I have to say, I'm not a big fan of password security vaults. I understand the need for an easy way to help your users create and maintain their authentication information for many systems, but these tools are really just a Band-Aid for bad processes and non-integrated systems with local authentication. Password vaults are used to ease the burden of strict password policies that require passwords that are so complex users can't remember them or have to write them down. The vaults are also used to fix the problem of too many passwords due to business applications each storing their own credentials.
Before implementing a password vault, I suggest reviewing your organizational policies. If they're too cumbersome due to short expiries or long password lengths, then they cause more of a security risk than easing up on the reins. If it's the latter case, namely of applications not being integrated, then I'd look for a single sign-on (SSO) product rather than a password vault. SSO allows the user to provide a single password to access multiple systems without having to do a lot of infrastructure changes.
In the grand scheme of identity management, SSO implementations are less risky and easier on users than maintaining a password vault and asking users to maintain multiple passwords . Also, there is not much of a cost difference between the two, as both require integration, maintenance and administration support. However, if you still want to pursue the password vault route, I think you've already found some of the better products out there for a small business, and I would probably look at lastpass, then Roboform, but would need more information to lock in a selection.
The questions that still needed to be answered are: To what end systems and operating systems are your users going? How many passwords are users storing? Who are the "certain people" you mentioned in your question? And what's your budget? Whatever you do, keep in mind that as you move toward a more integrated authentication infrastructure, password vaults are only a step along the way and shouldn't be considered a long-term solution.
For more information:
- Read more about whether KeePass is a safe choice for enterprise IAM.
- Learn about encrypting passwords with network security certificates
This was first published in January 2010