I did a pretty thorough review of PassBolt a couple of years back when I was trying really hard to get a company to adopt it and give up their "we store our all of our passwords on a spreadsheet" approach.
I don't have my notes any more, but off the top of my head, the big points in favor were:
- Self-hostable. The tech guy in charge just resolutely would not use any hosted service, period. In his evaluation, trusting a centralized password management service was less secure than a spreadsheet in a Windows share.
- Low cost. Password management is integrated into some MSP products but these can be a bit pricey for small shops.
- Built with PHP. Same guy was uncomfortable with Python, Node, and all that, and insisted that he be able to maintain and troubleshoot the codebase himself if necessary, so it had to be PHP.
The main failing was that it didn't have proper mobile device support, so it would be a pain in the ass for some of the employees.
As far as I know that same company still keeps their passwords in a spreadsheet. They've had several costly security incidents over the years.
It wouldn't be directly but it wouldn't be surprising either - storing credentials in a spreadsheet can be indicative of the company's attitude towards security.
> - Built with PHP. Same guy was uncomfortable with Python, Node, and all that, and insisted that he be able to maintain and troubleshoot the codebase himself if necessary, so it had to be PHP.
Now that's an interesting perspective. I don't think I've heard anyone consider PHP to be more secure than Python before.
Of course, the best comparison you can make in security here is the amount of raw memory access.
People condemn languages for two security reasons: the average level of competence in products usually written in a language, and the amount of footguns a language provides.
PHP is very easy to learn, which is why a lot (really, a _lot_) of open source software is of very questionable quality. For many, it's the first programming language someone learns, which means the quality is often far from what a developer is capable of with a little more experience.
PHP also has a lot of weird functions and behaviourisms, all perfectly well documented (but nobody really reads up on the details of `isset`, it seems). APIs seem inconsistent, and `mysql_escape_string` and its cousin `mysql_real_escape_string` tell a story of a problematic history. There's also the typing issue that plagues all loosely typed languages.
I personally consider Go to be more secure of a language than PHP or Python because the behaviour is a lot easier to understand.
Of course, properly written, typed, well-tested PHP can be a lot better than many Go products, but the expectations for the different languages are just different because of the different levels of experience programmers have when they start with each language.
Every language has its troubled history, but PHP is especially famous for security vulnerabilities by either beginners or intuitive API design.
It might have something to do with the fact that PHP is still taught in a lot of web dev classes (though NodeJS has taken its crown) and that Go is relatively unknown for beginning programmers. Python generally just runs on your own machine because it's not as optimized for being a web language like PHP has been.
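As an added illustration of the `isset` and loose-typing footguns mentioned in the post above (example code written for this thread, not from PassBolt or any poster), each shown next to the stricter check a code reviewer would ask for; the config array and the two MD5 inputs are constructed sample data:

```php
<?php
// 1. isset() returns false for a key whose value is null, so it cannot
//    distinguish "setting absent" from "setting present but null".
function keyCheck(array $config, string $key): array {
    return [
        'isset'            => isset($config[$key]),
        'array_key_exists' => array_key_exists($key, $config),
    ];
}

// Constructed sample: a security setting explicitly set to null.
// isset() treats it as missing; array_key_exists() sees the key.
$config = ['require_mfa' => null];
var_dump(keyCheck($config, 'require_mfa'));

// 2. Loose comparison (==) converts numeric-looking strings to numbers.
//    Hex digests of the form "0e<digits>" all parse as the float 0,
//    so two different digests compare as equal under ==.
function looseEquals(string $a, string $b): bool {
    return $a == $b;
}

// hash_equals() compares the bytes (and in constant time), which is
// what a token or digest comparison should use.
function strictEquals(string $a, string $b): bool {
    return hash_equals($a, $b);
}

// Well-known pair of inputs whose MD5 digests both begin with "0e".
$h1 = md5('240610708');
$h2 = md5('QNKCDZO');
var_dump($h1 === $h2);            // the digests are different strings
var_dump(looseEquals($h1, $h2));  // but == compares them numerically
var_dump(strictEquals($h1, $h2)); // hash_equals compares the bytes
```

Run with `php example.php`; the point is that the same two digests give opposite answers depending on which comparison the code uses, which is the kind of footgun the post is describing.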