10 Password Managers For Business Use
Beyond helping end users keep track of their logins, some password managers can integrate with Active Directory and generate compliance reports.
Password manager software makes promises that many infosec officers would like to believe. Instead of the users who have one weak password for everything and the users who have offices wallpapered with passwords scribbled on sticky notes, all users would have strong, unique passwords for each account. (Those passwords would be securely stored, encrypted, within a password manager, and the user would only need to remember one master password to access it.)
Sounds nice, but most password managers were not built for CISOs; they were built for consumers. Most do not allow for sharing of passwords, so they won't stop users from emailing passwords for shared accounts back and forth.
Most don't enforce corporate password policies, or help with provisioning and de-provisioning of users, or integrate with Active Directory. Their help desks won't be up to responding to pressing business demands. They won't operate on all the client platforms you need. They won't generate the kinds of logs you need or comply with privacy regulations. And who knows what kind of key management they do?
But luckily, there are some password managers that can fit these business needs, including some enterprise versions of the leading consumer applications. Here's a selection of them.
Dashlane has a free version for individuals, which does not enable sharing, backup, or sync across devices. The Premium version, though, works on a wide variety of devices, handles more than just passwords, manages keys carefully, and has a lot of administrative tools that will make it appealing to business. Its flat pricing structure may turn away large enterprises.
Pricing: Dashlane Premium is $39.99 per user per year, whether you have one user or 1,000.
Interoperability: Works on any PC, Mac, iOS, or Android device. Unlimited syncing, so you can use as many devices as you want.
Sharing: Changed passwords are synced to all team members and their devices automatically. Dashlane also has an "emergency contacts" function, so you can give access to different resources in case of emergency. Users set different contacts, and different conditions for different passwords. A security dashboard shows weak and reused passwords.
Multi-factor: Compatible with Google Authenticator and with the fingerprint scanner on iOS devices
Keys: Dashlane uses "local-only encryption" (on device only, not in the cloud) with AES-256. It automatically backs up credentials (keys and digital wallet data) to an Amazon Web Services (AWS) cloud instance, but encrypts all that data locally before uploading it to the cloud. Dashlane never sees your master key. Some users may feel that Dashlane takes security too far, though... they don't provide password hints.
Other features: A password generator, which creates random, strong passwords. Dashlane also issues breach alerts, to advise when passwords for certain accounts should be changed. Priority support.
Beyond passwords: Dashlane is also a digital wallet that handles payment data.
Keeper Security's selling points are its mobile-first strategy, wide range of platforms it operates upon, and secure digital vault in which any files (not just credentials) can be stored.
The company has been around since 2008 when its founders sketched out an idea for the iPhone app during a flight to China, and has had a mobile-first strategy ever since, says Keeper CEO and co-founder Darren Guccione. It's since been chosen by Orange to be pre-loaded onto their Orange 70 Dive smartphone and by AT&T to be pre-loaded onto all the Android and Windows phones it sells in the U.S. This week, expanding the relationship with mobile operators and resellers, Keeper is announcing its new Channel Partner program, as well as its Enterprise 2.0 product.
Keeper is not only a password manager, but also a secure vault, which stores and encrypts -- and allows sharing of -- any kind of files, not just credentials. When operating within Keeper, new files that are created are encrypted and stored within it. Guccione proposes the example of a surgeon who needs to keep records during surgery -- the photos she takes with her phone while in the vault won't appear in the phone's Camera Roll. As Guccione puts it, "What happens in the vault, stays in the vault."
However, the secure file storage is an additional cost.
Pricing: $750 per year plus $48 per user per year. Secure file storage is another $18 per user per year. Keeper Enterprise is sold through VAR, Carrier, MSP, and OEM channels. Keeper provides volume-based discounts for enterprise customers based on number of users, in addition to Enterprise License Agreements (ELAs).
Interoperability: Keeper works with Android, iOS, Blackberry, Windows Phone, iPad, Surface, Kindle, Mac, Windows, and Linux, plus has browser extensions for IE, Chrome, Firefox, Safari, and Opera. Also integrates with a variety of Enterprise Mobile Management software platforms.
Sharing and management: Has central admin console where you can provision and de-provision employees, and integrates with Active Directory. Ownership of keys is transferrable, and they can be set to self-destruct.
Compliance and regulations: HITECH- and HIPAA-compliant. Certified with SOC-2, TRUSTe, McAfee Secure, US-EU Safe Harbor, PCI-DSS, and the U.S. Department of Commerce's Bureau of Industry and Security.
Multi-factor: Integrates with biometrics on iOS and other options
Keys: Local-only encryption/decryption. Vault resides in an Amazon AWS instance, but Keeper can also set up an on-premise system. Uses AES-256 encryption and perfect forward secrecy. Each file is encrypted with a separate key on each device on which it resides.
Other features: FastFill of forms, password generator.
Beyond passwords: Secure data vault
Stating on its website "You shouldn't have to be subjected to archaic 'enterprise' services that don't match how your company operates," CommonKey aims at smaller teams and is just for sharing access to Web services.
Pricing: As it describes, CommonKey has a "free plan for personal and small teams, paid plans for growing teams." It's free for teams of three; above that it is $2.00 per user per month, and adding an administrator costs $20 per month per company.
Interoperability: CommonKey is simply a Chrome extension, so it operates only on devices that run Chrome.
Sharing: User provisioning and de-provisioning. De-provisioning can be achieved pretty simply by removing a user from the list of employees with a couple clicks.
Keys: Decryption happens only on the local device.
Other features: password generator
LastPass did suffer a data breach in June -- which compromised customers' email addresses, password reminders, and authentication hashes, but not any actual passwords themselves -- but it still counts large companies like HootSuite and GoodData among its Enterprise customers. LastPass Enterprise is available in 17 languages, runs on most platforms, and has a pricing structure that gives discounted rates for larger numbers of users.
LastPass also brings a bit of gamification into the system, with its LastPass Security Audit, which not only helps find weak and duplicate passwords, but scores and ranks users' password postures.
Pricing: Prices start at $24 per user per year, for 1-100 users. For 101-1,000 users, it's $20 per user per year, 1,001-5,000+ users, $18 per user per year. Custom packages are also negotiable. A 14-day trial for 10 users is available.
Interoperability: LastPass runs on Windows, Mac, Linux, iOS, Android, Blackberry, Windows Phone, Microsoft Surface, Firefox OS, and versions for Chrome and Firefox that can be loaded onto USB keys. Can be synced to unlimited devices.
Sharing and Management: LastPass collects logs and generates compliance reports. It integrates with Active Directory and LDAP, and single sign-on for cloud apps with SAML. Customers can create unlimited shared folders with custom permissions, and administrators can also grant users the privilege to create shared folders.
Multi-factor: LastPass partners with a variety of multi-factor authentication and one-time password providers, including Toopher, Yubico, and Duo Security.
Keys: LastPass cannot see your passwords, and uses AES-256, PBKDF2, SHA-256, and salted hashes.
Other features: LastPass also issues breach alerts so you know when it's a good time to update passwords. LastPass Security Audit helps find weak and duplicate passwords and ranks users' password postures. Available in 17 languages.
Beyond passwords: LastPass is able to store additional data, attach documents and images, credit card data, IDs, etc., and keep secure back-ups of them.
Pleasant Password Server is the multi-user management tool for KeePass Password Safe, an open-source password manager.
In addition to being based on an open-source manager, the other main difference between Pleasant and other password management tools is that, through Pleasant's Password Proxy Module, passwords are never stored locally, the idea being that credentials stored on a client are harder to revoke/manage and more prone to being stolen or leaked.
Pricing: The pricing structure is a little complicated, but the good news is you only have to figure it out once, because it's a one-time fee, not an annual license. The cost is between $9.38 per user to $113.80 per user depending upon the number of users and the type of package you want (regular, enterprise, enterprise +, enterprise + with proxy).
Interoperability: Admins and clients can access via Windows desktops, in Web clients, or in Android and iOS apps
Sharing: In Pleasant, admins can share passwords and data and manage folders. Pleasant integrates with Active Directory and LDAP; within it, administrators can manage users and roles and grant temporary access. It creates reports about password age, strength, and expiration, and collects access logs as well.
Multi-factor: Integrates with Google Authenticator, Yubikey
Keys: In addition to the proxy module, Pleasant uses AES-256 encryption on the database, 128-bit SSL to communicate with the server, SHA-512 hashing, and passwords are encrypted in-memory. It also has a clipboard-clearing mechanism: it clears the clipboard shortly after a password is used.
Compliance: Compliant with FISMA, FIPS, HIPAA, PCI, and FOIP-Canada.
Other features: Password generator. Ability to search passwords and password history, as well as restore history. Available in 40 languages.
ManageEngine has VMWare, Walmart, EMC, and NASA on its Password Manager Pro customer list. It also has a version for Managed Service Providers, so they can manage multiple customers' passwords in one instance with data segregation.
The main drawback is that it's not a solution for your mobile devices. If you're just looking for a Web client that runs on desktop machines though, ManageEngine Password Manager Pro has some nifty forensic tools wrapped in, including one that lets you record video of privileged sessions.
Pricing: The price depends on the level (standard, premium, or enterprise), number of administrators (the number of users is unlimited), and whether you want one language or multi-language version. You can buy an annual subscription (with maintenance and support included) or a perpetual license with an annual maintenance/support fee. So the cost varies widely -- from $495 for a standard, single-language, 2-admin, annual subscription to $59,986 + $11,998/year for an enterprise, multi-language, 200-admin, perpetual license. As for MSP licenses, you'll have to ask for a quote.
Interoperability: The management tool only runs on Windows and Linux. The Web interface for clients runs on IE7 and above, Chrome, Firefox, and Safari on Windows, Linux, or Mac.
Sharing and management: ManageEngine integrates with Active Directory, LDAP, and federated ID management. It also integrates with SIEM and ticketing systems and generates compliance reports.
Multi-factor: Partners with PhoneFactor and PMP/RSA for one-time passwords
Keys: Passwords are kept in a centralized vault, and retrieved through a Web interface. Administrators can grant exclusive privileges, temporary access, conduct password inventory and set password expiration.
Beyond passwords: Video recording of privileged sessions (session shadowing)
If all you want is to manage passwords for cloud services, Meldium may get the job done. The tool manages passwords for 2,350 cloud services, including Amazon AWS, Google Drive, DropBox, Box, SalesForce, and WordPress.
Pricing: Basic (20 users) is $24 per month, Premium (100 users) is $79, Professional (250 users) is $169 per month, and custom pricing is available for Enterprise accounts. Enterprise accounts also have API access and custom integration.
Interoperability: Meldium is available as a native app on iOS and Android, and a browser extension on Chrome, Firefox, Opera, Internet Explorer, and Safari
Sharing: The Premium version and above come with account provisioning, to create and delete user accounts on web apps
Multi-factor: Integrates with Google Authenticator and LogMeIn ID
Keys: uses AES-256, and secure TLS
If you're a true mobile enterprise doing all your business from phones and tablets, then Zoho Vault might work for you, because it only works on Android and iOS.
Pricing: Free for personal use, Zoho Vault is $1 per user per month for Standard, $4 per user per month for Professional, $7 per user per month for Enterprise. It's pay as you go, so you can upgrade or downgrade whenever you want.
Interoperability: Android and iOS
Sharing and management: From Zoho Vault, administrators can create and manage user groups, transfer and acquire ownership of passwords, create reports on user activity and access, and restrict access by IP address. Plus, Zoho can import passwords from other password managers, including LastPass, KeePass and PassPack.
Keys: All decryption is done on the device, so Zoho cannot access keys.
Other features: Password generator
Beyond passwords: Other files can be attached to passwords, too.
Team Password Manager was built from the beginning to be for sharing, and you can give it a try by using the free version, which is for two users.
Pricing: Licenses are a one-time fee, plus a yearly support fee if you want to re-up. Licenses start at $99 for five users, and run up to $2,999 for unlimited users.
Interoperability: On the server side, Team Password Manager requires Apache 2 and MySQL 5. The client-side can run in Chrome, Firefox, Internet Explorer, Safari, and Opera
Sharing: Passwords are assigned to "projects," and any user with access to the project has access to the password/s within it.
Keys: Password and other login data (including email, username, and account) are encrypted with a unique key that's generated at install, then salted and encrypted (with AES-256) in the database.
Other features: Password generator
Beyond passwords: You can also upload other kinds of files and bind them to passwords and projects within Team Password Manager.
PassPack is an inexpensive browser extension for handling passwords for Web-based accounts.
It also has an added feature, called "disposable logins," which are similar to a one-time password, except that it's not just a password, but rather a password and "packing key." PassPack gives a pile of these to customers to use when they're connecting from untrusted devices, particularly while traveling. The number of disposable logins available to customers depends on the package, and goes as high as 300 with an Enterprise account.
Pricing: Be aware that the bigger versions may not provide you room for enough passwords -- While the Group version gives you 100 passwords per user, the Enterprise version gives you only 10. In addition to the free version, there's Pro (3 users) for $1.50 per month, Group (15 users) for $4 per month, Team (80 users) for $12 per month, and Enterprise (1,000 users) for $40 per month.
Interoperability: latest "stable" versions of Chrome, Firefox, Safari, Opera, and Internet Explorer 7 and later
Sharing: Passwords can be shared or sent securely.
Multi-factor: Integrates with Yubikey
Keys: "host-proof hosting," stored encrypted with AES-256
Other features: Disposable logins