Ask HN: Does your org use a password keeper?

23 points by ng-user 3 years ago | 71 comments
I work for a large (~10k) organization that obviously interacts with a number of different systems/applications on a daily basis. The average employee likely has 10-20 (hopefully) different sets of credentials that they must maintain and update as necessary - I can only imagine there are a variety of Password, Password1, Password12 combinations in use.

I'm curious if anyone has experience with an enterprise/corporate level password manager. Ideally, it would be tied to the user's AD profile so when they log in to Windows they would just need to enter their master password and it would integrate with the browser to prefill passwords just like 1Password, or BitWarden.

Looking at 1Password's website, it's 7.99 USD per user/month which gets very pricey with 10k users. I'm curious what other folks on HN are using. I appreciate your feedback!

  • majewsky 3 years ago
    > The average employee likely has 10-20 (hopefully) different sets of credentials that they must maintain and update as necessary

    That's your red flag right there. All identities that are tied to individual people should be connected to SSO in some way, then there will be no juggling of passwords at all on the individual-person level. Then you only need some 2FA solution on top in your identity provider, for instance TOTP or FIDO, and you're all set. (Corollary: If at all possible, only pick external services that can plug into your company's own SSO.)

    For credentials not tied to individual people, e.g. root passwords on devices, my org uses HashiCorp Vault, and we're mostly satisfied with it. It's a bit of a struggle to configure the policies so that each group of (human/technical) users only has access to the secrets that they actually need, but I won't put the blame for that on Vault.

    • cameronh90 3 years ago
      Easier said than done.

      We rely on all kinds of industry-specific applications that only support username/password (and SMS OTP if we're lucky). After that, there are a bunch of services that do offer SSO but only if you pay stupid money. For example, we spend about $100/month on Twilio but their SSO plan starts at $15k/month.

      • jrockway 3 years ago
        This is nice until you consider the network effects. People can often get away with the $5/user/month plan, until they need SSO, in which case it always becomes $30k a year.

        SSO seems like the only way SaaS companies can make money, and what this HN post tells me is that even enterprises with 10k employees (!) still find that to be a little out of their price range. The state of the industry is kind of crazy, but that's why people are looking for an enterprise 1password account. Cheaper to pay them once than to pay 1000% markup on every SaaS you use.

        • ng-user 3 years ago
          Sorry should have clarified - we are a government organization that interacts with a number of other government agencies. It's simply not feasible for us to implement SSO for all of our own internal applications (many different units/teams), let alone the external apps/systems we are consumers of.
          • ams92 3 years ago
            Not all SaaS apps support SSO. We use 1password for those that don't.
            • majewsky 3 years ago
              Then don't give your business to them. Let them very clearly know "we will not purchase your services until you support SSO at a reasonable price". Otherwise they'll never learn.
              • PowerBar 3 years ago
                I think you're greatly overestimating the influence IT departments have over purchasing decisions at large companies. Not only does management rarely consider their input, it's common for IT departments to simply be told "oh, by the way we just bought X, get it running."
            • iovrthoughtthis 3 years ago
              this is somewhat of a pipe dream

              orgs should support what people do

              • majewsky 3 years ago
                I'll try that reasoning with my PCI/DSS auditors next time. Let's see what they think about that.

                If you think I'm being hyperbolic, I'm not. Our org has recently gone through a PCI/DSS audit, and there was a lot of frustration about the amount of required changes with regards to locking down access policies, tracking suspicious activity, enforcing 2FA and such, but most of the stuff that I saw change was stuff that feels like it really should be entirely obligatory in the first place.

                There is a great tradition in IT to teach yourselves using free (as well as free-of-charge) software, but when you're in the business of IT, there should be much stricter regulation. If you're a civil engineer and the bridge you design collapses because you did your math wrong, you are criminally liable for the damage. But if you're a software "architect" and you negligently put an instance of database-du-jour on the internet without proper access controls or a vulnerability tracking process, you most often get away by just saying "whoopsie-daisy" and giving a flimsy apology to the millions of customers that had their personal data stolen. Worst case scenario, you get a fee of a few percent of your earnings. That has to end.

                • iovrthoughtthis 3 years ago
                  I'm not certain why any of that is at odds with providing secure secret management to employees

                  it's already a part of secret management for machines in secure cloud environments

            • viraptor 3 years ago
              > gets very pricey with 10k users

              With that many users you don't pay the advertised prices. You schedule a call and they make sure you get an affordable offer.

              > The average employee likely has 10-20 (hopefully) different sets of credentials that they must maintain and update as necessary

              Time for azure, auth0, okta, or some other sso provider to just get rid of the passwords?

              • rglullis 3 years ago
                I'm really not cut out to work for a big corporation.

                Even if they charged $0.50 per user, that would be $5k/month. I could go as a consultant and charge half of that to set up Vaultwarden integrated with their AD for maybe 2 lazy days, and offer a support contract for $500/month. It's not even that much of a rare skill. I'd guess you could randomly select /r/selfhosted users and I'd give 10% odds of finding someone who has done it already and would even offer to do it for less.

                Yet, I think that most managers would simply prefer to go through all the negotiation meetings, all the internal procurement process just so they can justify the big boy expenses.

                • dewey 3 years ago
                  > I could go as a consultant and charge half of that to setup vaultwarden integrated with their AD for maybe 2 lazy days

                  That's a very simplistic view of how it works in even a medium sized real company. Google SSO is already available for many external services you might use which is a lot easier to integrate than doing and maintaining something yourself. Especially because if there's an issue it's blocking everyone in the company at the same time. It makes sense to outsource that if it's not your core business.

                  • rglullis 3 years ago
                    I am talking specifically for the case of OP: a big company with 10k users that already has AD.

                    You are arguing a strawman.

                  • viraptor 3 years ago
                    While I don't disagree with the gist of your idea (it can be cheaper in-house), I believe you're underestimating the ongoing support cost. At 10k users, it will become a part time support position to manage the solution, handle credential resets, write and update documentation, handle all client side problems, maintain ongoing ad / account integration and browser plugins, deal with any security certification required for services in your corp, comply with backup/data retention rules, etc.

                    You're saying $500/mth, but my response would be: this is half a full time IT support position and it needs a secondary + on-call cover.

                    • cpach 3 years ago
                      IMO, 1Password has much much better UX than Vaultwarden has. So you definitely get something for the money.
                      • rglullis 3 years ago
                        That's the other part that breaks my lizard brain.

                        We are talking about $5k/month vs $500. If the UX of the FOSS version is lacking, pay for the closed version BUT throw $1000/month on the direction of the FOSS developers until the issues are mitigated and they satisfy your requirements. I can bet that in less than a year you'd be able to make a switch and the investment would pay itself.

                      • dtjb 3 years ago
                        (Most) managers hate meetings just as much as you, and they're not wasting money for the fun of it. Every technical manager has inherited problems because someone at some point tried to save money by hiring a random dude on the cheap who just half assed it.

                        You go with companies that can demonstrate scalability because they provide project governance, proper change management, and layers of redundancy and support in the event of an emergency.

                        • rglullis 3 years ago
                          When I was working at Deutsche Telekom, I actually heard the CIO from a German Bank say they "were not interested in our (Chromebook-like) solution, because if adopted it will be a lot cheaper than their current windows licenses and that would mean he would lose his budget in 2 years".

                          Also, the idea that someone charging $2k for two days of work is considered "doing it on the cheap" is almost offensive.

                      • nugget 3 years ago
                        Even with bulk pricing, the current enterprise providers are quite expensive. I'm a YC founder working with some others on a solution to this that brings the cost way down. If you're interested, send me a quick email and I'm happy to share what we've learned.
                      • muzani 3 years ago
                        LastPass is great. We can share credentials and secrets through it. There's a feature where you can even share the login to a site on it, but they can't view the password - only lastpass can fill it up.
                        • rob74 3 years ago
                          Can't really agree with that. For me, LastPass is a huge annoyance (it wants to fill in passwords on pages that these passwords definitely don't belong to, and it prompts you to save passwords over and over again with no "don't save passwords on this page" checkbox), and its UI is not really good either (e.g. the floating "+" icon in the vault - if you want to create a new folder you have to hover over it, for other items, you have to click it. Also, neither of these functions is available in the context menu - huh?!). And don't get me started about the "feature" of letting users use passwords, but not see them - security by obscurity anyone?
                          • cosmiccatnap 3 years ago
                            It's as much as a pain as you make it. For me if I keep it well organized I basically just forget that I have to login to things at work, I just click them and I'm in or I navigate and it's filled.

                            I can see how it might not be the solution you want for home, but at work I'm just trying to get things done, and that unfortunately involves a large number of passwords that can't easily be federated into an SSO like Okta because they span businesses, clients and companies. I don't understand the hate for LastPass; for me it just works (tm)

                            • rob74 3 years ago
                              I think the hate mostly comes out of being forced to use a solution and then being annoyed because it tries to force itself onto you. Yes, I confess, when I'm waiting for an important email I sometimes check private emails on my work laptop, and I would love to be able to just tell LastPass to not prompt me to save the credentials for my email provider into my company account, but it's simply not possible, and then the repeated "helpful" save password prompts annoy the hell out of me...
                          • Natfan 3 years ago
                            LastPass is terrible if you want to use it for automation. There is no official support for the CLI interface (it's a community project), and it does not work on Windows by default (you'd need to install cygwin on every single server you wish to use the CLI, as opposed to a simple `winget install --name LastPass.CLI`). I cannot recommend that anyone use this product for enterprise use, especially for internal IT use.
                            • muzani 3 years ago
                              Are there password managers that do that better?
                            • 0daystock 3 years ago
                              > There's a feature where you can even share the login to a site on it, but they can't view the password - only lastpass can fill it up.

                              Prime example of Lastpass security theater - what exact problem did they think this feature solved?

                              • vel0city 3 years ago
                                People easily copying and pasting the password into a chat app to quickly share it with Greg from finance asking if he could just quickly log into the app even though he's not really supposed to?

                                Sure, it's not too hard to get around that feature; you could just inject your own JavaScript on the page to dump the contents of the password field. But it does block the low-hanging fruit of the millions of users who don't know how to do that, who might abuse having access to the password because they don't really know better.

                                In essence, it helps to prevent those users who don't know better from leaking the password to places it shouldn't be. Obviously it doesn't prevent people who know how to get around it from getting around that protection, but in those circumstances you shouldn't really be sharing your password with someone who will abuse your trust.

                                • 0daystock 3 years ago
                                  The people likely to do such things counter to security are going to click phishing links, install malware and misuse their company devices anyway. Their problem is not technological in nature to solve - it is personal and behavioral. I call it theater because it doesn't significantly improve the security posture and maturity, while making both the user and administrator feel tough and hardened.
                                • procinct 3 years ago
                                  Not having to rotate shared passwords after an employee leaves I suppose?
                                  • sdfhbdf 3 years ago
                                    I think parent is referring to the idea that it's not a problem for a technically inclined person to, when the extension is filling out the password, inspect the password HTML element and "see" it. Other options would include sniffing network traffic in your browser or replacing DNS with a self-hosted website with a form under the same domain to trick the extension into filling in a form on a website you control (since they match based on the typed-in domain).
                                • Moeancurly 3 years ago
                                  > There's a feature where you can even share the login to a site on it, but they can't view the password - only lastpass can fill it up.

                                  Is there anything that stops someone from letting LastPass fill the field, then use the browser tools to change the form field from `password` to `text`?

                                  • rob74 3 years ago
                                    Even easier: let LastPass fill in the password in Chrome, save it with the browser's function, view it in the browser settings.
                                  • jmspring 3 years ago
                                    We use LastPass and I hate it.
                                    • jmspring 3 years ago
                                      Specifically - the constant installing of the Safari extension with no ability to disable it, and the hideous use of space / user layout.
                                    • BirAdam 3 years ago
                                      My org also uses LastPass
                                    • swozey 3 years ago
                                      I've used 1Password at my last two companies and I wouldn't go back to anything but maybe Bitwarden, which is practically a 1P clone. Last time I used Bitwarden it didn't work with either my macOS fingerprint reader or face unlock, I forget which. It was an Electron limitation IIRC, and this was years ago.

                                      I don't face any annoyances sharing passwords with 1pass like I used to with lastpass, secretserver, etc. It's a smooth experience all the way.

                                      • raxxorraxor 3 years ago
                                        Not the organization as a whole, but some small teams use them. We use KeePass for most important passwords and API-keys. The master password is a prefix and a part from personalized Yubikeys for each member accessing the store.

                                        A larger org would probably need a manager with extended access management, I am not sure if KeePass has such features yet. I think BitWarden does have an extended AD integration, but I am not sure if it is just to import users initially or if you can use AD authentication to access the key manager itself.

                                        • Raed667 3 years ago
                                          If you're signing up 10k users, I'm sure the pricing for 1Password won't be 7.99.

                                          Alternatively, have you tried SSO'ing everything?

                                          • AnIdiotOnTheNet 3 years ago
                                            We don't use a password manager for most users, but for those with access to many and varied accounts (like IT and anyone dealing with social media) we use VaultWarden, which is a FOSS re-implementation of BitWarden. We don't do any browser or AD integration though.
                                            • BirAdam 3 years ago
                                              This is great! I didn't know this existed, but it looks like for self-hosting this is a much better solution than BitWarden proper (as it is lighter). This shall go on my synology.
                                              • supersparrow 3 years ago
                                                VaultWarden is fantastic! It's super, super light and fast (Rust + sqlite) and happily runs on my Raspberry Pi 4 4GB in docker alongside 8 other containers. And if that wasn't good enough, all the 'premium' BitWarden features are also unlocked (organisations, etc.) in VaultWarden.
                                                • jhot 3 years ago
                                                  Been running it for years with a mariadb database. It's rock solid and they keep up well with the mainline features.
                                              • throw457 3 years ago
                                                A table in confluence with clear text passwords :(
                                                • Apreche 3 years ago
                                                  If your company has that many users why not self-host some open source solution like KeePassXC. The cost for having your IT employees host and manage it is probably less than the cost of a commercial product, even after negotiating a special contract with them.

                                                  Of course, the UX of the free solution will never compete with the commercial solutions. If you want that, you have to pay.

                                                  • jitix 3 years ago
                                                    Yeah, everything shared is on 1password. Everything else is Okta with 2FA. But the authentication flow is made very simple so you don't get frustrated.

                                                    My personal benefit was that the convenience of using password managers finally pushed me to use Bitwarden+2FA on all my personal devices.

                                                    • Zababa 3 years ago
                                                      We use Passwordstate. It's the slowest password manager I've ever used by a large margin, and one of the slowest websites I've ever used period. I don't know if it's inherent to the application or if it's how it's deployed for us.
                                                      • LilBytes 3 years ago
                                                        I left an organisation that used passwordstate, it's ridiculously slow. Glad I left that behind me. AFAIK it's very profitable for the owner but it's pretty rare to see in the wild so I must ask.

                                                        Do you work at TechnologyOne? :-P

                                                        • Zababa 3 years ago
                                                          I don't work at TechnologyOne, but I'm somewhat glad to know that it's slow everywhere and not just for us!
                                                      • ashton314 3 years ago
                                                        We use Keeper, and I hate the UX. Would much rather use 1Password or BitWarden, but alas, the IT powers that be have spoken. Better than nothing. We do share creds through it, so that’s nice.
                                                        • __derek__ 3 years ago
                                                          Yup. I was going to write the same comment.
                                                        • sdfhbdf 3 years ago
                                                          I think what you should be looking for is a Single Sign-on solution that integrates with your different systems and applications. It's a necessity when trying to have audit logs and proper and secure onboarding and offboarding solutions.

                                                          Things like Okta, OneLogin, GCP, AWS, Auth0 or Keycloak (self-hosted). A lot of products nowadays offer SSO integrations, but often unfortunately only at the highest tiers - see https://sso.tax/

                                                          • scrollinondubs 3 years ago
                                                            Passbolt is a great open source option: https://www.passbolt.com/ It has the team collaboration functionality and is free & OSS. We run it on Digital Ocean via Docker. Once you get it working it's pretty fantastic- it has a Chrome/Brave extension that works just like 1Password and LastPass for auto-filling credentials. Highly recommend.
                                                              • TowerTall 3 years ago
                                                                Yes, we use secret server which works very well and we are happy for it https://thycotic.com/products/secret-server/
                                                                • naveensky 3 years ago
                                                                  You could possibly host https://www.passbolt.com/ on your own servers and reduce the cost for your org.

                                                                  I am sure 1Password will be more than happy to offer you a discounted rate

                                                                  • kevinherron 3 years ago
                                                                    Our company uses LastPass.

                                                                    I don't know if AD integration is available. Ours is federated so that if you are logged into Google Chrome / Workspace then you are also logged into the LastPass plugin.

                                                                    • sys_64738 3 years ago
                                                                      Postit notes stuck to the monitor. For security purposes I make sure to not say which password is for which account.
                                                                      • aborsy 3 years ago
                                                                        Could a central directory for Gpg keys, accessed via Pass/Yubikey, be a solution?

                                                                        How about AWS KMS?

                                                                        • cp9 3 years ago
                                                                          we have a corporate 1pass account and I have a personal lastpass account. we use okta for SSO but 1pass is still absolutely essential IMO. I need to keep track of lots of secrets that aren't in okta (eg gitlab tokens and stuff like that).
                                                                          • Karawebnetwork 3 years ago
                                                                            We used Okta (SSO) for a long time, which is $2 per user afaik.
                                                                            • nugget 3 years ago
                                                                              What did you move to after Okta?
                                                                              • Karawebnetwork 3 years ago
                                                                                I do not feel comfortable disclosing the SSO service, but one of the Big Corps ones.
                                                                            • haolez 3 years ago
                                                                              Yes. BitWarden.
                                                                              • coffeedan 3 years ago
                                                                                Yes