Review: Passwork 7.0, self-hosted password manager for business
Over the years, the number of services we use has exploded, and so has the need to protect our credentials. Back in what I like to call “the age of innocence,” we scribbled passwords on paper or reused “password123” across five different accounts. Let’s be honest: those days are over. Whether we like it or not, password managers have become essential to good cybersecurity hygiene and one of the first lines of defense against unauthorized access.
Meet Passwork 7.0: Self-hosted and enterprise-ready
Passwork recently launched version 7.0 of its self-hosted password manager, designed for everything from small teams to large enterprises. As an on-premises solution, Passwork runs on your own server, giving your team the ability to create, edit, and share passwords while admins monitor activity and control access to locally stored, sensitive data.
Right now, there’s a browser extension (compatible with all major browsers) and a mobile app for iOS and Android. According to the Passwork roadmap, the desktop apps for macOS and Windows are anticipated to be released within the next three months.
Passwork runs on PHP and MongoDB and can be installed on Windows or Linux, with or without Docker. It supports both single-server and multi-server setups for those needing redundancy or fault tolerance. Thanks to its modest system requirements, it can be deployed locally or in the cloud, depending on your needs.
All data is encrypted with AES-256 and stored securely on your own server. Everything is managed by your system administrators, giving you full control and avoiding reliance on third-party servers.
For more technical environments, there’s an option to enable client-side encryption during setup. This adds an extra layer of protection: data is encrypted on the client with a unique master password per user, so it stays protected both in transit and at rest, and the server never sees it in the clear. It increases security but also adds complexity to how Passwork operates behind the scenes.
I’ll admit, I was pleasantly surprised to see that Passwork offers auditable source code. It’s not something you see every day, and while it won’t matter to everyone, it can be a valuable addition for some teams.
The standard license includes essentials like 2FA, AD/LDAP integration, full API access, and import/export options (JSON, CSV, KeePass XML). For advanced features like SAML SSO with Okta and Azure AD, as well as clustering and failover support, the advanced license is required.
What’s new in Passwork 7.0
Passwork 7.0 brings major improvements in five key areas:
1. Custom user roles
You’re no longer limited to super admins, admins, and regular users. Now you can create roles like “auditor” or “user manager” with any combination of permissions, giving you greater flexibility and control.
2. Expanded API capabilities
The API used to be limited to accessing vaults and folders. Now it can manage users, adjust system settings, and handle almost anything you could do manually. This is especially useful for automation and integration workflows.
3. Passwork DevOps-ready toolkit
This includes the official Python connector and the Passwork CLI utility, which bring enhanced integration and automation capabilities.
4. UI and UX enhancements
The interface has been refined based on user feedback, making it cleaner and more consistent. A new flexible layout lets you resize panes, reorder sections, and customize your workspace. You can also color-code folders for better visual organization.
5. Improved logging and notifications
Administrators get complete visibility into every action and system change. With real-time tracking and instant alerts, they can quickly spot suspicious activity and maintain compliance.
Default user view
Organizing passwords with vaults and permissions
As you open Passwork, you’ll find that data is structured in vaults, which are top-level containers. Inside them, you can create folders and subfolders to organize your passwords however you like. You can rename folders and assign access to specific users or groups.
There are two types of vaults:
- Private vaults (visible only to the owner)
- Shared vaults (once shared, they move from the private to the shared section)
Admins can decide who is allowed to create vaults. You can limit this to certain roles, like management.
Shared vault
Take the example of a shared vault called “IT Department.” Opening it reveals three tabs:
1. Details: Shows login, password, URL, and TOTP (for 2FA)
2. Action History: Who created, shared, or edited the password
3. Editions: Previous versions of the password, which you can view or copy
Credential sharing
To share passwords, you have several options:
- Share a vault or a specific folder by adding users or groups and assigning permissions—admin, full access, read/edit, read-only, or no access.
- Share individual passwords by sending them directly or to users’ inboxes (in Passwork). These are not copies but links to the original passwords. Changes to the original will be reflected only if the recipient has been granted the appropriate permissions, such as read or read/edit access.
- Create links for external sharing. These can be single-use or reusable, with time limits. This is helpful for contractors or customers, though some organizations choose to disable this for security reasons.
- Create shortcuts to a password in another vault/folder without duplicating it. Edits to the original update all shortcuts automatically.
User management
Admin view and user management
In the Management section, system administrators get full control over users, roles, and access.
User management
Admins can:
- View all users
- Set vault and folder access
- Block or delete users
- Manage 2FA settings
Roles and permissions
Managing roles, permissions, groups, and access control
Roles control access to Passwork features and settings. Each role determines which functions are available to the user — for example, managing users, editing vaults, or changing security settings.
Groups, on the other hand, control access rights to vaults and folders. By adding users to groups, you decide which vaults or folders they can view or edit.
Adding users
Users can be:
- Added manually
- Invited by email
- Imported from LDAP (with an advanced license)
Passwork also supports LDAP group mapping, allowing groups to sync directly with LDAP security groups.
SSO and system settings
SSO integration
Passwork supports services like Okta and Azure AD to simplify login and centralize authentication.
System settings
Admins can configure password policies, interface preferences, browser extension options, and vault/folder permissions.
Security dashboard
The dashboard helps identify weak, outdated, or potentially compromised passwords. For example, it can flag passwords last used by former employees. Passwork does this using internal checks only, with no lookups against external breach databases. More advanced features are planned in future updates.
Security dashboard
Activity log
The activity log shows all system events: password actions, user changes, and settings updates. You can filter by user, date, or action. Logs can also be forwarded to the Windows Event Log or Syslog for ingestion by a SIEM, which is a great addition to the regular in-app logging.
Final thoughts
In my testing, Passwork installed smoothly without any technical issues. For more complex setups like clustering or failover, things can get a bit more technical, but nothing an experienced sysadmin can’t handle. With support for LDAP/AD and SSO, Passwork scales well from small teams to large enterprises, offering flexible access control for any organization size.
The expanded API also makes it a solid option for DevOps teams who want to script and automate workflows, something not all password managers offer. Day-to-day use was straightforward, and it’s clear the team has listened to user feedback. I didn’t run into the usual pain points like poor credential sharing or limited access controls. Overall, it’s a simple, focused app that does exactly what you need it to do.
If there’s one area where Passwork could improve, it’s the current lack of desktop apps and support for physical 2FA devices. That said, these features are already on Passwork’s development roadmap and are expected in the near future.
While I didn’t need to contact support during testing, it’s worth noting that Passwork is known for its responsive support team, with advanced license users receiving a 3-hour SLA. That kind of support can make all the difference when you really need it.
The licensing model is flexible, allowing businesses to scale as they grow. Fixed plans cover organizations from 10 to 100 users, while larger deployments are available via custom quotes. A lifetime subscription option is also available upon request.
Since users are often the weakest link in the security chain, providing them with a safe and simple way to manage credentials is essential. Passwork delivers on that, offering a user-friendly solution. It’s up to you to roll it out and get your team on board.