Passwordcockpit
Self-hosted security & authentication tool that provides a web-based password manager for teams.
Self-hosted password management for teams, honestly reviewed. No marketing fluff, just what you get when you deploy it.
TL;DR
- What it is: A free, open-source (BSD-3-Clause) self-hosted web password manager for teams, built in PHP/JavaScript and running on Docker [README].
- Who it’s for: Small teams or IT admins who want a simple, deployable password vault with folder-based permissions and LDAP authentication — and don’t need the feature depth of Bitwarden or Passbolt [3].
- Cost savings: SaaS team password managers like 1Password Teams ($19.95/mo) or LastPass Teams ($4/user/mo) add up fast. Passwordcockpit is $0 in licensing on a $5–10/mo VPS.
- Key strength: Genuinely lightweight, BSD-3-licensed, ships with LDAP, folder-level ACLs, and a REST API with Swagger docs out of the box [README].
- Key weakness: 134 GitHub stars — the smallest presence in the category by a wide margin. Near-zero third-party reviews. The project appears to be maintained but not growing. Pick this only if simplicity and license matter more than community and ecosystem depth [GitHub][2].
What is Passwordcockpit
Passwordcockpit is a self-hosted, web-based password manager built for teams. It is made in PHP, JavaScript, and MySQL or MariaDB, runs as a Docker service, and lets users store, share, and retrieve passwords, certificates, and file attachments from any device [README].
The project comes from Switzerland and describes itself simply: “a simple, free, open source, self hosted, web based password manager for teams” [README]. That description is accurate and unusually honest for a product homepage — the website doesn’t overclaim.
What differentiates it from desktop tools like KeePass is the web-first, multi-user model with role-based access control. Every password lives in a folder. Each folder has a list of users, and each user has either Read or Manage access to that folder. Admins can optionally have global access across all folders, or that permission can be locked away entirely [README]. It’s a credentialing structure that makes sense for a small IT team managing a shared vault.
The license is BSD-3-Clause, which is more permissive than the GPL and more permissive than the “Fair-code” license on n8n. You can fork it, embed it, or deploy it commercially without negotiating with anyone [README].
Where it falls short is on the momentum side. At 134 GitHub stars, this is not a community darling. It appeared in a 2020 GlassWire forum poll of 75 password managers and received exactly zero votes [2]. It shows up in a 2025 roundup of 13 free self-hosted password managers as a three-sentence entry [3]. There is no r/selfhosted hype, no YouTube setup tutorials, no Trustpilot page. You are largely on your own.
Why people choose it
The honest answer is that the evidence base for “why people choose it” is thin. No detailed third-party reviews exist as of this writing. What we can extract from the available context:
It shows up in alternatives lists for team password managers. The ebool.com comparison page [1] lists it among QGuard alternatives alongside heavier tools like 1Password and Devolutions Password Hub, noting it “enables secure storage and sharing of passwords, certificates.” The medevel.com roundup [3] calls it “lightweight and self-hosted” and notes it “ensures secure storage, sharing, and retrieval of passwords, certificates, files, and more, making it a versatile and reliable solution for team collaboration.” Neither review goes deeper than a paragraph.
LDAP is the draw for teams with Active Directory. The README explicitly covers LDAP authentication with configurable account filter format [README]. For a small business already running an LDAP or Active Directory server, having the password vault authenticate through the same user directory matters. Larger tools like Passbolt and Vaultwarden also support LDAP, but Passwordcockpit ships it as a documented, supported feature rather than a plugin.
BSD-3 license is genuinely permissive. Passbolt has a community edition but is AGPL for the open-source version (the commercial tiers are proprietary). Bitwarden’s server is AGPL. If you need to embed or redistribute a password manager as part of a product, BSD-3 is a cleaner starting point.
Docker-native from day one. The install story is docker-compose up and that’s it [README]. No LAMP stack to configure manually. For teams that already run Docker, that reduces the friction significantly.
Features
Based on the README and website documentation:
Core password management:
- Web-based UI accessible from any device, including mobile [README]
- Folder-based organization of credentials
- File attachments alongside passwords (certificates, key files, etc.)
- Password PIN encryption for individual entries — lets a user encrypt a password with their own PIN so it’s hidden even from admins with global access and teammates in the same folder [README]
Access control:
- Global permissions: five tiers — normal user, create/manage users, create folders, access all directories, view logs [README]
- Folder permissions: three tiers — no access (default for unassigned users), read-only, manage (add/edit/delete passwords inside the folder) [README]
- Users can be assigned to a subfolder without needing access to the parent folder [README]
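To make the permission model above concrete, here is a small Python model of it. This is an added illustration, not the project's own code: class and function names are assumptions, the "access all directories" global permission is treated as manage-level on every folder (the page says only "global access"), and parent-to-child inheritance is deliberately not modelled because the page does not claim it. It also models the Password PIN rule, under which a PIN-encrypted entry is hidden even from a global admin.

```python
"""Toy model of the folder permission model this page describes for
Passwordcockpit: no access by default, read vs manage per folder, a global
"access all directories" tier, subfolder assignment independent of the parent,
and per-entry PIN encryption that hides a secret even from global admins.
Added illustration, not the project's code; names are assumptions."""
from dataclasses import dataclass, field
from typing import Optional

NONE, READ, MANAGE = "none", "read", "manage"
ACCESS_ALL = "access_all_directories"   # one of the five global tiers on the page


@dataclass
class User:
    name: str
    global_perms: frozenset = frozenset()


@dataclass
class Folder:
    path: str
    acl: dict = field(default_factory=dict)   # user name -> READ or MANAGE


@dataclass
class Entry:
    folder: Folder
    title: str
    pin_owner: Optional[str] = None   # set when this user PIN-encrypted the entry


def folder_access(user, folder):
    """Effective level on one folder. Global access is treated as MANAGE
    everywhere (assumption). No inheritance from parent folders: a user
    listed on /infra is not automatically listed on /infra/prod."""
    if ACCESS_ALL in user.global_perms:
        return MANAGE
    return folder.acl.get(user.name, NONE)   # unassigned users get no access


def can_read(user, folder):
    return folder_access(user, folder) in (READ, MANAGE)


def can_manage(user, folder):
    return folder_access(user, folder) == MANAGE


def can_reveal(user, entry):
    """A PIN-encrypted entry is readable only by the PIN owner, regardless of
    folder rights or global access; everything else follows folder read."""
    if not can_read(user, entry.folder):
        return False
    return entry.pin_owner is None or entry.pin_owner == user.name


# Constructed sample team: alice manages both folders, bob is assigned to the
# subfolder only, carol is a global admin, dave is unassigned.
alice = User("alice")
bob = User("bob")
carol = User("carol", frozenset({ACCESS_ALL}))
dave = User("dave")
infra = Folder("/infra", {"alice": MANAGE})
prod = Folder("/infra/prod", {"alice": MANAGE, "bob": READ})
root_pw = Entry(prod, "root password")
bob_token = Entry(prod, "bob's API token", pin_owner="bob")

if __name__ == "__main__":
    for u in (alice, bob, carol, dave):
        print(u.name, folder_access(u, infra), folder_access(u, prod),
              can_reveal(u, root_pw), can_reveal(u, bob_token))
```

Running it shows the two properties worth checking in any deployment: bob can read the subfolder without seeing the parent, and carol's global access does not reveal bob's PIN-protected entry.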
Authentication:
- Database-stored passwords (default)
- LDAP with configurable account filter format; profile data syncs from LDAP on each login when LDAP mode is active [README]
Encryption:
- Three layers: Password PIN (per-entry encryption), SSL in transit, database encryption for credentials and files [README]
- Custom SSL certificates supported via volume mount; falls back to auto-generated self-signed certificate [README]
- PASSWORDCOCKPIT_BLOCK_CIPHER_KEY environment variable keys the database encryption — lose this key and the vault data is unrecoverable [README]
API and developer access:
- REST API with optional Swagger UI at /swagger/index.html [README, website]
- API can be enabled or disabled via environment variable
- JWT-based authentication with a configurable secret key [README]
Deployment configuration:
- Full list of environment variables for database, SSL, encryption keys, LDAP settings, debug mode [README]
- Docker images published to Docker Hub under passwordcockpit/passwordcockpit [README]
- Runs as non-root user in the container; uses port 4343 (HTTPS) or 8080 (HTTP) instead of standard 80/443 [README]
What it does not include in any visible documentation: browser extensions, TOTP/2FA management, password health scoring, breach monitoring, hardware key (YubiKey/FIDO) support, or team audit logs as a standard user-facing feature. The “Can view log” global permission suggests some logging exists, but the extent is not documented in the README.
Pricing: SaaS vs self-hosted math
Passwordcockpit has no cloud SaaS tier. It is purely self-hosted. The licensing cost is $0.
What you’re comparing against:
| Tool | Pricing |
|---|---|
| 1Password Teams | $19.95/mo (up to 10 users), ~$2/user/mo above that |
| LastPass Teams | ~$4/user/mo |
| Dashlane Business | ~$8/user/mo |
| Keeper Business | ~$5/user/mo |
| Bitwarden Teams | $3/user/mo |
| Passbolt Cloud | Free (community) to ~$49/mo (Business) |
| Passwordcockpit | $0 license + $5–10/mo VPS |
For a team of 10 on 1Password Teams, you’re paying $19.95/mo minimum — $239/year. On LastPass that’s $40/mo — $480/year. On a $6 Hetzner VPS with Passwordcockpit, it’s $72/year regardless of user count.
The math is real, but the honest caveat: Bitwarden self-hosted is also free and has a vastly more mature codebase, browser extensions, mobile apps, and a 38,000+ star GitHub project behind it. The price difference between Passwordcockpit and self-hosted Bitwarden (or Vaultwarden) is $0 vs $0. The comparison you’re really making is time-to-configure and feature depth, not licensing cost.
Deployment reality check
The install path is docker-compose up with a docker-compose.yml file from the repository. The README documents every environment variable in a clear table, which is more than many projects offer [README].
What you’ll configure:
- MySQL or MariaDB (can be run as a sidecar container in the same compose file)
- PASSWORDCOCKPIT_BLOCK_CIPHER_KEY — a 32-character string that encrypts all stored passwords and files. The README warns explicitly: “do not lose this key, without it you will not be able to decrypt passwords and files” [README]
- PASSWORDCOCKPIT_AUTHENTICATION_SECRET_KEY — JWT signing key
- SSL certificate (auto-generated self-signed, or mount your own cert/key)
- Optionally: LDAP settings, Swagger enable/disable, debug mode
Port note: Because the container runs as a non-root user, standard ports 80 and 443 are not used. HTTPS runs on 4343, HTTP on 8080. If you’re putting a reverse proxy (nginx, Caddy, Traefik) in front, this is transparent. If you’re not, you’ll need to know this before you start [README].
Volume you must mount: /var/www/html/upload for file attachments. If you don’t mount this, attachments disappear on container restart. The README marks this as important [README].
Realistic time estimate:
- Developer comfortable with Docker: 20–40 minutes to a working instance behind a reverse proxy.
- Non-technical user following documentation: 2–4 hours, including domain setup and SSL configuration.
- Someone who has never run a Docker container: this is not the right starting point; use Bitwarden’s hosted tier instead.
One operational risk worth flagging: the encryption key setup is a single point of failure with no recovery mechanism documented. Back up the key before you store anything of value. This is a fairly standard constraint for encrypted-at-rest storage, but the README’s phrasing — “without it you will not be able to decrypt” — is as stark as it needs to be.
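The deployment steps above reduce to a short pre-flight routine: generate the two keys, write them to an environment file that nothing else can read, make sure a second run cannot silently replace the cipher key, and confirm the compose file has the upload volume and a port mapping. The script below does that. It is an added example, not the project's code, and uses only the settings documented on this page (PASSWORDCOCKPIT_BLOCK_CIPHER_KEY at 32 characters, PASSWORDCOCKPIT_AUTHENTICATION_SECRET_KEY, the /var/www/html/upload volume, ports 4343 and 8080, the passwordcockpit/passwordcockpit image). The .env file name, the compose layout and the MariaDB sidecar are assumptions; the database connection variables are in the README's table, not on this page, so the sample compose fragment leaves them as a comment.

```python
"""Pre-deploy checks for a Passwordcockpit compose stack. Added example, not
project code. Only the settings documented on this page are used; file names,
compose layout and the 48-character JWT key length are assumptions."""
import os
import secrets
import string
import tempfile
from pathlib import Path

KEY_ALPHABET = string.ascii_letters + string.digits
CIPHER_KEY_LEN = 32   # the README's stated length for the block cipher key


def gen_key(length=CIPHER_KEY_LEN):
    """Random key from the OS CSPRNG, limited to characters that need no
    quoting in a .env file or YAML."""
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(length))


def valid_cipher_key(key):
    return len(key) == CIPHER_KEY_LEN and all(c in KEY_ALPHABET for c in key)


def write_env(path, cipher_key, jwt_key):
    """Create .env with mode 0600. Refuses to overwrite an existing file:
    replacing the cipher key would orphan everything already stored."""
    if not valid_cipher_key(cipher_key):
        raise ValueError("cipher key must be exactly 32 characters")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)  # O_EXCL: fail if present
    with os.fdopen(fd, "w") as f:
        f.write(f"PASSWORDCOCKPIT_BLOCK_CIPHER_KEY={cipher_key}\n")
        f.write(f"PASSWORDCOCKPIT_AUTHENTICATION_SECRET_KEY={jwt_key}\n")
    return Path(path)


# Constructed compose fragment using only values the page documents.
SAMPLE_COMPOSE = """\
services:
  passwordcockpit:
    image: passwordcockpit/passwordcockpit
    env_file: .env            # cipher + JWT keys; add the DB variables from the README table
    ports:
      - "4343:4343"           # HTTPS; the non-root container never binds 80/443
    volumes:
      - ./upload:/var/www/html/upload   # attachments vanish on restart without this
    depends_on: [db]
  db:
    image: mariadb            # sidecar database, configure per its own docs
"""


def compose_issues(compose_text):
    """Flag the two deployment pitfalls this page calls out."""
    issues = []
    if "/var/www/html/upload" not in compose_text:
        issues.append("missing /var/www/html/upload volume: attachments are lost on restart")
    if not any(p in compose_text for p in (":4343", ":8080")):
        issues.append("no mapping to container port 4343 or 8080: nothing listens on 80/443")
    return issues


def preflight(directory=None):
    """Generate keys, write .env once, prove a rerun cannot clobber it, and
    check the compose fragment. Returns the facts a deploy script acts on."""
    directory = Path(directory or tempfile.mkdtemp())
    env_path = directory / ".env"
    cipher, jwt = gen_key(), gen_key(48)
    write_env(env_path, cipher, jwt)
    try:
        write_env(env_path, gen_key(), gen_key(48))   # second run must not replace the key
        overwritten = True
    except FileExistsError:
        overwritten = False
    mode = os.stat(env_path).st_mode & 0o777 if os.name == "posix" else None
    return {
        "cipher_key": cipher,
        "env_text": env_path.read_text(),
        "overwritten": overwritten,
        "mode": mode,
        "compose_issues": compose_issues(SAMPLE_COMPOSE),
        "bad_compose_issues": compose_issues(
            "services:\n  passwordcockpit:\n    image: passwordcockpit/passwordcockpit\n"),
    }


if __name__ == "__main__":
    for key, value in preflight().items():
        print(f"{key}: {value}")
```

The refusal to overwrite is the part that matters operationally: the cipher key has no documented recovery path, so the safest automation is one that can only create it, never regenerate it in place. Copy the generated .env to offline backup before the first password goes into the vault.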
Pros and cons
Pros
- BSD-3-Clause license — one of the most permissive open-source licenses available. No AGPL compliance concerns, no “fair-code” restrictions, no commercial use clauses [README].
- LDAP support included — not a plugin, not a paid tier feature. Documented and configurable via environment variables [README].
- Folder-level ACLs with user-granular read/manage permissions — a real access control model, not just a shared vault [README].
- Password PIN encryption — individual entry encryption that hides a credential even from admins with global access. Useful for shared vaults where you need to store something that only one person should read [README].
- REST API with Swagger — the API can be enabled and documented at /swagger/index.html. Useful for automation or integration into IT workflows [README].
- Mobile-responsive UI — the README includes screenshots of a mobile layout [README].
- Non-root Docker container — a security-positive implementation detail that most small projects skip [README].
- Swiss origin — not directly relevant to the technical stack, but relevant for EU teams with data residency requirements.
Cons
- 134 GitHub stars — the lowest in this category by a large margin. Passbolt has 4K+ stars, Vaultwarden has 38K+, even Teampass has 2.3K. A low star count correlates with fewer contributors, fewer bug reporters, less documentation, and slower security response times [GitHub].
- Near-zero community presence. Received zero votes in a 75-option password manager poll [2]. No dedicated Reddit community, no active forum, no tutorial ecosystem.
- No browser extension — there is no documented browser extension. For a team using this daily, manual copy-paste from the web UI is the workflow.
- No TOTP/2FA management — many teams use a password manager as a second-factor code store. No evidence this is supported.
- No breach monitoring or password health scoring — features that Bitwarden and 1Password provide out of the box.
- No mobile app — the UI is mobile-responsive (web), but there is no native iOS or Android application.
- Single encryption key is a single point of failure — no documented key rotation or recovery mechanism.
- PHP stack — not inherently bad, but the PHP/Apache backend is less fashionable for greenfield projects and fewer developers will feel comfortable auditing or extending it versus a Node.js or Go backend.
- Minimal third-party security audits. No mention of external penetration testing or security reviews in the documentation or available articles.
Who should use this / who shouldn’t
Use Passwordcockpit if:
- You run a small team (under ~20 people) that needs a shared web vault with folder permissions and you’re already running Docker.
- Your org uses LDAP or Active Directory and wants the password manager to authenticate through it.
- You need BSD-3-licensed software specifically — for embedding, redistribution, or legal compliance reasons.
- You want the absolute minimum setup footprint: one compose file, no plugins, no cloud sync.
- You’re an IT admin who can tolerate a sparse community and is comfortable self-supporting the deployment.
Skip it (use Vaultwarden instead) if:
- You want browser extensions, mobile apps, TOTP support, and password health reports — and you still want to self-host. Vaultwarden is a Bitwarden-compatible server written in Rust with 38K+ stars, active development, and the full Bitwarden client ecosystem. It’s the default answer for self-hosted team password management [category comparison].
- You want a larger community and better documentation.
Skip it (use Passbolt instead) if:
- Security audits, end-to-end encryption architecture, and team collaboration are the priority. Passbolt is AGPL (open-source community edition), has regular third-party security reviews, and is built around a zero-knowledge model where the server never sees plaintext [3].
- You need compliance documentation to show stakeholders.
Skip it (stay on 1Password or Bitwarden Cloud) if:
- Your team has no one comfortable managing a VPS and Docker containers.
- You value support SLAs and a vendor to call when something breaks.
- Browser extension UX is non-negotiable for your users.
Alternatives worth considering
From the medevel.com roundup [3] and the category context:
- Vaultwarden — Bitwarden-compatible server in Rust. 38K+ GitHub stars, browser extensions, mobile apps, TOTP support, full Bitwarden client compatibility. The clear default choice for self-hosted team vaults. [Not referenced in provided sources — widely known.]
- Passbolt — AGPL open-source, end-to-end encrypted, regular security audits, browser extension, active community at 4K+ stars. Stronger security posture than Passwordcockpit [3].
- Teampass — PHP-based collaborative password manager with MySQL, similar architectural profile to Passwordcockpit but with 2.3K+ GitHub stars and a longer track record [3].
- sysPass — PHP-based, ACL-driven, supports LDAP, custom fields. Similar niche, slightly more active community [1][3].
- KeeWeb — browser and desktop KeePass-compatible client, works without a server component. Better for individual use than team sharing [3].
- Bitwarden Cloud (paid) — if you don’t want to self-host, Bitwarden Teams runs $3/user/mo, has mobile apps, browser extensions, and a full audit history. More expensive than self-hosting but significantly lower operational overhead.
For a non-technical founder trying to escape 1Password or LastPass bills, the realistic shortlist is Vaultwarden (best self-hosted feature depth) or Passbolt (best security posture). Passwordcockpit is a viable third option only if the BSD-3 license or the specific permission model is the deciding factor.
Bottom line
Passwordcockpit does what it says: it’s a simple, free, Docker-deployable team password manager with folder-level ACLs, LDAP support, and a REST API. The BSD-3 license is genuinely useful in contexts where AGPL or Fair-code creates problems. The deployment story is clean. The permission model is sensible.
The honest constraint is adoption. With 134 GitHub stars and zero votes in the most comprehensive password manager poll available [2], this is a project with minimal community momentum. That means fewer tutorials, slower security patches, less documentation, and fewer people who can help you debug a problem. The same self-hosting effort gets you Vaultwarden — which has browser extensions, mobile apps, and a 38,000-strong GitHub community behind it — at the same price point of $0 in licensing.
Passwordcockpit earns its place on the shortlist for a narrow use case: teams that specifically need BSD-3-licensed software and a dead-simple Docker deploy with no client apps to manage. For everyone else, the alternatives are more mature and better supported.
Sources
- [1] ebool.com — “Top 15 QGuard Alternatives & Similar Software”. https://www.ebool.com/alternatives/qguard
- [2] GlassWire Internet Security Forum — “What Password Manager do you use? (2020)”. https://forum.glasswire.com/t/what-password-manager-do-you-use-2020/9532
- [3] Hazem Abbas, medevel.com — “Top 13 Free Self-Hosted Password Managers for Teams and Agencies in 2025”. https://medevel.com/best-web-based-password-manager-1300/
Primary sources:
- GitHub repository and README: https://github.com/passwordcockpit/passwordcockpit (134 stars, BSD-3-Clause license)
- Official website: https://passwordcockpit.com
- Docker Hub: https://hub.docker.com/u/passwordcockpit