
Ask HN: What's the best corporate password manager? - flippyhead
My company of ~25 people needs to manage access to probably ~100 services our employees use every day and I assume some kind of password manager which I can centrally manage is the way to go.

I often hear things on here about products that claim to be secure but aren't -- what password manager is considered reliable and secure? Which do you use?

Thank you!
======
davismwfl
We have been using 1Password and just use vaults to segment things properly
and keep things limited to the smallest group of people possible. 1Password is
also how we handle 2fa in a common/generic way for many sites that require it.
This avoids the problem of a user using their cell phone number to get the
OTP's and then that person leaves the company and you are left trying to
coordinate the change for an account with a former employee.

1Password isn't perfect but is by far the best one I've used and it does work
well for teams IMO. We just are anal about setting up vaults and permissions
to those vaults so it is easy to segment users to only see the services they are
allowed to etc. Plus it keeps things orderly and clean for maintenance
purposes. The browser plug-ins have gotten better and the search is decent so
definitely better than others I have seen.

~~~
webo
This. 1Password comes with limitations but by far it’s the best password
manager for teams due to the built in 2fa support.

I wish it was possible to share a credential with specific people without a
need to create a dedicated vault.

~~~
ac2u
I love 1password but I don't understand why you'd use it for 2fa. Surely if
someone gains access to your 1password account you're just giving them the
"something you have" aspect of 2fa for free?

~~~
davismwfl
I understand what you are saying but part of security is making it easy enough
that people will use it, but hard enough it isn't easy to break for bad
actors. People are lazy in general; if you tell 25 engineers at a startup they
have to use two different tools just to handle credentials, the compliance
rate of using 2fa will drop to nil, making accounts easier to hack. Don't get
me wrong, it isn't like 2fa is so secure, it has been shown to be hackable for
sure, especially when using SMS devices; but if done properly it can add a
level of extra effort for a bad guy and if that extra effort is easy for
engineers to use they'll do it. 1Password makes it this way.

From a corporate standpoint, I don't want people using their personal devices
for SMS OTP (2fa) because then if they leave, are disgruntled or get
tragically hit by a bus I am locked out of a potentially important
service/account. I had this happen on three accounts in the past year where
one took me 3 days to recover the ability to access it, another I never could
recover and we had to work around it and a third that was absolutely critical
but took close to two weeks all said (lots of waiting). That is insane, and
all because people used their own personal devices (or similar) for SMS 2fa.

There are other devices you can use, and some enterprises do use hardware keys
in addition to the password which works well and the more sensitive the system
the more inconvenience people will tolerate and understand.

For me it boils down to 1Password works well for a reasonable price which
helps startups and small companies. I also don't think using 1Password is just
a tool and you still need a good password refresh cycle and to stop reuse etc.
This way if a backup at 1Password was somehow compromised or stored improperly
at your company or at 1Password at least you'd be insulated better.

It definitely does provide a single point of access that if compromised in a
way which bypasses all their security a lot of companies will be hurting.

~~~
tzs
> From a corporate standpoint, I don't want people using their personal
> devices for SMS OTP (2fa) because then if they leave, are disgruntled or get
> tragically hit by a bus I am locked out of a potentially important
> service/account. I had this happen on three accounts in the past year where
> one took me 3 days to recover the ability to access it, another I never
> could recover and we had to work around it and a third that was absolutely
> critical but took close to two weeks all said (lots of waiting)

Wait...I've seen two ways for services to handle multiple users from a client
using the same account.

1. A company using the service gets a single user login for their account.
That login is shared by all of the employees who use the service.

2. A company using the service starts out with a single user login for the
account. That login is meant to only be used to administer the account. The
administrator can create more user logins for the account, usually with
reduced privileges. Each employee is given a separate login of their own, with
just the privileges needed to do their job.

I don't think I've seen a #1 that uses 2FA. I assumed that was because it
could then easily run into the problem you describe.

With #2 there is no problem using 2FA, or with each user using their own
device for 2FA. The only account you have to make sure won't be lost if someone
gets hit by a bus is the administrator account.

Did you run into a service using approach #1 but that used SMS OTP?

~~~
lsaferite
I have for sure run into services that strongly link an account to a person,
but don't have a concept of administrative (non-functional) users. Mix this
with draconian per-seat licensing and you have a situation where you might
reasonably need to store 2FA creds in your vault.

And if you squint a little it's still a 'thing you have' since the vault is
something you have to have access to so you can generate the constantly
changing 2FA token. It's just a bit easier, in theory, to access than a
hardware token or an SMS endpoint.

------
bpicolo
> manage access to probably ~100 services our employees use everyday

Is single sign-on an option, instead? Something like Okta is a much better
experience for less technical users (and, well, engineers too) where possible,
and also lets you trivially manage credentials access as people on/off board
(no need to rotate credentials if you're worried folk may have written them
down on paper somewhere with malicious intent). That said, it doesn't help
folk with personal credentials management, which can be useful for good
security policy in addition.

1password is my favorite to have around for services that don't support SSO. I
like it so much I pay for a family account, even.

~~~
atonse
The problem with SSO isn't technical, but that most SaaS products I've seen
only support SSO for their enterprise tiers.

Otherwise, thanks to many providers like Okta and others, SSO should really be
a feature provided to smaller tiers nowadays.

We're a small business (2 founders, 3 contractors), and we'd love to use SSO
for everything. But we're too small to afford enterprise tiers for things like
Slack, Gitlab, etc.

Hopefully this trickles down eventually.

Update: I'd like to add that we provide a SaaS product as well, and have
considered adding SSO to the enterprise tier but after much research we can't
really find a good reason to restrict it (apart from "everyone else is doing
it", and potential manual config).

But both SAML and OpenID Connect have discovery protocols. Again, this CAN
technically be self-configured by the right customer. But then, maybe the
solution is to have a one-time config fee, rather than require a certain tier.

~~~
brippalcharrid
> most SaaS products I've seen only support SSO for their enterprise tiers.

Lower tiers of SaaS products are more-or-less strictly designed for:

- individuals or very small businesses where everyone is friends

- who don't have exacting requirements/audit/traceability/reporting concerns

- who are willing to accept some pain/inconvenience if they use it outside of
its design parameters

Credential-sharing services in the age of SSO are a dirty workaround designed
to circumvent SaaS product segmentation (which would otherwise cause
established companies to effectively subsidise tiny startups). I'm all for
hacker philosophy, and perhaps this applies less to your situation than it
does to the OP, but I do think the idea of credential-sharing is a horrible
kludge that has only risen to prominence because of the specific issue that I
mentioned, and which only leads to more problems with things like non-
repudiation.

~~~
stinkytaco
This has not been my experience. Trello is a good example. They have an
enterprise tier that basically starts at 100 users. Their business tier
does not include SSO and I have a team of 60 people so the enterprise tier
(which is about $250/person, by the way, compared to $12 a person for
business) is out. Slack charges nearly double for their enterprise tier with
SSO. I would not call not getting the tier down from the enterprise
tiers a "dirty workaround" for most teams.

~~~
brippalcharrid
Yeah, I too hate the "call for pricing!" options and the "click here to be
connected to our sales staff!" stuff, and SSO functionality being restricted
to company accounts with >100 users or organisations that sign up for multi-
year contracts. I also think the lack of white-label options for even
enterprise-focused stuff is embarrassing. I'm not sure which of the two sides
of this I hate more. In extreme cases, product offerings are bifurcated into:

- Sign up for free or with a credit card, but you'll run into problems (or at
the very least friction/complications) if you end up trying to use it for
something serious

- Speak to a salesperson and have your CFO sign the company up for a long-
term strategic partnership.

The examples that you gave are less clear-cut though. Trello Business is
$12.50 per month, and supports Google Apps SSO. Trello Enterprise supports
general SSO, and costs $20.83 per month. Slack pricing is $6.67/mo for
Standard, and $12.50/mo for Plus with SSO. None of these are costs that should
really make or break the profitability of a company; considering that the
business is using them to generate revenue or to reduce its expenses, how do
they compare to other things like property/facilities expenses and employee
salaries/benefits?

------
messo
I have used Bitwarden personally for a while, coming from KeePassXC (Linux and
Android), and it has been a joy to use. My company is now looking into using
it both internally and as a solution for organizations and businesses we
serve, mainly because it offers a self-hosted / on-premise solution and decent
pricing, and the fact that it is open source.

I would never trust my passwords to a closed source project that could be
ridden with insecure code and disappear or change considerably on short
notice. When the source code is open, the chances for survival of the project in
one form or another are much higher.

I also like that they take feature requests on their community forum and that
their GitHub repo is active and responsive to issues.

~~~
jariel
"I would never trust my passwords to a closed source project that could be
ridden with insecure code "

The thing is, everywhere you use your password is probably 'closed source' and
probably has 'lots of bugs'.

Ima guess that people re-use a lot of passwords and therefore are going to be
at risk due to said 'closed source'.

I think that open v. closed may be only one of many considerations.

~~~
worble
> The thing is, everywhere you use your password is probably 'closed source'
> and probably has 'lots of bugs'.

Well, that's the argument for a password manager, no? You can't trust any of
these services, so you generate transient, strong, one time passwords for each
of these, and then use a password manager you trust to manage it all instead.
If one gets leaked, then sure it's a pain, but at least it doesn't mean they
can log into every other service too!

------
djhaskin987
KeepassXC or Keepass by a _mile_ (for corporate uses; decent for personal use
too but others are also good for this).

I've used both in both personal and corporate settings. Great browser support,
Keepass2Android makes my mobile experience good.

The reason it's so good for corporate is that the database is just a file, so
you can email passwords, or share via OneDrive or Dropbox or ftp or shared
samba drive or ...

I worked with techs from Oracle who used to auto generate the database for
particular users and share them around. It worked really well for them.
Because it's just a file it works for all sorts of workflows.

My workplace does pay for Cyberark which is a built for purpose Enterprise
application, but I don't have rights to it or whatever, so I just use
KeepassXC.

~~~
Legogris
The problem with KeepassXC in larger teams than, like, 4 people is the shared
secret/keyfile - basically this means that whenever a person leaves you have
to change encryption keys and make all users rotate their secrets.

Same in case of a leak.

With solutions using per-user keys, you just have to revoke/remove keys for
that single user. GNU pass (FOSS) and Bitwarden (paid, open source) both do
this.

~~~
hau
KeeShare, which comes with keepassxc, allows for sharing secrets with per-user
control. It's somewhat convoluted but preferable to sharing the whole database.

[https://github.com/keepassxreboot/keepassxc/blob/develop/doc...](https://github.com/keepassxreboot/keepassxc/blob/develop/docs/QUICKSTART.md#user-content-using-sharing)

------
mdibaiee
LastPass is the worst piece of software I have ever worked with. We had a lot
of trouble making sense out of its sluggish user interface and confusing
terminology and more.

BitWarden is my choice, it's cheaper than alternatives, the UI is simple and
easy to understand. It's open-source and battle-tested. You may want to self-
host as well.

~~~
mfasduf
Could you elaborate more on the problems with lastpass a bit?

~~~
sabalaba
- It frequently stops working and needs to have the chrome extension
reinstalled (at least on Linux).

- It’s sluggish.

- The password sharing experience sucks.

- The drop down menus often get obfuscated in weird ways.

~~~
tracker1
Chrome extension was broken for several days, that was painful, pulling out my
phone for long passphrases on various sites.

While I wish the bitwarden UI could stay over the top a little better, been
really appreciating it vs lastpass... it's a bit simpler and less confusing
overall. Not quite the same feature set, but that's okay..

I do wish the autofill wasn't two menus deep though. (right-click, bitwarden
-> autofill -> list) wish it just expanded autofill (if less than say 5
matches) on the right-click menu.

------
Legogris
Depending on your preferences, it might be worth looking into GNU pass. You
have to do the additional setup of syncing/sharing password stores (Keybase
can work for this) and users need to have basic knowledge of working with PGP
keys. Encryption is done via per-user GPG, which is convenient, easy and
secure if you're used to it and frustrating if you aren't already and not
willing to take the hour or two necessary to get fully up to speed. There are
tons of clients for various platforms and use-cases.

KeepassXC can work fine, but it's not super integrated in terms of alternative
clients, CLI, mobile etc. If you go with keepass, make sure to use XC (the
most recent community fork AFAIK). Similarly to GNU Pass, you need to sort out
syncing yourself and have the additional hassle of maintaining a shared
secret, and alternatively a shared keyfile. If one is compromised, you need to
make everyone rotate, which in practice leads to lazy teams never rotating
keys and even using keys they know probably are compromised already.

LastPass is horrible, in my experience. The web app is incredibly buggy and
the only thing that really works somewhat well is the browser extension, which
I don't trust much.

1password is a slight step up from LastPass.

I heard great things about BitWarden and it looks compelling but haven't tried
it yet.

Hashicorp Vault is great, but IMO not suitable for "manual" credentials and
more for provisioning and maintaining secrets that are fetched by your
internal services. If you need non-engineers to have access to it for shared
web app accounts etc, Vault is probably not a good choice.

~~~
Evidlo
KeePass has many alternative clients for each platform.

~~~
techntoke
As does pass (although, gopass is a good compatible alternative with more
features). I really like how it works with Git for version history as well and
GnuPG (PGP) is industry standard within the security sector. gopass has
browser plugins readily available, and it supports TOTP.

------
dhruvkar
My company of ~30 people just started with Bitwarden, purely because I use it
personally and knew it. I like the fact that it's open source, has a self-
hosted option and it has a Linux client.

I haven't used the 2FA option yet, and it has a Google Authenticator
equivalent.

~~~
rdslw
Unfortunately 2fa on the Android Bitwarden client is non existent.

Bug is open already for a year :-(

P.S. 1password has it.

~~~
Corrado
I've been using my fingerprint as a 2FA on Android BitWarden for quite a
while. Is this not sufficient for your use-case? Is there something else that
you would rather use? Perhaps a YubiKey?

------
paol
We recently chose 1Password for this purpose. We also evaluated Dashlane but
gave it up pretty quickly because of bad UI (not that 1Password is stellar)
and some basic requirement that was not met - I forget what.

Security wise, we looked at the 1Password CVE history[1] and it seems pretty
ok.

[https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=1password](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=1password)

------
cmg
Echoing what so many other people have said, we use 1Password for staff at our
organization. I moved us from LastPass last year because LP was just confusing
and frustrating for everyone.

The one issue we've run into with 1Password vs LastPass is that sharing works
differently. If you share a password (not by putting it in a Vault) with an
individual in 1Password, it makes a copy - so updates don't propagate.
Thankfully we are a pretty small and tight team so adding people to other
department Vaults isn't necessarily an issue, but it could be for others.

------
geofft
Shameless plug, my podcast on personal digital security has a few episodes on
password managers: [https://looseleafsecurity.com/password-managers/](https://looseleafsecurity.com/password-managers/)

(And if podcasts aren't your thing - note that that page is text, and the
episodes it links all have full transcripts.)

We didn't talk a lot about what's different for corporate users, but we do
cover family/shared accounts. There are also two particular things I want to
call your attention to:

- You probably should use a browser extension, because it's your most
effective defense against phishing. A human might not notice the difference
between a legit domain name and a phishing site, and might copy/paste a
password into the wrong one. A browser extension will notice that you're not
on the usual site and won't offer to fill in the password automatically.

- Getting browser extensions right is hard, and some leading password
managers have been much better than others.
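
The origin check behind that first point, as an added example (not code from this post or from any password manager's extension). It assumes constructed vault entries and shows how binding a credential to the exact origin it was saved on makes lookalike hosts, `user@host` tricks, subdomain suffix tricks, and HTTP downgrades all fall through to "no fill":

```javascript
// Added example, not from the thread. Constructed vault entries; the fill
// decision compares parsed origins, never what the URL looks like to a human.
const VAULT = [
  { name: 'Corp SSO', origin: 'https://login.example.com', username: 'alice', allowSubdomains: false },
  { name: 'Team wiki', origin: 'https://example.com', username: 'alice', allowSubdomains: true },
];

// Reduce a URL to the parts that identify its origin; null means "never fill".
function parseOrigin(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (err) {
    return null; // not a URL at all
  }
  if (url.protocol !== 'https:') return null; // plain HTTP: an on-path attacker could read the fill
  // The URL parser lowercases the host, converts Unicode labels to punycode, and
  // separates any "user@" prefix, so 'https://login.example.com@evil.example/'
  // yields hostname evil.example, not login.example.com.
  return { host: url.hostname, port: url.port || '443' };
}

function originMatches(entry, page) {
  const saved = parseOrigin(entry.origin);
  if (!saved || saved.port !== page.port) return false;
  if (saved.host === page.host) return true;
  // Optional: a subdomain of the saved host is under the same owner's control
  // (app.example.com for an entry saved on example.com). The leading dot matters:
  // 'login.example.com.evil.example' ends with '.evil.example', not '.example.com'.
  return entry.allowSubdomains === true && page.host.endsWith('.' + saved.host);
}

// Entries the extension may offer to fill on the given page.
function matchingEntries(vault, pageUrl) {
  const page = parseOrigin(pageUrl);
  if (!page) return [];
  return vault.filter((entry) => originMatches(entry, page));
}

// What the extension's UI should report; 'no-match' is the phishing signal a
// human would miss when pasting by hand.
function fillStatus(vault, pageUrl) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch (err) {
    return 'unparseable';
  }
  if (url.protocol !== 'https:') return 'insecure-scheme';
  return matchingEntries(vault, pageUrl).length > 0 ? 'fill' : 'no-match';
}

function names(vault, pageUrl) {
  return matchingEntries(vault, pageUrl).map((e) => e.name);
}
```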

------
surds
I see BitWarden recommended quite a bit here. Does anyone know if it is
possible to share passwords between 2 accounts when using the self-hosted
version? Or is it limited to teams?

~~~
developer2
The paid features are the same whether you self-host or not. The only
difference is whether you're using publicly hosted servers or your own.

Search for "Organization Accounts" on
[https://bitwarden.com/](https://bitwarden.com/) – either a) $5/month for
first 5 users in a team + $2/user/month thereafter, or b) $3/month per user
for enterprise (teams + premium for TOTP + user groups). If I understand
correctly, the teams version allows users to manually share what they want,
while the enterprise version allows finer-grained permissions based on
predefined groups of users (including optional integration with LDAP).

I haven't used teams/enterprise, but based on the feature list ("User Groups:
Use groups for easier user management and greater control across departments
and teams", and "Access Control: Implement fine-grained access control
policies and organize your vault with collections"), I assume it's possible to
set up permissions to the shared collections however you want. I would hope
it's possible to have read/write owner(s) to manage credentials, with an
option to allow other users to be readonly if desired.

Based on my experience with the personal edition of Bitwarden, and how well
the developer handles his community and GitHub issues, I expect it's now as
mature and flexible as anyone needs. You likely need the enterprise
($3/mo/user) for the most flexible use cases. Don't quote me on that though.
:)

~~~
surds
Thanks!

I was curious for use in an agency, where the clients share credentials with
the agency. Multiple clients to a single agency account may get cluttered.

I will have to map out the use case specifically and see which plan works
best. Perhaps a bunch of family plans would work for multi to multi scenario,
where the agency would also maintain client-specific multiple accounts..

------
schlotzisk
Don't use LastPass. It's a nightmare. Terrible sync and things like "Do not
make password visible to shared contacts" are a huge PITA with no real benefit.

~~~
Nagyman
> "Do not make password visible to shared contacts" are a huge PITA with no
> real benefit

While it is an inconvenience, like most security, I suspect the benefit is
that folks can't just write down or copy a shared password somewhere else. It
keeps it relatively contained, for times when employees leave the company. I'm
unsure whether or not a determined user could get the password anyway.

The sync is slow-ish; I moved an entry to a shared folder and it took 20
minutes to become available to others.

------
developer2
I haven't used it in a corporate setting, but personally I've been using
Bitwarden[1] since November 2017 without a single hiccup. It's amazing. The
best part: it's open source, including all clients/apps (browser addons,
desktop apps, smartphone apps). The server component being open source means
you can host your own instance on-premise (clients let you specify a custom
host to sync with to avoid using Bitwarden's public servers).

Personal use is free, with an optional $10 per YEAR (not per month) addon that
adds a built-in TOTP client (ie. Google Authenticator compatible two-factor
auth). There are also "Organization" accounts at extra cost for more
enterprise-level usage, including sharing credentials among teams.

Note: I believe that even if you host on-premise using the open source code,
it expects a paid license for the extra features (TOTP and Organization
accounts), at $3-5/month per user.

[1] [https://bitwarden.com/](https://bitwarden.com/)

------
rvz
Well, Dashlane is the universal platinum standard of all password managers
which has regular security audits from HackerOne and other external white hat
hackers and even has a built in VPN where the other password managers just
don't.

I found 1Password 7, 1Password X and the browser extension to all be
disconnected from each other and sloppy to use in general.

------
HikeThe46
1password works well for our team of ~20. We set up multiple vaults and give
access, where required, to shared resources.

I used 1password before my company did, it works fairly seamlessly with both
my personal and company accounts.

------
Humdeee
Post-it notes around the perimeter of your monitor

~~~
nemacol
Do you work for Hawaii emergency agency? :D

~~~
antidaily
[https://gfycat.com/queasygrandiriomotecat](https://gfycat.com/queasygrandiriomotecat)

------
evo_9
BitWarden. It's open-source so you can audit the code or create your own
version if necessary.

[https://bitwarden.com/](https://bitwarden.com/)

------
tvanantwerp
I've used LastPass. I'd say it was fine, but I think quality might be
slipping. They were recently acquired by a private equity firm, which I
consider a bad sign of things to come. Service incidents are seeming
increasingly frequent. Just yesterday, I was trying to onboard a user and
their servers couldn't be reached during his initial password reset. I'm sad
to say these problems are common. I want to like it; but if I'm being honest,
it's got a lot of problems right now.

I see BitWarden mentioned a lot in r/sysadmin, but I haven't really tried it.
Might be worth looking at.

------
ofrzeta
We are using Passbolt and are quite happy with it (only a dozen or so team
members). I haven't tested Bitwarden but I would like to compare it to
Passbolt. Migrating passwords would probably be impossible, though.

~~~
wideasleep1
Should be as easy as copy/paste.

[https://vault.bitwarden.com/#/](https://vault.bitwarden.com/#/)

~~~
ofrzeta
Heh, that's not exactly "easy" when you have a hundred passwords. Also not
including permissions to access team passwords and such.

------
zerkten
What are these services? SaaS products, or things your company built?

Okta, Azure AD, and other identity services offer password sign-in from a
custom dashboard you set up. It would be cheap to test out. That way you just
grant access to the dashboard and can change the password easily without
worrying about whether it replicated to the vault of a user. Also, the sign-in
experience is slick, but may need a browser extension.

I've heard BitWarden is good, but I'd be really careful about how you manage
hosting for any central password manager. 1password and the like handle the
maintenance for you and can scale up to a lot of users.

If you are using enterprise SaaS, or the services are owned by your company,
then you should strongly consider SSO. This will save you a lot of headaches,
but you'll also need to think about user provisioning/deprovisioning because
blocking sign-in might not be enough in all cases. Products like Azure AD and
Okta handle this stuff for you too.

Example scenario: a bad SaaS product will have unlimited lifetimes on mobile
tokens for convenience. If you assume the user only uses the web version and
enable SSO, then you aren't mitigating the problem with the mobile app. You
need to deprovision the user to purge the tokens from the app they installed
on their personal device.

------
stephenwilcock
We use 1Password in a startup of 40 people and it works beautifully. Great
product.

We are also now starting to use Okta and SSO extensively too.

------
chefkoch
We use pleasant password server
[https://pleasantsolutions.com/passwordserver](https://pleasantsolutions.com/passwordserver)
and are happy with it. It uses a customized keepass as client and has all the
features we need for a very reasonable price tag.

~~~
W4ldi
We used that too. It also has LDAP SSO AFAIK.

------
chiefalchemist
I've used LastPass. It was okay. I switched to Bitwarden, per numerous HN
recommendations. Solid product. Great price.

My employer uses 1Password. I don't like it at all. Maybe it's because I don't
understand how it thinks vs say BW, but should a PW manager require that much
thought?

------
kaidax
Bitwarden

~~~
wadkar
To expand a little bit, Bitwarden with your own hosting

~~~
vz8
Can you share your experience with self-hosting? Docker or no docker? Any
issues?

~~~
pouulet
Pretty new to it (~3 months), I've been using it in docker, using
[https://github.com/dani-garcia/bitwarden_rs](https://github.com/dani-garcia/bitwarden_rs)

The official docker version looked way too complicated imo ->
[https://github.com/bitwarden/server/blob/master/scripts/run....](https://github.com/bitwarden/server/blob/master/scripts/run.sh)

Pretty straightforward, lightweight, no issues so far

~~~
vz8
The light(er) weight Rust server looks interesting. We might spin it up in-
house and kick the tires. Thanks!

------
Daidyte
My company and I have been using Keeper as the password manager. It
is definitely very handy and autofills the information whenever you need to
sign in everywhere. It's been claimed to be very secure and I trust my
company's choices as cybersecurity is one of the priorities. Keeper also
allows you to create secure passwords whenever needed and there is a vault
accessible from your phone as well if you ever need the passwords elsewhere
than known devices. Chrome extensions are really handy and I've got used to it
very quickly. I switched from Chrome password/info management to Keeper.

------
vz8
Can anyone share setup experiences / recommendations for BitWarden self-
hosting?

With or without Docker?

Encountered any surprises?

Thanks in advance!

Also: LastPass has been a very awkward fit for my org.

------
juandazapata
We use LastPass in our company and it's terrible. Avoid it if you can.

~~~
KptMarchewa
What's the problem with LastPass? I'm using it personally and did not have any
problems with it.

~~~
Cuuugi
Closed source and confusing UI seems to be the consensus. I use LastPass as
well and am satisfied with it, but considering a switch to BitWarden due to
seemingly perfect reviews.

------
jeffadotio
Keychain Access is good if you can accept an Apple solution. Apple software of
course requires their hardware, which is a deal-breaker for many.

RememBear is made by the company that runs TunnelBear, which is a performant,
permissive and reasonably transparent VPN platform. I have not tried RememBear
but I would start there due to my positive experience with TunnelBear.

------
dragostita
The best password manager application I've used is 1password.

------
peterwwillis
> what password manager is considered reliable and secure?

Schneier's thoughts on case studies from 2014
([https://www.schneier.com/blog/archives/2014/09/security_of_p...](https://www.schneier.com/blog/archives/2014/09/security_of_pas.html))
and 2019
([https://www.schneier.com/blog/archives/2019/02/on_the_securi...](https://www.schneier.com/blog/archives/2019/02/on_the_security_1.html)).
The comments are useful too. Also there's this SO answer:
[https://security.stackexchange.com/questions/45170/how-safe-...](https://security.stackexchange.com/questions/45170/how-safe-are-password-managers-like-lastpass?r=SearchResults)

------
turc1656
I think the solution I use personally would also serve your purpose. I use
KeeWeb (app.keeweb.info). It's a web app that caches in your browser and only
runs locally. It also has a desktop version for Windows as well. I keep the
web app up on my Android Chrome all the time since there's no phone specific
app and it works beautifully.

You can store the database (encrypted of course) in a Dropbox account that it
can connect to. The desktop version can also periodically store backups
locally on any device you want. If you treat the Dropbox as the centralized
master, every one of your employees can simply use either the Windows desktop
app or just keep a browser tab open with it (like I do at work). Any changes
anyone makes will instantly be reflected across all instances.

I've never tried using it for more than my 3 devices, but I don't see why it
wouldn't work seamlessly.

------
rickette
If your target audience is developers/operators I would recommend gopass,
[https://github.com/gopasspw/gopass](https://github.com/gopasspw/gopass). It's
a CLI tool which allows integration with scripts, ansible, terraform, kubectl,
etc.

------
smarri
I found 1Password to be good, used in a 500 person organisation

------
aericstotle
My company uses Dashlane and I decided to try out others because it's
terrible. Switched to BitWarden since it was free but that too had some quirks
but far better than Dashlane. Now I'm using both BitWarden and Keeper and find
them both to have their pros and cons. Both are much another to use than
Dashlane though.

------
aericstotle
I can't give recommendations for a corporate setting, but I know Dashlane is a
giant pain in the ass. My company uses this and gave us all free subscriptions
and I decided to try something else. Currently I'm testing BitWarden and
Keeper and find them both to be far superior though each with their own
quirks.

------
prithsr
I don't know how good this is at a corporate level but I use bitwarden (free
to download/use, donations accepted). It's available in mobile/laptop (at
least Mac) app form, extension form, and even website. Best password manager
I've ever used (formerly used Dashlane).

------
Darsstar
I haven't used any password manager other than 1Password in anger, and no
password manager in a corporate context at all =[

I definitely wouldn't mind if my employer chose 1Password Business as I would
be able to link my business account to my family account and not pay for the
latter. It is possible this might help change behaviour for those who
currently don't use a password manager for personal use. Or it might not help
at all, who knows...

Just something you could take into consideration if this is important to you.

(Last time I checked 1Password offers this kind of deal and Dashlane, Lastpass
either don't offer it or don't promote it. I won't guarantee this is the
current state of things...)

------
bloopernova
My experiences:

Team Password Manager.
[https://teampasswordmanager.com/](https://teampasswordmanager.com/) Self
hosted. LDAP/AD auth, and LDAP groups. It has some extensive auditing logs, so
management can see exactly who changed what and when. Custom fields, pretty
good permissions system. Concepts of "projects" rather than folders can be
counter-intuitive. Cheap, and support is also pretty cheap. Worth a look just
to evaluate to see if it will fit with your corporate culture.

Bitwarden. Fantastic software. I haven't used the corporate integration side
of it at all. I protect mine with a U2F hardware key. Highly recommended.

------
tylerchilds
TIL i should stop using lastpass because it doesn't have a single positive
review here. I'd say it's fine, but it's my first experience that was a
definite improvement from trying to remember passwords.

~~~
jacekm
Don't let others influence you so easily! I personally know many people who
are happy with LastPass, I've also seen many rave reviews. Choosing a password
manager is a personal thing, almost like choosing IDE, so if you like it,
stick to it. That said, it's good to keep your mind opened so try other
popular solutions - 1Password and BitWarden.

------
codingdave
It sounds like you are looking for a SSO solution, not a central password
manager. My company uses Okta - it is mildly annoying if you only have a small
number of apps, but the friction becomes worth the trouble when you have
dozens.

I also am curious that you have a 4:1 ratio of services to employees. I've
only seen that many services at enterprise-scale companies. I'm sure you have
your reasons, but every IT department I've ever been a part of would be
actively looking to reduce that number by finding more robust solutions that
solve multiple problems instead of 100 different solutions.

------
AnIdiotOnTheNet
We've been using CorporateVault[0] at the small non-tech company I'm employed
at. Sadly it has not been updated in quite a while, has a few bugs, and uses
flash (to implement copy-to-clipboard), but it is a straight-forward
uncomplicated on-premise solution. I've considered writing a replacement but
it's never been enough of a pain for us to bother allocating the time.

[0]
[https://sourceforge.net/projects/corporatevault/](https://sourceforge.net/projects/corporatevault/)

~~~
geofft
> _uses flash (to implement copy-to-clipboard)_

Yikes. Besides the general danger of even having Flash installed on machines
that don't otherwise need it... you can copy to clipboard from pure JS in all
major browsers since about 2016.

I'd be kind of worried about a password manager that hasn't seen updates since
2016, especially if it has a browser extension, which is notoriously tricky to
get right. Is it getting security updates?

~~~
AnIdiotOnTheNet
> Besides the general danger of even having Flash installed on machines that
> don't otherwise need it...

Flash is still built into Chrome, so it's installed anyway.

> you can copy to clipboard from pure JS in all major browsers since about
> 2016

CorporateVault was last updated in 2010.

> I'd be kind of worried about a password manager that hasn't seen updates
> since 2016, especially if it has a browser extension

It doesn't. Like I said, it's simple. It's just a Grails application you run
on an on-prem server you can additionally lock down in any way you like.

I've looked at some alternatives in the past but so far none of them have been
good enough to bother switching to. In fact, most of them have even worse
functionality for our use case.

------
bitwarden
Take a look at Bitwarden ([https://bitwarden.com/](https://bitwarden.com/)).

It's open source and can be self-hosted if needed.

------
kipchak
Has anyone used Keeper Password manager by chance? We use Azure AD for primary
sign in authentication which it apparently integrates with for automatic
signin and user permissions management, and the pricing seems good.

[https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/keeperpasswordmanager-tutorial](https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/keeperpasswordmanager-tutorial)

~~~
maemilius
I use Keeper at my current job and find it to be a horrendously bad UX.

Off the top of my head:

1) The browser plugin is horribly written and has caused me numerous problems
(Linux laptop, YMMV), mostly related to performance and memory usage (both very
bad).

2) Horrible 2FA management. You can configure Keeper to not ask you for your
2FA on a device for an hour, 30 days, or never again (iirc) and sometimes
it'll just stop asking (like it did for me just now) or switch to a different
2FA for no obvious reason (I have both a security key and OTP).

3) Personal Opinion: I hate the layout of the "vault" and the browser
extension's windows. I find all of them to be clunky and hard to use.

On the plus side, I do like how the actual records work. Most fields are
optional and they have a decent custom field system. So, you can store pretty
much anything in a reasonable way (from database credentials to PII, if you're
into that).

~~~
cybrdemo
We use keeper at our company too and find quite the opposite experience.

The browser extension worked the best of any we trialed (this includes
Dashlane, LP, Bitwarden, and 1Password).

Our users found the 2FA to be self explanatory and liked the option to use
Yubikeys (when the platform supports it) and defaulting back to TOTP when not
available.

The UI is simple and clear and as you pointed out the records are flexible.

Sharing is easy and the most robust of any solution we tested. (see what
happens when a user you didn't intend to share with gets ahold of the share
link in LastPass).

Data replication between users and devices was near instantaneous with no user
action to ensure the vault was in sync.

Additionally, we subscribe to BreachWatch and have gotten immense value in
knowing that our users are not using breached credentials.

One final note from an enterprise perspective, the admin console for Keeper
was clearly the easiest to use with the most features of any of the solutions
we trialed.

~~~
maemilius
WRT 2FA, my problem is more in using it than managing the available options.
As I mentioned, mine is constantly misbehaving and, without any action on my
part, hasn't requested any of my configured 2FA options in, now, multiple
days. I'm guessing I must have somehow changed the "don't ask me in" dropdown
without meaning to.

WRT sharing, I can agree with that. LastPass's sharing isn't as robust, though
I don't recall ever using share links. I don't like that Keeper doesn't tell
you what record you just received, though. I already have many dozens of
records and it can be difficult for me to find new ones that have been shared
with me.

I've never had an issue with data replication on LastPass and haven't needed
it with Keeper (I only have it on one machine, anyways).

I can't speak to the Admin UI's of either, though. I've never used them in an
org setting. The closest I've come to that is the family account I manage via
LastPass, which I imagine isn't the same as what you'd get with a full
enterprise account.

All that aside, I'm glad that it's been working well for you and your org. I'm
sure Keeper is fine (particularly on Windows or Mac) and that my experience is
atypical, but it's still my experience with the thing. Unfortunately, I hate
it.

------
Cort3z
Bitwarden is worthy of a peek. I enjoy it privately and have rolled it to the
company I work in. We are not heavy users, but for basic password sharing and
secrets management it is great. It might be great for more advanced use cases
too, but have not used it for such things.

The cool thing is that you can host your own server if you want with their
open source solutions. I have no experience doing that either, but it sounds
nice to have the option.

------
des_
Passwordstate by
[https://www.clickstudios.com.au/](https://www.clickstudios.com.au/); does
what it should

~~~
developer2
To OP: Please don't consider Passwordstate. It's so horrible to use, that
users refuse to use it when it is offered. My company expects it to be used,
but instead everyone (hundreds of in-house users) reuse the same password
everywhere, and/or ignore company policy by using a personal password manager
not linked to the company's internal servers.

Passwordstate pisses me off so much I can't even be bothered to go into
details as to WHY it's so bad.

~~~
ClickStudios
Click Studios is proud of its product Passwordstate and the quality of its
technical support.

If you are experiencing issues with our software, we are more than happy to
work with you to address these issues.

Please log a support call via
[https://www.clickstudios.com.au/support.aspx](https://www.clickstudios.com.au/support.aspx).

------
kirstenbirgit
We use 1Password to manage hundreds of different credentials and secrets, and
it works great.

LastPass UI is a nightmare last I tried it a couple years ago.

------
ponsfrilus
Even if it's not as convenient as keepassX, lesspass, lastpassword or
1password, you should look at KeyBase
([https://keybase.io/](https://keybase.io/)). It's great to manage access and
teams, and it's easy to integrate it in automation and code.

------
bfrit
I'm a big fan of Keeper. If you're looking for an overarching cyber security
program that includes things like a keeper subscription and cyber awareness
training, check out [https://havocshield.com](https://havocshield.com)

------
f4lse
Using 1Password since the beginning. Never had any trouble. Multiple Devices,
Multiple Accounts, ...

------
Justsignedup
1password = excellent. AND if you get corporate, everyone gets a free personal
family account!!! Which is most excellent.

LastPass is 2nd place.

Personally I used LastPass for years. Then switched to 1password. I am
definitely a 1password fan at this point.

Tried other managers, they are all significantly worse.

------
crad
1Password's business offering is pretty darn good for enterprise use. I highly
recommend it.

------
tbrock
We use last pass and it stinks. Would probably go with bitwarden or dashlane
if we did it again.

~~~
developer2
I've never tried it, but I'm not surprised to find a support article for
importing to Bitwarden from LastPass:
[https://help.bitwarden.com/article/import-from-lastpass/](https://help.bitwarden.com/article/import-from-lastpass/)

------
zwilliamson
BitWarden. It is open source and you can self-host the solution too! I manage
my own self hosted solution for my family on Digital Ocean. Minimal
maintenance and I can see it easily scaling to meet full organizational needs.

------
habosa
This is not helpful but wow 100 services for 25 people! Nothing wrong with
that, but it really shows how many dependencies a business has today on
software alone. I have to imagine that at least 1% of those services go bust
every year.

------
thepra
KeePassXC with a cloud storage (Nextcloud server and mobile/desktop client),
it's encrypted and usable offline and syncable online.

Now I'm a spoiled child without it, got used too much to this worry-free
password management

------
leonaestep
Keeper Security is the best password manager. It allows me to keep all my
passwords and codes safe.

------
zupreme
Amerihub offers a proprietary web-based solution for this which can be run on
top of a public cloud, or on hardware within one's corporate boundary.

It works well, and we do Active Directory SSO too. Same for our System Manager
product.

------
vanwilderrr
Myki offline is worth considering as it has 2FA and shared access across your
team - [https://myki.com/teams/](https://myki.com/teams/)

------
djshah
We use Roboform for our ~30 person company with remote workers. It is simple
to use, and comes at a great price point, although their app and browser
extension can use some improvements.

------
finaliteration
We use the cloud version of Secret Server at my workplace and I don’t have any
major complaints about it. We do combine it with SSO wherever we can to make
things a little easier on users.

------
sp33dm3
We use Keeper in our company and I have to say I like it. It does what we need
it to do. I have used KeePass before, but I prefer Keeper way more.

------
parvenu74
Ideal would be if you could issue U2F hardware keys but not everyone supports
that yet. I've seen KeePassXC used effectively as it works on Windows, macOS,
and Linux.

------
tgtweak
self-hosted: passbolt

cloud/saas: keeper security

Both have very good enterprise features and are predominantly focused on
keeping control over shared credentials compliant.

Very happy with passbolt so far for those "very secret" credentials that could
be exposed by an adversary on 3rd party services.

As others have mentioned, bitwarden is excellent also and has the advantage of
built-in 2fa and other things.

------
sergiotapia
We use Okta and I'm happy with it. You sign in once to mycompany.okta.com and
there you see nice icons to click and sign in to any service you have access
to.

------
s_dev
For mac OS -- keychain.

I like Clipperz though.

Cool blocky UI: [https://clipperz.is/app/](https://clipperz.is/app/)

------
chickahoona
Psono would work. It's open source, client side encryption packed with a ton of
features... (full disclosure I am the main developer behind it)

------
sventibolt
IBM Verify app for one-time passcode since Google Authenticator is insecure
and outdated (not updated in last 2 years), and 1Password.

------
jimnotgym
1password for me, but I only use it for administrators.

For everyone outside of the startup bubble, Active Directory is king of SSO.
We have it in hybrid mode with on site DC's synced to Azure AD. Now everyone
is logged into Office, they have onedrive for files and Teams for
messaging/conferencing.

When I evaluate a service it needs to connect to AD or I often feel like we're
better off without it....

------
reiichiroh
FYI: LastPass browser plugin appears broken starting 24-48 hours ago and not
pasting the password.

------
actionowl
It's definitely _NOT_ LastPass.

------
nfriedly
I use the one built into Firefox. Probably not a good fit for your situation,
but it's saved my bacon at least once: I started to enter my credentials on a
site and then thought "wait, why didn't Firefox auto-fill my credentials
here?" Then I noticed the domain didn't match the rest of the site.

------
jmkni
Keepass on a shared drive or something like Dropbox has always worked well for
me.

~~~
bloopernova
Have you used it with multiple users? I always hated the shared keepass
solution due to the continual-sync problem we ran into. You had to make a
change, manually sync, and hope that no one else was working on the same entry
as you.

(Not to throw shade at Keepass, just my experience of it in the past, about 5
years ago.)

~~~
jmkni
Always a risk, but communication should resolve that (in theory). ie, before
you change an entry, jump on Slack etc and say _I'm changing the password for
X_.

Alternatively, have one person who is responsible for changing passwords,
everybody else just uses the passwords.

------
rb666
Bitwarden is amazing! And I have tried all of them over the last few years.

------
vanwilderrr
worth looking at Myki, offline, 2FA and shared access to the team
[https://myki.com/teams/](https://myki.com/teams/)

------
cybrdemo
Keeper is the clear winner in our company's testing.

------
reiichiroh
PasswordState?

------
senectus1
Corp wise we use Thycotic Secret Server.

It's pretty clunky but works well enough I guess.

Personally I use Bitwarden.

~~~
evandena
Administrating it is a giant PITA, I wouldn't recommend.

~~~
jacekm
Could you elaborate please? My company is slowly moving towards Thycotic, it
would be great to know its pain points in advance.

------
timmit
AWS Secret Manager?

------
probinso
sticky notes under your desk

------
parkeragee
Okta

------
jhpauley
Thycotic Secret Server, hands down.

~~~
nichos
I considered this since I used it at my last company and it really was
awesome. It was already set up when I got there. So I contacted them for a
quote to deploy at my current job and holy smokes are they expensive!!! We
ended up going with bitwarden: API, CLI tools, and password sharing. We've
been happy.

------
blattimwind
bitwarden_rs

------
quotha
The human brain.

------
davego
hunter2

------
riffic
stop sharing passwords!

~~~
theandrewbailey
Boss: I need you to login to $corporate_account on $service and update $item.

~~~
riffic
should have thought about that a long time before adopting a service that
required sharing a password, or as they say in the devops field, "shift left".

------
thedance
I’d be rethinking the hundred services, to be honest.

------
kolbeypruitt
I am, give me your passwords and I will manage them.

------
mister_hn
Why not use HashiCorp Vault, supported by Active Directory?

~~~
zie
It's not really built for this use case. We tried it, for end-user password
management, and it sort of sucked. Not because of the product, but because of
the UI. There are things like Adobe's Cryptr[0] that help. But you don't get
the nice browser integration one is wanting, mobile is missing, etc.

0: [https://github.com/adobe/cryptr](https://github.com/adobe/cryptr)

Vault is awesome for corporate secrets that services/code needs to see, and
even maybe for developers, but for end-user passwords for stuff, it's not so
great.

------
Syzygies
No password manager supports multiple levels of security conveniently, so I'm
forced to use two managers.

For web browsing, passwords often protect the site not me (magazine
logins...). One wants a manager to stay open during browsing sessions, so one
doesn't have to type the master password for every single use.

For financial transactions, one wants zero risk of someone cracking your
financial security because they enjoyed thirty seconds physical access while
you stepped away from your desk.

(Be reasonable: No one is going to set up a proximity monitor that locks their
screen if they lean back in their chair, any more than they'll rig a trip wire
shotgun to protect their data. Don't propose a version of this. I want
convenience, so secure data needs extreme protection, not my browser during
thirty second gaps.)

I've begged 1Password for years to allow certain passwords to be marked
"secure" invoking all obvious measures: A second password needed to unlock,
immediately locks again after use. No dice. They've tried offering a few
alternatives that are so inconvenient that using a second manager is frankly
easier.

Remember how Steve Jobs made his fortune: the iPod assumed people were stupid.
The flat file system was corrected in the first year of the Mac, but
reintroduced for the iPod for "ease of use". Similarly, I honestly don't
believe that password managers are foremost concerned with security. They're
concerned with sales.

Dashlane is no better, but it's a second system that I prefer for financial
passwords.

~~~
geofft
If you step away from your desk for thirty seconds, I can install malware that
captures your financial passwords (and cookies) next time you log in. The
reason password managers universally don't support the feature you request is
that they'd be giving their users a false sense of security. You don't have
extreme protection at all. I'm sorry, I wish computers didn't work this way,
but they do, and you have to keep yourself secure in the world as it exists
and not in the world as you wish it were.

The usual way of solving this in corporate scenarios is to keep the office
physically secure such that no outsider can get to someone's desktop in a tiny
window without being noticed, and then set the screen to lock after a minute
or so.

For personal computers, don't leave your laptop unlocked at the cafe when you
go to pick up your coffee. Get in the habit of closing your lid.

