Enterprise password managers

The weakest link in your network's security is the human component

Passwordstate


Produced by Australian developer Clickstudios, Passwordstate aims to be the definitive enterprise password manager. Built around role-based access, Passwordstate breaks down managed passwords into lists that can be organised via department or function. The interface itself is web-based, and so will work anywhere a browser is present, and is much the same between users and administrators, with administrators having access to more features and options.

Considering its web-based focus, Passwordstate provides a clean, simple design. On the left, password lists can be defined, along with folders to group lists, and on the right is the content of those lists. Here the interface is broken down into two key areas: password entries and recent activity. The former provides an at-a-glance view of accounts with passwords (including a rating for password strength out of five) from which those who have access can create or modify entries, set password policy, share lists or logins, or attach documents. When a list is shared, it shows up in the user's tree with the permissions set by the administrator or list manager. The latter is an excellent addition and allows you to see recent changes to the list without opening a separate screen, though more in-depth reporting is also available (including comparing changes between edits).

Permissions on passwords can include view-only, modify, or administrator privileges. They can also be time-limited, which is handy for sharing logins with a contractor, for example, and access to a password can be made conditional on approval by up to two other list administrators (to whom an email is sent asking them to confirm).

When it comes to manipulating passwords there are plenty of options. The password entries themselves allow the administrator to set password strength policy and password generator policy (the two are distinct, as a user can use their own generator settings while matching the strength policy), and to copy permissions from templates or other password lists. One nice feature is that each list has a Guide tab, which is a text entry box (though HTML can also be used) for a description of the list and any instructions related to it that the user might need to know.

And, while not breaking it out as a distinct feature like Roboform's Safenotes or Lastpass' Secure Notes, Passwordstate's document attach feature allows you to select any file type. These are stored encrypted in the database along with other records for an entry.

 

Speaking of which, the database is encrypted with 256-bit AES, as with the other products here, but Passwordstate also salts fields in the database to prevent exploitation via copied fields, and obfuscates its own code to prevent reverse engineering of Passwordstate to unravel its encryption mechanisms. On the other side of the coin, Passwordstate provides a documented API to allow IT to write their own programs or scripts to interface with Passwordstate, thereby extending its functionality for custom tasks.

Users can be generated local to Passwordstate or synchronised from Active Directory, making it easy to populate and find hosts on a clean install. Building on this, two-factor authentication is available through a dozen optional methods that include RSA SecurID, Google Authenticator, Scramblepad, and one-time passwords.

Finally, extensive auditing and reporting options track everything from password synchronisation through to failed login attempts. There are also helpful graphs and charts that give administrators an instant overview of password strength and recent activity, broken down by users and lists.

About the only feature missing from Passwordstate is form-filling. While not the core remit for password managers, most of the products we looked at here support it, and its inclusion makes it much easier for employees to use the product. According to Clickstudios, this is coming in the next version, currently in beta, and will support a Chrome extension with other browsers to follow.

Passwordstate is Windows-only as a server, with client support on Windows, MacOS X, Linux and mobile platforms through any browser (though an optional mobile client is also provided with support for iOS, Android, Windows Phone and Blackberry).
Pricing is per user on a sliding scale, with 100 users coming in at $1,920. An unlimited user license is $4,272. On top of this, an optional High Availability Module, which runs as read-only on a failsafe server, is $1,423, while optional annual support and upgrades come in at $668.

1. Roboform

2. LastPass

3. Password Vault Manager

4. Pleasant Password Server

5. PassPack

6. Passwordstate
