
> Yes, but they should be unique to your account. I.e. via SSO.

This is a great best practice, but user-based value metrics for many SaaS platforms make this untenable for some IT departments. If folks have to log in seldom, it's very hard to make the business case to pay per user.

Similarly, there are many SaaS platforms that charge A LOT extra for SSO because you have to upgrade to their Enterprise-pricing model. If managing a separate user directory isn't worth it because the software isn't personalized, understaffed IT departments aren't going to do that either.

So while there is a best practice, dismissing solutions that are "good enough" (while sharing tradeoffs) isn't as helpful.



Not only user-based value metrics, but also SaaS apps don't implement collaboration in approachable ways for groups.

I can set up a shared inbox and a shared account that all users will have access to.

If we properly managed configuration for each SaaS app, we would have to have a full-time employee just to do that.

Yes, there is SSO and you can set up roles and rights and align that, but let's say you have Joe in a CRM SaaS who has customer X. Joe leaves and only he gets notifications; now someone still has to reconfigure the CRM so Jane gets the notifications. Removing access from Joe is easy. That is why companies get shared inboxes, because then you have a pool of employees that will check the shared inbox and also the shared account.

Yes, in an ideal world Joe does a handover of his customers and configurations before he leaves, but we know the world is not ideal.


There's A LOT of good advice for SaaS companies here. The problem you describe, e.g., is clearly something that's solvable on the SaaS side.


Is sharing accounts not against the TOS of any user-priced SaaS company?


Probably but IRL:

A) Who reads those? B) Who cares if e.g. Miro finds out you're sharing accounts and you get banned?


We inquired about this to grafana.net, and their reply didn't forbid sharing accounts.


Shared PWs are sometimes inevitable, but then you must rotate them every time someone with access leaves the company. OneLogin also has a way to minimize handling of the shared passwords for auto-logins that depend on shared creds.


> So while there is a best practice, dismissing solutions that are "good enough" (while sharing tradeoffs) isn't as helpful.

In many environments, sharing passwords is never "good enough".


We change our PW for some platforms every month, so that people leaving won't have access anymore.


Well, except for the period of time between them quitting and the new month rolling around.

You really should change passwords the second they leave. Yes it's a PITA, but you should do it anyway.



