EDIT: Just want to point out that it appears that this software allows you to define access for different members of a team, but I haven't had a chance to try it.
... and the binary format makes KeePass merges impossible. Even if it's just you, if you have multiple computers you need to make sure you have the latest copy before adding something.
That's what's nice about pass, it plays nice with git, rsync, and just about everything else. Last write wins per credential. If you tack on history with git (or ZFS snapshots!) you have a central copy that you can share among a team.
Someone should make a slick UI atop a pass directory with a browser plugin.
Things like KeePass and 1Password don't scale well for teams/businesses. There are things like admin passwords that teams need to share (as bad as it is to share passwords, there are a lot of cases where there isn't another option). You can do something like store KeePass or 1Password in Dropbox, but it has issues. The vaults have a password, everyone using it needs to know the password, and everyone gets access to everything. You can't do something like share a billing password with someone in accounting, without also giving them all the root passwords. It becomes a pain to create a bunch of individual vaults for every sharing case, and keep track of and share the individual vault master passwords.
Enterprise password managers also have audit systems. You can see every password someone had access to, every password someone accessed, and who accessed a specific password.
I don't know if Passbolt is any good, it seems like it is off to a decent start. I've looked into enterprise/team password managers at every company I've worked for in the past 10 years; I've never found an open source one I trusted -- they all drop the ball in at least one critical area. And I don't trust the closed source ones either. It is a sad state of affairs, so I welcome new entrants into the space.
Not something one would fancy for a tool that handles sensitive data.
https://www.passwordstore.org/
It's a bash script.
I would love to be able to move away from their central repository and host our own solution with something like this. I just hope that any user testing is being done with some non-techies who don't know or care what a PGP key is.
Thanks for posting this, because the last time I had looked at 1Password for teams it didn't meet all the features of LastPass. I'll give it another look.
I didn't know gpgauth existed, but this is what they appear to be using (the site has a broken cert): https://gpgauth.org/
I've been investigating self-hosted team/shared password managers (with basic auditing features).
I chose RatticDB[1], but it looks like development has stalled.
Passbolt looks like an alternative worth investigating. Based on a quick look at the Git repo, it's been in development since 2012 (a shame I hadn't heard about it earlier) -- and it looks like Passbolt may be backed/bankrolled/funded by 'Bolt Softwares' (I have no issue with this - but I thought it's worth pointing out. I wonder if Bolt Softwares aims to commercialise the software in the future).
Is it possible to use Passbolt without a browser plugin?
Some suggestions (if the authors are reading):
* provide a more in-depth "features" page
* provide a demo account (so I don't need to sign-up/disclose my email)
[1] http://rattic.org/
Has anyone used both 1Password and Dashlane? Which one would you choose? Also, how is Dashlane for Teams?
1PW has a notion of vaults for grouping data, but anyone with access to the vault can see all of the credentials. This makes it really cumbersome with overlapping groups, which results in vault explosion. E.g., Marketing & Finance vaults have overlapping users, so you create a Marketing/Finance vault, and so on. You can see several questions about this issue in the forums.
Looks like the pricing is going to be $5/user/month for 1PW. I'm waiting for them to add individual item permissions and the ability to create custom groups. No 2FA either, which they have their reasons for. Auditing and reports would be nice.
I might end up going with LastPass for the more granular permissions. I really wish I could find a decently priced company credential/identity manager that can assist with things like automatically rotating passwords/access so I can more easily prevent staff from copying passwords into an unencrypted file, and get an audit log of who's accessing what. Dashlane has some notion of password resets but there's no control to script it for your own or client websites.
There's Thycotic but I don't think their Cloud version supports password changing (and I'm not interested in running a Windows server). There's also Manage Engine's PMP... but that interface also left much to be desired.
Any suggestions or advice?
Thanks
Not yet, same as key signing and manual keyring management. But hopefully we'll get there. Thanks for the positive feedback!
Given OpenPGP's use of custom KDFs [1], weak default hash functions (SHA1) and questionable ciphers (CAST5? really?), it certainly doesn't for me. While none of this falls under the "completely broken" category, it certainly could be better... My main concern with anything using OpenPGP is that it only takes one of these things to fall before a deep compromise is possible. There's a reason many cryptographers are anti-cipher choice.
It'd be quite possible to write similar using NaCl/libsodium and achieve a higher margin of security.
[1]: http://tools.ietf.org/html/rfc4880#section-3.7.1.3
EDIT: It seems my knowledge of this may actually be dated, GPG at least has shifted away from many of these defaults
https://lists.gnupg.org/pipermail/gnupg-announce/2014q4/0003...
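The "custom KDF" referred to at [1] is the iterated and salted string-to-key (S2K) function of RFC 4880 section 3.7.1.3. The following is an added worked example, not code from this thread, Passbolt or GnuPG, showing how the one-octet coded count expands into the number of octets hashed and how the key is derived; it defaults to SHA-1 only to mirror the default the comment criticises, and the passphrase and salt values are constructed for illustration.

```python
"""Iterated and salted S2K from RFC 4880 section 3.7.1.3 (added example)."""
import hashlib


def decode_count(coded: int) -> int:
    """Expand the one-octet coded count into the number of octets to hash.

    RFC 4880: count = (16 + (c & 15)) << ((c >> 4) + 6), so only 256
    distinct values exist, from 1024 (c = 0) up to 65011712 (c = 255).
    """
    if not 0 <= coded <= 255:
        raise ValueError("coded count must fit in one octet")
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def iterated_salted_s2k(passphrase: bytes, salt: bytes, coded_count: int,
                        key_len: int, algo: str = "sha1") -> bytes:
    """Derive key_len octets from a passphrase using S2K type 3.

    The hash consumes the byte stream (salt || passphrase) repeated until
    `count` octets have been processed. If count is smaller than
    len(salt || passphrase), the whole salt+passphrase is hashed once.
    When key_len exceeds the digest size, additional hash contexts are
    preloaded with 1, 2, ... zero octets and their outputs concatenated.
    """
    if len(salt) != 8:
        raise ValueError("RFC 4880 S2K salt is exactly 8 octets")
    block = salt + passphrase
    count = max(decode_count(coded_count), len(block))
    digest_size = hashlib.new(algo).digest_size
    contexts = -(-key_len // digest_size)   # ceiling division
    out = b""
    for ctx_index in range(contexts):
        h = hashlib.new(algo)
        h.update(b"\x00" * ctx_index)       # per-context zero preload
        remaining = count
        while remaining > 0:
            chunk = block[:remaining]       # last chunk may be a prefix
            h.update(chunk)
            remaining -= len(chunk)
        out += h.digest()
    return out[:key_len]


if __name__ == "__main__":
    # Constructed sample values; 0x60 is a commonly seen coded count (65536 octets).
    key = iterated_salted_s2k(b"correct horse", b"\x01" * 8, 0x60, 16)
    print(decode_count(0x60), key.hex())
```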
I'm pretty sure most sysadmins won't be a fan of installing node (or any runtime) for this.
I use Secure Notes in Lastpass, though, and I require those for bank details and credit cards.
Also, I'll only trust you if you can't read my information yourself. Meaning you only store information I can decrypt with my passphrase.
So excited to see you being open source!
Edit: as a user, I'll totally contribute pull requests!
Along with that, I would be interested in seeing the trust network being uploaded to an external backing service (Maybe in the same SQL database?) That way it can be hosted on Heroku!
Fantastic product. I'm going to take a real good look at it and host it myself I think. Just Heroku would have been 'easy.'