
Analysis: Enterprise password management tools have room to improve

Explore the differences between consumer and enterprise password management products and learn pros and cons about the latest tools.

While we all have too many passwords to deal with, few of us have the proper tools for promoting better password hygiene in our day-to-day working lives. Despite the variety of consumer-oriented products available, finding an enterprise password management product or tool can be quite difficult.

In this tip, we'll briefly examine the landscape of password management offerings and highlight the benefits and drawbacks of today's tools in an enterprise context.

After evaluating a range of these products, I have concluded that they fall into two broad categories.

Figure: 1Password's security options. One of several password management tools available, 1Password has numerous security settings, including the ability to lock the vault automatically after a period of inactivity or when the screensaver comes on.

The first group, let's call them Type A, consists generally of consumer tools that create an encrypted vault in which users store their IDs and passwords. From there, users can generate new and more complex passwords and have them filled in automatically at login time from a Web browser. These products are typically an outgrowth of the traditional endpoint security products from Trend Micro Inc., Kaspersky Lab, Symantec Corp.'s Norton division and others. For most of them, IT managers have no mechanism to manage the tool or to determine whether users are actually storing anything in their vaults. A few of these vendors offer enterprise options, including LastPass Enterprise, SplashID and RoboForm Enterprise.

Most Type A tools offer three important capabilities: generating a random, complex password that meets a given specification (length and required character classes), synchronizing the password vault through the cloud, and supporting a variety of Web browser plug-ins so that logging in to Software-as-a-Service applications works smoothly. Some also have versions that run on a variety of mobile devices and operating systems.
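The password-generation capability described above is easy to get subtly wrong (a weak random source, or a "put one of each class first, then shuffle" approach that skews the distribution). The following is an added example, not code from the article or from any of the products it reviews, showing how a policy-conforming generator can be built on a cryptographically secure random source with rejection sampling. The PasswordPolicy fields and the symbol set are assumptions chosen for illustration; real products expose their own settings.

```python
import math
import secrets
import string
from dataclasses import dataclass
from typing import Optional


# Assumed policy shape for illustration; real tools expose their own settings.
@dataclass(frozen=True)
class PasswordPolicy:
    length: int = 20
    min_lower: int = 1
    min_upper: int = 1
    min_digits: int = 1
    min_symbols: int = 1
    symbols: str = "!@#$%^&*()-_=+[]{};:,.?"

    @property
    def alphabet(self) -> str:
        return string.ascii_lowercase + string.ascii_uppercase + string.digits + self.symbols


def meets_policy(password: str, policy: PasswordPolicy) -> bool:
    """Return True if the candidate satisfies length, alphabet and class minimums."""
    if len(password) != policy.length:
        return False
    if any(c not in policy.alphabet for c in password):
        return False
    lower = sum(c in string.ascii_lowercase for c in password)
    upper = sum(c in string.ascii_uppercase for c in password)
    digits = sum(c in string.digits for c in password)
    symbols = sum(c in policy.symbols for c in password)
    return (lower >= policy.min_lower and upper >= policy.min_upper
            and digits >= policy.min_digits and symbols >= policy.min_symbols)


def generate_password(policy: Optional[PasswordPolicy] = None) -> str:
    """Draw uniformly from the alphabet with a CSPRNG until a draw satisfies the policy.

    Rejection sampling keeps every accepted password equally likely among the
    policy-conforming strings. secrets.choice avoids the modulo bias of
    random.randint-style code and is seeded from the OS entropy source.
    """
    policy = policy or PasswordPolicy()
    required = policy.min_lower + policy.min_upper + policy.min_digits + policy.min_symbols
    if required > policy.length:
        raise ValueError("policy minimums exceed password length")
    if policy.min_symbols > 0 and not policy.symbols:
        raise ValueError("policy requires symbols but defines none")
    while True:
        candidate = "".join(secrets.choice(policy.alphabet) for _ in range(policy.length))
        if meets_policy(candidate, policy):
            return candidate


def entropy_bits(policy: PasswordPolicy) -> float:
    """Upper bound on entropy: length * log2(alphabet size).

    Rejecting candidates that miss a class shrinks the space slightly, so the
    true figure is a little lower; for a 20-character mixed password the
    difference is negligible.
    """
    return policy.length * math.log2(len(policy.alphabet))


if __name__ == "__main__":
    policy = PasswordPolicy()
    pw = generate_password(policy)
    print(pw, meets_policy(pw, policy), round(entropy_bits(policy), 1))
```

The entropy figure is what to compare against a policy's intent: a 20-character draw from letters and digits alone is already about 119 bits, far beyond what any online or offline guessing attack can cover, so the character-class minimums exist mainly to satisfy a target system's complexity rules, not to add strength.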

Figure: Kaspersky Pure's additional security tools. Besides its Password Manager module, Kaspersky Pure includes tools such as secure history erasure and a file shredder.

The synchronization feature is a significant one. Given the state of mobility today, users need to be able to log in from office desktops, home PCs and smartphones, and a single product that delivers the correct password to each of those devices is vital. Of course, this means trusting the synchronization service to keep the login data encrypted and secure. Some vendors, such as Trend Micro and LastPass, run their own cloud service, while others, such as 1Password, rely on third-party storage (in this case Dropbox or iCloud) to move the vault between devices. In the latter model the third party only ever holds the encrypted vault file, so the strength of the master password and of the key derivation scheme determine what an attacker who obtains that file can do with it. As the market stands now, RoboForm has the widest mobile OS support.

Figure: RoboForm's configuration screen, showing its security options among the other menus.

The pricing for Type A products varies dramatically: Trend Micro charges $15 per user per year, while RoboForm goes for a one-time fee of $5,000, but includes licenses for 50 users. The others fall in between.

The second category, Type B, is geared toward local resources such as corporate servers, databases and the like. These logins are typically shared among a group of network administrators, which means they are rarely changed, leave no record of which individual used them and tend to spread into scripts and documents, all of which makes them much easier for an attacker to exploit. Two of the tools I evaluated -- Lieberman's Enterprise Random Password Manager (ERPM) and Secret Server from Thycotic Software Ltd. -- aim to fortify privileged accounts and shared administrative access to critical local Windows and Linux servers.

Figure: Lieberman ERPM's main dashboard, a Windows application, and the variety of server platforms it supports.

These products discover privileged accounts, replace their passwords with strong random ones, store the new passwords encrypted in a vault and rotate them as often as your policies dictate. Lieberman also integrates with a variety of systems management and security monitoring tools, such as Microsoft System Center, HP Operations Center and ArcSight. Lieberman's entry-level price tag is a steep $25,000, but that includes unlimited users and accounts. Secret Server starts with a one-time payment of $2,500 plus $69 per user per year and an additional $550 annually in support fees.

Figure: Lieberman ERPM's password complexity settings.

One major problem users are likely to encounter is that the latest versions of Web browsers detect login forms and save the credentials entered into them. This makes improving password hygiene harder: the third-party password manager must first disable the browser's built-in password saving and then remove the passwords already stored in the browser's profile, or users end up with two copies of every credential, one of them outside the managed vault.

Figure: The browsers supported by Kaspersky's password management tool, a wide collection, some of which you might never have heard of.

It should be noted that there is some loss of convenience when using mobile apps. For example, some apps, such as LastPass, require an extra cut-and-paste step to copy the password from the vault to the target app's login screen -- but isn't the added security worth it?

Figure: The main policy management screen of the LastPass Enterprise administration console, showing its granularity.

Here are a few final considerations and recommendations for those in search of an enterprise-caliber password management system:

  • Look more closely at LastPass. The standalone version is free for individual desktop use or you can upgrade to the enterprise version, expand it to your mobile devices and add the management console at a price tag of $24 per user, per year.
  • Understand what each tool can store in its vault. Some products, such as RoboForm and LastPass, let you keep other sensitive data encrypted alongside your passwords. They are a poor substitute for whole-disk encryption, but they do protect whatever you put in the vault. (1Password can store the largest collection of item types, including credit card numbers, text notes and software license information.)
  • Does the product support your particular browser portfolio? Some products support older browsers or oddball ones -- make sure yours is included. (Kaspersky has the widest browser support.)
  • Can they protect you from human errors? Some of the products have features that secure passwords further, such as automatically closing their vault after a certain amount of idle time, turning off auto-fill options on your browser or warning you of other dangerous security practices.
  • Consider single sign-on (SSO) tools as an alternative. This is a better-established market with a dozen different tools of its own that can strengthen your password collection and make it easier for users to keep track of business-oriented Web services. For more information, check out SearchSecurity's review of two SSO security products. I also recommend looking at my favorite SSO tool, Okta.

About the author:
David Strom is a freelance writer and former editor in chief of several information technology publications. He has written for many TechTarget properties since 2000. His blog can be found at strominator.com and he is @dstrom on Twitter.

Editor’s note: The contributor does not have a paid relationship with any of the vendors mentioned in this article.

This was last published in October 2013
