Everyone in your company needs a password manager -- and there are lots of great options. But two cross-platform tools rise above the rest, thanks to their excellent support for enterprise networks.
The weakest link in every network -- the one that makes security professionals lose sleep at night -- is the little box on the sign-in page of your users' favorite web destinations. You know, the little box that allows them to unlock access to online services and apps.
Online criminals do their best to break into those services. If a user chooses a weak password (123456 and letmein are horrifyingly popular examples), an attacker can probably gain access with just a few guesses.
Bad guys use phishing messages to lure victims into typing their credentials into deceptive web forms that can look almost exactly like the real thing. Even if your users take all the right precautions, they can still be betrayed if a hacked website gives up its password database. And if that pilfered password was used on multiple websites (so the user could avoid having to memorize too many complex strings of numbers and letters), well, the problems just multiplied.
For important corporate resources, you can and should require strong passwords and turn on multi-factor authentication so that an outsider who steals or guesses a password can't break in. You can also use single-sign-on solutions to link your company's web apps with domain credentials to enable your users to seamlessly access those apps and services instead of having to memorize multiple passwords.
But what about external websites and services? For that, you need a password manager. Seriously, everyone in your organization absolutely must have a password manager as part of his or her security toolkit.
Password manager essentials
A good password manager does a variety of tasks, most of them designed to make users' online experience more secure. Here's a checklist of essential features:
- A password generator capable of creating complex, random, impossible-to-guess passwords containing mixed-case letters, numbers, and symbols.
- A password database that stores the username/password combination that allows access to each individual website or network resource so users can enter those credentials on demand. Ideally, they can create unique credentials for every account and avoid reusing passwords.
- Encrypted storage of the password database, so an attacker who gains physical possession of the device can't retrieve a user's list of saved credentials. The user needs to memorize only a single master password or passphrase, which serves as the key that decrypts those credentials when needed.
- Synchronization of saved passwords between devices and (optionally) to the cloud.
- Automatic entry of saved credentials using browser extensions and apps. Because this feature works only when the web address matches the one in the saved record, it's a powerful anti-phishing tool.
- The capability to save and sync additional information, such as name, address, and credit card numbers, for quickly filling in browser-based forms.
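As an added example (not code from LastPass, RoboForm or any other product named here), the following Python sketch shows three of the checklist items as working code: a CSPRNG-backed generator that guarantees all four character classes, exact-origin matching for autofill so that a lookalike or suffix-spoofed host never receives a saved credential, and a vault key derived from the master passphrase with PBKDF2 so that only a salt is stored. The vault contents and the PBKDF2 iteration count are assumptions chosen for the demonstration.

```python
import hashlib
import secrets
import string
from urllib.parse import urlsplit

# Constructed sample vault, keyed by exact site origin (not any real product's format).
VAULT = {
    "https://bank.example.com": ("alice", "Xq7$vL2!pR9mWz4#"),
}


def generate_password(length=20):
    """Random password guaranteed to contain lower, upper, digit and symbol characters."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    if length < len(classes):
        raise ValueError("length must be at least %d" % len(classes))
    # One character from each class, then fill from the full alphabet with a CSPRNG.
    chars = [secrets.choice(c) for c in classes]
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # so the class order is not predictable
    return "".join(chars)


def origin_of(url):
    """Reduce a URL to scheme://host[:port]; anything else is not an autofill target."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    origin = "%s://%s" % (parts.scheme, parts.hostname.lower())
    if parts.port and parts.port != {"http": 80, "https": 443}[parts.scheme]:
        origin += ":%d" % parts.port
    return origin


def credentials_for(url, vault=VAULT):
    """Autofill only on an exact origin match: a lookalike host, a host that merely
    ends in the saved name, or a plain-http downgrade of the saved site gets nothing."""
    return vault.get(origin_of(url))


def derive_vault_key(master_passphrase, salt, iterations=200_000):
    """Vault key derived from the master passphrase with PBKDF2-HMAC-SHA256.
    Only the salt is persisted; the key exists in memory while the vault is unlocked."""
    return hashlib.pbkdf2_hmac("sha256", master_passphrase.encode("utf-8"),
                               salt, iterations, dklen=32)
```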
For this article, I've chosen to focus on a head-to-head comparison between two commercial products with broad, cross-platform support: LastPass and RoboForm. Both include enterprise editions that allow businesses to exercise some management over each user's password databases.
I also looked at -- but did not include -- two other enterprise-focused programs: Password Manager Pro, which is available for Windows and Linux, and the Windows-only Password Vault Manager. And I excluded a handful of popular and full-featured personal password managers that lack enterprise features. Dashlane is a new product that has garnered impressive reviews; 1Password has earned its excellent reputation primarily among Mac users. Two similarly named open source options are good candidates as well: Password Safe (designed by security expert Bruce Schneier) and KeePass Password Safe. For individuals and small businesses that don't require central management, these are all excellent options.
LastPass
- Supported platforms: All popular browsers in Windows, OS X, and Linux; iPhone/iPad/iPod; Android; Windows 8 (Metro) and Windows Phone; BlackBerry; Firefox OS.
- Price: Free version supports PCs, Macs, and tablets (including Microsoft's Surface RT); multi-factor authentication and installation on mobile platforms (iPhone, Android, BlackBerry, Windows Phone) require LastPass Premium, at a cost of $12 per user per year.
LastPass has been around long enough to have earned a stellar reputation among power users and security experts. Like other products in this category, it's most effective when installed as a browser plug-in on a Windows PC or a Mac. When using the LastPass app on a mobile device, you must use the embedded browser instead of the native browser for that platform.
One of the most crucial differentiators between LastPass and its rivals is its robust support for multi-factor authentication mechanisms. You can set up a link between a LastPass account and the Google Authenticator app (which is available on Android, iOS devices, and BlackBerry devices). If you use Windows Phone, the Microsoft-authored Authenticator app is fully compatible. LastPass also allows you to connect your LastPass account to a fingerprint reader or to use a YubiKey -- a small USB device that fits on a keychain and automatically enters a lengthy private key when pressed.
The enterprise version of LastPass integrates smoothly with your Active Directory environment to allow you to add and remove users automatically. It also includes a policy editor that lets you set master password requirements, restrict access to specific devices and networks, and apply policies at a group level, among many other features. Users can connect the enterprise and personal password vaults so that they're accessed from the same interface without compromising the security of the managed enterprise passwords.
RoboForm
- Supported platforms: All popular browsers in Windows, OS X, and Linux; iPhone/iPad/iPod; Android; Windows 8 (Metro) and Windows Phone; BlackBerry
- Price: $29.95 perpetual license for PC/Mac, with additional licenses $9.95; RoboForm Everywhere costs $19.95 per year ($9.95 for the first year) for a single-user license that allows unlimited installs on PCs, Macs, and mobile devices.
RoboForm is one of the oldest password managers around, dating back to 1999. But it remains robust, well supported, and frequently updated. It has an exhaustive set of features and supports every major computing platform, including both Windows 8 tablets and Windows Phone devices.
One feature that sets RoboForm apart from other competitors in the cloud era is that it gives you the choice of storing your data locally (allowing you to synchronize manually between devices) or using the RoboForm Everywhere service, in which your passwords are backed up to RoboForm's servers and synchronized automatically between devices.
It's worth noting that RoboForm Everywhere requires that you enter a password to access and synchronize the password database files. Another password, which is not stored by or shared with RoboForm, is required to decrypt the files. Decryption happens only locally, meaning that if an intruder were able to compromise RoboForm's servers and access your saved passwords, they would still need to crack your encryption key to use that data.
RoboForm follows the same basic model as LastPass, working best as a browser add-in (which appears as a toolbar in Internet Explorer and Firefox and a command bar in Chrome, as shown below).
The Enterprise edition is built on the same base as the consumer version but adds deployment and management features that network administrators and IT pros will appreciate. You can automate installation using a variety of software deployment tools, with offline activation. In addition, RoboForm Enterprise includes a centralized policy editor that makes it possible to customize and enforce enterprise password policies and to enable or disable user access to every option and feature in the program.