HACKER Q&A
📣 flippyhead

What's the best corporate password manager?


My company of ~25 people needs to manage access to probably ~100 services our employees use everyday and I assume some kind of password manager which I can centrally manage is the way to go.

I often hear things on here about products that claim to be secure but aren't -- what password manager is considered reliable and secure? Which do you use?

Thank you!


👤 davismwfl Accepted Answer ✓
We have been using 1Password and just use vaults to segment things properly and keep things limited to the smallest group of people possible. 1Password is also how we handle 2FA in a common/generic way for many sites that require it. This avoids the problem of a user using their cell phone number to get the OTPs and then that person leaves the company and you are left trying to coordinate the change for an account with a former employee.

1Password isn't perfect but is by far the best one I've used and it does work well for teams IMO. We just are anal about setting up vaults and permissions to those vaults so it's easy to segment users to only see the services they are allowed to etc. Plus it keeps things orderly and clean for maintenance purposes. The browser plug-ins have gotten better and the search is decent so definitely better than others I have seen.
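The "2FA in the vault" approach above works because a TOTP seed is just a shared secret: whoever holds the seed (an authenticator app or a vault entry) computes identical codes. The following is an added example, not code from the thread or from 1Password/Bitwarden; it implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library only, and uses the RFC 6238 test seed ("12345678901234567890" in ASCII, base32-encoded the way an otpauth:// URI or a vault field carries it). The step size and skew window are the usual defaults, assumed here.

```python
"""Added example (not from the thread or any vendor): a vault that stores a site's
TOTP seed computes the same codes as an authenticator app, which is why a seed kept
in a shared vault outlives any one employee's phone. RFC 4226 + RFC 6238."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 6238 Appendix B test seed ("12345678901234567890" in ASCII), base32-encoded.
RFC6238_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30  # the default every authenticator app assumes


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // STEP_SECONDS, digits, algo)


def decode_seed(seed_b32: str) -> bytes:
    """Seeds are often shown lowercase, grouped with spaces and without '=' padding."""
    s = seed_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp_from_seed(seed_b32: str, unix_time: Optional[int] = None, digits: int = 6) -> str:
    """What the vault entry displays: the current code for the stored seed."""
    now = int(time.time()) if unix_time is None else unix_time
    return totp(decode_seed(seed_b32), now, digits)


def verify_totp(seed_b32: str, code: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Server-side check: accept +/- skew_steps of clock drift, compare in constant time."""
    return any(
        hmac.compare_digest(totp_from_seed(seed_b32, unix_time + k * STEP_SECONDS), code)
        for k in range(-skew_steps, skew_steps + 1)
    )


if __name__ == "__main__":
    print("current code for the RFC test seed:", totp_from_seed(RFC6238_SEED_B32))
```

The practical consequence for offboarding: because the seed is the only secret, moving a site's 2FA to a shared vault means revoking a former employee's access is a vault-permission change plus a seed rotation at the site, not a chase after someone's phone number.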


👤 bpicolo
> manage access to probably ~100 services our employees use everyday

Is single sign-on an option, instead? Something like Okta is a much better experience for less technical users (and, well, engineers too) where possible, and also lets you trivially manage credentials access as people on/off board (no need to rotate credentials if you're worried folk may have written them down on paper somewhere with malicious intent). That said, it doesn't help folk with personal credentials management, which can be useful for good security policy in addition.

1password is my favorite to have around for services that don't support SSO. I like it so much I pay for a family account, even.


👤 messo
I have used Bitwarden personally for a while, coming from KeePassXC (Linux and Android), and it has been a joy to use. My company is now looking into using it both internally and as a solution for organizations and businesses we serve, mainly because it offers a self-hosted / on-premise solution and decent pricing, and the fact that it is open source.

I would never trust my passwords to a closed source project that could be riddled with insecure code and disappear or change considerably on short notice. When the source code is open, chances for survival of the project in one form or another are much higher.

I also like that they take feature requests on their community forum and that their Github repo is active and responsive to issues.


👤 djhaskin987
KeepassXC or Keepass by a mile (for corporate uses; decent for personal use too but others are also good for this).

I've used both in both personal and corporate settings. Great browser support, Keepass2Android makes my mobile experience good.

The reason it's so good for corporate is that the database is just a file, so you can email passwords, or share via OneDrive or Dropbox or FTP or a shared Samba drive or ...

I worked with techs from Oracle who used to auto generate the database for particular users and share them around. It worked really well for them. Because it's just a file it works for all sorts of workflows.

My workplace does pay for CyberArk which is a built-for-purpose enterprise application, but I don't have rights to it or whatever, so I just use KeepassXC.


👤 mdibaiee
LastPass is the worst piece of software I have ever worked with. We had a lot of trouble making sense out of its sluggish user interface and confusing terminology and more.

BitWarden is my choice, it's cheaper than alternatives, the UI is simple and easy to understand. It's open-source and battle-tested. You may want to self-host as well.


👤 Legogris
Depending on your preferences, it might be worth looking into GNU pass. You have to do the additional setup of syncing/sharing password stores (Keybase can work for this) and users need to have basic knowledge of working with PGP keys. Encryption is done via per-user GPG, which is convenient, easy and secure if you're used to it and frustrating if you aren't already and not willing to take the hour or two necessary to get fully up to speed. There are tons of clients for various platforms and use-cases.

KeepassXC can work fine, but it's not super integrated in terms of alternative clients, CLI, mobile etc. If you go with keepass, make sure to use XC (the most recent community fork AFAIK). Similarly to GNU Pass, you need to sort out syncing yourself and have the additional hassle of maintaining a shared secret, and alternatively a shared keyfile. If one is compromised, you need to make everyone rotate, which in practice leads to lazy teams never rotating keys and even using keys they know probably are compromised already.

LastPass is horrible, in my experience. The web app is incredibly buggy and the only thing that really works somewhat well is the browser extension, which I don't trust much.

1password is a slight step up from LastPass.

I heard great things about BitWarden and it looks compelling but haven't tried it yet.

Hashicorp Vault is great, but IMO not suitable for "manual" credentials and more for provisioning and maintaining secrets that are fetched by your internal services. If you need non-engineers to have access to it for shared web app accounts etc, Vault is probably not a good choice.


👤 dhruvkar
My company of ~30 people just started with Bitwarden, purely because I use it personally and knew it. I like the fact that it's open source, has a self-hosted option and it has a Linux client.

I haven't used the 2FA option yet, and it has a Google Authenticator equivalent.


👤 paol
We recently chose 1Password for this purpose. We also evaluated Dashlane but gave it up pretty quickly because of bad UI (not that 1Password is stellar) and some basic requirement that was not met - I forget what.

Security wise, we looked at the 1Password CVE history[1] and it seems pretty ok.

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=1password


👤 cmg
Echoing what so many other people have said, we use 1Password for staff at our organization. I moved us from LastPass last year because LP was just confusing and frustrating for everyone.

The one issue we've run into with 1Password vs LastPass is that sharing works differently. If you share a password (not by putting it in a Vault) with an individual in 1Password, it makes a copy - so updates don't propagate. Thankfully we are a pretty small and tight team so adding people to other department Vaults isn't necessarily an issue, but it could be for others.


👤 geofft
Shameless plug, my podcast on personal digital security has a few episodes on password managers: https://looseleafsecurity.com/password-managers/

(And if podcasts aren't your thing - note that that page is text, and the episodes it links all have full transcripts.)

We didn't talk a lot about what's different for corporate users, but we do cover family/shared accounts. There's also two particular things I want to call your attention to:

- You probably should use a browser extension, because it's your most effective defense against phishing. A human might not notice the difference between a legit domain name and a phishing site, and might copy/paste a password into the wrong one. A browser extension will notice that you're not on the usual site and won't offer to fill in the password automatically.

- Getting browser extensions right is hard, and some leading password managers have been much better than others.
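To make the phishing point concrete: the extension's defence is an origin check on the page URL against the URL each entry was saved from. The block below is an added example, not code from the thread or from any vendor's extension; the vault entries are constructed sample data, and the short suffix table stands in for the Public Suffix List that a real extension would consult (an assumption of the example). It shows the cases a human misses and the check does not: a digit-for-letter lookalike, a real domain used as a subdomain of the attacker's, a userinfo trick, and an IDN homograph (which the browser hands over as punycode).

```python
"""Added example (not from the thread or any vendor): the origin check a password-manager
browser extension runs before offering to autofill. Sample vault is constructed."""
from urllib.parse import urlsplit

VAULT = {
    "PayPal":  {"url": "https://www.paypal.com/signin", "username": "ap@corp.example"},
    "GitHub":  {"url": "https://github.com/login", "username": "ops@corp.example"},
    "Bank UK": {"url": "https://www.example.co.uk/login", "username": "fin@corp.example"},
}

# Real extensions use the Public Suffix List to find the registrable domain;
# this short table is a stand-in for the example, not a real dataset.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """'accounts.paypal.com' -> 'paypal.com'; 'online.example.co.uk' -> 'example.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def origin_matches(saved_url: str, page_url: str) -> bool:
    """True only if the page is HTTPS and shares the saved entry's registrable domain.
    Hostnames come from the parsed URL, so 'https://www.paypal.com@evil.example/' yields
    'evil.example', and a homograph arrives as 'xn--...' and simply fails to match."""
    saved, page = urlsplit(saved_url), urlsplit(page_url)
    if page.scheme != "https" or not saved.hostname or not page.hostname:
        return False  # never fill over plaintext or for an unparseable host
    return registrable_domain(saved.hostname) == registrable_domain(page.hostname)


def autofill_candidates(page_url: str):
    """Entries the extension would offer for this page; an empty list means 'do not fill'."""
    return sorted(name for name, entry in VAULT.items()
                  if origin_matches(entry["url"], page_url))
```

Matching on the registrable domain (so accounts.paypal.com fills a www.paypal.com entry) is the common default; matching on the exact host is stricter and is what you want for hosts that serve user-controlled subdomains. Either way, the check is only as good as the URL the entry was saved from, which is the argument for saving entries from the real site rather than typing them in by hand.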


👤 surds
I see BitWarden recommended quite a bit here. Does anyone know if it is possible to share passwords between 2 accounts when using the self-hosted version? Or is it limited to teams?

👤 schlotzisk
Don't use LastPass. It's a nightmare. Terrible sync, and things like "Do not make password visible to shared contacts" are a huge PITA with no real benefit.

👤 developer2
I haven't used it in a corporate setting, but personally I've been using Bitwarden[1] since November 2017 without a single hiccup. It's amazing. The best part: it's open source, including all clients/apps (browser addons, desktop apps, smartphone apps). The server component being open source means you can host your own instance on-premise (clients let you specify a custom host to sync with to avoid using Bitwarden's public servers).

Personal use is free, with an optional $10 per YEAR (not per month) addon that adds a built-in TOTP client (ie. Google Authenticator compatible two-factor auth). There are also "Organization" accounts at extra cost for more enterprise-level usage, including sharing credentials among teams.

Note: I believe that even if you host on-premise using the open source code, it expects a paid license for the extra features (TOTP and Organization accounts), at $3-5/month per user.

[1] https://bitwarden.com/


👤 rvz
Well, Dashlane is the universal platinum standard of all password managers which has regular security audits from HackerOne and other external white hat hackers and even has a built-in VPN where the other password managers just don't.

I found 1Password 7, 1Password X and the browser extension to all be disconnected from each other and sloppy to use in general.


👤 HikeThe46
1password works well for our team of ~20. We set up multiple vaults and give access, where required, to shared resources.

I used 1password before my company did, it works fairly seamlessly with both my personal and company accounts.


👤 Humdeee
Post-it notes around the perimeter of your monitor

👤 evo_9
BitWarden. It's open-source so you can audit the code or create your own version if necessary.

https://bitwarden.com/


👤 tvanantwerp
I've used LastPass. I'd say it was fine, but I think quality might be slipping. They were recently acquired by a private equity firm, which I consider a bad sign of things to come. Service incidents seem increasingly frequent. Just yesterday, I was trying to onboard a user and their servers couldn't be reached during his initial password reset. I'm sad to say these problems are common. I want to like it; but if I'm being honest, it's got a lot of problems right now.

I see BitWarden mentioned a lot in r/sysadmin, but I haven't really tried it. Might be worth looking at.


👤 ofrzeta
We are using Passbolt and are quite happy with it (only a dozen or so team members). I haven't tested Bitwarden but I would like to compare it to Passbolt. Migrating passwords would probably be impossible, though.

👤 zerkten
What are these services? SaaS products, or things your company built?

Okta, Azure AD, and other identity services offer password sign-in from a custom dashboard you set up. It would be cheap to test out. That way you just grant access to the dashboard and can change the password easily without worrying about whether it replicated to the vault of a user. Also, the sign-in experience is slick, but may need a browser extension.

I've heard BitWarden is good, but I'd be really careful about how you manage hosting for any central password manager. 1password and the like handle the maintenance for you and can scale up to a lot of users.

If you are using enterprise SaaS, or the services are owned by your company, then you should strongly consider SSO. This will save you a lot of headaches, but you'll also need to think about user provisioning/deprovisioning because blocking sign-in might not be enough in all cases. Products like Azure AD and Okta handle this stuff for you too.

Example scenario: a bad SaaS product will have unlimited lifetimes on mobile tokens for convenience. If you assume the user only uses the web version and enable SSO, then you aren't mitigating the problem with the mobile app. You need to deprovision the user to purge the tokens from the app they installed on their personal device.
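The offboarding gap that zerkten (and bpicolo, further up) describe can be modelled in a few dozen lines. What follows is an added example, not code from the thread, Okta, Azure AD or any SaaS vendor: the downstream app checks SSO once at login and then mints its own bearer token with no expiry, so blocking the user at the identity provider stops new logins but leaves the mobile app's token working. The user name, signing key and timestamps are constructed; the "not_before" revocation timestamp is one common way an app implements deprovisioning, assumed here rather than taken from any product.

```python
"""Added example (not from the thread or any vendor): blocking sign-in at the SSO
provider versus deprovisioning in the downstream app. All names are constructed."""
import base64
import hashlib
import hmac
import json


class IdentityProvider:
    """Stand-in for the SSO provider: it only decides who may *start* a session."""
    def __init__(self):
        self._active = set()

    def provision(self, user: str) -> None:
        self._active.add(user)

    def block_signin(self, user: str) -> None:
        """What 'disable login' does: future SSO logins fail, nothing else changes."""
        self._active.discard(user)

    def sso_login(self, user: str, now: int):
        return {"sub": user, "iat": now} if user in self._active else None


class SaasApp:
    """Downstream app. It checks SSO once, then trusts its own token on every call."""
    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self._users = {}  # user -> {"active": bool, "not_before": int}

    def login_with_sso(self, assertion: dict) -> str:
        user = assertion["sub"]
        self._users.setdefault(user, {"active": True, "not_before": 0})
        return self._mint(user, assertion["iat"])

    def _mint(self, user: str, iat: int) -> str:
        # Deliberately no "exp" claim: the mobile client keeps this token forever.
        body = base64.urlsafe_b64encode(json.dumps({"sub": user, "iat": iat}).encode()).decode()
        return body + "." + hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def call_api(self, token: str) -> bool:
        """Signature valid, user still active in *this* app, token minted after the last revocation."""
        body, _, sig = token.partition(".")
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not sig or not hmac.compare_digest(expected, sig):
            return False
        claims = json.loads(base64.urlsafe_b64decode(body))
        rec = self._users.get(claims["sub"])
        return bool(rec and rec["active"] and claims["iat"] >= rec["not_before"])

    def deprovision(self, user: str, now: int) -> None:
        """What SCIM-style deprovisioning triggers in the app: every earlier token dies."""
        rec = self._users.get(user)
        if rec:
            rec["active"] = False
            rec["not_before"] = now


def offboarding_scenario() -> dict:
    """Offboard a constructed user 'alice' and report what still works at each step."""
    idp, app = IdentityProvider(), SaasApp(b"constructed-demo-key")
    idp.provision("alice")
    phone_token = app.login_with_sso(idp.sso_login("alice", now=1_000))  # day one, mobile app
    results = {"before": app.call_api(phone_token)}

    idp.block_signin("alice")                                            # HR ticket: "disable login"
    results["new_sso_login_after_block"] = idp.sso_login("alice", now=2_000)
    results["phone_token_after_block"] = app.call_api(phone_token)       # still works

    app.deprovision("alice", now=2_000)                                  # the step that actually helps
    results["phone_token_after_deprovision"] = app.call_api(phone_token)
    return results


if __name__ == "__main__":
    for step, outcome in offboarding_scenario().items():
        print(f"{step}: {outcome}")
```

The check worth adding to an offboarding runbook follows directly: for every SSO-connected app, confirm whether it is deprovisioned (SCIM or an admin API that revokes sessions) or merely no longer reachable through the dashboard, because only the former touches tokens already on a personal device.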


👤 stephenwilcock
We use 1Password in a startup of 40 people and it works beautifully. Great product.

We are also now starting to use Okta and SSO extensively too.


👤 chefkoch
We use pleasant password server https://pleasantsolutions.com/passwordserver and are happy with it. It uses a customized keepass as client and has all the features we need for a very reasonable price tag.

👤 chiefalchemist
I've used LastPass. It was okay. I switched to Bitwarden, per numerous HN recommendations. Solid product. Great price.

My employer uses 1Password. I don't like it at all. Maybe it's because I don't understand how it thinks vs say BW, but should a PW manager require that much thought?


👤 kaidax
Bitwarden

👤 vz8
Can anyone share setup experiences / recommendations for BitWarden self-hosting?

With or without Docker?

Encountered any surprises?

Thanks in advance!

Also: LastPass has been a very awkward fit for my org.


👤 juandazapata
We use LastPass in our company and it's terrible. Avoid it if you can.

👤 jeffadotio
Keychain Access is good if you can accept an Apple solution. Apple software of course requires their hardware, which is a deal-breaker for many.

RememBear is made by the company that runs TunnelBear, which is a performant, permissive and reasonably transparent VPN platform. I have not tried RememBear but I would start there due to my positive experience with TunnelBear.


👤 dragostita
The best password manager application I've used is 1Password.

👤 peterwwillis
> what password manager is considered reliable and secure?

Schneier's thoughts on case studies from 2014 (https://www.schneier.com/blog/archives/2014/09/security_of_p...) and 2019 (https://www.schneier.com/blog/archives/2019/02/on_the_securi...). The comments are useful too. Also there's this SO answer: https://security.stackexchange.com/questions/45170/how-safe-...


👤 turc1656
I think the solution I use personally would also serve your purpose. I use KeeWeb (app.keeweb.info). It's a web app that caches in your browser and only runs locally. It also has a desktop version for Windows as well. I keep the web app up on my Android Chrome all the time since there's no phone specific app and it works beautifully.

You can store the database (encrypted of course) in a Dropbox account that it can connect to. The desktop version can also periodically store backups locally on any device you want. If you treat the Dropbox as the centralized master, every one of your employees can simply use either the Windows desktop app or just keep a browser tab open with it (like I do at work). Any changes anyone makes will instantly be reflected across all instances.

I've never tried using it for more than my 3 devices, but I don't see why it wouldn't work seamlessly.


👤 rickette
If your target audience is developers/operators I would recommend gopass, https://github.com/gopasspw/gopass. It's a CLI tool which allows integration with scripts, ansible, terraform, kubectl, etc.

👤 smarri
I found 1Password to be good, used in a 500 person organisation

👤 prithsr
I don't know how good this is at a corporate level but I use bitwarden (free to download/use, donations accepted). It's available in mobile/laptop (at least Mac) app form, extension form, and even website. Best password manager I've ever used (formerly used Dashlane).

👤 Darsstar
I haven't used any password manager other than 1Password in anger, and no password manager in a corporate context at all =[

I definitely wouldn't mind if my employer chose 1Password Business as I would be able to link my business account to my family account and not pay for the latter. It is possible this might help change behaviour for those who currently don't use a password manager for personal use. Or it might not help at all, who knows...

Just something you could take into consideration if this is important to you.

(Last time I checked 1Password offers this kind of deal and Dashlane, Lastpass either don't offer it or don't promote it. I won't guarantee this is the current state of things...)


👤 bloopernova
My experiences:

Team Password Manager. https://teampasswordmanager.com/ Self hosted. LDAP/AD auth, and LDAP groups. It has some extensive auditing logs, so management can see exactly who changed what and when. Custom fields, pretty good permissions system. Concepts of "projects" rather than folders can be counter-intuitive. Cheap, and support is also pretty cheap. Worth a look just to evaluate to see if it will fit with your corporate culture.

Bitwarden. Fantastic software. I haven't used the corporate integration side of it at all. I protect mine with a U2F hardware key. Highly recommended.


👤 Daidyte
My company and I have both been using Keeper as the password manager. It is definitely very handy and autofills the information whenever you need to sign in everywhere. It's been claimed to be very secure and I trust my company's choices as cybersecurity is one of the priorities. Keeper also allows you to create secure passwords whenever needed and there is a vault accessible from your phone as well if you ever need the passwords elsewhere than known devices. Chrome extensions are really handy and I've got used to it very quickly. I switched from Chrome password/info management to Keeper.

👤 tylerchilds
TIL i should stop using lastpass because it doesn't have a single positive review here. I'd say it's fine, but it's my first experience that was a definite improvement from trying to remember passwords.

👤 codingdave
It sounds like you are looking for a SSO solution, not a central password manager. My company uses Okta - it is mildly annoying if you only have a small number of apps, but the friction becomes worth the trouble when you have dozens.

I also am curious that you have a 4:1 ratio of services to employees. I've only seen that many services at enterprise-scale companies. I'm sure you have your reasons, but every IT department I've ever been a part of would be actively looking to reduce that number by finding more robust solutions that solve multiple problems instead of 100 different solutions.


👤 AnIdiotOnTheNet
We've been using CorporateVault[0] at the small non-tech company I'm employed at. Sadly it has not been updated in quite a while, has a few bugs, and uses Flash (to implement copy-to-clipboard), but it is a straight-forward uncomplicated on-premise solution. I've considered writing a replacement but it's never been enough of a pain for us to bother allocating the time.

[0] https://sourceforge.net/projects/corporatevault/


👤 bitwarden
Take a look at Bitwarden (https://bitwarden.com/).

It's open source and can be self-hosted if needed.


👤 kipchak
Has anyone used Keeper Password manager by chance? We use Azure AD for primary sign in authentication which it apparently integrates with for automatic signin and user permissions management, and the pricing seems good.

https://docs.microsoft.com/en-us/azure/active-directory/saas...


👤 des_
Passwordstate by https://www.clickstudios.com.au/; does what it should

👤 Cort3z
Bitwarden is worthy of a peek. I enjoy it privately and have rolled it to the company I work in. We are not heavy users, but for basic password sharing and secrets management it is great. It might be great for more advanced use cases too, but have not used it for such things.

The cool thing is that you can host your own server if you want with their open source solution. I have no experience doing that either, but it sounds nice to have the option.


👤 kirstenbirgit
We use 1Password to manage hundreds of different credentials and secrets, and it works great.

LastPass UI is a nightmare last I tried it a couple years ago.


👤 aericstotle
My company uses Dashlane and I decided to try out others because it's terrible. Switched to BitWarden since it was free but that too had some quirks but far better than Dashlane. Now I'm using both BitWarden and Keeper and find them both to have their pros and cons. Both are much better to use than Dashlane though.

👤 aericstotle
I can't give recommendations for a corporate setting, but I know Dashlane is a giant pain in the ass. My company uses this and gave us all free subscriptions and I decided to try something else. Currently I'm testing BitWarden and Keeper and find them both to be far superior though each with their own quirks.

👤 ponsfrilus
Even if it's not as convenient as keepassX, lesspass, lastpassword or 1password, you should look at KeyBase (https://keybase.io/). It's great to manage access and teams, and it's easy to integrate it in automation and code.

👤 bfrit
I'm a big fan of Keeper. If you're looking for an overarching cyber security program that includes things like a keeper subscription and cyber awareness training, check out https://havocshield.com

👤 f4lse
Using 1Password since the beginning. Never had any trouble. Multiple Devices, Multiple Accounts, ...

👤 crad
1Password's business offering is pretty darn good for enterprise use. I highly recommend it.

👤 Justsignedup
1password = excellent. AND if you get corporate, everyone gets a free personal family account!!! Which is most excellent.

LastPass is 2nd place.

Personally I used LastPass for years. Then switched to 1password. I am definitely a 1password fan at this point.

Tried other managers, they are all significantly worse.


👤 tbrock
We use last pass and it stinks. Would probably go with bitwarden or dashlane if we did it again.

👤 habosa
This is not helpful but wow 100 services for 25 people! Nothing wrong with that, but it really shows how many dependencies a business has today on software alone. I have to imagine that at least 1% of those services go bust every year.

👤 zwilliamson
BitWarden. It is open source and you can self-host the solution too! I manage my own self hosted solution for my family on Digital Ocean. Minimal maintenance and I can see it easily scaling to meet full organizational needs.

👤 zupreme
Amerihub offers a proprietary web-based solution for this which can be run on top of a public cloud, or on hardware within one's corporate boundary.

It works well, and we do Active Directory SSO too. Same for our System Manager product.


👤 thepra
KeePassXC with cloud storage (Nextcloud server and mobile/desktop client): it's encrypted, usable offline and syncable online.

Now I'm a spoiled child without it; I've gotten too used to this worry-free password management.


👤 vanwilderrr
Myki offline is worth considering as it has 2FA and shared access across your team - https://myki.com/teams/

👤 finaliteration
We use the cloud version of Secret Server at my workplace and I don’t have any major complaints about it. We do combine it with SSO wherever we can to make things a little easier on users.

👤 djshah
We use Roboform for our ~30 person company with remote workers. It is simple to use, and comes at a great price point, although their app and browser extension can use some improvements.

👤 parvenu74
Ideal would be if you could issue U2F hardware keys, but not everyone supports that yet. I've seen KeePassXC used effectively as it works on Windows, macOS, and Linux.

👤 sergiotapia
We use Okta and I'm happy with it. You sign in once to mycompany.okta.com and there you see nice icons to click and sign in to any service you have access to.

👤 sp33dm3
We use Keeper in our company and I have to say I like it. It does what we need it to do. I have used KeePass before, but I prefer Keeper way more.

👤 s_dev
For mac OS -- keychain.

I like Clipperz though.

Cool blocky UI: https://clipperz.is/app/


👤 chickahoona
Psono would work. It's open source, client-side encryption, packed with a ton of features... (full disclosure: I am the main developer behind it)

👤 sventibolt
IBM Verify app for one-time passcode since Google Authenticator is insecure and outdated (not updated in last 2 years), and 1Password.

👤 tgtweak
self-hosted: passbolt

cloud/saas: keeper security

Both have very good enterprise features and are predominantly focused on keeping control over shared credentials compliant.

Very happy with passbolt so far for those "very secret" credentials that could be exposed by an adversary on 3rd party services.

As others have mentioned, bitwarden is excellent also and has the advantage of built-in 2fa and other things.


👤 jimnotgym
1password for me, but I only use it for administrators.

For everyone outside of the startup bubble, Active Directory is king of SSO. We have it in hybrid mode with on-site DCs synced to Azure AD. Now everyone is logged into Office, they have OneDrive for files and Teams for messaging/conferencing.

When I evaluate a service it needs to connect to AD or I often feel like we're better off without it....


👤 leonaestep
Keeper Security is the best password manager. It allows me to keep all my passwords and codes safe.

👤 reiichiroh
FYI: LastPass browser plugin appears broken starting 24-48 hours ago and not pasting the password.

👤 actionowl
It's definitely _NOT_ LastPass.

👤 nfriedly
I use the one built into Firefox. Probably not a good fit for your situation, but it's saved my bacon at least once: I started to enter my credentials on a site and then thought "wait, why didn't Firefox auto-fill my credentials here?" Then I noticed the domain didn't match the rest of the site.

👤 jmkni
Keepass on a shared drive or something like Dropbox has always worked well for me.

👤 rb666
Bitwarden is amazing! And I have tried all of them over the last few years.

👤 vanwilderrr
worth looking at Myki, offline, 2FA and shared access to the team https://myki.com/teams/

👤 cybrdemo
Keeper is the clear winner in our company's testing.

👤 reiichiroh
PasswordState?

👤 senectus1
Corp-wise we use Thycotic Secret Server.

It's pretty clunky but works well enough I guess.

personally i use bitwarden.


👤 timmit
AWS Secrets Manager?

👤 probinso
sticky notes under your desk

👤 parkeragee
Okta

👤 jhpauley
Thycotic Secret Server, hands down.

👤 blattimwind
bitwarden_rs

👤 quotha
The human brain.

👤 davego
hunter2

👤 riffic
stop sharing passwords!

👤 thedance
I’d be rethinking the hundred services, to be honest.

👤 kolbeypruitt
I am, give me your passwords and I will manage them.

👤 mister_hn
Why not use HashiCorp Vault, supported by Active Directory?

👤 Syzygies
No password manager supports multiple levels of security conveniently, so I'm forced to use two managers.

For web browsing, passwords often protect the site not me (magazine logins...). One wants a manager to stay open during browsing sessions, so one doesn't have to type the master password for every single use.

For financial transactions, one wants zero risk of someone cracking your financial security because they enjoyed thirty seconds physical access while you stepped away from your desk.

(Be reasonable: No one is going to set up a proximity monitor that locks their screen if they lean back in their chair, any more than they'll rig a trip wire shotgun to protect their data. Don't propose a version of this. I want convenience, so secure data needs extreme protection, not my browser during thirty second gaps.)

I've begged 1Password for years to allow certain passwords to be marked "secure" invoking all obvious measures: A second password needed to unlock, immediately locks again after use. No dice. They've tried offering a few alternatives that are so inconvenient that using a second manager is frankly easier.

Remember how Steve Jobs made his fortune: the iPod assumed people were stupid. The flat file system was corrected in the first year of the Mac, but reintroduced for the iPod for "ease of use". Similarly, I honestly don't believe that password managers are foremost concerned with security. They're concerned with sales.

Dashlane is no better, but it's a second system that I prefer for financial passwords.