Analysis: Enterprise password management tools have room to improve

While we all have too many passwords to deal with, few of us have the proper tools for promoting better password hygiene in our day-to-day working lives. Despite the variety of consumer-oriented products available, finding an enterprise password management product or tool can be quite difficult.

In this tip, we'll briefly examine the landscape of password management offerings and highlight the benefits and drawbacks of today's tools in an enterprise context.

After conducting a detailed analysis, I have concluded that these products basically fall into two categories.

Requires Free Membership to View

One of several password management tools available, 1Password has numerous security options, including the ability to automatically lock the vault after inactivity or when the screensaver comes on.

The first group, let's call them Type A, consists generally of consumer tools that create a secure vault where users can store IDs and password data. From here, users can generate new and more complex passwords and have them automatically filled in at login times from a Web browser. These products are typically an outgrowth of the traditional endpoint security products from TrendMicro Inc., Kaspersky Lab, Symantec Corp.'s Norton division and others. For most of these, IT managers don't have any mechanism to manage the tool or to determine if users are actually storing anything in their vaults. A few of these vendors offer enterprise options, including LastPass Enterprise, SplashID and RoboForm Enterprise.

Most Type A tools offer three important capabilities: generating a random complex password to meet certain specifications, synchronizing a password vault in the cloud and supporting a variety of Web browser plug-ins to operate more smoothly with Software as a Service based services. Some also have versions that run on a variety of mobile devices and operating systems.

Kaspersky Pure has a lot of additional security tools besides its Password Manager module, such as the ability to erase history securely and shred files.

The synchronization feature is a significant one. Given the state of mobility today, it is important for users to be able to log in from office desktops, home PCs and smartphones. Having a single product that delivers the correct password to users' various devices is vital. Of course, this means trusting the password-synchronization service to encrypt login data and keep it secure. Some of the vendors, such as TrendMicro or LastPass, have their own cloud service while others, such as 1Password, rely on third-party services (in this case Dropbox or iCloud) to provide the connectivity. As the market stands now, RoboForm has the widest mobile OS support.

Roboform's configuration screen, showing the various security options among other menus.

The pricing for Type A products varies dramatically: Trend Micro charges $15 per user per year, while RoboForm goes for a one-time fee of $5,000, but includes licenses for 50 users. The others fall in between.

The second category, Type B, is geared toward local resources such as corporate servers, databases and the like. These logins are typically shared among a group of network administrators, which makes them much easier for a hacker to exploit. Two of the tools I evaluated -- Lieberman's Enterprise Random Password Manager and Secret Server from Thycotic Software Ltd. -- aim to fortify privileged accounts and shared administrative access to critical local Windows and Linux servers.

Lieberman's ERPM main dashboard, which is a Windows application, and the variety of servers that it supports.

These products, which discover and strengthen server passwords and then encrypt and store them in vaults, change passwords as often as your policies dictate. Lieberman also works with a variety of configuration management tools such as Microsoft System Center, HP Operations Center and Arcsight. Lieberman's entry-level price tag is a steep $25,000, but that includes unlimited users and accounts. Secret Server starts with a one-time payment of $2,500 plus $69 per user per year and an additional $550 annually in support fees.

Lieberman's password complexity settings area.

One major problem users are likely to encounter occurs when a login screen is detected by the latest version Web browsers. These browsers automatically save the credentials users provide, which makes improving password hygiene more difficult because the third-party password management tool must first disable this service and then clean out previously stored passwords from the browser's files.

Kaspersky supports a wide collection of browsers, some of which you might have never heard of

It should be noted that there is some loss of convenience when using mobile apps. For example some apps, such as LastPass, require an extra cut-and-paste step to copy the password from the vault to the app's login screen -- but isn’t the added security worth it?

This is the main policy management screen for LastPass Enterprise, showing its granularity.

Here are a few final considerations and recommendations for those in search of an enterprise-caliber password management system:

  • Look more closely at LastPass. The standalone version is free for individual desktop use or you can upgrade to the enterprise version, expand it to your mobile devices and add the management console at a price tag of $24 per user, per year.
  • Understand what each tool stores in your vault. Some products, such as RoboForm and LastPass, provide this feature to keep everything encrypted and safe. Think of them as poor substitutes for whole disk encryption, but at least this offers some protection for the contents therein. (1Password can store the largest collection of items in its vault, including credit card numbers, text notes and software license information.)
  • Does the product support your particular browser portfolio? Some products support older browsers or oddball ones -- make sure yours is included. (Kaspersky has the widest browser support.)
  • Can they protect you from human errors? Some of the products have features that secure passwords further, such as automatically closing their vault after a certain amount of idle time, turning off auto-fill options on your browser or warning you of other dangerous security practices.
  • Consider single sign-on (SSO) tools as an alternative. This is a more well-established market with a dozen different tools of its own that can strengthen your password collection and make it easier for users to keep track of business-oriented Web services. For more information, check out SearchSecurity's review of two SSO security products. I recommend also looking at my favorite SSO tool, Okta.

About the author:
David Strom is a freelance writer and former editor in chief of several information technology publications. He has written for many TechTarget properties since 2000. His blog can be found at strominator.com and is @dstrom on Twitter.

Editor’s note: The contributor does not have a paid relationship with any of the vendors mentioned in this article.

This was first published in October 2013

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.