You generally want to minimize the number of passwords you manage; for instance, you should generally be paying the SSO tax and getting as many services as you can onto OIDC. After that, just do the cloud version of 1Password, which is easy to audit and manage access for, which you'll thank yourself for when it comes time to SOC2.
Remember, as you give people access to passwords, that those passwords will need to be rotated when those people change to incompatible roles or depart the company. If passwords aren't a total pain in the ass for you, you're probably doing something wrong.
I'd strongly recommend Bitwarden, having deployed and managed it. I would warn against LastPass, strongly, due to papercut-level issues everywhere. I haven't used 1Password in an appropriate scenario to comment on it.
I’m still suffering from this; somehow in this hack <<something>> happened to my LastPass account and login/unlocking it became impossible. LastPass support (rightly) can’t help, so 3 or so years later I’m still stumbling into sites that I can no longer access.
Many sites have forgotten-password flows, which are easy, but many other sites related to municipal services, etc., require hours on calls, often on hold, proving my identity and getting access reinstated.
The thing about the LastPass Wikipedia article is that someone keeps editing it to reduce the number of really bad security issues LastPass has had over the years. You can Google almost any year, along with "lastpass security incident" and get results.
Nobody with the goal of security should be using LastPass. Nobody.
We have SSO + 2FA in place, and would like to use Bitwarden for the rest of the password management. But for a company of around ~50 people, the pricing feels too expensive, considering the only purpose is to manage a few passwords. So for now we are using KeePass, which is kind of painful, but free. We would probably be willing to pay ~$2 per user per month, but instead it is $6 if you want Bitwarden to work integrated with your SSO, which means $3,600 per year.
Pricing is truly annoying with password managers. I know this is an edge case but I volunteered for my kid’s school PTA and discovered to my horror that all the passwords were stored in a single Google Sheet. But the pricing for the number of users we were looking at (a very small core number of staff but a large number of volunteer parents) made pretty much every password manager service unaffordable, even with non profit discounts. Per seat pricing doesn’t work out for everyone.
We ended up using Dashlane because its free tier allows sharing between users but the administration is so much more work than it needs to be.
Hi! Could you please explain what this admin work is that is bothering you? Thanks! (Working at Dashlane, and happy to forward feedback to the product team. I'll already forward your comment on pricing.)
It’s not really your fault, it’s us bending your free tier into something it isn’t intended to be. Maximum number of passwords shared, only logging in to one device at a time etc.
It’s a really weird edge case but eye opening for me as someone who is usually in a very well resourced tech environment. Google offers a great free tier for non-profits and in the ideal world we’d have a password manager that plugs into our Google organization without a second thought. But that’s a premium tier feature and any money not spent on enriching the kids' education has to be justified to the nth degree. We have people who are go-tos for a two-factor auth code because their phone numbers are the ones attached to the accounts… people will go to surprising lengths!
There isn’t a good business case for it as such but volunteer organizations (as opposed to well resourced non profits) would make good use of a free tier and it would generate goodwill with people who are sometimes responsible for purchasing decisions in their day jobs.
You could self-host Bitwarden on a $5 a month instance (or free-forever, if you choose to trust Oracle or GCP), and then put TOTP 2FA into your Bitwarden instance. Still requires a little maintenance on the instance, but this can be 99% automated.
Yeah, the thought has occurred to me. But I’m only going to be there for a few years, the responsible thing is to do something that’ll survive long after I’m gone.
I've volunteered for and served on the boards of several small, youth-oriented nonprofits. They all had this weird idea that you can't spend any money on operational stuff. Yeah I get that you want to minimize it, and you should. But payments for necessary services should just be part of the budget. There is overhead to running these orgs and not every penny can go straight through to the kids. If you make things a PITA for the volunteers, eventually you won't have any volunteers. People are giving their time freely to help, but most are busy and don't want to f*ck around with complicated solutions that waste that time.
A strength that is often overlooked at NGOs is their people power, so don't forget to leverage that. For instance, CCTV: each unit, each chief and his 4 indians, could simply use Wyze to monitor their immediate environment; worst case scenario, the chief leaves in a bad way and someone else has to reprogram the Wyze cams to a new chief. Same with passwords: if you don't want to pay for centralized admin, then create multiple self-sufficient micro-environments with one central IT as tier 2 for advice and rescue. Think of it as VLANs, but in admin terms. This method opens up a lot of free tiers out there for each tribe/unit to leverage, as long as IT/CENTRAL gets informed of the master-pwd (ex. Bitwarden etc.).
Completely agree. The kind of people I've encountered in non-profits and charities as an IT Sales Professional over 20 years is that they expect great products and services should be as close to free as possible. They don't seem to understand that the tax breaks and incentives are there precisely to help soften the costs of running such an organisation. To expect even MORE than that from vendors is unrealistic. I watched an interview with Naveen Jain (Viome CEO) on a podcast once and he said that a non-profit entrepreneur or CEO is more often than not "just a sh*tty entrepreneur". I couldn't agree more based on my experience selling tech since 2001!
Immediate example that comes to mind: there’s a paid-for Canva account that multiple people need to use. Can’t use separate logins because then you’d need multiple subscriptions.
Moral argument is that PTAs are part-time organizations and if Canva doesn't cater to that business model, then shared credentials are fair use; commercial and for-profit use is a horse of a different color.
Was going to suggest the same, of course you're taking matters into your own hands, so know what you are doing, but it's free, very light weight and supports "organizations" as a way of sharing passwords between people. I have hosted it for my family for years and was very happy with it (until I switched to Proton Family, now doing ProtonPass).
And you get all the excellent Bitwarden apps and extensions to go with it.
This is nonsense. They do not do anything more or less than any company does, they do not have access to decrypted data (so they cannot share it and haven't done so, obviously), and I bet in most of the discussion here Interpol is not in people's threat models.
That is indeed bs. They gave up some IP addresses in accordance with local laws.
Why are you saying this? To justify your own use of free big tech services at the cost of all your data? Proton services have been audited; Proton staff cannot access your encrypted data. Whereas we know from Snowden et al. that your data in most public clouds is readily available to the world police. Make a pic of your kid's private parts for medical reasons and people have found out the difference. My pictures are encrypted before they go to Proton Drive.
If Apple starts on-device scanning to see if I'm a criminal while I sleep, I'll be on GrapheneOS several days later, but still a happy Proton user.
I'm not making a claim that FAANG is any better. I'm just saying that when FVEY wants your data and you've opted for convenience over security, you WILL be owned. It's not so much that Proton is untrustworthy, it's that they operate a business, and if the pigs tell them to make exceptions to their policy for your account, it's game over for you. Proton doesn't have the balls that Ladar Levison did with Lavabit. They won't shut down for you; they will hand you over on a silver platter for the pigs to pick away at your flesh.
Don't use any external service hosted in a country that complies with LEO or MLAT requests from the country of your residence. Actively seek out services hosted in countries that are hostile to the country of your residence.
Host your own infra, with your own authenticated FDE, reed switches and shock sensors for instant power-down on the cabinet, tamper-resistant and tamper-evident everything. Tor Hidden Services and i2p eepsites for any and all private correspondence if you really take this seriously.
Ever tried Psono? (I am Sascha, the main developer behind it)
It has SSO / encryption / self hosting / ... and even the enterprise version is free for up to 10 users and if you need more you only pay €2.5 / user / month.
Just checked, and it's indeed doing this nonsense in the browser extension (on Firefox). It's implemented sensibly in the Android app, and I haven't tested the website vault viewer or the desktop app.
I was first using 1Password and then I really tried to love Bitwarden for two entire years (paid user). But it was riddled with bugs and UX mishaps. I gave them detailed feedback by email, they acknowledged it, but nothing changed and my frustration grew over time. I eventually switched back to 1Password one year ago and I'm delighted.
For example, here are some issues I flagged to the team. Note that some of them may possibly have been resolved since then:
– The “incorrect ciphers” error that keeps happening where you have to restart Bitwarden and lose all your changes.
– Basic searches take multiple seconds if you have more than 400 entries.
– Editing items is awkward. Whenever I scroll down an item and want to edit a specific entry, I have to find the edit button and then WOOSH a new panel appears and I don’t know where the field I wanted to edit ended up in the new panel.
– Bitwarden doesn’t automatically categorize login items by type and it's not possible to exclude items from the “All Items” list. So it's a big mess and when you try to search a massive amount of irrelevant auto-generated entries pop up.
– Scrolling is super laggy on Android.
– Android logins don't have icons (they could very easily extract them when Bitwarden automatically creates an entry when logging on an Android app).
– Phone numbers are not formatted. Same for many other data types.
– Credit/debit cards show a generic icon rather than Mastercard, Visa, American Express, etc.
– The whole interface is marked as selectable in CSS and when you try to move the window around it keeps selecting irrelevant text from the UI such as “Search Vault” and “Item Information” instead of moving the window. Likewise, if I try to select actual text the selection isn't constrained to the field I'm selecting from so I often select a bunch of crap I didn't mean to select.
– Clicking on a password field doesn't offer the option to generate a password.
– Password generation settings don't synchronize between Bitwarden instances. Every time you install the app or the browser extension you have to reconfigure the length, symbols, letters, casing, etc. Again. By default it uses Bitwarden's default basic (and pretty insecure) criteria.
– Bitwarden frequently doesn't detect password fields, and frequently doesn't offer to automatically save the password.
– Can’t drag & drop an item from the list to a folder. I have to manually edit the item entry and select the folder from the dropdown. Every time.
– When editing an item, the “Attachments” entry is a tiny line hidden below “Master password re-prompt” so it's incredibly easy to miss and hard to find.
– Attachments don’t have previews and you can't rename them. You have to manually download a given item and open it in order to see what it's about.
– Can't copy attached images to the clipboard. Instead you have to press the download button, pick a folder, find it, copy the file (or possibly open it with an image editor when you need to copy the image itself), and then paste it where you want.
– Automatic entry names are dumb. For example for Android apps it just picks the package name (e.g. com.voyagerx.scanner) instead of the name of the app (in this example the corresponding app's name is vFlat, so not clear from the package name!).
And this is only the tip of the iceberg. I had many more issues than those with Bitwarden. None of these issues happen on 1Password.
Thanks for spending the time on that list. Hopefully Bitwarden will see this and reprioritize their game plan. You can't have a solid password manager without these things working. I have been using KeePass for years, and was thinking about switching to another product in the future, but I think I am going to stay with KeePass.
And when you set up 1Password, make sure you also get the CLI going, so passwords & shared gunk that's needed to access other people's services can be scripted, and when the passwords etc. get rotated no-one needs to know because no-one needs to store them.
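An added example of the pattern the comment above describes (not code from the commenter or from 1Password): a script resolves secret references through the `op` CLI at run time and injects the values only into a child process's environment, so nobody stores the credential and rotating the item in 1Password needs no re-distribution. The vault, item and field names are assumptions; `op read` is the real CLI subcommand.

```python
"""Resolve secrets at run time through the 1Password CLI (`op`) instead of
storing them in config files. Assumes `op` v2 is installed and signed in and
that the references below point at items that exist in your own vault."""
import os
import re
import subprocess
from collections.abc import Callable

# 1Password secret references look like op://<vault>/<item>/<field>
# or op://<vault>/<item>/<section>/<field>.
_REF_RE = re.compile(r"^op://([^/]+)/([^/]+)(?:/([^/]+))?/([^/]+)$")

# Constructed names for illustration: point them at your own vault/item/field.
SECRET_REFS = {
    "VENDOR_API_KEY": "op://Engineering/vendor-api/credential",
    "DB_PASSWORD": "op://Engineering/prod-db/password",
}


def parse_ref(ref: str) -> dict:
    """Validate a secret reference and split it into its parts."""
    m = _REF_RE.match(ref)
    if not m:
        raise ValueError(f"not a 1Password secret reference: {ref!r}")
    vault, item, section, field = m.groups()
    return {"vault": vault, "item": item, "section": section, "field": field}


def op_read(ref: str) -> str:
    """Real backend: `op read` prints the referenced field value on stdout."""
    out = subprocess.run(["op", "read", "--no-newline", ref],
                         check=True, capture_output=True, text=True)
    return out.stdout


def resolve_env(refs: dict, reader: Callable[[str], str] = op_read) -> dict:
    """Return {ENV_NAME: secret} for every reference, reading each once.
    Nothing is written to disk; after a rotation the next run simply reads
    the new value. `reader` is swappable so the logic can be tested offline."""
    env = {}
    for name, ref in refs.items():
        parse_ref(ref)  # fail fast on a malformed reference before calling op
        env[name] = reader(ref)
    return env


def run_with_secrets(cmd: list, refs: dict = SECRET_REFS) -> int:
    """Launch `cmd` with the secrets present only in its environment."""
    child_env = {**os.environ, **resolve_env(refs)}
    return subprocess.run(cmd, env=child_env).returncode


if __name__ == "__main__":
    # The child reads VENDOR_API_KEY from its environment; exit 0 if present.
    raise SystemExit(run_with_secrets(["sh", "-c", 'test -n "$VENDOR_API_KEY"']))
```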
You're going to have to elaborate. I've been using 1pw for about 7 years, including at several startups where I've handled IT. It has worked really well, yet to be breached, has a CLI, handles passkeys and SSH keys, easily separates work and personal creds, and their support is fantastic.
On top of this, prefer individual accounts and passwords over shared accounts.
Some services require shared passwords, keys, or tokens. Consider grouping them by sensitivity. Key to the kingdom shared accounts should be accessible only to a tiny number of people.
Finally, never send credentials over plaintext, such as email or Slack. 1Password and other password managers have a “share” feature. If need be, send a zipped and encrypted text file and share the password via a voice call.
>If need be, send a zipped and encrypted text file and share the password via a voice call.
Because people are lazy and not everyone wants to write a file, zip it, encrypt it, call someone, spell the password... Consider sending the password regularly over Slack, wait a minute till the other side confirms they got it, and remove the message.
Mediocre solutions that people use are better than perfect solutions that everyone circumvents.
> never send credentials over plaintext, such as email or Slack
Slack works for us in a very small (<5) number of trusted long-time remote devs, but with two important conditions:
1. New/updated password(s) to be shared are in an encrypted KeePass file (encrypted with a preset and prearranged password that was only shared once offline). Recipient merges into their local KeePass file.
We use many AWS services so obv all those are handled with AWS Secrets and IAM, so we only need to save the login pwd externally. And for services which support multi-user, Google, GitHub, etc., each user has their own pwd. So not many passwords need to be shared in the above manner. In daily use I keep KeePass open and copy/paste passwords into the browser when needed -- nothing stored online.
FOSS solutions like Keycloak are absolutely capable, but that completely ignores the "tax" you pay in terms of maintenance and setup. For smaller teams, it's not feasible at all to keep something like that up-to-date and running smoothly (i.e. no downtime).
Agree. The trio of Okta + Bitwarden + AWS Secrets Manager covers most bases and has served us well.
The SSO tax is real though, especially if you're a < 50 person entity and don't need everything else that normally comes with "Enterprise" plans <sigh>. Shout out to the few enlightened/kind SaaS peeps that don't do this (e.g. Windmill.dev) !
What’s SSO and how do I put vendor API keys into it? Like one of the most important APIs we have is just 1 key and that’s it. I don’t think the vendor has heard the term “key rotation”
For API keys you want to look into secrets management, for example HashiCorp Vault or OpenBao. AWS/Azure/Google Cloud also have their own secrets management features.