Evaluating Passwd.team — how much does the lack of audits matter?
Posted by OkArt331@reddit | sysadmin | 3 comments
Looking at Passwd.team for a small org since we’re already fully on Google Workspace and its model aligns with that, but I haven’t found any independent audits or pentest results for it.
For those who’ve evaluated similar tools:
Is that a hard blocker, or something you’d weigh against the architecture? What app-layer risks would you focus on in a setup like this?
Just trying to sanity-check the risk here.
disclosure5@reddit
I find this to be some extremely questionable weasel wording from their FAQ. It's fine to not be SOC2 certified. It costs a lot and most orgs have better places to spend security investment.
Writing something implying that you are, then actually meaning "we store stuff on Google Cloud and they are SOC2" is a really big stretch and misleads about what's going on.
gumbrilla@reddit
Oh for sure. This is awful. You can say it's all in your cloud as a great selling point, but Google's SOC2 won't cover custom apps obviously, and all the processes going into creating and maintaining a product. That sort of weasel wording is a hard no instantly from me.
If I can't download their SOC2, and am happy with the scope, then it's not worth anything. I mean we're SOC2 and I know what goes into it, and while we are actually pretty damn good, I could easily fool auditors given the level they go to, should I be evil aligned.
skossan@reddit
When it comes to passwords, secrets, keys, etc., I would not trust anything that is not open-source. Mind you, I know nothing about passwd specifically, but I don't think a better alternative than Vaultwarden exists right now. Of course this is very subjective. I don't know anything about your situation or needs.