Review: Password managers help keep hackers at bay
LastPass, Keeper top the field in test of 10 password managers.
By David Strom
Speaking of those security policies, this is a very extensive collection, the largest of any of the 10 products we examined. You can specify password lengths, prevent mobile logins, control logoff behavior, prevent the tool from being used on TOR exit nodes, and restrict to particular IP address ranges. There are lots more choices and they can be applied across all of your users or selectively to specific groups. We tried to get a screenshot showing many of them but the list was too long. Instead, we’ll offer a link to some solid suggestions about how to strengthen your password management techniques in a blog post they wrote in November in response to the BlackHat exploit.
LastPass also has the largest collection of multifactor methods, with more than a dozen vendors and methods supported. You can turn on as many of these as you desire, unlike some of its competitors that only allow a single method per user.
There are also several ways to install its Mac and Windows desktop software, which reflects its enterprise heritage: via an executable, via a “silent mode” with a command line interface, or via a Windows group policy object using an MSI file.
The LastPass vault is stored in the cloud, where each component can access the information. Browser-based products connect to the cloud, while the desktop and mobile versions make and automatically synchronize their copies to the local desktop.
LastPass has an amusing and somewhat annoying way to remind you to update your password portfolio, sending out a periodic email trying to shame you into changing the similar and simpler passwords with a subject line “Improve your passwords sucker!” when it detects more than three similar passwords. Also one of its tools available from the browser extensions menu is called “security challenge” where it will scan your vault and show you how poor your password choices are. Whether this will motivate your users isn’t known, but at least it is a nice attempt.
It also has the ability with one click to change multiple passwords in your vault, like some of its competitors.
One issue for LastPass is you will need to first bring up its mobile app and paste the password into your browser session; it doesn’t transfer this information automatically.
LastPass costs $24 per user per year, with volume discounts starting at 100 users.
Lieberman Enterprise Random Password Manager
We reviewed the Enterprise Random Password Manager (ERPM) product two years ago and it is still the gold standard for setting up massive password collections to protect large local server infrastructures, although Manage Engine has a somewhat nicer interface. ERPM’s menus and basic command structure hasn’t changed much in the past two years.
ERPM comes with a Windows app that connects to its database and has both its own user interface and a Web-based one. Administrators use mostly the former, and ordinary end users the latter. This is because the Web UI doesn’t have the full complement of controls that the native Windows apps does. Passwords are stored in a local database on the server. For example, a user can recover their password from the Web UI.
It has the ability to discover SSH keys and manage them, both the public and private keys, and authorize users for these keys. Indeed, the goal of the product is to make your logins so effortless that you won’t ever need to remember your passwords.
You can schedule how often the passwords change, and have this happen automatically, again, so your users don’t have to bother with this chore. It has more powerful scheduling features that can update your entire password collection, or be used to create reports, or automate other activities.
It performs the logins via its own Remote Desktop connection from its server, what Lieberman calls a jump server. It does this via a series of several dozen Visual Basic scripting apps, which come as part of the product and which you can customize for your own circumstances.
And it also records each of your sessions, and can play them back, so you can view what is going on with your users and see if something is amiss.
ERPM works with a number of trouble ticketing systems, including Jira, CA Service Desk, and others. It supports a number of OATH two-factor authentication tokens. There are extensive reports that can be customized in the Windows interface.
Lieberman’s biggest drawback is its price tag: a $25,000 one-time fee. However, if you are running a large installation of servers in your data center, this is probably one product that you will need to deploy.
The newest product on the password management scene is LogMeOnce (which is not affiliated with another company LogMeIn). They use a browser extension (and a mobile app) and are still a work in progress, which is to be expected since the product was released in November.
Once the browser extension is installed, you go to their website where you see a dashboard with various controls across the top. Here is where you add logins, strengthen your security, and control the tool’s overall behavior. They have several nice features:
First is an app catalog, similar to many of the SSO tools, listing several thousand apps. You can choose login/password combination or make use of SAML to authenticate yourself. The built-in app for American Airlines didn’t initially work but was fixed after we mentioned the issue.
Next is support for several multifactor authentication methods, including sending a SMS text, voice or email message, and Google Authenticator. You can turn on multiple methods and select the most convenient one when you login to your vault. Setting these up is very simple: for example to enable the SMS you send a code to your phone and enter it in the appropriate dialog box on screen. While impressive for its ease of use (this product was the easiest of the 10 to set up for MFA), these MFA tools are just to secure the initial access to the tool: like the other products, there is no way to step up authentication for specific apps.
It comes with a complex password generator that you just invoke by clicking in the password field from your browser. But there is also a separate generator that is available for non-customers via its own web page, should you feel that you are missing out on this action.
Its overall security scorecard has a series of reports, including login activity with date, time and IP address along with which sites you’re logged into and their password strength indicators. LogMeOnce also can save notes in its password vault too.
And there is an add-in that will encrypt your entire Dropbox collection-- this is included in the Enterprise edition.
They are one of the few password vaults where you can choose the location of your vault, depending on your paranoia level: on a USB thumb drive, locally on your desktop, or in their cloud. You can change it at will with a simple click of the mouse. The other tools are less flexible in this regard.
They also support OpenID and SAML in the Enterprise edition, along with connections to a variety of enterprise directory providers such as Oracle and CA.
There are several versions, ranging from the free consumer and Business editions to the more capable Enterprise edition. Pricing is based on particular features: You start with the basic set for $2 per month per user and add items such as directory integration or risk-based authentication (both are another dollar per month per user each), user provisioning ($2 per month per user), with a discount of $5.40 per month per user if you purchase all the options. The mobile apps are free, regardless of which plan you choose.
Manage Engine Password Manager Pro
Manage Engine’s Password Manager Pro (PMP) is similar to the Lieberman product and designed for enterprise teams that want to manage a large and mostly local server collection. The product takes the form of a server running on either Windows or Linux. Either server uses a Web interface; there are also mobile apps and browser extensions to automate logins that are used by individual users.
Once you install the software and setup some basic parameters, PMP stores encrypted copies of passwords in its password vault in a local SQL server, which it calls its resources. It has a long list of different kinds of information that it can contain, ranging from Windows and Linux application servers to fairly esoteric things such as AS/400 minicomputers and Juniper firewalls. One drawback was that it wasn’t as capable with web-based logins: it couldn’t automate the login on our American Airlines site that has three data fields. That is a pretty basic issue on an otherwise capable product. You download the browser extensions and set up your mobile apps from the main console.
You will need to ensure that your users can access the PMP server across your enterprise network by having its default Port 7272 open: administrative users connect via their browsers to run the configuration screens. Normal users can make do with browser extensions to access their pre-configured resources.
PMP supports several user access roles including super admin, admin, and regular password users. You can enable two-factor authentication and mobile access for specific users or groups. Users can be regularly imported from an Active Directory store just by furnishing the Active Directory credentials and setting up a synchronization service in PMP, there is no need for additional agent software. Each resource can be set up to be viewed, modified, or managed according to specific access rights policies.
There is also a unique series of advanced administrative policies where you can set up a resource to require a “double authentication” by two network administrators. All these policies have the effect whereby a user doesn’t have to know their password to access a resource, yet the login can be protected with a very strong password. You can also set up specific circumstances where users can have access to a resource for a limited time, such as a few minutes, to complete a certain task. For highly sensitive servers, this can be very useful.
PMP has similar feature to ERPM where it can record every session that involves making use of a login. It does this by opening a Remote Desktop or SSH connection inside the browser, and connecting from its own server to the network resource. These recordings can then be played back so you can see exactly what each user was doing. You can also “shadow” an active login session and terminate it if something is amiss. PMP also comes with a wide collection of audit and compliance reports.
PMP also supports SSO, and has built-in tools to enable high availability and failovers for its SQL servers.
Finally, it offers on-demand password resets across the board or schedule regular password changes.
Pricing is very transparent and available in either of six configurations: standard, premium or enterprise, and either as a monthly subscription or a perpetual license. The lowest perpetual license is a two-administrator package for $1,238 with an annual maintenance fee of $248 for the standard edition. The enterprise edition supports 10 administrators and will cost $7,488 and $1,498 for the annual maintenance. These licenses include unlimited numbers of resources and users.
1Password comes as paid Windows or Mac desktop versions with free iOS and Android mobile versions. There are also browser extensions. 1Password has a large collection of items that it can store in its vault besides passwords, including file attachments and free-form text notes. But since we reviewed them two years ago the product has somewhat stagnated, although in November they came out with a beta version called Teams for enterprises. The Teams version was still a work in progress, with an admin console that was far from complete. Still, it represents a good direction for the company.
On its desktop version, there are rough indicators of password strength: many of the other products have made this more useful and actionable. And one nice feature in Teams is an “emergency rescue kit” that contains information on how to recover your vault, should you lose your master password.
1Password has two major weaknesses: its mobile versions and how it synchronizes its vault. The mobile apps are very bare bones and bring up ordinary Safari browser sessions, but don’t always autofill the username and password credentials. Adding logins from the browser is clunky; it is far easier to do so when you are on your desktop and the software will capture the information with a single click. There is also no support for additional authentication factors, unlike most of its competitors.
1Password relies on a third-party synchronization service to keep its vaults communicating with the latest password information: you can make use of a local Wi-Fi connection (if all of your devices are on the same Wi-Fi network) using Apple’s Bonjour service. Probably you will use Dropbox to store your vault, which means you have to explicitly synchronize your devices. There is also a way to use iCloud, but only if you have all Apple devices. That is less elegant than some of the other products that have the synchronization built in. This was an issue when we reviewed them two years ago, and others such as LastPass, Keeper and LogMeOnce have made their synchronization much easier.
A desktop license of 1Password costs $49 with quantity discounts. The Teams version is free while it is under beta, and will most likely be priced at $5 per month per user.
We included SingleID in this review because it is going in a very different and innovative direction from the rest of the password tools. Rather than build a vault to store your password collection, it approaches the problem from the mindset of not having the user deal with any passwords at all.