I have to start this response with the old adage: You get what you pay for. While in the past, mature, open source IAM-related programs like Kerberos LDAP and others generally were comparable to commercial products when it came to features and functions, the problem with open source products, like KeePass, is they provide no liability. This is stated directly in the KeePass license agreement:
- "…because the program is licensed free of charge, there is no warranty for the program, to the extent permitted by applicable law. … The entire risk as to the quality and performance of the program is with you. Should the program prove defective, you assume the cost of all necessary servicing, repair or correction."
Since you mentioned the demands of an enterprise network, I'm assuming you're looking at an enterprise deployment, in which case the liabilities the enterprise would assume probably don't justify the license savings. (A general rule of thumb is that license costs are approximately 30% of the overall lifecycle cost of a software product; the remaining costs being hardware, training, support, process reengineering and application/infrastructure integration.) KeePass would function as a software vault for storing multiple enterprise passwords: the keys to the company. So, while KeePass might be a good solution for an SMB, the risk of no support and the reliance on a volunteer development community -- especially if a vulnerability is discovered -- seem to outweigh the cost savings of using this freeware product.
Also, if managing multiple passwords is an issue within your organization, I'd recommend looking at a commercial single sign-on (SSO) product before I'd look at a commercial password vault. A password vault may help users keep track of multiple passwords more easily, but an SSO implementation would likely eliminate the need for multiple passwords for various applications and improve overall organizational security. In other words, it's a win-win.
For more information:
- Is there a free, enterprise-caliber password management tool? Read more.
- Learn how to encrypt passwords using network security certificates.
This was first published in December 2009