Ask HN: Does your org use a password keeper?
23 points by ng-user on June 1, 2022 | hide | past | favorite | 71 comments
I work for a large (~10k) organization that obviously interacts with a number of different systems/applications on a daily basis. The average employee likely has 10-20 (hopefully) different sets of credentials that they must maintain and update as necessary - I can only imagine there are a variety of Password, Password1, Password12 combinations in use.

I'm curious if anyone has experience with an enterprise/corporate level password manager. Ideally, it would be tied to the user's AD profile so when they log in to Windows they would just need to enter their master password and it would integrate with the browser to prefill passwords just like 1Password, or BitWarden.

Looking at 1Password's website, it's 7.99 USD per user/month which gets very pricey with 10k users. I'm curious what other folks on HN are using. I appreciate your feedback!




> The average employee likely has 10-20 (hopefully) different sets of credentials that they must maintain and update as necessary

That's your red flag right there. All identities that are tied to individual people should be connected to SSO in some way, then there will be no juggling of passwords at all on the individual-person level. Then you only need some 2FA solution on top in your identity provider, for instance TOTP or FIDO, and you're all set. (Corollary: If at all possible, only pick external services that can plug into your company's own SSO.)

For credentials not tied to individual people, e.g. root passwords on devices, my org uses HashiCorp Vault, and we're mostly satisfied with it. It's a bit of a struggle to configure the policies so that each group of (human/technical) users only has access to the secrets that they actually need, but I won't put the blame for that on Vault.


Easier said than done.

We rely on all kinds of industry-specific applications that only support username/password (and SMS OTP if we're lucky). After that, there are a bunch of services that do offer SSO but only if you pay stupid money. For example, we spend about $100/month on Twilio but their SSO plan starts at $15k/month.


This is nice until you consider the network effects. People can often get away with the $5/user/month plan, until they need SSO, in which case it always becomes $30k a year.

SSO seems like the only way SaaS companies can make money, and what this HN post tells me is that even enterprises with 10k employees (!) still find that to be a little out of their price range. The state of the industry is kind of crazy, but that's why people are looking for an enterprise 1password account. Cheaper to pay them once than to pay 1000% markup on every SaaS you use.


Sorry should have clarified - we are a government organization that interacts with a number of other government agencies. It's simply not feasible for us to implement SSO for all of our own internal applications (many different units/teams), let alone the external apps/systems we are consumers of.


Not all SaaS apps support SSO. We use 1password for those that don't.


Then don't give your business to them. Let them very clearly know "we will not purchase your services until you support SSO at a reasonable price". Otherwise they'll never learn.


I think you're greatly overestimating the influence IT departments have over purchasing decisions at large companies. Not only does management rarely consider their input, it's common for IT departments to simply be told "oh, by the way we just bought X, get it running."


This is somewhat of a pipe dream.

Orgs should support what people do.


I'll try that reasoning with my PCI/DSS auditors next time. Let's see what they think about that.

If you think I'm being hyperbolic, I'm not. Our org has recently gone through a PCI/DSS audit, and there was a lot of frustration about the amount of required changes with regards to locking down access policies, tracking suspicious activity, enforcing 2FA and such, but most of the stuff that I saw change was stuff that feels like it really should be entirely obligatory in the first place.

There is a great tradition in IT to teach yourselves using free (as well as free-of-charge) software, but when you're in the business of IT, there should be much stricter regulation. If you're a civil engineer and the bridge you design collapses because you did your math wrong, you are criminally liable for the damage. But if you're a software "architect" and you negligently put an instance of database-du-jour on the internet without proper access controls or a vulnerability tracking process, you most often get away by just saying "whoopsie-daisy" and giving a flimsy apology to the millions of customers that had their personal data stolen. Worst case scenario, you get a fee of a few percent of your earnings. That has to end.


I'm not certain why any of that is at odds with providing secure secret management to employees.

It's already a part of secret management for machines in secure cloud environments.


> gets very pricey with 10k users

With that many users you don't pay the advertised prices. You schedule a call and they make sure you get an affordable offer.

> The average employee likely has 10-20 (hopefully) different sets of credentials that they must maintain and update as necessary

Time for azure, auth0, okta, or some other sso provider to just get rid of the passwords?


I'm really not cut out to work for a big corporation.

Even if they charged $0.50 per user, that would be $5k/month. I could go as a consultant and charge half of that to set up vaultwarden integrated with their AD for maybe 2 lazy days, and offer a support contract for $500/month. It's not even that much of a rare skill. I'd guess you could randomly select /r/selfhosted users and I'd give 10% odds of finding someone who has done it already and would even offer to do it for less.

Yet, I think that most managers would simply prefer to go through all the negotiation meetings, all the internal procurement process just so they can justify the big boy expenses.


> I could go as a consultant and charge half of that to set up vaultwarden integrated with their AD for maybe 2 lazy days

That's a very simplistic view of how it works in even a medium sized real company. Google SSO is already available for many external services you might use which is a lot easier to integrate than doing and maintaining something yourself. Especially because if there's an issue it's blocking everyone in the company at the same time. It makes sense to outsource that if it's not your core business.


I am talking specifically for the case of OP: a big company with 10k users that already has AD.

You are arguing a strawman.


While I don't disagree with the gist of your idea (it can be cheaper in-house), I believe you're underestimating the ongoing support cost. At 10k users, it will become a part time support position to manage the solution, handle credential resets, write and update documentation, handle all client side problems, maintain ongoing ad / account integration and browser plugins, deal with any security certification required for services in your corp, comply with backup/data retention rules, etc.

You're saying $500/mth, but my response would be: this is half a full time IT support position and it needs a secondary + on-call cover.


IMO, 1Password has much much better UX than Vaultwarden has. So you definitely get something for the money.


That's the other part that breaks my lizard brain.

We are talking about $5k/month vs $500. If the UX of the FOSS version is lacking, pay for the closed version BUT throw $1000/month in the direction of the FOSS developers until the issues are mitigated and they satisfy your requirements. I can bet that in less than a year you'd be able to make a switch and the investment would pay for itself.


> BUT throw $1000/month in the direction of the FOSS developers until the issues are mitigated and they satisfy your requirements

This is not at all an easy thing to guarantee even if you’re willing to spend the money. The FOSS developers might not be interested in doing this work (even for pay) nor have UX staff.


Do you have any idea how much "developer power" you can buy with $1000/month, if you just look in the right places?

So many talented people working for that money or less in São Paulo, Buenos Aires or Hanoi, it would be worth it to give it a shot even if they just worked part-time.


Right, but then you need to trust them to maintain a fork of vaultwarden or hope that vaultwarden accepts their patches.


Third option: the team looks at the work from someone who is outside and brings them in to do the things that the team is not interested in doing.

In all three cases, though, it sends a signal that there is demand for the changes. This works as both validation for the developers (our users want this so much they are paying someone else to do it) and also for other companies (oh, why should we be paying this much for a closed-source service if we can pay a fraction of the price to get a reasonably-well-supported open source version?)


(Most) managers hate meetings just as much as you, and they're not wasting money for the fun of it. Every technical manager has inherited problems because someone at some point tried to save money by hiring a random dude on the cheap who just half-assed it.

You go with companies that can demonstrate scalability because they provide project governance, proper change management, and layers of redundancy and support in the event of an emergency.


When I was working at Deutsche Telekom, I actually heard the CIO from a German Bank say they "were not interested in our (Chromebook-like) solution, because if adopted it will be a lot cheaper than their current windows licenses and that would mean he would lose his budget in 2 years".

Also, the idea that someone charging $2k for two days of work is considered "doing it on the cheap" is almost offensive.


Relative to the enterprise vendor, that is very much on the cheap. I wasn't placing any value on your work, I was referring to the ubiquitous "I know a guy" cost cutting solutions that end up somehow being very, very expensive in the end.


I didn't mean offensive to me, the offensive part is to think as a shareholder or a taxpayer hearing that this kind of problem actually warrants so much money.

I know that people can come up with many perfectly reasonable justifications to spend this much on a service, but to someone like me who grew up in a poor country dealing with recession and austerity policies, it's hard to see these things and not think "surely we can achieve the same results spending less?"


Even with bulk pricing, the current enterprise providers are quite expensive. I'm a YC founder working with some others on a solution to this that brings the cost way down. If you're interested, send me a quick email and I'm happy to share what we've learned.


LastPass is great. We can share credentials and secrets through it. There's a feature where you can even share the login to a site on it, but they can't view the password - only lastpass can fill it up.


Can't really agree with that. For me, LastPass is a huge annoyance (it wants to fill in passwords on pages that these passwords definitely don't belong to, and it prompts you to save passwords over and over again with no "don't save passwords on this page" checkbox), and its UI is not really good either (e.g. the floating "+" icon in the vault - if you want to create a new folder you have to hover over it, for other items, you have to click it. Also, neither of these functions is available in the context menu - huh?!). And don't get me started about the "feature" of letting users use passwords, but not see them - security by obscurity anyone?


It's as much of a pain as you make it. For me, if I keep it well organized, I basically just forget that I have to log in to things at work; I just click them and I'm in, or I navigate and it's filled.

I can see how it might not be the solution you want for home, but at work I'm just trying to get things done, and that unfortunately involves a large number of passwords that can't easily be federated into an SSO like Okta because they span businesses, clients and companies. I don't understand the hate for LastPass; for me it just works (tm).


I think the hate mostly comes out of being forced to use a solution and then being annoyed because it tries to force itself onto you. Yes, I confess, when I'm waiting for an important email I sometimes check private emails on my work laptop, and I would love to be able to just tell LastPass to not prompt me to save the credentials for my email provider into my company account, but it's simply not possible, and then the repeated "helpful" save password prompts annoy the hell out of me...


LastPass is terrible if you want to use it for automation. There is no official support for the CLI interface (it's a community project), and it does not work on Windows by default (you'd need to install cygwin on every single server you wish to use the CLI, as opposed to a simple `winget install --name LastPass.CLI`). I cannot recommend that anyone use this product for enterprise use, especially for internal IT use.


Are there password managers that do that better?


> There's a feature where you can even share the login to a site on it, but they can't view the password - only lastpass can fill it up.

Prime example of Lastpass security theater - what exact problem did they think this feature solved?


People easily copying and pasting the password into a chat app to quickly share it with Greg from finance asking if he could just quickly log into the app even though he's not really supposed to?

Sure, it's not too hard to get around that feature; you could just inject your own JavaScript on the page to dump the contents of the password field. But it does block the low-hanging fruit of the millions of users who don't know how to do that, who might abuse having access to the password because they don't really know better.

In essence, it helps to prevent those users who don't know better from leaking the password to places it shouldn't be. Obviously it doesn't prevent people who know how to get around it from getting around that protection, but in those circumstances you shouldn't really be sharing your password with someone who will abuse your trust.


The people likely to do such things counter to security are going to click phishing links, install malware and misuse their company devices anyway. Their problem is not technological in nature to solve - it is personal and behavioral. I call it theater because it doesn't significantly improve the security posture and maturity, while making both the user and administrator feel tough and hardened.


> The people likely to do such things counter to security are going to click phishing links, install malware and misuse their company devices anyway.

Are you arguing that because they might make mistakes elsewhere we shouldn't bother putting any barriers up to them breaking policy, and that the only thing we should do is more training? I'd argue both things should be done. I do agree preventing LastPass from directly exposing the password isn't a very strong protection, but let's not act like it doesn't prevent any kind of password abuse. Sure, users should be more trained, but we should also create more barriers to prevent them from shooting off their toes.

It almost sounds like an argument to get rid of barriers on highways. Drivers should just know to not drive off the cliff; if people are driving off the highway clearly all we need to do is train them more. Barriers are just safety theater, people might still end up driving off the cliff if they try hard enough!

You asked for a use case for this feature and I gave you a use case that happens all the time, and which such a feature prevents for a large percentage of those users. You'd need someone determined to break the policy to dump the password and share it someplace they shouldn't, as opposed to someone doing it without thinking "is this against policy? shrug".


Not having to rotate shared passwords after an employee leaves I suppose?


I think parent is referring to the idea that it's not a problem for a technically inclined person, when the extension is filling out the password, to inspect the password HTML element and "see" it. Other options would include sniffing network traffic in your browser or replacing DNS with a self-hosted website with a form under the same domain to trick the extension into filling in a form on a website you control (since they match based on the typed-in domain).


> There's a feature where you can even share the login to a site on it, but they can't view the password - only lastpass can fill it up.

Is there anything that stops someone from letting LastPass fill the field, then using the browser tools to change the form field from `password` to `text`?


Even easier: let LastPass fill in the password in Chrome, save it with the browser's function, view it in the browser settings.


We use LastPass and I hate it.


Specifically: the constant (and impossible to disable) installation of the Safari extension, and the hideous use of space / user layout.


My org also uses LastPass


I've used 1password at my last two companies and I wouldn't go back to anything but maybe Bitwarden, which is practically a 1p clone. Last time I used Bitwarden it didn't work with either my macOS fingerprint reader or face unlock, I forget which. It was an Electron limitation IIRC, and this was years ago.

I don't face any annoyances sharing passwords with 1pass like I used to with lastpass, secretserver, etc. It's a smooth experience all the way.


Not the organization as a whole, but some small teams use them. We use KeePass for the most important passwords and API keys. The master password is a prefix plus a part from personalized Yubikeys for each member accessing the store.

A larger org would probably need a manager with extended access management, I am not sure if KeePass has such features yet. I think BitWarden does have an extended AD integration, but I am not sure if it is just to import users initially or if you can use AD authentication to access the key manager itself.


If you're signing up 10k users, I'm sure the pricing for 1Password won't be 7.99.

Alternatively, have you tried SSO'ing everything?


We don't use a password manager for most users, but for those with access to many and varied accounts (like IT and anyone dealing with social media) we use VaultWarden, which is a FOSS re-implementation of BitWarden. We don't do any browser or AD integration though.


This is great! I didn't know this existed, but it looks like for self-hosting this is a much better solution than BitWarden proper (as it is lighter). This shall go on my synology.


VaultWarden is fantastic! It's super, super light and fast (Rust + sqlite) and happily runs on my Raspberry Pi 4 4GB in docker alongside 8 other containers. And if that wasn't good enough, all the 'premium' BitWarden features are also unlocked (organisations, etc.) in VaultWarden.


Been running it for years with a mariadb database. It's rock solid and they keep up well with the mainline features.


A table in confluence with clear text passwords :(


If your company has that many users, why not self-host some open source solution like KeePassXC? The cost of having your IT employees host and manage it is probably less than the cost of a commercial product, even after negotiating a special contract with them.

Of course, the UX of the free solution will never compete with the commercial solutions. If you want that, you have to pay.


Yeah, everything shared is on 1password. Everything else is Okta with 2FA. But the authentication flow is made very simple so you don't get frustrated.

My personal benefit was that the convenience of using password managers finally pushed me to use Bitwarden+2FA on all my personal devices.


We use Passwordstate. It's the slowest password manager I've ever used by a large margin, and one of the slowest websites I've ever used period. I don't know if it's inherent to the application or if it's how it's deployed for us.


I left an organisation that used passwordstate, it's ridiculously slow. Glad I left that behind me. AFAIK it's very profitable for the owner but it's pretty rare to see in the wild so I must ask.

Do you work at TechnologyOne? :-P


I don't work at TechnologyOne, but I'm somewhat glad to know that it's slow everywhere and not just for us!


We use Keeper, and I hate the UX. Would much rather use 1Password or BitWarden, but alas, the IT powers that be have spoken. Better than nothing. We do share creds through it, so that’s nice.


Yup. I was going to write the same comment.


I think what you should be looking for is a Single Sign-on solution that integrates with your different systems and applications. It's a necessity when trying to have audit logs and proper and secure onboarding and offboarding solutions.

Things like Okta, OneLogin, GCP, AWS, Auth0 or Keycloak (self-hosted). A lot of products nowadays offer SSO integrations, but often unfortunately only at the highest tiers - see https://sso.tax/


Passbolt is a great open source option: https://www.passbolt.com/ It has the team collaboration functionality and is free & OSS. We run it on Digital Ocean via Docker. Once you get it working it's pretty fantastic - it has a Chrome/Brave extension that works just like 1Password and LastPass for auto-filling credentials. Highly recommend.


Yes, we use Secret Server, which works very well and we are happy with it: https://thycotic.com/products/secret-server/


You could possibly host https://www.passbolt.com/ on your own servers and reduce the cost for your org.

I am sure 1Password will be more than happy to offer you a discounted rate.


Our company uses LastPass.

I don't know if AD integration is available. Ours is federated so that if you are logged into Google Chrome / Workspace then you are also logged into the LastPass plugin.


Post-it notes stuck to the monitor. For security purposes I make sure to not say which password is for which account.


Could a central directory for GPG keys, accessed via Pass/Yubikey, be a solution?

How about AWS KMS?


We have a corporate 1pass account and I have a personal LastPass account. We use Okta for SSO, but 1pass is still absolutely essential IMO. I need to keep track of lots of secrets that aren't in Okta (e.g. GitLab tokens and stuff like that).


We used Okta (SSO) for a long time, which is $2 per user AFAIK.


What did you move to after Okta?


I do not feel comfortable disclosing the SSO service, but one of the Big Corps ones.


Yes. BitWarden.


Yes

