- free open source
- group management can be delegated
- works fine with mac, linux & windows browsers
- maintenance free self hosted on k8s for 2 years
- lack of mobile apps has not been an issue
- UX is ok, no complaints
- requires little end-user support
Cons
- only password field is encrypted
- no warning that Notes are not encrypted
- promises ‘Secure files & notes (Coming soon)’ for more than a year
- password generator has no complexity options
- requires browser plugin
- user passwords have no minimum entropy requirements
- no helm chart, used our own
Experience based on free version with ~75 users. Plan to switch to paid version when Secure files & notes become available.
Noticed that former lead developer https://github.com/markstory now works on Sentry. Sentry has the same list of Pros as above: it ’just works’ without maintenance or support, running self hosted on k8s for free.
More like "fauxpensource". All the useful features are part of the expensive looking Business plan. I don't mind people charging money for software, but I really wish they wouldn't pretend to be open source when they're not.
So many "open core" projects are really crippleware. The open core business model just makes too much of an incentive to make core functionality proprietary. I guess one nice thing is you could fork the open-source version and add the "business/enterprise" features to it yourself. I'm sure that would earn you the ire of the company that makes said software though. I'd love to see the pull request to add such features to the open source version. Would you get a response like "The PR looks great, but it doesn't align with our business model, so we'll have to reject it."?
How does that work? If it's open source, I can get the source and run it for free, hell, I could even redistribute it for free. What's stopping me from doing this? I assumed it was that the non-free features were distributed under a proprietary license which comes with an invoice attached?
It's the same model as Red Hat: you buy a subscription, and the software checks if you have a valid subscription. Nothing is stopping you from modifying the source to remove that check, re-building and re-distributing for free (or for a fee) under another name. This allows community-driven projects like CentOS or Fedora to exist. It's an ambitious business model, which doesn't prevent others from competing. The bet is that companies that rely on the service will want to pay and will prefer getting professional services / hosting from the original maintainers.
I've pirated tons of stuff back in the days as a student, and know how to do all that even today. But now I've stopped pirating stuff.
It's partially because I've actually started earning money, but also because nowadays it is incredibly easy to be able to PAY for stuff. And many companies actively integrate with local payment gateways and sell me stuff in my local currency too, which makes decision making much easier. It's actually become so easy that I straight-off decline when any friend of mine asks me to help them pirate software.
Just to clarify, I was never a developer of Passbolt. I think they based their repository off of CakePHP (which I do maintain) and inherited all the commit history that way.
With this type of display, you can quickly see who is contributing on an active basis, and for how long. A good example would be the vscode repository.
Indeed GitHub's contributors graphs gave me the impression that https://github.com/markstory worked on passbolt. Isn't that what they are supposed to do?
Wish you all the best with your enhanced developer insights.
Yes the repository was forked from CakePHP v2, before the framework was moved as a composer dependency, so v2 contributors are shown as Passbolt contributors.
In our use case Passbolt is used for shared Company passwords. Seemingly these are not used on mobile devices. Our company has a healthy work life balance and we don’t perform deployments, upgrades and maintenance outside office hours from our mobile devices.
Passwords for personal Company accounts, like Active Directory & passbolt private key, we store in our private password manager. These accounts get disabled when leaving the company.
What use cases do you have where you can’t use a laptop for company related activities?
If you want secure files and notes too then have you ever tried out Psono? The free version supports those and solves most of the Cons (e.g. Psono has no official helm yet either). (Full disclosure, I am the main developer behind Psono)
- free open source
- teams management can be delegated
- works fine with mac, linux & windows browsers
- maintenance free self hosted on k8s for 2 years
- lack of mobile apps has not been an issue
- UX is ok, no complaints
- requires little end-user support
This is the same list as the Pros for passbolt. And both ’just work’ without much maintenance or support, running self hosted on k8s for free.
Nope. The parent commenter came to some interesting conclusions, but I've never worked on passbolt. From what I remember passbolt based their repository on CakePHP (of which I'm a maintainer) and inherited all the git history from that project. There are no connections between passbolt and sentry though.
I like this a lot. I've been a Bitwarden user for the past few months and I'm not looking back, but I'm so happy there's reasonable competition:
- It's still OSS, so you can self-host, which is a big selling point for me
- There's a managed/hosted option, which is a big selling point for probably most users
- It's got a browser plugin à la BitWarden/1Password, which is a crucial feature for any well-polished password manager (and hopefully it also comes with Android autofill integration)
Hopefully Passbolt, BitWarden and others can keep each other on their toes and help this be an innovative and widely accessible space!
Expanding on that last point: I'm a huge fan of the general idea of having the option of self-hosting with a business model revolving around a paid, managed option, for password managers or otherwise.
Although I'm using the dockerized rust API (1) for self-hosting it, and so far it's been working great for months!
I am keeping a close eye on the container, and backing up the data hourly to ensure I don't need to worry about losing anything.
I was evaluating Bitwarden years ago (before bitwarden_rs), but was thrown off by the lack of support for 2FA tokens without a subscription.
Does self-hosting with bitwarden_rs solve this? Or do I still need a subscription for storing 2FA tokens along with passwords?
I have absolutely no problem paying once per major version for software, open source or not, but I refuse to pay any subscription. At least when buying a version I can choose to upgrade or not.
Yes bitwarden_rs supports 2FA, including U2F keys. I set up my own instance in a Docker container on my Synology. I only have access to it while I am at home (or VPNed in) as I'm not willing to punch a hole in my firewall for external access.
bitwarden_rs is definitely the way to go. I’ve been hosting it for my own use only for a couple of years now; never had any problems, and it’s a negligible drain on resources. It uses less than 20MB of disk space (15MB of the package, 2.3MB of icon cache, 408KB of sqlite database), about 24MB of RAM (admittedly it used to be about 13MB, but it’s still insignificant drain) and has an average CPU usage of less than 0.002% over 54 days of uptime (1:22.55).
Meanwhile the standard Bitwarden backend needs SQL Server and demands to have 2GB of RAM. No idea how little you could actually get away with, but I’m confident it won’t be 25MB.
Another happy Bitwarden user here. I reviewed several different solutions for use within our company, and Bitwarden wins. We didn't go with Passbolt because its Chrome extension didn't work for us - there was no way to set the Passbolt URL so I never got the chance to check its autofill functionality. Bitwarden provides mobile apps, desktop apps for all operating systems and working browser extensions. Pricing is reasonable and not over the top and installation for self-hosted version is trivial. I'm glad competition exists, but they're falling short.
Heh, I know a guy who will be having rage-fits over the use of "on-Premise" on their web site...
Premise:
noun
/ˈprɛmɪs/
LOGIC
a previous statement or proposition from which another is inferred or follows as a conclusion.
"if the premise is true, then the conclusion must be true"
verb
/prɪˈmʌɪz/
base an argument, theory, or undertaking on.
"the reforms were premised on our findings"
Premises:
noun
a house or building, together with its land and outbuildings, occupied by a business or considered in an official context.
"the company has moved to new premises"
My team has been using this for over a year. It's been my favorite answer for this problem-space. I love the self-hosted part (which means I also get backups I can trust). It's trivial to put inside a VPN for added security. Its security reviews were good and it is built on standard tools (so maybe if PB is dead I could recover outside?). Just save the key you download when you set up or you're hosed!
Which reminds me, I've been meaning to make a plain-text archiver for this -- to print out secrets and put them in my safe.
Why would I pay at least 450 euro per month for something I have to run myself? I appreciate that support and maintenance costs are certainly something to pay for, but a high monthly charge when I'm taking all the risk, and paying for the hosting immediately turns me off.
Especially considering the 4 hour SLA on phone support for the enterprise version. If the password management system is down, work stops. I'd rather not have to break the glass on the emergency god account at all.
> Why would I pay at least 450 euro per month for something I have to run myself?
Some people/teams/departments are busy with other things, so that amount is worth the cost of outsourcing a service such that the team members can focus on other things.
Also:
* why would anyone run RHEL when they can run CentOS? (The cost of a service being down is more than the support fee.)
* why would I go to a restaurant when I can cook a meal at home for much less?
* why would I pay for a car wash when a garden hose and a sponge work just as well?
Also also, you may want to actually check what the pricing is:
As a small dev team we needed something similar to passbolt, but that would primarily be used for sharing API keys and other application secrets for our code base. (Although we use it for other passwords as well) A lot of the existing tools are fairly complex to setup and are not tied to identity management systems. (i.e. You have to setup and maintain separate user accounts)
Since we were on Keybase already for employee identity and chat, we created an extension to encpass.sh to use Keybase for our secret storage. (https://github.com/plyint/encpass.sh/blob/master/extensions/...) It has been working really well so far, as when we add someone to a Keybase team, that person immediately has access to that team's secrets. No extra setup required.
We have been considering it in our team but the lack of capability of creating a "shared vault" and connecting it to a centralised AD/LDAP identity was a no go for us. Also, the lack, due to the tech itself, of a recovery method for users and administrators (with audit of course) was a big disappointment.
PS : never connect it to your AD/ldap or it will spam everyone in your organisation by default ! #lessonlearned
I use gopass myself and got it working on my Windows laptop including WSL and still use it. I even tried to adopt it within the team and then its flaws were in full view. Hard to set up correctly on machines, hard to share passwords in a team. Re-encrypting passwords worked sometimes but not always for the whole team. I gave up trying to get the team to use it.
pass[0] has been the best of everything so far. GPG based and easy to use with keyboard shortcuts. I like alternatives like this, but pass is super barebones and highly available.
Although I always appreciate alternatives being given on HN, I don't see how this competes with Passbolt. There's no password sharing between groups of an organization, which is exactly what Passbolt is built for.
Personal password managers are great unless you want to share a list of passwords in a group within an organization.
You can use pass to share passwords between multiple people in an organization. Pass supports multiple GPG keys per entry, and you can assign sets of keys to directories. You could have a directory per team, for instance.
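The per-directory key scoping described in the comment above (one `.gpg-id` file per subtree, written by `pass init -p <subdir> <keys...>`) is easy to get wrong when a team adds people. The following script is an added example, not code from the pass project: it recreates the `.gpg-id` layout `pass init` would produce and resolves which recipients a given entry would be encrypted to, walking up from the entry to the nearest `.gpg-id`, the same lookup pass performs. No gpg is needed to run it; the key IDs ALICE, BOB, CAROL and DAVE are placeholders, and the store layout is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the pass project): per-directory GPG recipients
# in a pass store. Each directory may carry a .gpg-id file; an entry is
# encrypted to the keys listed in the nearest .gpg-id found by walking up
# from the entry towards the store root. Key IDs are placeholders.

# Build a demo store layout under $1. Only the .gpg-id files are created,
# i.e. what these commands would write:
#   pass init ALICE BOB                 (store root)
#   pass init -p team-infra ALICE CAROL (overrides the team-infra subtree)
#   pass init -p team-app BOB DAVE      (overrides the team-app subtree)
make_demo_store() {
    store=${1%/}
    mkdir -p "$store/team-infra/prod" "$store/team-app"
    printf '%s\n' ALICE BOB   > "$store/.gpg-id"
    printf '%s\n' ALICE CAROL > "$store/team-infra/.gpg-id"
    printf '%s\n' BOB DAVE    > "$store/team-app/.gpg-id"
}

# Print, space-separated, the key IDs that would encrypt entry $2
# (a store-relative path such as team-infra/prod/db-root) in store $1.
# Returns 1 if no .gpg-id exists between the entry and the store root.
recipients_for() {
    store=${1%/}
    entry=$2
    dir="$store/$(dirname "$entry")"
    while :; do
        if [ -f "$dir/.gpg-id" ]; then
            # one key per line in the file -> one line, space separated
            tr '\n' ' ' < "$dir/.gpg-id" | sed 's/ $//'
            return 0
        fi
        case "$dir" in
            "$store") return 1 ;;   # reached the root without a .gpg-id
        esac
        dir=$(dirname "$dir")
    done
}

# Demo when run directly: show which keys each entry is scoped to.
demo_dir=$(mktemp -d)
make_demo_store "$demo_dir"
for e in team-infra/prod/db-root team-app/sentry-dsn shared/wifi; do
    echo "$e -> $(recipients_for "$demo_dir" "$e")"
done
rm -rf "$demo_dir"
```

Two practical notes follow from this lookup. First, an entry under a directory with no `.gpg-id` of its own (here `shared/wifi`) silently inherits the root recipients, so check the resolved set before storing a secret that is meant for one team only. Second, the `.gpg-id` file is only consulted at encryption time: changing it does not touch existing entries, so after adding or removing a team member you must re-run `pass init -p <subdir> <keys...>`, which re-encrypts the entries in that subtree (this is the step the gopass comment above describes as unreliable across a team).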
Pass has got to be one of my favorite CLI tools and has decent third-party browser plugins and mobile apps. Gopass works well too, especially for Windows, and is compatible. I wish someone would build a bookmark manager using a similar concept.
I switched from 1Password when all the subscription nonsense started, and while 1Password has (much) better integration in various systems (desktops and mobile), Pass does what it says, and it does it well.
I (briefly) evaluated Bitwarden, but the lack of support for storing 2FA tokens without a subscription threw me off. I'm aware of bitwarden_rs, which presumably supports 2FA tokens, but I've not yet had time to experiment with it. Besides, hosting a git repository is not exactly rocket science, and it's a much simpler setup compared to Bitwarden with database and server parts that need to be running.
I feel like this is becoming a very crowded market. What sort of differentiation separates this service from the pack?
For my purchasing decision, I’d lean heavily on the probability the service will be there in 5 years (it’s obvious I’m getting older I guess), as the market seems pretty mature.
I did a pretty thorough review of PassBolt a couple of years back when I was trying really hard to get a company to adopt it and give up their "we store all of our passwords on a spreadsheet" approach.
I don't have my notes any more, but off the top of my head, the big points in favor were:
- Self-hostable. The tech guy in charge just resolutely would not use any hosted service, period. In his evaluation, trusting a centralized password management service was less secure than a spreadsheet in a Windows share.
- Low cost. Password management is integrated into some MSP products but these can be a bit pricey for small shops.
- Built with PHP. Same guy was uncomfortable with Python, Node, and all that, and insisted that he be able to maintain and troubleshoot the codebase himself if necessary, so it had to be PHP.
The main failing was that it didn't have proper mobile device support, so it would be a pain in the ass for some of the employees.
As far as I know that same company still keeps their passwords in a spreadsheet. They've had several costly security incidents over the years.
It wouldn't be directly but it wouldn't be surprising either - storing credentials in a spreadsheet can be indicative of the company's attitude towards security.
> - Built with PHP. Same guy was uncomfortable with Python, Node, and all that, and insisted that he be able to maintain and troubleshoot the codebase himself if necessary, so it had to be PHP.
Now that's an interesting perspective, I don't think I've heard anyone consider PHP to be more secure than Python before.
Of course; the best comparison you can make in security here is the amount of raw memory access.
People condemn languages for two security reasons: the average level of competence in products usually written in a language, and the amount of footguns a language provides.
PHP is very easy to learn, which is why a lot (really, a _lot_) of open source software is of very questionable quality. For many, it's the first programming language someone learns, which means the quality is often far from what a developer is capable of with a little more experience.
PHP also has a lot of weird functions and behaviourisms, all perfectly well documented (but nobody really reads up on the details of `isset`, it seems). APIs seem inconsistent and mysql_escape_string and its cousin mysql_real_escape_string tell a story of a problematic history. There's also the typing issue that plagues all loosely typed languages.
I personally consider Go to be more secure of a language than PHP or Python because the behaviour is a lot easier to understand.
Of course properly written, typed, well-tested PHP can be a lot better than many Go products, but the expectations for the different languages are just different because of the different levels of experience programmers have when they start with each language.
Every language has its troubled history, but PHP is especially famous for security vulnerabilities by either beginners or intuitive API design.
It might have something to do with the fact that PHP is still taught in a lot of web dev classes (though NodeJS has taken its crown) and that Go is relatively unknown for beginning programmers. Python generally just runs on your own machine because it's not as optimized for being a web language like PHP has been.
Hi passbolt developer here, the reason for building on top of CakePHP was mostly:
- it's been audited multiple times (the most recent was by Cure53, financed by the Mozilla foundation)
- convention over configuration
- good versatility for hosting (= less support)
- lovely community (less big but very friendly)
I have the feeling that password sharing is only unavoidable in a company that doesn't care much about security.
Any company that takes security seriously would, I suppose, have personal passwords as a strict requirement. They wouldn't use services that can't comply with this requirement.
There’s also a difference between password sharing and shared secrets. Sometimes you need something that is like a password, and needs to be shared amongst a team.
One example would be an inter-company IPSec VPN PSK.
In the health insurance industry, for example, many insurance portals offer one account that has to be used by a team. And, in a team scenario where all staff need access to all third party vendor accounts, it can be simpler to share the one password rather than manage 10.
For on site systems under a company's control, they can enforce the policies. But third party resources are where the limitations are. It's not the company that's minimal on security hygiene, it's the non-tech vendor in many cases.
Is there a web API for changing passwords? It would be nice if these password managers could help you change passwords when they are found on a list through an API (that would require the old password anyway).