I'm curious if anyone has experience with an enterprise/corporate level password manager. Ideally, it would be tied to the user's AD profile so when they log in to Windows they would just need to enter their master password and it would integrate with the browser to prefill passwords just like 1Password, or BitWarden.
Looking at 1Password's website, it's 7.99 USD per user/month which gets very pricey with 10k users. I'm curious what other folks on HN are using. I appreciate your feedback!
That's your red flag right there. All identities that are tied to individual people should be connected to SSO in some way, then there will be no juggling of passwords at all on the individual-person level. Then you only need some 2FA solution on top in your identity provider, for instance TOTP or FIDO, and you're all set. (Corollary: If at all possible, only pick external services that can plug into your company's own SSO.)
For credentials not tied to individual people, e.g. root passwords on devices, my org uses HashiCorp Vault, and we're mostly satisfied with it. It's a bit of a struggle to configure the policies so that each group of (human/technical) users only has access to the secrets that they actually need, but I won't put the blame for that on Vault.
We rely on all kinds of industry-specific applications that only support username/password (and SMS OTP if we're lucky). After that, there are a bunch of services that do offer SSO but only if you pay stupid money. For example, we spend about $100/month on Twilio but their SSO plan starts at $15k/month.
SSO seems like the only way SaaS companies can make money, and what this HN post tells me is that even enterprises with 10k employees (!) still find that to be a little out of their price range. The state of the industry is kind of crazy, but that's why people are looking for an enterprise 1password account. Cheaper to pay them once than to pay 1000% markup on every SaaS you use.
Orgs should support what people do.
If you think I'm being hyperbolic, I'm not. Our org has recently gone through a PCI DSS audit, and there was a lot of frustration about the amount of required changes with regard to locking down access policies, tracking suspicious activity, enforcing 2FA and such, but most of the stuff that I saw change was stuff that feels like it really should be entirely obligatory in the first place.
There is a great tradition in IT of teaching yourself using free (as well as free-of-charge) software, but when you're in the business of IT, there should be much stricter regulation. If you're a civil engineer and the bridge you design collapses because you did your math wrong, you are criminally liable for the damage. But if you're a software "architect" and you negligently put an instance of database-du-jour on the internet without proper access controls or a vulnerability tracking process, you most often get away with just saying "whoopsie-daisy" and giving a flimsy apology to the millions of customers who had their personal data stolen. Worst case scenario, you get a fine of a few percent of your earnings. That has to end.
With that many users you don't pay the advertised prices. You schedule a call and they make sure you get an affordable offer.
> The average employee likely has 10-20 (hopefully) different sets of credentials that they must maintain and update as necessary
Time for Azure, Auth0, Okta, or some other SSO provider to just get rid of the passwords?
Even if they charged $0.50 per user, that would be $5k/month. I could go in as a consultant and charge half of that to set up Vaultwarden integrated with their AD in maybe 2 lazy days, and offer a support contract for $500/month. It's not even that much of a rare skill. I'd guess you could randomly select /r/selfhosted users and I'd give 10% odds of finding someone who has done it already and would even offer to do it for less.
Yet, I think that most managers would simply prefer to go through all the negotiation meetings, all the internal procurement process just so they can justify the big boy expenses.
That's a very simplistic view of how it works in even a medium sized real company. Google SSO is already available for many external services you might use which is a lot easier to integrate than doing and maintaining something yourself. Especially because if there's an issue it's blocking everyone in the company at the same time. It makes sense to outsource that if it's not your core business.
You're saying $500/month, but my response would be: this is half a full-time IT support position and it needs a secondary + on-call cover.
You go with companies that can demonstrate scalability because they provide project governance, proper change management, and layers of redundancy and support in the event of an emergency.
I can see how it might not be the solution you want for home, but at work I'm just trying to get things done and that unfortunately involves a large number of passwords that can't easily be federated into an SSO like Okta because they span businesses, clients and companies. I don't understand the hate for LastPass; for me it just works (tm).
Prime example of LastPass security theater: what exact problem did they think this feature solved?
Sure, it's not too hard to get around that feature; you could just inject your own JavaScript on the page to dump the contents of the password field. But it does block the low-hanging fruit of the millions of users who don't know how to do that, who might abuse having access to the password because they don't really know better.
In essence, it helps to prevent those users who don't know better from leaking the password to places it shouldn't be. Obviously it doesn't prevent people who know how to get around it from getting around that protection, but in those circumstances you shouldn't really be sharing your password with someone who will abuse your trust.
Is there anything that stops someone from letting LastPass fill the field, then use the browser tools to change the form field from `password` to `text`?
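Nothing in the browser stops that. The snippet below is an added example, not code from any commenter or from LastPass, and `dumpPasswordFields` is a hypothetical name. It shows both routes the two comments above describe: once a manager has filled an `<input type="password">`, any script with access to the page (the devtools console, a bookmarklet, a browser extension, or injected script) can read the cleartext `value` directly, and can also flip the field's `type` to `text` to unmask it. The masking is presentation only, so a "don't show the password" feature in the manager is a UX nicety, not a control against anyone who holds the browser profile.

```javascript
// Added example (not from the thread): demonstrates why hiding a filled-in
// password is not a security boundary. `root` is a Document or Element;
// the function name and option names are hypothetical.
function dumpPasswordFields(root, { unmask = false } = {}) {
  // querySelectorAll returns a static list, so changing el.type below
  // does not disturb the iteration.
  const fields = root.querySelectorAll('input[type="password"]');
  const found = [];
  for (const el of fields) {
    found.push({
      name: el.name || el.id || "(unnamed)",
      value: el.value, // cleartext regardless of on-screen masking
    });
    if (unmask) {
      // Same effect as editing type="password" to type="text" in devtools.
      el.type = "text";
    }
  }
  return found;
}

// Run in a browser console or as a bookmarklet after the manager has filled
// the form. Guarded so the file also loads under Node without a DOM.
if (typeof document !== "undefined") {
  console.log(dumpPasswordFields(document, { unmask: true }));
}
```

Any extension with page access, or any XSS in the login page's origin, can do exactly this, which is why the real control is not the masking but deciding whose browser profile the credential is allowed to be filled into at all.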
I don't face any annoyances sharing passwords with 1Password like I used to with LastPass, Secret Server, etc. It's a smooth experience all the way.
A larger org would probably need a manager with extended access management, I am not sure if KeePass has such features yet. I think BitWarden does have an extended AD integration, but I am not sure if it is just to import users initially or if you can use AD authentication to access the key manager itself.
Alternatively, have you tried SSO'ing everything?
Of course, the UX of the free solution will never compete with the commercial solutions. If you want that, you have to pay.
My personal benefit was that the convenience of using password managers finally pushed me to use Bitwarden+2FA on all my personal devices.
Do you work at TechnologyOne? :-P
Things like Okta, OneLogin, GCP, AWS, Auth0 or Keycloak (self-hosted). A lot of products nowadays offer SSO integrations, but often unfortunately only at the highest tiers; see https://sso.tax/
I am sure 1Password will be more than happy to offer you a discounted rate.
I don't know if AD integration is available. Ours is federated so that if you are logged into Google Chrome / Workspace then you are also logged into the LastPass plugin.
How about AWS KMS?