Pros<p><pre><code> - free open source
- group management can be delegated
- works fine with mac, linux & windows browsers
- maintenance free self hosted on k8s for 2 years
- lack of mobile apps has not been issue
- UX is ok, no complaints
- requires little end-user support</code></pre>
Cons<p><pre><code> - only password field is encrypted
- no warning that Notes are not encrypted
- promises ‘Secure files & notes (Coming soon)’ for more than a year
- password generator has no complexity options
- requires browser plugin
- user passwords have no minimum entropy requirements
- no helm chart, used our own
</code></pre>
Experience based on the free version with ~75 users. Plan to switch to the paid version when <i>Secure files & notes</i> become available.<p>Noticed that the former lead developer <a href="https://github.com/markstory" rel="nofollow">https://github.com/markstory</a> now works on Sentry. Sentry has the same list of <i>Pros</i> as above: it ’<i>just works</i>’ without maintenance or support, running self-hosted on k8s for free.
I like this a lot. I've been a Bitwarden user for the past few months and I'm not looking back, but I'm so happy there's reasonable competition:<p>- It's still OSS, so you can self-host, which is a big selling point for me<p>- There's a managed/hosted option, which is a big selling point for probably <i>most</i> users<p>- It's got a browser plugin à la BitWarden/1Password, which is a crucial feature for any well-polished password manager (and hopefully it also comes with Android autofill integration)<p>Hopefully Passbolt, BitWarden and others can keep each other on their toes and help this be an innovative and widely accessible space!<p>Expanding on that last point: I'm a <i>huge</i> fan of the general idea of having the option of self-hosting with a business model revolving around a paid, managed option, for password managers or otherwise.
heh, i know a guy that will be having rage-fits over the use of "on-Premise" on their web site...<p>Premise:<p>noun
/ˈprɛmɪs/
LOGIC
a previous statement or proposition from which another is inferred or follows as a conclusion.
"if the premise is true, then the conclusion must be true"
verb
/prɪˈmʌɪz/
base an argument, theory, or undertaking on.
"the reforms were premised on our findings"<p>Premises:<p>noun
a house or building, together with its land and outbuildings, occupied by a business or considered in an official context.
"the company has moved to new premises"
My team has been using this for over a year. It's been my favorite answer for this problem-space. I love the self-hosted part (which means I also get backups I can trust). It's trivial to put inside a VPN for added security. Its security reviews were good and it's built on standard tools (so maybe if PB is dead I could recover outside?). Just save the key you download when you set up or you're hosed!<p>Which reminds me, I've been meaning to make a plain-text archiver for this -- to print out secrets and put them in my safe.
Why would I pay at least 450 euro per month for something I have to run myself? I appreciate that support and maintenance costs are certainly something to pay for, but a high monthly charge when I'm taking all the risk, and paying for the hosting immediately turns me off.<p>Especially considering the 4 hour SLA on phone support for the enterprise version. If the password management system is down, work stops. I'd rather not have to break the glass on the emergency god account at all.
As a small dev team we needed something similar to passbolt, but that would primarily be used for sharing API keys and other application secrets for our code base. (Although we use it for other passwords as well.) A lot of the existing tools are fairly complex to set up and are not tied to identity management systems. (i.e. you have to set up and maintain separate user accounts)<p>Since we were on Keybase already for employee identity and chat, we created an extension to encpass.sh to use Keybase for our secret storage. (<a href="https://github.com/plyint/encpass.sh/blob/master/extensions/keybase/KEYBASE.md" rel="nofollow">https://github.com/plyint/encpass.sh/blob/master/extensions/...</a>) It has been working really well so far, as when we add someone to a Keybase team, that person immediately has access to that team's secrets. No extra setup required.
We have been considering it in our team but the lack of capability of creating a "shared vault" and connecting it to a centralised AD/LDAP identity was a no go for us. Also, the lack, due to the tech itself, of a recovery method for users and administrators (with audit of course) was a big disappointment.
PS: never connect it to your AD/LDAP or it will spam everyone in your organisation by default! #lessonlearned
You just need git, ssh and pass (<a href="https://www.passwordstore.org/" rel="nofollow">https://www.passwordstore.org/</a>), see <a href="https://fr.jeffprod.com/blog/2019/gerez-vos-mots-de-passe-avec-des-logiciels-libres/" rel="nofollow">https://fr.jeffprod.com/blog/2019/gerez-vos-mots-de-passe-av...</a> (french)
pass[0] has been the best of everything so far. gpg-based and easy to use with keyboard shortcuts. i like alternatives like this, but pass is super barebones and highly available.<p>[0]: <a href="https://www.passwordstore.org/" rel="nofollow">https://www.passwordstore.org/</a>
I feel like this is becoming a very crowded market. What sort of differentiation separates this service from the pack?<p>For my purchasing decision, I’d lean heavily on the probability the service will be there in 5 years (it’s obvious I’m getting older I guess), as the market seems pretty mature.
This one doesn't have any limitations, and can use LDAP/AD. Along with it, you can use NextCloud's other features:<p>* <a href="https://git.mdns.eu/nextcloud/passwords" rel="nofollow">https://git.mdns.eu/nextcloud/passwords</a>
Slightly off topic: I love this tag line under "Methodically tested"<p>> Half of the code base is there to make sure the other half is behaving.
Hmm, this is the kind of software I'd sooner the developer have a liability for rather than "You get what you pay for" when my passwords are leaked.
> Self hostable, open source, password manager for teams<p>One of my teams shares passwords as well. We use KeePass over WebDAV. Works for us. I fail to see the market niche here.
Is there a web API for changing passwords? Would be nice if these password managers could help you change passwords when they are found on a list through an API (that would require the old password anyway).