing is not a good idea, but sometimes or even often unavoidable.

~~~
amelius
I have the feeling that password sharing is only unavoidable in a company that
doesn't care much about security.

Any company that takes security seriously would, I suppose, have personal
passwords as a strict requirement. They wouldn't use services that can't
comply with this requirement.

~~~
gboone
Not necessarily true.

In the health insurance industry, for example, many insurance portals offer
one account that has to be used by a team. And, in a team scenario where all
staff need access to all third party vendor accounts, it can be simpler to
share the one password rather than manage 10.

For on site systems under a company's control, they can enforce the policies.
But third party resources are where the limitations are. It's not the company
that's minimal on security hygiene, it's the non-tech vendor in many cases.

~~~
amelius
> In the health insurance industry, for example, many insurance portals offer
> one account that has to be used by a team.

Sorry, but are you kidding me? Do these companies pass security audits?

This only shows that security is near the bottom of the priority list for
these companies, probably right above privacy.

------
whinybastard
Is there a web API for changing passwords? It would be nice if these password
managers could help you change passwords when they are found on a list, through
an API (that would require the old password anyway).

