Ask HN: How to store and share passwords in a company?

Reduce Passwords via SSO and Identity Management

  • Strong consensus: the best “password strategy” is to avoid passwords where possible.
  • Use SSO (SAML/OIDC) with an IdP (e.g., Google Workspace/Microsoft 365/Okta/Keycloak/Entra ID) so each person has their own account and access is auditable.
  • Pay the “SSO tax” for critical SaaS where feasible; some complain it’s expensive or tied to enterprise tiers, but most agree it’s worth it for security and offboarding.
  • Concern: SSO and IdPs are single points of failure; mitigations include MFA, device constraints, and careful vendor choice (or self‑hosting, which adds operational burden).

Password Managers for the Remainder

  • Widely recommended: company-wide password manager rather than ad‑hoc Google Sheets/docs.
  • Common tools discussed: 1Password, Bitwarden (incl. self‑hosted Vaultwarden), Keeper, Passbolt, KeePass(+server), Passwordstate, Zoho Vault.
  • Desired features: shared vaults/collections, group-/role-based access, SCIM/SSO integration, auditing, recovery options, good UX, browser/CLI integrations.
  • LastPass is repeatedly discouraged due to past breaches and poor UX.

Shared & Service Accounts / Secrets Management

  • Best practice: avoid shared human logins; use per-user accounts and SSO. When sharing is unavoidable, rotate passwords whenever someone leaves and for high-privilege accounts.
  • For machine secrets, API keys, and “break-glass” accounts, use secrets managers and/or PAM:
    • HashiCorp Vault / OpenBao, cloud key vaults, Thycotic/Delinea, CyberArk, StrongDM, Teleport, and similar tools.
    • Preferred patterns: short-lived credentials, automatic rotation, just-in-time access, and “nobody knows the password” workflows.

Onboarding, Offboarding, Roles, and Auditing

  • Use RBAC and groups: access is granted by role/team, not by individual ad‑hoc sharing.
  • Joiner–Mover–Leaver workflows: add/remove group memberships to adjust access; disable one central account on departure.
  • Audit who accessed which secrets and when; some tools provide reporting and watchtower-like features.
  • For smaller orgs, simpler patterns (Bitwarden/1Password orgs, KeePass on shared storage) are used, but manual rotation and support overhead are acknowledged.

Anti-Patterns & Pitfalls

  • Avoid shared spreadsheets, Slack/Email plaintext passwords, and large GPG/pass/git vaults with immutable history.
  • Recognize that any shared secret must be considered compromised once someone leaves; rotation is mandatory but often neglected.
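The Shared & Service Accounts, Onboarding/Offboarding and Anti-Patterns points above all come down to one mechanism: access to a shared vault is derived from group membership, every access is logged, and when a person loses reach to a vault (mover or leaver) every credential they could have read goes onto a rotation list. The following is an added example that models that workflow in plain Python; it is not code from the thread or from any of the password managers named there. The org, groups, vaults, secret names and the rotation policy (privileged credentials every 30 days, others every 90) are constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed reference time so the example runs deterministically offline.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


@dataclass
class Secret:
    name: str
    rotated_at: datetime
    privileged: bool = False

    def max_age(self) -> timedelta:
        # Constructed policy: high-privilege credentials rotate monthly, others quarterly.
        return timedelta(days=30) if self.privileged else timedelta(days=90)


@dataclass
class Org:
    groups: dict[str, set[str]] = field(default_factory=dict)        # group -> users
    vault_acl: dict[str, set[str]] = field(default_factory=dict)     # vault -> groups allowed
    secrets: dict[str, list[Secret]] = field(default_factory=dict)   # vault -> entries
    audit: list[tuple[datetime, str, str, str]] = field(default_factory=list)

    def vaults_for(self, user: str) -> set[str]:
        """Vaults a user can open, derived only from group membership (RBAC, no ad-hoc grants)."""
        return {v for v, grps in self.vault_acl.items()
                if any(user in self.groups.get(g, set()) for g in grps)}

    def access(self, user: str, vault: str, name: str, when: datetime) -> Secret:
        """Resolve an entry through the RBAC check and append an audit record."""
        if vault not in self.vaults_for(user):
            raise PermissionError(f"{user} has no role granting {vault}")
        secret = next(s for s in self.secrets[vault] if s.name == name)
        self.audit.append((when, user, vault, name))
        return secret

    def join(self, user: str, groups: set[str]) -> None:
        """Joiner: access is granted by adding group memberships, never by sharing entries."""
        for g in groups:
            self.groups.setdefault(g, set()).add(user)

    def _entries_in(self, vaults: set[str]) -> list[str]:
        return sorted(f"{v}/{s.name}" for v in vaults for s in self.secrets.get(v, []))

    def move(self, user: str, add: set[str], remove: set[str]) -> list[str]:
        """Mover: adjust memberships; everything in vaults the user can no longer reach must rotate."""
        before = self.vaults_for(user)
        for g in remove:
            self.groups.get(g, set()).discard(user)
        self.join(user, add)
        return self._entries_in(before - self.vaults_for(user))

    def leave(self, user: str) -> list[str]:
        """Leaver: one central removal; every entry the user could reach is treated as compromised."""
        reachable = self.vaults_for(user)
        for members in self.groups.values():
            members.discard(user)
        return self._entries_in(reachable)

    def overdue(self, now: datetime) -> list[str]:
        """Entries past their rotation deadline (the neglected-rotation case)."""
        return sorted(f"{v}/{s.name}" for v, entries in self.secrets.items()
                      for s in entries if now - s.rotated_at > s.max_age())

    def who_accessed(self, vault: str, name: str) -> list[str]:
        """Audit question: which users read this entry, in order."""
        return [u for (_, u, v, n) in self.audit if v == vault and n == name]


def build_sample_org() -> Org:
    """Constructed sample: two teams, two vaults, three shared entries."""
    org = Org()
    org.join("alice", {"eng"})
    org.join("bob", {"eng", "ops"})
    org.vault_acl = {"eng-shared": {"eng"}, "prod-breakglass": {"ops"}}
    org.secrets = {
        "eng-shared": [Secret("staging-admin", NOW - timedelta(days=200)),
                       Secret("ci-dashboard", NOW - timedelta(days=10))],
        "prod-breakglass": [Secret("root-breakglass", NOW - timedelta(days=5), privileged=True)],
    }
    return org


def offboarding_demo() -> dict[str, list[str]]:
    """Run the joiner/mover/leaver scenario and return the rotation and audit findings."""
    org = build_sample_org()
    org.access("bob", "prod-breakglass", "root-breakglass", NOW - timedelta(days=1))
    return {
        "overdue_before": org.overdue(NOW),
        "bob_moved_off_ops": org.move("bob", add=set(), remove={"ops"}),
        "alice_left": org.leave("alice"),
        "root_breakglass_readers": org.who_accessed("prod-breakglass", "root-breakglass"),
    }


if __name__ == "__main__":
    for finding, items in offboarding_demo().items():
        print(f"{finding}: {items}")
```

Running it shows the three things the thread asks for: `staging-admin` is already overdue before anyone leaves, moving bob off the ops team puts the break-glass credential on the rotation list even though he is still employed, and alice's departure lists every entry in the one vault she could reach. The `who_accessed` answer is what a real manager's audit log supplies; here it is a plain list.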