top | item 31580842

Ask HN: Does your org use a password keeper?

23 points| ng-user | 3 years ago

I work for a large (~10k) organization that obviously interacts with a number of different systems/applications on a daily basis. The average employee likely has 10-20 (hopefully) different sets of credentials that they must maintain and update as necessary - I can only imagine there are a variety of Password, Password1, Password12 combinations in use.

I'm curious if anyone has experience with an enterprise/corporate level password manager. Ideally, it would be tied to the user's AD profile so when they log in to Windows they would just need to enter their master password and it would integrate with the browser to prefill passwords just like 1Password or Bitwarden.

Looking at 1Password's website, it's 7.99 USD per user/month which gets very pricey with 10k users. I'm curious what other folks on HN are using. I appreciate your feedback!

71 comments

majewsky|3 years ago

> The average employee likely has 10-20 (hopefully) different sets of credentials that they must maintain and update as necessary

That's your red flag right there. All identities that are tied to individual people should be connected to SSO in some way, then there will be no juggling of passwords at all on the individual-person level. Then you only need some 2FA solution on top in your identity provider, for instance TOTP or FIDO, and you're all set. (Corollary: If at all possible, only pick external services that can plug into your company's own SSO.)

For credentials not tied to individual people, e.g. root passwords on devices, my org uses HashiCorp Vault, and we're mostly satisfied with it. It's a bit of a struggle to configure the policies so that each group of (human/technical) users only has access to the secrets that they actually need, but I won't put the blame for that on Vault.

cameronh90|3 years ago

Easier said than done.

We rely on all kinds of industry-specific applications that only support username/password (and SMS OTP if we're lucky). After that, there are a bunch of services that do offer SSO but only if you pay stupid money. For example, we spend about $100/month on Twilio but their SSO plan starts at $15k/month.

jrockway|3 years ago

This is nice until you consider the network effects. People can often get away with the $5/user/month plan, until they need SSO, in which case it always becomes $30k a year.

SSO seems like the only way SaaS companies can make money, and what this HN post tells me is that even enterprises with 10k employees (!) still find that to be a little out of their price range. The state of the industry is kind of crazy, but that's why people are looking for an enterprise 1password account. Cheaper to pay them once than to pay 1000% markup on every SaaS you use.

ng-user|3 years ago

Sorry, should have clarified - we are a government organization that interacts with a number of other government agencies. It's simply not feasible for us to implement SSO for all of our own internal applications (many different units/teams), let alone the external apps/systems we are consumers of.

ams92|3 years ago

Not all SaaS apps support SSO. We use 1password for those that don't.

iovrthoughtthis|3 years ago

this is somewhat of a pipe dream

orgs should support what people do

viraptor|3 years ago

> gets very pricey with 10k users

With that many users you don't pay the advertised prices. You schedule a call and they make sure you get an affordable offer.

> The average employee likely has 10-20 (hopefully) different sets of credentials that they must maintain and update as necessary

Time for azure, auth0, okta, or some other sso provider to just get rid of the passwords?

rglullis|3 years ago

I'm really not cut out to work for a big corporation.

Even if they charged $0.50 per user, that would be $5k/month. I could go in as a consultant and charge half of that to set up Vaultwarden integrated with their AD in maybe 2 lazy days, and offer a support contract for $500/month. It's not even that rare a skill. I'd guess you could randomly select /r/selfhosted users and I'd give 10% odds of finding someone who has done it already and would even offer to do it for less.

Yet, I think that most managers would simply prefer to go through all the negotiation meetings, all the internal procurement process just so they can justify the big boy expenses.

nugget|3 years ago

Even with bulk pricing, the current enterprise providers are quite expensive. I'm a YC founder working with some others on a solution to this that brings the cost way down. If you're interested, send me a quick email and I'm happy to share what we've learned.

muzani|3 years ago

LastPass is great. We can share credentials and secrets through it. There's a feature where you can even share the login to a site on it, but they can't view the password - only lastpass can fill it up.

rob74|3 years ago

Can't really agree with that. For me, LastPass is a huge annoyance (it wants to fill in passwords on pages that these passwords definitely don't belong to, and it prompts you to save passwords over and over again with no "don't save passwords on this page" checkbox), and its UI is not really good either (e.g. the floating "+" icon in the vault - if you want to create a new folder you have to hover over it, for other items, you have to click it. Also, neither of these functions is available in the context menu - huh?!). And don't get me started about the "feature" of letting users use passwords, but not see them - security by obscurity anyone?

Natfan|3 years ago

LastPass is terrible if you want to use it for automation. There is no official support for the CLI interface (it's a community project), and it does not work on Windows by default (you'd need to install Cygwin on every single server you wish to use the CLI on, as opposed to a simple `winget install --name LastPass.CLI`). I cannot recommend that anyone use this product for enterprise use, especially for internal IT use.

0daystock|3 years ago

> There's a feature where you can even share the login to a site on it, but they can't view the password - only lastpass can fill it up.

Prime example of Lastpass security theater - what exact problem did they think this feature solved?

Moeancurly|3 years ago

> There's a feature where you can even share the login to a site on it, but they can't view the password - only lastpass can fill it up.

Is there anything that stops someone from letting LastPass fill the field, then use the browser tools to change the form field from `password` to `text`?
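Nothing does, and the type swap is not even needed. The following is an added example, not code from the thread or from LastPass, showing what Moeancurly describes and what rob74 and 0daystock call security theater: once a manager autofills a form, the plaintext sits in the DOM and is readable by anything with page access, whether DevTools, a userscript, or the page's own JavaScript. The `makeFilledLoginForm` stand-in, the field names and the sample credential are all constructed so the snippet also runs under Node; in a browser console you would pass real `document.forms` entries instead.

```javascript
// Added example (not from the thread): a password hidden from the user's eyes
// by a manager's "share but don't reveal" feature is still plaintext in the
// browser. Runs in a browser console (pass real elements) and under Node
// (pass the duck-typed stand-ins below; assumption: an object with an
// `inputs` array of {name, type, value}).

// Flip a password field to plain text so its value shows on screen.
// The value was readable via .value all along; the type swap only changes
// how the browser renders it.
function revealPasswordField(input) {
  if (input.type === 'password') {
    input.type = 'text';
  }
  return input.value;
}

// Collect every credential-bearing field in a form, the way a page script
// hooked on 'submit' (or a DevTools one-liner) would. No type change needed:
// .value is plaintext regardless of the input type.
function harvestCredentials(form) {
  const creds = {};
  const inputs = typeof form.querySelectorAll === 'function'
    ? Array.from(form.querySelectorAll('input')) // real DOM form element
    : form.inputs;                               // Node stand-in (constructed)
  for (const el of inputs) {
    if (['text', 'email', 'password'].includes(el.type) && el.value !== '') {
      creds[el.name] = el.value;
    }
  }
  return creds;
}

// Constructed stand-in for a login form after a manager has filled it.
// In a browser you would use: const form = document.querySelector('form');
function makeFilledLoginForm() {
  return {
    inputs: [
      { name: 'username', type: 'text', value: 'alice@example.com' },
      { name: 'password', type: 'password', value: 'correct horse battery staple' },
      { name: 'remember', type: 'checkbox', value: 'on' },
    ],
  };
}

// Browser-only convenience: paste into the DevTools console on a page the
// manager just filled to dump every form's credentials.
function dumpPageCredentials() {
  if (typeof document === 'undefined') return null;
  return Array.from(document.forms).map(harvestCredentials);
}

// Demo when run directly under Node.
if (typeof require !== 'undefined' && require.main === module) {
  const form = makeFilledLoginForm();
  console.log(harvestCredentials(form));
  console.log(revealPasswordField(form.inputs[1]), form.inputs[1].type);
}
```

The takeaway for anyone evaluating such a feature: it raises the bar from "read the password off the screen" to "open DevTools", which is a usability nicety, not an access control. If a shared account must not have its secret disclosed to the person using it, the fix is SSO or a per-user credential, not hiding the field.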

jmspring|3 years ago

We use LastPass and I hate it.

BirAdam|3 years ago

My org also uses LastPass

swozey|3 years ago

I've used 1Password at my last two companies and I wouldn't go back to anything but maybe Bitwarden, which is practically a 1P clone. Last time I used Bitwarden it didn't work with either my macOS fingerprint reader or face unlock, I forget which. It was an Electron limitation IIRC, and this was years ago.

I don't face any annoyances sharing passwords with 1pass like I used to with lastpass, secretserver, etc. It's a smooth experience all the way.

raxxorraxor|3 years ago

Not the organization as a whole, but some small teams use them. We use KeePass for the most important passwords and API keys. The master password is a prefix plus a part from personalized YubiKeys for each member accessing the store.

A larger org would probably need a manager with extended access management, I am not sure if KeePass has such features yet. I think BitWarden does have an extended AD integration, but I am not sure if it is just to import users initially or if you can use AD authentication to access the key manager itself.

Raed667|3 years ago

If you're signing up 10k users, I'm sure the pricing for 1Password won't be 7.99.

Alternatively, have you tried SSO'ing everything?

AnIdiotOnTheNet|3 years ago

We don't use a password manager for most users, but for those with access to many and varied accounts (like IT and anyone dealing with social media) we use Vaultwarden, which is a FOSS re-implementation of Bitwarden. We don't do any browser or AD integration though.

BirAdam|3 years ago

This is great! I didn't know this existed, but it looks like for self-hosting this is a much better solution than Bitwarden proper (as it is lighter). This shall go on my Synology.

throw457|3 years ago

A table in confluence with clear text passwords :(

Apreche|3 years ago

If your company has that many users why not self-host some open source solution like KeePassXC. The cost for having your IT employees host and manage it is probably less than the cost of a commercial product, even after negotiating a special contract with them.

Of course, the UX of the free solution will never compete with the commercial solutions. If you want that, you have to pay.

jitix|3 years ago

Yeah, everything shared is on 1password. Everything else is Okta with 2FA. But the authentication flow is made very simple so you don't get frustrated.

My personal benefit was that the convenience of using password managers finally pushed me to use Bitwarden+2FA on all my personal devices.

Zababa|3 years ago

We use Passwordstate. It's the slowest password manager I've ever used by a large margin, and one of the slowest websites I've ever used period. I don't know if it's inherent to the application or if it's how it's deployed for us.

LilBytes|3 years ago

I left an organisation that used passwordstate, it's ridiculously slow. Glad I left that behind me. AFAIK it's very profitable for the owner but it's pretty rare to see in the wild so I must ask.

Do you work at TechnologyOne? :-P

ashton314|3 years ago

We use Keeper, and I hate the UX. Would much rather use 1Password or BitWarden, but alas, the IT powers that be have spoken. Better than nothing. We do share creds through it, so that’s nice.

__derek__|3 years ago

Yup. I was going to write the same comment.

sdfhbdf|3 years ago

I think what you should be looking for is a Single Sign-on solution that integrates with your different systems and applications. It's a necessity when trying to have audit logs and proper and secure onboarding and offboarding solutions.

Things like Okta, OneLogin, GCP, AWS, Auth0 or Keycloak (self-hosted). A lot of products nowadays offer SSO integrations, but often unfortunately only at the highest tiers - see https://sso.tax/

scrollinondubs|3 years ago

Passbolt is a great open source option: https://www.passbolt.com/ It has the team collaboration functionality and is free & OSS. We run it on Digital Ocean via Docker. Once you get it working it's pretty fantastic- it has a Chrome/Brave extension that works just like 1Password and LastPass for auto-filling credentials. Highly recommend.

naveensky|3 years ago

You could possibly host https://www.passbolt.com/ on your own servers and reduce the cost for your org.

I am sure 1Password will be more than happy to offer you a discounted rate.

kevinherron|3 years ago

Our company uses LastPass.

I don't know if AD integration is available. Ours is federated so that if you are logged into Google Chrome / Workspace then you are also logged into the LastPass plugin.

sys_64738|3 years ago

Post-it notes stuck to the monitor. For security purposes I make sure to not say which password is for which account.

aborsy|3 years ago

Could a central directory for GPG keys, accessed via pass/YubiKey, be a solution?

How about AWS KMS?

cp9|3 years ago

we have a corporate 1pass account and I have a personal lastpass account. we use okta for SSO but 1pass is still absolutely essential IMO. I need to keep track of lots of secrets that aren't in okta (eg gitlab tokens and stuff like that).

Karawebnetwork|3 years ago

We used Okta (SSO) for a long time, which is $2 per user AFAIK.

nugget|3 years ago

What did you move to after Okta?

haolez|3 years ago

Yes. BitWarden.