I work for a large (~10k) organization that obviously interacts with a number of different systems/applications on a daily basis. The average employee likely has 10-20 (hopefully) different sets of credentials that they must maintain and update as necessary - I can only imagine there are a variety of Password, Password1, Password12 combinations in use.<p>I'm curious if anyone has experience with an enterprise/corporate level password manager. Ideally, it would be tied to the user's AD profile so when they log in to Windows they would just need to enter their master password and it would integrate with the browser to prefill passwords just like 1Password, or BitWarden.<p>Looking at 1Password's website, it's 7.99 USD per user/month which gets very pricey with 10k users. I'm curious what other folks on HN are using. I appreciate your feedback!
> The average employee likely has 10-20 (hopefully) different sets of credentials that they must maintain and update as necessary<p>That's your red flag right there. All identities that are tied to individual people should be connected to SSO in some way, then there will be no juggling of passwords at all on the individual-person level. Then you only need some 2FA solution on top in your identity provider, for instance TOTP or FIDO, and you're all set. (Corollary: If at all possible, only pick external services that can plug into your company's own SSO.)<p>For credentials not tied to individual people, e.g. root passwords on devices, my org uses HashiCorp Vault, and we're mostly satisfied with it. It's a bit of a struggle to configure the policies so that each group of (human/technical) users only has access to the secrets that they actually need, but I won't put the blame for that on Vault.
> gets very pricey with 10k users<p>With that many users you don't pay the advertised prices. You schedule a call and they make sure you get an affordable offer.<p>> The average employee likely has 10-20 (hopefully) different sets of credentials that they must maintain and update as necessary<p>Time for azure, auth0, okta, or some other sso provider to just get rid of the passwords?
LastPass is great. We can share credentials and secrets through it. There's a feature where you can even share the login to a site on it, but they can't view the password - only lastpass can fill it up.
I've used 1password at my last two companies and I wouldn't go back to anything but maybe Bitwarden, which is practically a 1p clone. Last time I used Bitwarden it didn't work with either my Macos fingetprint reader or face unlock, I forget. It was an electron limitation IIRC, and this was years ago.<p>I don't face any annoyances sharing passwords with 1pass like I used to with lastpass, secretserver, etc. It's a smooth experience all the way.
Not the organization as a whole, but some small teams use them. We use KeePass for most important passwords and API-keys. The master password is a prefix and a part from personalized Yubikeys for each member accessing the store.<p>A larger org would probably need a manager with extended access management, I am not sure if KeePass has such features yet. I think BitWarden does have an extended AD integration, but I am not sure if it is just to import users initially or if you can use AD authentication to access the key manager itself.
If you're signing up 10k users. I'm sure the pricing for 1Password won't be 7.99.<p>Alternatively, have your tried SSO'ing everything?
We don't have use a password manager for most users, but for those with access to many and varied accounts (like IT and anyone dealing with social media) we use VaultWarden, which is a FOSS re-implementation of BitWarden. We don't do any browser or AD integration though.
If your company has that many users why not self-host some open source solution like KeePassXC. The cost for having your IT employees host and manage it is probably less than the cost of a commercial product, even after negotiating a special contract with them.<p>Of course, the UX of the free solution will never compete with the commercial solutions. If you want that, you have to pay.
Yeah, everything shared is on 1password. Everything else is Okta with 2FA. But the authentication flow is made very simple so you don't get frustrated.<p>My personal benefit was that the convenience of using password managers finally pushed me to use Bitwarden+2FA on all my personal devices.
We use Passwordstate. It's the slowest password manager I've ever used by a large margin, and one of the slowest websites I've ever used period. I don't know if it's inherent to the application or if it's how it's deployed for us.
We use Keeper, and I hate the UX. Would much rather use 1Password or BitWarden, but alas, the IT powers that be have spoken. Better than nothing. We do share creds through it, so that’s nice.
I think what you should be looking for is a Single Sign-on solution that integrates with your different systems and applications. It's a necessity when trying to have audit logs and proper and secure onboarding and offboarding solutions.<p>Things like Okta, OneLogin, GCP, AWS, Auth0 or Keycloak (self-hosted). A lot of products nowaday offers SSO integrations but often unfortunately at the highest tiers - see <a href="https://sso.tax/" rel="nofollow">https://sso.tax/</a>
Passbolt is a great open source option: <a href="https://www.passbolt.com/" rel="nofollow">https://www.passbolt.com/</a> It has the team collaboration functionality and is free & OSS. We run it on Digital Ocean via Docker. Once you get it working it's pretty fantastic- it has a Chrome/Brave extension that works just like 1Password and LastPass for auto-filling credentials. Highly recommend.
Yes, we use secret server which works very well and we are happy for it
<a href="https://thycotic.com/products/secret-server/" rel="nofollow">https://thycotic.com/products/secret-server/</a>
You could possibly host <a href="https://www.passbolt.com/" rel="nofollow">https://www.passbolt.com/</a> on your own servers and reduce the cost for your org.<p>I am sure, 1Password will be more than happy to offer you a discounted rate
Our company uses LastPass.<p>I don't know if AD integration is available. Ours is federated so that if you are logged into Google Chrome / Workspace then you are also logged into the LastPass plugin.
we have a corporate 1pass account and I have a personal lastpass account. we use okta for SSO but 1pass is still absolutely essential IMO. I need to keep track of lots of secrets that aren't in okta (eg gitlab tokens and stuff like that).