top | item 41425095

andriosr | 1 year ago

We had this problem at my last job - ended up building our own system cause nothing really fit.

Some tips from what we learned:

1. don't use shared spreadsheets or docs, way too easy to mess up
2. need granular access controls + audit logs
3. automate onboarding/offboarding as much as possible
4. rotate creds regularly, especially for sensitive stuff
5. use SSO where you can to minimize password sprawl

There are some decent enterprise password managers out there, but they get pricey fast as you scale. We ended up using a combo of 1password for team passwords + a custom system built on top of vault by hashicorp for machine creds/api keys etc.

One thing that worked well was having "password owners" for each system who were responsible for rotations, access reviews etc., which helps distribute the work.

If you want something more turnkey, you might want to check out hoop.dev - does a lot of this stuff out of the box, including automated access reviews, just-in-time access etc.

Whatever you do, just please don't use a shared google doc :)
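Three of the practices in the comment above (named "password owners" per system, regular rotation, and automated offboarding backed by an audit log) fit together in a small credential inventory. The following is an added example, not code from the commenter or from any of the products mentioned; all names, dates and credential entries are constructed, and the rule that a secret must be rotated after one of its holders is offboarded is the example's own assumption (a departed holder may still know the value).

```python
"""Added example: a minimal credential inventory with owners, rotation
deadlines, offboarding and an append-only audit log.  Constructed data only."""
from dataclasses import dataclass, field
from datetime import date

# Reference date used by the constructed sample below.
SAMPLE_TODAY = date(2024, 9, 1)


@dataclass
class Credential:
    name: str
    owner: str                    # "password owner": accountable for rotation and access reviews
    last_rotated: date
    rotation_days: int            # maximum age before rotation is due
    holders: set = field(default_factory=set)
    needs_rotation: bool = False  # set when a holder is removed (assumption: they may still know it)


@dataclass(frozen=True)
class AuditEvent:
    day: date
    actor: str
    action: str       # "grant", "revoke", "offboard" or "rotate"
    credential: str
    subject: str      # the user the action concerns ("-" for rotations)


class CredentialRegistry:
    """Inventory of shared secrets: who owns each, who holds it, and what changed when."""

    def __init__(self):
        self._creds = {}
        self._audit = []          # append-only; never trimmed or rewritten

    def add(self, cred):
        self._creds[cred.name] = cred

    def _log(self, day, actor, action, cred_name, subject):
        self._audit.append(AuditEvent(day, actor, action, cred_name, subject))

    def grant(self, actor, cred_name, user, day):
        """Only the credential's owner may hand it out (granular access control)."""
        cred = self._creds[cred_name]
        if actor != cred.owner:
            raise PermissionError(f"{actor} is not the owner of {cred_name}")
        cred.holders.add(user)
        self._log(day, actor, "grant", cred_name, user)

    def revoke(self, actor, cred_name, user, day, action="revoke"):
        # No owner check: offboarding is normally run by an admin or automation.
        cred = self._creds[cred_name]
        cred.holders.discard(user)
        cred.needs_rotation = True
        self._log(day, actor, action, cred_name, user)

    def offboard(self, actor, user, day):
        """Remove a user from every credential; returns the names that now need rotation."""
        affected = sorted(c.name for c in self._creds.values() if user in c.holders)
        for name in affected:
            self.revoke(actor, name, user, day, action="offboard")
        return affected

    def mark_rotated(self, actor, cred_name, day):
        cred = self._creds[cred_name]
        cred.last_rotated = day
        cred.needs_rotation = False
        self._log(day, actor, "rotate", cred_name, "-")

    def rotation_due(self, today):
        """Map credential name -> (owner, reasons) for everything that should be rotated now."""
        due = {}
        for c in self._creds.values():
            reasons = []
            age = (today - c.last_rotated).days
            if age > c.rotation_days:
                reasons.append(f"age {age}d exceeds {c.rotation_days}d")
            if c.needs_rotation:
                reasons.append("holder removed since last rotation")
            if reasons:
                due[c.name] = (c.owner, reasons)
        return due

    def access_review(self):
        """Per owner: the credentials they are accountable for and who currently holds each."""
        review = {}
        for c in self._creds.values():
            review.setdefault(c.owner, {})[c.name] = sorted(c.holders)
        return review

    def audit_log(self):
        return list(self._audit)


def build_sample_registry():
    """Constructed sample data; every name and date here is illustrative."""
    reg = CredentialRegistry()
    reg.add(Credential("prod-db-password", "alice", date(2024, 5, 1), 90))
    reg.add(Credential("ci-deploy-token", "bob", date(2024, 8, 15), 30))
    reg.add(Credential("vendor-portal-login", "alice", date(2024, 8, 1), 180))
    reg.grant("alice", "prod-db-password", "carol", date(2024, 8, 20))
    reg.grant("alice", "prod-db-password", "dave", date(2024, 8, 20))
    reg.grant("bob", "ci-deploy-token", "carol", date(2024, 8, 21))
    reg.grant("alice", "vendor-portal-login", "dave", date(2024, 8, 22))
    return reg


def run_offboarding_demo(today=SAMPLE_TODAY):
    """Offboard 'dave' and return the registry plus the credentials that must be rotated."""
    reg = build_sample_registry()
    rotated = reg.offboard("it-automation", "dave", today)
    return reg, rotated


if __name__ == "__main__":
    registry, to_rotate = run_offboarding_demo()
    print("rotate after offboarding:", to_rotate)
    for name, (owner, reasons) in registry.rotation_due(SAMPLE_TODAY).items():
        print(f"{name}: owner {owner}; " + "; ".join(reasons))
    for event in registry.audit_log():
        print(event)
```

With the constructed data, offboarding dave flags both secrets he held, and `rotation_due` additionally reports `prod-db-password` as past its 90-day age limit while `ci-deploy-token` stays clean; `access_review` gives each owner the per-system list they would walk through in a periodic review.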

jascha_eng | 1 year ago

Bit of a sneaky self promotion tbh but I'll allow it. Just making it clear.