Ask HN: How do you store/manage all of the passwords your organization uses?
9 points by awwstn on Oct 23, 2012 | 10 comments

We have a nice question about this over at Server Fault: http://serverfault.com/questions/119892/company-password-man...

I've looked at Thycotic Software's Secret Server product (http://www.thycotic.com/products_secretserver_overview.html). I was impressed, but none of my consulting customers have signed up.

I recently spun up a copy of the open source WebPasswordSafe (http://code.google.com/p/webpasswordsafe/) and liked what I saw but haven't really had much of a chance to bang on it.

Wearing my security auditing / pentester hat I've run into CyberArk's Enterprise Vault product (http://www.cyber-ark.com/digital-vault-products/pim-suite/en...) and found it very reasonable. It was refreshing to do a pentest where we didn't find a shared KeePass database or something similar.

We are looking at LastPass (Enterprise Edition) - looks good so far.

IronStratus is another one to check out; it lets users keep their own personal passwords, and an admin can grant access to app passwords.

I personally prefer 1Password - but it's really single-user oriented.

Obviously different from ID/auth providers like Okta or Ping Identity... but I find there are so many accounts/passwords shared in organizations for services that these guys may not support (apps with no SSO services, for example). Yes, they have some password management tools, but they don't seem to have in-app/browser shortcuts (i.e. Chrome/FF extensions).

KeePass is a decent option for a smaller company (http://keepass.info/). It's a bit limited in the sense that it doesn't support multiple users who can view different password tiers, but it does an OK job of syncing changes by multiple users. I am sure there are plenty of decent commercial options.

I've seen some companies hack together a homemade solution based on TrueCrypt as well, though it's probably not very efficient.

We also use KeePass (Classic Edition) saved in a repository that we can then share. The nice thing about KeePass is that there are clients/ports/compatible programs on Windows, Linux, iDevices, and Android.

The repository gives us versioning and a relatively crude but effective way of sharing as well as some additional access control.

We've used a few solutions we created for ourselves, and I know LastPass has an enterprise feature, but I'm curious if people have thoughts and advice on tools that worked or didn't work.

"Very alpha" - but I think this is exactly what you want.


We use passpack.com over here, but for server SSH logins we strictly use publickey authentication.
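
The "public key only for SSH" policy mentioned in the comment above is enforced in sshd_config, and the usual way it silently fails is a distro default that leaves password logins on (often as a commented-out line). The following is an added example, not code from the thread or from any product named in it: a small POSIX sh audit that reads the global section of an sshd_config (everything before the first Match block, first value for a keyword wins, as sshd itself resolves it) and reports whether password and keyboard-interactive logins are off and public key logins are on. The two sample configs are constructed inline for the demonstration; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: check whether an sshd_config enforces key-based login only.
# Only the global section is read (settings under a Match block are
# conditional); like sshd, the first value set for a keyword wins.
# Keywords are matched case-insensitively; the "Keyword=value" spelling
# is not handled, only the usual "Keyword value" form.

# Effective value of one keyword in the global section of an sshd_config.
# $1 = config path, $2 = keyword, $3 = default when the keyword is unset.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        tolower($1) == "match" { exit }          # stop at first Match block
        /^[[:space:]]*#/ || NF == 0 { next }     # skip comments and blanks
        tolower($1) == key && !found { found = 1; val = tolower($2) }
        END { print (found ? val : def) }
    ' "$1"
}

# Return 0 (pass) when password and keyboard-interactive logins are
# disabled and public key authentication is enabled; 1 otherwise.
# Defaults are the conservative ones (passwords allowed unless turned off).
sshd_pubkey_only() {
    cfg="$1"
    pw=$(sshd_effective "$cfg" PasswordAuthentication yes)
    kbd=$(sshd_effective "$cfg" ChallengeResponseAuthentication yes)
    pk=$(sshd_effective "$cfg" PubkeyAuthentication yes)
    [ "$pw" = no ] && [ "$kbd" = no ] && [ "$pk" = yes ]
}

# Constructed sample configs (not real files): a weak one, where the hardening
# line is only a comment, and a hardened one with a Match block that must be
# ignored by the global check.
weak=$(mktemp)
hard=$(mktemp)
cat > "$weak" <<'EOF'
# typical distro default: the "no" is commented out, so passwords stay on
Port 22
#PasswordAuthentication no
PubkeyAuthentication yes
EOF
cat > "$hard" <<'EOF'
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF

for f in "$weak" "$hard"; do
    if sshd_pubkey_only "$f"; then
        echo "$f: public key only (pass)"
    else
        echo "$f: password logins still possible (fail)"
    fi
done
```

Run it against a real file with `sshd_pubkey_only /etc/ssh/sshd_config`. Note that on OpenSSH versions where keyboard-interactive login is governed by KbdInteractiveAuthentication rather than ChallengeResponseAuthentication, that keyword should be checked as well, and `sshd -T` remains the authoritative way to print the effective configuration.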

Another vote for Passpack. Great service.

I use www.memengo.com in combination with the iOS app.

I also own and operate the site and the app.

KeePass all the way. TrueCrypt over it for when I back it up somewhere online.

