
Ask HN: How do you manage passwords in teams? - siavash
How do you manage passwords for shared services in your team(s)?
======
MehdiEG
I researched this 3 years ago for our startups and couldn't find anything
really good that lets me easily and securely share passwords on a need-to-know
basis to team members and see who has access to what. Which baffles me because
this is a problem that every single startup and small company must have.

In the end, we went for
[https://www.passpack.com/](https://www.passpack.com/). They're clearly a
small shop but it's been designed from the ground up for teams, they appear to
care and know what they're doing when it comes to security (only have their
word for it though obviously). Their web interface doesn't look like much but
it's insanely fast and really well thought out, making inputting and looking
for a password really quick and easy. For some reason their pricing is
ridiculously low - it costs next to nothing.

Two bad points: no native mobile app, making it a huge pain to look up
password on the go + paranoid on the security front, which means that logging
in is always a big pain. That unfortunately means that we were never able to
convince anyone to really embrace it. Convenience and security are always a
balancing act and Passpack is definitely leaning on the security side
(understandable obviously). TBH, if they had a good native iOS app, I think it
could make a difference for them. Instead of being this really annoying tool
you're forced to use at work, they could become something that everyone uses
as part of their daily personal life which would make it easier to get it
adopted at work.

~~~
mmcnickle
I've used passpack as part of a team and the workflow is pretty much spot on.

I have doubts about the security (cryptography in javascript) and the long-
term prospects of such a small provider; I worry about them disappearing one
day with all my passwords.

~~~
ams6110
They do offer export and backup

~~~
kennu
We use Passpack.com for 10+ people and have a routine policy of backing
everything up (in encrypted form) on several USB sticks regularly.

It's a nice service, although the UI/UX could be polished and simplified. We
haven't switched away.

------
borisjabes
Boris from [http://meldium.com](http://meldium.com) (YC W13) here. We've built
a solution to help teams do just this and our customers include companies like
PagerDuty and Hipmunk. Ideally, you never have to share passwords as everyone
on your team would have an individual login. Major cloud services like Google,
Salesforce & co handle this well. However, there are still thousands of web
apps out there that have yet to build a multi-user experience (it's a lot of
work). Meldium allows you to bring all of these modes together: whether you
want multiple people to access your team's Twitter account or you want to
add/remove an employee from all your cloud services with one click.

Unlike a lot of other password managers, you don't have to share a whole
vault. You can choose exactly which applications various team-members should
have access to. Even better, Meldium automatically logs users into their apps
on Firefox and Chrome (more to come).

------
WestCoastJustin
Use a password safe (sometimes called a vault)! A password safe is an
encrypted database that allows you, and your team, to securely store and share
passwords. Basically, it is a free piece of software that is cross-platform
(win, mac, linux): simply store it on a shared drive and give your team
access; they use a common password to access the safe, which holds the other
passwords. Create multiple safes if you need segregation, e.g. dev safe,
sysadmin safe, network safe, etc. I have created a screencast about this @
[http://sysadmincasts.com/episodes/7-why-you-should-use-a-password-safe](http://sysadmincasts.com/episodes/7-why-you-should-use-a-password-safe)

p.s. please, please, please do NOT use a cloud based solution to store your
passwords! These are your crown jewels, do not outsource this!

~~~
jhh
The problem with this solution is that there's no real authorisation or role
model built in. For example, if an employee leaves the company, you will have
to change the password safe's password, and almost nobody does that. It's also
trivially easy for anyone to copy the complete database at any point in time.

So yeah, it's better than an Excel sheet, but there remain unsolved problems.

------
jt2190
There are still a lot of service providers that don't support multiple user
accounts per organization, so if you want to share admin privileges (a good
idea for redundancy) you're forced to share credentials.

We used LastPass [1] for the following reasons:

1. Works across multiple OS and device types.
2. Passwords can be either "shared" (used to auto-fill forms but not viewed) or "given".

When we did a small layoff, I insisted that we quickly change the passwords
for everything [2], and LastPass made it a no-brainer to distribute the new
passwords around the organization.

[1] [http://www.lastpass.com/](http://www.lastpass.com/)

[2] It felt somewhat harsh at the time, but I'm glad I insisted on this,
because shortly after one of the founders started hypothesizing that a
software bug might be due to ex-employee hacking. I was able to squash his
paranoia by reminding him that the exes no longer had access. Eventually we
determined that it was a pre-existing bug.

~~~
brianpgordon
> Passwords can be either "shared" (used to auto-fill forms but not viewed) or
> "given".

What's preventing someone from filling a password box and reading its value
from memory? The fact that this is even a feature makes me suspicious about
their security claims.

~~~
Brandon0
Lastpass acknowledges this and tells you that a shared password can be
retrieved, but for most employees, it would be more work than it is probably
worth to view that password. Also, as another commenter pointed out, as soon
as an employee leaves the company, Lastpass makes it VERY easy for one person
to change the passwords and everyone with access gets their version updated
automatically.

------
rdl
The ideal is to avoid shared passwords on role accounts -- have individual
user accounts with user-selected passwords (and ideally MFA), with the ability
to then selectively upgrade access to role accounts.

I generally use 1Password standalone, but it's a bit weak for sharing.

~~~
Terretta
> _I generally use 1Password standalone, but it's a bit weak for sharing._

1Password 4 introduces "Shared Vaults"

~~~
rdl
Yeah, but not everyone I want to share with is on a 1Password supported
platform, etc.

------
artie_effim
you don't - you use a directory (LDAP, Active Directory) or AAA service
(RADIUS, TACACS+) to manage that. There should never be a shared password. If
it is a cloud shared service, same rules apply. You have to know who did what
when, and with a shared PW you cannot. Even if all people have the same
privileges, you gotta know who did what.

~~~
mcculley
This is fine for things your organization controls. It isn't possible when
dealing with lots of outsourced services. Too few services provide a way to
hook into your LDAP or Active Directory.

~~~
mseebach
True, but there still shouldn't be a shared password. Personal accounts for
everyone.

For the few truly top-level master accounts around, a printed password in the
safe will do fine. It should be painful and feel dangerous to use those,
because it is.

~~~
zippergz
This isn't possible for every service. For example, our company Twitter
account. Twitter doesn't allow any way for individuals to have their own
passwords and post to the account. We have a social media team, all of whom
need to be able to post to the Twitter account. There is no way around sharing
a password for that (and it's just one example of many). It's great to be
idealistic and say don't share passwords, but in the real world, it's not
always possible.

~~~
mseebach
A 30 second Google turns up at least two third-party services that let you
delegate access to your Twitter account without sharing the password.

------
daigoba66
You should first ask yourself why you have the shared password at all. Unless
there is simply no other way, shared passwords and logins should be avoided
for the obvious reasons.

Next you need to document the procedure for resetting each of these passwords
and accounts when an employee with access is fired or quits. Resetting the
password needs to happen the minute the employee leaves the building.

As for documenting the password itself, the best approach is a shared document
or file with built-in access control and auditing so you can tell exactly who
has seen this document (for instance, Google Docs or an "enterprise" wiki).

While you can't use technology to prevent it, there should be a policy that
employees cannot distribute these passwords, period. This is why having the
password reset procedure is so important.
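
The inventory several posters ask for (who holds which shared login, who has actually seen it, and exactly what must be rotated the minute someone leaves) as an added Python example; this is not code from the original thread or from any product mentioned in it, and every credential name and reset procedure in it is a constructed placeholder:

```python
# Constructed example: a shared-credential inventory with an audit trail and
# an offboarding checklist. Not code from any product named in the thread.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class SharedCredential:
    name: str                   # e.g. "twitter:@example-co" (constructed)
    reset_procedure: str        # documented up front, before anyone needs it
    holders: Set[str] = field(default_factory=set)   # current grants
    viewed_by: List[str] = field(default_factory=list)  # append-only audit log


class CredentialRegistry:
    def __init__(self) -> None:
        self.creds: Dict[str, SharedCredential] = {}

    def add(self, name: str, reset_procedure: str) -> None:
        self.creds[name] = SharedCredential(name, reset_procedure)

    def grant(self, cred: str, user: str) -> None:
        self.creds[cred].holders.add(user)

    def record_view(self, cred: str, user: str) -> None:
        # A view by someone without a grant is itself a finding; log it anyway.
        self.creds[cred].viewed_by.append(user)

    def access_report(self) -> Dict[str, List[str]]:
        """Answer 'who has access to what': user -> sorted credential names."""
        report: Dict[str, List[str]] = {}
        for c in self.creds.values():
            for u in c.holders:
                report.setdefault(u, []).append(c.name)
        return {u: sorted(v) for u, v in sorted(report.items())}

    def offboard(self, user: str) -> List[Tuple[str, str]]:
        """Drop the user's grants and return what must be rotated: every
        credential they held OR ever viewed (a seen password cannot be unseen)."""
        checklist = []
        for c in self.creds.values():
            if user in c.holders or user in c.viewed_by:
                c.holders.discard(user)
                checklist.append((c.name, c.reset_procedure))
        return sorted(checklist)


def build_example_registry() -> CredentialRegistry:
    """Constructed sample data mirroring the thread's scenario."""
    reg = CredentialRegistry()
    reg.add("twitter:@example-co", "Settings > Password; notify the social team")
    reg.add("registrar:example.com", "Registrar dashboard; MFA token held by ops lead")
    reg.add("hosting-root", "Reset via support portal; re-issue per-user logins")
    for u in ("alice", "bob", "carol"):
        reg.grant("twitter:@example-co", u)
    reg.grant("registrar:example.com", "alice")
    reg.grant("hosting-root", "bob")
    reg.record_view("twitter:@example-co", "bob")
    reg.record_view("registrar:example.com", "bob")  # seen without a grant
    return reg
```

Running `build_example_registry().offboard("bob")` yields three entries, including the registrar login bob only viewed, which is the case a grant-only list would miss.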

~~~
doki_pen
Rackspace, for example, doesn't support multiple user accounts.

~~~
bluedino
For what? All the members of our team have a Rackspace login. We can all make
tickets, reboot servers, etc.

~~~
RossM
We've only just found the user management link in account settings, how long
has this been available?

~~~
ScottWhigham
A while - I added someone last year IIRC.

------
ChikkaChiChi
Lastpass. You can set up individual and group sharing, and revoke privileges
as needed.

Plus they've been hacked and proven that provided you use safe passphrasing on
your part, your data cannot be compromised.

~~~
generj
Lastpass Corporate is fantastic.

------
frankcaron
While I use 1Password myself, a few companies I've worked for now have been
using Passpack
([https://www.passpack.com/en/home/](https://www.passpack.com/en/home/)) which
provides a neat way to "share" passwords securely in the event that an
employee leaves so you don't lose any accounts. This is in addition to AD or
Google Apps depending on the company's infra.

~~~
zimbatm
We've been using PassPack for a while but it's more of a pain to use than a
pleasure.

The biggest issue is that password entries are owned by a single user and then
selectively shared to other users. It means that if you want to have an
overview of all the passwords you need to make sure to have an "owner" account
to whom you transfer ownership, and then make sure to share the password
back with you and potentially others. It would be much more practical to have
a notion of bucket/group that a list of users can access and modify.

------
olegp
We've been doing research on this at StartHQ
([https://starthq.com](https://starthq.com)) since we offer a web app launcher
and new tab replacement extension (like the old Chrome New Tab page, but
better) & SaaS password management would be a logical extension to that.

Out of the 20+ companies we've interviewed so far one had heard of Okta & none
had heard of Bitium and Meldium, the main players in this space. One was using
LastPass.

Most do not have a strict password policy and the current solutions include
storing them in other web services like Trello and Google Docs, or sharing
logins within a team using post-it notes or via email.

One trend that I've clearly spotted though is the use of Google Apps to
consolidate identity management in the cloud. This is often synced with AD via
LDAP. Whenever possible, companies encourage but do not enforce the use of
Google for logging into third party services. This makes offboarding a lot
easier and that is the main pain point, as opposed to onboarding of new
employees. This is further confirmed by SaaS providers saying that they see up
to 60% of all their logins being done through Google Apps.

------
nickpresta
We use Meldium[1] with Google Apps login to manage our passwords.

[1]: [https://meldium.com/](https://meldium.com/)

~~~
zimbatm
That looks convenient.

The problem is that for them to log you in they have to store your passwords
in the clear. It seems like the data is encrypted in their back-end but the
webapp probably has the decoding key.
[https://www.meldium.com/security](https://www.meldium.com/security)

------
VuongN
At our company, we use our own solution: "nCryptedCloud"
([http://ncryptedcloud.com](http://ncryptedcloud.com)), client-side encryption
software that secures your files before they go into the cloud (Dropbox). We
don't keep the data, just the knowledge of how to open that data (key). We
don't even have a link between the file and the key; the file contains the
key's information. This way, using a Dropbox shared folder, you can manage a
secure sharing experience that allows you to revoke access to anyone in the
future. It's free. Check it out and let me know if you have any questions :)

------
marceldegraaf
1Password 4 introduces password sharing over iMessage/email and also supports
shared password vaults.

[https://agilebits.com/onepassword/mac#sharing](https://agilebits.com/onepassword/mac#sharing)

------
ndespres
I've had a lot of luck with Roboform Enterprise and KeePass. Storing the
passwords in a place folks can find them has never been a problem: in a
protected spreadsheet, in a heavily locked-down SharePoint site, or in an
internal-only Wiki. The real hassle is changing them all when an employee
leaves, which happens a lot. Roboform has been great for storing those
passwords, protecting them, and keeping us from having to give plaintext
access to the passwords where it isn't required.

When you have 20+ techs accessing many different systems for many different
clients each day, that feature was huge.

------
pkhamre
I am using cpm[1] with the revision control recipe[2], storing the encrypted
file in our local Gitlab[3].

[1]: [https://github.com/comotion/cpm](https://github.com/comotion/cpm)
[2]: [https://github.com/comotion/cpm/wiki/Revision-control](https://github.com/comotion/cpm/wiki/Revision-control)
[3]: [http://gitlab.org/](http://gitlab.org/)

------
rajvosa07
Personal.com has a solution for this. It is cloud-based, with strong crypto
and no need/motivation to see your data = secure. Secure Share is built-in and
allows each team member to manage the passwords they are responsible for and
share them with exactly the individuals that need access to them. Access can
be revoked allowing you to revoke/change password on a regular basis, or as
needed.

------
philfreo
1Password because life's too short to use LastPass.

There's no good way to share the passwords though... unlogged chat / IM /
onetimesecret.com

~~~
halostatue
There's a sharing feature (multiple vaults) in the new 1Password 4 for Mac—but
it hasn’t yet migrated to any of the other versions (including 1Password 4 for
iOS).

~~~
philfreo
Haven't tried it yet. But the key would be sharing individual passwords with
the right people - not just having a shared vault where it's all or nothing.

------
vWil
LastPass could be useful:
[https://helpdesk.lastpass.com/features/sharing/](https://helpdesk.lastpass.com/features/sharing/)

Feature summary: [https://addons.mozilla.org/en-US/firefox/addon/lastpass-password-manager/](https://addons.mozilla.org/en-US/firefox/addon/lastpass-password-manager/)

------
treskot
My company uses LastPass. It's a nice service.

- The admin will have control over what service you need to have access to.
- Passwords can be changed often and will be accessible by teammates without
  having to remember anything.

Simplifies a lot of other things, all you have to remember is the master
password.

------
jongold
We all use 1Password; up until the new version it was a PITA to share
passwords though. Tended to be a 'shout it out across the office' thing.

So we built a little hackday prototype to help out:
[http://shhare.io/](http://shhare.io/). Would love feedback!

------
cjbprime
Meldium -- [https://www.meldium.com/](https://www.meldium.com/)

------
fbm
Our product allows you to do this: Team Password Manager
([http://teampasswordmanager.com](http://teampasswordmanager.com))

It's specially designed for companies that manage lots of passwords across
lots of projects. It's a self hosted solution.

------
snowwrestler
We use KeePass databases saved to a shared drive. We each know the password to
that, and have the key file on our client machines. To access it remotely we
must first VPN into the network.

We're just starting to look at AuthAnvil. Anyone have experience with this?

------
mcculley
We are using LastPass for credentials to external services (e.g., Amazon Web
Services, Twilio, Tropo). It has the advantage that all encryption/decryption
happens on the client, so passwords are not stored in cleartext on LastPass's
servers.

------
dan_sim
Someone I know is working on that open-source project:
[http://sflvault.org/](http://sflvault.org/)

It's from "Savoir Faire Linux", a consultant shop that implements Linux
solutions in various enterprises.

------
ipmb
We GPG encrypt them and put them in Dropbox. Kip is used to handle
encryption/decryption:
[https://github.com/grahamking/kip#readme](https://github.com/grahamking/kip#readme)

------
emilpalm
I've used a shared Dropbox folder with a KeePassX instance in it with a shared
password for that container. If needed we could just change the password on
the KeePassX container and/or remove the access to dropbox.

~~~
TheSilentMan
Neither of those stop someone who saved a copy of the keepass db outside of
dropbox. You'd also have to change every password contained in KeePass.

~~~
csarva
Same goes for any centralized service you may use. You are still able to copy
passwords manually into a text file, local keepass, etc. True, it is easier
with a shared keepass, but the challenge is the same if you truly need to make
sure a former employee can no longer access anything.

------
yashg
With my last client we used to have a spreadsheet on Google Docs. Not at all
secure but people weren't putting bank passwords in that either. More like
test logins to various WP sites we had and stuff.

~~~
dzhiurgis
We used to have a spreadsheet with a silly password that could be hacked in 1
minute using rainbow tables. Now we moved to a shared Google spreadsheet. Not
really that much more secure, but at least it's easier to manage.

------
hillad
Password State [0] is excellent, has a pretty good feature set, and good
support.

[0] [http://www.clickstudios.com.au/](http://www.clickstudios.com.au/)

------
mansigandhi
All three of us know it - I guess it depends on levels of trust.

------
mopoke
We use SimpleSafe ([https://www.simplesafe.net/](https://www.simplesafe.net/))
which is self-hosted and pretty simple to set up.

------
aidanlister
We use [http://teampassword.com/](http://teampassword.com/), no fuss,
fantastic customer support and a pretty UI.

------
robbfitzsimmons
Just GPG on a text file, checked into a private Github repo.

It's actually a great excuse to give business and designer types an intro to
Git / command line.

------
zwischenzug
We wrote our own app with defined security levels etc. It had to be audited
for security/finance reasons etc, so we had to control it.

------
seanmcelroy
Check out Secret Server by Thycotic. I implemented this at my work and it
turned out to be a great turnkey solution.

------
sxsde
We simply use a MediaWiki with some Categories. Installed locally on a web
server where everyone has access to it.

------
killerpopiller
My smaller clients use KeePass or
[https://lastpass.com/](https://lastpass.com/)

------
jamespo
We used to use PHPChain

------
cs02rm0
Password Gorilla.

