I'd strongly advise against 1Password. Several answers here recommend it and, I suspect, conflate personal use with "good enough for business". Hard disagree.

Your company can apply various aspects of threat modelling, and more often than not several companies I've worked with find that self-hosted Bitwarden meets a lot of requirements; this is the best solution in terms of privacy, security and controlling your trust boundaries. Failing that, Bitwarden Enterprise (they host) is just as good. In either case there are granular controls for what your new hires can be given access to.

There won't be a perfect solution for things such as notifying everyone about rotation, but it isn't needed: simply rotate the secret, and the next time they need it they get the new version.

Of course I agree with the general advice: use SSO where possible. But I fully recognise that it isn't always possible with some third-party services that haven't implemented it yet.

There is a cruder solution I've often seen too. It's a bit painful, but KeePass2/KeePassXC on a company-hosted SAN is the ultimate offline, fully controlled solution; it comes with extra hurdles to access, whereas Bitwarden is browser-based and simpler to use.


We used 1Password at a ~6,000 employee tech company and it was fine. Never had any issues with 1Password.


Why do you disagree that 1Password is good enough for business?


We use Bitwarden as well. It seems to offer the sort of fine-grained controls that let the right people have access to the right secrets.


What makes Bitwarden better than 1Password for company use?


They mention self-hosting. Unless there's a long-game supply chain attack where they infiltrate the vendor and poison the updates and nobody notices until it's too late (that disaster scenario can always happen), at least not all your passwords are gone the minute the central server where everyone's data is stored gets compromised.

I don't have much experience with either product, but based on what the person said, that seems the most plausible reason to me. If 1Password does something like encrypting it for every user individually so that the server can't read the stored data (e.g. it is decrypted in the browser with the user's password, so an attacker would again need to compromise the website, wait, and hope nobody notices until their target logs in), then I guess GP really needs to clarify what they meant.
