I work for a large (~10k) organization that obviously interacts with a number of different systems/applications on a daily basis. The average employee likely has 10-20 (hopefully) different sets of credentials that they must maintain and update as necessary - I can only imagine there are a variety of Password, Password1, Password12 combinations in use.
I'm curious if anyone has experience with an enterprise/corporate level password manager. Ideally, it would be tied to the user's AD profile so when they log in to Windows they would just need to enter their master password and it would integrate with the browser to prefill passwords just like 1Password, or BitWarden.
Looking at 1Password's website, it's 7.99 USD per user/month which gets very pricey with 10k users. I'm curious what other folks on HN are using. I appreciate your feedback!
That's your red flag right there. All identities that are tied to individual people should be connected to SSO in some way, then there will be no juggling of passwords at all on the individual-person level. Then you only need some 2FA solution on top in your identity provider, for instance TOTP or FIDO, and you're all set. (Corollary: If at all possible, only pick external services that can plug into your company's own SSO.)
For credentials not tied to individual people, e.g. root passwords on devices, my org uses HashiCorp Vault, and we're mostly satisfied with it. It's a bit of a struggle to configure the policies so that each group of (human/technical) users only has access to the secrets that they actually need, but I won't put the blame for that on Vault.