Enterprise password managers
- 04 December, 2014 16:43
Password management is big business, and with good reason: the weakest link in your network's security is the human component -- the one that can succumb to social engineering or phishing, or inadvertently run the wrong program at the right time (right for the keylogging malware, at least). And then there are passwords, the proverbial keys to the kingdom.
It's an unfortunate fact that a password that is easy to remember is also easy to guess or crack. Dictionary attacks on passwords are as old as the hills, so it's the long, randomised passwords mixing upper and lower case letters and digits, often with some special characters thrown in, that are both more secure and harder to remember -- hard enough that your average user will likely just write them down on paper somewhere, or store them on their phone in plain text, defeating the purpose of a strong password in the first place.
It also doesn't help that, even if a user has a relatively decent password, most people will use the same one across many sites and services (think water and the path of least resistance), leaving a gaping hole in security if that one password is discovered. And it doesn't always take a hacker or a phishing campaign to exploit them -- with the big breaches we've seen over the last year, millions of user accounts have been published online for other, less well-meaning individuals to take advantage of.
Humans aren't designed to remember multiple long, complex sequences (except for that chap who can recite Pi, maybe). But computers are. And that's where password managers come in: instead of needing to remember a range of passwords for the networks and applications a person uses, they need to remember only one -- their master password. The password manager derives the key that encrypts all the other passwords from this master password, remembering logins for sites and services on the user's behalf, conveniently stored and managed within the manager's own database.
Most will go a step further and auto-generate strong passwords for you (the long, cryptic type). So hard-to-crack passwords can be used across the board for network logins, online services, web sites and applications, and the user only has to remember the one.
There are plenty of consumer-oriented products that do this, but enterprises can also benefit from these tools. They can make password management for IT much easier by consolidating passwords and logins into a centralised, simplified platform. Less time is spent with employees calling the help desk, and password recovery is simplified for IT. They can even make it easier to set and change policies for who can access what and when, without bothering the user with new logins or credentials, since it's all centrally managed behind that one master login.
So here's our look at some of the big players in enterprise password management, as well as a few of the less well known options:
1. RoboForm
2. LastPass
3. Password Vault Manager
4. Pleasant Password Server
5. PassPack
6. Passwordstate
RoboForm
RoboForm has been plying its trade for fifteen years now, and while it began as a consumer product it has since branched out to cover mobile devices and to sport enterprise features.
True to its name, RoboForm began as more than just a password manager and aims to make life easier for its users by auto-filling web forms with name, address and other details, as well as the core job of securely storing passwords. This comes in the form of Passcards, which hold data like user IDs and their associated passwords, and Identities, which can include personal information such as credit card numbers and a driver's licence. Passcards also record the web site they belong to, which helps against phishing -- if a user lands on a look-alike site, RoboForm won't recognise it and won't offer to fill in the login.
Finally, RoboForm sports another data type: Safenotes. These are essentially anything you want securely stored that doesn't fit into a Passcard or Identity, such as telnet passwords, ATM card PINs, software activation codes and the like.
In use, RoboForm adds a bar or drop-down menu (depending on browser) that allows you to fill out contact info, login to websites, and bookmark popular pages. Tutorials are included to help users make use of RoboForm's form-filling features, whilst an extensive set of options provides for managing Passcards and Identities, syncing with the cloud (if taking advantage of RoboForm Everywhere), and configuring the level of security for stored data (which can optionally include biometric fingerprint as a means of authentication). A password generator is also provided to automatically create strong alphanumeric passwords to a given length -- such that you can create strong passwords for a login and not have to worry about remembering them.
If you use RoboForm's cloud, the database is encrypted with 256-bit AES under a key derived from the master password, much like those secure cloud storage services where the host can't retrieve your data if you forget the encryption key. If the master password is lost, not even RoboForm can recover the data for you, which is a good thing security-wise. Alternatively, the database can be stored locally, also encrypted, anywhere it remains accessible (including on a network share).
The Everywhere cloud does have another benefit however -- being able to sync Passcards, Identities and Safenotes among multiple devices, both workstation and mobile endpoints, means you can take your logins with you wherever you go.
All of these features are extended for the enterprise with support for easy bulk installs via SMS (Microsoft's Systems Management Server) or Group Policy, Active Directory integration, master password recovery, leased logins, and the ability to share logins between users. You can also define separate user and administrator passwords (so that a user can see but not edit form data, for example). The RoboForm Console version allows login and form-filling to be automated from the command line, which may be of use for IT wanting to issue commands from a start-up script.
Recent releases of RoboForm have expanded to support Windows applications too, such that auto-filling details can work with applications that have similar fields for entry. Lastly, a Roboform2Go variant allows for storing data on a portable USB drive with a browser so that secure logins can be taken on the road.
RoboForm supports Windows, MacOS X, Linux as operating systems; iOS, Android, Blackberry, Windows Phone, Palm and Symbian for mobile devices; and IE, Firefox, Chrome, Safari and Opera as browsers. Which pretty much covers all bases (though note the Linux browser plugins appear to lag behind its Windows counterparts, and not all features are available on Linux).
In terms of cost, RoboForm's pricing is a little confusing, mixing a licence for the top-tier Console edition with separate per-workstation licences for the client itself. In general, though, it's around US$36 per workstation and US$1995 for the Enterprise Management Console. This is a one-time fee, but it includes a compulsory first year of maintenance, which provides 24/7 tech support plus upgrades and updates to RoboForm. Ongoing, the maintenance cost for an enterprise of 100 users would be around US$640 a year.
LastPass
LastPass is well known in the password management business, and, just like the other managers looked at here, eases the headache of logins and browsing by form-filling for the user and managing identities and profiles that contain private information.
By default, LastPass uses its cloud to manage accounts, so logging in to LastPass is required. From there, a user is presented with the Vault, a summary view of the sites and email accounts LastPass is storing data for, where you can edit a profile, add form-filling data, delete an entry or share entries with other users. Sharing has a useful twist: a login can be shared with other LastPass users without revealing the password itself, for example to give temporary contractors access to a third-party site.
As with RoboForm, LastPass extends the secure storage of logins and profiles to ancillary information which it calls Secure Notes. Here a user can store anything from general information in a free text field through to bank account details, passport information, insurance specifics and even server logins and Wi-Fi passwords through neatly categorised pre-defined forms. It also sports the ability to attach documents or images to a note, effectively creating a personalised secure vault for any data.
Form-filling works as you would expect but also provides support for multiple profiles, for example having multiple credit-card or login details for a site and choosing which one you want to use at the time. When it comes to choosing a password for a new login, there is an automatic password generator that has all the frills for case, length or special characters. It also features a Pronounceable option which, while reducing the complexity of the password, does at least make it possible to remember or easily pass on if desired.
As before, LastPass uses the cloud by default so all these settings are synced with the LastPass account and can be accessed on other machines or devices -- anywhere there is a browser in fact, as support is quite extensive. Apart from Windows, MacOS X, and Linux it also directly supports iOS, Android, Blackberry, Windows Phone and Microsoft's Surface RT with their own clients while browser support covers all the bases with IE, Firefox, Chrome, Opera, and Safari.
There is also a portable version with LastPass On-the-Go which comes in flavours for IE, Firefox, and Chrome to be launched from a USB thumb drive or similar. Adding to the mix there is a LastPass Pocket version which, unlike the main product which is browser-plugin based, is a stand-alone application for Windows, MacOS X, or Linux. It's intended for offline use, and enables, for example, access to logins or Secure Notes from a USB drive even if internet access isn't available.
The enterprise features build on this solid feature set with a dashboard that lets IT set and enforce security policies, covering everything from IP address restrictions and logoff overrides to password strength and multi-factor authentication. There are also special cases, such as disallowing logins from the Tor network, or ensuring only one session can be active for a LastPass account at any one time.
The dashboard also provides for quickly adding or removing users, recovering passwords, sharing site logins among teams, and running a security audit. The audit presents a score for each employee based on the logins associated with their account, helping to identify any with weak passwords. LastPass also works with PwnedList (pwnedlist.com) and can alert admins to breaches at sites where employees hold accounts, so that a password change can be forced as soon as possible.
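As an added illustration of what such an audit computes (this is example code of mine, not LastPass's, and the vault entries and "breach corpus" below are constructed, not real data), the Go program below scores one employee's stored logins: it flags passwords reused across sites, passwords whose estimated strength falls below a policy threshold, and passwords whose SHA-1 hash appears in a breached-password set, the way a PwnedList-style feed would be consulted. The function names (Audit, estimateBits) and the scoring rule are my own.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"math"
	"strings"
)

// Entry is one stored login as the audit sees it.
type Entry struct {
	Site, Username, Password string
}

// Finding is one problem raised against an entry.
type Finding struct {
	Site, Reason string
}

// classSets are the alphabets the estimator credits; the last is ASCII
// punctuation plus space (33 characters).
var classSets = []string{
	"abcdefghijklmnopqrstuvwxyz",
	"ABCDEFGHIJKLMNOPQRSTUVWXYZ",
	"0123456789",
	"!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~ ",
}

// estimateBits is a deliberately crude strength estimate: the size of the
// alphabet needed to cover the password, raised to its length. Real analysers
// also penalise dictionary words, dates and keyboard walks.
func estimateBits(pw string) float64 {
	alphabet := 0
	for _, set := range classSets {
		if strings.ContainsAny(pw, set) {
			alphabet += len(set)
		}
	}
	if alphabet == 0 {
		return 0
	}
	return float64(len(pw)) * math.Log2(float64(alphabet))
}

// sha1Hex mirrors comparing hashed passwords against a breach corpus, so the
// corpus never holds plaintext (SHA-1 is an identifier here, not a password hash).
func sha1Hex(s string) string {
	sum := sha1.Sum([]byte(s))
	return hex.EncodeToString(sum[:])
}

// Audit flags reused, weak and breached passwords and returns a 0-100 score,
// the percentage of entries with no findings, plus the findings themselves.
func Audit(entries []Entry, breached map[string]bool, minBits float64) (int, []Finding) {
	if len(entries) == 0 {
		return 100, nil
	}
	uses := map[string]int{} // how many entries share each password
	for _, e := range entries {
		uses[e.Password]++
	}
	var findings []Finding
	flagged := 0
	for _, e := range entries {
		before := len(findings)
		if n := uses[e.Password]; n > 1 {
			findings = append(findings, Finding{e.Site, fmt.Sprintf("password reused across %d sites", n)})
		}
		if bits := estimateBits(e.Password); bits < minBits {
			findings = append(findings, Finding{e.Site, fmt.Sprintf("weak: ~%.0f bits, policy wants %.0f", bits, minBits)})
		}
		if breached[sha1Hex(e.Password)] {
			findings = append(findings, Finding{e.Site, "appears in breach corpus; change it now"})
		}
		if len(findings) > before {
			flagged++
		}
	}
	return 100 * (len(entries) - flagged) / len(entries), findings
}

// Constructed sample data: one employee's vault and a toy breach corpus.
var sampleVault = []Entry{
	{"intranet.example", "jsmith", "Summer2014"},
	{"crm.example", "jsmith", "Summer2014"},
	{"payroll.example", "jsmith", "v9$Lq2!wR8pZ#m4T"},
	{"wiki.example", "jsmith", "letmein"},
}

var sampleBreached = map[string]bool{sha1Hex("letmein"): true, sha1Hex("password"): true}

func main() {
	score, findings := Audit(sampleVault, sampleBreached, 60)
	fmt.Println("score:", score)
	for _, f := range findings {
		fmt.Printf("  %-18s %s\n", f.Site, f.Reason)
	}
}
```

On the constructed vault above, three of the four entries attract findings (the reused and weak "Summer2014" twice, the weak and breached "letmein" once), so the employee scores 25. A real deployment would replace the toy corpus with a breach feed and the crude estimator with a proper strength library, but the shape of the check is the same.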
Multi-factor authentication options include trusted devices as well as third-party products such as YubiKey, Toopher, Transakt and Google Authenticator, plus a fingerprint scanner or card reader.
Finally, support for a range of cloud services such as Salesforce, Office 365, Box and the like can be managed through SAML to provide single sign-on to these services through an employee’s LastPass login, all presented through a single-click portal.
Pricing starts at $24 per workstation for 100 employees or less, reducing to $18 a workstation for 1000 employees or more. This is a recurring yearly fee.
Password Vault Manager
Password Vault Manager is different from RoboForm and LastPass in that it's primarily a stand-alone application with browser extensions, rather than being built around a web interface.
It's a clean interface, utilising Windows 8's ribbon architecture with an administration tree on the left for users, groups, and credentials.
Entries can consist of multiple data types, for example: account, bank, and passport information, choosing as few or as many types as you need per entry. On top of this, all sorts of files can be attached and, for file types that are recognised, viewed through Password Vault Manager itself. This extends to logins, too, so you can test a login and view the web page directly with Password Vault Manager itself without the need to launch a browser.
There are also plenty of tools to make it easier to manage groups and logins, including batch-editing and creating templates out of entries. Each entry can carry a range of optional extra metadata, including hardware information about a client device, with its fields able to be populated via system variables pulled from the client -- effectively turning it into a light auditing tool as well.
As expected, a password generator is included, with settings for everything from readable or pronounceable passwords to unintelligible but much stronger random ones, and it adds a nice feature for blacklisting specific passwords so they are never issued.
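For readers curious what sits behind the generator options all three products so far expose (length, character classes, a pronounceable mode, and here a blacklist), the Go example below is an added illustration of mine, not Password Vault Manager's or any other vendor's code. It draws from the operating system's CSPRNG without modulo bias, enforces every required class by rejection rather than by forcing one character per class and shuffling (which skews the distribution), honours a blacklist, and puts a number on how much weaker a pronounceable password is. The Policy type and its field names are my own.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// Alphabets a policy can require; Special deliberately avoids shell-hostile characters.
const (
	Lower   = "abcdefghijklmnopqrstuvwxyz"
	Upper   = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	Digits  = "0123456789"
	Special = "!#$%&*+-=?@^_~"
)

// Policy mirrors a generator dialog: length, alphabets that must each appear
// at least once, and exact strings never to be issued (a blacklist).
type Policy struct {
	Length    int
	Classes   []string
	Blacklist []string
}

// randIndex draws a uniform index in [0, n) from the OS CSPRNG. rand.Int
// rejection-samples internally, avoiding the modulo bias of "rand() % n".
func randIndex(n int) int {
	i, err := rand.Int(rand.Reader, big.NewInt(int64(n)))
	if err != nil {
		panic(err) // CSPRNG failure: stop rather than degrade silently
	}
	return int(i.Int64())
}

// Satisfies reports whether pw has the policy's length, contains a character
// from every required class, and is not blacklisted.
func Satisfies(pw string, p Policy) bool {
	if len(pw) != p.Length {
		return false
	}
	for _, set := range p.Classes {
		if !strings.ContainsAny(pw, set) {
			return false
		}
	}
	for _, bad := range p.Blacklist {
		if pw == bad {
			return false
		}
	}
	return true
}

// Generate samples uniformly from the union of the classes and rejects
// candidates that miss a class or are blacklisted. Rejection keeps the output
// uniform over conforming passwords; "force one per class, then shuffle" does not.
func Generate(p Policy) (string, error) {
	if len(p.Classes) == 0 || p.Length < len(p.Classes) {
		return "", errors.New("policy needs at least one class and enough length for each")
	}
	union := strings.Join(p.Classes, "")
	buf := make([]byte, p.Length)
	for try := 0; try < 10000; try++ { // bounded so a hostile policy cannot spin forever
		for i := range buf {
			buf[i] = union[randIndex(len(union))]
		}
		if pw := string(buf); Satisfies(pw, p) {
			return pw, nil
		}
	}
	return "", errors.New("policy too restrictive to satisfy")
}

// EntropyBits is the log2(|alphabet|^length) figure generators display; the
// rejection step above lowers the true value only marginally.
func EntropyBits(p Policy) float64 {
	n := len(strings.Join(p.Classes, ""))
	if n == 0 {
		return 0
	}
	return float64(p.Length) * math.Log2(float64(n))
}

// PronounceableBits is what a "pronounceable" option that alternates 21
// consonants and 5 vowels actually carries: 12 characters give about 40 bits,
// against about 75 for 12 draws from the 76-symbol union of all four classes.
func PronounceableBits(length int) float64 {
	return float64((length+1)/2)*math.Log2(21) + float64(length/2)*math.Log2(5)
}

func main() {
	p := Policy{Length: 16, Classes: []string{Lower, Upper, Digits, Special}, Blacklist: []string{"Password1!"}}
	pw, err := Generate(p)
	fmt.Printf("%s (%.1f bits) %v\n", pw, EntropyBits(p), err)
	fmt.Printf("pronounceable 12 chars: %.1f bits\n", PronounceableBits(12))
}
```

The blacklist is exact-match here; a manager's version would normally also reject anything on a breached-password list, which is the same check applied to a much larger set.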
The database is encrypted with 256-bit AES as expected, but you have the option of storing it locally or using other data sources like Amazon S3, FTP and services like Dropbox. The in-built help has an excellent overview of the pros and cons for using these different data sources. There is also the option of Password Vault Manager online, with its own cloud storage solution, which is currently free though this may change in future.
Administrators can create security groups to allocate access rights to users, providing access to logins via browser-based extensions over the network to the Password Vault Manager server. Extensive reporting and logging works with the password analyser, providing an at-a-glance view of password strength for all the entries in the database, giving administrators all the information they need.
Two-factor authentication is supported via Yubikey or Google Authenticator, and an extensible add-on feature allows third-party additions to the server, for which a decent selection can be found at the Password Vault Manager's website (though under its sister product, Remote Desktop Manager) as well as in the site's forums.
The server itself is Windows only, while browser support is limited to IE, Firefox and Chrome. There is no direct support for mobile device platforms such as iOS and Android, however this is apparently in development.
Overall, Password Vault Manager isn't as flexible as say RoboForm or LastPass, but the client itself has considerable depth in the type of data you can associate with entries and the level to which you can organise identities and logins among users and groups. Definitely give the trial a spin if you're interested in seeing if it works for you.
Pricing is roughly $50 per user per year as a maintenance cost; however, by buying a three-year licence in advance you effectively get one year free, and renewing after this is half price. There are plans for up to 15 users, after which it jumps to an unlimited site licence for $999. Support is tiered: the Standard level is included in the licence costs above, and can be upgraded to Extended or Premium for quicker turnaround on support, with Premium adding phone support.
Pleasant Password Server
Pleasant Password Server is unique among the products looked at here in that it's based around the free, open-source password manager KeePass Password Safe.
KeePass itself has a large following with versions for Windows, MacOS X, and Linux, as well as iOS, Android and Windows Phone and, of course, a portable version for USB thumb drives. As a client, it has one of the cleaner interfaces looked at here, and breaks down logins into categories like Windows, network, internet, and email, though you can also define your own.
The database is encrypted with 256-bit AES, as is the norm among password managers, but KeePass goes a step further and encrypts sensitive data in memory as well, so that private details aren't sitting in cleartext if the machine running KeePass has its memory dumped or swapped out to disk. On top of this, anything copied to the Windows clipboard, such as a login, is automatically wiped after twelve seconds, and the database is automatically locked when the machine is locked (such as when the user is away from the PC).
The master password can alternatively be replaced by, or combined with, a key file, increasing the security of access to the database, and the database can also be tied to a Windows user account. This is not merely linking it to the name and password of the user but to the actual Windows account and its Security Identifier (SID), which is unique to that account on that machine.
The password generator is perhaps the most advanced of the tools looked at, with plenty of options to define how a password is derived, including adding your own pattern or algorithm to the mix.
An extensive set of plugins expands the functionality of KeePass to provide integration with the popular browsers Firefox, Chrome and Safari, as well as support for Remote Desktop, online backup providers, and extras like an on-screen keyboard or pronounceable password generation.
Pleasant Password Server, by comparison, is closed source but builds upon KeePass -- and ships its own build of it -- to supply more enterprise-focused features via a centrally managed console and web interface. This includes adding users from Active Directory or LDAP, editing users' profiles, creating Roles to assign permissions to groups of users, and setting password policy.
Bucking the trend somewhat, Pleasant doesn't use or provide a cloud service to store password databases, and instead is designed to be used with a locally managed server.
On the whole this is already a solid offering, with all the features you're likely to need for management via the Pleasant Password Server and secure password management and form-filling via KeePass. However, this can be further extended with another Pleasant product called PasswordProxy, a framework that makes it possible to store and control access to company passwords and other sensitive data without employees being able to view or access the passwords themselves. Instead users are assigned a PasswordProxy account, which is then used via Pleasant Password Server to log in to services and websites directly on the user's behalf. This prevents not only inadvertent (or otherwise) exposure of passwords by employees, but also stops malware on the client from harvesting the credentials, as they are never present on the client system or mobile device. (The caveat, as with any credential-injecting proxy, is that a compromised client can still use whatever session the proxy has opened for it.)
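To show how a credential-injecting proxy of the kind just described can work in principle, here is an added Go example of mine; it is not PasswordProxy's code and makes no claim about how Pleasant implements it. The client authenticates to the proxy with a proxy session token; the proxy looks up the real upstream credential, which exists only on the proxy, sets it as HTTP Basic auth on the outgoing request, and strips the upstream's auth challenge from the reply. The upstream site, the credential table, the session table and every token and password value are constructed for the example.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// realCreds maps a proxy account to the upstream credential the user never
// sees (constructed sample data; a deployment would read it from the vault).
var realCreds = map[string]struct{ user, pass string }{
	"alice": {"svc-crm", "Kq9#v2LxP7$zRm4T"},
}

// sessions maps tokens issued at proxy login to proxy accounts (constructed).
var sessions = map[string]string{"tok-alice-1": "alice"}

// ctxKey carries the authenticated account through the request context, so a client cannot spoof it.
type ctxKey struct{}

// NewCredentialProxy authenticates the client by proxy session, then rewrites the
// outgoing request so the upstream sees the real credential as HTTP Basic auth.
// SetBasicAuth replaces the client's Authorization header, so the proxy token never reaches upstream.
func NewCredentialProxy(upstream *url.URL) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(upstream)
	director := rp.Director
	rp.Director = func(r *http.Request) {
		director(r)
		acct, _ := r.Context().Value(ctxKey{}).(string)
		c := realCreds[acct]
		r.SetBasicAuth(c.user, c.pass)
	}
	rp.ModifyResponse = func(resp *http.Response) error {
		resp.Header.Del("WWW-Authenticate") // never relay the upstream's auth challenge
		return nil
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		acct, ok := sessions[strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")]
		if _, assigned := realCreds[acct]; !ok || !assigned {
			http.Error(w, "proxy login required", http.StatusUnauthorized)
			return
		}
		rp.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), ctxKey{}, acct)))
	})
}

// upstreamHandler stands in for the third-party site; it only checks Basic auth.
func upstreamHandler(w http.ResponseWriter, r *http.Request) {
	u, p, ok := r.BasicAuth()
	if !ok || u != "svc-crm" || p != "Kq9#v2LxP7$zRm4T" {
		w.Header().Set("WWW-Authenticate", `Basic realm="crm"`)
		http.Error(w, "bad credentials", http.StatusUnauthorized)
		return
	}
	fmt.Fprintf(w, "logged in as %s", u)
}

// Outcome is what a client observes with no session, a forged one and a valid one.
type Outcome struct {
	NoToken, BadToken, GoodToken int
	Body                         string
}

// fetch issues one client request through the proxy and returns status and body.
func fetch(proxyURL, token string) (int, string, error) {
	req, _ := http.NewRequest(http.MethodGet, proxyURL+"/", nil)
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return resp.StatusCode, strings.TrimSpace(string(body)), err
}

// Demo runs upstream and proxy in-process: the proxy refuses missing or forged
// sessions, and a valid one reaches the upstream as svc-crm while the client never holds that password.
func Demo() (out Outcome, err error) {
	upstream := httptest.NewServer(http.HandlerFunc(upstreamHandler))
	defer upstream.Close()
	target, _ := url.Parse(upstream.URL)
	proxy := httptest.NewServer(NewCredentialProxy(target))
	defer proxy.Close()
	out.NoToken, _, _ = fetch(proxy.URL, "")
	out.BadToken, _, _ = fetch(proxy.URL, "tok-forged")
	out.GoodToken, out.Body, err = fetch(proxy.URL, "tok-alice-1")
	return out, err
}

func main() {
	out, err := Demo()
	fmt.Printf("%+v %v\n", out, err)
}
```

Basic auth is used because it makes the injection visible in a few lines; a form- or cookie-based site needs the proxy to drive the login sequence and then relay the resulting session, which is where the caveat above about a compromised client riding the open session comes in.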
While KeePass is multi-platform, Pleasant Password Server is Windows only, though it can be managed via any computer through its web interface.
The only feature that appears missing is an in-built method for mass deployment, but beyond this Pleasant Password Server and KeePass offer a tight solution to enterprise password management. In terms of pricing there are no ongoing licence costs, just a one-time fee for the product. An office of 100 users costs $2,720 for 100 copies including the Enterprise edition; adding PasswordProxy bumps this to $5,745. While there are no ongoing licence fees, optional support plans are available. These are a fraction of the per-unit cost, and one year is included for free as part of the initial purchase price.
PassPack
In contrast to Pleasant Password Server, PassPack is an entirely online, browser-driven solution. This means no client software is needed on Windows, Mac OS X or Linux, nor on any mobile platform; any device with a browser provides access to a user's PassPack account.
When a user first joins PassPack they will be prompted for what's called a 'Packing Key'. This is distinct from the user's login and password, and is used to encrypt their data on PassPack's servers. Just like RoboForm's master password, this is the key to the castle for that user: if the Packing Key is forgotten, the data is irretrievable, even by PassPack. It also means that even if PassPack's servers are compromised, the stored data remains encrypted and useless to a third party, since no one but the user knows the Packing Key (the usual caveat for browser-based encryption applies: you are trusting the code PassPack serves to your browser to do what it says). The administration functions for IT do not support recovering the key either, though if the Packing Key has been changed over time, a roll-back to the previous key is available.
PassPack touts '1Click Login' as a key feature, which allows users to log in to favoured websites automatically, though this functionality is available in other products like RoboForm and LastPass.
PassPack is designed with sharing in mind, and sharing logins among teams of people is easily done through the interface -- each user chooses a nickname and, from this, the administrator can add them to groups. In a group, users can share passwords with each other as well as send secure messages, much like popular messaging applications, which is unique among the products we looked at here. It's a nice touch, as it allows secure communication for employees on the road who might be connecting via insecure networks. When sharing passwords, the owner can elect to make them viewable only, or viewable and changeable. Note, however, there is no feature to share a login without the credentials themselves being known to the other party, unlike LastPass or Pleasant Password Server (with PasswordProxy), also looked at here.
For the administrator, all employees are effectively treated as shared users, and groups can be defined to organise users via the departments they work in. This also makes it easy to add or remove external or contract users on demand as required.
Just like the other password managers looked at here, PassPack comes with a password generator under the Tools heading. It's not as fully featured as the other products, but is in-built to the browser interface so it is quick to access.
Accounts can be configured to lock automatically after a period of inactivity; single-login sessions can be enforced; a customisable welcome message can be defined; and disposable one-time logins can be created for an account to be used at insecure locations, which is an innovative touch. Finally, two-factor authentication is provided via YubiKey support or a one-time password sent over email, the latter useful for giving access to a third party while still making use of a second authentication mechanism.
In overview, PassPack sounds forward thinking and complete, and the fact it doesn't require any client-side support except a recent browser makes it highly versatile. However, it's not perfect: there are no auditing, logging or reporting features and no automated password strength checking tools for users being administered. The inability to provide secure logins without revealing password details could be a deal-breaker for some organisations.
Compared to the other products looked at here, pricing is exceedingly competitive. Plans are priced not so much on features (all plans except for the free edition can, for example, provide for groups of users to collaborate), but on number of passwords stored and the number of users supported and groups that can be defined. The pricing is a monthly charge, but costs a meagre $4 a month for up to 15 users, or $12 a month for up to 80. That's total, not per user. For up to 1000 users it's $40 a month, and beyond that PassPack asks you to contact them for plans.
Passwordstate
Produced by Australian developer Clickstudios, Passwordstate aims to be the definitive enterprise password manager. Built around role-based access, Passwordstate breaks down managed passwords into lists that can be organised via department or function. The interface itself is web-based, and so will work anywhere a browser is present, and is much the same between users and administrators, with administrators having access to more features and options.
Considering its web-based focus, Passwordstate provides a clean, simple design. On the left are the password lists, or folders that group lists, and on the right the content of the selected list. The right-hand side is broken down into two key areas: password entries, and recent activity. The entries area provides an at-a-glance view of accounts with passwords (including a rating for password strength out of five), from which those with access can create or modify entries, set password policy, share lists or logins, or attach documents. When a list is shared, it shows up in the user's tree with the permissions set by the administrator or list manager. The recent activity area is an excellent addition, letting you see recent changes to the list without opening a separate screen, though more in-depth reporting is also available (including comparing changes between edits).
Permissions on passwords can be view only, modify, or administrator, and can also be made time limited, which is handy for sharing logins with a contractor, for example. Access to a password can also be made conditional on approval by up to two other list administrators, who are emailed a request to confirm.
When it comes to manipulating passwords there are plenty of options. The password entries themselves allow the administrator to set password strength policy, password generator policy (the two are distinct as a user can use their own generator settings while matching the strength policy), as well as the ability to copy permissions from templates or other password lists. One nice feature is that each list has a Guide tab, which is a text entry box (though HTML can also be used) for a description of the list, and any instructions related to it the user might need to know.
And while it doesn't break it out as a distinct feature like RoboForm's Safenotes or LastPass's Secure Notes, Passwordstate's document attach feature allows you to select any file type. These are stored encrypted in the database along with the other records for an entry.
Speaking of which, the database is encrypted with 256-bit AES as the other products here do, but Passwordstate also salts encrypted fields in the database so that an encrypted value copied from one record can't simply be reused in another, and obfuscates its own code to hinder reverse engineering of its encryption mechanisms (a deterrent rather than a security control in itself: the protection should rest on the keys, not on the code staying secret). On the other side of the coin, Passwordstate provides a documented API to allow IT to write their own programs or scripts to interface with Passwordstate, extending its functionality for custom tasks.
Users can be created locally in Passwordstate or synchronised from Active Directory, making it easy to populate accounts on a clean install. Building on this, two-factor authentication is available through around a dozen optional methods that include RSA SecurID, Google Authenticator, Scramblepad, and one-time passwords.
Finally, extensive auditing and reporting options track everything from password synchronisation through to failed login attempts. There are also helpful graphs and charts giving administrators an instant overview of password strength and recent activity, broken down by users and lists.
About the only feature missing from Passwordstate is form-filling. While not the core remit for password managers, most of the products we looked at here support it, and its inclusion makes it much easier for employees to use the product. According to Clickstudios this is coming in the next version, currently in beta, and will support a Chrome extension with other browsers to follow.
Passwordstate is Windows-only as a server, with client support on Windows, Mac OS X, Linux and mobile platforms through any browser (though an optional mobile client is also provided for iOS, Android, Windows Phone and Blackberry).
Pricing is per user on a sliding scale, with 100 users coming in at $1,920. An unlimited user license is $4,272. On top of this an optional High Availability Module, which runs as read-only on a failsafe server, is $1,423 while optional annual support and upgrades comes in at $668.