Ask the Expert

Is KeePass safe? Free password protection programs and enterprise IAM

In your opinion, does open source password protection software like KeePass live up to the demands of an enterprise network as well as vendor products?

    Requires Free Membership to View

I have to start this response with the old adage: You get what you pay for. While in the past, mature, open source IAM-related programs like Kerberos LDAP and others generally were comparable to commercial products when it came to features and functions, the problem with open source products, like KeePass, is they provide no liability. This is stated directly in the KeePass license agreement:

    "…because the program is licensed free of charge, there is no warranty for the program, to the extent permitted by applicable law. … The entire risk as to the quality and performance of the program is with you. Should the program prove defective, you assume the cost of all necessary servicing, repair or correction."

Since you mentioned the demands of an enterprise network, I'm assuming you're looking at an enterprise deployment, in which case the liabilities the enterprise would assume probably don't justify the license savings. (A general rule of thumb is that license costs are approximately 30% of the overall lifecycle cost of a software product; the remaining costs being hardware, training, support, process reengineering and application/infrastructure integration.) KeePass would function as a software vault for storing multiple enterprise passwords: the keys to the company. So, while KeePass might be a good solution for an SMB, the risk of no support and the reliance on a volunteer development community -- especially if a vulnerability is discovered -- seem to outweigh the cost savings of using this freeware product.

Also, if managing multiple passwords is an issue within your organization, I'd recommend looking at a commercial single sign-on (SSO) product before I'd look at a commercial password vault. A password vault may help users keep track of multiple passwords more easily, but an SSO implementation would likely eliminate the need for multiple passwords for various applications and improve overall organizational security. In other words, it's a win-win.

For more information:

This was first published in December 2009

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: