Problem solve Get help with specific problems with your technologies, process and projects.

Is KeePass safe? Free password protection programs and enterprise IAM

The lure of free password protection programs such as KeePass can be strong, but are they really up to enterprise security standards? In this response, IAM expert Randall Gamby explains why the best password protection software might not be the cheapest.

In your opinion, does open source password protection software like KeePass live up to the demands of an enterprise...

network as well as vendor products?

I have to start this response with the old adage: You get what you pay for. While in the past, mature, open source IAM-related programs like Kerberos LDAP and others generally were comparable to commercial products when it came to features and functions, the problem with open source products, like KeePass, is they provide no liability. This is stated directly in the KeePass license agreement:

"…because the program is licensed free of charge, there is no warranty for the program, to the extent permitted by applicable law. … The entire risk as to the quality and performance of the program is with you. Should the program prove defective, you assume the cost of all necessary servicing, repair or correction."

Since you mentioned the demands of an enterprise network, I'm assuming you're looking at an enterprise deployment, in which case the liabilities the enterprise would assume probably don't justify the license savings. (A general rule of thumb is that license costs are approximately 30% of the overall lifecycle cost of a software product; the remaining costs being hardware, training, support, process reengineering and application/infrastructure integration.) KeePass would function as a software vault for storing multiple enterprise passwords: the keys to the company. So, while KeePass might be a good solution for an SMB, the risk of no support and the reliance on a volunteer development community -- especially if a vulnerability is discovered -- seem to outweigh the cost savings of using this freeware product.

Also, if managing multiple passwords is an issue within your organization, I'd recommend looking at a commercial single sign-on (SSO) product before I'd look at a commercial password vault. A password vault may help users keep track of multiple passwords more easily, but an SSO implementation would likely eliminate the need for multiple passwords for various applications and improve overall organizational security. In other words, it's a win-win.

This was last published in December 2009

Dig Deeper on Password management and policy

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.