Password managers like LastPass and 1Password have a significant advantage over offline database tools like KeePass: You can easily share individual passwords with your co-workers in a somewhat secure way.
KeePass for instance lacks the ability to do just that. You can either a) share the entire database or b) use multiple databases with different passwords. However, a) is not secure as your co-workers get access to passwords they do not need and b) is very inconvenient.
LastPass (or 1Password, Bitwarden) makes sharing individual passwords within your team very easy, convenient and secure enough. You can create shared folders and define permissions to access those by certain members of your team, and most importantly, deny access to other members. Is there any offline-based password manager that allows you to do that (and is usable by the average Joe)?
1Password does not support sharing (or transferring) of single passwords. You can for example not create an account for a user and send him the credentials through 1Password.
How well does KeePass support having multiple open databases? And ideally one would also want something like GPG where every sysadmin has his own password to the same shared file, which I do not think it supports.
In my experience, KeePass works great with 2 databases open.
On my work computer, I have my own personal DB and my work DB open at all times.
I mainly use the passwords for the web, and the Kee extension in Firefox and Chrome finds the right password without any problem, from both DBs.
I have my personal SSH keys stored in my DB as well, and PuTTY can access them without problem.
I can't speak for shared DB though, as I've never used it in that way.
My spouse and I share our streaming media accounts, for example. We also share passwords for the account on the utility company website, the phone company, and the internet company; some are under my name, some his, but they are really joint bills.
The other case I've run into is at work, when the company has an account with an outside vendor rather than individual users.
- You have a social media account that a group of people should be able to access. (Facebook does this "right," in that pages don't have their own login credentials, and you go through your personal Facebook account to access the page. But I kind of wouldn't want to use my personal Facebook account for work, anyway. Twitter, Instagram, Reddit, etc. treat each account as its own log-in-able entity.)
- You have an AWS account where you want to avoid a single point of failure for the root credentials. Yes, each person should use their own IAM creds for day-to-day use, but if person X is unavailable person Y should be able to get to things. (And for casual projects, "learn about IAM" is a significant burden over "learn how to upload pages to S3" for limited benefit.)
- You have a web hosting account from someone who's not AWS who gives you a single username and password. Or a DNS registrar account (most registrars I've seen don't let you split up access). Or whatever.
- You have a shared email account for replying to things as a team, or even for just archiving emails. Again, some systems do this "right" - if you're using Exchange, you can allow one user to access another user's inbox. But most people aren't on Exchange, they're on something like Gmail.
- You have an account for some service where you shouldn't be sharing passwords according to the service, but doing so is strictly in the service provider's benefit, not yours. Netflix is the canonical example.
I have 2FA on my shared AWS account - my project partner and I both scanned the QR code at the same time. (You should be backing up your QR codes anyway in case you lose/break your primary phone; scanning it simultaneously with a secondary phone is a great approach for this.)
Even if this weren't possible, it would still be better to use 1FA than to arbitrarily pick one person to have root account access and lock the other person out simply because you "should" have 2FA.