Review: Password managers help keep hackers at bay

Reviews | Dec 07, 2015 | 28 mins
Data and Information Security, Security

LastPass, Keeper top the field in test of 10 password managers.

[Image: best password managers. Credit: Thinkstock]

In 2013, we reviewed six password managers, some suitable for enterprises and some primarily for consumers. The field has exploded and today there are more than two dozen products on the market. Even the popular TV show “Shark Tank” recently evaluated a password manager startup.

But this level of activity doesn’t necessarily indicate quality. We found that some of the products we reviewed two years ago haven’t improved as much as they could have. And some of the newer products are still a work in progress.

Password managers are an important first step for organizations that want to strengthen their security by helping users cope with multiple logins. While browsers have gotten more intelligent about storing passwords and synchronizing them across different platforms, you might want more control over the way your users manage passwords, which is where these tools come into play. Password managers are often seen as a less expensive and easier-to-implement solution than single sign-on products, which we’ve also reviewed.

In this review, we looked at 10 tools: Dashlane for Business, Keeper Security Enterprise, LastPass Enterprise (now part of LogMeIn), Lieberman Enterprise Random Password Manager, LogMeOnce Enterprise Edition, Manage Engine Password Manager Pro, AgileBits 1Password for Teams, StickyPassword, SplashID TeamsID, and SingleID. (Manage Engine is now owned by Zoho, which has a separate SaaS-based password product called Vault. We didn’t test it because it’s more consumer-oriented.)


In the two years since our last test, most of the products have made at least some strides in strengthening their features and sharpened their focus on the enterprise, although some (like Dashlane and TeamsID) are still just a small step up from a consumer product.

Others, such as LastPass and Manage Engine, have improved to the point that they could be close to offering what a single sign-on tool has, without the additional administrative hassles.

The basics for these products haven’t changed: all (except SingleID) create some kind of master “vault” that stores your login information and is protected with a special password. The tools automate your logins to various online and local servers, and manage the strength and diversity of your password collection.

Features chart

Product | Annual Price (per user) | Versions | Mobile Apps | Features
--- | --- | --- | --- | ---
Dashlane for Business | $40 | Windows, Mac, Browsers, SaaS | iOS, Android | Enterprise management, multifactor authentication
Keeper Security Enterprise | $48 + $750/year/installation | Browsers, SaaS | iOS >8.0, Android, BlackBerry, Kindle, Nook, Windows Phone | Enterprise management, multifactor authentication, Active Directory support
Lastpass Enterprise | $24 | Windows, Mac, Linux, Browsers, SaaS | iOS, Android, BlackBerry, Windows Phone | Enterprise management, multifactor authentication, Active Directory support
Lieberman Enterprise | $25,000 (one time) | Windows, SaaS (2) | None | Enterprise management, multifactor authentication, Active Directory support
LogmeOnce Enterprise Edition | $65 | Browsers | iOS >8.0, Android | Enterprise management, multifactor authentication, Active Directory support
Manage Engine Password Manager Pro | Starting at $1,238 (one-time) | Windows, Linux | iOS, Android | Enterprise management, multifactor authentication, Active Directory support
AgileBits 1Password for Teams | $60 | Windows, Mac, Browsers | iOS, Android | Limited enterprise management
SingleID | Free | None | iOS, Android, Windows Phone | Multifactor authentication support
Sticky Password Premium | $20 | Windows, Mac, Browsers, SaaS | iOS, Android, BlackBerry, Kindle | Multifactor authentication support
TeamsID | $36 | SaaS | None | Limited enterprise management

Winners and Losers

The two strongest products in terms of protecting individual user logins are LastPass and Keeper. Always a strong product, LastPass has gotten stronger in the past two years and has the largest collection of enterprise security policies.

While Keeper supports a larger collection of mobile devices, LastPass isn’t far behind. Keeper has a more elegant login method for mobiles, which could be a consideration. Keeper will cost at least twice as much as LastPass, however.

If you want a password management tool mainly for your IT team that has to administer many servers, then consider either Lieberman or Manage Engine. While Lieberman’s tool has long been around for this purpose, its interface is showing its age and Manage Engine can be a cheaper and just as functional alternative.

We included SingleID in this review because it is trying to do something quite innovative: part password manager, part identity manager. Basically, you use its smartphone app to encode your identity in a single, six-digit passcode to build your own secure identity infrastructure.

The other tools are more for individual consumers or lag behind in terms of features.

Pricing on these products is all over the map: some charge an annual per-user subscription fee that is generally less than $50, others charge a one-time license fee that can be a few thousand dollars (Manage Engine) to multiple thousands of dollars (Lieberman), and one is completely free (SingleID).

Score card

Product | Client breadth | Mobile ease of use and support | Enterprise management depth | Total
--- | --- | --- | --- | ---
Dashlane for Business | 4 | 4 | 2 | 3.3
Keeper Security Enterprise | 5 | 5 | 3 | 4.3
Lastpass Enterprise | 5 | 3 | 5 | 4.3
Lieberman Enterprise | 3 | 0 | 5 | 2.7
LogmeOnce Enterprise | 3 | 4 | 3 | 3.3
Manage Engine Password Manager Pro | 3 | 2 | 5 | 3.3
AgileBits 1Password for Teams | 3 | 2 | 2 | 2.3

Individual reviews

Dashlane for Business

Consumer-focused Dashlane recently entered the enterprise market with its Business product, which is still a work in progress. Dashlane for Business adds a thin veneer of additional enterprise and team management software that is available via a browser window.

The Business version lacks an Active Directory agent, although they are working on it for next year. Instead, you have to export a list of Active Directory users and import it into their product.

The current version only works on iOS v8 and above, although it will install an earlier version for older operating systems. That is a nice touch, and we wish other vendors would follow their lead here, rather than locking out older smartphone models entirely. Another nice touch is that you can quickly import your entire password vault from several competitors’ products, including 1Password, Keeper and LastPass. That’s good if you want to migrate away from those tools.

One unique aspect of the product is a web-based email inbox scanner, which anyone can access even if you aren’t a current customer. Once you grant the scanner temporary access to your inbox, it produces a report showing how many account passwords are present in your inbox. The theory is that if they can find them, so can a hacker who gets into your account. In my account, there were hundreds of passwords, and it also spotted my favorite reused password with ease.

It has simple two-factor support: you have just a single option, to enable this for new devices when you add them or for all logins; there is no step-up authentication for individual apps. It just supports Google Authenticator now and there are plans to add Yubico’s MFA key and other tools in January. You can also make use of the fingerprint readers for the mobile phone versions as an additional factor.

Dashlane comes with a separate management dashboard web page that shows you summary statistics, such as the number of users and passwords that it is storing and their overall strength. The information is available for your entire enterprise too. This is just for display purposes: other products have more actionable dashboards.

Dashlane has a SaaS version, which is very stripped down and used only to log in to existing sites. You can’t make any changes or add new sites: you have to do that in either the desktop or mobile versions.

Dashlane doesn’t support 64-bit IE versions; you’ll need to launch the 32-bit version. We had trouble getting IE v8 set up and suggest that if you are still using that ancient version, this isn’t the product for your enterprise. Overall, Dashlane has some solid features for individual use, but Keeper and LastPass have moved ahead of it in the past few years for the enterprise.

Dashlane for Business comes with a free onboarding session, whereby a consultant helps you get started, imports your users, and makes sure that the product is set up properly. This is included in its price, which makes it a good value.

Dashlane has a free version that has limited features. Both the consumer and business versions cost $40 per year per user, with large discounts for quantity purchases.

Keeper Security Enterprise

Keeper comes in browser extensions that really don’t do much more than bring up the SaaS-based version of the product. There are many different mobile versions (more than most of its competitors) including BlackBerry, Kindle, Nook, and Windows Phone, plus iOS and Android. Perhaps this is why Keeper is pre-installed on numerous smartphones by both Orange and AT&T. Note that for iOS you’ll need at least v8. Keeper comes a close second to LastPass in terms of overall benefit.

The mobile versions bring up a protected browser session, with your username and password information shown across the top. When you get to the point where you want to log in, you tap on each credential and it is placed in the appropriate spot in the app. That is a very neat and clean way to do logins, and better than any other product we looked at. If your users need something to support logins from their phones, this should be the first product you look at.

Their security scorecard for each user is somewhat basic, but nice to have.

Keeper supports a variety of second authentication factors, including RSA SecurID, SMS, voice calls and Google Authenticator. You can only have one method active for your account at any time, and there is no step-up authentication for individual apps.

Keeper uses a separate Web-based portal for its enterprise specific features, such as the ability to enforce a second authentication factor, password complexity requirements, a list of users and their supported mobile devices, and the Active Directory agent.

Like the other tools, it has a complex password generator. You just click the button next to the password field and it fills in with some random sequence. Unlike LastPass and some of the other tools, you don’t have any options for its format, other than the enterprise-level complexity parameters.

Keeper itself has no access to any vault data: the vault is stored encrypted in the cloud, and the key that encrypts and decrypts it resides only with the user, so encryption and decryption happen on the user’s device.

The base plan for Keeper Enterprise is an annual $750 fee plus $48 per user per year. There is also a personal version that starts at $10 per user per year for a single device.

LastPass Enterprise

LastPass continues to have one of the largest collections of supported clients, spanning mobile (including Blackberry and Windows Phone), Web and desktop versions. Their enterprise management has been significantly improved, adding some solid features.

LastPass has had a busy year. First, there was a well-publicized security breach and then at a session at BlackHat Europe, two researchers were able to compromise an account via a series of exploits. In November, the company was acquired by LogMeIn. Despite these issues, they still have a solid solution.

The product has always been designed for the enterprise and there are now several ways to provision users: via a bulk series of emails, synchronization with its Active Directory agent, writing custom code with its documented API, integration with the standard Windows Login process, and via SAML connections.

SAML is supported for a variety of third-party apps and also includes the ability to provision and de-provision users on Google Apps, Box, Amazon Web Services, WordPress, and some others. De-provisioning is important: this means as you delete users from your enterprise accounts (such as from Active Directory), they automatically are deleted from your LastPass records and from the corresponding service provider. Many of LastPass’ competitors have ways to synchronize with Active Directory but not take this additional step. LastPass also works with authentication systems such as SecureAuth or RSA SecurID. All of this is impressive, and certainly more useful than any other password utility we tested.

Like other tools, these features are managed via a series of web menus. But unlike the others, LastPass’ are somewhat difficult to initially navigate. This reflects how the product has grown in the past several years. Configuration screens are spread across four menu trees: one for more than 50 security policy setup options, one for user management, one for various reports and one for managing SAML connections.

Speaking of those security policies, this is a very extensive collection, the largest of any of the 10 products we examined. You can specify password lengths, prevent mobile logins, control logoff behavior, prevent the tool from being used on TOR exit nodes, and restrict to particular IP address ranges. There are lots more choices and they can be applied across all of your users or selectively to specific groups. We tried to get a screenshot showing many of them but the list was too long. Instead, we’ll offer a link to some solid suggestions about how to strengthen your password management techniques in a blog post they wrote in November in response to the BlackHat exploit.

LastPass also has the largest collection of multifactor methods, with more than a dozen vendors and methods supported. You can turn on as many of these as you desire, unlike some of its competitors that only allow a single method per user.

There are also several ways to install its Mac and Windows desktop software, which reflects its enterprise heritage: via an executable, via a “silent mode” with a command line interface, or via a Windows group policy object using an MSI file.

The LastPass vault is stored in the cloud, where each component can access the information. Browser-based products connect to the cloud directly, while the desktop and mobile versions keep local copies that they synchronize automatically.

LastPass has an amusing and somewhat annoying way to remind you to update your password portfolio: when it detects more than three similar passwords, it sends a periodic email with the subject line “Improve your passwords sucker!” trying to shame you into changing the similar and simpler ones. One of its tools, available from the browser extension menu, is called “security challenge”; it scans your vault and shows you how poor your password choices are. Whether this will motivate your users isn’t known, but at least it is a nice attempt.

It also has the ability with one click to change multiple passwords in your vault, like some of its competitors.

One issue for LastPass on mobile is that you must first bring up its app and paste the password into your browser session; it doesn’t transfer this information automatically.

LastPass costs $24 per user per year, with volume discounts starting at 100 users.

Lieberman Enterprise Random Password Manager

We reviewed the Enterprise Random Password Manager (ERPM) product two years ago and it is still the gold standard for setting up massive password collections to protect large local server infrastructures, although Manage Engine has a somewhat nicer interface. ERPM’s menus and basic command structure haven’t changed much in the past two years.

ERPM comes with a Windows app that connects to its database and has both its own user interface and a Web-based one. Administrators mostly use the former, and ordinary end users the latter, because the Web UI doesn’t have the full complement of controls that the native Windows app does; a user can, for example, recover their password from the Web UI. Passwords are stored in a local database on the server.

It has the ability to discover SSH keys and manage them, both the public and private keys, and authorize users for these keys. Indeed, the goal of the product is to make your logins so effortless that you won’t ever need to remember your passwords.

You can schedule how often the passwords change, and have this happen automatically, again, so your users don’t have to bother with this chore. It has more powerful scheduling features that can update your entire password collection, or be used to create reports, or automate other activities.

It performs the logins via its own Remote Desktop connection from its server, what Lieberman calls a jump server. It does this via a series of several dozen Visual Basic scripting apps, which come as part of the product and which you can customize for your own circumstances.

It also records each of your sessions and can play them back, so you can view what is going on with your users and see if something is amiss.

ERPM works with a number of trouble ticketing systems, including Jira, CA Service Desk, and others. It supports a number of OATH two-factor authentication tokens. There are extensive reports that can be customized in the Windows interface.

Lieberman’s biggest drawback is its price tag: a $25,000 one-time fee. However, if you are running a large installation of servers in your data center, this is probably one product that you will need to deploy.

LogmeOnce Enterprise Edition

The newest product on the password management scene is LogMeOnce (not affiliated with LogMeIn). It uses a browser extension (and a mobile app) and is still a work in progress, which is to be expected since the product was released in November.

Once the browser extension is installed, you go to their website where you see a dashboard with various controls across the top. Here is where you add logins, strengthen your security, and control the tool’s overall behavior. They have several nice features:

First is an app catalog, similar to many of the SSO tools, listing several thousand apps. You can choose login/password combination or make use of SAML to authenticate yourself. The built-in app for American Airlines didn’t initially work but was fixed after we mentioned the issue.

Next is support for several multifactor authentication methods, including sending an SMS text, voice or email message, and Google Authenticator. You can turn on multiple methods and select the most convenient one when you log in to your vault. Setting these up is very simple: to enable SMS, for example, you send a code to your phone and enter it in the appropriate dialog box on screen. While impressive for its ease of use (this product was the easiest of the 10 to set up for MFA), these MFA tools only secure the initial access to the tool: like the other products, there is no way to step up authentication for specific apps.

It comes with a complex password generator that you just invoke by clicking in the password field from your browser. But there is also a separate generator that is available for non-customers via its own web page, should you feel that you are missing out on this action.

Its overall security scorecard has a series of reports, including login activity with date, time and IP address, along with which sites you’re logged into and their password strength indicators. LogMeOnce can also save notes in its password vault.

There is also an add-in that will encrypt your entire Dropbox collection; this is included in the Enterprise edition.

They are one of the few password vaults where you can choose the location of your vault, depending on your paranoia level: on a USB thumb drive, locally on your desktop, or in their cloud. You can change it at will with a simple click of the mouse. The other tools are less flexible in this regard.

They also support OpenID and SAML in the Enterprise edition, along with connections to a variety of enterprise directory providers such as Oracle and CA.

There are several versions, ranging from the free consumer and Business editions to the more capable Enterprise edition. Pricing is based on particular features: You start with the basic set for $2 per month per user and add items such as directory integration or risk-based authentication (both are another dollar per month per user each), user provisioning ($2 per month per user), with a discount of $5.40 per month per user if you purchase all the options. The mobile apps are free, regardless of which plan you choose.

Manage Engine Password Manager Pro

Manage Engine’s Password Manager Pro (PMP) is similar to the Lieberman product and designed for enterprise teams that want to manage a large and mostly local server collection. The product takes the form of a server running on either Windows or Linux. Either server uses a Web interface; there are also mobile apps and browser extensions to automate logins that are used by individual users.

Once you install the software and set up some basic parameters, PMP stores encrypted copies of passwords in its password vault in a local SQL server, which it calls its resources. It has a long list of different kinds of information that it can contain, ranging from Windows and Linux application servers to fairly esoteric things such as AS/400 minicomputers and Juniper firewalls. One drawback was that it wasn’t as capable with web-based logins: it couldn’t automate the login on our American Airlines site, which has three data fields. That is a pretty basic issue in an otherwise capable product. You download the browser extensions and set up your mobile apps from the main console.

You will need to ensure that your users can access the PMP server across your enterprise network by having its default port 7272 open: administrative users connect via their browsers to run the configuration screens. Normal users can make do with browser extensions to access their pre-configured resources.

PMP supports several user access roles including super admin, admin, and regular password users. You can enable two-factor authentication and mobile access for specific users or groups. Users can be regularly imported from an Active Directory store just by furnishing the Active Directory credentials and setting up a synchronization service in PMP; there is no need for additional agent software. Each resource can be set up to be viewed, modified, or managed according to specific access rights policies.

There is also a unique series of advanced administrative policies where you can set up a resource to require a “double authentication” by two network administrators. All these policies have the effect whereby a user doesn’t have to know their password to access a resource, yet the login can be protected with a very strong password. You can also set up specific circumstances where users can have access to a resource for a limited time, such as a few minutes, to complete a certain task. For highly sensitive servers, this can be very useful.

PMP has a feature similar to ERPM’s: it can record every session that involves making use of a login. It does this by opening a Remote Desktop or SSH connection inside the browser, connecting from its own server to the network resource. These recordings can then be played back so you can see exactly what each user was doing. You can also “shadow” an active login session and terminate it if something is amiss. PMP also comes with a wide collection of audit and compliance reports.

PMP also supports SSO, and has built-in tools to enable high availability and failovers for its SQL servers.

Finally, it offers on-demand password resets across the board and can schedule regular password changes.

Pricing is very transparent and available in any of six configurations: standard, premium or enterprise, each as either a monthly subscription or a perpetual license. The lowest perpetual license is a two-administrator package for $1,238 with an annual maintenance fee of $248 for the standard edition. The enterprise edition supports 10 administrators and will cost $7,488, plus $1,498 for the annual maintenance. These licenses include unlimited numbers of resources and users.

Agilebits 1Password for Teams

1Password comes as paid Windows or Mac desktop versions with free iOS and Android mobile versions. There are also browser extensions. 1Password has a large collection of items that it can store in its vault besides passwords, including file attachments and free-form text notes. But since we reviewed them two years ago the product has somewhat stagnated, although in November they came out with a beta version called Teams for enterprises. The Teams version was still a work in progress, with an admin console that was far from complete. Still, it represents a good direction for the company.

On its desktop version, there are rough indicators of password strength: many of the other products have made this more useful and actionable. And one nice feature in Teams is an “emergency rescue kit” that contains information on how to recover your vault, should you lose your master password.

1Password has two major weaknesses: its mobile versions and how it synchronizes its vault. The mobile apps are very bare bones and bring up ordinary Safari browser sessions, but don’t always autofill the username and password credentials. Adding logins from the browser is clunky; it is far easier to do so when you are on your desktop and the software will capture the information with a single click. There is also no support for additional authentication factors, unlike most of its competitors.

1Password relies on a third-party synchronization service to keep its vaults communicating with the latest password information: you can make use of a local Wi-Fi connection (if all of your devices are on the same Wi-Fi network) using Apple’s Bonjour service. Probably you will use Dropbox to store your vault, which means you have to explicitly synchronize your devices. There is also a way to use iCloud, but only if you have all Apple devices. That is less elegant than some of the other products that have the synchronization built in. This was an issue when we reviewed them two years ago, and others such as LastPass, Keeper and LogMeOnce have made their synchronization much easier.

A desktop license of 1Password costs $49 with quantity discounts. The Teams version is free while it is under beta, and will most likely be priced at $5 per month per user.

SingleID

We included SingleID in this review because it is going in a very different and innovative direction from the rest of the password tools. Rather than build a vault to store your password collection, it approaches the problem from the mindset of not having the user deal with any passwords at all.

To accomplish this, they have two components for their tool. The first is a series of smartphone apps (including Windows Phone along with iOS and Android). Once you install the app, you set up your identity, either by typing the information directly into the app or by entering it on a web page and importing the details into the app via a QR code scan. You can include all sorts of things in this identity besides your name and address, including credit card numbers and other personal and business details. All of this identity information is tied to an eight-digit ID number in their database that is then displayed on your phone.

The second component of SingleID is a piece of open source PHP code that you place on your website. This turns the typical login dialog into a special form that asks for your SingleID login ID number. Once you type in the number (which looks like a one-time password but doesn’t ever change), SingleID then authenticates you back to your phone, and asks if you want to login to this particular site. There are code snippets for WordPress blogs and regular web servers to get you started in adding the SingleID protection to these sites.

It is a clever hack, and once you get it set up you avoid a lot of infrastructure to get a secure login. Think of the SingleID login ID number as your username for their service, so you don’t have to worry about keeping it a secret (like an OTP) because no one can do anything with this information. There is no trusted (or even untrusted) third party because all the communication is between your smartphone app and the server that you wish to access. This means that you also don’t have to worry about man-in-the-middle attacks, because there isn’t anything in the “middle.”

The advantage, apart from no longer having to manage multiple passwords, is that you retain complete control over your identity information. Nothing is stored in any cloud: your information is stored and encrypted on your smartphone. As the vendor says, “SingleID is a distributed platform and thus no database of sensitive personal data is being built up anywhere.”

Of course, the downside is that you have to instrument all the websites that you want to make use of the SingleID process, which won’t help you when you want to login to Dropbox or American Airlines or the hundreds of other commercial sites that you already have accounts on. But for internal applications, this could be a very useful and inexpensive solution, since it is completely free. The GitHub documentation is very clear, and it should take an average developer just an hour or so to review it and implement its code.

StickyPassword

Sticky comes with desktop and mobile apps and browser extensions. The mobile versions include Blackberry, Kindle Fire, and Nokia X phones, in addition to iOS (7.x and higher) and Android (2.3 and higher) phones. There is a limited SaaS control for certain administrative features, but this is because it doesn’t really have any enterprise management features. Each user has to manage their own account, using the SaaS app.

It has limited browser support: there is no Safari Windows extension and on Macs just Safari and Chrome browsers are supported.

It also has limited second-factor authentication: if you change the SaaS settings, it will send an OTP to your email address when you attempt to register a new device. Other tools have more granularity in their MFA feature.

Sticky’s complex password generator also lags behind its competitors’. The browser extension merely copies the complex password into the clipboard. If you want something more sophisticated, you will have to use the desktop version to incorporate it into the login process. We had problems logging into our Southwest Airlines account using their mobile app.

One nice feature is that Sticky presents you with two browser options on their mobile app: using the phone’s native browser or its own protected version.

Sticky has a free version that doesn’t have password synchronization across all its platforms: to have that feature, you will have to pay for the Premium version. The one-year subscription is available for $19.99, and the lifetime license is available for $99.99.  

TeamsID

TeamsID is a very simple password manager that is designed for enterprises. You set up groups of users within your organization that share the same password collections. It is currently available as a pure SaaS app; other versions are in the works for mobile and desktop apps and browser extensions.

By simple we mean that there are none of the other features that most of its competitors offer: there is no support for multifactor authentication and no Active Directory connector. TeamsID stores its vault in the cloud, as you might suspect.

When you save your login information, you are also prompted to save additional information, such as an attached file, tags, or other notes about the login to the record. The software tries to find an appropriate logo for each record, but it was somewhat inconsistent when we tested it. Records can be for individual logins or for groups. You can choose from a number of blank templates to fill in, such as for a bank or an airline frequent flyer account.

Records are shown in alphabetical order on the main dashboard, and the password details are shown in plain text, which made us somewhat nervous: most of its competitors hide this information, at least by default. Finally, one large issue is that these records are for reference only. There is no automation of the login; you will have to copy and paste the URL, login and password from each individual field.

TeamsID has begun to build a solid product, but it is vastly incomplete, especially when compared to some of the more established tools.

TeamsID has a 30-day free trial and an annual contract of $36 per user.

Strom is the founding editor-in-chief of Network Computing magazine and has written thousands of magazine articles and two books on various IT and networking topics. His blog can be found at strominator.com and you can follow him on Twitter @dstrom. He lives in St. Louis.

How we tested password managers

We installed each product on Windows 7 and 10 desktops as a starting point. We also used Android and iOS phones and Mac desktops (if a client was available for these systems). We then set up logins to various Web-based services such as Dropbox, Gmail, different airline accounts and a WordPress blog site to test these logins. We connected to the various websites with at least Firefox and Chrome browsers to try out the associated plug-ins. We looked to see whether our password data was synchronized across to the various clients. We examined any enterprise management-related features if they were available. Finally, we took notes on the relative differences in the clients across different operating systems both in terms of functionality and user interface.