Passbolt Review - An Open Source Team Password Manager

Passbolt is an open-source password manager designed for team use. It can be self-hosted on your own server, self-managed on rented server space, or fully hosted by its Luxembourg-based developer, Passbolt SA. In this in-depth Passbolt review, we look at security, features, value for money and more.

Pros

  • Audited 100% open source code
  • End-to-end encryption
  • Self-hosted or fully hosted
  • Free Community Edition
  • Autofill with browser add-ons

Cons

  • Browser-based cryptography (but as strong as it gets)
  • Fully hosted plans use Google and AWS servers

Pricing

Passbolt Community Edition (CE) is free and open source software which you can self-host or install for yourself on a third-party server.

Fully hosted enterprise plans are also available which offer a range of additional features, plus email or phone support (free users are limited to support from the community forum).

[Screenshot: Passbolt pricing]

Payments are made by card via the Stripe payment processor. Those wanting to try out the additional Enterprise features can sign up for a demo. This is a fully functioning hosted Passbolt instance, but “data will be deleted periodically. Do not use it to store sensitive information.” Demo data lasted for a day when we tested it.

Features

  • Passwords sharing
  • Self-hosted or hosted
  • Favorites
  • Filter
  • Search
  • Comments
  • Users management
  • Groups management
  • Email notifications
  • Chrome and Firefox browser add-ons
  • Dark theme (premium only)
  • 2FA (premium only)
  • LDAP-synchronized user directory (premium only)

Slack integration, audit logs, and mobile apps are all promised in the near future for premium users.

Two-factor authentication

Passbolt supports two-factor authentication (2FA) via Time-based One-Time Password (TOTP), YubiKey, or Duo.

[Screenshot: Passbolt two-factor authentication settings]

Dark theme

We are honestly a little perplexed by the huge popularity of dark themes, but here it is anyway.

[Screenshot: Passbolt's dark theme]

Privacy and security

Jurisdiction

Passbolt SA is registered in Luxembourg and is therefore subject to the GDPR and other EU data protection law. Luxembourg has no particular ties to the NSA-led Five Eyes intelligence alliance, but a 2013 spying scandal, which resulted in the Prime Minister resigning, demonstrates that the country’s Service de Renseignement de l’État (SREL) intelligence agency is far from passive.

Probably more relevant is that Passbolt SA runs its fully hosted accounts on Google Cloud Platform and Amazon Web Services (AWS), both US providers that can reasonably be assumed to be within reach of NSA-style surveillance. Because passwords are end-to-end encrypted, the host never sees them in plaintext. What it can see is everything that is not encrypted, such as resource names, comments and who a password is shared with, so the hosting choice matters for metadata even though it does not for the passwords themselves.

And, of course, you can self-host Passbolt anywhere – on hardware completely under your control, or on hardware rented from providers in any country you like.

Technical security

Passwords are encrypted client-side by the Passbolt browser extension, which is built on the OpenPGP.js JavaScript library, so they are end-to-end encrypted (e2ee): the server only ever stores ciphertext for which it holds no key. In transit, everything is additionally protected by TLS, the mechanism that secures HTTPS websites.

Server-side, Passbolt uses the GnuPG PHP extension and openpgp-php to validate users’ public keys and to support the GPGAuth authentication protocol, a challenge-response login in which the client proves possession of its private key rather than sending a password.

It is worth noting that only the passwords themselves are encrypted at rest; everything else about a resource, such as its comments and the list of people it is shared with, is stored in plaintext. If that bothers you, you can encrypt the server’s storage at the disk or filesystem level, for example with LUKS full-disk encryption or an encrypted filesystem such as EncFS. Bear in mind what that buys you: it protects a stolen disk or backup, not a running server whose database is already mounted and readable by the application.

All of Passbolt’s code is open source. And although, as Passbolt itself says, “the code review work will never be done,” much of it has in fact been extensively reviewed and audited, which is great.

Issues remain with JavaScript cryptography in the browser, however, the most important being that a browser will run whatever code a compromised server pushes to it, including code that quietly exfiltrates keys or plaintext. Passbolt mitigates this by doing the cryptography in a browser extension rather than in page JavaScript: the extension’s code is installed and updated through the browser’s add-on channel rather than served by the Passbolt server, and the extension, not the web page, is what holds your private key. Its use of well-audited open-source code is also reassuring.

Browser-based cryptography cannot be considered as secure as a dedicated native client, but Passbolt’s implementation of it is very strong.

Ease of use

Setup and installation

The easiest way to set up a Passbolt instance is to let Passbolt SA do it for you. This costs money, however, hands control of the instance to Passbolt SA, and means hosting your data on servers run by US cloud providers (albeit end-to-end encrypted).

You can instead self-host an instance (Community Edition or Premium) on your own server hardware or on server space rented from a third-party provider. Step-by-step instructions are available for doing this on a variety of server platforms.

The virtual machine image didn’t work for us for some reason (quite possibly our own fault), but the Ubuntu instructions were very clear and worked a charm. If you can cut and paste commands into a terminal window, the installation is a breeze.

Support for Docker means you can install Passbolt on almost any platform, while US hosting company DigitalOcean pretty much automates the process of installing Passbolt on one of its “Droplets” for you.

Use as a team member

Once your Passbolt instance is set up, you can start sharing passwords among team members. When they receive an invitation to join, team members will be asked to install the Passbolt add-on for Firefox or Chrome. This is not optional, as the add-on is what generates and holds each user’s OpenPGP key pair and performs the encryption and decryption.

Creating a new account is then just a case of following a few easy instructions.

[Screenshot: using the app as a team member]

Once done, team members can log in to the web portal. From here you can create new passwords and share them with other team members.

[Screenshot: creating new passwords and sharing them with team members]

You can also create groups of team members and share passwords with whichever groups you like.

[Screenshot: editing a group of team members]

In addition to being a vital component in the PGP cryptography scheme, the browser add-ons let you easily autofill web logins. Suggested passwords are matched to the URL you are visiting or you can search or browse for the password you want.

[Screenshot: matching passwords to a URL]

You can even create new passwords on the fly.

[Screenshot: creating passwords on the fly]

One thing we like about the add-on’s approach to autofilling passwords is that it must be manually invoked by clicking its icon. This means the team password manager works side by side with any personal password manager you might also use that autofills forms as soon as you visit a web page.

Passbolt does not autofill things like credit card details, which is entirely appropriate for software aimed at group use. By default, the team administrator will receive email notifications whenever a new password is created.

Final thoughts

There is very little not to like about Passbolt. It is a very functional and highly audited open-source team password manager which you can self-host for maximum privacy, or let Passbolt SA do the hard work for you.

Premium features are quite limited at the moment, making the Community Edition a very attractive option for anyone with the fairly minimal technical chops required to set up an instance themselves. That said, the upcoming mobile apps, in particular, which will be available to Premium users only, may alter this equation.

Browser-based cryptography remains imperfect, but it is very convenient, and Passbolt has clearly gone to great lengths to ensure it is as good as it gets.

Written by: Douglas Crawford

Has worked for almost six years as senior staff writer and resident tech and VPN industry expert at ProPrivacy.com. Widely quoted on issues relating to cybersecurity and digital privacy in the UK national press (The Independent & Daily Mail Online) and international technology publications such as Ars Technica.
