Ask HN: How do you manage passwords in teams?

you don't - you use an directory (LDAP, Active Directory) or AAA service (RADIUS,TACACS+) to manage that. There should never be a shared password. If it is a cloud shared service, same rules apply. You have to know who did what when, and with a shared PW you cannot. Even if all people have the same privileges, you gotta know who did what.

You should first ask yourself why you have the shared password at all. Unless there is simply no other way, shared passwords and logins should be avoided for the obvious reasons.

Next you need to document the procedure for resetting each of these passwords and accounts when an employee with access is fired or quits. Resetting the password needs to happen the minute the employee leaves the building.

As for documenting the password itself, the best approach is a shared document or file with built-in access control and auditing so you can tell exactly who has seen this document (for instance, google docs. Or an "enterprise" wiki).

While you can't use technology to prevent it, there should be a policy that employees cannot distribute these passwords, period. This is why having the password reset procedure is so important.

I'v used a shared dropbox folder with a KeePassX instance in it with a shared password for that container. If needed we could just change the password on the KeePassX container and/or remove the access to dropbox.

I researched this 3 years ago for our startups and couldn't find anything really good that lets me easily and securely share passwords on a need-to-know basis to team members and see who has access to what. Which baffles me because this is a problem that every single startup and small company must have.

In the end, we went for https://www.passpack.com/. They're clearly a small shop but it's been designed from the ground up for teams, they appear to care and know what they're doing when it comes to security (only have their word for it though obviously). Their web interface doesn't look like much but it's insanely fast and really well thought out, making inputing and looking for password really quick and easy. For some reason their pricing is ridiculously low - it costs next to nothing.

Two bad points: no native mobile app, making it a huge pain to look up password on the go + paranoid on the security front, which means that logging in is always a big pain. That unfortunately means that we were never able to convince anyone to really embrace it. Convenience and security is always a balancing act and Passpack is definitely leaning on the security side (understandable obviously). TBH, if they had a good native iOS app, I think it could make a difference for them. Instead of being this really annoying tool you're forced to use at work, they could become something that everyone uses as part of their daily personal life which would make it easier to get it adopted at work.

There are still a lot of service providers that don't support multiple user accounts per organization, so if you want to share admin privileges (a good idea for redundancy) you're forced to share credentials.

We used LastPass [1] for the following reasons:

1. Works across multiple OS and device types. 2. Passwords can be either "shared" (used to auto-fill forms but not viewed) or "given".

When we did a small layoff, I insisted that we quickly change the passwords for everything [2], and LastPass made it a no-brainer to distribute the new passwords around the organization.

[1] http://www.lastpass.com/ [2] It felt somewhat harsh at the time, but I'm glad I insisted on this, because shortly after one of the founders started hypothesizing that a software bug might be due to ex-employee hacking. I was able to squash his paranoia by reminding him that the exes no longer had access. Eventually we determined that it was a pre-existing bug.

The ideal is to avoid shared passwords on role accounts -- have individual user accounts with user-selected passwords (and ideally MFA), with the ability to then selectively upgrade access to role accounts.

I generally use 1Password standalone, but it's a bit weak for sharing.

1Password because life's too short to use LastPass.

There's no good way to share the passwords though... unlogged chat / IM / onetimesecret.com

Use a password safe (sometimes called a vault)! A password safe is an encrypted database that allows you, and your team, to securely store and share passwords. Basically, it is a free piece of software that is cross platform (win, mac, linux), simply store it on a shared drive, and give your team access, they use a common password to access the safe, which holds the other passwords. Create multiple safes if you need segregation i.e. dev safe, sysadmin safe, network safe, etc. I have created a screencast about this @ http://sysadmincasts.com/episodes/7-why-you-should-use-a-pas...

p.s. please, please, please do NOT use a cloud based solution to store your passwords! These are your crown jewels, do not outsource this!

Lastpass. You can set up individual and group sharing, and revoke privileges as needed.

Plus they've been hacked and proven that provided you use safe passphrasing on your part, your data cannot be comprimised.

While I use 1Password myself, a few companies I've worked for now have been using Passpack (https://www.passpack.com/en/home/) which provides a neat way to "share" passwords securely in the event that an employee leaves so you don't lose any accounts. This is in addition to AD or Google Apps depending on the company's infra.

We use Meldium[1] with Google Apps login to manage our passwords.

[1]: https://meldium.com/

With my last client we used to have a spreadsheet on Google Docs. Not at all secure but people weren't putting bank passwords in that either. More like test logins to various WP sites we had and stuff.

Boris from http://meldium.com (YC W13) here. We've built a solution to help teams do just this and our customers include companies like PagerDuty and Hipmunk. Ideally, you never have to share passwords as everyone on your team would have an individual login. Major cloud services like Google, Salesforce & co handle this well. However, there are still thousands of web apps out there that have yet to build a multi-user experience (it's a lot of work). Meldium allows you to bring all of these modes together: whether you want multiple people to access your team's Twitter account or you want to add/remove an employee from all your cloud services with one-click.

Unlike a lot of other password managers, you don't have to share a whole vault. You can choose exactly which applications various team-members should have access to. Even better, Meldium automatically logs users into their apps on Firefox and Chrome (more to come).

We've been doing research on this at StartHQ (https://starthq.com) since we offer a web app launcher and new tab replacement extension (like the old Chrome New Tab page, but better) & SaaS password management would be a logical extension to that.

Out of the 20+ companies we've interviewed so far one had heard of Okta & none had heard of Bitium and Meldium, the main players in this space. One was using LastPass.

Most do not have a strict password policy and the current solutions include storing them in other web services like Trello and Google Docs, or sharing logins within a team using post it notes or via email.

One trend that I've clearly spotted though is the use of Google Apps to consolidate identity management in the cloud. This is often synced with AD via LDAP. Whenever possible, companies encourage but do not enforce the use of Google for logging into third party services. This makes offboarding a lot easier and that is the main pain point, as opposed to onboarding of new employees. This is further confirmed by SaaS providers saying that they see up to 60% of all their logins being done through Google Apps.

At our company, we use our own solution: "nCryptedCloud" (http://ncryptedcloud.com), client-side encryption software that secures your files before they go into the cloud (Dropbox). We don't keep the data, just the knowledge how to open that data (key). We don't even have a link between the file and the key, the file contains the key's information. This way, using dropbox shared folder, you can manage a secure sharing experience that allows you to revoke access to anyone in the future. It's free. Check it out and let me know if you have any question :)

1Password 4 introduces password sharing over iMessage/email and also supports shared password vaults.

https://agilebits.com/onepassword/mac#sharing

I've had a lot of luck with Roboform Enterprise and KeePass. Storing the passwords in a place folks can find them has never been a problem- in a protected spreadsheet, in a heavily-locked down Sharepoint site, or in an internal-only Wiki. The real hassle is changing them all when an employee leaves, which happens a lot. Roboform has been great for storing those passwords, protecting them, and keeping us from having to give plaintext access to the passwords where it isn't required.

When you have 20+ techs accessing many different systems for many different clients each day, that feature was huge.

I am using cpm[1] with the revision control recipe[2], storing the encrypted file in our local Gitlab[3].

[1]: https://github.com/comotion/cpm [2]: https://github.com/comotion/cpm/wiki/Revision-control [3]: http://gitlab.org/

Personal.com has a solution for this. It is cloud-based, with strong crypto and no need/motivation to see your data = secure. Secure Share is built-in and allows each team member to manage the passwords they are responsible for and share them with exactly the individuals that need access to them. Access can be revoked allowing you to revoke/change password on a regular basis, or as needed.

LastPass could be useful: https://helpdesk.lastpass.com/features/sharing/

Feature summary: https://addons.mozilla.org/en-US/firefox/addon/lastpass-pass...

My company uses LastPass. It's a nice service. - The admin will have control over what service you need to have access to. - Change password often and will be accessible by team mates without having to remember anything.

Simplifies a lot of other things, all you have to remember is the master password.

We all use 1Password; up until the new version it was a PITA to share passwords though. Tended to be a 'shout it out across the office' thing.

So we built a little hackday prototype to help out: http://shhare.io/ . Would love feedback!

Meldium -- https://www.meldium.com/

Our product allows you to do this: Team Password Manager (http://teampasswordmanager.com)

It's specially designed for companies that manage lots of passwords across lots of projects. It's a self hosted solution.

We use KeePass databases saved to a shared drive. We each know the password to that, and have the key file on our client machines. To access it remotely we must first VPN into the network.

We're just starting to look at AuthAnvil. Anyone have experience with this?

We are using LastPass for credentials to external services (e.g., Amazon Web Services, Twilio, Tropo). It has the advantage that all encryption/decryption happens on the client, so passwords are not stored in cleartext on LastPass's servers.

Someone I know is working on that open-source project : http://sflvault.org/

It's from "Savoir Faire Linux", a consultant shop that implements Linux solutions in various enterprises.

We GPG encrypt them and put them in Dropbox. Kip is used to handle encryption/decryption: https://github.com/grahamking/kip#readme

Password State [0] is excellent, has a pretty good feature set, and good support.

[0] http://www.clickstudios.com.au/

All three of us know it - i guess it depends on levels of trust.

We use SimpleSafe (https://www.simplesafe.net/) which is self-hosted and pretty simple to set up.

We use http://teampassword.com/, no fuss, fantastic customer support and a pretty UI.

Just GPG on a text file, checked into a private Github repo.

It's actually a great excuse to give business and designer types an intro to Git / command line.

We wrote our own app with defined security levels etc.. It had to be audited for security/finance reasons etc, so we had to control it.

Check out Secret Server by Thycotic. I implemented this at my work and it turned out to be a great turnkey solution.

We simply use a MediaWiki with some Categories. Installed local on a webserver where everyone has access to it.

my smaller clients use keepass or https://lastpass.com/

We used to use PHPChain

Password Gorilla.