Ask HN: What's the best corporate password manager?
274 points by flippyhead 19 days ago | 247 comments
My company of ~25 people needs to manage access to probably ~100 services our employees use everyday and I assume some kind of password manager which I can centrally manage is the way to go.

I often hear things on here about products that claim to be secure but aren't -- what password manager is considered reliable and secure? Which do you use?

Thank you!

We have been using 1Password and just use vaults to segment things properly and keep things limited to the smallest group of people possible. 1Password is also how we handle 2fa in a common/generic way for many sites that require it. This avoids the problem of a user using their cell phone number to get the OTP's and then that person leaves the company and you are left trying to coordinate the change for an account with a former employee.

1Password isn't perfect but is by far the best one I've used and it does work well for teams IMO. We just are anal about setting up vaults and permissions to those vaults so it is easy to segment users to only see the services they are allowed to etc. Plus it keeps things orderly and clean for maintenance purposes. The browser plug-ins have gotten better and the search is decent so definitely better than others I have seen.

This. 1Password comes with limitations but by far it’s the best password manager for teams due to the built in 2fa support.

I wish it was possible to share a credential with specific people without a need to create a dedicated vault.

I don't agree. When compared to other offerings (LastPass, BitWarden) 1password consistently comes up short in enterprise features. 1password doesn't even have an API. Three of the biggest issues I have with 1password:

1. If a user fails (or skips) 2FA, they still retain complete access to any passwords/vaults they previously locally synced... they just can't sync new/updated entries. This seems like a really flawed design - a 2FA failure should prevent access. When I asked the 1password team whether they'd consider invalidating local cache on 2FA failure, they did not seem interested.

2. You can't create links to passwords, which would allow management of an entry from a single location. If you want to share a password across multiple teams/vaults, you need to know about and maintain those entries for the same account, which means you also have to have access to all those vaults to manage that entry. This discourages password rotation, and increases the likelihood of orphaned passwords in other vaults.

3. Lack of granular permissions structure. You can't, for example, allow a user to initiate vault resets without giving them full admin access to the entire thing. Again, other password managers allow more fine-grained control.

To me, 1password feels like a small-time solution that tried to bolt on some enterprise features to retain customers. I don't think it should be considered enterprise software.

I love 1password but I don't understand why you'd use it for 2fa. Surely if someone gains access to your 1password account you're just giving them the "something you have" aspect of 2fa for free ?

I understand what you are saying but part of security is making it easy enough that people will use it, but hard enough it isn't easy to break for bad actors. People are lazy in general, if you tell 25 engineers at a startup they have to use two different tools just to handle credentials, the compliance rate of using 2fa will drop to nil, making accounts easier to hack. Don't get me wrong, it isn't like 2fa is so secure, it has been shown to be hackable for sure, especially when using SMS devices; but if done properly it can add a level of extra effort for a bad guy and if that extra effort is easy for engineers to use they'll do it. 1Password makes it this way.

From a corporate standpoint, I don't want people using their personal devices for SMS OTP (2fa) because then if they leave, are disgruntled or get tragically hit by a bus I am locked out of a potentially important service/account. I had this happen on three accounts in the past year where one took me 3 days to recover the ability to access it, another I never could recover and we had to work around it and a third that was absolutely critical but took close to two weeks all said (lots of waiting). That is insane, and all because people used their own personal devices (or similar) for SMS 2fa.

There are other devices you can use, and some enterprises do use hardware keys in addition to the password which works well and the more sensitive the system the more inconvenience people will tolerate and understand.

For me it boils down to 1Password works good for a reasonable price which helps startups and small companies. I also don't think using 1Password is just a tool and you still need a good password refresh cycle and to stop reuse etc. This way if a backup at 1Password was somehow compromised or stored improperly at your company or at 1Password at least you'd be insulated better.

It definitely does provide a single point of access that if compromised in a way which bypasses all their security a lot of companies will be hurting.

> From a corporate standpoint, I don't want people using their personal devices for SMS OTP (2fa) because then if they leave, are disgruntled or get tragically hit by a bus I am locked out of a potentially important service/account. I had this happen on three accounts in the past year where one took me 3 days to recover the ability to access it, another I never could recover and we had to work around it and a third that was absolutely critical but took close to two weeks all said (lots of waiting)

Wait...I've seen two ways for services to handle multiple users from a client using the same account.

1. A company using the service gets a single user login for their account. That login is shared by all of the employees who use the service.

2. A company using the service starts out with a single user login for the account. That login is meant to only be used to administer the account. The administrator can create more user logins for the account, usually with reduced privileges. Each employee is given a separate login of their own, with just the privileges needed to do their job.

I don't think I've seen a #1 that uses 2FA. I assumed that was because it could then easily run into the problem you describe.

With #2 there is no problem using 2FA, or with each user using their own device for 2FA. The only account you have to make sure won't be lost if someone gets hit by a bus is the administrator account.

Did you run into a service using approach #1 but that used SMS OTP?

I have for sure run into services that strongly link an account to a person, but don't have a concept of administrative (non-functional) users. Mix this with draconian per-seat licensing and you have a situation where you might reasonably need to store 2FA creds in your vault.

And if you squint a little it's still a 'thing you have' since the vault is something you have to have access to so you can generate the constantly changing 2FA token. It's just a bit easier, in theory, to access than a hardware token or an SMS endpoint.

> I don't think I've seen a #1 that uses 2FA.

Hover (domain registrar) supports 2FA via TOTP or SMS, but it does not support granting multiple users access to manage a single set of domain names.

I suppose sharing the TOTP key along with the account credentials is better than dealing with the issues created by SMS, but it's still not great.
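Added example, not part of the thread: what "sharing the TOTP key" means mechanically. A vault entry holds an `otpauth://` URI, and everyone who can read it derives the same RFC 6238 codes, so the secret behaves like a second shared password. The issuer, account name and function names are constructed for illustration; the secret is the RFC 6238 test key.

```python
"""RFC 6238 TOTP computed from an otpauth:// URI as stored in a shared vault."""
import base64
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample entry. The secret is the RFC 6238 test key
# ("12345678901234567890") in base32; issuer and account are made up.
SAMPLE_URI = (
    "otpauth://totp/ExampleRegistrar:ops@example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    "&issuer=ExampleRegistrar&algorithm=SHA1&digits=6&period=30"
)


def parse_otpauth(uri):
    """Parse a TOTP otpauth:// URI into the parameters needed to make codes."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    query = parse_qs(parts.query)
    if "secret" not in query:
        raise ValueError("otpauth URI has no secret")
    algorithm = query.get("algorithm", ["SHA1"])[0].lower()
    if algorithm not in ("sha1", "sha256", "sha512"):
        raise ValueError("unsupported algorithm: " + algorithm)
    # Authenticator apps usually drop base32 padding; restore it before decoding.
    secret = query["secret"][0].replace(" ", "").upper()
    secret += "=" * (-len(secret) % 8)
    return {
        "label": unquote(parts.path.lstrip("/")),
        "key": base64.b32decode(secret),
        "algorithm": algorithm,
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
    }


def totp(cfg, at):
    """Return the code for Unix time `at` (HOTP over the time-step counter)."""
    counter = int(at) // cfg["period"]
    mac = hmac.new(cfg["key"], struct.pack(">Q", counter), cfg["algorithm"]).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** cfg["digits"]).zfill(cfg["digits"])


def verify(cfg, submitted, at, window=1):
    """Server-side check: accept codes within +/- `window` time steps of `at`."""
    for step in range(-window, window + 1):
        candidate = totp(cfg, at + step * cfg["period"])
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def codes_for_holders(uri, at, holders=("alice", "bob")):
    """Each holder imports the same vault entry independently.

    Nothing in the code ties it to a person or device: whoever can read the
    URI, including someone who obtains a copy of the vault or the service's
    stored secret, produces the same value.
    """
    return {name: totp(parse_otpauth(uri), at) for name in holders}


if __name__ == "__main__":
    cfg = parse_otpauth(SAMPLE_URI)
    print(cfg["label"], totp(cfg, 59))
    print(codes_for_holders(SAMPLE_URI, 59))
```

For offboarding, removing someone's vault access does not invalidate a secret they may already have copied; the TOTP enrolment on the service has to be reset along with the password.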

Correct, number 2 in your example is not a problem at all, and we have those as well. But not all services actually support this properly IME. Our policy is to create accounts that are generic with strict permissions around a specific automation or service of our own. This happens more in devops than in everyday usage of say a report tool where shutting off a user doesn't matter.

Essentially my example is the same you pointed out though, for the generic admin account you created you will need to use it to administrate the other users etc. What we do is store that admin account in 1Password with 2fa turned on for it and that way it is never locked to a user with 2fa on their personal device.

For a little more detail too, we will setup sub account for automated systems which have restricted permission (and likely use ssh/key pairs to login for automation). However, when you need to update something about these accounts many times you have to login as them and make a change, so in that case again we store the password and 2fa in 1Password so the team can handle that quickly and isn't stuck because one person left.

I am always open to other ideas though if you think I am missing other options.

In addition to the arguments outlined above, it protects against some attack vectors. If the service gets hacked and the password leaked or they discover the password in some other way, they still don't have the 2FA token and so can't login.

If somebody breaks into a specific service and is able to dump hashed passwords it’s very likely they also had access to TOTP keys. Since you’re already using a password manager you should be protected from password reuse.

Ultimately in this case you are protected from MITM attacks and basic forms of keylogging.

Not relevant to scenarios where you stash TOTP long term secrets in a password store, but note that WebAuthn / FIDO doesn't have this problem - the data you're keeping per user to authenticate with WebAuthn isn't a secret, it's not even personally identifiable, a bad guy could add their own credentials if they have write access, but they can't learn anything by examining yours.

Once you sell services to many different industries, you’ll be out of compliance.

The argument I've seen provided for this is that an attacker would both need your password and physical access to a device with 1password already set up on it.

To use 1password on a new device, you need a "secret key" that is provided to you when you create your account which serves as a basic form of 2FA for your whole account. Not a perfect system, but it is not as simple as just getting your password and having access to everything.

1password is a cloud service. So they'd either need a device like you said or your login/password + authentication key that is only used in the initial setup flow of a new device. So still pretty hard like you said. Never considered how the extra key during new device setup could be helpful until now.

You can also set up 1PW to use a OTP itself. I use 1PW for OTP generation and for passwords (naturally), but my 1Password account itself is protected by my password + secret key, as well as an authenticator/OTP app that is not 1PW.

The "secret key" is of sufficient length to not to be able to qualify as "something you know". It's either a quite lengthy string you have to type in, or a QR code.

I don't use 1PW for teams, but I do use it personally and use it to store all my OTPs except my OTP credential to access 1Password itself. I use a different authenticator app for that (happens to be Microsoft, but that doesn't matter really).

So, while I think storing your passwords beside your OTP generator isn't great, if both are locked behind another factor of authentication, you have mitigated that risk significantly.

There are still good reasons:

1password requires more than just a password to access. You need the encryption key. It acts nicely for that purpose.

2fa is unnecessary if you're generating 20 character passwords uniquely for every site.

The best security is like the best camera. There is no better camera than the one you actually use. This is why cell phone cameras are the best. This is why 1password is the best, because it is security you always use and always keep safe.

It’s not very trivial to gain access to a 1password account:

1. Attacker needs access to the physical device of the account holder if they know the credentials.

2. Otherwise, they need to know credentials + secret key on a new device.

3. You can set up Google Auth to access the account in the first place, which can have its own separate 2fa (this is what we do)

If an attacker has gained access to your vault you have much, much more to worry about than if 2FA codes are there or not.

It's certainly a panic but if everything is 2FA'd with tokens that the attacker doesn't have access to, then you've done a lot to mitigate the splash damage and have a path to regain control.

I just stopped calling it 2fa, and just otp for “one time password”, the URI standard calls it otp:// as well

see problem solved, no need to debate how single or two factor a thing is and you can just focus on the attack vectors it actually still solves for, objectively

yes the password vault is a single point of failure if someone knows your vault password or key logs it.

I have to spam another comment here to suggest that Bitwarden also has built-in two-factor auth. $10/year (not per month) for personal use, and I believe it's included for $3/month/user in the enterprise version. Cheaper than 1Password, and a better overall app imo.

I am a Bitwarden user (three years paying for premium) and while I like it the desktop app isn't as feature rich or as smooth to use as 1Password imho.

It lacks biometrics support for one which is something I wish they would add but I believe as it is an Electron app they cannot do so, at least not on macOS.

The iOS and Android apps are decent enough though. They support Touch/FaceID and the Android equivalents. With the exception that the iOS app has "Live Sync" (i.e. push notifications to sync the vault when a change is made elsewhere) but they never work. I recently made a post about this on the Bitwarden support reddit [0] but had no response from the developer there or on Twitter which is a shame. Live Sync works fine on Android though so it is clearly an iOS issue only.

If 1Password were cheaper, or if my needs were more complex, I would switch away from Bitwarden but as a home user it is "good enough".

[0] https://old.reddit.com/r/Bitwarden/comments/f1besd/has_live_...

> 1Password is also how we handle 2fa in a common/generic way for many sites that require it. This avoids the problem of a user using their cell phone number to get the OTP's and then that person leaves the company

For high level corporate account, just have 2-3 office phones with different phone numbers. Each number is for a different department or level of access. Provide the right number given the nature of the access required (AWS Root account versus Xero accounting software, for example) and then use that as the 2FA. You can even use virtual 2FA for this.

Just a thought.

For personal level access for each employee, provide your employees with second hand, cheap Android phones you can buy for mere pennies, keep them in the office at all times, on charge, on wifi-only. This has the benefit of helping to reuse old hardware as opposed to it ending up on some tip.

1Pass is great, but it lacks the kind of advanced tooling I'd want for it to scale.

Password sharing controls are insufficient.

Hi, alexandercrohde. I work for 1Password. I'm excited to learn from your experience using our product.

Would you be able to share feedback on where you feel the product falls down around tooling to scale? I'd like to make sure our teams are thinking about any difficulties you are having. There also may be more efficient ways to accomplish things that we can point out. Looking forward to your feedback. Thanks in advance!

> manage access to probably ~100 services our employees use everyday

Is single sign-on an option, instead? Something like Okta is a much better experience for less technical users (and, well, engineers too) where possible, and also lets you trivially manage credentials access as people on/off board (no need to rotate credentials if you're worried folk may have written them down on paper somewhere with malicious intent). That said, it doesn't help folk with personal credentials management, which can be useful for good security policy in addition.

1password is my favorite to have around for services that don't support SSO. I like it so much I pay for a family account, even.

The problem with SSO isn't technical, but that most SaaS products I've seen only support SSO for their enterprise tiers.

Otherwise, thanks to many providers like Okta and others, SSO should really be a feature provided to smaller tiers nowadays.

We're a small business (2 founders, 3 contractors), and we'd love to use SSO for everything. But we're too small to afford enterprise tiers for things like Slack, Gitlab, etc.

Hopefully this trickles down eventually.

Update: I'd like to add that we provide a SaaS product as well, and have considered adding SSO to the enterprise tier but after much research we can't really find a good reason to restrict it (apart from "everyone else is doing it", and potential manual config).

But both SAML and OpenID connect have discovery protocols. Again, this CAN technically be self-configured by the right customer. But then, maybe the solution is to have a one-time config fee, rather than require a certain tier.

> most SaaS products I've seen only support SSO for their enterprise tiers.

Lower tiers of SaaS products are more-or-less strictly designed for:

- individuals or very small businesses where everyone is friends

- who don't have exacting requirements/audit/traceability/reporting concerns

- who are willing to accept some pain/inconvenience if they use it outside of its design parameters

Credential-sharing services in the age of SSO are a dirty workaround designed to circumvent SaaS product segmentation (which would otherwise cause established companies to effectively subsidise tiny startups). I'm all for hacker philosophy, and perhaps this applies less to your situation than it does to the OP, but I do think the idea of credential-sharing is a horrible kludge that has only risen to prominence because of the specific issue that I mentioned, and which only leads to more problems with things like non-repudiation.

This has not been my experience. Trello is a good example. They have an enterprise tier that basically starts at 100 users. Their business tier does not include SSO and I have a team of 60 people so the enterprise tier (which is about $250/person, by the way, compared to $12 a person for business) is out. Slack charges nearly double for their enterprise tier with SSO. I would not call not getting the tier down from the enterprise tiers a "dirty workaround" for most teams.

Yeah, I too hate the "call for pricing!" options and the "click here to be connected to our sales staff!" stuff, and SSO functionality being restricted to company accounts with >100 users or organisations that sign up for multi-year contracts. I also think the lack of white-label options for even enterprise-focused stuff is embarrassing. I'm not sure which of the two sides of this I hate more. In extreme cases, product offerings are bifurcated into:

- Sign up for free or with a credit card, but you'll run into problems (or at the very least friction/complications) if you end up trying to use it for something serious

- Speak to a salesperson and have your CFO sign the company up for a long-term strategic partnership.

The examples that you gave are less clear-cut though. Trello Business is $12.50 per month, and supports Google Apps SSO. Trello Enterprise supports general SSO, and costs $20.83 per month. Slack pricing is $6.67/mo for Standard, and $12.50/mo for Plus with SSO. None of these are costs that should really make or break the profitability of a company; considering that the business is using them to generate revenue or to reduce its expenses, how do they compare to other things like property/facilities expenses and employee salaries/benefits?

Okta also works as a basic password manager so it may be worth setting up the SSO that is free/included and then use the browser add-on for the rest

Just throwing this out there--Gitlab can be self-hosted (pretty quickly with a helm chart if you're running Kubernetes), and there are self-hosted alternatives to Slack and most other SaaS. Self-hosted Gitlab IIRC has an SSO config. If you have someone technical enough to set these up, it's an option.

If you have someone technical to set these up AND keep them up.

Many of those cool things take night or weekend to set up and that’s kind of fun to do. Regular patching and potential troubleshooting is the less fun part you get to do when adopting a new app.

Gitea (and probably gitlab) allow you to set up SSO auth.

For everything else, you can put your services behind i.e. traefik and write a middleware, or use something like caddy which has a plugin for sso.

Yeah, it's definitely an uncreative way for SaaS products to charge you more money that many take advantage of.

Shameless self-endorsement here.

I have built an API to interact with 1password through its CLI: https://github.com/lettdigital/onepassword-api

The repo also includes an example of how to call the API using AWS Lambda.

The logic to interact with the 1password CLI is wrapped in an SDK, that can be used independently: https://github.com/lettdigital/onepassword-python

what use cases do you imagine for this?

I currently have a stack of pem file management using terraform, lambda and this api.

When creating an ec2, we call a module that creates a tls key, a keypair and an object in a bucket.

This object creation triggers a lambda that downloads the object's contents, namely the pem key, and calls the api to save it to 1password as a document.

This newly created document is available to every member that has access to the vault without having direct access to the bucket itself.

Another use I had was to create credentials for sonarqube automatically. We have a relatively large team on github and wanted to add sonarqube to the stack. What I did was just read every member's name, email and username from github, create the respective users using sonarqube api and register their credentials using the sdk. It was trivial then to send them a copy of their credentials, a lot easier and less error prone than doing it by hand.

Many other use cases can be thought of. You could implement iam key rotation using this. You could share support credentials for your team using 1password and have automated tools read from the same source.

It really just makes everything easier to replicate, integrate and manage using this api or the python sdk. The last thing you want is to screw someone's credentials because of a human error (typo, forgot to save the password etc...)

Certainly for a company between 25 people, 1Password is great. As an added bonus, you can give staff a 1Password families account for free.

Not totally relevant to the question, but how well does it scale to enterprise? I found the need to create and manage individual access to vaults to be complicated, even at a few users. I can't imagine how you'd manage 1000s of passwords accessed by combinations of 1000s of users, including third-parties, contractors, etc. Are there any better password management solutions in the enterprise space?

I can't answer your question directly, since we only have 4 people at our company, so not really enterprise scale...

But they did recently introduce a CLI here: https://support.1password.com/command-line-getting-started/#...

That makes me optimistic that you could at least do a fair amount of automation around it. I haven't used it myself yet, so I'm not sure how fully featured the cli is

While 1Password is fantastic, their CLI is the worst CLI I’ve ever seen. Basically unusable.

You should just be able to say “give me the password for yahoo.com” but you can’t actually do that.

I wanted to use it to get npm 2FA on the command line and just gave up completely.

EDIT: if someone from 1Password reads this, please reach out. I have good CLI UX experience and would love to help fix it.

Disclosure: I am the lead developer for the team that builds the 1Password CLI.

You're completely right about the use-case there. One of the things I think we missed the mark on was choosing to expose the full item JSON structure as the default. I think it is important that access to the full item is available, but I think it would have been a much better user experience if we had abstracted that in the default case.

What you've pointed out here is what we are currently working on addressing. Development of the CLI was put on hold for over a year while development of our SCIM bridge was ongoing (they're built on the same codebase). In the past few months, we have ramped up the entire team, and movement has accelerated greatly on the CLI. This is feedback we're well aware of, and we're working hard to address it.

Feel free to post in our discussion forums if you're still willing to have a more extensive conversation: https://discussions.agilebits.com.

Really happy to hear you are working on it. FWIW your products are so fantastic I'm definitely more critical than I would be if that wasn't the case. I hold 1Password to a super high standard.

I'll give it a spin again too as it's been a while since I tried it last and check out the forums!

Thanks very much, and I hope within the next 2-3 months we'll be in a place where you can hold the CLI to those standards as well :)

Wow you handled that awkwardly critical comment like a champ! Haha. Cheers.

I think it's a consequence of their internal data type not being specific to passwords. You can store some semi-freeform data structures in 1Password's database (e.g. notes, documents, account numbers, security questions, even binary files).

You can totally design a CLI around that kind of data model without resorting to jq

Super disappointing to hear :/

On the plus side, they did get a bunch of funding recently so hopefully they'll be able to devote some resources to it. They definitely seem like an organization that is pretty devoted to quality products.

+1 for SSO. I doubt all 100 services could use SAML or OpenID but you could get a ton of coverage.

A password manager isn’t required here because it is much better to control access with SSO. The user can have one password, preferably just logging into their workstation, and then SSO will sign them into whatever apps they are allowed to. Much easier than having a password manager keeping 80-100 passwords.

In the past we used a safe credential manager that our NOC could access to get admin or other management credentials for networking devices when problems occurred. You could use the same for DB or server passwords where you need the text and combine it with a password manager if you can auto fill them. Only use these options for systems that don’t have SSO.

We also use 1Password at my employer of ~30. I have had 1Password Personal account and used the 1Password app since 2010. It's amazing now, especially if you're on iOS with FaceID.

I used Okta at a previous employer; it was good too.

I'll chuck another vote in for Okta. It even has admin or user managed password settings if you want it to behave like a password manager for sites that have shared accounts or don't support SSO. It's not a core feature so it's not as good as a password manager for managing ad-hoc secrets, but it's good enough for most web apps.

Relevant (not my own): https://sso.tax

I'd agree that SSO is a good option. Check out our SSO solution and ping me with any questions!


I have used Bitwarden personally for a while, coming from KeePassXC (Linux and Android), and it has been a joy to use. My company is now looking into using it both internally and as a solution for organizations and businesses we serve, mainly because it offers a self-hosted / on-premise solution and decent pricing, and the fact that it is open source.

I would never trust my passwords to a closed source project that could be ridden with insecure code and disappear or change considerably on short notice. When the source code is open, chances for survival of the project in one form or another is much higher.

I also like that they take feature requests on their community forum and that their Github repo is active and responsive to issues.

"I would never trust my passwords to a closed source project that could be ridden with insecure code "

The thing is, everywhere you use your password is probably 'closed source' and probably has 'lots of bugs'.

Ima guess that people re-use a lot of passwords and therefore are going to be at risk due to said 'closed source'.

I think that open v. closed may be only one of many considerations.

>The thing is, everywhere you use your password is probably 'closed source' and probably has 'lots of bugs'.

Well, that's the argument for a password manager, no? You can't trust any of these services, so you generate transient, strong, one time passwords for each of these, and then use a password manager you trust to manage it all instead. If one gets leaked, then sure it's a pain, but at least it doesn't mean they can log into every other service too!

Ima guess that most people that use a password manager generate a new, strong, unique password for each new service.

KeepassXC or Keepass by a mile (for corporate uses; decent for personal use too but others are also good for this).

I've used both in both personal and corporate settings. Great browser support, Keepass2Android makes my mobile experience good.

The reason it's so good for corporate is that the database is just a file, so you can email passwords, or share via one drive or Dropbox or ftp or shared samba drive or ...

I worked with techs from Oracle who used to auto generate the database for particular users and share them around. It worked really well for them. Because it's just a file it works for all sorts of workflows.

My workplace does pay for Cyberark which is a built for purpose Enterprise application, but I don't have rights to it or whatever, so I just use KeepassXC.

The problem with KeepassXC in larger teams than, like, 4 people is the shared secret/keyfile - basically this means that whenever a person leaves you have to change encryption keys and make all users rotate their secrets.

Same in case of a leak.

With solutions using per-user keys, you just have to revoke/remove keys for that single user. GNU pass (FOSS) and Bitwarden (paid, open source) both do this.

KeeShare, which comes with keepassxc, allows for sharing secrets with per user control. It's somewhat convoluted but preferable to sharing whole database.


LastPass is the worst piece of software I have ever worked with. We had a lot of trouble making sense out of its sluggish user interface and confusing terminology and more.

BitWarden is my choice, it's cheaper than alternatives, the UI is simple and easy to understand. It's open-source and battle-tested. You may want to self-host as well.

+1 Lastpass created more chaos than solving issues in our company. Multiple dashboards that interfere with each other, horrible overview causing outdated/wrong rights, users having to restart several times before new passwords showing up, bad mobile support and much more.

Upgraded from LastPass to BitWarden around this time last year. Amazing piece of software. I can't recommend it highly enough!

Totally with you on both counts. It amazed me how clunky and buggy LastPass was. I used it both as a browser plugin (FF, Chrome) and as an Android app. In a truly impressive achievement of corporate standards, each platform had different issues, but all achieved the exact same level of low overall quality.

I switched to BitWarden a couple of months back and I'm very happy with it. I have quibbles, but it's a much more solid experience.

Lastpass was adopted at my previous employer, it was a mess to use and absolutely not user-friendly or intuitive.

Glad I don't have to use it anymore.

Another thing that drives me crazy with LastPass is it won't give you a distinct URL for a note or folder (or whatever they call that particular resource) that you want to share.

So I end up having to give other members of my team step-by-step directions to finding the right file or folder every time I share one. And that's assuming the access permissions haven't got borked, which seems to happen more often than not.

I've been pushing my company to drop it for a while.

I'm still rocking Keepass after nearly ten years now. I've tried Lastpass, and found it clunky/fiddly in comparison.

I've been a KeePass user for at least as long. Sharing it with my wife and my multiple computers was done via Dropbox. I switched a couple of months back to self-hosted bitwarden. It is _much_ better. No need for file sync. Better UI. My wife actually _uses_ it now, as opposed to before she would avoid keepass. With Bitwarden, you get better control over passwords and who can see them and all that. Bitwarden also will host for you if that is not your jam. I highly encourage adoption of Bitwarden :)

How do you share passwords between people with keepass?

We use Dropbox. We all memorise the master password, then have the Keepass database in a shared Dropbox directory we all have access to.

Got it. Yeah we did that for a bit, but it became apparent soon enough that we actually needed different access levels and keeping track of three or four different databases & passwords just didn't seem practical.

How do you make sure you don't overwrite people's saves?

Surely this can't work for a larger organisation?

Looks like it can reconcile this automatically.


Probably better used with a filesystem that has strong guarantees though.

Yeah you get a popup if somebody changes the database while you have it open

Google drive seems to work fine here. I believe there's also a plugin for it rather than save to the folder and deal with the rare save conflicts.

(This with 2 factor passphrase and key file, btw)

I've done this in a team in the past and we just put the encrypted keepass database in a private github repo. It mostly works out fine, the only pain in the butt is everyone needs to ensure that they pull down their repo and make sure it's all up to date before they add anything to it.

We also use LastPass and it sucks so hard. Terrible UI, bad UX decisions, frequently breaks.

Was starting to think I was the only one that thought this. It's a total POS.

I reviewed BitWarden about a year ago for my company. Ultimately the reason I rejected it was that I couldn't find a way to reset another user's master password. It is certain that users will forget their master password and need to have it reset.

Perhaps it has changed since, or maybe it was just hard to find. Oh well, too late now.

We ended up using 1Password. My only real complaint with it is the need to create a vault for sharing something from one user to another. That means that if any two people in the company want to share, they need to get an admin involved so the admin can create the vault.

With bitwarden, the account's data may be encrypted against the passphrase afaik... Also, you can set up shared groups for passphrases that are meant to be shared and the way the browser extension works, you need to enter it each restart to use it, so it should be more common.

The whole point of a password manager is so you only have to remember one passphrase. Suggesting an actual sentence and not having byzantine passphrase requirements will help. My fiance is really bad with this one, I admit that I don't have much empathy here.

Bitwarden is end-to-end encrypted. So, password "resets" aren't really a thing without also resetting the vault as a whole.

Yeah. While I can understand wanting to be able to reset a user's password as an administrator of other users (eg. an IT department supporting those who forget their master password), it's also a security problem to allow such a feature. Basically, all user accounts under an organization would need to be encrypted with two separate passwords: the user's, as well as the IT/admin/company "master key". Having all users' passwords encrypted with a master key password to allow resets means all users' passwords across the entire organization can be compromised by a single IT employee's master key password.

Personally, I'm ecstatic that there is no recovery process to reset or recover a Bitwarden master password. No security questions. No email reset. No one-time use login codes (which would need to be stored somewhere not encrypted by a user's secret key in order to verify). Again, I can understand why an IT department would want that, but all that does is open up attack vectors that are very easy for an attacker to abuse.

The whole point of the master password is it's the ONE AND ONLY password you cannot forget or lose. One... lousy... password.
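The two key-management points made in this thread (per-user keys mean removing one person touches only that person's key, and an organisation-wide recovery key is what makes a master-password reset possible) can be seen in one sketch. This is an added example, not code from Bitwarden, pass or any commenter: all function names, passphrases and entries are hypothetical, and `seal`/`unseal` are a standard-library stand-in for a real AEAD cipher.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

ROUNDS = 100_000  # PBKDF2 work factor, constructed for the demo


def _stream(key, nonce, length):
    """HMAC-SHA256 in counter mode, used as a keystream."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def _subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key, plaintext):
    """Encrypt-then-MAC; a stdlib-only stand-in for a real AEAD such as AES-GCM."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _stream(enc_key, nonce, len(plaintext))))
    return nonce + body + hmac.new(mac_key, nonce + body, hashlib.sha256).digest()


def unseal(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified data")
    return bytes(c ^ k for c, k in zip(body, _stream(enc_key, nonce, len(body))))


@dataclass
class Vault:
    blob: bytes                                # entries sealed under a random vault key
    wraps: dict = field(default_factory=dict)  # holder -> (salt, sealed vault key)


def _wrap(vault_key, password):
    salt = secrets.token_bytes(16)
    kek = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return salt, seal(kek, vault_key)


def new_vault(entries, holders):
    vault_key = secrets.token_bytes(32)
    vault = Vault(seal(vault_key, json.dumps(entries).encode()))
    for holder, password in holders.items():
        vault.wraps[holder] = _wrap(vault_key, password)
    return vault


def unlock(vault, holder, password):
    if holder not in vault.wraps:
        raise PermissionError(f"{holder} has no wrapped key for this vault")
    salt, wrapped = vault.wraps[holder]
    kek = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return unseal(kek, wrapped)


def read(vault, holder, password):
    return json.loads(unseal(unlock(vault, holder, password), vault.blob))


def grant(vault, via_holder, via_password, holder, new_password):
    """Someone who can already unlock the vault wraps its key for `holder`."""
    vault.wraps[holder] = _wrap(unlock(vault, via_holder, via_password), new_password)


def revoke(vault, holder):
    """Drop one holder's wrap; other holders keep their passphrases and wraps.
    The vault key itself is not rotated in this sketch."""
    del vault.wraps[holder]


def scenarios():
    out = {}
    # 1. Team vault with one wrap per member: bob leaves, alice changes nothing.
    team = new_vault({"jira-admin": "constructed-secret"},
                     {"alice": "alice passphrase", "bob": "bob passphrase"})
    revoke(team, "bob")
    out["alice_after_revoke"] = read(team, "alice", "alice passphrase")
    try:
        read(team, "bob", "bob passphrase")
        out["bob_after_revoke"] = "readable"
    except PermissionError:
        out["bob_after_revoke"] = "denied"
    # 2. No recovery wrap: a forgotten master passphrase cannot be reset.
    solo = new_vault({"mail": "constructed-secret-2"}, {"owner": "original passphrase"})
    try:
        read(solo, "owner", "misremembered passphrase")
        out["forgotten_no_recovery"] = "readable"
    except ValueError:
        out["forgotten_no_recovery"] = "unrecoverable"
    # 3. Recovery wrap on every personal vault: reset works, and so does reading all.
    vaults = {u: new_vault({"site": f"secret-of-{u}"},
                           {"owner": f"{u} passphrase", "recovery": "it master key"})
              for u in ("carol", "dave")}
    grant(vaults["carol"], "recovery", "it master key", "owner", "carol new passphrase")
    out["carol_after_reset"] = read(vaults["carol"], "owner", "carol new passphrase")
    out["recovery_reads"] = sorted(u for u, v in vaults.items()
                                   if read(v, "recovery", "it master key"))
    return out
```

Scenario 3 is the trade-off described above: the same wrap that lets IT reset carol's passphrase lets whoever holds "it master key" read every vault that carries it.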

I experimented with Bitwarden for a little while, but it didn't have a good method for changing passwords. I ended up switching back to LastPass. But, I'm pretty frustrated with their buggy iOS app.

Can you elaborate? Changing a password with Bitwarden is just editing the field or–even better–a one-click button to (re)generate a new random password (including options for length and complexity requirements). If you are logged into the browser addon, it will also (depending how javascript-hacky the website is) prompt to save the new password when you modify the password in a website's settings.

Unless you're talking about mass-replacing a single password across a bunch of different entries? Which is certainly not a limitation of any password manager; reusing a password is just horrible.

Lastpass has a feature called auto password change [0] that allows you to update a password directly from inside lastpass at the click of the button. It doesn't work for all sites but it's a pretty nice feature.

[0] https://helpdesk.lastpass.com/generating-a-password/auto-pas...

I haven't had that problem with BitWarden in testing, but I can't change to BW until they come up with some solution for having both a work and personal vault. The ability to link-in your personal LastPass to your work LP without actually giving your employer any access to your personal LP is really beneficial to my staff.

I'm actually using BitWarden for work and personal stuff and it works wonderfully. BW allows you to "link" the two accounts and share things between them (or not). For example, my personal Gmail account information is in BW but it's not exposed to my employer at all. On the flip side, I've created management accounts (ie. JIRA admin user) and shared them with the "IT" team in BitWarden; this allows all of the IT admins to get into JIRA if necessary.

Can't you create a personal group, and have both accounts in that group?

You should try OneLogin - LastPass is a dream by comparison.

I can echo the frustration with LastPass. Definitely would not recommend it.

I used KeePass at a previous company and loved it.

Could you elaborate more on the problems with lastpass a bit?

1) Slow, confusing and rarely updated (and any updates are just as likely to be a regression as an improvement in my subjective opinion) UI. The browser extension is terrible and up to last year, their hacky password-field-finding javascript slowed down several pages to the point it was unusable. It's still not great.

2) The business model of LastPass worries me. Unlike a 1Password (I tried it for a 3 month trial, don't use them or have any skin in the game for them) charges a lot more than LastPass and in addition to having a more smooth, speedy and performant application, they are charging enough money to feasibly be profitable just storing passwords.

LastPass has had more data breaches than the others (google). It's run by a domain register. In my opinion this influences how the password business is run, leading to a marketing-forward rent extraction password manager vs a good one.

- It frequently stops working and needs to have the chrome extension re installed (at least on Linux).

- It’s sluggish.

- The password sharing experience sucks.

- The drop down menus often get obfuscated in weird ways.

Chrome extension was broken for several days, that was painful, pulling out my phone for long passphrases on various sites.

While I wish the bitwarden UI could stay over the top a little better, been really appreciating it vs lastpass... it's a bit simpler and less confusing overall. Not quite the same feature set, but that's okay..

I do wish the autofill wasn't two menus deep though. (right-click, bitwarden -> autofill -> list) wish it just expanded autofill (if less than say 5 matches) on the right-click menu.

That last one, the drop down menu getting some autofill garbage which obscures choices and interferes with selection is annoying.

You might not like it, but I have a long list of software worse than it, I really don't get the hate for it.

The personal version works well in comparison. We liked it and adopted it for our company but using the enterprise version, that's when it really started to give us problems.

Depending on your preferences, it might be worth looking into GNU pass. You have to do the additional setup of syncing/sharing password stores (Keybase can work for this) and users need to have basic knowledge of working with PGP keys. Encryption is done via per-user GPG, which is convenient, easy and secure if you're used to it and frustrating if you aren't already and not willing to take the hour or two necessary to get fully up to speed. There are tons of clients for various platforms and use-cases.

KeepassXC can work fine, but it's not super integrated in terms of alternative clients, CLI, mobile etc. If you go with keepass, make sure to use XC (the most recent community fork AFAIK). Similarly to GNU Pass, you need to sort out syncing yourself and have the additional hassle of maintaining a shared secret, and alternatively a shared keyfile. If one is compromised, you need to make everyone rotate, which in practice leads to lazy teams never rotating keys and even using keys they know probably are compromised already.

LastPass is horrible, in my experience. The web app is incredibly buggy and the only thing that really works somewhat well is the browser extension, which I don't trust much.

1password is a slight step up from LastPass.

I heard great things about BitWarden and it looks compelling but haven't tried it yet.

Hashicorp Vault is great, but IMO not suitable for "manual" credentials and more for provisioning and maintaining secrets that are fetched by your internal services. If you need non-engineers to have access to it for shared web app accounts etc, Vault is probably not a good choice.

KeePass has many alternative clients for each platform.

As does pass (although, gopass is a good compatible alternative with more features). I really like how it works with Git for version history as well and GnuPG (PGP) is industry standard within the security sector. gopass has browser plugins readily available, and it supports TOTP.

My company of ~30 people just started with Bitwarden, purely because I use it personally and knew it. I like the fact that it's open source, has a self-hosted option and it has a Linux client.

I haven't used the 2FA option yet, and it has a Google Authenticator equivalent.

Unfortunately 2fa on Android Bitwarden client is nonexistent.

Bug is open already for a year :-(

P.S. 1password has it.

I've been using my fingerprint as a 2FA on Android BitWarden for quite a while. Is this not sufficient for your use-case? Is there something else that you would rather use? Perhaps a YubiKey?

What bug? Bitwarden's android app supports 2FA.

We recently chose 1Password for this purpose. We also evaluated Dashlane but gave it up pretty quickly because of bad UI (not that 1Password is stellar) and some basic requirement that was not met - I forget what.

Security wise, we looked at the 1Password CVE history[1] and it seems pretty ok.


Echoing what so many other people have said, we use 1Password for staff at our organization. I moved us from LastPass last year because LP was just confusing and frustrating for everyone.

The one issue we've run into with 1Password vs LastPass is that sharing works differently. If you share a password (not by putting it in a Vault) with an individual in 1Password, it makes a copy - so updates don't propagate. Thankfully we are a pretty small and tight team so adding people to other department Vaults isn't necessarily an issue, but it could be for others.

Shameless plug, my podcast on personal digital security has a few episodes on password managers: https://looseleafsecurity.com/password-managers/

(And if podcasts aren't your thing - note that that page is text, and the episodes it links all have full transcripts.)

We didn't talk a lot about what's different for corporate users, but we do cover family/shared accounts. There's also two particular things I want to call your attention to:

- You probably should use a browser extension, because it's your most effective defense against phishing. A human might not notice the difference between a legit domain name and a phishing site, and might copy/paste a password into the wrong one. A browser extension will notice that you're not on the usual site and won't offer to fill in the password automatically.

- Getting browser extensions right is hard, and some leading password managers have been much better than others.
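The phishing point above comes down to comparing host names as strings instead of by eye. The following is an added sketch of that check, not code from any password manager or from the podcast; the function names, the saved login, the HTTPS-only rule and the reserved `.example`/`.test` host names are all assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: one saved login, keyed by the exact host it was saved on.
SAVED = [{"host": "login.intranet.example", "username": "j.doe"}]


def canonical_host(url):
    """Return the page's host in ASCII (punycode) form, or None if unusable."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None  # assumption of this sketch: never offer to fill on non-HTTPS pages
    try:
        # IDNA encoding turns look-alike Unicode letters into a visible "xn--" label.
        return parts.hostname.rstrip(".").encode("idna").decode("ascii")
    except UnicodeError:
        return None


def fill_candidates(saved_logins, page_url):
    """Usernames the extension would offer on this page: exact host match only."""
    host = canonical_host(page_url)
    if host is None:
        return []
    return [login["username"] for login in saved_logins if login["host"] == host]


# Constructed pages: the real site followed by three look-alikes.
PAGES = [
    "https://login.intranet.example/sso?next=%2F",        # the usual site
    "https://login.lntranet.example/sso",                 # 'l' typed in place of 'i'
    "https://login.intranet.example.verify.test/sso",     # real name used as a prefix
    "https://login.intr\u0430net.example/sso",            # Cyrillic 'а' in place of Latin 'a'
]


def check_pages():
    return {url: fill_candidates(SAVED, url) for url in PAGES}


if __name__ == "__main__":
    for url, offered in check_pages().items():
        print(f"{canonical_host(url)!s:45} -> {offered or 'nothing offered'}")
```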

I see BitWarden recommended quite a bit here. Does anyone know if it is possible to share passwords between 2 accounts when using the self-hosted version? Or is it limited to teams?

The paid features are the same whether you self-host or not. The only difference is whether you're using publicly hosted servers or your own.

Search for "Organization Accounts" on https://bitwarden.com/ – either a) $5/month for first 5 users in a team + $2/user/month thereafter, or b) $3/month per user for enterprise (teams + premium for TOTP + user groups). If I understand correctly, the teams version allows users to manually share what they want, while the enterprise version allows finer-grained permissions based on predefined groups of users (including optional integration with LDAP).

I haven't used teams/enterprise, but based on the feature list ("User Groups: Use groups for easier user management and greater control across departments and teams", and "Access Control: Implement fine-grained access control policies and organize your vault with collections"), I assume it's possible to setup permissions to the shared collections however you want. I would hope it's possible to have read/write owner(s) to manage credentials, with an option to allow other users to be readonly if desired.

Based on my experience with the personal edition of Bitwarden, and how well the developer handles his community and GitHub issues, I expect it's now as mature and flexible as anyone needs. You likely need the enterprise ($3/mo/user) for the most flexible use cases. Don't quote me on that though. :)


I was curious for use in an agency, where the clients share credentials with the agency. Multiple clients to a single agency account may get cluttered.

I will have to map out the use case specifically and see which plan works best. Perhaps a bunch of family plans would work for multi to multi scenario, where the agency would also maintain client-specific multiple accounts..

It is, you can add groups as a paid feature (not sure about self-hosted version). Recently switched from LastPass to BitWarden.

You can share between two accounts with the free version.


I imagine the parent's question was moreso "share any credential between any two accounts" (as a multi-to-multi relationship), rather than being limited to sharing any/all credentials between exactly two accounts, which is extremely limiting beyond a pair of spouses.

Of course, Bitwarden also has the "Families" paid version, which costs... $1/month for up to 5 users (that's $1/month flat for all 5 users, not $1 per user). $1/month for a whole family is beyond reasonable, and precisely why I love Bitwarden – it's great software with prices designed to support a single developer's open source software rather than the exorbitant prices required to support an entire company and their proprietary software.

They did state two accounts and not multiple, but I see what you're saying. It should be known, however, that you can share without paying. I also encourage people to pay -- it's cheap and the service is fantastic.

You can share between two accounts with the free version. If you want to share any more, a paid version or self-hosted is required.

Don't use LastPass. It's a nightmare. Terrible sync and things like "Do not make password visible to shared contacts" are a huge PITA with no real benefit

> "Do not make password visible to shared contacts" are a huge PITA with no real benefit

While it is an inconvenience, like most security, I suspect the benefit is that folks can't just write down or copy a shared password somewhere else. It keeps it relatively contained, for times when employees leave the company. I'm unsure whether or not a determined user could get the password anyway.

The sync is slow-ish; I moved an entry to a shared folder and it took 20 minutes to become available to others.

I haven't used it in a corporate setting, but personally I've been using Bitwarden[1] since November 2017 without a single hiccup. It's amazing. The best part: it's open source, including all clients/apps (browser addons, desktop apps, smartphone apps). The server component being open source means you can host your own instance on-premise (clients let you specify a custom host to sync with to avoid using Bitwarden's public servers).

Personal use is free, with an optional $10 per YEAR (not per month) addon that adds a built-in TOTP client (ie. Google Authenticator compatible two-factor auth). There are also "Organization" accounts at extra cost for more enterprise-level usage, including sharing credentials among teams.

Note: I believe that even if you host on-premise using the open source code, it expects a paid license for the extra features (TOTP and Organization accounts), at $3-5/month per user.

[1] https://bitwarden.com/

Well, Dashlane is the universal platinum standard of all password managers which has regular security audits from HackerOne and other external white hat hackers and even has a built in VPN where the other password managers just don't.

I found 1Password 7, 1Password X and the browser extension to all be disconnected from each other and sloppy to use in general.

1password works well for our team of ~20. We set up multiple vaults and give access, where required, to shared resources.

I used 1password before my company did, it works fairly seamlessly with both my personal and company accounts.

Post-it notes around the perimeter of your monitor

Do you work for Hawaii emergency agency? :D

In my office of 10 people, I'd say that at least 50% have told me all their passwords are written on a notepad that they keep in their desk drawer. I work in a hospital so those passwords give people access to patient info.

It’s far from ideal, but not the worst. I’d rather that than an “unpassworded Excel file stored on the shared drive”, or “I use the same password on everything so it’s easy to remember”.

We tend to stick them at the bottom of the keyboard, so it's obviously more secure ;)

BitWarden. It's open-source so you can audit the code or create your own version if necessary.


I've used LastPass. I'd say it was fine, but I think quality might be slipping. They were recently acquired by a private equity firm, which I consider a bad sign of things to come. Service incidents are seeming increasingly frequent. Just yesterday, I was trying to onboard a user and their servers couldn't be reached during his initial password reset. I'm sad to say these problems are common. I want to like it; but if I'm being honest, it's got a lot of problems right now.

I see BitWarden mentioned a lot in r/sysadmin, but I haven't really tried it. Might be worth looking at.

We are using Passbolt and are quite happy with it (only a dozen or so team members). I haven't tested Bitwarden but I would like to compare it to Passbolt. Migrating passwords would probably be impossible, though.

We also used Passbolt in the 6-people IT team of my former employer and it felt nice because it's open source and its development is supported by a state (Luxembourg).

The GPG encryption un-usability is a bit abstracted away by a nice (but not perfect) browser plugin.

The CLI is a bit awkward and incomplete -- so much so that I wrote a fuzzy-search python wrapper with auto-clearing clipboard support etc. around it which served me well enough.

Should be as easy as copy/paste.


Heh, that's not exactly "easy" when you have a hundred passwords. Also not including permissions to access team passwords and such.

What are these services? SaaS products, or things your company built?

Okta, Azure AD, and other identity services offer password sign-in from a custom dashboard you set up. It would be cheap to test out. That way you just grant access to the dashboard and can change the password easily without worrying about whether it replicated to the vault of a user. Also, the sign-in experience is slick, but may need a browser extension.

I've heard BitWarden is good, but I'd be really careful about how you manage hosting for any central password manager. 1password and the like handle the maintenance for you and can scale up to a lot of users.

If you are using enterprise SaaS, or the services are owned by your company, then you should strongly consider SSO. This will save you a lot of headaches, but you'll also need to think about user provisioning/deprovisioning because blocking sign-in might not be enough in all cases. Products like Azure AD and Okta handle this stuff for you too.

Example scenario: a bad SaaS product will have unlimited lifetimes on mobile tokens for convenience. If you assume the user only uses the web version and enable SSO, then you aren't mitigating the problem with the mobile app. You need to deprovision the user to purge the tokens from the app they installed on their personal device.

We use 1Password in a startup of 40 people and it works beautifully. Great product.

We are also now starting to use Okta and SSO extensively too.

We use pleasant password server https://pleasantsolutions.com/passwordserver and are happy with it. It uses a customized keepass as client and has all the features we need for a very reasonable price tag.

we used that too. it also has LDAP SSO afaik

+1 for this

I've used LastPass. It was okay. I switched to Bitwarden, per numerous HN recommendations. Solid product. Great price.

My employer uses 1Password. I don't like it at all. Maybe it's because I don't understand how it thinks vs say BW, but should a PW manager require that much thought?


Bitwarden because it has the "Teams" feature and can share passwords with multiple people. No sync issues like passing around a keypass file and worrying about having the latest version of it.

To expand a little bit, Bitwarden with your own hosting

Can you share your experience with self-hosting? Docker or no docker? Any issues?

Pretty new to it (~3 months), I've been using it in docker, using https://github.com/dani-garcia/bitwarden_rs

The official docker version looked way too complicated imo -> https://github.com/bitwarden/server/blob/master/scripts/run....

Pretty straightforward, lightweight, no issues so far

The light(er) weight Rust server looks interesting. We might spin it up in-house and kick the tires. Thanks!

Yep, we use Bitwarden at Emvi and personally. Really nice and easy to use tool.

My company and I have been using Keeper as the password manager. It is definitely very handy and autofills the information whenever you need to sign in everywhere. It's been claimed to be very secure and I trust my company's choices as cybersecurity is one of the priorities. Keeper also allows you to create secure passwords whenever needed and there is a vault accessible from your phone as well if you ever need the passwords elsewhere than known devices. Chrome extensions are really handy and I've got used to it very quickly. I switched from chrome password/info management to Keeper.

Can anyone share setup experiences / recommendations for BitWarden self-hosting?

With or without Docker?

Encountered any surprises?

Thanks in advance!

Also: LastPass has been a very awkward fit for my org.

We use LastPass in our company and it's terrible. Avoid it if you can.

What's the problem with LastPass? I'm using it personally and did not have any problems with it.

Closed source and confusing UI seems to be the consensus. I use LastPass as well and am satisfied with it, but considering a switch to BitWarden due to seemingly perfect reviews.

- purchased a few years ago by a company with a shady privacy/security history

- hard to use, slow, clunky interface.

- desktop app (macos) doesn't work well. small file sharing is cumbersome and extremely limited.

- sync is miserable. just.. miserable. it usually required the receiver to log out and back in at least twice.

try 1password and the differences are immediate and undeniable.

Keychain Access is good if you can accept an Apple solution. Apple software of course requires their hardware, which is a deal-breaker for many.

RememBear is made by the company that runs TunnelBear, which is a performant, permissive and reasonably transparent VPN platform. I have not tried RememBear but I would start there due to my positive experience with TunnelBear.

The best password manager application I've used is 1password.

> what password manager is considered reliable and secure?

Schneier's thoughts on case studies from 2014 (https://www.schneier.com/blog/archives/2014/09/security_of_p...) and 2019 (https://www.schneier.com/blog/archives/2019/02/on_the_securi...). The comments are useful too. Also there's this SO answer: https://security.stackexchange.com/questions/45170/how-safe-...

I think the solution I use personally would also serve your purpose. I use KeeWeb (app.keeweb.info). It's a web app that caches in your browser and only runs locally. It also has a desktop version for Windows as well. I keep the web app up on my Android Chrome all the time since there's no phone specific app and it works beautifully.

You can store the database (encrypted of course) in a Dropbox account that it can connect to. The desktop version can also periodically store backups locally on any device you want. If you treat the Dropbox as the centralized master, every one of your employees can simply use either the Windows desktop app or just keep a browser tab open with it (like I do at work). Any changes anyone makes will instantly be reflected across all instances.

I've never tried using for more than my 3 devices, but I don't see why it wouldn't work seamlessly.

If your target audience is developers/operators I would recommend gopass, https://github.com/gopasspw/gopass. It's a CLI tool which allows integration with scripts, ansible, terraform, kubectl, etc.

I found 1Password to be good, used in a 500 person organisation

My company uses Dashlane and I decided to try out others because it's terrible. Switched to BitWarden since it was free but that too had some quirks but far better than Dashlane. Now I'm using both BitWarden and Keeper and find them both to have their pros and cons. Both are much another to use than Dashlane though.

I can't give recommendations for a corporate setting, but I know Dashlane is a giant pain in the ass. My company uses this and gave us all free subscriptions and I decided to try something else. Currently I'm testing BitWarden and Keeper and find them both to be far superior though each with their own quirks.

I don't know how good this is at a corporate level but I use bitwarden (free to download/use, donations accepted). It's available in mobile/laptop (at least Mac) app form, extension form, and even website. Best password manager I've ever used (formerly used Dashlane).

I haven't used any password manager other than 1Password in anger, and no password manager in a corporate context at all =[

I definitely wouldn't mind if my employer chose 1Password Business as I would be able to link my business account to my family account and not pay for the latter. It is possible this might help changing behaviour for those who currently don't use a password manager for personal use. Or it might not help at all, who knows...

Just something you could take into consideration if this is important to you.

(Last time I checked 1Password offers this kind of deal and Dashlane, Lastpass either don't offer it or don't promote it. I won't guarantee this is the current state of things...)

My experiences:

Team Password Manager. https://teampasswordmanager.com/ Self hosted. LDAP/AD auth, and LDAP groups. It has some extensive auditing logs, so management can see exactly who changed what and when. Custom fields, pretty good permissions system. Concepts of "projects" rather than folders can be counter-intuitive. Cheap, and support is also pretty cheap. Worth a look just to evaluate to see if it will fit with your corporate culture.

Bitwarden. Fantastic software. I haven't used the corporate integration side of it at all. I protect mine with a U2F hardware key. Highly recommended.

TIL i should stop using lastpass because it doesn't have a single positive review here. I'd say it's fine, but it's my first experience that was a definite improvement from trying to remember passwords.

Don't let others influence you so easily! I personally know many people who are happy with LastPass, I've also seen many rave reviews. Choosing a password manager is a personal thing, almost like choosing IDE, so if you like it, stick to it. That said, it's good to keep your mind open so try other popular solutions - 1Password and BitWarden.

It sounds like you are looking for a SSO solution, not a central password manager. My company uses Okta - it is mildly annoying if you only have a small number of apps, but the friction becomes worth the trouble when you have dozens.

I also am curious that you have a 4:1 ratio of services to employees. I've only seen that many services at enterprise-scale companies. I'm sure you have your reasons, but every IT department I've ever been a part of would be actively looking to reduce that number by finding more robust solutions that solve multiple problems instead of 100 different solutions.

We've been using CorporateVault[0] at the small non-tech company I'm employed at. Sadly it has not been updated in quite a while, has a few bugs, and uses flash (to implement copy-to-clipboard), but it is a straight-forward uncomplicated on-premise solution. I've considered writing a replacement but it's never been enough of a pain for us to bother allocating the time.

[0] https://sourceforge.net/projects/corporatevault/

> uses flash (to implement copy-to-clipboard)

Yikes. Besides the general danger of even having Flash installed on machines that don't otherwise need it... you can copy to clipboard from pure JS in all major browsers since about 2016.

I'd be kind of worried about a password manager that hasn't seen updates since 2016, especially if it has a browser extension, which is notoriously tricky to get right. Is it getting security updates?

> Besides the general danger of even having Flash installed on machines that don't otherwise need it...

Flash is still built in to Chrome, it's installed anyway.

> you can copy to clipboard from pure JS in all major browsers since about 2016

CorporateVault was last updated in 2010.

> I'd be kind of worried about a password manager that hasn't seen updates since 2016, especially if it has a browser extension

It doesn't. Like I said, it's simple. It's just a Grails application you run on an on-prem server you can additionally lock down in any way you like.

I've looked at some alternatives in the past but so far none of them have been good enough to bother switching to. In fact, most of them have even worse functionality for our use case.

Take a look at Bitwarden (https://bitwarden.com/).

It's open source and can be self-hosted if needed.

Has anyone used Keeper Password manager by chance? We use Azure AD for primary sign in authentication which it apparently integrates with for automatic signin and user permissions management, and the pricing seems good.


I use Keeper at my current job and find it to be a horrendously bad UX.

Off the top of my head:

1) The browser plugin is horribly written and has caused me numerous problems (Linux laptop, YMMV), mostly related to performance and memory usage (both very bad).

2) Horrible 2FA management. You can configure Keeper to not ask you for your 2FA on a device for an hour, 30 days, or never again (iirc) and sometimes it'll just stop asking (like it did for me just now) or switch to a different 2FA for no obvious reason (I have both a security key and OTP).

3) Personal Opinion: I hate the layout of the "vault" and the browser extension's windows. I find all of them to be clunky and hard to use.

On the plus side, I do like how the actual records work. Most fields are optional and they have a decent custom field system. So, you can store pretty much anything in a reasonable way (from database credentials to PII, if you're into that).

We use keeper at our company too and find quite the opposite experience.

The browser extension worked the best of any we trialed (this includes Dashlane, LP, Bitwarden, and 1Password).

Our users found the 2FA to be self explanatory and liked the option to use Yubikeys (when the platform supports it) and defaulting back to TOTP when not available.

The UI is simple and clear and as you pointed out the records are flexible.

Sharing is easy and the most robust of any solution we tested. (see what happens when a user you didn't intend to share with gets ahold of the share link in LastPass).

Data replication between users and devices was near instantaneous with no user action to ensure the vault was in sync.

Additionally, we subscribe to BreachWatch and have gotten immense value in knowing that our users are not using breached credentials.

One final note from an enterprise perspective, the admin console for Keeper was clearly the easiest to use with the most features of any of the solutions we trialed.

WRT 2FA, my problem is more in using it than managing the available options. As I mentioned, mine is constantly misbehaving and, without any action on my part, hasn't requested any of my configured 2FA options in, now, multiple days. I'm guessing I must have somehow changed the "don't ask me in" dropdown without meaning to.

WRT sharing, I can agree with that. LastPass's sharing isn't as robust, though I don't recall ever using share links. I don't like that Keeper doesn't tell you what record you just received, though. I already have many dozens of records and it can be difficult for me to find new ones that have been shared with me.

I've never had an issue with data replication on LastPass and haven't needed it with Keeper (I only have it on one machine, anyways).

I can't speak to the Admin UI's of either, though. I've never used them in an org setting. The closest I've come to that is the family account I manage via LastPass, which I imagine isn't the same as what you'd get with a full enterprise account.

All that aside, I'm glad that it's been working well for you and your org. I'm sure Keeper is fine (particularly on Windows or Mac) and that my experience is atypical, but it's still my experience with the thing. Unfortunately, I hate it.

Hi @maemilius I appreciate your feedback regarding the Keeper UI on Linux, 2FA etc. I’m the CTO of Keeper and I’m a Linux Ubuntu user myself. I would really appreciate if you could email me directly and we can troubleshoot the issues you are experiencing. Most of our users are on Windows or Mac, so perhaps there is something we need to check on for the specific Linux platform you are using. In regards to UI, also happy to share with you some of the updates in the works. If you email craig@keepersecurity.com that would be awesome.

Thanks for the feedback! The custom field system is intriguing but the rest sounds bad enough that getting people to actually use it would be difficult.

Hi @kipchak I think the comments above are very linux-user-specific so feel free to ping me directly and I’ll walk you through a demo of the full platform. craig@keepersecurity.com

Keeper integrates seamlessly with Azure AD for both authentication and SCIM provisioning. Same capability across all platforms (iOS, Android, Web, Extensions, etc). I’m happy to do a quick zoom demo with you of the workflow. craig@keepersecurity.com

Bitwarden is worthy of a peek. I enjoy it privately and have rolled it to the company I work in. We are not heavy users, but for basic password sharing and secrets management it is great. It might be great for more advanced use cases too, but have not used it for such things.

The cool thing is that you can host your own server if you want with their open source solutions. I have no experience doing that either, but it sounds nice to have the option.

Passwordstate by https://www.clickstudios.com.au/; does what it should

To OP: Please don't consider Passwordstate. It's so horrible to use, that users refuse to use it when it is offered. My company expects it to be used, but instead everyone (hundreds of in-house users) reuse the same password everywhere, and/or ignore company policy by using a personal password manager not linked to the company's internal servers.

Passwordstate pisses me off so much I can't even be bothered to go into details as to WHY it's so bad.

Click Studios is proud of its product Passwordstate and the quality of its technical support.

If you are experiencing issues with our software, we are more than happy to work with you to address these issues.

Please log a support call via https://www.clickstudios.com.au/support.aspx.

Please don't take this the wrong way, but could you qualify your advice instead of rant? That'd be really helpful.

This seems like the best one going, and for the cheapest price for a lot of users. I'm interested in more reviews?

We use 1Password to manage hundreds of different credentials and secrets, and it works great.

LastPass UI is a nightmare last I tried it a couple years ago.

Even if it's not as convenient as keepassX, lesspass, lastpassword or 1password, you should look at KeyBase (https://keybase.io/). It's great to manage access and teams, and it's easy to integrate it in automation and code.

I'm a big fan of Keeper. If you're looking for an overarching cyber security program that includes things like a keeper subscription and cyber awareness training, check out https://havocshield.com

Using 1Password since the beginning. Never had any trouble. Multiple Devices, Multiple Accounts, ...

1password = excellent. AND if you get corporate, everyone gets a free personal family account!!! Which is most excellent.

LastPass is 2nd place.

Personally I used LastPass for years. Then switched to 1password. I am definitely a 1password fan at this point.

Tried other managers, they are all significantly worse.

1Password's business offering is pretty darn good for enterprise use. I highly recommend it.

We use last pass and it stinks. Would probably go with bitwarden or dashlane if we did it again.

I've never tried it, but I'm not surprised to find a support article for importing to Bitwarden from LastPass: https://help.bitwarden.com/article/import-from-lastpass/

BitWarden. It is open source and you can self-host the solution too! I manage my own self hosted solution for my family on Digital Ocean. Minimal maintenance and I can see it easily scaling to meet full organizational needs.

This is not helpful but wow 100 services for 25 people! Nothing wrong with that, but it really shows how many dependencies a business has today on software alone. I have to imagine that at least 1% of those services go bust every year.

KeePassXC with a cloud storage (Nextcloud server and mobile\desktop client), it's encrypted and usable offline and syncable online.

Now I'm a spoiled child without it, got used too much to this worryless passwords management

Keeper Security is the best password manager. It allows me to keep all my passwords and codes safe.

Amerihub offers a proprietary web-based solution for this which can be run on top of a public cloud, or on hardware within one’s corporate boundary.

It works well, and we do Active Directory SSO too. Same for our System Manager product.

Myki offline is worth considering as it has 2FA and shared access across your team - https://myki.com/teams/

We use Roboform for our ~30 person company with remote workers. It is simple to use, and comes at a great price point, although their app and browser extension can use some improvements.

We use the cloud version of Secret Server at my workplace and I don’t have any major complaints about it. We do combine it with SSO wherever we can to make things a little easier on users.

We use Keeper in our company and I have to say I like it. It does what we need it to do. I have used KeePass before, but I prefer Keeper way more.

Ideal would be if you could issue U2F hardware keys but not everyone supports that yet. I've seen KeePassXC used effectively as it works on Windows, macOS, and Linux.

self-hosted: passbolt

cloud/saas: keeper security

Both have very good enterprise features and are predominantly focused on keeping control over shared credentials compliant.

Very happy with passbolt so far for those "very secret" credentials that could be exposed by an adversary on 3rd party services.

As others have mentioned, bitwarden is excellent also and has the advantage of built-in 2fa and other things.

We use Okta and I'm happy with it. You sign in once to mycompany.okta.com and there you see nice icons to click and sign in to any service you have access to.

For mac OS -- keychain.

I like Clipperz though.

Cool blocky UI: https://clipperz.is/app/

Psono would work. It's open source, client side encryption packed with a ton of features... (full disclosure I am the main developer behind it)

IBM Verify app for one-time passcode since Google Authenticator is insecure and outdated (not updated in last 2 years), and 1Password.

1password for me, but I only use it for administrators.

For everyone outside of the startup bubble, Active Directory is king of SSO. We have it in hybrid mode with on site DC's synced to Azure AD. Now everyone is logged into Office, they have onedrive for files and Teams for messaging/conferencing.

When I evaluate a service it needs to connect to AD or I often feel like we're better off without it....

FYI: LastPass browser plugin appears broken starting 24-48 hours ago and not pasting the password.

It's definitely _NOT_ LastPass.

I use the one built into Firefox. Probably not a good fit for your situation, but it's saved my bacon at least once: I started to enter my credentials on a site and then thought "wait, why didn't Firefox auto-fill my credentials here?" Then I noticed the domain didn't match the rest of the site.
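The behaviour described in the comment above, sketched as an added example that is not part of the original thread and is not Firefox's actual matching logic: a password manager that fills only on an exact origin match offers nothing on a lookalike host. The saved entries, URLs and function names are constructed for illustration.

```javascript
// Added illustration: a simplified origin-bound autofill check.
// Not Firefox's real implementation; entries and URLs are constructed samples.
const savedLogins = [
  { origin: "https://accounts.example.com", username: "alice" },
  { origin: "https://intranet.example.org:8443", username: "alice.admin" },
];

// Reduce a page URL to scheme + host + port. The URL parser lowercases the
// host, drops default ports and ignores any "user@" prefix, so visual tricks
// in the address bar do not survive normalisation.
function normalizedOrigin(pageUrl) {
  let u;
  try {
    u = new URL(pageUrl);
  } catch {
    return null; // not a parseable URL
  }
  if (u.protocol !== "https:") return null; // never fill over plaintext
  return u.origin;
}

// Decide whether to offer credentials, and say why, so a refusal is visible.
function autofillDecision(pageUrl, store = savedLogins) {
  const origin = normalizedOrigin(pageUrl);
  if (origin === null) {
    return { fill: false, reason: "unparseable or non-HTTPS page", logins: [] };
  }
  const logins = store
    .filter((entry) => entry.origin === origin)
    .map((entry) => entry.username);
  if (logins.length === 0) {
    return { fill: false, reason: `no saved login for ${origin}`, logins };
  }
  return { fill: true, reason: `exact origin match ${origin}`, logins };
}

// Constructed test pages: the real site, then several lookalikes.
const samplePages = [
  "https://ACCOUNTS.EXAMPLE.COM:443/signin",
  "https://accounts.example.com.signin.example.net/",
  "https://accounts.example.com@login.example.net/",
  "http://accounts.example.com/signin",
  "https://intranet.example.org/",
];
for (const page of samplePages) {
  const d = autofillDecision(page);
  console.log(`${d.fill ? "FILL " : "BLOCK"} ${page} -> ${d.reason}`);
}
```

The missing autofill prompt is the signal: when a manager that normally fills a site stays silent, compare the address bar against the saved entry before typing anything by hand.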

Keepass on a shared drive or something like Dropbox has always worked well for me.

Have you used it with multiple users? I always hated the shared keepass solution due to the continual-sync problem we ran into. You had to make a change, manually sync, and hope that no one else was working on the same entry as you.

(Not to throw shade at Keepass, just my experience of it in the past, about 5 years ago.)

Always a risk, but communication should resolve that (in theory). ie, before you change an entry, jump on Slack etc and say I'm changing the password for X.

Alternatively, have one person who is responsible for changing passwords, everybody else just uses the passwords.

Bitwarden is amazing! And I have tried all of them over the last few years.

worth looking at Myki, offline, 2FA and shared access to the team https://myki.com/teams/

Keeper is the clear winner in our company's testing.


corp wise we use Thycotic Secret Server.

it's pretty clunky but works well enough i guess.

personally i use bitwarden.

Administrating it is a giant PITA, I wouldn't recommend.

Could you elaborate please? My company is slowly moving towards Thycotic, it would be great to know its pain points in advance.

AWS Secret Manager?

sticky notes under your desk


Thycotic Secret Server, hands down.

I considered this since I used it at my last company and it really was awesome. It was already set up when I got there. So I contacted them for a quote to deploy at my current job and holy smokes are they expensive!!! We ended up going with bitwarden: API, CLI tools, and password sharing. We've been happy.

We use this as well. It's alright, but really only useful for user accounts. I wish they would focus more on writing extensions for third-party services (think: Jenkins), so that it also becomes useful for service accounts.

Always heard great things about this product but haven't had a chance to implement it yet.

Advantage over keepass is that you can't retain a copy of the keyfile.


The human brain.


stop sharing passwords!

Boss: I need you to login to $corporate_account on $service and update $item.

should have thought about that a long time before adopting a service that required sharing a password, or as they say in the devops field, "shift left".

I’d be rethinking the hundred services, to be honest.

I am, give me your passwords and I will manage them.

Why not use HashiCorp Vault, supported by ActiveDirectory?

It's not really built for this use case. We tried it, for end-user password management, and it sort of sucked. Not because of the product, but because of the UI. There are things like Adobe's Cryptr[0] that help. But you don't get the nice browser integration one is wanting, mobile is missing, etc.

0: https://github.com/adobe/cryptr

Vault is awesome for corporate secrets that services/code needs to see, and even maybe for developers, but for end-user passwords for stuff, it's not so great.

If someone made a decent browser plugin and mobile app with vault as a backend then it'd be fantastic for human consumption. As it is now, it's for machine consumption.

Do you have a "why" rather than a "why not"?

No password manager supports multiple levels of security conveniently, so I'm forced to use two managers.

For web browsing, passwords often protect the site not me (magazine logins...). One wants a manager to stay open during browsing sessions, so one doesn't have to type the master password for every single use.

For financial transactions, one wants zero risk of someone cracking your financial security because they enjoyed thirty seconds physical access while you stepped away from your desk.

(Be reasonable: No one is going to set up a proximity monitor that locks their screen if they lean back in their chair, any more than they'll rig a trip wire shotgun to protect their data. Don't propose a version of this. I want convenience, so secure data needs extreme protection, not my browser during thirty second gaps.)

I've begged 1Password for years to allow certain passwords to be marked "secure" invoking all obvious measures: A second password needed to unlock, immediately locks again after use. No dice. They've tried offering a few alternatives that are so inconvenient that using a second manager is frankly easier.

Remember how Steve Jobs made his fortune: the iPod assumed people were stupid. The flat file system was corrected in the first year of the Mac, but reintroduced for the iPod for "ease of use". Similarly, I honestly don't believe that password managers are foremost concerned with security. They're concerned with sales.

Dashlane is no better, but it's a second system that I prefer for financial passwords.

If you step away from your desk for thirty seconds, I can install malware that captures your financial passwords (and cookies) next time you log in. The reason password managers universally don't support the feature you request is that they'd be giving their users a false sense of security. You don't have extreme protection at all. I'm sorry, I wish computers didn't work this way, but they do, and you have to keep yourself secure in the world as it exists and not in the world as you wish it were.

The usual way of solving this in corporate scenarios is to keep the office physically secure such that no outsider can get to someone's desktop in a tiny window without being noticed, and then set the screen to lock after a minute or so.

For personal computers, don't leave your laptop unlocked at the cafe when you go to pick up your coffee. Get in the habit of closing your lid.

Can I rephrase your idea - you're suggesting to have a 'flag' on some passwords so that, for those passwords, you have to re-enter the key every time? Initially, it sounds like a great idea - like how I can use my computer if it's unlocked, but need to re-enter the password to install something.

What makes you think 1Password aren't introducing this because they care more about sales than security? In general, I've found 1Password to care a huge amount about security because if somebody proves them to be insecure, it will have a huge effect on their sales. Security and their bottom line go together.
