Best tools for protecting passwords
For enterprises trying to get a handle on password management, the good news is that there are products that can help implement stronger password policies for end users logging into corporate and personal Web-based services, as well as for employees who share a local server login.
The goal here is to make the password process more secure, and also to let users login to particular resources without having to remember all of their individual passwords.
We looked at six products, ranging from consumer-oriented to enterprise-only. They are: Kaspersky Pure, LastPass Enterprise, Lieberman Enterprise Random Password Manager, 1Password, RoboForm Enterprise, and TrendMicro DirectPass.
All of these products use a master password vault to store all their information in encrypted form. And all but TrendMicro have a way to generate a complex password and insert it into the login process so users don't have to try to come up with something on their own. This makes life easier for end users and also eliminates the security problems associated with users picking one password for all their logins.
To be included in this review, each product had to have the ability to synchronize passwords across a different collection of clients and servers. For Lieberman, this means synchronizing the logins to internal servers across multiple users who want to share the same password. For the other products, it means having the same user with multiple devices keep track of passwords for Web services.
Because we included such a variety of tools, we can't directly compare the products and didn't score the software programs or declare an overall winner. But here are the highlights:
n LastPass Enterprise offers excellent price/performance and boasts strong management features. LastPass also has the widest desktop and mobile platform support of any of the products we tested.
n Lieberman has the best features for local server password management, and the Lieberman tool was the only one in our tests that worked flawlessly.
n Kaspersky's Pure offers a basic password manager as part of a larger suite that includes other security tools. The downside is that it is Windows only, which means you can't sync your vault with non-Windows devices.
n 1Password is a consumer-focused product that allows you to store more than just passwords in your vault.
n RoboForm has a nice balance of enterprise features and strong bulk password management, but we had some support issues.
n TrendMicro's software is the least developed, although the next version is expected to fix many deficiencies.
Here are the individual reviews:
Like other traditional anti-virus vendors, Kaspersky is getting into the password management game. Kaspersky has two products for password management. One is its Password Manager stand-alone software that sells for $25. This doesn't include the ability to synchronize your password vault (although the vendor promises to include it later this fall).
We decided to review Pure, which is Kaspersky's security suite. Pure includes a variety of tools, including anti-spam, backup, parental controls, data encryption, advanced browser protection and password manager. This latter module does synchronize passwords using the cloud-based accounts maintained on Kaspersky's website.
The Pure password manager covers the basics well, with a complex password generator and options to close the vault automatically after the PC has been idle. You can also store text notes and contact information in the vault.
Pure also has modules that improve browser security, and this is probably more of a reason to purchase it than just for password protection and management. For example, the SafeMoney module sets up protected browser sessions for online banking and ecommerce sites, and another module can securely erase your browser history or analyze your Internet Explorer settings.
Pure will run on Windows 8 in addition to earlier versions back to Vista. The password manager module is only for 32-bit PCs, however. On the other hand, there is a long list of supported browsers, some of which we have never even heard of. Given its Windows-focus, this means that the synchronization feature is of limited value since you can't transport your vault to your smartphone or move between Macs and Windows PCs. Pure is priced at $65 for licensing on up to three PCs.
LastPass is an enterprise-grade product that comes with a separate management console. This software is Web-based, which is also a nice touch. It comes with the widest collection of clients supported, ranging from Windows (including both 32-bit and 64-bit and from XP to Windows 8) to various smartphones. There is also a Web client where you can view your password vault contents. It also combines the best features of a consumer product with a solid enterprise flavor.
The best enterprise security products have flexible policy creation and administration tools, and this is the case here. For example, you can set up a policy to override the default auto logoff protections for PC shutdown, or when in screensaver mode, or when idle, or when the computer is locked. There are dozens more policies to choose from, including support for multifactor tokens such as Yubikey, its own "Sesame" tool, and Google Authentication one-time passwords. You can also strengthen your online access to your vault by restricting access to specific countries, and excluding any access from anyone using the Tor file-sharing network.
You can also federate your LastPass logins across other cloud services such as Wordpress, Salesforce.com, Box and others using SAML. There is a long list of potential notifications that can be setup, including users who have a certain number of duplicate or blank passwords. These come with pre-written warning messages that can be easily customized for your circumstances. The tool also has a few simple reports available from the admin console. There is API access to its reporting engine, which is a nice touch.
LastPass can integrate with the standard Windows Login process to automatically create new users and sign existing users in.
One of the things we liked about LastPass is that upon install (and you can run this security check afterwards as well) it tells you which insecure passwords your browsers (or password vault) have already saved, and gives you the option to remove them.
Another is that it synchronizes your logins via its own cloud service: once you create a login to its cloud, things are updated for your various entries. Sometimes the updates took a few minutes to propagate around the Internet. In addition to logins, their vault also stores text notes securely and can auto-fill online forms.
LastPass automatically installs its browser plug-ins, where you can manually add sites, or notes, to its vault, along with other configuration tasks.
Also included in the software is a complex password generator that has a few interesting options, such as the ability to set a password that you can easily pronounce and with a minimum complexity. You can either bring this up from the browser plug-in menu or from the Web client.
LastPass is free for the individual user, and you get the full functionality of the tool this way so IT managers can easily check it out and see how it works. Once you are ready to upgrade to the enterprise version, you can start a free two-week trial, after which it will cost you $24 per user per year. This includes the ability to use all of its smartphone clients; otherwise you will need to subscribe to a Premium account, which is $12 a year per user. We like this simplicity and ease of getting familiar with the product.
Finally, the various client modules for LastPass have better interface consistency among themselves than most of the other tools we reviewed.
Lieberman Enterprise Random Password Manager
Lieberman's password solution is aimed at a different market than most of the other products in this review. Their idea is to strengthen privileged accounts and shared administrative access to critical local Windows and Linux servers. Typically, many users access the same privileged account and all of them need to know the password.
Given that many enterprises have dozens if not hundreds of servers, it is easy to overlook that many of them have stale admin accounts or don't know where they are located. A common situation is being able to change all local admin passwords on a regular basis.
The Lieberman tool discovers and strengthens all server passwords and then encrypts them and stores them in a special database. You can choose from 128- to 256-bit lengths for AES encryption as well. ERPM creates unique and complex passwords that you don't need to remember, and changes them as often as your password policies require, including daily if you are ultra paranoid. Each account login can have a different schedule and complexity requirement.
ERPM handles passwords on Windows service accounts, IIS accounts, SQL Server and Oracle database accounts, SharePoint, Directory Services, and Linux and other major platforms, both physical and virtual servers. As an enterprise product, it is designed to work with a variety of configuration management repositories such as CA, IBM and BMC's CMDB software and with system management tools such as Microsoft System Center, HP Operations Center and Arcsight.
All of these accounts are discovered without the need to install any agents on individual servers. Once it does find these accounts, ERPM will automatically detect password changes and make the updates across all the various systems and devices.
Installation is a bit of a hassle with a huge list of prerequisite software to support its services. We installed it on a box running an early version of Windows 8.1 and chose the default mySQL database for its password store. But once you get through this process, it is easy to maintain. One of its advantages is a continuous real-time automated account discovery of potential target accounts. You can also add accounts from your Active Directory store, from scanning particular IP address ranges, or individually. The new accounts are placed into a batch "change control" job that can be run regularly to update your password collection.
ERPM also includes a variety of audit reports so you can satisfy various compliance requirements and can output its information to various file formats for further processing by security management software. A number of preconfigured reports come with the software to get you started.
Lieberman supports various multi-factor authentication tools, including RSA SecurID and YubiKey, along with other one-time methods. Users can be authorized for particular accounts to either recover or reset specific passwords too.
One nifty feature of ERPM is being able to recover a password through its Web client. Any user with the right access rights can use it, and these requests are logged as well. You can also set up rather complex workflows to approve privilege escalation requests.
Lieberman also works with a third-party tool called Balabit's Shell Control Box, an activity monitoring appliance, to restrict user access to privileged resources.
The biggest downside to ERPM is its cost. The entry-level price tag is a steep $25,000, but that includes unlimited users and accounts. Given the rather unique market position for ERPM, this could be a reason why it is so pricey.
1Password is an individual consumer product without any enterprise management capabilities. It has versions for Windows including Windows 8, Mac, iOS and Android phones. The Windows 8 support is fine with non-IE browsers: if you use IE, you have to bring it up from the desktop and not from the Metro interface, although they are working on fixing that.
The software sets up a local password vault and then synchronizes the vault using a variety of cloud-based external services, such as Dropbox or iCloud. We had issues getting this synchronization to work initially because the instructions are somewhat ambiguous. But once this is setup it works as intended. When you bring up the app either on your desktop, in your mobile smartphone, or the browser plug-in -- you are asked for your master vault password to unlock it. You can then add new services or recall particular passwords or information from the vault.
One of the biggest advantages with 1Password is that it has an extensive collection of different kinds of things that it can protect inside its vault, including credit card numbers, text notes, and software license information along with the usual login identities. Everything placed in the vault can be accessed on every other platform, which is very convenient. You can also add file attachments to each login record, this could be useful to include copies of your emails or pictures of your contract signatures as handy references.
There are a number of additional features for the iOS version, such as sending you to a secure browser session where you can clear any Web-based data for additional security. There is also a demo mode where you can show your associates how the software works without revealing any actual passwords, since mobile users like to share their apps more often. Eventually, these features will find their way into the desktop and browser versions.
The software also has a number of protective options that keep you from tripping your own mistakes on its preferences screen. This includes the ability to clear the clipboard and lock the vault on exiting the app or when the desktop screen saver is active. On the desktop preferences, you can see at a glance which browser plug-ins you have installed and which isn't protected, that is a handy reference.
All 1Password versions include a strong password generator, where you can set up a random password. You can adjust the slider control for particular length and complexity (the highest grade of password beyond Excellent is Fantastic). On some of its generator tools, you can also choose whether the password is pronounceable, uses non-ambiguous characters, and allows for repeating characters. It would be nice for Agilebits to update its versions to offer consistent features across the browser, desktop and mobile versions.
1Password doesn't support as many smartphones as LastPass, and its synchronization could use some attention, but otherwise is a fine tool for individual password use. Pricing is also simple: each copy sells for a $50 one-time fee.
RoboForm, as you might surmise from its name, approaches bulk password management from the forms automation business. It is a study in contrasts. In its favor are its solid password management features. There are two disadvantages: how the software is constructed and supported.
Getting the software installed is a bear, and will require a certain sequence of prerequisites that aren't well documented. This isn't helped by the lack of support that we received. Our problem was unique: In the middle of our review, the team responsible for supporting the Enterprise software left the company. Hopefully, by the time you read this, this vacuum will be filled. Once you get everything installed, you shouldn't have too many issues getting it deployed to end users because it comes in several handy packages, including Windows MSIs.
The software is sold in several versions, including Pro, Enterprise, and managed console (which seems like an odd name). Each are priced differently in two basic configurations: a standalone Workstation version and an Enterprise version. The console software costs $5,000 for the first 50 users, with volume discounts, and an annual maintenance fee of $1,000 on top of that. The Workstation licenses are charged by user and by device, so you want to stick with the Enterprise pricing. Yes, this is confusing.
The managed console includes the cloud synchronization service called Everywhere. This means that every hour (or more often if you change the default), users' passwords are synchronized from their vaults, so they can access them from whatever device they choose. There is another add-on module called 2Go, where you can copy your password vault to a USB thumb drive and move it around. And there is also a Web client, which is useful on a borrowed PC for example.
The tool comes with a browser plug-in that can access its features like other products reviewed here, including bringing up a complex password generator and a button to force synchronization with its cloud service. The plug-in also contains various menus, such as for configuration control, to set up new logins, and to support a Windows biometric fingerprint reader.
You can set up autologoff time outs for screensavers or when the PC goes into standby, as most of the other products reviewed here also can do. One differentiation is that it creates a portal start page where you can directly click on your saved logins, similar to how Single Sign On products operate. You can save both files and logins to its vault, and you can also assign files to particular users or groups for secure collaborations.
The product has the second widest mobile OS support, including iOS, Android, BlackBerry, and Windows Phone. It supports Chrome, IE, Firefox and Opera browsers and has a status screen showing you which browser plug-ins have been installed, although IE information is segregated to another set of screens for some odd reason.
The Enterprise version of RoboForm includes the ability to recover any of your user's master passwords, because they are stored encrypted on a network share. This is something most of its competitors currently lack. It also has the ability to bulk import Active Directory users to help with the initial setup.
Like the other consumer-grade tools, DirectPass has no enterprise management features. It also had the fewest overall features and the most issues in its use, and we would recommend that you wait until its next release before seriously evaluating it. For example, of the six products tested, it was the only one that didn't include a password generator. Trend promises to include this feature in its next release. Instead, it just captures logins from when you bring up a Web browser session. There is no way to manually add the website and its associated password to a separate list.
DirectPass synchronizes your vaults through its own cloud-based service, which is simple. Its vault can contain text files and also general Web form data. You can force the synch through buttons on the interface, or it should automatically do so when you bring up the software.
We had problems using DirectPass with our Pro Preview version of Windows 8.1. It worked fine with XP or on our iPhone. It took an hour before all the identity listings and notes were initially synchronized but thereafter the sync happened pretty much in real time.
Also, the capture dialog on Windows 8.1 would appear at the same time the browser-based "save this login" message would appear. Trend acknowledges all of these items and is working on fixing them and making an updated client available when Windows 8.1 is released later this fall.
The good news is that it supports Windows from XP-SP2 up to and including the original version of Windows 8 and on both 32 and 64 bit versions. It is also available for Android (running at least v2.3) and iOS (running at least v4.3). DirectPass has a simple pricing plan: $15 per user per year. You can use it free if you just want to save at most five passwords with the tool.
Strom is the founding editor-in-chief of Network Computing magazine and has written thousands of magazine articles and two books on various IT and networking topics. His blog can be found at strominator.com and you can follow him on Twitter @dstrom. He lives in St. Louis.
How we tested password managers
We installed each product on a Windows 7 or a pre-release version of Windows 8.1 desktop. We also used Android and iOS phones and Mac desktops (if a client was available for these systems) as well as Windows servers, and various Web-based services such as Dropbox, Gmail, and a Wordpress blog site to test these logins.
We connected to the various websites with at least Firefox and Chrome browsers to try out the associated plug-ins, too. When there was a cloud-based service available to synchronize our password vault, we signed up for that service and observed whether our password data was propagated across to the various clients. We also took notes on the relative differences in the clients across different OSs both in terms of functionality and user interface.
Read more about wide area network in Network World's Wide Area Network section.