🆕 Software Suggestion | Passbolt #1963
Reference: privacyguides/privacytools.io#1963
Basic Information
Name: Passbolt
Category: Password Managers
URL: https://www.passbolt.com
Description
Passbolt is a password manager for teams. It is open source and uses OpenPGP.
In browser, it requires a browser extension to ensure security, as it uses OpenPGP.js.
Why I am making the suggestion
I was surprised to see pass listed but not Passbolt. I couldn't find an existing thread, so figured it'd be worth suggesting at least.
My connection with the software
I once set up the self-hosted version for an organisation I was the sysadmin for at the time.
Already suggested in prism-break but no reply https://gitlab.com/prism-break/prism-break/-/issues/2184
In the same category you have:
I used passbolt and bitwarden in a small team a few months ago. Personal opinion: Passbolt is better on the technical/security side than bitwarden, at least at that time.
Bitwarden seems more like a cloud service for personal use. On the technical/management side, in my personal opinion, it is a mess; I used the official documentation to do all the installation and config. The version I used had layers of Microsoft stuff in a Linux environment.
Passbolt, the version I used, was very good, faster than bitwarden; all tech/libraries used are open source with good licenses, the team is very aware of security and privacy, and they do security audits frequently. The main issues: old data remains in the DB and user administration is lacking; for personal use, self-hosted, I think it is far better. From a security perspective it seems good; I remember even in the databases all data was encrypted, I remember even the admin doesn't have the power to see the passwords of users, the admin user just does some admin tasks. But the same old PGP mechanics problem, if you are familiar with that. All the issues mentioned were already known and already in the roadmap, maybe they are already fixed.
You can run it in a docker container on your own machine and use it as a "local" password manager; it is lightweight. The free version of passbolt lacks some features that the free version of bitwarden has. But it is perfectly fine to use with a small team/family or even personally.
Passit.io is still in development and lacks features.
Psono is in development, more advanced in features than Passit, in my opinion, from what I used at that time.
In my opinion I would say:
From my personal experience with Passbolt (as a user, not administrator), it seems to be pretty lackluster (no offense to whoever is developing it):
PGP mechanics unfortunately. You own the key.
Yeah well that's a good thing, you own the key. I remember even the admin can't do anything, except recreate the account.
It is supported, only for the Pro version I'm afraid. Anyway, take as an example the recent Twitter hack: it seems all the accounts used 2FA; what does it matter if all data is encrypted? If it is local self-hosted it doesn't matter; if you use a public VPS, you should use a VPN.
Overall, I think people first need to be familiar with PGP (PGP has its own quirks), install Passbolt, use it and get familiar with all the documentation they provide.
EDIT: @jeroen7s thanks for the clarification, it's about 1y since I used passbolt, I don't remember everything. 😄
Except that's not a PGP limitation: the key is available to the browser extension, so the browser extension should be able to regenerate a key for you with a new passphrase, the same way a desktop app like the GNOME keyring can.
@lynn-stephenson Would you have a time to scan over this? Seems like a nice addition for companies. I wonder how it holds up against something like bitwarden.
@blacklight447-ptio I'll look into it. :)
GPG is a hard-to-use tool, and it's generally easy to shoot yourself in the foot. This does adopt some good practices, but I see no reason to recommend a harder-to-use tool that is also partially behind a paywall when there are other better existing solutions.
Passbolt from installation to use is quite easy; they provide docker, just run it and start using it. It's not behind a paywall 😕 except the "PRO features", if you want LDAP, audit log or business support. The Community version is totally functional even for a small team like 20 people (when I used it). It's a good self-hosted alternative.
I still think passbolt is not quite user-friendly for the end user though, at least not even close to something like Bitwarden.
For me, these 3 points remain dealbreakers:
The use-case for recommending Passbolt over bitwarden remains small:
As we are most likely going to be removing GNU Privacy Guard as a recommendation, and in addition to other password managers having better cryptography designs and being under more scrutiny, this does not seem recommendable.