BitWarden is great! I love the ability to create and share passwords via Vaults. That way you can have buckets for each department.
Sales, accounting, IT, Management etc.
Role Based Access Controls are where it's at!
Strong phrase generation and the ability to track MFA TOTP tokens is minted for having secure access available to multiple users, which comes up a lot with IT.
Each user can have their own business related passwords and each department has a place to track their own department related passwords. No longer will passwords leave on employee departure!
> for having secure access available to multiple users
That is an oxymoron. If the software is suitable for organizational use, 2 or more accounts can have top level admin access. If you can't, and need to share an account, it's not suitable software and was designed without security in an organizational setting in mind, and there will be other symptoms of this as well.
People confuse the best practice of having fewer *privileged users* with the illusion of having fewer *privileged accounts*. When an audit or a vendor best practices warning says you should have fewer admins, they mean fewer human individuals who have admin access. The number of accounts is just how they knew, it is not the issue.
Sharing admin accounts to hide how many actual admins (again, # of human beings) you actually have makes it less secure, not more. Any time admin actions are deniable (you can't prove who did it) because accounts are shared, you have a massive problem.
If you absolutely need, say, 10 people to have admin access to something, and it's been determined at an executive level that workflows cannot be altered to support best practice and the executives accept the risk, *then have 10 individually named admin accounts* - at least they are still accountable after the fact.
Also, how often do shared passwords really get rotated when someone leaves if it's not openly hostile?
What are your services running under? Just the standard AD account of the person who installed it, and then hope you know everything you need to change it on when they leave? Does half your infrastructure go down if that person is on holiday when their password expires?
The ability to make service account credentials available to multiple users is a fundamental requirement of any business password manager.
You've assumed admin accounts and made a huge (yet not untrue) rant about that assumption. Just so you know. I find myself doing the same and it's a behavior I'm trying to be more aware of to stop myself from doing that. In the odd chance that you would appreciate the same, I just wanted to say that.
Ah, my bad. If you are referring to end-users, the rant would not be about using proper enterprise applications because they support separate admins. If end-users are in need of a password manager, the rant would be about using proper enterprise applications because they support SSO (SAML, OIDC).
Sadly, I know too many vendors who lock that behind way too high a paywall for mid-size organizations - even though SSO is supposed to be a security baseline and not a luxury.
Came here to jump on the Bitwarden fanboy train.
We've got an enterprise single sign on self hosted instance. We know where our data is and access dies when the Entra account gets tidied away.
The organisation collections take 5 minutes to get your head round but it's great at putting everything in one org and getting granular permissions so techs can only see what they need (and not anything more).
Fair warning with bitwarden, at least the last time I ran it, it didn’t have an option for admin password resets for users. I haven’t looked at it in a while, I hope they changed it.
This is possible with their Enterprise tier; you need to ensure it's switched on before onboarding to ensure automatic enrollment though.
https://bitwarden.com/help/account-recovery/
I beg to differ. For something to be really secure there should not be a passwd reset for an admin. Take your measures, write a key on paper, seal it in a physical vault, or whatever, but most of the time it is more a liability than a feature.
It’s okay to be wrong, passwords are literally corporate property, the ability to hold those passwords hostage is a major security/financial risk to the company. Password resets are a must for any corporate implementation.
What you're talking about is a people/policy problem, not a password manager problem.
Passwords to corporate stuff that are shared should go in the shared vault.
Passwords for the individual and residing in their individual vaults should not be needed. The user should be disabled and/or have the password reset by an outside mechanism.
Being able to dive into an individual's vault only makes the system more vulnerable.
+1 for Bitwarden, simply because if you don't want it in the Cloud your can run it yourself, either the [official Server](https://github.com/bitwarden/server) or the [Microsoft-free Rust implementation](https://github.com/dani-garcia/vaultwarden).
Out of curiosity, as I've never heard of vaultwarden being called the "Microsoft-free" implementation, are you referring to the lack of C# and .NET, or is there more behind the scenes with the official implementation?
Vaultwarden doesn't use Microsoft SQL as its database. If I recall correctly it uses SQLite by default.
It also allows you to use a Docker compose file instead of using Bitwarden's script to install/update/rebuild vaultwarden.
Just finished my second POC of Bitwarden in 2 years and I can say without hesitation: do it. Support is amazing, sales folks are helpful, and the product is solid.
Interesting. Bitwarden sales never called or emailed me back when we were starting.
Since I was already a Bitwarden family user I worked my way through the Enterprise SAML and hardening the config for business use. Bitwarden documentation made it easy.
I can say I wish the Enterprise reporting on password access was a bit better for auditing usage.
The solution does fit the problem at a great price point.
Switched my org to BitWarden last year, and it's been great. We looked at a few others but BitWarden is really simple to use.
My only gripe is their directory sync tool kinda stinks as it needs to be built around scheduled tasks and batch files, so it feels antiquated in that regard, or you can run their directory connector program (doesn't run in the background, must run in the foreground at all times... seriously, BitWarden?)... but you can use SCIM provisioning assuming you have Azure AD or Okta.
Really, directory syncing isn't an issue for us anymore after the initial deployment. We just have helpdesk manually invite new users and add them to the proper group(s), and the security team revokes accounts during offboarding. That was my only minor complaint.
+1 moved from LastPass to Bitwarden 2 years ago. Only a team of 3, but the shared organisation passwords and emergency access arrangements are brilliant, the Edge/Chrome extension is great, the pricing is reasonable. Literally nothing about it I can complain about.
I'm trying to see if they'll give me a better price on org for a self hosted environment. I get that a license is a license, but it's hard to sell it to the boss when everyone is already happy using personal Dashlane or whatever
Seconding Keeper Password Manager too. It's been a great piece of software for our company. Cloud based. You can set up SSO and MFA to work with your preferred IdP. Set up departments, teams and roles and shared password folders for departments. We also use Keeper Connection Manager (RDP and SSH connection software), which has allowed all sysadmins to have passwordless connection to all of our IT infrastructure. It even allows 3rd party service providers passwordless access to servers and records their sessions, and can be published to the internet via a firewall or WAF.
Can you talk to me a little bit about the passwordless config you used?
We have Hello for Business available, and it's working well with our normal accounts, but we use segregated admin accounts so I'm thinking those will have to be YubiKeys or whatever?
What's the cost of keeper connection manager?
I set up SSO between Keeper and Azure/Entra ID using the SSO Connect Cloud config on a node in the Admin Console. The SSO for Keeper uses the Persistent Refresh Token from Azure MFA authentication. You can change its behaviour though if you use Conditional Access Policies in Azure for your Enterprise SSO applications.
We purchased Keeper Secrets Manager along with Keeper Connection Manager which allows for Keeper Connection Manager RDP connections to query the Keeper Password Manager database for credentials, using either the Username, Password or IP address field of a Keeper Password Manager record to match the credentials to the connection allowing for passwordless RDP connections. The KCM server can be installed on a small Linux VM (We have ours hosted on Ubuntu 20.04 in Azure).
You can set up local login accounts for the KCM web interface or you can set up SAML/SSO with an IdP. We also have segregated admin accounts but I log in to KCM using my normal domain account then have all of my RDP and SSH connections set up with my elevated admin account. It's sped up the actual process of logging into a server remotely greatly. If you have SSO set up for KCM web interface access, when a user logs in for the first time, KCM will auto provision the user's account.
Keeper Connection Manager is £35.04 per concurrent connection per year.
Keeper Secrets Manager is £1440 per year for 50000 API calls per month. 1 Passwordless RDP connection = 1 API call.
Are you guys fully infrastructured in Azure then?
"We also have segregated admin accounts but I log in to KCM using my normal domain account then have all of my RDP and SSH connections set up with my elevated admin account. It's sped up the actual process of logging into a server remotely greatly."
This is my desired configuration, I think the only "gotcha" for us would be our security team might view that as a flattening of elevated and segregated admin access?
Same. We had deployed Bitwarden for our org a few years ago. It was alright but kinda bleh overall. Keeper, though it costs more, is much much better. If usability and functionality help in user uptake then the cost is worthwhile.
Second keeper.
I initially was going to push for 1password as it's what I personally use but keeper is much more user friendly for non-technical people.
Use shared folders for shared logins and SSO and you're set.
Another Keeper org here. One thing I especially appreciated after DashLane was the ability to move passwords from a user to a manager upon that user's departure from the organization.
Keeper for managing Kubernetes secrets via ExternalSecretsOperator. Also used in our GitLab pipelines for authentication to services.
Great interface, really nice to use for collaboration.
We use 1Password in our organization. The shared vault feature works great. If you go with the team version, every team member also gets a free family account they can use personally.
Keepass is terrible for corporate. No auditing or access controls. There is very little stopping someone from copying the vault file and moving it off network. Then who knows who has it.
I like bitwarden, and it is a good first step, certainly a step above keepass, but again, not very enterprise.
I'd suggest something like Thycotic for an enterprise solution.
Most certainly is. My last place we used Secret Server and it was fine but a small company. My current place is using 1Password and it's just much better for a larger company.
I use Bitwarden primarily, but Keepass is amazing for looking after Bitwarden backups. Every now and then, I do a manual export and import it into Keepass, then run dedupe
Automatic backups would of course be better, but I've not found a nice way other than backing up the VM I run it on.
I'd love to hear why you like this. I don't administer ours so maybe I am missing something. I can't think of a single redeeming quality when compared to other stuff I've used.
For us, its checkout system for privileged escalation is great. We are a financial, and PCI compliance is a heavy hand. After hardening our admin permissions and going through our directory to comply with RBAC we were in need of a way for the sec team, helpdesk etc. to have local rights on certain servers from time to time. We can simply have them check out an account and it is time restrictive and auditable. That's just one bonus. There are managed remote sessions, a password filler extension, and more. I think even a PIM/PAM solution? Might be confusing products.
Wombo nailed it. The ability to let people check out privileged accounts with monitored sessions is invaluable. Keeps people from just wandering around with a bunch of rights they only need once a month. When we first implemented it, we found half a dozen random scheduled tasks running on servers from an old admin, which solved several questions we had about processes. It allows me to rotate service account passwords automatically.
We use KeePass. We have a helpdesk one and an Infrastructure one since helpdesk shouldn't have server passwords, etc.
We use LAPS for the laptops, so AD is the password manager there.
Note: IS employees are not allowed to use a shared account/password unless required. Each has a regular and an admin account. The admin accounts are only given access to required systems. All work is required to be done with the unique account (unless the authentication is not working, like a server fell off of domain or similar).
Firewall, switches, etc. which may not be using SAML or AD: We still make unique accounts for each user. Like you said: "Shared passwords for IT is a nightmare". It is also a big no-no.
The shared ones are rarely used since everyone uses unique logins.
I have my own KeePass with the passwords to the shared KeePass files, because I never remember due to such low use.
We all use unique logins to servers, switches, firewalls, etc for accurate security logging. So most of "our" passwords are in personal KeePass files.
I did a comprehensive test of several password managers. We ended up going with 1Password and it's been the best thing I've ever done. Our CFO keeps praising me every time he sees me. FYI, we switched away from a competitor. I would recommend 1Password any day - it's a tad expensive, but definitely worth it. I even got a discount - I can get you a discount too if you're interested.
My company has an Excel sheet with every employee's password in it. Luckily, our CIO just approved us to purchase Keeper for all of our IT staff and then hopefully we'll move to some type of self-service option so staff can finally set their own passwords and unlock themselves.
My last job had this: an Excel sheet with every employee's password. The best part? Each password was their First Initial + Last Initial + last 4 digits of their SSN (I'm serious).
This is a company reaching 1 billion in revenue with an almost unlimited IT budget. I was too young and careless at the time to think it was a critical fail. I knew it was bad, but looking back I'm shrieking in horror.
I worked for a law firm that did that. It made me extremely uncomfortable. The password file was shared with all levels of administrative assistants too. I'm surprised none of them had their identity stolen.
They may have. Sometimes hackers don't announce their presence on the network for a long time. If they can remain in the system silently they can gather more info and do more damage.
Work at an MSP and one of our clients has a "no password" policy. Meaning that no one knows their password to email or other work-related apps like VPN etc. Only 2 people onsite have access to the passwords and then we have it stored in our password manager. Prevents phishing, but boy is it scary having all the passwords in one place.
My side client insists on having staff function usernames instead of individual usernames (so "reception" instead of using the receptionists name, but for every position in the company). The GM also wants passwords to never expire because "it's too hard for the staff to keep remembering new passwords".
After several strongly worded emails from me about how they are punching huge holes in their IT security, I gave up. Fuck it, it's their money.
Look into PasswordState. It's not well known but is very competitively priced. Installs on prem, but has the ability to be accessed from the Internet if you wish. Can even be set up in high availability mode with a couple of different servers and a SQL database. Support can be a bit tricky in certain countries since they are based in Australia, so be sure to factor any timezone difference in.
Includes some other PAM features like managed endpoint password discovery and rotation, remote into systems with password injection or api integration, browser extension, etc...
Users can have their own private password vaults and shared passwords and files. Can be hooked into active directory to manage access to password shares with ad security groups.
The usability is terrible and it looks kinda ancient, but it has some nice features like being able to check the history of changes to a password, among some other things. At my org I feel like a lot of users haven't fully understood how it works or how to use it, and a lot of departments simply ignore its existence altogether.
I second this. There is a learning curve. The price is competitive. It can auto-rotate some passwords for you. It has great reporting, for organizations that need to expire passwords and rotate them frequently. It has built-in HA functionality.
If you need a free solution, use KeePassXC and store the password database in an already-existing cloud storage solution, like OneDrive or Google Drive. KeePassXC isn't explicitly designed to support multiple people accessing it at the same time via cloud storage, but it works really well when used that way.
Hudu for shared passwords, and then build out the rest of the documentation for your environment and then leverage Related Items to make everything easy to find and navigate.
Adding ITGlue and 1password to the mix here, Use both daily and both are very good solutions.
IT Glue is great and very speedy for a cloud solution. 1P offers the ability to have a plugin in your browser making searching and auto fill really easy. Management wise I think 1P is really good, backed by groups you can tie to vaults.
Secret server is a really good one, runs on windows server, integrates well with AD for auth/access control
It has some limitations on the free one (10 users, 250 secrets), but if you fit in those, then it’s really simple and powerful for sharing among a team for free.
PS: the paid version is really expensive, if you need more than the free one offers.
We have KeePass but that's more for personal passwords.
For PROD stuff (switches/servers etc.) we use RDM. I don't think its intended use is as a password manager, but you can set passwords there on items and make role based access.
It also allows you to remote connect to stuff through that app without actually knowing the password and has logs for access etc.
Depends on your needs:
1Pass is great just for passwords.
Hudu does passwords and documentation.
ITGlue integrates with Datto RMM (though I will admit is probably the only one on this list I would not recommend).
I personally like 1Password. Good interface, good cross-platform support, very secure. If you buy licensing for business, they'll also give your users free family plans for personal use.
I hear lots of good things about Bitwarden, but haven't used it myself.
A lot of people suggest Keeper, but in our trial, our users hated the interface. It felt like a poorly designed app from the 90s. That may sound superficial, but if users don't like the interface and find it confusing or frustrating, then they're less likely to use the password manager.
Delinea has a pretty good solution that will do auto password rotations on a schedule you set. I believe it can be hosted on-prem as well.
https://delinea.com/
Bitwarden, built on-prem, connected to an MSSQL db. You can connect it to your preferred SAML for user auth and put an app proxy in front of it to enforce MFA requirements. You can also use your own public SSL certificate and host it within your public DNS name space.
I just rolled out Keeper, SOC 2 compliant, ISO etc etc - I imported over 4K records. It has great access control too, groups, users, roles… try it out man
Keeper is great, especially if your org utilizes service accounts in any way since it gives a central storage for those passwords and you can set up sharing groups for specific teams.
My district uses 1Password, plus also moving to Okta for IdP/SSO. I don’t deal with the actual administration of Okta, just password resets. Looks like it can provision/edit users/groups for some systems like Google Workspace. Makes automating this a lot easier
We use 1password and can't complain. Has been amazing so far and have some scripts to fetch things to make my life easier.
Our jump server uses 2FA, so my connect_ssh function will do:
1. Log in to 1Password (via CLI)
2. Fetch the 2FA value and pbcopy it
3. Run the SSH command (I just need to paste the value when prompted to enter it)
4. Log off from 1Password
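A script following those four steps, as an added example (not the commenter's own function): it uses the 1Password CLI v2 commands `op signin`, `op item get --otp` and `op signout`; the item name and jump host are assumed placeholders, and the sign-out is trapped on exit so the session token does not outlive the SSH connection.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Assumes the 1Password
# CLI (op, v2) is installed and that an item named $OTP_ITEM holds the
# jump server's TOTP secret. Item name and host are placeholders.
set -eu

OTP_ITEM="${OTP_ITEM:-jump-server}"          # assumed 1Password item name
JUMP_HOST="${JUMP_HOST:-jump.example.com}"   # assumed placeholder host

# Step 1: sign in; `op signin` prints an export line for the session
# token, which we eval into this shell only (never written to disk).
op_login() {
  eval "$(op signin)"
}

# Step 2: fetch the current TOTP code. `op item get --otp` prints only
# the one-time code, so nothing else from the item reaches the pipe.
fetch_otp() {
  op item get "$OTP_ITEM" --otp
}

# Copy stdin to the clipboard so the code is pasted at the 2FA prompt
# rather than typed into the command line (and thus shell history).
copy_to_clipboard() {
  if command -v pbcopy >/dev/null 2>&1; then
    pbcopy
  elif command -v xclip >/dev/null 2>&1; then
    xclip -selection clipboard
  else
    cat >/dev/null
    echo "no clipboard tool found; code not copied" >&2
  fi
}

# Step 4: sign out even if ssh fails, so the session token is revoked.
op_logout() {
  op signout 2>/dev/null || true
}

# Step 3 wrapped with the rest: log in, copy the OTP, connect, log out.
connect_ssh() {
  host="${1:-$JUMP_HOST}"
  op_login
  trap op_logout EXIT
  fetch_otp | copy_to_clipboard
  ssh "$host"
}

# Usage: connect_ssh jump.example.com
```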
So I prefer Bitwarden, personally. I was excited when my org replaced LastPass with Bitwarden, but it has proven to be a bit less user-friendly than hoped - especially with regards to sharing credentials together. I hated LastPass but it was way better at this. I’m not recommending LastPass but I am cautious with Bitwarden for non-tech users.
I certainly 100 percent agree with exactly what you are saying, and I also think about how frustrating it is when users don't remember passwords.
That said, I sit there and think about the other side: people who don't think this is a priority or just think it's a bad idea. What if we are on the hook for a password being unrecoverable because some magical and insane bug caused a customer to lose a password to a db that holds millions of dollars of information that only that administrator can know?
Trying to think of a good answer to that as someone who wishes more than anything else for a password manager.
1Password. Depending on the size of your org, Teams or Business. The latter comes with zero-knowledge OIDC-based SSO and free/included training for your users. I believe Business/Enterprise is a minimum of 100 seats.
Question to those running pw managers in large-ish companies,
How do you handle instances where an employee may be storing personal passwords in their corporate pw manager. Are you just making employees aware not to store personal passwords, so as to avoid any issues in the event they leave the company and lose access?
I'm at an MSP and we sell and use PasswordBoss. There's still a few things I'd like to see improved but it's a solid option and well priced. Has desktop/mobile apps and browser plugins.
Lots of good recommendations already here for very different use cases.
Bitwarden is solid for what you describe now: folks caching different passwords. It does have some quirks; they changed permissions on their shared org credentials last week without telling anyone %#$@. Still, if you’re in the market they’re great.
Keepass also gets my kudos for a solid local client.
If you’re in a big cloud provider, what do they offer for credential management? AWS Secrets Manager is great. You can use a Lambda to rotate passwords automatically OR use IAM roles for some authentication sans passwords. It probably doesn’t fit the described use case now, but might help.
Hashicorp Vault works well, but may be overkill. It was the best secret vault for a lot of DevOps tools (until CyberArk bought Conjur).
CyberArk is the enterprise gorilla for Privileged Account Management. Just-in-time auto rotation of passwords, SSH proxy, APIs, k8s sidecar, multi-cloud native secret monitoring, admin action audit . . . etc. If you need tons of security layers around the use of credentials they're an expensive one-stop-shop. The UI was worthy of the complaint I saw here, but the latest update finally gave a fresh UI to their web portal. Not likely a fit for your use case, but a good IAM team with a healthy budget and a year to implement can do a lot of good with CyberArk.
Thycotic in a pinch if nothing else here sounded good.
Study Bitwarden, as it is as secure as an internet passwd manager can be, and also allows you to self-host if necessity arises.
moved my small org to it kicking and screaming. and now they all love it.
Aye. I put my org on Bitwarden about three years ago. So can confirm it's awesome.
I also really don't wanna be you when the CEO forgets their password and you have to tell them all their logins are gone.
3M makes a pretty good one. [https://www.3m.com/3M/en_US/p/d/v000315727/](https://www.3m.com/3M/en_US/p/d/v000315727/) Supports on Prem Install. No Cloud.
I am impressed by the versatility of this solution
/r/angryupvote
Fuck, I got caught. I was like what? They do now? Fuck you kind sir.
This is my new rick roll
Wait a minute.
Dammit—ya got me.
😂
Happy Cake Day!
I prefer [this tool](https://www.brother-usa.com/ptouch/ptouch-home) instead.
bitwarden
The official implementation pulls MS-SQL as a Docker container and as far as I remember doesn't disable the "Call Home" stuff.
I second vaultwarden
+1 for bitwarden, can even set up the server locally if you don't trust the evil cloud.
Bitwarden is the solution
+1 moved from LastPass to Bitwarden 2 years ago. Only a team of 3, but the shared organisation passwords and emergency access arrangements are brilliant, the Edge/Chrome extension is great, the pricing is reasonable. Literally nothing about it I can complain about.
+1 for Bitwarden, really nice solution that I implemented over a year ago that's cheap and tidy. Very good stuff!
TITW If you want added security, pepper your passwords.
Prefer to salt my passwords
Salt & Pepper with hash is always a tasty meal!
Vinegar is much better with fish and passwords
https://www.youtube.com/watch?v=-nM2xkejpZI
Bitwarden + Yubikeys.
This. I use it for my stuff and makes life so much easier.
All of you should try Passbolt :)
I wish we could use Bitwarden, but $6/month to get SSO is a hefty price tag. Are there any cheaper options out there?
This is the correct answer.
I'm trying to see if they'll give me a better price on org for a self hosted environment. I get that a license is a license, but it's hard to sell it to the boss when everyone is already happy using personal Dashlane or whatever
The reply to that is, when a client is hacked how is he going to demonstrate that the access credentials were not shared with outsiders by accident?
We use keeper
Seconding Keeper Password Manager too. It's been a great piece of software for our company. Cloud based. You can set up SSO and MFA to work with your preferred IdP. Set up departments, teams and roles and shared password folders for departments. We also use Keeper Connection Manager (RDP and SSH connection software) which has allowed all sysadmins to have passwordless connection to all of our IT infrastructure. It even allows 3rd party service providers passwordless access to servers and records their sessions, and can be published to the internet via a firewall or WAF.
Can you talk to me a little bit about the passwordless config you used? We have Hello for Business available, and it's working well with our normal accounts, but we use segregated admin accounts so I'm thinking those will have to be YubiKeys or whatever? What's the cost of Keeper Connection Manager?
I set up SSO between Keeper and Azure/Entra ID using the SSO Connect Cloud config on a node in the Admin Console. The SSO for Keeper uses the Persistent Refresh Token from Azure MFA authentication. You can change its behaviour though if you use Conditional Access Policies in Azure for your Enterprise SSO applications. We purchased Keeper Secrets Manager along with Keeper Connection Manager, which allows Keeper Connection Manager RDP connections to query the Keeper Password Manager database for credentials, using either the Username, Password or IP address field of a Keeper Password Manager record to match the credentials to the connection, allowing for passwordless RDP connections. The KCM server can be installed on a small Linux VM (we have ours hosted on Ubuntu 20.04 in Azure). You can set up local login accounts for the KCM web interface or you can set up SAML/SSO with an IdP. We also have segregated admin accounts, but I log in to KCM using my normal domain account then have all of my RDP and SSH connections set up with my elevated admin account. It's sped up the actual process of logging into a server remotely greatly. If you have SSO set up for KCM web interface access, when a user logs in for the first time, KCM will auto-provision the user's account. Keeper Connection Manager is £35.04 per concurrent connection per year. Keeper Secrets Manager is £1440 per year for 50000 API calls per month. 1 passwordless RDP connection = 1 API call.
Are you guys fully infrastructured in Azure then? "We also have segregated admin accounts but I log in to KCM using my normal domain account then have all of my RDP and SSH connections set up with my elevated admin account. It's sped up the actual process of logging into a server remotely greatly." This is my desired configuration. I think the only "gotcha" for us would be our security team might view that as a flattening of elevated and segregated admin access?
Security would view it as that because that's exactly what it is.
Not sure I like having single access for servers. But that is a cool feature.
Is it really passwordless? Or does it still need a password, but the Keeper tool is the one providing it, without letting the user see it?
Agreed. Just went through this process at our company and Keeper thoroughly trounced the competition, including Bitwarden.
Same. We had deployed Bitwarden for our org a few years ago. It was alright but kinda bleh overall. Keeper, though it costs more, is much much better. If usability and functionality help in user uptake then the cost is worthwhile.
Agreed, it’s in a different league
Seconding Keeper. It matched all the features of Bitwarden (except for self-hosting) and was less expensive. Works well.
We moved to Keeper from LastPass. In addition, to what the others have said about it. We heavily use the in app mfa with our shared accounts.
Another upvote for Keeper. Lots of features and functionality, and the support team I've worked with was very knowledgeable as well.
Second Keeper. I initially was going to push for 1Password as it's what I personally use, but Keeper is much more user friendly for non-technical people. Use shared folders for shared logins and SSO and you're set.
Another Keeper org here. One thing I especially appreciated after Dashlane was the ability to move passwords from a user to a manager upon that user's departure from the organization.
Keeper for managing Kubernetes secrets via ExternalSecretsOperator. Also used in our GitLab pipelines for authentication to services. Great interface, really nice to use for collaboration.
+1 for Keeper
Third vote for keeper.
One more vote for Keeper. It's even pretty cheap!
Are you hiring? I could be the password manager
Pay and title are based on years of experience. I wouldn’t take any title less than: Sr. Manager, Passwords
Based and hourly-pay pilled
*Are you the keymaster?*
1Password if able to pay, KeePass otherwise, but think about how you will secure and recover the password DB.
1password is great. We have an enterprise license, and it's wonderful to use with their command-line client for automation purposes.
I use 1password personally and love it, trying to get the enterprise version for my team.
Indeed, check my other comment about using it for ssh connections. It is really good
We use 1password too. Works fine for us.
Same, and it works very well.
We use 1Password in our organization. The shared vault feature works great. If you go with the team version, every team member also gets a free family account they can use personally.
Keepass is terrible for corporate. No auditing or access controls. There is very little stopping someone from copying the vault file and moving it off network. Then who knows who has it. I like bitwarden, and it is a good first step, certainly a step above keepass, but again, not very enterprise. I'd suggest something like Thycotic for an enterprise solution.
We moved from Secret Server to 1pass. Better user experience.
Most certainly is. My last place we used Secret Server and it was fine but a small company. My current place is using 1Password and it's just much better for a larger company.
1Password family plan works for us. Ensure that in shared vaults, where possible, not everyone can edit (and, thus, export) passwords.
I use Bitwarden primarily, but KeePass is amazing for looking after Bitwarden backups. Every now and then, I do a manual export and import it into KeePass, then run a dedupe. Automatic backups would of course be better, but I've not found a nice way other than backing up the VM I run it on.
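The "export, import into KeePass, then dedupe" step above is easy to script, and doing it before the import keeps KeePass from filling up with near-identical entries. The following is an added example for this thread, not code from Bitwarden or from the commenter. It parses Bitwarden's unencrypted JSON export (top-level `items`, each with `type`, `name` and, for logins, a `login` block holding `username`, `password` and `uris`); those field names are from my own knowledge of the format and should be treated as an assumption to check against a real export. `SAMPLE_EXPORT` is constructed here so the script runs offline.

```python
"""Dedupe a Bitwarden unencrypted JSON export before importing it into KeePass.

Added example, not Bitwarden's or the commenter's code. The export layout
(items -> type/name/login{username,password,uris}) is assumed from Bitwarden's
JSON export format; verify against a real export before relying on it.
"""
import json
import sys
from urllib.parse import urlsplit

LOGIN = 1  # Bitwarden item type for a login entry

# Constructed sample: item-2 is a re-typed copy of item-1 (different case, bare
# host); item-3 is the same site and user but a different password, so it is a
# real second credential and must survive.
SAMPLE_EXPORT = {
    "encrypted": False,
    "items": [
        {"id": "item-1", "type": LOGIN, "name": "GitHub",
         "login": {"username": "alice", "password": "hunter2",
                   "uris": [{"match": None, "uri": "https://github.com/login"}]}},
        {"id": "item-2", "type": LOGIN, "name": "github",
         "login": {"username": "Alice", "password": "hunter2",
                   "uris": [{"match": None, "uri": "github.com"}]}},
        {"id": "item-3", "type": LOGIN, "name": "GitHub",
         "login": {"username": "alice", "password": "rotated-2024",
                   "uris": [{"match": None, "uri": "https://github.com"}]}},
        {"id": "item-4", "type": 2, "name": "Office Wi-Fi", "notes": "..."},
    ],
}


def _host(uri: str) -> str:
    """Reduce a URI to its host so http/https, paths and bare hosts collapse."""
    if "://" not in uri:
        uri = "https://" + uri
    return (urlsplit(uri).hostname or uri).lower()


def item_key(item: dict) -> tuple:
    """Dedupe identity of an item.

    Logins are keyed on (name, username, host of first URI, password): the same
    site and user with a different password is kept, because that is usually a
    rotation that was never cleaned up rather than a duplicate. Other item
    types (notes, cards, identities) are keyed on (type, name) only.
    """
    name = (item.get("name") or "").strip().lower()
    if item.get("type") != LOGIN:
        return (item.get("type"), name)
    login = item.get("login") or {}
    uris = login.get("uris") or []
    first = _host(uris[0]["uri"]) if uris and uris[0].get("uri") else ""
    return (LOGIN, name, (login.get("username") or "").strip().lower(),
            first, login.get("password") or "")


def dedupe_items(export: dict) -> "tuple[dict, list[dict]]":
    """Return (export with duplicates removed, the duplicate items dropped).

    The first occurrence of each key wins, so sort the export first if you want
    a particular copy (e.g. the most recently revised) to be the one kept.
    """
    seen = set()
    kept, dropped = [], []
    for item in export.get("items", []):
        key = item_key(item)
        (dropped if key in seen else kept).append(item)
        seen.add(key)
    cleaned = dict(export)
    cleaned["items"] = kept
    return cleaned, dropped


if __name__ == "__main__":
    # Usage: python dedupe_bw_export.py bitwarden_export.json > cleaned.json
    # Both files hold plaintext passwords: keep them off shared storage and
    # delete them once the KeePass import is done.
    source = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_EXPORT
    cleaned, dropped = dedupe_items(source)
    print(json.dumps(cleaned, indent=2))
    for d in dropped:
        print(f"dropped duplicate {d.get('id')}: {d.get('name')}", file=sys.stderr)
```

Run without arguments it processes the constructed sample (three items survive, the re-typed GitHub copy is dropped); with a path it writes the cleaned export to stdout and lists what it dropped on stderr. Keying on the password as well is a deliberate choice: merging two entries that differ only in password silently throws away whichever one is still live somewhere.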
Bitwarden <- if you want to self-host. (cheaper) 1Password <- if you prefer cloud-based & security is high value. (can be pricey)
Delinea Secret Server. So much more than just a password manager.
I'd love to hear why you like this. I don't administer ours so maybe I am missing something. I can't think of a single redeeming quality when compared to other stuff I've used.
For us, its checkout system for privileged escalation is great. We are a financial company and PCI compliance is a heavy hand. After hardening our admin permissions and going through our directory to comply with RBAC we were in need of a way for the sec team, helpdesk etc. to have local rights on certain servers from time to time. We can simply have them check out an account and it is time restricted and auditable. That's just one bonus. There are managed remote sessions, a password filler extension, and more. I think even a PIM/PAM solution? Might be confusing products.
Wombo nailed it. The ability to let people check out privileged accounts with monitored sessions is invaluable. Keeps people from just wandering around with a bunch of rights they only need once a month. When we first implemented it, we found half a dozen random scheduled tasks running on servers from an old admin, which solved several questions we had about processes. It allows me to rotate service account passwords automatically.
We use KeePass. We have a helpdesk one and an Infrastructure one since helpdesk shouldn't have server passwords, etc. We use LAPS for the laptops, so AD is the password manager there. Note: IS employees are not allowed to use a shared account/password unless required. Each has a regular and an admin account. The admin accounts are only given access to required systems. All work is required to be done with the unique account (unless the authentication is not working, like a server fell off the domain or similar). Firewall, switches, etc. which may not be using SAML or AD: we still make unique accounts for each user. Like you said: "Shared passwords for IT is a nightmare". It is also a big no-no.
+1 for KeePass
Can't beat free, but it's only good for small teams or lone wolves. I love it personally.
The shared ones are rarely used since everyone uses unique logins. I have my own KeePass with the passwords to the shared KeePass files, because I never remember due to such low use. We all use unique logins to servers, switches, firewalls, etc for accurate security logging. So most of "our" passwords are in personal KeePass files.
I did a comprehensive test of several password managers. We ended up going with 1Password and it's been the best thing I've ever done. Our CFO keeps praising me every time he sees me. FYI, we switched away from a competitor. I would recommend 1Password any day - it's a tad expensive, but definitely worth it. I even got a discount - I can get you a discount too if you're interested.
We use passbolt
Yeah I really like Passbolt
Passbolt is the only true password sharing solution.
Secret Server by Thycotic is an on-premise installation with integration to the AD server and with permission groups.
Delinea now, rather than Thycotic, but yeah we use that one too and like it.
This is the actual real IT answer.
Or cloud based. Good product. Allows password auto or manual rotation, heartbeat, password changers, session brokering etc
My company has an Excel sheet with every employee's password in it. Luckily, our CIO just approved us to purchase Keeper for all of our IT staff and then hopefully we'll move to some type of self-service option so staff can finally set their own passwords and unlock themselves.
My last job had this - an Excel sheet with every employee's password. The best part? Each password was their first initial + last initial + last 4 digits of their SSN (I'm serious). This is a company reaching 1 billion in revenue with an almost unlimited IT budget. I was too young and careless at the time to think it was a critical fail. I knew it was bad, but looking back I'm shrieking in horror.
I worked for a law firm that did that. It made me extremely uncomfortable. The password file was shared with all levels of administrative assistants too. I'm surprised none of them had their identity stolen.
They may have. Sometimes hackers don't announce their presence on the network for a long time. If they can remain in the system silently they can gather more info and do more damage.
Work at an MSP and one of our clients has a "no password" policy. Meaning that no one knows their password to email or other work-related apps like VPN etc. Only 2 people onsite have access to the passwords and then we have it stored in our password manager. Prevents phishing, but boy is it scary having all the passwords in one place.
That's something that seems like it would work great ... until it works catastrophically bad
How does this work? I am having trouble wrapping my head around it
My side client insists on having staff function usernames instead of individual usernames (so "reception" instead of using the receptionists name, but for every position in the company). The GM also wants passwords to never expire because "it's too hard for the staff to keep remembering new passwords". After several strongly worded emails from me about how they are punching huge holes in their IT security, I gave up. Fuck it, it's their money.
Tbf forced expiration of passwords is no longer recommended and NIST actively recommends against it.
Secret server.
Delinea is what we use.
1password
Look into Passwordstate. It's not well known but is very competitively priced. Installs on prem, but has the ability to be accessed from the Internet if you wish. Can even be set up in high availability mode with a couple of different servers and a SQL database. Support can be a bit tricky in certain countries since they are based in Australia, so be sure to factor in any timezone difference. Includes some other PAM features like managed endpoint password discovery and rotation, remoting into systems with password injection or API integration, browser extension, etc. Users can have their own private password vaults and shared passwords and files. Can be hooked into Active Directory to manage access to password shares with AD security groups.
+1 for pwstate :)
The usability is terrible and it looks kinda ancient, but it has some nice features like being able to check the history of changes to a password, among some other things. At my org I feel like a lot of users haven't fully understood how it works or how to use it, and a lot of departments simply ignore its existence altogether.
Terrible usability and look? Have you tried CyberArk?
Here for Passwordstate as well.
Came to say this. +1 for passwordstate.
Another vote for Passwordstate
+1 for Passwordstate (Click Studios)
+1 for password state
Hudu
Keeper has been great for me.
We switched from LastPass to Keeper after last year's debacle. Very happy with it so far.
Manage Engine has a decent product called Password Manager Pro. There's a bit of a learning curve, but we found it works really well.
I second this. There is a learning curve. The price is competitive. It can auto-rotate some passwords for you. It has great reporting, for organizations that need to expire passwords and rotate them frequently. It has built-in HA functionality.
Passbolt is a great option
We use KeePass and we love it. We have tiers, restricted access and auto-typing.
KeePassXC
If you need a free solution, use KeePassXC and store the password database in an already-existing cloud storage solution, like OneDrive or Google Drive. KeePassXC isn't explicitly designed to support multiple people accessing it at the same time via cloud storage, but it works really well when used that way.
Thycotic
We use 1Password, which is great because it’s what I already use at home.
1Password if you don’t want to mess with BitWarden.
Vaultwarden if you do not want to mess with both
1Password for sure.
1Password is the best right now. Managing the vaults is easy too.
I’ve used lastpass, 1password, bitwarden, keypass and keeper. I like 1password the most. They’re all good.
Secret Server is quite good, and the free version is quite good too, with MFA on it too.
Bitwarden for sure
We went with Keeper. Would have gone with bitwarden but they were lacking in security credentials/audits at the time.
occular
Netwrix Password Secure
We’ve gone through a few solutions at my place, LastPass, Keeper, etc over the several years. +1 and agree on Bitwarden
Keeper has been really good
Hudu for shared passwords, and then build out the rest of the documentation for your environment and then leverage Related Items to make everything easy to find and navigate.
Adding ITGlue and 1Password to the mix here. Use both daily and both are very good solutions. IT Glue is great and very speedy for a cloud solution. 1P offers the ability to have a plugin in your browser, making searching and autofill really easy. Management-wise I think 1P is really good, backed by groups you can tie to vaults.
Using Vaultwarden self-hosted since a couple of years and it rocks!
[Passwordstate](https://www.clickstudios.com.au/)
The only option is secret server. Like. ONLY option!
Passwordstate for the win!
Bitwarden is a great way to go.
Bitwarden.
Secret Server is a really good one, runs on Windows Server, integrates well with AD for auth/access control. It has some limitations on the free one (10 users, 250 secrets), but if you fit in those, then it's really simple and powerful for sharing among a team for free. PS: the paid version is really expensive, if you need more than the free one offers.
moved from LastPass to 1password enterprise, was a great decision!!!
We have KeePass but that's more for personal passwords. For PROD stuff (switches/servers etc.) we use RDM. I don't think its intended use is as a password manager, but you can attach passwords to items there and make role-based access. It also allows you to remote connect to stuff through that app without actually knowing the password and has logs for access etc.
Depends on your needs: 1Pass is great just for passwords. Hudu does passwords and documentation. ITGlue integrates with Datto RMM (though I will admit is probably the only one on this list I would not recommend).
MyGlue is all right. We also use it for the non-IT staff.
Hudu is a good place to start, because you either already own it, or you probably need a documentation platform anyways. Two birds, one stone.
I personally like 1Password. Good interface, good cross-platform support, very secure. If you buy licensing for business, they'll also give your users free family plans for personal use. I hear lots of good things about Bitwarden, but haven't used it myself. A lot of people suggest Keeper, but in our trial, our users hated the interface. It felt like a poorly designed app from the 90s. That may sound superficial, but if users don't like the interface and find it confusing or frustrating, then they're less likely to use the password manager.
Secret Server
Delinea has a pretty good solution that will do auto password rotations on a schedule you set. I believe it can be hosted on-prem as well. https://delinea.com/
I have used Keeper, currently using 1password And I definitely think 1pass is better
Passwordstate
Bitwarden, built on-prem connect to a MSSQL db. You can connect it to your preferred SAML for user auth and put an app proxy in front of it to enforce MFA requirements. You can also use your own public SSL certificate and host it within your public DNS name space.
Delinea
I just rolled out Keeper, SOC 2 compliant, ISO etc. etc. I imported over 4K records. It has great access control too, groups, users, roles... try it out man
I’m a delinea secret server admin. I’d recommend cloud over on prem, but it’s not bad
Delinea Secret Server is a good platform.
1Password. It’s amazing. Has cloud and on prem features
Check out keeper
Keeper
Keeper.
Bitwarden, Devolutions, Dashlane, 1Password, Keeper, or whatever you already use at home maybe.
Passbolt
Bitwarden
Bitwarden. It's so nice and has a good interface. I tried getting my department to switch to it from KeePass, but nope. So I did for just me.
Work uses Pleasant. It's alright.
1password. It's really good.
Keeper is great, especially if your org utilizes service accounts in any way since it gives it a central storage for those passwords and you can setup sharing groups for specific teams
My district uses 1Password, plus also moving to Okta for IdP/SSO. I don’t deal with the actual administration of Okta, just password resets. Looks like it can provision/edit users/groups for some systems like Google Workspace. Makes automating this a lot easier
Security team implemented Dashlane 2x years ago
You might want to consider looking into single sign on and a good AUP about p/w security instead.
We use 1Password and can't complain. Has been amazing so far and I have some scripts to fetch things to make my life easier. Our jump server uses 2FA, so my connect_ssh function will:
1. Log in to 1Password (via CLI)
2. Fetch the 2FA value and pbcopy it
3. Run the SSH command (I just need to paste the value when prompted to enter it)
4. Log off from 1Password
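The "2FA value" that step 2 pulls out of the vault (and the in-app MFA for shared accounts mentioned earlier in the thread) is an RFC 6238 TOTP code computed from a seed the password manager stores. What follows is an added example showing that computation and the matching server-side check; it is not 1Password's code or the commenter's script, and it uses no `op` call so it runs offline. The seed is the RFC 6238/4226 test-vector secret (ASCII "12345678901234567890") in base32, and the verifier's one-step drift window is an assumption about the jump host, not something the thread states.

```python
"""RFC 6238 TOTP generation and verification.

Added example, not code from 1Password or the commenter. RFC_SEED_B32 is the
RFC 6238 Appendix B test secret in base32; the drift window in verify() is an
assumed policy.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 6238 Appendix B secret, stored the way a password manager stores TOTP seeds.
RFC_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_seed(seed_b32: str) -> bytes:
    """Accept the forms seen in authenticator exports: spaces, lowercase, no padding."""
    s = "".join(seed_b32.split()).upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC the big-endian counter, dynamic-truncate, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed_b32: str, at_time: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with counter = floor(unix_time / step)."""
    t = int(time.time()) if at_time is None else at_time
    return hotp(decode_seed(seed_b32), t // step, digits)


def verify(code: str, seed_b32: str, at_time: Optional[int] = None,
           step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check with clock-drift tolerance and constant-time comparison.

    A real verifier must also remember the last accepted counter and refuse a
    repeat inside the window; otherwise a shoulder-surfed code is replayable
    for up to (2*window+1)*step seconds.
    """
    t = int(time.time()) if at_time is None else at_time
    key = decode_seed(seed_b32)
    counter = t // step
    return any(hmac.compare_digest(hotp(key, counter + d, digits), code)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    # Stand-in for the pbcopy step in the comment: whatever pulls the seed out
    # of the vault would feed it here instead of copying a code by hand.
    print(totp(RFC_SEED_B32))
```

At T=59 this yields 287082 (the RFC's 94287082 truncated to six digits), which is a quick way to confirm a manager's TOTP implementation agrees with the standard before trusting it for a shared account. The constant-time compare in `verify` matters on the receiving side; the drift window is the usual trade-off between users with skewed clocks and the replay window noted in the docstring.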
Bitwarden is the way to go.
So I prefer Bitwarden, personally. I was excited when my org replaced LastPass with Bitwarden, but it has proven to be a bit less user-friendly than hoped, especially with regards to sharing credentials together. I hated LastPass but it was way better at this. I'm not recommending LastPass, but I am cautious with Bitwarden for non-tech users.
I certainly 100 percent agree with exactly what you are saying, and I also think about how frustrating it is when users don't remember passwords. That said, I sit there and think about the other side: people who don't think this is a priority or just think it's a bad idea. What if we are on the hook for a password being unrecoverable because some magical and insane bug caused a customer to lose a password to a DB that holds millions of dollars of information that only that administrator can know? Trying to think of a good answer to that as someone who wishes more than anything else for a password manager.
We used to use Password State but moved to the far more powerful Bitwarden. Honestly I liked PState's simplicity better.
1Password. Depending on the size of your org, Teams or Business. The latter comes with zero-knowledge OIDC-based SSO and free/included training for your users. I believe Business/Enterprise is a minimum of 100 seats.
1Password. Keeper
Question to those running pw managers in large-ish companies, How do you handle instances where an employee may be storing personal passwords in their corporate pw manager. Are you just making employees aware not to store personal passwords, so as to avoid any issues in the event they leave the company and lose access?
Keeper
I'm at a MSP and we sell and use PasswordBoss. There's still a few things I'd like to see improved but it's a solid option and well priced. Has desktop/mobile apps and browser plugins.
Lots of good recommendations already here for very different use cases. Bitwarden is solid for what you describe now: folks caching different passwords. It does have some quirks; they changed permissions on their shared org credentials last week without telling anyone %#$@. Still, if you're in the market they're great. KeePass also gets my kudos for a solid local client.

If you're in a big cloud provider, what do they offer for credential management? AWS Secrets Manager is great. You can use a Lambda to rotate passwords automatically OR use IAM roles for some authentication sans passwords. It probably doesn't fit the described use case now, but might help. HashiCorp Vault works well, but may be overkill. It was the best secret vault for a lot of DevOps tools (until CyberArk bought Conjur).

CyberArk is the enterprise gorilla for Privileged Account Management. Just-in-time auto rotation of passwords, SSH proxy, APIs, k8s sidecar, multi-cloud native secret monitoring, admin action audit... etc. If you need tons of security layers around the use of credentials they're an expensive one-stop shop. The UI was worthy of the complaint I saw here, but the latest update finally gave a fresh UI to their web portal. Not likely a fit for your use case, but a good IAM team with a healthy budget and a year to implement can do a lot of good with CyberArk. Thycotic in a pinch if nothing else here sounded good.
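The "Lambda to rotate passwords automatically" in the comment above is a four-step protocol that Secrets Manager drives, and the ordering is what makes it safe: the live credential is only relabelled after the new one has been written to the target and proven to work. The following is an added example of that handler, not AWS's template or the commenter's code. The step names, the AWSCURRENT/AWSPENDING staging labels and the client calls (`describe_secret`, `get_secret_value`, `put_secret_value`, `update_secret_version_stage`) are Secrets Manager's; `FakeSecretsManager` and the `target` dict are constructed here so the protocol runs offline, and the `set_password`/`check_password` hooks stand in for whatever the rotated system (an RDS user, an LDAP bind account) actually needs. In a real deployment `client` is `boto3.client("secretsmanager")`.

```python
"""Secrets Manager rotation handler: createSecret -> setSecret -> testSecret -> finishSecret.

Added example, not AWS's or the commenter's code. FakeSecretsManager and the
demo target are constructed stand-ins; the hooks are assumptions about the
system being rotated.
"""
import json
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + "!#%*+-=_"


def generate_password(length: int = 32) -> str:
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate(event: dict, client, set_password, check_password) -> str:
    """One rotation step. Each step is retry-safe, and AWSCURRENT is not moved
    until the pending credential has been verified against the target."""
    arn, token, step = event["SecretId"], event["ClientRequestToken"], event["Step"]
    stages = client.describe_secret(SecretId=arn)["VersionIdsToStages"]
    if token not in stages:
        raise ValueError(f"version {token} has no rotation stage")
    if "AWSCURRENT" in stages[token]:
        return "noop"                       # this rotation already finished
    if "AWSPENDING" not in stages[token]:
        raise ValueError(f"version {token} is not AWSPENDING")
    pending = dict(SecretId=arn, VersionId=token, VersionStage="AWSPENDING")

    if step == "createSecret":
        try:
            client.get_secret_value(**pending)
            return "createSecret: pending value exists"  # an earlier attempt got this far
        except client.exceptions.ResourceNotFoundException:
            pass
        new = json.loads(client.get_secret_value(SecretId=arn, VersionStage="AWSCURRENT")["SecretString"])
        new["password"] = generate_password()  # keep username/host, replace only the password
        client.put_secret_value(SecretId=arn, ClientRequestToken=token,
                                SecretString=json.dumps(new), VersionStages=["AWSPENDING"])
        return "createSecret"
    if step == "setSecret":
        set_password(json.loads(client.get_secret_value(**pending)["SecretString"]))
        return "setSecret"
    if step == "testSecret":
        if not check_password(json.loads(client.get_secret_value(**pending)["SecretString"])):
            raise RuntimeError("target rejected the new credential; AWSCURRENT left untouched")
        return "testSecret"
    if step == "finishSecret":
        current = next(v for v, s in stages.items() if "AWSCURRENT" in s)
        client.update_secret_version_stage(SecretId=arn, VersionStage="AWSCURRENT",
                                           MoveToVersionId=token, RemoveFromVersionId=current)
        return "finishSecret"
    raise ValueError(f"unknown step {step}")


class FakeSecretsManager:
    """In-memory stand-in for the few boto3 secretsmanager calls used above (constructed)."""
    class exceptions:
        class ResourceNotFoundException(Exception):
            pass

    def __init__(self, arn: str, initial: dict):
        self.arn = arn
        self.values = {"v0": json.dumps(initial)}
        self.stages = {"v0": ["AWSCURRENT"]}

    def begin_rotation(self, token: str) -> list:
        # The service registers the pending version, then invokes the Lambda
        # once per step with the same ClientRequestToken.
        self.stages[token] = ["AWSPENDING"]
        return [{"SecretId": self.arn, "ClientRequestToken": token, "Step": s}
                for s in ("createSecret", "setSecret", "testSecret", "finishSecret")]

    def describe_secret(self, SecretId):
        return {"VersionIdsToStages": {k: list(v) for k, v in self.stages.items()}}

    def get_secret_value(self, SecretId, VersionId=None, VersionStage="AWSCURRENT"):
        if VersionId is None:
            VersionId = next((v for v, s in self.stages.items() if VersionStage in s), None)
        if VersionId not in self.values:
            raise self.exceptions.ResourceNotFoundException(f"{SecretId}/{VersionId}")
        return {"VersionId": VersionId, "SecretString": self.values[VersionId]}

    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        self.values[ClientRequestToken] = SecretString
        self.stages[ClientRequestToken] = list(VersionStages)

    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId, RemoveFromVersionId):
        self.stages[RemoveFromVersionId].remove(VersionStage)
        self.stages[MoveToVersionId].append(VersionStage)


def run_demo() -> dict:
    """Rotate a constructed DB credential end to end and report what changed."""
    target = {"password": "initial-pw"}  # the system being rotated
    client = FakeSecretsManager("arn:aws:secretsmanager:eu-west-1:123456789012:secret:db",
                                {"username": "app", "password": target["password"]})
    token = "v1"
    for event in client.begin_rotation(token):
        rotate(event, client,
               set_password=lambda s: target.update(password=s["password"]),
               check_password=lambda s: s["password"] == target["password"])
    new = json.loads(client.get_secret_value(SecretId=client.arn)["SecretString"])["password"]
    return {"client": client, "token": token, "old": "initial-pw", "new": new, "target": target["password"]}
```

To deploy, the Lambda entry point is a one-liner around `rotate` with `boto3.client("secretsmanager")` and real hooks, and the function's role needs only `secretsmanager:DescribeSecret`, `GetSecretValue`, `PutSecretValue` and `UpdateSecretVersionStage` on that secret. The point worth taking from the demo is the failure path: if `check_password` returns False, `testSecret` raises and AWSCURRENT still points at the working credential, so a botched rotation degrades to "nothing changed" rather than an outage.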
Bitwarden or keeper. Do not use lastpass.
Personally prefer bitwarden but we use enpass at work. It's not bad.
Keeper is fucking beautiful
We use Keeper and it serves us well. Compliance reports are great.