I work for a large (~10k) organization that obviously interacts with a number of different systems/applications on a daily basis. The average employee likely has 10-20 (hopefully) different sets of credentials that they must maintain and update as necessary - I can only imagine there are a variety of Password, Password1, Password12 combinations in use.
I'm curious if anyone has experience with an enterprise/corporate level password manager. Ideally, it would be tied to the user's AD profile so when they log in to Windows they would just need to enter their master password and it would integrate with the browser to prefill passwords just like 1Password, or BitWarden.
Looking at 1Password's website, it's 7.99 USD per user/month which gets very pricey with 10k users. I'm curious what other folks on HN are using. I appreciate your feedback!
by majewsky on 6/1/22, 1:47 PM
> The average employee likely has 10-20 (hopefully) different sets of credentials that they must maintain and update as necessary
That's your red flag right there. All identities that are tied to individual people should be connected to SSO in some way, then there will be no juggling of passwords at all on the individual-person level. Then you only need some 2FA solution on top in your identity provider, for instance TOTP or FIDO, and you're all set. (Corollary: If at all possible, only pick external services that can plug into your company's own SSO.)
For credentials not tied to individual people, e.g. root passwords on devices, my org uses HashiCorp Vault, and we're mostly satisfied with it. It's a bit of a struggle to configure the policies so that each group of (human/technical) users only has access to the secrets that they actually need, but I won't put the blame for that on Vault.
by viraptor on 6/1/22, 1:09 PM
> gets very pricey with 10k users
With that many users you don't pay the advertised prices. You schedule a call and they make sure you get an affordable offer.
> The average employee likely has 10-20 (hopefully) different sets of credentials that they must maintain and update as necessary
Time for azure, auth0, okta, or some other sso provider to just get rid of the passwords?
by muzani on 6/1/22, 1:14 PM
LastPass is great. We can share credentials and secrets through it. There's a feature where you can even share the login to a site on it, but they can't view the password - only lastpass can fill it up.
by swozey on 6/1/22, 2:11 PM
I've used 1password at my last two companies and I wouldn't go back to anything but maybe Bitwarden, which is practically a 1p clone. Last time I used Bitwarden it didn't work with either my Macos fingetprint reader or face unlock, I forget. It was an electron limitation IIRC, and this was years ago.
I don't face any annoyances sharing passwords with 1pass like I used to with lastpass, secretserver, etc. It's a smooth experience all the way.
by raxxorraxor on 6/1/22, 12:59 PM
Not the organization as a whole, but some small teams use them. We use KeePass for most important passwords and API-keys. The master password is a prefix and a part from personalized Yubikeys for each member accessing the store.
A larger org would probably need a manager with extended access management, I am not sure if KeePass has such features yet. I think BitWarden does have an extended AD integration, but I am not sure if it is just to import users initially or if you can use AD authentication to access the key manager itself.
by Raed667 on 6/1/22, 1:45 PM
If you're signing up 10k users. I'm sure the pricing for 1Password won't be 7.99.
Alternatively, have your tried SSO'ing everything?
by AnIdiotOnTheNet on 6/1/22, 1:19 PM
We don't have use a password manager for most users, but for those with access to many and varied accounts (like IT and anyone dealing with social media) we use VaultWarden, which is a FOSS re-implementation of BitWarden. We don't do any browser or AD integration though.
by throw457 on 6/1/22, 12:53 PM
A table in confluence with clear text passwords :(
by Apreche on 6/1/22, 2:06 PM
If your company has that many users why not self-host some open source solution like KeePassXC. The cost for having your IT employees host and manage it is probably less than the cost of a commercial product, even after negotiating a special contract with them.
Of course, the UX of the free solution will never compete with the commercial solutions. If you want that, you have to pay.
by jitix on 6/1/22, 2:17 PM
Yeah, everything shared is on 1password. Everything else is Okta with 2FA. But the authentication flow is made very simple so you don't get frustrated.
My personal benefit was that the convenience of using password managers finally pushed me to use Bitwarden+2FA on all my personal devices.
by Zababa on 6/1/22, 1:22 PM
We use Passwordstate. It's the slowest password manager I've ever used by a large margin, and one of the slowest websites I've ever used period. I don't know if it's inherent to the application or if it's how it's deployed for us.
by ashton314 on 6/1/22, 1:42 PM
We use Keeper, and I hate the UX. Would much rather use 1Password or BitWarden, but alas, the IT powers that be have spoken. Better than nothing. We do share creds through it, so that’s nice.
by sdfhbdf on 6/1/22, 2:17 PM
I think what you should be looking for is a Single Sign-on solution that integrates with your different systems and applications. It's a necessity when trying to have audit logs and proper and secure onboarding and offboarding solutions.
Things like Okta, OneLogin, GCP, AWS, Auth0 or Keycloak (self-hosted). A lot of products nowaday offers SSO integrations but often unfortunately at the highest tiers - see https://sso.tax/
by scrollinondubs on 6/1/22, 2:18 PM
Passbolt is a great open source option:
https://www.passbolt.com/ It has the team collaboration functionality and is free & OSS. We run it on Digital Ocean via Docker. Once you get it working it's pretty fantastic- it has a Chrome/Brave extension that works just like 1Password and LastPass for auto-filling credentials. Highly recommend.
by TowerTall on 6/2/22, 11:31 AM
by naveensky on 6/1/22, 1:49 PM
You could possibly host
https://www.passbolt.com/ on your own servers and reduce the cost for your org.
I am sure, 1Password will be more than happy to offer you a discounted rate
by kevinherron on 6/1/22, 1:03 PM
Our company uses LastPass.
I don't know if AD integration is available. Ours is federated so that if you are logged into Google Chrome / Workspace then you are also logged into the LastPass plugin.
by sys_64738 on 6/1/22, 5:08 PM
Postit notes stuck to the monitor. For security purposes I make sure to not say which password is for which account.
by aborsy on 6/2/22, 12:12 PM
Could a central directory for Gpg keys, accessed via Pass/Yubikey, be a solution?
How about AWS KMS?
by cp9 on 6/1/22, 2:29 PM
we have a corporate 1pass account and I have a personal lastpass account. we use okta for SSO but 1pass is still absolutely essential IMO. I need to keep track of lots of secrets that aren't in okta (eg gitlab tokens and stuff like that).
by Karawebnetwork on 6/1/22, 2:12 PM
We used Okta (SSO) for a long time which is $2 per users afaik.
by haolez on 6/1/22, 2:48 PM
Yes. BitWarden.
by coffeedan on 6/2/22, 1:13 AM
Yes