Hello everybody,

I’m looking for a password manager that I can share with the three other associates in my company. I often hear people around here talk about KeePass and Bitwarden, but I found several different options for each and I’m not sure how to choose. I’m not that tech-savvy: our main focus is stone and low-carbon construction, and my personal passion is understanding what happens when a joint between stones fails…

Our needs are:

  • We share several accounts that use a common email address. When a password is changed, it needs to be updated automatically for everyone.

  • We also have individual accounts. It’s not an issue if other associates can see those passwords, as they’re strictly for professional use.

  • We need the passwords to be synchronized across devices, so we’re willing to pay for a suitable solution.

Any help is welcome!

Edit:

First, thanks for all the answers.

After reading all the contributions I realised that for the moment we need something that works out of the box, as we don’t have a freelancer to help us anymore. When we find one we will consider changing the password manager, and many other things!

I will try to make a table with the pros and cons of the various solutions I will study from now on and to post it here.

So with all the insights my new criteria are:

  • various vaults (one shared, and individual ones),
  • probably European,
  • low maintenance: works out of the box, synchronised by the provider (for the moment).

Again, thanks a lot. I’ll keep you updated.

Edit 2:

I made a comparison table of the solutions hosted by the provider analysed so far:

| Name | Proton Pass | 1Password | Padloc | Bitwarden | Dashlane | Passbolt |
|---|---|---|---|---|---|---|
| Shared vault | Yes | Yes | Yes | Yes | Yes | Yes |
| Company location | Switzerland | Canada | Germany | US | France | Luxembourg |
| Company server provider | Proton | Amazon | DigitalOcean | Microsoft Azure | Amazon | GCP (Google) |
| Open source | Yes | Not clear | Yes | Yes | Partially | Yes |
| Linux client | Yes | Yes | Yes | Yes | No | Yes |
| Price / user | 4.99 € | 6.99 € | 3.49 € | 4.00 € | 6.00 € | 4.5 € |

Plans compared, as listed: Essentials, Business, Team, Team, business

To be clear, I don’t use Linux… yet. But I will probably not use it at work for a long time.

Edit 3: I updated the table with Passbolt.

Passbolt Enterprise is hosted on their own server, but the business version is hosted by Google.

  • rufuyun@lemmy.ml · 12 hours ago · 2 upvotes

    Just dropping in to say that 1. your job sounds awesome, have always been low key fascinated with natural building techniques myself, and this sounds similar. And 2., I am currently solving this problem with a spreadsheet at my job, and have been mumbling about a real password manager for quite a while, so I will make use of your findings :)

  • Broken@lemmy.ml · 2 days ago · 15 upvotes

    I vote for Bitwarden. I’ve used it for years and think it’s one of the best password managers.

    At my work we use RoboForm. It’s functional and not a bad choice, but Bitwarden is better IMO.

    • ki9@lemmy.gf4.pw · 14 hours ago · 3 upvotes

      I have been using vaultwarden, which is a rust implementation of bw.

      The guy that ported bw to rust originally named it “bitwarden-rust” until he got a copyright letter from bw saying not to use their name. Guy makes no money from the project but complied and renamed it to vaultwarden.

      Point is, I’m not promoting vaultwarden because I’m obsessed with rust… It’s just that I suspect that bw will soon decide that they have enough users and it’s time to enshittify for profit.

      • Broken@lemmy.ml · 14 hours ago · 2 upvotes

        I’m aware of vaultwarden and am considering self hosting my password manager. I literally almost installed it this weekend.

        I’m also aware of the shifts bitwarden has made to their open source roots that might change the future of the product. I do think they will focus on enterprise for profit and that leaves the consumer base in limbo, but I’m not necessarily convinced that will be “soon”. I still think today bitwarden is one of the best out of the box solutions.

        But to your point, yes I think that path is the one most orgs take as they grow.

    • eksb@programming.dev · 2 days ago · 11 upvotes

      I looked into VaultWarden recently, and I would be hesitant to use it for a business. In the latest release, you cannot create an organization because of a bug in the web ui (https://github.com/dani-garcia/vaultwarden/issues/6638), and the fix has not been released because their build pipeline is broken (https://github.com/dani-garcia/bw_web_builds/pull/224). I get it is the holiday break, but hosting it seems to require some hands-on maintenance.

      • desentizised@lemmy.zip · 2 days ago · 3 upvotes

        Interesting that the current version has this bug. I think around the time I started using Vaultwarden as my Bitwarden backend it was also said that the password-sharing should be treated as experimental, but I have had zero issues with it so far. The Web UI might not be super self-explanatory the first time round when it comes to sharing passwords with others but I mean as far as I know this is the work of a single Bitwarden-employee doing this in their free time. And once you have the org set up you don’t have to rely on the Web UI for any of the sharing, transferring, creating and whatnot anymore.

        If it is currently impossible to create new Organizations then I’m sure this week-old bug will be resolved fairly soon, probably with the next release.

        Either way OP said they’re not tech-savvy so they would probably need to hire someone to set this up for them, which I wouldn’t say is a ludicrous thing to suggest. Even with the level of encryption that this data is stored with you can never go wrong with the data sovereignty that comes with self-hosting. Once you have Vaultwarden in a Docker container with Watchtower updating it regularly it’s zero maintenance as far as I’m concerned.

  • Ŝan • 𐑖ƨɤ@piefed.zip · 1 day ago · 4 upvotes, 1 downvote

    KeePass is great if you want to share everyþing.

    gopass is specifically designed for your use case. Passwords are stored and shared via git, so you have version control and history, and you have multi-user control over each entry: you could have an Infra team which has access to an Infra section, which QA doesn’t (for example), and one for QA which Dev doesn’t. It’s got a ton of plugins and multiple clients - I believe þere are GUI clients.

    It isn’t my system of choice, mainly because metadata isn’t encrypted. E.g., þe organizational hierarchy and record entry titles are clear text. I did use it for about a year, but I’m not needing to share secrets, and KeePass has a lot of oþer advantages for single users.

    • communism@lemmy.ml · 1 day ago · 3 upvotes

      OP said they’re not that tech-savvy. gopass is likely overpowered for their use-case.

    • Anon518@sh.itjust.works · 1 day ago · 2 upvotes

      That doesn’t prevent users from changing account passwords though right? Say you give access to someone to manage your social media (or some other important account), they could log in and change the password and email and take over the account.

      Do you know of a way to protect against employee/partner sabotage?

  • Master@sh.itjust.works · 1 day ago · 3 upvotes

    I use keepass and put the database on a free dropbox account so it syncs with everyone who uses it and then back it up to the work server.

    It takes like 2 min to set up.

    • Anon518@sh.itjust.works · 1 day ago · 3 upvotes

      Doesn’t that mean everyone has admin access to the full database and all accounts? You’re putting full trust in everyone that no one will make a mistake, or purposefully sabotage the db or accounts.

      • desentizised@lemmy.zip · 2 days ago · 3 upvotes

        Like I said in my other comment, Vaultwarden is probably not something you could set up yourself but it would basically give you the paid featureset of Bitwarden within all the Bitwarden apps and browser plugins at zero cost or whatever hosting it in the cloud would cost you.

        Personally I’d rather have my (albeit thoroughly encrypted) password data on hardware that I control than giving it to someone else. Data sovereignty is something you can’t really “buy” into. Whether your company can justify paying a freelancer or some specialist to do the initial setup is a different question which I think can be answered while imagining a worst case scenario of a company like Bitwarden or 1Password getting hacked. Passwords are never stored in plaintext of course but things like personal or credit card data for example can still get compromised when using a readymade subscription.

        • Sirius006@sh.itjust.works (OP) · 15 hours ago · 1 upvote

          I think you are right, but as I said elsewhere, for now we are looking for a solution that works out of the box as we don’t have time and energy for maintenance, but I realise this has drawbacks.

          For the past 8 years a friend of mine used to help me with technical stuff as a freelancer, but he found a full-time job recently and I haven’t found/looked for a replacement yet. When I do I’ll consider self-hosting the password manager, and many other things that need improvement anyway…

          • desentizised@lemmy.zip · 13 hours ago · 2 upvotes

            It’s a completely fair standpoint. You have to look out for your business first. I’m just the sysadmin trying to weigh some counterpoints because I deal with threat aversion and infrastructure hardening on a day-to-day basis.

            Once one has a solution that’s at least good enough people will usually stick with that, which is also fair. I know that the decisionmakers who pay my salary can’t have me follow every tech lead where my hourly wage goes to something that’s not a direct moneymaker.

  • carl_dungeon@lemmy.world · 2 days ago · 16 upvotes, 3 downvotes

    We use 1Password for exactly this. It has team vaults, and supports MFAs, mobile, browser, desktop, etc. Been very happy with it for the last few years.

    • LedgeDrop@lemmy.zip · 1 day ago · 3 upvotes, 1 downvote

      I use 1Password at work. It pretty much ticks your boxes. With 1Password, a collection of passwords is referred to as a vault.

      • you can share passwords, either permanently or temporarily (and even with people outside of your company).
      • vaults can be shared with people in your company (so you just add all your secrets to the vault)
      • by default each person gets a “personal vault”, which is not shareable (but you can temporarily share secrets in the vault, if you want to).
      • nobody can read the content unless you share it with them (or one of your client apps gets exploited)

      As the OP mentioned, it “just works” with everything.

      My only gripe with it is that it’s a bit cumbersome to log into the website (you basically have two passwords, plus MFA)… but if you’ve got the browser extension installed, it’s painless. The other gripe I have is, it’s tricky to have an overview of what passwords/vaults already exist. So, if you have enough people, it’s inevitable that passwords will be accidentally duplicated - and no one will have a clear idea what was duplicated and who has access to it (unless you’re a member/owner of a vault).

      You mentioned you wanted something “hands-off”, I think that after the initial setup, you’d get just that.

    • Sirius006@sh.itjust.works (OP) · 2 days ago · 3 upvotes

      Thanks, I didn’t know about this one.

      Do you know how they are on the moral side? The solution doesn’t seem open source, but I guess there are other things to look at.

      • carl_dungeon@lemmy.world · 2 days ago · 4 upvotes, 1 downvote

        Can’t say on that one. For us it was a matter of features and price - it’s pretty reasonable and very well supported. I can understand your other considerations, they just weren’t #1 for our team.

  • Libb@piefed.social · 2 days ago (edited) · 11 upvotes

    Bitwarden (paid tier) will give you:

    • personal ‘vaults’ (each user their own)
    • shared vaults between members of the same group (instant sync between allowed users)
    • Web version, Windows, Mac & Linux and mobile iOS/Android.

    1Password will give you the same in a nicer package, but is also more expensive (edit: also it is not-US based… at least for now)

    You can also use an app like KeePassXC and store your password database in a shared end-to-end encrypted cloud service (say, Filen.io) and give access to whomever you need to share it with, but it’s more hassle, imho not what someone at their working place should bother with.

    • Sirius006@sh.itjust.works (OP) · 16 hours ago · 1 upvote

      As I just mentioned elsewhere: I didn’t realize it when I posted, but after the feedback I think I’ll buy European… but Canadian might be ok too. Why do you think 1Password might become US-based?

      • Libb@piefed.social · 14 hours ago (edited) · 2 upvotes

        > Why do you think 1Password might become US-based?

        I was half-trolling, but only half, based on what the almighty Donald said regarding Canada (and Greenland) having to become part of the US…

  • partofthevoice@lemmy.zip · 1 day ago · 3 upvotes

    I’ve used Infisical, AWS Secrets Manager, Keeper, and KeePass. How do you want your users to interact with the password solution? How do you want passwords to be modified, manually or automatically? If automatically, how do you expect that to happen (e.g., user changes password on the host site, and you want a modal to pop up that asks you to update it in the password manager)?

    Do you want support for 2FA codes, passkeys, RSA keys, password generation? Do you want the password manager to install a browser extension to automatically fill passwords on host sites?

    What’s your budget? What’s your team’s experience with programming (e.g., Python)?

    • Sirius006@sh.itjust.works (OP) · 16 hours ago (edited) · 2 upvotes

      Our experience with programming is pretty low, and unfortunately we really don’t have much energy and time to put into this. Therefore we want it to be hosted by the provider and to work out of the box. Also, one of the associates is not only not tech-savvy, but more like anti-tech in general (he is specialised in the restoration of historic buildings, so it is part of his whole personality). He has and uses a computer of course, but I had a hard time convincing him to get a smartphone (I bought him a Fairphone with /e/OS pre-installed and said he would not be tracked with that. I have the same. I didn’t know about Lineage and Graphene at the time, but that would be too complicated/time-consuming for me to maintain).

      Also, as I just mentioned elsewhere: I didn’t realize it when I posted, but after the feedback I think I’ll buy European. So now I’m looking at Proton Pass, Padloc, Dashlane and others…

      The budget can be around 5€/user without problems.

      I’ll try to find time to make a table with all the solutions I looked at and to post it here.

    • Sirius006@sh.itjust.works (OP) · 16 hours ago · 1 upvote

      I didn’t realize it when I posted, but after the feedback, I think I’ll buy European, which unfortunately rules out the best options mentioned so far in this thread. Proton Pass is probably the best option so far.

  • witness_me@lemmy.ml · 1 day ago (edited) · 3 upvotes, 1 downvote

    If you’re not opposed to something hosted outside of your control, 1Password is pretty good. Syncs across devices, has user management, vaults can be shared with other users, and it’s available everywhere.

    Never mind, this is the privacy community. I don’t think 1Password fits if you want a self hosted solution.

      • Sirius006@sh.itjust.works (OP) · 16 hours ago · 2 upvotes

        Well, it seems I screwed up on this end: after reading all the comments here I think we’ll choose something hosted by the provider. We don’t have much time to invest in the issue, and we are not very competent if the thing needs maintenance.

        For the past 8 years a friend of mine used to help me with technical stuff as a freelancer, but he found a full-time job recently and I haven’t found/looked for a replacement yet.

  • artyom@piefed.social · 2 days ago · 3 upvotes

    > I found several different options for each and I’m not sure how to choose

    KeePass is local-only, so probably a no-go there.

    Bitwarden is very explicit as to what’s included at each price point. Do you have specific questions?

    Proton Pass is another good option. They even offer a (nearly) full suite of business tools if you’re into that.

        • HejMedDig@feddit.dk · 2 days ago · 3 upvotes

          It’s set up with a keyfile and password to unlock. Database is in the cloud, keyfile on the devices + a 15 character password to unlock the database. The more vital ones also either require verification through my government issued digital ID or 2FA, so I’m feeling ok safe

    • Sirius006@sh.itjust.works (OP) · 2 days ago · 4 upvotes

      Thanks, I forgot to mention this, but I’d feel much more comfortable with something that cannot be forced to send my data to the US (I’m in Europe). Unfortunately, the best options mentioned so far in this thread are not based in Europe, but I’ll look into this list.

      • doodoo_wizard@lemmy.ml · 1 day ago · 2 upvotes

        Do you mean the US government or just into US jurisdiction?

        I’m pretty sure that even with a service based in another European nation whose servers are in that nation you couldn’t rely on either…

        • Sirius006@sh.itjust.works (OP) · 15 hours ago · 1 upvote

          You are certainly correct.

          For now we are looking for a solution that works out of the box as we don’t have time and energy for maintenance, but I realise this has drawbacks.

          As I said elsewhere, for the past 8 years a friend of mine used to help me with technical stuff as a freelancer, but he found a full-time job recently and I haven’t found/looked for a replacement yet. When I do I’ll consider self-hosting the password manager.

          • doodoo_wizard@lemmy.ml · 13 hours ago · 2 upvotes

            Oh I wouldn’t self-host that, all I was trying to do was examine what business or compliance reason you might have for wanting to stay out of servers in US jurisdiction or not use a service that might be subject to US laws.

            • Sirius006@sh.itjust.works (OP) · 12 hours ago · 1 upvote

              Oh ok. In fact the reason I’d prefer it to be in the EU is more a “the US and its tech is in a downward authoritarian spiral so the fewer services I have there the better” thing. It’s more a moral stance than a practical thought. But of course my country is in the same spiral (a few years late) and my mother’s family is from another EU country that went to shit a while ago…

              • doodoo_wizard@lemmy.ml · 12 hours ago · 2 upvotes

                If it’s simply putting your money where your mouth is then that’s perfectly good.

                If you’re worried about being in the crosshairs of that intelligence apparatus it would be good to limit what information stays outside the encrypted vault of whatever password manager you choose no matter where the service is based or servers are located.

                The mullvad port forwarding takedown is a great example of legal denial of service if you’re wondering to what extent these different agencies collaborate across oceans and borders.

  • helpImTrappedOnline@lemmy.world · 1 day ago · 2 upvotes

    > We also have individual accounts. It’s not an issue if other associates can see those passwords, as they’re strictly for professional use.

    Individual accounts should not be accessible by others. Especially things like email, someone can abuse that really badly. You also have to trust everyone with access to not share the data with everyone else, because at some point they’re going to stay logged in somewhere. Or they will give the password to someone because it’s easier than signing them in all the time.

    • chillpanzee@lemmy.ml · 1 day ago · 2 upvotes

      Philosophically yes, but it’s not always avoidable. Where I am, a small business owner has to work with numerous dysfunctional government agencies, banks and other institutions that are all stuck in the 1990s from a security point of view. And managing the shared secrets isn’t nearly as painful as trying to deal with the godawful SMS-based 2FA that they all force on you.

      • jnod4@lemmy.ca · 1 day ago (edited) · 3 upvotes

        Ehm how about everyone has their own outlook business account and then y’all just share an alias? Or just use forwarding or sth?

        • chillpanzee@lemmy.ml · 1 day ago · 2 upvotes

          Sorry, I wasn’t as clear as I thought… I’m not suggesting they all share their individual email accounts. I’m saying that the need to share login credentials for all sorts of online accounts is pretty common and hard to fully avoid. Aliases work fine for that sort of thing, but you are still sharing credentials to a common account, and it’s still a massive PITA for 2FA.

          • Sirius006@sh.itjust.works (OP) · 16 hours ago · 1 upvote

            Well… We also have some bad practices that I need to fix. For some providers, the login is one of our email addresses and everyone uses it. We also share email accounts but we were not really meticulous so far… I’ll change that.

            So we need a password manager with shared vaults as well as individual vaults.

            • chillpanzee@lemmy.ml · 6 hours ago · 1 upvote

              I use Bitwarden. My non-techie family has also embraced it. I think it’s quite good and reasonably priced.

              I’ve used Dashlane and 1Password in the past, and I prefer Bitwarden. But probably several commercial options get it done.

              I’m not sure KeePass will deliver the works-everywhere simplicity you probably need.