49 replies
20h15m
You generally want to minimize the number of passwords you manage; for instance, you should generally be paying the SSO tax and getting as many services as you can onto OIDC. After that, just do the cloud version of 1Password, which is easy to audit and manage access for, which you'll thank yourself for when it comes time to SOC2.
Remember, as you give people access to passwords, that those passwords will need to be rotated when those people change to incompatible roles or depart the company. If passwords aren't a total pain in the ass for you, you're probably doing something wrong.
That is the answer.
SSO, then password manager.
I'd strongly recommend bitwarden, having deployed and managed it. I would warn against lastpass, strongly, due to papercut level issues everywhere. I haven't used 1password in an appropriate scenario to comment on it.
We have SSO + 2FA in place, and would like to use Bitwarden for the rest of the password management. But for a company around ~50 people, the pricing feels too expensive, considering the only purpose is to manage a few passwords. So for now we are using Keepass which is kind of painful, but free. We would probably be willing to pay ~2$ per user per month, but instead it is 6$ if you want Bitwarden to work integrated with your SSO which means 3600$ per year.
Pricing is truly annoying with password managers. I know this is an edge case but I volunteered for my kid’s school PTA and discovered to my horror that all the passwords were stored in a single Google Sheet. But the pricing for the number of users we were looking at (a very small core number of staff but a large number of volunteer parents) made pretty much every password manager service unaffordable, even with non profit discounts. Per seat pricing doesn’t work out for everyone.
We ended up using Dashlane because its free tier allows sharing between users but the administration is so much more work than it needs to be.
Hi! could you please explain what is this admin work that is bothering you? Thanks! (working at Dashlane, and happy to forward feedback to product team. I'll already forward your comment on pricing)
It’s not really your fault, it’s us bending your free tier into something it isn’t intended to be. Maximum number of passwords shared, only logging in to one device at a time etc.
It’s a really weird edge case but eye opening for me as someone who is usually in a very well resourced tech environment. Google offers a great free tier for non profits and in the ideal world we’d have a password manager that plugs into our Google organization without a second thought. But that’s a premium tier feature and any money not spent on enriching the kids education has to be justified to the nth degree. We have people who are go-tos for a two factor auth code because their phone numbers are the ones attached to the accounts… people will go to surprising lengths!
There isn’t a good business case for it as such but volunteer organizations (as opposed to well resourced non profits) would make good use of a free tier and it would generate goodwill with people who are sometimes responsible for purchasing decisions in their day jobs.
I've volunteered for and served on the boards of several small, youth-oriented nonprofits. They all had this weird idea that you can't spend any money on operational stuff. Yeah I get that you want to minimize it, and you should. But payments for necessary services should just be part of the budget. There is overhead to running these orgs and not every penny can go straight through to the kids. If you make things a PITA for the volunteers, eventually you won't have any volunteers. People are giving their time freely to help, but most are busy and don't want to f*ck around with complicated solutions that waste that time.
Oh, I totally agree. But I’m in the minority in that view and have come to accept that it’s just the nature of the beast.
Completely agree. The kind of people I've encountered in non-profits and charities as an IT Sales Professional over 20 years is that they expect great products and services should be as close to free as possible. They don't seem to understand that the tax breaks and incentives are there precisely to help soften the costs of running such an organisation. To expect even MORE than that from vendors is unrealistic. I watched an interview with Naveen Jain (Viome CEO) on a podcast once and he said that a non-profit entrepreneur or CEO is more often than not "just a sh*tty entrepreneur". I couldn't agree more based on my experience selling tech since 2001!
You could self-host bitwarden on a $5 a month instance (or free-forever, if you choose to trust oracle or gcp), and then put TOTP 2fa into your bitwarden instance. Still requires a little maintenance on the instance, but this can be 99% automated.
Yeah, the thought has occurred to me. But I’m only going to be there for a few years, the responsible thing is to do something that’ll survive long after I’m gone.
I know very little about PTAs, but... why would a PTA need to share passwords anyways, instead of having separate logins?
Immediate example that comes to mind: there’s a paid-for Canva account that multiple people need to use. Can’t use separate logins because then you’d need multiple subscriptions.
This is in breach of the tos though, right? Great example to set for the kids.
Pretty sure the kids aren’t aware of the PTA’s use of Canva.
Why not just use something like Keepass in this scenario for free (forever) ?
Ever tried Psono? (I am Sascha, the main developer behind it)
It has SSO / encryption / self hosting / ... and even the enterprise version is free for up to 10 users and if you need more you only pay €2.5 / user / month.
Passkey support (I know it's a pain) would be great...
Use Vaultwarden then
I'll check it out, thanks!
Why not self-host Vaultwarden? It implements most functionality and supports the standard Bitwarden clients with virtually no resource requirements.
Was going to suggest the same, of course you're taking matters into your own hands, so know what you are doing, but it's free, very light weight and supports "organizations" as a way of sharing passwords between people. I have hosted it for my family for years and was very happy with it (until I switched to Proton Family, now doing ProtonPass).
And you get all the excellent Bitwarden apps and extensions to go with it.
I'll look into it, thanks!
We went with self-hosted Passbolt. Free, open source, and based on PGP. Only downside is having to explain PGP to the less technical users...
This is really a HUGE hurdle. Sadly even many developers don't understand it fully / mess it up a few times..
Except the search function of bitwarden is totally broken. Searching for A B shows everything with A or B, not even with A and B at the top.
This could be a good first contribution to Bitwarden for me or anyone really.
Do you mean the browser extension search feature?
Thanks for pointing it out.
Just checked, and its indeed doing this nonsense in the browser extension (on firefox). Its implemented sensibly in the Android app, and I haven't tested the website vault viewer or the desktop app.
Thank you for checking and reporting back.
I never touched Bitwarden project but I hope I or someone could contribute to a better search in the extension.
There is a syntax you can use to search for entries that contain both A and B:
It is annoying but it works.
There was the time they lost customer data in a hack and then lots of customers data was exploited. https://en.m.wikipedia.org/wiki/LastPass
Not once but multiple breaches.
Just no.
I'm surprised they still exist.
I’m still suffering from this; somehow in this hack <<something>> happened to my LastPass account and login/unlocking it became impossible. LastPass support (rightly) can’t help, so 3 or so years later I’m still stumbling into sites that I can no longer access.
Many sites have forgotten password flows, they’re easy, but many other sites related to municipal services, etc, require hours on calls, often on hold, proving my identity and getting access reinstated.
I was first using 1Password and then I really tried to love Bitwarden for two entire years (paid user). But it was riddled with bugs and UX mishaps. I gave them detailed feedback by email, they acknowledged it, but nothing changed and my frustration grew over time. I eventually switched back to 1Password one year ago and I'm delighted.
For example here some issues I flagged to the team. Note that some of them may possibly have been resolved since then:
– The “incorrect ciphers” error that keeps happening where you have to restart Bitwarden and lose all your changes.
– Basic searches take multiple seconds if you have more than 400 entries.
– Editing items is awkward. Whenever I scroll down an item and want to edit a specific entry, I have to find the edit button and then WOOSH a new panel appears and I don’t know where the field I wanted to edit ended up in the new panel.
– Bitwarden doesn’t automatically categorize login items by type and it's not possible to exclude items from the “All Items” list. So it's a big mess and when you try to search a massive amount of irrelevant auto-generated entries pop up.
– Scrolling is super laggy on Android.
– Android logins don't have icons (they could very easily extract them when Bitwarden automatically creates an entry when logging on an Android app).
– Phone numbers are not formatted. Same for many other data types.
– Credit/debit cards show a generic icon rather than Mastercard, Visa, American Express, etc.
– The whole interface is marked as selectable in CSS and when you try to move the window around it keeps selecting irrelevant text from the UI such as “Search Vault” and “Item Information” instead of moving the window. Likewise, if I try to select actual text the selection isn't constrained to the field I'm selecting from so I often select a bunch of crap I didn't mean to select.
– Clicking on a password field doesn't offer the option to generate a password.
– Password generation settings don't synchronize between Bitwarden instances. Every time you install the app or the browser extension you have to reconfigure the length, symbols, letters, casing, etc. Again. By default it uses Bitwarden's default basic (and pretty insecure) criteria.
– Bitwarden frequently doesn't detect password fields, and frequently doesn't offer to automatically save the password.
– Can’t drag & drop an item from the list to a folder. I have to manually edit the item entry and select the folder from the dropdown. Every time.
– When editing an item, the ‶Attachments″ entry is a tiny line hidden below ‶Master password re-prompt″ so it's incredibly easy to miss and hard to find.
– Attachments don’t have previews and you can't rename them. You have to manually download a given item and open it in order to see what it's about.
– Can't copy attached images to the clipboard. Instead you have to press the download button, pick a folder, find it, copy the file (or possibly open it with an image editor when you need to copy the image itself), and then paste it where you want.
– Automatic entry names are dumb. For example for Android apps it just picks the package name (e.g. com.voyagerx.scanner) instead of the name of the app (in this example the corresponding app's name is vFlat, so not clear from the package name!).
And this is only the tip of the iceberg. I had many more issues than those with Bitwarden. None of these issues happen on 1Password.
What’s SSO and how do I put vendor API keys into it? Like one of the most important APIs we have is just 1 key and that’s it. I don’t think the vendor has heard the term “key rotation”
I would recommend you get some people with IT security knowledge on board, either permanently or at least to do a review.
For API keys you want to look into secrets management, for example Hashicorp Vault or OpenBao. AWS/Azure/Google Cloud also have their own secrets management features.
On top of this, prefer individual accounts and passwords over shared accounts.
Some services require shared passwords, keys, or tokens. Consider grouping them by sensitivity. Key to the kingdom shared accounts should be accessible only to a tiny number of people.
Finally, never send credentials over plaintext, such as email or Slack. 1Password and other password managers have a “share” feature. If need be, send a zipped and encrypted text file and share the password via a voice call.
Because people are lazy and not everyone wants to write a file, zip it, encrypt it, call someone, spell the password... Consider sending the password regularly over slack, wait a minute till the other side confirms they got it, and remove the message.
Mediocre solutions that people use are better than perfect solutions that everyone circumvents.
Slack works for us in a very small (<5) number of trusted long-time remote devs, but with two important conditions:
1. New/updated password(s) to be shared are in an encrypted Keypass file (encrypted with a preset and prearranged password that was only shared once offline). Recipient merges into their local keypass file.
2. Confirm recipient is online, send, confirm receipt, delete immediately afterwords.
We use many AWS services so obv all those are handled with AWS Secrets and IAM, so we only need to save the login pwd externally. And for services which support multi-user, Google, GitHub, etc., each user has their own pwd. So not many passwords need to be shared in the above manner. In daily use I keep KeyPass open and copy/paste passwords into the browser when needed -- nothing stored online.
Never pay the "SSO tax" by outsourcing to Okta, etc. There many FOSS IdP solutions that are usable with some customization and integration.
The SSO tax is the premium your vendors add to accounts that link with any IdP.
FOSS solutions like Keycloak are absolutely capable but it completely ignores the "tax" you pay in terms of maintenance and setup. For smaller teams, it's not feasible at all to keep something like that up-to-date and running smoothly (i.e. no downtime)
1Password is brilliant. They have all sorts of open source libraries and integrations on GitHub.
1password is solid, and works everywhere and in most situations. Features are however quite limited on the more basic packages
Unfortunately the SSO tax isn’t the worst. Most companies pay for it anyway.
In my experience (as in IC), the real issue is when the company don’t want to pay enough seats for everyone.
Honestly sometimes it makes sense when you don’t use the tool everyday but it’s a PITA.
I think, maybe, that SaaS companies should reflect on a (capped) per-day billing for those accounts.
And when you set up 1Password, make sure you also get the CLI going, so passwords & shared gunk that's needed to access other people's services can be scripted, and when the passwords, etc get rotated no-one needs to know because no-one needs to store them.
Agree. The trio of Okta + Bitwarden + AWS Secrets Manager covers most bases and has served us well.
The SSO tax is real though, especially if you're a < 50 person entity and don't need everything else that normally comes with "Enterprise" plans <sigh>. Shout out to the few enlightened/kind SaaS peeps that don't do this (e.g. Windmill.dev) !
You can even avoid using passwords altogether by using hardware security keys.