

Ask HN: How do you store/manage all of the passwords your organization uses? - awwstn


======
EvanAnderson
We have a nice question about this over at Server Fault:
<http://serverfault.com/questions/119892/company-password-management>

I've looked at Thycotic Software's Secret Server product
(<http://www.thycotic.com/products_secretserver_overview.html>) I was
impressed, but none of my consulting customers have signed-up.

I recently spun up a copy of the open source WebPasswordSafe
(<http://code.google.com/p/webpasswordsafe/>) and liked what I saw but haven't
really had much of a chance to bang on it.

Wearing my security auditing / pentester hat I've run into CyberArk's
Enterprise Vault product
(<http://www.cyber-ark.com/digital-vault-products/pim-suite/enterprise-password-vault/index.asp>)
and found it very reasonable. It
was refreshing to do a pentest where we didn't find a shared Keepass database
or something similar.

------
win_ini
We are looking at LastPass (Enterprise edition) - looks good so far.

IronStratus is another one to check out: it lets users keep their own personal
passwords, and an admin can grant access to app passwords.

I personally prefer 1Password - but it's really single-user oriented.

Obviously different from ID/auth providers like Okta or Ping Identity... but I
find there are so many accounts/passwords shared in organizations for services
that these guys may not support (apps with no SSO, for example). Yes, they have
some password management tools, but they don't seem to have in-app/browser
shortcuts (i.e. Chrome/Firefox extensions).

------
golovast
KeePass is a decent option for a smaller company (<http://keepass.info/>).
It's a bit limited in the sense that it doesn't support multiple users who can
view different password tiers, but it does an OK job at syncing changes by
multiple users. I am sure there are plenty of decent commercial options.

I've seen some companies hack together a homemade solution based on TrueCrypt
as well, though it's probably not very efficient.

~~~
gvb
We also use KeePass (Classic Edition), saved in a repository that we can then
share. The nice thing about KeePass is that there are clients/ports/compatible
programs on Windows, Linux, iDevices, and Android.

The repository gives us versioning and a relatively crude but effective way of
sharing as well as some additional access control.

------
awwstn
We've used a few solutions we created for ourselves, and I know LastPass has
an enterprise feature, but I'm curious if people have thoughts and advice on
tools that worked or didn't work.

------
swanson
"Very alpha" - but I think this is exactly what you want.

<https://github.com/github/swordfish>

------
DenisM
I use www.memengo.com in combination with the iOS app.

I also own and operate the site and the app.

------
bkanber
We use passpack.com over here, but for server SSH logins we strictly use
public key authentication.
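"Strictly public key" only holds if sshd actually refuses passwords, and a
commented-out `PasswordAuthentication no` silently falls back to the OpenSSH
default of `yes`. The script below is an added example, not code from this
thread or from any of the tools named in it: it audits an sshd_config for the
directives that decide whether a password can ever be typed at the server
(PasswordAuthentication, keyboard-interactive/challenge-response via PAM,
PubkeyAuthentication, PermitRootLogin) and contrasts a weak config with the
hardened form. The two sample configs are constructed inline; the function
names `sshd_effective` and `audit_sshd_config` are my own, and the parser
assumes OpenSSH's first-match-wins rule while ignoring `Match` blocks.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for password
# logins. Sample configs are constructed inline so this runs offline.
set -u

# Effective value of one directive. OpenSSH uses the FIRST matching keyword
# in sshd_config; Match blocks are ignored here (deliberate simplification).
sshd_effective() {
    file=$1; key=$2; default=$3
    val=$(grep -iE "^[[:space:]]*${key}[[:space:]]+" "$file" \
          | head -n 1 | awk '{print tolower($2)}')
    printf '%s\n' "${val:-$default}"
}

# Returns 0 when password-based login is fully disabled and keys are on,
# 1 otherwise. Each finding is printed to stdout.
audit_sshd_config() {
    file=$1; rc=0
    # Assumed OpenSSH defaults when a directive is absent or commented out.
    pw=$(sshd_effective "$file" PasswordAuthentication yes)
    kbd=$(sshd_effective "$file" KbdInteractiveAuthentication yes)
    # Older releases spell the same switch ChallengeResponseAuthentication.
    chal=$(sshd_effective "$file" ChallengeResponseAuthentication yes)
    pk=$(sshd_effective "$file" PubkeyAuthentication yes)
    root=$(sshd_effective "$file" PermitRootLogin prohibit-password)

    [ "$pw" = no ] || { echo "WEAK: PasswordAuthentication=$pw"; rc=1; }
    # Keyboard-interactive can still prompt for a password through PAM.
    [ "$kbd" = no ] && [ "$chal" = no ] \
        || { echo "WEAK: keyboard-interactive/challenge-response enabled"; rc=1; }
    [ "$pk" = yes ] || { echo "WEAK: PubkeyAuthentication=$pk"; rc=1; }
    [ "$root" = no ] || [ "$root" = prohibit-password ] \
        || { echo "WEAK: PermitRootLogin=$root"; rc=1; }
    return $rc
}

# Constructed sample: looks locked down, but the key line is commented out,
# so the default (PasswordAuthentication yes) applies.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
Port 22
#PasswordAuthentication no
PermitRootLogin yes
EOF

# Constructed sample: the hardened form that actually enforces keys only.
HARD_CFG=$(mktemp)
cat > "$HARD_CFG" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
EOF

echo "== weak config =="
audit_sshd_config "$WEAK_CFG" || true
echo "== hardened config =="
audit_sshd_config "$HARD_CFG" && echo "OK: password logins disabled"
```

Run it against a real host with `audit_sshd_config /etc/ssh/sshd_config`;
on a live system `sshd -T` gives the fully resolved values (including
`Match` blocks) if you want to cross-check the simplified parser.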

~~~
achompas
Another vote for Passpack. Great service.

------
devb0x
KeePass all the way. TrueCrypt over it for when I back it up somewhere online.

