I often hear things on here about products that claim to be secure but aren't -- what password manager is considered reliable and secure? Which do you use?
1Password isn't perfect but is by far the best one I've used and it does work well for teams IMO. We just are anal about setting up vaults and permissions to those vaults so it easy to segment users to only see the services they are allowed to etc. Plus it keeps things orderly and clean for maintenance purposes. The browser plug-ins have gotten better and the search is decent so definitely better then others I have seen.
I wish it was possible to share a credential with specific people without a need to create a dedicated vault.
1. If a user fails (or skips) 2FA, they still retain complete access to any passwords/vaults they previously locally synced... they just can't sync new/updated entries. This seems like a really flawed design - a 2FA failure should prevent access. When I asked the 1password team whether they'd consider invalidating local cache on 2FA failure, they did not seem interested.
2. You can't create links to passwords, which would allow management of an entry from a single location. If you want to share a password across multiple teams/vaults, you need to know about and maintain those entries for the same account, which means you also have to have access to all those vaults to manage that entry. This discourages password rotation, and increases the likelihood of orphaned passwords in other vaults.
3. Lack of granular permissions structure. You can't, for example, allow a user to initiate vault resets without giving them full admin access to the entire thing. Again, other password managers allow more fine-grained control.
To me, 1password feels like a small-time solution that tried to bolt on some enterprise features to retain customers. I don't think it should be considered enterprise software.
From a corporate standpoint, I don't want people using their personal devices for SMS OTP (2fa) because then if they leave, are disgruntled or get tragically hit by a bus I am locked out of a potentially important service/account. I had this happen on three accounts in the past year where one took me 3 days to recover the ability to access it, another I never could recover and we had to work around it and a third that was absolutely critical but took close to two weeks all said (lots of waiting). That is insane, and all because people used their own personal devices (or similar) for SMS 2fa.
There are other devices you can use, and some enterprises do use hardware keys in addition to the password which works well and the more sensitive the system the more inconvenience people will tolerate and understand.
For me it boils down to 1Password works good for a reasonable price which helps startups and small companies. I also don't think using 1Password is just a tool and you still need a good password refresh cycle and to stop reuse etc. This way if a backup at 1Password was somehow compromised or stored improperly at your company or at 1Password at least you'd be insulated better.
It definitely does provide a single point of access that if compromised in a way which bypasses all their security a lot of companies will be hurting.
Wait...I've seen two ways for services to handle multiple users from a client using the same account.
1. A company using the service gets a single user login for their account. That login is shared by all of the employees who use the service.
2. A company using the service starts out with a single user login for the account. That login is meant to only be used to administer the account. The administrator can create more user logins for the account, usually with reduced privileges. Each employee is given a separate login of their own, with just the privileges needed to do their job.
I don't think I've seen a #1 that uses 2FA. I assumed that was because it could then easily run into the problem you describe.
With #2 there is no problem using 2FA, or with each user using their own device for 2FA. The only account you have make sure won't be lost if someone gets hit by a bus is the administrator account.
Did you run into a service using approach #1 but that used SMS OTP?
And if you squint a little it's still a 'thing you have' since the vault is something you have to have access to so you can generate the constantly changing 2FA token. It's just a bit easier, in theory, to access than a hardware token or an SMS endpoint.
Hover (domain registrar) supports 2FA via TOTP or SMS, but it does not support granting multiple users access to manage a single set of domain names.
I suppose sharing the TOTP key along with the account credentials is better than dealing with the issues created by SMS, but it's still not great.
Essentially my example is the same you pointed out though, for the generic admin account you created you will need to use it to administrate the other users etc. What we do is store that admin account in 1Password with 2fa turned on for it and that way it is never locked to a user with 2fa on their personal device.
For a little more detail too, we will setup sub account for automated systems which have restricted permission (and likely use ssh/key pairs to login for automation). However, when you need to update something about these accounts many times you have to login as them and make a change, so in that case again we store the password and 2fa in 1Password so the team can handle that quickly and isn't stuck because one person left.
I am always open to other ideas though if you think I am missing other options.
Ultimately in this case you are protected from MITM attacks and basic forms of keylogging.
To use 1password on a new device, you need a "secret key" that is provided to you when you create your account which serves as a basic form of 2FA for your whole account. Not a perfect system, but it is not as simple as just getting your password and having access to everything.
So, while I think it storing storing your passwords beside your OTP generator isn't great, if both are locked behind another factor of authentication, you have mitigated that risk significantly.
1password requires more than just a password to access. You need the encryption key. It acts nicely for that purpose.
2fa is unnecessary if you're generating 20 character passwords uniquely for every site.
The best security is like the best camera. There is no better camera than the one you actually use. This is why cell phone cameras are the best. This is why 1password is the best, because it is security you always use and always keep safe.
1. Attacker needs access to the physical device of the account holder if they know the credentials.
2. Otherwise, they need to know credentials + secret key on a new device.
3. You can set up Google Auth to access the account in the first place, which can have its own separate 2fa (this is what we do)
see problem solved, no need to debate how single or two factor a thing is and you can just focus on the attack vectors it actually still solves for, objectively
yes the password vault is a single point of failure if someone knows your vault password or key logs it.
It lacks biometrics support for one which is something I wish they would add but I believe as it is an Electron app they cannot do so, at least not on macOS.
The iOS and Android apps are decent enough though. They support Touch/FaceID and the Android equivalents. With the exception that the iOS app has "Live Sync" (i.e. push notifications to sync the vault when a change is made elsewhere) but they never work. I recently made a post about this on the Bitwarden support reddit  but had no response from the developer there or on Twitter which is a shame. Live Sync works fine on Android though so it is clearly an iOS issue only.
If 1Password were cheaper, or if my needs were more complex, I would switch away from Bitwarden but as a home user it is "good enough".
For high level corporate account, just have 2-3 office phones with different phone numbers. Each number is for a different department or level of access. Provide the right number given the nature of the access required (AWS Root account versus Xero accounting software, for example) and then use that as the 2FA. You can even use virtual 2FA for this.
Just a thought.
For personal level access for each employee, provide your employees with second hand, cheap Android phones you can buy for mere pennies, keep them in the office at all times, on charge, on wifi-only. This has the benefit of helping to reuse old hardware as opposed to it ending up on some tip.
Password sharing controls are insufficient.
Would you be able to share feedback on where you feel the product falls down around tooling to scale? I'd like to make sure our teams are thinking about any difficulties you are having. There also may be more efficient ways to accomplish things that we can point out. Looking forward to your feedback. Thanks in advance!
Is single sign-on an option, instead? Something like Okta is a much better experience for less technical users (and, well, engineers too) where possible, and also lets you trivially manage credentials access as people on/off board (no need to rotate credentials if you're worried folk may have written them down on paper somewhere with malicious intent). That said, it doesn't help folk with personal credentials management, which can be useful for good security policy in addition.
1password is my favorite to have around for services that don't support SSO. I like it so much I pay for a family account, even.
Otherwise, thanks to many providers like Okta and others, SSO should really be a feature provided to smaller tiers nowadays.
We're a small business (2 founders, 3 contractors), and we'd love to use SSO for everything. But we're too small to afford enterprise tiers for things like Slack, Gitlab, etc.
Hopefully this trickles down eventually.
Update: I'd like to add that we provide a SaaS product as well, and have considered adding SSO to the enterprise tier but after much research we can't really find a good reason to restrict it (apart from "everyone else is doing it", and potential manual config).
But both SAML and OpenID connect have discovery protocols. Again, this CAN technically be self-configured by the right customer. But then, maybe the solution is to have a one-time config fee, rather than require a certain tier.
Lower tiers of SaaS products are more-or-less strictly designed for:
- individuals or very small businesses where everyone is friends
- who don't have exacting requirements/audit/traceability/reporting concerns
- who are willing to accept some pain/inconvenience if they use it outside of its design parameters
Credential-sharing services in the age of SSO are a dirty workaround designed to circumvent SaaS product segmentation (which would otherwise cause established companies to effectively subsidise tiny startups). I'm all for hacker philosophy, and perhaps this applies less to your situation than it does to the OP, but I do think the idea of credential-sharing is a horrible kludge that has only risen to prominence because of the specific issue that I mentioned, and which only leads to more problems with things like non-repudiation.
- Sign up for free or with a credit card, but you'll run into problems (or at the very least friction/complications) if you end up trying to use if you something serious
- Speak to a salesperson and have your CFO sign the company up for a long-term strategic partnership.
The examples that you gave are less clear-cut though. Trello Business is $12.50 per month, and supports Google Apps SSO. Trello Enterprise supports general SSO, and costs $20.83 per month. Slack pricing is $6.67/mo for Standard, and $12.50/mo for Plus with SSO. None of these are costs that should really make or break the profitability of a company; considering that the business is using them to generate revenue or to reduce its expenses, how do they compare to other things like property/facilities expenses and employee salaries/benefits?
Many of those cool things take night or weekend to set up and that’s kind of fun to do. Regular patching and potential troubleshooting is the less fun part you get to do when adopting a new app.
For everything else, you can put your services behind i.e. traefik and write a middleware, or use something like caddy which has a plugin for sso.
I have built an API to interact with 1password through its CLI: https://github.com/lettdigital/onepassword-api
The repo also includes an example of how to call the API using AWS Lambda.
The logic to interact with the 1password CLI is wrapped in an SDK, that can be used independently: https://github.com/lettdigital/onepassword-python
When creating an ec2, we call a module that creates a tls key, a keypair and an object in a bucket.
This object creating triggers a lambda that downloads the objects contents, namely the pem key and calls the api to save it to 1password as a document.
This newly created document is available to every member that has access to the vault without having direct access to the bucket itself.
Another use I had was to create credentials for sonarqube automatically. We have a relatively large team on github and wanted to add sonarqube to the stack. What I did was just read every members name, email and username from github, create the respective users using sonarqube api and register their credentials using the sdk. It was trivial then to send them a copy of their credentials, a lot easier and less error prone than doing it by hand.
Many other use cases can be thought. You could implement iam key rotation using this. You could share support credentials for your team using 1password and have automated tools read from the same source.
It really just make everything easier to replicate, integrate and manage using this api or the python sdk. The last thing you want is to screw someones credentials because of a human error (typo, forgot to save the password etc...)
Not totally relevant to the question, but how well does it scale to enterprise? I found the need to create and manage individual access to vaults to be complicated, even at a few users. I can't imagine how you'd manage 1000s of passwords accessed by combinations of 1000s of users, including third-parties, contractors, etc. Are there any better password management solutions in the enterprise space?
But they did recently introduce a CLI here: https://support.1password.com/command-line-getting-started/#...
That makes me optimistic that you could at least do a fair amount of automation around it. I haven't used it myself yet, so I'm not sure how fully featured the cli is
You should just be able to say “give me the password for yahoo.com” but you can’t actually do that.
I wanted to use it to get npm 2FA on the command line and just gave up completely.
EDIT: if someone from 1Password reads this, please reach out. I have good CLI UX experience and would love to help fix it.
You're completely right about the use-case there. One of the things I think we missed the mark on was choosing to expose the full item JSON structure as the default. I think it is important that access to the full item is available, but I think it would have been a much better user experience if we had abstracted that in the default case.
What you've pointed out here is what we are currently working on addressing. Development of the CLI was put on hold for over a year while development of our SCIM bridge was ongoing (they're built on the same codebase). In the past few months, we have ramped up the entire team, and movement has accelerated greatly on the CLI. This is feedback we're well aware of, and we're working hard to address it.
Feel free to post in our discussion forums if you're still willing to have a more extensive conversation: https://discussions.agilebits.com.
I'll give it a spin again too as it's been a while since I tried it last and check out the forums!
A password manager isn’t required here because it much better to control access with SSO. The user can have one password, preferably just logging into their workstation, and then SSO will sign them into whatever apps they are allowed to. Much easier than having a password manager keeping 80-100 passwords.
In the past we used a safe credential manager that our NOC could access to get admin or other management credentials for networking devices when problems occurred. You could use the same for DB or server passwords where you need the text and combine it with a password manager if you can auto fill them. Only use these options for systems that don’t have SSO.
I used Okta at a previous employer; it was good too.
I would never trust my passwords to a closed source project that could be ridden with insecure code and disappear or change considerably on short notice. When the source code is open, chances for survival of the project in one form or another is much higher.
I also like that they take feature requests on their community forum and that their Github repo is active and responsive to issues.
The thing is, everywhere you use your password is probably 'closed source' and probably has 'lots of bugs'.
Ima guess that people re-use a lot of passwords and therefore are going to be at risk due to said 'closed source'.
I think that open v. closed may be only one of many considerations.
Well, that's the argument for a password manager, no? You can't trust any of these services, so you generate transient, strong, one time passwords for each of these, and then use a password manager you trust to manage it all instead. If one gets leaked, then sure it's a pain, but at least it doesn't mean they can log into every other service too!
I've used both in both personal and corporate settings. Great browser support, Keepass2Android makes my mobile experience good.
The reason it's so good for corporate is that the database is just a file, so you can email passwords, or share via one drive or Dropbox or ftp or shared samba drive or ...
I worked with techs from Oracle who used to auto generate the database for particular users and share them around. It worked really well for them. Because it's just a file it works for all sorts of workflows.
My workplace does pay for Cyberark which is a built for purpose Enterprise application, but I don't have rights to it it or whatever, so I just use KeepassXC.
Same in case of a leak.
With solutions using per-user keys, you just have to revoke/remove keys for that single user. GNU pass (FOSS) and Bitwarden (paid, open source) both do this.
BitWarden is my choice, it's cheaper than alternatives, the UI is simple and easy to understand. It's open-source and battle-tested. You may want to self-host as well.
I switched to BitWarden a couple of months back and I'm very happy with it. I have quibbles, but it's a much more solid experience.
Glad I don't have to use it anymore.
So I end up having to give other members of my team step-by-step directions to finding the right file or folder every time I share one. And that's assuming the access permissions haven't got borked, which seems to happen more often than not.
I've been pushing my company to drop it for a while.
Surely this can't work for a larger organisation?
Probably better used with a filesystem that has strong guarantees though.
(This with 2 factor passphrase and key file, btw)
Perhaps it has changed since, or maybe it was just hard to find. Oh well, too late now.
We ended up using 1Password. My only real complaint with it is the need to create a vault for sharing something from one user to another. That means that if any two people in the company want to share, they need to get an admin involved so the admin can create the vault.
The whole point of a password manager is so you only have to remember one passphrase. Suggesting an actual sentence and not having byzantine passphrase requirements will help. My fiance is really bad with this one, I admit that I don't have much empathy here.
Personally, I'm ecstatic that there is no recovery process to reset or recover a Bitwarden master password. No security questions. No email reset. No one-time use login codes (which would need to be stored somewhere not encrypted by a user's secret key in order to verify). Again, I can understand why an IT department would want that, but all that does is open up attack vectors that are very easy for an attacker to abuse.
The whole point of the master password is it's the ONE AND ONLY password you cannot forget or lose. One... lousy... password.
Unless you're talking about mass-replacing a single password across a bunch of different entries? Which is certainly not a limitation of any password manager; reusing a password is just horrible.
I used KeePass at a previous company and loved it.
2) The business model of LastPass worries me. Unlike a 1Password (I tried it for a 3 month trial, don't use them or have any skin in the game for them) charges a lot more than LastPass and in addition to having a more smooth, speedy and performant application, they are charging enough money to feasibly be profitable just storing passwords.
LastPass has has more data breaches than the others (google). It's run by a domain register. In my opinion this influences how the password business is run, leading to a marketing-forward rent extraction password manager vs a good one.
- It’s sluggish.
- The password sharing experience sucks.
- The drop down menus often get obfuscated in weird ways.
While I wish the bitwarden UI could stay over the top a little better, been really appreciating it vs lastpass... it's a bit simpler and less confusing overall. Not quite the same feature set, but that's okay..
I do wish the autofill wasn't two menus deep though. (right-click, bitwarden -> autofill -> list) wish it just expanded autofill (if less than say 5 matches) on the right-click menu.
KeepassXC can work fine, but it's not super integrated in terms of alternative clients, CLI, mobile etc. If you go with keepass, make sure to use XC (the most recent community fork AFAIK). Similarly to GNU Pass, you need to sort out syncing yourself and have the additional hassle of maintaining a shared secret, and alternatively a shared keyfile. If one is compromised, you need to make everyone rotate, which in practice leads to lazy teams never rotating keys and even using keys they know probably are compromised already.
LastPass is horrible, in my experience. The web app is incredibly buggy and the only thing that really works somewhat well is the browser extension, which I don't trust much.
1password is a slight step up from LastPass.
I heard great things about BitWarden and it looks compelling but haven't tried it yet.
Hashicorp Vault is great, but IMO not suitable for "manual" credentials and more for provisioning and maintaining secrets that are fetched by your internal services. If you need non-engineers to have access to it for shared web app accounts etc, Vault is probably not a good choice.
I haven't use the 2FA option yet, and it has a Google Authenticator equivalent.
Bug is open already for a year :-(
P.S. 1password has it.
Security wise, we looked at the 1Password CVE history and it seems pretty ok.
The one issue we've run into with 1Password vs LastPass is that sharing works differently. If you share a password (not by putting it in a Vault) with an individual in 1Password, it makes a copy - so updates don't propagate. Thankfully we are a pretty small and tight team so adding people to other department Vaults isn't necessarily an issue, but it could be for others.
(And if podcasts aren't your thing - note that that page is text, and the episodes it links all have full transcripts.)
We didn't talk a lot about what's different for corporate users, but we do cover family/shared accounts. There's also two particular things I want to call your attention to:
- You probably should use a browser extension, because it's your most effective defense against phishing. A human might not notice the difference between a legit domain name and a phishing site, and might copy/paste a password into the wrong one. A browser extension will notice that you're not on the usual site and won't offer to fill in the password automatically.
- Getting browser extensions right is hard, and some leading password managers have been much better than others.
Search for "Organization Accounts" on https://bitwarden.com/ – either a) $5/month for first 5 users in a team + $2/user/month thereafter, or b) $3/month per user for enterprise (teams + premium for TOTP + user groups). If I understand correctly, the teams version allows users to manually share what they want, while the enterprise version allows finer-grained permissions based on predefined groups of users (including optional integration with LDAP).
I haven't used teams/enterprise, but based on the feature list ("User Groups: Use groups for easier user management and greater control across departments and teams", and "Access Control: Implement fine-grained access control policies and organize your vault with collections"), I assume it's possible to setup permissions to the shared collections however you want. I would hope it's possible to have read/write owner(s) to manage credentials, with an option to allow other users to be readonly if desired.
Based on my experience with the personal edition of Bitwarden, and how well the developer handles his community and GitHub issues, I expect it's now as mature and flexible as anyone needs. You likely need the enterprise ($3/mo/user) for the most flexible use cases. Don't quote me on that though. :)
I was curious for use in an agency, where the clients share credentials with the agency. Multiple clients to a single agency account may get cluttered.
I will have to map out the use case specifically and see which plan works best. Perhaps a bunch of family plans would work for multi to multi scenario, where the agency would also maintain client-specific multiple accounts..
Of course, Bitwarden also has the "Families" paid version, which costs... $1/month for up to 5 users (that's $1/month flat for all 5 users, not $1 per user). $1/month for a whole family is beyond reasonable, and precisely why I love Bitwarden – it's great software with prices designed to support a single developer's open source software rather than the exorbitant prices required to support an entire company and their proprietary software.
While it is an inconvenience, like most security, I suspect the benefit is that folks can't just write down or copy a shared password somewhere else. It keeps it relatively contained, for times when employees leave the company. I'm unsure whether or not a determined user could get the password anyway.
The sync is slow-ish; I moved an entry to a shared folder and it took 20 minutes to become available to others.
Personal use is free, with an optional $10 per YEAR (not per month) addon that adds a built-in TOTP client (ie. Google Authenticator compatible two-factor auth). There are also "Organization" accounts at extra cost for more enterprise-level usage, including sharing credentials among teams.
Note: I believe that even if you host on-premise using the open source code, it expects a paid license for the extra features (TOTP and Organization accounts), at $3-5/month per user.
I found 1Password 7, 1Password X and the browser extension to all be disconnected from each other and sloppy to use in general.
I used 1password before my company did, it works fairly seamlessly with both my personal and company accounts.
I see BitWarden mentioned a lot in r/sysadmin, but I haven't really tried it. Might be worth looking at.
The GPG encryption un-usability is a bit abstracted away by a nice (but not perfect) browser plugin.
The CLI is a bit awkward and incomplete -- so much so that I wrote a fuzzy-search python wrapper with auto-clearing clipboard support etc. around it which served me well enough.
Okta, Azure AD, and other identity services offer password sign-in from a custom dashboard you setup. It would be cheap to test out. That way you just grant access to the dashboard and can change the password easily without worrying about whether it replicated to the vault of a user. Also, the sign-in experience is slick, but may need a browser extension.
I've heard BitWarden is good, but I'd be really careful about how you manage hosting for any central password manager. 1password and the like handle the maintenance for you and can scale up to a lot of users.
If you are using enterprise SaaS, or the services are owned by your company, then you should strongly consider SSO. This will save you a lot of headaches, but you'll also need to think about user provisioning/deprovisioning because blocking sign-in might not be enough in all cases. Products like Azure AD and Okta handle this stuff for you too.
Example scenario: a bad SaaS product will have unlimited lifetimes on mobile tokens for convenience. If you assume the user only uses the web version and enable SSO, then you aren't mitigating the problem with the mobile app. You need to deprovision the user to purge the tokens from the app they installed on their personal device.
We are also now starting to use Okta and SSO extensively too.
My employer uses 1Password. I don't like it at all. Maybe it's because I don't understand how it thinks vs say BW, but should a PW manager require that much thought?
The official docker version looked way too complicated imo -> https://github.com/bitwarden/server/blob/master/scripts/run....
Pretty straightforward, lightweight, no issues so far
With or without Docker?
Encountered any surprises?
Thanks in advance!
Also: LastPass has been a very awkward fit for my org.
- hard to use, slow, clunky interface.
- desktop app (macos) doesnt work well. small file sharing is cumbersome and extremely limited.
- sync is miserable. just.. miserable. it usually required the receiver to log out and back in at least twice.
try 1password and the differences are immediate and undeniable.
RememBear is made by the company that runs TunnelBear, which is a performant, permissive and reasonably transparent VPN platform. I have not tried RememBear but I would start there due to my positive experience with TunnelBear.
Schneier's thoughts on case studies from 2014 (https://www.schneier.com/blog/archives/2014/09/security_of_p...) and 2019 (https://www.schneier.com/blog/archives/2019/02/on_the_securi...). The comments are useful too. Also there's this SO answer: https://security.stackexchange.com/questions/45170/how-safe-...
You can store the database (encrypted of course) in a Dropbox account that it can connect to. The desktop version can also periodically store backups locally on any device you want. If you treat the Dropbox as the centralized master, every one of your employees can simply use either the Windows desktop app or just keep a browser tab open with it (like I do at work). Any changes anyone makes will instantly be reflected across all instances.
I've never tried using for more than my 3 devices, but I don't see why it wouldn't work seamlessly.
I definetely wouldn't mind if my employer choose 1Password Business as I would be able to link my binusnees account to my family account and not pay for the latter.
It is possible this might help changing behaviour for those who currently don't use a password manager for personal use. Or it might not help at all, who knows...
Just something you could take into consideration if this is important to you.
(Last time I checked 1Password offers this kind of deal and Dashlane, Lastpass either don't offer it or don't promote it. I won't guarantee this is the current state of things...)
Team Password Manager. https://teampasswordmanager.com/ Self hosted. LDAP/AD auth, and LDAP groups. It has some extensive auditing logs, so management can see exactly who changed what and when. Custom fields, pretty good permissions system. Concepts of "projects" rather than folders can be counter-intuitive. Cheap, and support is also pretty cheap. Worth a look just to evaluate to see if it will fit with your corporate culture.
Bitwarden. Fantastic software. I haven't used the corporate integration side of it at all. I protect mine with a U2F hardware key. Highly recommended.
I also am curious that you have a 4:1 ratio of services to employees. I've only seen that many services at enterprise-scale companies. I'm sure you have your reasons, but every IT department I've ever been a part of would be actively looking to reduce that number by finding more robust solutions that solve multiple problems instead of 100 different solutions.
Yikes. Besides the general danger of even having Flash installed on machines that don't otherwise need it... you can copy to clipboard from pure JS in all major browsers since about 2016.
I'd be kind of worried about a password manager that hasn't seen updates since 2016, especially if it has a browser extension, which is notoriously tricky to get right. Is it getting security updates?
Flash still built in to Chrome, it's installed anyway.
> you can copy to clipboard from pure JS in all major browsers since about 2016
CorporateVault was last updated in 2010.
> I'd be kind of worried about a password manager that hasn't seen updates since 2016, especially if it has a browser extension
It doesn't. Like I said, it's simple. It's just a Grails application you run on an on-prem server you can additionally lock down in any way you like.
I've looked at some alternatives in the past but so far none of them have been good enough to bother switching too. In fact, most of them have even worse functionality for our usecase.
It's open source and can be self-hosted if needed.
Off the top of my head:
1) The browser plugin is horribly written and has cause me numerous problems (Linux latop, YMMV), mostly related to performance and memory usage (both very bad).
2) Horrible 2FA management. You can configure Keeper to not ask you for your 2FA on a device for an hour, 30 days, or never again (iirc) and sometimes it'll just stop asking (like it did for me just now) or switch to a different 2FA for no obvious reason (I have both a security key and OTP).
3) Personal Opinion: I hate the layout of the "vault" and the browser extension's windows. I find all of them to be clunky and hard to use.
On the plus side, I do like how the actual records work. Most fields are optional and they have a decent custom field system. So, you can store pretty much anything in a reasonable way (from database credentials to PII, if you're into that).
The browser extension worked the best of any we trialed (this includes Dashlane, LP, Bitwarden, and 1Password).
Our users found the 2FA to be self explanatory and liked the option to use Yubikeys (when the platform supports it) and defaulting back to TOTP when not available.
The UI is simple and clear and as you pointed out the records are flexible.
Sharing is easy and the most robust of any solution we tested. (see what happens when a user you didn't intend to share with gets ahold of the share link in LastPass).
Data replication between uses and devices was near instantaneous with no user action to ensure the vault was in sync.
Additionally, we subscribe to BreachWatch and have gotten immense value in knowing that our users are not using breached credentials.
One final note from an enterprise perspective, the admin console for Keeper was clearly the easiest to use with the most features of any of the solutions we trialed.
WRT sharing, I can agree with that. LastPass's sharing isn't as robust, though I don't recall ever using share links. I don't like that Keeper doesn't tell you what record you just received, though. I already have many dozens of records and it can be difficult for me to find new ones that have been shared with me.
I've never had an issue with data replication on LastPass and haven't needed it with Keeper (I only have it on one machine, anyways).
I can't speak to the Admin UI's of either, though. I've never used them in an org setting. The closest I've come to that is the family account I manage via LastPass, which I imagine isn't the same as what you'd get with a full enterprise account.
All that aside, I'm glad that it's been working well for you and your org. I'm sure Keeper is fine (particularly on Windows or Mac) and that my experience is atypical, but it's still my experience with the thing. Unfortunately, I hate it.
The cool thing is that you can host your own server is you want with their open source solutions. I have no experience doing that either, but it sounds nice to have the option.
Passwordstate pisses me off so much I can't even be bothered to go into details as to WHY it's so bad.
If you are experiencing issues with our software, we are more than happy to work with you to address these issue.
Please log a support call via https://www.clickstudios.com.au/support.aspx.
LastPass UI is a nightmare last I tried it a couple years ago.
LastPass is 2nd place.
Personally I used LastPass for years. Then switched to 1password. I am definitely a 1password fan at this point.
Tried other managers, they are all significantly worse.
Now I'm a spoiled child without it, got used too much to this worryless passwords management
It works well, and we do Active Directory SSO too. Same for our System Manager product.
cloud/saas: keeper security
Both have very good enterprise features and are predominantly focused on keeping control over shared credentials compliant.
Very happy with passbolt so far for those "very secret" credentials that could be exposed by an adversary on 3rd party services.
As others have mentioned, bitwarden is excellent also and has the advantage of built-in 2fa and other things.
I like Clipperz though.
Cool blocky UI: https://clipperz.is/app/
For everyone outside of the startup bubble, Active Directory is king of SSO. We have it in hybrid mode with on site DC's synced to Azure AD. Now everyone is logged into Office, they have onedrive for files and Teams for messaging/conferencing.
When I evaluate a service it needs to connect to AD or I often feel like we're better off without it....
(Not to throw shade at Keepass, just my experience of it in the past, about 5 years ago.)
Alternatively, have one person who is responsible for changing passwords, everybody else just uses the passwords.
its pretty clunky but works well enough i guess.
personally i use bitwarden.
Advantage over keepass is that you can't retain a copy of the keyfile.
Vault is awesome for corporate secrets that services/code needs to see, and even maybe for developers, but for end-user passwords for stuff, it's not so great.
For web browsing, passwords often protect the site not me (magazine logins...). One wants a manager to stay open during browsing sessions, so one doesn't have to type the master password for every single use.
For financial transactions, one wants zero risk of someone cracking your financial security because they enjoyed thirty seconds physical access while you stepped away from your desk.
(Be reasonable: No one is going to set up a proximity monitor that locks their screen if they lean back in their chair, any more than they'll rig a trip wire shotgun to protect their data. Don't propose a version of this. I want convenience, so secure data needs extreme protection, not my browser during thirty second gaps.)
I've begged 1Password for years to allow certain passwords to be marked "secure" invoking all obvious measures: A second password needed to unlock, immediately locks again after use. No dice. They've tried offering a few alternatives that are so inconvenient that using a second manager is frankly easier.
Remember how Steve Jobs made his fortune: the iPod assumed people were stupid. The flat file system was corrected in the first year of the Mac, but reintroduced for the iPod for "ease of use". Similarly, I honestly don't believe that password managers are foremost concerned with security. They're concerned with sales.
Dashlane is no better, but it's a second system that I prefer for financial passwords.
The usual way of solving this in corporate scenarios is to keep the office physically secure such that no outsider can get to someone's desktop in a tiny window without being noticed, and them set the screen to lock after a minute or so.
For personal computers, don't leave your laptop unlocked at the cafe when you go to pick up your coffee. Get in the habit of closing your lid.
What makes you think 1Password aren't introducing this because they care more about sales than security? In general, I've found 1Password to care a huge amount about security because if somebody proves them to be insecure, it will have a huge effect on their sales. Security and their bottom line go together.