Our IT team at my church was comparing several options for our internal password management tool. We need to securely share passwords and other sensitive information with staff and volunteers of pretty much all walks of life.
The features we needed
- Industry-standard encryption algo/level
- Cloud-based (We don't want the risky task of managing an on-premise installation for such a secure component of our internal cybersecurity)
- Ease of use
- Not too expensive (we're a non-profit)
- Mobile app with auto-fill feature integrated at the OS level
- Browser extension
- Audit log for every shared secret
- Groups of users auto-assigned to default permissions specific to collections of "secrets".
- Some flexibility with what we can store (at least blobs of text), but ideally stuff like identities and payment cards would be useful also.
- Sharing passwords to people without them being able to see their content, but still able to login with auto-fill.
- Organization-wide control over minimal password strength criteria.
Nice to haves
- Open Source (not so we can host it ourselves, but rather for the fact that the security is constantly being peer-reviewed by the community of developers)
- Linux GUI app
- API available
- CLI interface
Products we considered
Show me what you got
|Ease of use||x||✔||✔||✔||x||✔|
|Not too expensive||✔||✔||✔||✔||✔||✔|
|Mobile app with auto-fill||✔||✔||✔||✔||✔||x|
|Groups and Collections||✔||✔||x||✔||x||✔|
|Flexible secret types||✔||✔||✔||✔||✔||✔|
|Sharing logins without people having access to see the password||✔||?||✔||✔||x||?|
|Org-wide control over password criteria||✔||✔||✔||✔||x||x|
We're currently pretty much settled on Bitwarden despite the fact that 1Password also was a really strong contender. But price gave the final word for Bitwarden this time.