Passwords, passphrases, and passkeys

Secret Symbols

Password Manager with Team Function

As soon as the scenario switches to team functionality, with a focus on corporate use, it is often difficult to find arguments in favor of free open source tools. Organizations are often reluctant to use a tool for which they cannot officially purchase support. That said, I'll look at two free community offshoots that address this need and are also officially hosted and supported products from their providers.

Bitwarden [6] has become widespread in recent years. The tool offers a free platform for private individuals and has a manageable cost framework for families. Companies can opt for a cloud or self-hosted version. In addition to the commercial version, the open source offshoot Vaultwarden [7], which provides the full set of enterprise features hosted by Bitwarden, can be obtained on GitHub as a Docker container.

For admins, one of Bitwarden's most interesting features – besides its capability as an enterprise-grade password manager – is the ability to use policies to control deployment [8]. The endpoints or server names of a local environment can be distributed by registry entries or JSON. Bitwarden can also synchronize with Active Directory, Entra ID, Google, and Okta to discover the user accounts stored there.

Bitwarden also provides a browser plugin that can be used with web forms (Figure 1) and can access the database directly. If a suitable entry is identified by URL, you can enter the stored information directly (Figure 2). For security reasons, however, you do not have a completely automatic form fill: Choosing and storing the password has to remain firmly under the control of the user; otherwise, it would be all too easy for data to end up in the wrong form by mistake and for sensitive information to be lost.

Figure 1: Integration of Vaultwarden or Bitwarden in a web form before unlocking access.
Figure 2: If the URL matches, Vaultwarden and Bitwarden make a suggestion for the appropriate credentials.
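The URL matching described above is the control that keeps a credential out of the wrong form. The following is an added example, not code from the article or from Bitwarden/Vaultwarden: it models a vault lookup with strict hostname matching, an optional looser base-domain mode, and a deliberately naive substring match for contrast. The vault entries and page URLs are constructed sample data, and the base-domain helper is a simplification (real managers consult the Public Suffix List).

```python
"""Added example: URL-based credential suggestion, as a password manager's
browser plugin performs it. Not the article's or Bitwarden's own code; vault
entries and URLs below are constructed."""
from urllib.parse import urlsplit

# Constructed vault: entry name -> URL the credential was saved for.
VAULT = {
    "Corporate mail": "https://mail.example.com/login",
    "Issue tracker": "https://tracker.example.org",
    "Bank": "https://bank.example.net/portal",
}


def host_of(url: str) -> str:
    """Lowercase hostname of a URL, or '' if the URL has none."""
    return (urlsplit(url).hostname or "").lower()


def base_domain(host: str) -> str:
    """Last two labels of a hostname ('a.b.example.com' -> 'example.com').

    Simplification for this example: real managers use the Public Suffix
    List so that 'shop.example.co.uk' is not reduced to 'co.uk'.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def suggest(page_url: str, vault: dict = VAULT, mode: str = "host") -> list:
    """Names of vault entries whose saved URL matches the current page.

    mode="host":        exact hostname match (strictest, the safe default).
    mode="base_domain": same registrable domain, so sub-hosts share an entry.
    Pages that are not served over https get no suggestion at all.
    """
    if urlsplit(page_url).scheme != "https":
        return []
    page_host = host_of(page_url)
    hits = []
    for name, saved in vault.items():
        saved_host = host_of(saved)
        if mode == "host":
            match = saved_host == page_host
        elif mode == "base_domain":
            match = base_domain(saved_host) == base_domain(page_host)
        else:
            raise ValueError(f"unknown match mode: {mode}")
        if match:
            hits.append(name)
    return sorted(hits)


def naive_suggest(page_url: str, vault: dict = VAULT) -> list:
    """Counter-example: substring matching. The saved host appearing anywhere
    in the page URL counts, so a look-alike host wrongly receives a suggestion.
    Shown only to illustrate why exact host matching is the default above."""
    return sorted(name for name, saved in vault.items() if host_of(saved) in page_url)


if __name__ == "__main__":
    for url in ("https://mail.example.com/owa",
                "https://sso.example.com/",
                "http://mail.example.com/login",
                "https://mail.example.com.evil.test/login"):
        print(f"{url:45} host={suggest(url)} base={suggest(url, mode='base_domain')} naive={naive_suggest(url)}")
```

Strict host matching returns nothing for the look-alike page, the base-domain mode extends one entry to sibling hosts of the same organization, and the naive variant shows the kind of match that would push a credential into a form it was never saved for.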

If you are worried about free software – or you are not allowed to use it – and prefer a commercial product, you might want to take a look at Passbolt [9]. The tool is practically in the same league as Bitwarden. The community edition is marketed under the same name, but it lacks a few features, such as LDAP synchronization.

Each organization must decide for itself which tool is the best fit for its own needs. KeePassXC is ruled out if you need password sharing and group functionality. At the end of the day, the decision between the two free versions of Vaultwarden and Passbolt will probably come down to the graphical user interface or the desktop client. I recommend testing and evaluating the two systems. The instructions for installing the Docker-based variant are very easy to understand, and you only need minimal knowledge of Linux.

Of course, secure operation of a password server also requires familiarity with the basic feature set; if needed, some service providers offer support. For an initial test run, you could even set up a password server on a Raspberry Pi as part of a DIY project (Figure 3). After completing trials, you can then install the system on more robust underpinnings and provide it in a secure environment that includes backup and restore.

Figure 3: Passbolt comes with instructions on how to set up a password server on a Raspberry Pi.

Conclusions

Passwords will be around for a very long time. The faster the current crop of graphics cards computes, the more important password length becomes. The last few years have seen rapid growth rates in brute-force scenarios. Password length is the only factor that the user or the organization itself can control. Additional safeguards, such as the aforementioned two-factor or multifactor authentication – or even a complete shift to passkeys – might be in the hands of the IT department but are still not supported by all service providers. Organizations need to point out security deficiencies as such and insist on the gaps being plugged.
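To put numbers on the relationship between password length and brute-force cost, here is an added example (not from the article) that computes the entropy of a uniformly random password and the expected time to exhaust half of its keyspace at a given guess rate. The guess rates are constructed round figures for illustration, not benchmarks of any hardware; the helper `length_for_target` answers the policy question of how long a password must be to survive a chosen number of years at that rate.

```python
"""Added example: password length versus brute-force search cost.
Not from the article; guess rates are constructed, illustrative values."""
import math

# Alphabet sizes for common composition rules.
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "lower+upper+digits": 62,
    "printable ASCII": 95,
}

# Constructed guess rates in guesses per second. Offline cracking of a fast
# hash and of a slow, purpose-built password KDF differ by orders of magnitude.
RATES = {
    "fast hash (illustrative)": 1e10,
    "slow KDF (illustrative)": 1e5,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(length: int, charset_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    if length <= 0 or charset_size < 2:
        raise ValueError("length must be positive and the alphabet at least 2 symbols")
    return length * math.log2(charset_size)


def expected_crack_seconds(length: int, charset_size: int, guesses_per_second: float) -> float:
    """Expected time of exhaustive search for a uniformly random password.
    On average half the keyspace is tried before the correct guess."""
    keyspace = charset_size ** length
    return keyspace / 2 / guesses_per_second


def years(seconds: float) -> float:
    return seconds / SECONDS_PER_YEAR


def length_for_target(charset_size: int, guesses_per_second: float, target_years: float) -> int:
    """Smallest length whose expected crack time reaches target_years."""
    length = 1
    while years(expected_crack_seconds(length, charset_size, guesses_per_second)) < target_years:
        length += 1
    return length


def table(rate_name: str) -> list:
    """Rows of (length, charset, bits, expected years) for one guess rate."""
    rate = RATES[rate_name]
    rows = []
    for length in (8, 12, 16, 20):
        for cs_name, cs in CHARSETS.items():
            rows.append((length, cs_name, round(entropy_bits(length, cs), 1),
                         years(expected_crack_seconds(length, cs, rate))))
    return rows


if __name__ == "__main__":
    for rate_name in RATES:
        print(f"\n{rate_name}: {RATES[rate_name]:.0e} guesses/s")
        for length, cs_name, bits, yrs in table(rate_name):
            print(f"  len={length:2} {cs_name:20} {bits:6.1f} bits  ~{yrs:.3g} years")
        print("  length for 100 years, 62-symbol alphabet:",
              length_for_target(62, RATES[rate_name], 100))
```

The doubling of expected time with every added bit is what the article's "length is the only factor the user controls" amounts to: each extra character of a 62-symbol password adds almost six bits, whereas a faster card only shifts the rate column.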

The Author

Mark Heitbrink has worked in IT since the early 1990s. He's been a consultant, trainer, speaker, and author covering topics such as Active Directory, Group Policy, deployment, and public key infrastructure. Mark's current focus is mainly on security and privacy for protection against ransomware. He resides in Regensburg, Bavaria.
