Review: Password managers help keep hackers at bay
LastPass, Keeper top the field in test of 10 password managers.
By David Strom
In 2013, we reviewed six password managers, some suitable for enterprises and some primarily for consumers. The field has exploded and today there are more than two dozen products on the market. Even the popular TV show “Shark Tank” recently evaluated a password manager startup.
But this level of activity doesn’t necessarily indicate quality. We found that some of the products we reviewed two years ago haven’t improved as much as they could have. And some of the newer products are still a work in progress.
Password managers are an important first step for organizations that want to strengthen their security by helping users cope with multiple logins. While browsers have gotten more intelligent about storing passwords and synchronizing them across different platforms, you might want to have more control over the way your users manage passwords, which is where these tools come into play. Password managers are often seen as a less expensive and easier to implement solution than single sign-on products, which we’ve also reviewed.
In this review, we looked at 10 tools: Dashlane for Business, Keeper Security Enterprise, LastPass Enterprise (now part of LogMeIn), Lieberman Enterprise Random Password Manager, LogMeOnce Enterprise Edition, Manage Engine Password Pro, Agilebits1Password for Teams, StickyPassword, SplashID TeamsID, and SingleID. (Manage Engine is now owned by Zoho, which has a separate SaaS-based password product called Vault. We didn’t test it because it’s more consumer-oriented.)
+ ALSO ON NETWORK WORLD How to evaluate password managers
In the two years since our last test, most of the products have made at least some strides in strengthening their features and sharpened their focus on the enterprise, although some (like Dashlane and TeamsID) are still just a small step up from a consumer product.
Others, such as LastPass and Manage Engine, have improved to the point that they could be close to offering what a single sign-on tool has, without the additional administrative hassles.
The basics for these products haven’t changed: all (except SingleID) create some kind of master “vault” that stores your login information and is protected with a special password. The tools automate your logins to various online and local servers, and manage the strength and diversity of your password collection.
Features chart
| Product | Annual Price (per user) | Versions | Mobile Apps | Features |
|---|---|---|---|---|
| Dashlane for Business | $40 | Windows, Mac, Browsers, SaaS | iOS, Android | Enterprise management, multifactor authentication |
| Keeper Security Enterprise | $48 +$750/year/installation | Browsers, SaaS | iOS >8.0, Android, BlackBerry, Kindle, Nook, Windows Phone | Enterprise management, multifactor authentication, Active Directory support |
| Lastpass Enterprise | $24 | Windows, Mac, Linux, Browsers, SaaS | iOS, Android, BlackBerry, Windows Phone | Enterprise management, multifactor authentication, Active Directory support |
| Lieberman Enterprise | $25,000 (one time) | Windows, SaaS (2) | None | Enterprise management, multifactor authentication, Active Directory support |
| LogmeOnce Enterprise Edition | $65 | Browsers | iOS >8.0, Android | Enterprise management, multifactor authentication, Active Directory support |
| Manage Engine Password Manager Pro | Starting at $1,238 (one-time) | Windows, Linux | iOS, Android | Enterprise management, multifactor authentication, Active Directory support |
| AgileBits 1Password for Teams | $60 | Windows, Mac, Browsers | iOS, Android | Limited enterprise management |
| SingleID | Free | None | iOS, Android, Windows Phone | Multifactor authentication support |
| Sticky Password Premium | $20 | Windows, Mac, Browsers, SaaS | iOS, Android, BlackBerry, Kindle | Multifactor authentication support |
| TeamsID | $36 | SaaS | None | Limited enterprise management |
Winners and Losers
The two strongest products in terms of protecting individual user logins are LastPass and Keeper. Always a strong product, LastPass has gotten stronger in the past two years and has the largest collection of enterprise security policies.
While Keeper supports a larger collection of mobile devices, LastPass isn’t far behind. Keeper has a more elegant login method for mobiles, which could be a consideration. Keeper will cost at least twice as much as LastPass, however.
If you want a password management tool mainly for your IT team that has to administer many servers, then consider either Lieberman or Manage Engine. While Lieberman’s tool has long been around for this purpose, its interface is showing its age and Manage Engine can be a cheaper and just as functional alternative.
We included SingleID in this review because it is trying to do something quite innovative: part password manager, part identity manager. Basically, you use its smartphone app to encode your identity in a single, six-digit passcode to build your own secure identity infrastructure.
The other tools are more for individual consumers or lag behind in terms of features.
Pricing on these products is all over the map: some charge an annual per-user subscription fee that is generally less than $50, others charge a one-time license fee that can be a few thousand dollars (Manage Engine) to multiple thousands of dollars (Lieberman), and one is completely free (SingleID).
Score card
| Product | Client breadth | Mobile ease of use and support | Enterprise management depth | Total |
|---|---|---|---|---|
| Dashlane for Business | 4 | 4 | 2 | 3.3 |
| Keeper Security Enterprise | 5 | 5 | 3 | 4.3 |
| Lastpass Enterprise | 5 | 3 | 5 | 4.3 |
| Lieberman Enterprise | 3 | 0 | 5 | 2.7 |
| LogmeOnce Enterprise | 3 | 4 | 3 | 3.3 |
| Manage Engine Password Manager Pro | 3 | 2 | 5 | 3.3 |
| AgileBits 1Password for Teams | 3 | 2 | 2 | 2.3 |
Individual reviews
Consumer-focused Dashlane recently entered the enterprise market with its Business product, which is still a work in progress. Dashlane for Business adds a thin veneer of additional enterprise and team management software that is available via a browser window.
The Business version lacks an Active Directory agent, although they are working on it for next year. Instead, you have to export a list of Active Directory users and import it into their product.
The current version only works on iOS v8 and above, although it will install an earlier version for older operating systems. That is a nice touch, and we wish other vendors would follow their lead here, rather than locking out older smartphone models entirely. Another nice touch is that you can quickly import your entire password vault from several competitors’ products, including iPassword, Keeper and LastPass. That’s good if you want to migrate away from those tools.
One rather unique aspect of the product is a web-based email inbox scanner, which anyone can access even if you aren’t a current customer. Once you grant the scanner temporary access to your inbox, it will produce a report that shows you how many account passwords are present in your inbox. The theory is that if they can find them, so can a hacker who might get into your account. In my account, there were hundreds of passwords, and it also spotted my favorite reused password with ease.
It has simple two-factor support: you have just a single option, to enable this for new devices when you add them or for all logins; there is no step-up authentication for individual apps. It just supports Google Authenticator now and there are plans to add Yubico’s MFA key and other tools in January. You can also make use of the fingerprint readers for the mobile phone versions as an additional factor.
Dashlane comes with a separate management dashboard web page that shows you summary statistics, such as the number of users and passwords that it is storing and their overall strength. The information is available for your entire enterprise too. This is just for display purposes: other products have more actionable dashboards.
Dashlane has a SaaS version, which is very stripped down and just used to login to existing sites. You can’t make any changes or add new sites: you have to do that in either the desktop or mobile versions.
Dashlane doesn’t support 64-bit IE versions, you’ll need to launch the 32-bit version. We had trouble getting IE v8 setup and suggest that if you are still using that ancient version, this isn’t the product for your enterprise. Overall, Dashlane has some solid features for individual use but Keeper and LastPass have moved ahead of them in the past few years for the enterprise.
Dashlane for Business comes with a free onboarding session, whereby a consultant helps you get started, imports your users, and makes sure that the product is setup properly. This is included in its price, which makes it a good value.
Dashlane has a free version that has limited features. Both the consumer and business versions cost $40 per year per user, with large discounts for quantity purchases.
Keeper comes in browser extensions that really don’t do much more than bring up the SaaS-based version of the product. There are many different mobile versions (more than most of its competitors) including BlackBerry, Kindle, Nook, and Windows Phone, plus iOS and Android. Perhaps this is why Keeper is pre-installed on numerous smartphones by both Orange and AT&T. Note that for iOS you’ll need at least v8. Keeper comes a close second to LastPass in terms of overall benefit.
The mobile versions bring up a protected browser session, and your username and password information are shown across the top. When you get to the part where you want to login, you tap on each credential and they are placed in the appropriate spots on the app. That is a very neat and clean way to do the logins and better than any other product we looked at. If your users need something to support logins from their phones, this should be the first product you look at.
Their security scorecard for each user is somewhat basic, but nice to have.
Keeper supports a variety of second authentication factors, including RSA SecurID, SMS, voice calls and Google Authenticator. You can only have one method active for your account at any time, and there is no step-up authentication for individual apps.
Keeper uses a separate Web-based portal for its enterprise specific features, such as the ability to enforce a second authentication factor, password complexity requirements, a list of users and their supported mobile devices, and the Active Directory agent.
Like the other tools, it has a complex password generator. You just click the button next to the password field and it fills in with some random sequence. Unlike LastPass and some of the other tools, you don’t have any options for its format, other than the enterprise-level complexity parameters.
Keeper does not have access to any vault data as all of this is encrypted in the cloud and the key to encrypt and decrypt it resides with the user and occurs at their device.
The base plan for Keeper Enterprise is an annual $750 fee plus $48 per user per year. There is also a personal version that starts at $10 per user per year for a single device.
LastPass continues to have one of the largest collections of supported clients, spanning mobile (including Blackberry and Windows Phone), Web and desktop versions. Their enterprise management has been significantly improved, adding some solid features.
LastPass has had a busy year. First, there was a well-publicized security breach and then at a session at BlackHat Europe, two researchers were able to compromise an account via a series of exploits. In November, the company was acquired by LogMeIn. Despite these issues, they still have a solid solution.
The product has always been designed for the enterprise and there are now several ways to provision users: via a bulk series of emails, synchronization with its Active Directory agent, writing custom code with its documented API, integration with the standard Windows Login process, and via SAML connections.
SAML is supported for a variety of third-party apps and also includes the ability to provision and de-provision users on Google Apps, Box, Amazon Web Services, WordPress, and some others. De-provisioning is important: this means as you delete users from your enterprise accounts (such as from Active Directory), they automatically are deleted from your LastPass records and from the corresponding service provider. Many of LastPass’ competitors have ways to synchronize with Active Directory but not take this additional step. LastPass also works with authentication systems such as SecureAuth or RSA SecurID. All of this is impressive, and certainly more useful than any other password utility we tested.
Like other tools, these features are managed via a series of web menus. But unlike the others, LastPass’ are somewhat difficult to initially navigate. This reflects how the product has grown in the past several years. Configuration screens are spread across four menu trees: one for more than 50 security policy setup options, one for user management, one for various reports and one for managing SAML connections.