I know this question comes up frequently on HN, but what do you all recommend for 2021 for a business with a team size of less than 25? Using passwords in KeePassX has been useful, but it starts getting difficult with a growing team where user-specific permissions would be a must.
To be honest, all of these are fine. The very fact that you're going to be rolling out a tool and educating your staff in secure password management is a huge win regardless of which option you choose.
That said, for a team size < 25 I would recommend 1Password. The product is fantastic - best in class - and they are regularly pushing improvements across all platforms.
For teams 50+ I would choose LastPass which has better 'enterprise' features, but despite having used it at work for 7 years I still really dislike it. This could be because I've been using 1Password in a personal/family capacity for about 12 years!
I have been an avid user of LastPass since I knew password managers were a thing. But I’ve been hearing about how good 1Password is from lots of sources. Seems like you know and have experience on both sides. Would you mind sharing why 1Password is better (or even has a better experience) compared to LastPass? I use it personally and not in an enterprise setting. Your comment might just push me to use 1Password :)
I would say for me it's the user interface and general user experience. I find 1Pass more intuitive to use, the dedicated Mac and iOS apps are lovely and I also love the blog and general vibe of the 1Password company. Personality goes a long way! :)
I know people who think the exact opposite though, so give it a go and see what you think!
I've been using 1Password for the last 4 years, both with a family account and a work account.
It works perfectly for team management, since you can categorize passwords by vaults and give individual members, or teams, access to specific vaults. You can give guests outside your organization access as well. Beyond passwords, you can also share company cards, credential files, and 2FA tokens.
In addition, 1Password does a great job of letting you know when you should rotate your passwords, when you've re-used passwords, and when any password you've used has been leaked (in conjunction with https://www.haveibeenpwned.com). This helps ensure better security practices across the team.
Only downsides I've come across:
- Granular permissions are really hard. For example, at my last job, we had vaults per client we worked with. However, not everyone that works on that client needs access to all of those passwords. The only way around this was to make/manage hundreds of vaults for Client+Function variants.
- There's no way to guarantee security of passwords stored in someone's personal vault.
- Users can create a vault and remove owners/admins from it (unless this has changed).
Sure! As an admin, you're unable to see any passwords in an employee's "Personal" vault. This is by design, so that user-specific passwords aren't visible to _anyone_ in the org except for that user.
However, this has a few downsides. All of those features I mentioned (alerts for re-used, leaked, weak, or old passwords) are visible to the owner of the private vault, but admins won't be aware of those issues. It requires trust and security training to make sure that those issues are handled appropriately for private passwords.
Also, if someone has edit access for a vault, there's no way to prevent them from moving credentials to their personal vault or exporting credentials. Most people won't know how to do that and won't bother... but it's always a risk.
I have used LastPass for a long time, for personal usage. Recently I have begun using 1Password in a team context and it is really nice. I vote for 1Password for team usage.
Yes, I had, but the only thing I had to do was log out and log in again. Cumbersome, but not a deal breaker. And, as they said, it's already fixed. It's nice to self-host because I have access to all the premium features. I have a family group in Bitwarden where I share specific credentials (including OTP keys) with my family.
I've used 1pass for teams and family, and LastPass and I would choose 1password hands down every time. My experience with LastPass has been miserable, from functionality to UX it's just a bad product in my opinion. I do wish the Windows client for 1pass was a little more polished, but it does have all of the functionality I expect and the UX is generally the same as macOS it's just a little rougher around the edges.
I tried Bitwarden when 1Password changed to a subscription because it is cheaper, but at least on OS X the 1Password app is so much better that I simply paid the 60.
Of these three, only one is really safe: Bitwarden. With the other two you have to trust without proof that you are safe. With Bitwarden, you trust and know that you are safe because the source code is open.
If you are interested in checking a completely different approach, you can look at Secrez https://github.com/secrez/secrez. It is a CLI secret manager that supports git repo for distribution. Using other packages in the suite, Secrez allows direct communication between local desktop accounts using SSL tunneling.
Disclosure: I wrote it.
Personally I've been using KeePassXC with self-hosted Nextcloud sync for many years and it works great on desktop, apart from minor merge conflicts when the server or clients have been offline for long. I haven't found a good solution for iOS, but KeePassium and MiniKeePass are OK for occasional logins. I think it might be more of a Nextcloud issue on mobile.
I think it's totally insane to let a third party manage your passwords.
Strongbox is a nice iOS KeePass-compatible client. It integrates with the iOS password autofill and can use Face ID / Touch ID with the pro versions. It supports Google Drive, iCloud, OneDrive, SFTP and local storage on your iOS device. I find the UI is quite OK.
I had to make a call for the startup I work at. I went with 1pass and it has gone well. I had tried lastpass before and loathed the UI.
The only thing it lacks is a more powerful granular permissioning now that we've scaled. Ideally, there'd be a way for each new hire to automatically get an account and roles via LDAP, and immediately have access to necessary secrets based on that with no manual step.
I use Bitwarden and run my own vaults. Pretty easy to set up using Docker on a Linux machine.
I've had some trouble with the Bitwarden Android app not wanting to help fill in login information, but I put that down to user error - it's close enough that I just can't be bothered to dig deeper.
The question is: can I save a password generator profile per entry? Because different sites sometimes require certain characters or forbid them. In KeePassXC it seems to be global, which is not really useful.
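As an added illustration of what a per-entry generator profile has to do (example code written for this thread, not KeePassXC's or any other manager's own generator): each site gets its own policy naming the allowed character classes, the classes that must appear, and characters the site rejects. The generator draws uniformly from the allowed alphabet with `secrets` and rejects candidates that miss a required class, which keeps the distribution uniform over conforming passwords. The policy format and the site names are constructed for the example.

```python
import secrets
import string

# Character classes a policy can reference (constructed format, not a real tool's schema).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.<>?/",
}

# Per-entry policies: which classes are allowed, which must appear, and which
# individual characters the site refuses. All three sites are hypothetical.
POLICIES = {
    # A bank login form that accepts letters and digits only.
    "bank.example": {
        "length": 12,
        "classes": ["lower", "upper", "digit"],
        "require": ["lower", "upper", "digit"],
    },
    # A legacy app that demands a symbol and a digit but breaks on quotes,
    # backslashes and angle brackets.
    "legacy.example": {
        "length": 20,
        "classes": ["lower", "upper", "digit", "symbol"],
        "require": ["symbol", "digit"],
        "forbid": "\"'\\<>",
    },
    # Default profile when an entry has no site-specific policy.
    "default": {"length": 24, "classes": list(CLASSES), "require": list(CLASSES)},
}


def alphabet_for(policy):
    """Allowed characters: the union of the allowed classes minus the forbidden ones."""
    forbid = set(policy.get("forbid", ""))
    chars = "".join(CLASSES[name] for name in policy["classes"])
    return "".join(c for c in chars if c not in forbid)


def conforms(password, policy):
    """True if the password has the exact length, uses only allowed characters,
    and contains at least one character from every required class."""
    allowed = set(alphabet_for(policy))
    if len(password) != policy["length"] or not set(password) <= allowed:
        return False
    return all(
        any(c in CLASSES[name] for c in password)
        for name in policy.get("require", [])
    )


def generate(policy):
    """Rejection sampling: draw a uniformly random candidate from the allowed
    alphabet and retry until it satisfies the policy. This is uniform over the
    set of conforming passwords, unlike 'pick one of each class, then shuffle'."""
    if len(policy.get("require", [])) > policy["length"]:
        raise ValueError("more required classes than characters")
    alphabet = alphabet_for(policy)
    if not alphabet:
        raise ValueError("policy forbids every character")
    for _ in range(10_000):
        candidate = "".join(secrets.choice(alphabet) for _ in range(policy["length"]))
        if conforms(candidate, policy):
            return candidate
    raise RuntimeError("policy is too restrictive to satisfy")


if __name__ == "__main__":
    for site, policy in POLICIES.items():
        print(f"{site:16} {generate(policy)}")
```

The policy-per-entry lookup is the part the question is about; the rejection loop is what keeps the policy from biasing the output (the "one of each class, then shuffle" shortcut produces a measurably non-uniform distribution, which is why it is avoided here).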
All three of these expose your entire password database to system memory every time you decrypt a single secret, giving you no reasonable defense against malware.
LastPass, 1pass, BitWarden, and most other password managers doubled down on good UX, but the security is pretty terrible. They help users avoid using the same password for every site, granted, but is that really good enough?
Consider that every time you go to login to Twitter you also expose say your AWS root password or any TOTP backups, etc.
Compare to Mooltipass, Trezor Password Manager, or Password Store + Yubikey which all decrypt a single password at a time with a physical touch on an external device.
If an adversary has malware on your system and wants to dump 100 passwords they must get you to physically consent 100 times on an external device.
Presumably you would notice.
Today I only recommend hardware password managers. Pay for the hardware once and there is no monthly fee or any such nonsense, as the client software is all local and open source. Also no company gets the list of services you use and analytics of how often you use them for added privacy.
All three of these alternatives let you backup your encrypted password database to a git repo or cloud storage of your choice.
For technical teams where sharing is needed I tend to set up Password Store, which lets us set up per-folder sharing permissions, and the database is just a shared git repo.
There are multiple cli and gui front ends available for mobile and desktop.
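An added example of the per-folder sharing model the comment above describes (written for this thread; it is not Password Store's own code). `pass` stores the recipient list for a folder in a `.gpg-id` file in that folder, written by `pass init -p <folder> <key-ids...>`, and when encrypting an entry it uses the nearest `.gpg-id` walking up from the entry's directory. The example builds a constructed store in a temporary directory, resolves which keys an entry would be encrypted to, and audits for the caveat a practitioner wants to know about: a sub-folder's `.gpg-id` replaces the parent's list rather than narrowing it, so anyone who can commit to the shared repo can widen access by adding a key there. The key IDs and folder layout are made up for the example.

```python
import os
import tempfile

GPG_ID_FILE = ".gpg-id"

# Constructed layout: folder (relative to the store root) -> recipient key IDs.
# "" is the store root. Mirrors `pass init -p <folder> <keys...>` for each entry.
TEAM_LAYOUT = {
    "": ["alice@example.com", "bob@example.com", "carol@example.com"],
    "clients/acme": ["alice@example.com", "bob@example.com"],
    "clients/acme/billing": ["alice@example.com"],
    # dave is not in the root list: this sub-folder widens access, not narrows it.
    "contractors": ["alice@example.com", "dave@contractor.example"],
}


def init_store(root, layout):
    """Write one .gpg-id per folder, one key ID per line, like `pass init -p`."""
    for folder, keys in layout.items():
        d = os.path.join(root, folder)
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, GPG_ID_FILE), "w") as f:
            f.write("\n".join(keys) + "\n")


def read_gpg_ids(path):
    with open(path) as f:
        return [line.strip() for line in f if line.strip()]


def recipients_for(root, entry):
    """Recipients `pass insert <entry>` would encrypt to: the nearest .gpg-id
    from the entry's directory upward. The directory itself need not exist yet."""
    root = os.path.normpath(root)
    d = os.path.normpath(os.path.join(root, os.path.dirname(entry)))
    while True:
        candidate = os.path.join(d, GPG_ID_FILE)
        if os.path.isfile(candidate):
            return read_gpg_ids(candidate)
        if d == root:
            raise FileNotFoundError("store has no .gpg-id; run `pass init` first")
        d = os.path.dirname(d)


def audit(root):
    """Map each sub-folder to the recipients it grants that the root list does not.
    An empty result means every sub-folder only narrows the root team."""
    root = os.path.normpath(root)
    allowed = set(read_gpg_ids(os.path.join(root, GPG_ID_FILE)))
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [n for n in dirnames if n != ".git"]  # skip the repo metadata
        if GPG_ID_FILE in filenames and os.path.normpath(dirpath) != root:
            extra = set(read_gpg_ids(os.path.join(dirpath, GPG_ID_FILE))) - allowed
            if extra:
                findings[os.path.relpath(dirpath, root).replace(os.sep, "/")] = sorted(extra)
    return findings


def demo():
    """Build the constructed store and return the resolved recipients and audit."""
    with tempfile.TemporaryDirectory() as root:
        init_store(root, TEAM_LAYOUT)
        return {
            "acme_db": recipients_for(root, "clients/acme/db"),
            "acme_stripe": recipients_for(root, "clients/acme/billing/stripe"),
            "wifi": recipients_for(root, "shared/wifi"),  # no own .gpg-id: falls back to root
            "audit": audit(root),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In practice the audit belongs in a pre-receive hook or CI job on the shared repo, since `pass` itself will happily re-encrypt a folder to whatever `.gpg-id` it finds there; the git history is the only record of who changed a recipient list.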
"1Password only decrypts what you need at the time you need it. If Molly (one of my dogs) is using 1Password to log in to SquirrelsAreEvil.net, only her SquirrelsAreEvil Login details are decrypted. Her RabbitRecipies Login, along with all her other hundreds of items, remain encrypted." August 2013
You mentioned mobile at the end of your comment, and I'm wondering how this works. Isn't it very cumbersome to attach a hardware device to your phone each time you need to login somewhere?
Not OP but there are keys like the YubiKey 5C Nano. Combined with Qi charging, you could stick them permanently in your phone. Note that I can't comment whether this is wise.