Review: Best password managers for the enterprise

The password is ....

Password managers are an important first step for organizations that want to strengthen their security by helping users cope with multiple logins. In this review, we looked at 10 tools: Dashlane for Business, Keeper Security Enterprise, LastPass Enterprise (now part of LogMeIn), Lieberman Enterprise Random Password Manager, LogMeOnce Enterprise Edition, Manage Engine Password Manager Pro, Agilebits 1Password for Teams, StickyPassword, SplashID TeamsID, and SingleID. Here are the individual reviews. See the full review along with a related story on how to evaluate password managers.

Dashlane for Business

Consumer-focused Dashlane recently entered the enterprise market with Dashlane for Business, which we found to be a work in progress. Dashlane for Business adds a thin veneer of additional enterprise and team management software available via a browser window. The Business version lacks an Active Directory agent, although they are working on it for next year. Instead, you have to export a list of AD users and import it into their product. A nice touch is that you can quickly import your entire password vault from several competitors’ products. Dashlane comes with a separate management dashboard web page that shows you summary statistics, such as the number of users and passwords that it is storing and their overall strength.

Keeper Security Enterprise

Keeper supports more mobile versions than its competitors, including BlackBerry, Kindle, Nook, and Windows Phone, plus iOS and Android. The mobile versions bring up a protected browser session, and your username and password information are shown across the top. To log in, you tap on each credential and it is placed in the appropriate spot in the app. That method is better than any other product we looked at. If your users need something to support logins from their phones, this should be the first product you look at. Their security scorecard for each user is somewhat basic, but nice to have. Keeper supports a variety of second authentication factors, including RSA SecurID, SMS, voice calls and Google Authenticator. Like the other tools, it has a complex password generator.

LastPass Enterprise

LastPass continues to have one of the largest collections of supported clients. Their enterprise management has been significantly improved. LastPass has had a busy year. First, there was a well-publicized security breach and then at a session at BlackHat Europe, two researchers were able to compromise an account via a series of exploits. In November, the company was acquired by LogMeIn. Despite these issues, they came in first in our testing. SAML is supported for a variety of third-party apps and also includes the ability to provision and de-provision users on Google Apps, Box, Amazon Web Services, WordPress, etc. LastPass also works with authentication systems such as SecureAuth or RSA SecurID. All of this is impressive, and certainly more useful than any other password utility we tested.

Lieberman Enterprise Random Password Manager

We reviewed Enterprise Random Password Manager (ERPM) two years ago and it is still the gold standard for setting up massive password collections to protect large local server infrastructures. ERPM comes with a Windows app that connects to its database and has both its own user interface and a Web-based one. It has the ability to discover SSH keys and manage them, and authorize users for these keys. Indeed, the goal of the product is to make your logins so effortless that you won’t ever need to remember your passwords. You can schedule how often the passwords change, and have this happen automatically. It has more powerful scheduling features that can update your entire password collection, or be used to create reports, or automate other activities.

LogMeOnce Enterprise Edition

The newest product on the password management scene is LogMeOnce (not affiliated with another company, LogMeIn). They use a browser extension (and a mobile app) and are still a work in progress, which is to be expected since the product was released in November. They have several nice features: First is an app catalog listing several thousand apps. You can choose a login/password combination or use SAML to authenticate yourself. Next is support for several multifactor authentication methods. It comes with a complex password generator that you invoke by clicking in the password field from your browser. Its overall security scorecard has a series of reports, including login activity with date, time and IP address along with which sites you’re logged into and their password strength indicators. LogMeOnce also can save notes in its password vault.

Manage Engine Password Manager Pro

Manage Engine’s Password Manager Pro (PMP) is similar to the Lieberman product and designed for enterprise teams that want to manage a large and mostly local server collection. The product takes the form of a server running on either Windows or Linux. Either server uses a Web interface; there are also mobile apps and browser extensions to automate logins that are used by individual users. Once you install the software and set up some basic parameters, PMP stores encrypted copies of passwords in its password vault in a local SQL server. PMP supports several different user access roles including super admin, admin, and regular password users. You can enable two-factor authentication and mobile access for specific users or groups.

Agilebits 1Password for Teams

1Password comes as paid Windows or Mac desktop versions with free iOS and Android mobile versions. There are also browser extensions. 1Password has a large collection of items that it can store in its vault besides passwords, including file attachments and free-form text notes. 1Password has two major weaknesses: its mobile versions and how it synchronizes its vault. The mobile apps are very bare bones. Adding logins from the browser is clunky. There is also no support for additional authentication factors, unlike most of its competitors. Also, 1Password relies on a third-party synchronization service to keep its vaults communicating with the latest password information.

SingleID

SingleID is going in a very different and innovative direction. Rather than build a vault, they approach the problem from the mindset of not having the user deal with passwords at all. You install a smartphone app and set up your identity. Identity information is tied to an eight-digit ID number in their database that is then displayed on your phone. The second component is a piece of open source PHP code that you place on your website. This turns the typical login dialog into a special form that asks for your SingleID login ID number. Once you type in the number, SingleID then authenticates you back to your phone, and asks if you want to log in to this particular site. It is a clever hack, which avoids a lot of infrastructure.

StickyPassword

Sticky comes in desktop and mobile versions, along with browser extensions. The mobile versions include Blackberry, Kindle Fire, and Nokia X phones, in addition to iOS (7.x and higher) and Android (2.3 and higher) phones. There is a limited SaaS control for certain administrative features, but this is because it doesn’t really have any enterprise management features. Each user has to manage their own account, using the SaaS app. It has limited browser support and limited second factor authentication. Sticky’s complex password generator also lags behind those of its competitors. One nice feature is that Sticky presents you with two browser options on their mobile app: using the phone’s native browser or its own protected version.

TeamsID

TeamsID is a very simple password manager that is designed for enterprises. You set up groups of users within your organization that share the same password collections. It is currently available as a pure SaaS app; other versions are in the works for mobile and desktop apps and browser extensions. By simple we mean that there are none of the other features that most of its competitors offer: there is no support for multifactor authentication and no Active Directory connector. TeamsID stores its vault in the cloud, as you might suspect.