What’s a password manager?
A password manager is a program that stores passwords and logins for various sites and apps, and generates new strong passwords when a user needs to change an old one or create a new account. Users can sign into a password manager with a single strong password or by using biometrics, and access all their login information.
Most password managers allow users to sign in on multiple devices (including Macs, Windows machines, and iPhone or Android smartphones) and work with multiple browsers (including Chrome, Firefox, and Safari) to automatically fill in username and password info, storing password information encrypted in the cloud and sharing it across platforms as needed. And while these tools got their start in the consumer world, most offerings now have editions aimed at businesses with enterprise features.
Is a password manager a good idea?
While it may seem counterintuitive at first to entrust security to a single password manager app accessed by a single password, using a password manager is in fact a very good idea. Most people have difficulty remembering more than one strong password, so they often end up either reusing a password across sites—meaning that a hacker who discovers the password can go on a break-in spree—or using weak passwords that are easy to defeat by brute force.
A password manager will autogenerate random new strong passwords for all of a user’s accounts, and users can access them with a single strong password that’s all they need to remember. Most password managers also have additional security features, like multifactor authentication.
Business password manager: 4 features to look for
A password manager isn’t just a boon for individual users; it can boost the security of enterprises as well, and there are a number of business-focused features that you should look for if you’re aiming to roll one out for your company:
Administrative capabilities for managing multiple users and applications. Some offerings include capabilities to automatically provision and de-provision user access to applications based on their group membership. Tools to manage password policies are a must-have and should include the ability to manage complexity rules and change requirements.
Interoperability with enterprise software and networking. You’ll want the ability to synchronize with LDAP or Active Directory, or the option to leverage authentication from cloud services like Office 365 or Google Workspace, to streamline deployment of the password manager to your users.
Advanced authentication capabilities. We’re talking about the ability to handle authentication using the Security Assertion Markup Language (SAML) standard, a step above simply filling login form fields, and dynamic authentication policies that can make sure your users are using a registered device or are attempting to log in from an accepted geographic location. Some vendors even support capabilities like password management for VPN software, on-premises apps, or RADIUS servers.
Audit logging, reports, and alerts are key capabilities for a password manager focused on business users, whether you’re monitoring app usage, auditing administrative actions, or simply looking to get a read on which passwords are weak, have been re-used, or are due to be changed. Password managers are also sometimes used to give multiple users access to an application with the same set of credentials; normally this prevents the auditing processes within that application from identifying who performed an action, but a password manager can track and report on which users accessed an application at a particular date and time. Alerts can help keep you in the know about known compromised accounts, when user accounts are locked, or potentially when anomalous behavior is detected.
Support for accessing passwords programmatically with scripts. Secrets management is a real concern in the devops world, as hard-coded credentials are almost as bad as those stored in plain text. Command-line tools or the ability to access password vaults using an application programming interface (API) are common methods password management tools can offer to securely retrieve passwords from your vault, but secrets management could also involve native support for common tools like Kubernetes or Ansible.
What is the best password manager?
Which vendors offer password management for businesses and bring enough features to the table to warrant consideration? Here are the ones worth looking at.
- 1Password
- Dashlane
- Keeper Business and Keeper Enterprise
- LastPass
- NordPass
- Password Boss
- Securden
1Password is one of the more established names in the password manager arena, and in addition to its personal password management services it also offers solutions for teams, business, and enterprise. The teams tier offers admin controls for sharing and permissions, two-factor authentication (including support for Duo integration), and five guest accounts to extend secure sharing reach for $19.95 monthly. Customers of the business tier are looking at a $7.99 monthly cost per user, but gain policy-based administrative security controls, logging and reports, and provisioning through Active Directory, Okta, or OneLogin. Starting at $29 monthly, 1Password also offers a Secrets Automation add-on for secrets management that supports a variety of tools including Ansible, Kubernetes, HashiCorp Terraform and Vault, and code libraries for Go, NodeJS, and Python.
Dashlane is another popular password manager choice for personal use that successfully bridges the gap to the business world. Like 1Password, Dashlane offers both a teams and business tier, for $5 or $8 monthly per user, respectively. Aside from a suite of administrative management tools and reporting capabilities, Dashlane also supports both provisioning and de-provisioning of apps (including remote removal of company credentials). Dashlane also offers SAML-based single sign-on (SSO) for users of their business tier, directory integration, and policy-based management.
Keeper Business and Keeper Enterprise
Keeper Security boasts the most popular mobile apps of any password manager, and its individual accounts and apps compare well with the competition in that space. Like many of its competitors offering password management for business, Keeper offers both a business and an enterprise tier, starting at $45 annually per user. The business tier offers policy-based management, reporting, and two-factor authentication, while enterprise customers gain SAML support, more robust two-factor (Duo integration and RSA tokens), command-line provisioning tools, and API support for things like password rotation and basic interaction with your vault. An add-on is available for more advanced reporting and alerting for $10 per user each year.
LastPass is something of the big name in the group. Its business solution offers an intuitive admin interface with security policies, MFA settings, and reporting. Federation from Active Directory Federation Services (ADFS) or Okta couples nicely with built-in provisioning and de-provisioning to streamline your administrative workflow. LastPass for business is available for $6 monthly per user, but limits you to three SSO apps, which is a pretty serious handicap. The Advanced SSO add-on gives you unlimited apps for an additional $2 per month for each user, and the Advanced MFA lends some serious power and flexibility to the authentication process for $3 monthly. Business customers can bundle with both add-ons for $9 monthly per user all told.
NordPass is made by the same folks as NordVPN, which just means they have experience and something of an established reputation when it comes to privacy and security. Not gonna lie though, NordPass business could use some maturing, particularly on things like directory integration, MFA options, and reporting. Not that NordPass doesn’t offer options for each of these categories; it’s just that they don’t offer a lot of flexibility or depth compared to the competition. Business accounts start at $3.59 per user monthly, with enterprise tiers requiring a call to the sales team.
Password Boss may not be as well known as other vendors on this list, but it offers a business solution that’s worth at least a cursory look. Connectors for both Active Directory and Azure AD are available to help onboard your users, and MFA support is available using Google Authenticator or another time-based one-time password (TOTP) authenticator. While certainly not as sophisticated or mature as some of the other solutions on this list, if you’re looking for a simple, straightforward password manager Password Boss may fit your business needs nicely.
Securden is another name you may not have heard of, but it has a few different solutions for business account security, including its password manager for enterprises. Securden’s password manager has a long list of features, including a robust array of admin tools like the typical group-based management and reporting, but it extends beyond that. Securden offers request-based permission workflows, where a user must request access to a resource and have it approved prior to authenticating to the resource. This not only ensures users are authorized but provides an additional audit point. Securden also offers automatic password rotation, API access, management of Windows service accounts, and even SSH key and secrets management. If that wasn’t enough, Securden will integrate with your corporate Active Directory or SAML-based SSO solution, as well as your existing security information and event management (SIEM) and helpdesk ticketing systems.
Copyright © 2022 IDG Communications, Inc.