> gets very pricey with 10k users
With that many users you don't pay the advertised prices. You schedule a call and they make sure you get an affordable offer.
> The average employee likely has 10-20 (hopefully) different sets of credentials that they must maintain and update as necessary
Time for azure, auth0, okta, or some other sso provider to just get rid of the passwords?
LastPass is great. We can share credentials and secrets through it. There's a feature where you can even share the login to a site on it, but they can't view the password - only lastpass can fill it up.
I've used 1password at my last two companies and I wouldn't go back to anything but maybe Bitwarden, which is practically a 1p clone. Last time I used Bitwarden it didn't work with either my Macos fingetprint reader or face unlock, I forget. It was an electron limitation IIRC, and this was years ago.
I don't face any annoyances sharing passwords with 1pass like I used to with lastpass, secretserver, etc. It's a smooth experience all the way.
Not the organization as a whole, but some small teams use them. We use KeePass for most important passwords and API-keys. The master password is a prefix and a part from personalized Yubikeys for each member accessing the store.
A larger org would probably need a manager with extended access management, I am not sure if KeePass has such features yet. I think BitWarden does have an extended AD integration, but I am not sure if it is just to import users initially or if you can use AD authentication to access the key manager itself.
If you're signing up 10k users. I'm sure the pricing for 1Password won't be 7.99.
Alternatively, have your tried SSO'ing everything?
We don't have use a password manager for most users, but for those with access to many and varied accounts (like IT and anyone dealing with social media) we use VaultWarden, which is a FOSS re-implementation of BitWarden. We don't do any browser or AD integration though.
A table in confluence with clear text passwords :(
If your company has that many users why not self-host some open source solution like KeePassXC. The cost for having your IT employees host and manage it is probably less than the cost of a commercial product, even after negotiating a special contract with them.
Of course, the UX of the free solution will never compete with the commercial solutions. If you want that, you have to pay.
Yeah, everything shared is on 1password. Everything else is Okta with 2FA. But the authentication flow is made very simple so you don't get frustrated.
My personal benefit was that the convenience of using password managers finally pushed me to use Bitwarden+2FA on all my personal devices.
We use Passwordstate. It's the slowest password manager I've ever used by a large margin, and one of the slowest websites I've ever used period. I don't know if it's inherent to the application or if it's how it's deployed for us.
We use Keeper, and I hate the UX. Would much rather use 1Password or BitWarden, but alas, the IT powers that be have spoken. Better than nothing. We do share creds through it, so that’s nice.
I think what you should be looking for is a Single Sign-on solution that integrates with your different systems and applications. It's a necessity when trying to have audit logs and proper and secure onboarding and offboarding solutions.
Things like Okta, OneLogin, GCP, AWS, Auth0 or Keycloak (self-hosted). A lot of products nowaday offers SSO integrations but often unfortunately at the highest tiers - see https://sso.tax/
Passbolt is a great open source option: https://www.passbolt.com/ It has the team collaboration functionality and is free & OSS. We run it on Digital Ocean via Docker. Once you get it working it's pretty fantastic- it has a Chrome/Brave extension that works just like 1Password and LastPass for auto-filling credentials. Highly recommend.
Yes, we use secret server which works very well and we are happy for it https://thycotic.com/products/secret-server/
You could possibly host https://www.passbolt.com/ on your own servers and reduce the cost for your org.
I am sure, 1Password will be more than happy to offer you a discounted rate
Our company uses LastPass.
I don't know if AD integration is available. Ours is federated so that if you are logged into Google Chrome / Workspace then you are also logged into the LastPass plugin.
Postit notes stuck to the monitor. For security purposes I make sure to not say which password is for which account.
Could a central directory for Gpg keys, accessed via Pass/Yubikey, be a solution?
How about AWS KMS?
we have a corporate 1pass account and I have a personal lastpass account. we use okta for SSO but 1pass is still absolutely essential IMO. I need to keep track of lots of secrets that aren't in okta (eg gitlab tokens and stuff like that).
We used Okta (SSO) for a long time which is $2 per users afaik.
Yes. BitWarden.
Yes
> The average employee likely has 10-20 (hopefully) different sets of credentials that they must maintain and update as necessary
That's your red flag right there. All identities that are tied to individual people should be connected to SSO in some way, then there will be no juggling of passwords at all on the individual-person level. Then you only need some 2FA solution on top in your identity provider, for instance TOTP or FIDO, and you're all set. (Corollary: If at all possible, only pick external services that can plug into your company's own SSO.)
For credentials not tied to individual people, e.g. root passwords on devices, my org uses HashiCorp Vault, and we're mostly satisfied with it. It's a bit of a struggle to configure the policies so that each group of (human/technical) users only has access to the secrets that they actually need, but I won't put the blame for that on Vault.