1. Executive Summary
Every organization has employees who are buried in username and password combinations for both business and personal use. The average user has dozens, if not hundreds, of passwords to manage. But these are not the only passwords to consider: there are also machine passwords used for connectivity or the too-often-used practice of having secure keys held in code. Together, this presents a very challenging landscape for IT teams tasked with managing password security, and it comes with a high operations overhead that can be costly, complex, and can easily lead to mistakes. The complexity and frustration of managing passwords can often lead to poor practices that include reusing passwords, writing them down (on paper or a device), saving them in browsers, or holding credentials in code.
These frequently used poor practices make passwords a high-priority target for cybercriminals. They know that compromising passwords can give them control over key systems and sensitive data. This should make tackling the challenge of password management a priority for organizations, but often it is not.
Enterprise password management can be an answer to that challenge. Password managers provide a centralized platform that coordinates the password process, enforces more stringent password controls, and provides users with more secure and simple ways to manage them.
With enterprise password management, passwords are stored in a secure vault that is accessed through a single master logon. Managed passwords often can be applied automatically at a login prompt without the user, machine, or service needing to know the password. This helps to greatly reduce the risks posed by manual entry. Furthermore, password managers help highlight potential password security risks and automate password management, creating unique and complex passwords for users automatically and rotating them to increase password quality. Password managers can often be extended to offer secrets management as a way of handling the complexity of secure key management and rotation.
Password managers are increasingly part of a broader identity management platform, adding capabilities such as single sign-on (SSO) and identity lifecycle management. Password managers also provide a bridge to the goal of removing passwords from organizations entirely by using passwordless technology such as biometrics and passkeys—without the need to refactor the entire authentication process.
The enterprise password management sector has many mature vendors with long-established products. This provides a robust platform to build upon and should provide confidence to the IT buyer. Finding the right password management solution will deliver significant improvement. While its deployment will call for both user education and process change, it can greatly enhance the security of passwords and other credentials, both human and machine, across an organization. Compromised passwords are a serious threat with potentially significant impact, so improving password security posture should be a priority for organizations of any size.
This is our third year evaluating the enterprise password management space in the context of our Key Criteria and Radar reports. This report builds on our previous analysis and considers how the market has evolved over the last year.
This GigaOm Radar report examines 13 of the top enterprise password management solutions and compares offerings against the capabilities (table stakes, key features, and emerging features) and nonfunctional requirements (business criteria) outlined in the companion Key Criteria report. Together, these reports provide an overview of the market, identify leading enterprise password management offerings, and help decision-makers evaluate these solutions so they can make a more informed investment decision.
GIGAOM KEY CRITERIA AND RADAR REPORTS
The GigaOm Key Criteria report provides a detailed decision framework for IT and executive leadership assessing enterprise technologies. Each report defines relevant functional and nonfunctional aspects of solutions in a sector. The Key Criteria report informs the GigaOm Radar report, which provides a forward-looking assessment of vendor solutions in the sector.
2. Market Categories and Deployment Types
To help prospective customers find the best fit for their use case and business requirements, we assess how well enterprise password management solutions are designed to serve specific target markets and deployment models (Table 1).
For this report, we recognize the following market segments:
- Small-to-medium business (SMB): In this category, we assess solutions on their ability to meet the needs of organizations ranging from small businesses to medium-sized companies. Here, ease of use and deployment are more important than extensive management functionality and feature set.
- Large enterprise: Here, offerings are assessed on their ability to support large and business-critical projects. Optimal solutions in this category have a strong focus on flexibility, performance, scalability, and the ability to effectively integrate into existing environments.
- Public security/federal: While the infrastructure of these environments is likely to be similar to those of SMBs and enterprises, these organizations typically have some constraints, especially around needing suppliers to meet specific requirements laid out in buying and supply frameworks. Solutions must therefore be able to meet such framework demands.
- Managed service provider (MSP): In this category, vendors are assessed on whether they provide a managed service partner program to allow service providers to use the technology to deliver bespoke services to their customers. This is an increasingly attractive option for customers trying to tackle the ever-increasing cybersecurity threat.
In addition, we recognize the following deployment models:
- SaaS: These solutions are available only in the cloud. Often designed, deployed, and managed by the service provider, they are available only from that specific provider. The advantages of this type of solution are simplicity, ease and speed of scaling, and flexible licensing models. In these instances, the primary vault will be centralized. While user devices may hold copies of some or all of the vault, the authoritative copy is SaaS-based.
- On-premises: With these solutions, the main management and vaults will be installed wholly on-premises and self-hosted. This can be in the customer’s data center or a cloud tenant. They are not shared and are specific to a single customer.
- Cloud marketplace: With these solutions, the main management and central vault are deployed and supported as a public cloud-based service. The main components can be deployed either as a cloud-native service or as a public cloud image, usually—although not exclusively—available from a cloud provider’s marketplace. In these instances, they are not shared and are specific to a single customer.
- Endpoint: With these solutions, there may be a central management platform, but the vault and its security are installed on endpoints with no replication to a central vault. There can be replication between individual devices. However, this is a fully decentralized model that does not include a central vault.
Table 1. Vendor Positioning: Target Market and Deployment Model
Columns SMB through MSP are target markets; columns SaaS through Endpoint are deployment models.

Vendor | SMB | Large Enterprise | Public Security/Federal | MSP | SaaS | On-Premises | Cloud Marketplace | Endpoint |
---|---|---|---|---|---|---|---|---|
1Password | | | | | | | | |
Bitwarden | | | | | | | | |
CyberArk | | | | | | | | |
Dashlane | | | | | | | | |
Enpass | | | | | | | | |
JumpCloud | | | | | | | | |
Keeper Security | | | | | | | | |
LastPass | | | | | | | | |
ManageEngine | | | | | | | | |
NordPass | | | | | | | | |
Securden | | | | | | | | |
Siber Systems | | | | | | | | |
Zoho | | | | | | | | |
Table 1 components are evaluated in a binary yes/no manner and do not factor into a vendor’s designation as a Leader, Challenger, or Entrant on the Radar chart (Figure 1).
“Target market” reflects which use cases each solution is recommended for, not simply whether that group can use it. For example, if an SMB could use a solution but doing so would be cost-prohibitive, that solution would be rated “no” for SMBs.
3. Decision Criteria Comparison
All solutions included in this Radar report meet the following table stakes—capabilities widely adopted and well implemented in the sector:
- Encrypted password vault
- Automated password generation
- Administrator control panel
- Existing user directory integration
- Password sharing
- MFA-controlled access to vault
Tables 2, 3, and 4 summarize how each vendor in this research performs in the areas we consider differentiating and critical in this sector. The objective is to give the reader a snapshot of the technical capabilities of available solutions, define the perimeter of the relevant market space, and gauge the potential impact on the business.
- Key features differentiate solutions, highlighting the primary criteria to be considered when evaluating an enterprise password management solution.
- Emerging features show how well each vendor implements capabilities that are not yet mainstream but are expected to become more widespread and compelling within the next 12 to 18 months.
- Business criteria provide insight into the nonfunctional requirements that factor into a purchase decision and determine a solution’s impact on an organization.
These decision criteria are summarized below. More detailed descriptions can be found in the corresponding report, “GigaOm Key Criteria for Evaluating Enterprise Password Management Solutions.”
Key Features
- Identity provider (IdP) integration: Password managers cannot exist in silos. We expect leading vendors to offer broader integration than a single IdP. This will include popular directory platforms, dedicated IdP solutions, and other SaaS apps that may hold user information.
- Passwordless support: Passwords remain cumbersome and present security problems. Password managers should help to remove this friction by enabling organizations to remove reliance on passwords altogether. This should include methods for accessing the manager’s vault without passwords, as well as mechanisms for users to expand use of other passwordless technologies.
- Platform security: Password managers are a strong security bulwark, but they can pose a risk in themselves as a single source of authentication information. As a result, they must offer robust protection from breach or loss of the vault. Leading solutions should offer a range of controls, including hardening of access to vaults, resilient deployment, and strong data protection approaches.
- Security auditing: Leading solutions can further reduce password-related risks by offering security assessments that evaluate password security posture. This should provide insight into current password usage, indicate where password practices are poor, highlight password reuse, and flag failure to follow password standards. More advanced solutions may include breach warnings identifying passwords that have been compromised.
- Secrets management: User passwords are not the only authentication issue organizations need to deal with. Machine and service account password management is a complex task, especially for organizations with internal development teams. Bringing this into a single platform with password management has real value. Leading solutions will offer the ability to manage authentication tokens like SSL certificates or access keys.
- Password policy management: Leading solutions should allow organizations to apply a range of password controls quickly and easily. Solutions that can offer flexibility and granularity will be useful to larger organizations, as will tools that help enforce these controls with external applications.
- Cross-platform support: Users juggle passwords in many locations including on laptops, desktops, browsers, and mobile devices. Providing a consistent password management solution across all platforms can be hugely beneficial in driving adoption and improving password security. Leading solutions will offer the broadest coverage.
Table 2. Key Features Comparison
Rating scale: Exceptional | Superior | Capable | Limited | Poor | Not Applicable
Emerging Features
- Privileged access management (PAM): Addressing credential security goes beyond password management. If users have access to services beyond the time they need them—such as after leaving a team or organization—that also presents risks and opens up the potential impact surface of any breach. PAM solutions provide a method for addressing account access separate from passwords. Increasingly, we expect to see this capability integrated into leading password solutions.
- AI-assisted password management: AI is becoming an increasingly useful tool when it comes to cybersecurity. Its ability to study large-scale data sets and identify trends and risks is a powerful supporting tool. We expect AI capabilities to be used in password management tools in a variety of emerging features such as suggesting stronger passwords, aiding in identifying password risk and exposures, and helping users to more effectively deal with these risks at scale.
Table 3. Emerging Features Comparison
Business Criteria
- Cost: Businesses need to understand the full cost of a potential technology investment. This includes the price of a license, price transparency and terms, and its adoption and running costs. Vendors that make pricing and licensing clear so that customers can evaluate costs easily will be helpful. Leading solutions make adoption easier by providing useful guidance and easily accessible information to help users quickly deploy the solution.
- Ease of management: Password management is already complex and adding solutions should not add complexity. Businesses will welcome tools that ease management, provide central administration and reporting, and automate repetitive tasks. Moreover, it is more than the technology that’s important here: vendors that provide services such as support, training, and proactive account management will help ease the overall management burden of a solution.
- Ease of use: Driving effective adoption is key to the success of any IT project. Adoption can be eased in a number of ways, including good integration with existing platforms and the ability to add the new solution to existing workflows. Solutions that make adoption easy for both operations teams and users add significant value to a successful technology adoption.
- Scalability: As organizations grow, they need solutions to grow with them. This means scaling to support increasing numbers of users and to meet new requirements. This may include support for new infrastructure such as applications and IdPs, as well as newer technologies such as automation, which can help organizations scale without adding undue pressure on existing resources.
- Flexibility: Customer environments differ and change. Password management tools must be flexible as well, offering different deployment models and adoption techniques, as well as commercial flexibility to fit a broad range of potential customer needs.
Table 4. Business Criteria Comparison
4. GigaOm Radar
The GigaOm Radar plots vendor solutions across a series of concentric rings with those set closer to the center judged to be of higher overall value. The chart characterizes each vendor on two axes—balancing Maturity versus Innovation and Feature Play versus Platform Play—while providing an arrowhead that projects each solution’s evolution over the coming 12 to 18 months.
Figure 1. GigaOm Radar for Enterprise Password Management
The enterprise password management field continues to evolve as the challenge posed by passwords grows in complexity. The sector has evolved from one focused on the consumer market to one growing into a core enterprise technology. This is reflected in the positioning of our vendors, with many well-known providers in the space still identifying themselves as innovation-focused. Those vendors continue to evolve their platforms, bringing in increased threat detection as well as tackling new challenges such as secrets management and the adoption of passkeys.
In the third iteration of this report, we continue to see movement of vendors in the market that’s reflected in the Radar chart. Some of this is based on changes in GigaOm’s scoring scale, which has seen some vendors shift slightly from previous positions. Some of this movement is also a consequence of changes in our decision criteria, which include new metrics driven by changing customer demand.
As you can see in the Radar chart, the majority of vendors are categorized as Platform Play vendors. These vendors offer strong integration into existing environments, including a broad number of IdPs, and provide broad coverage across many types of end-user devices. The Platform Play vendors are also likely to provide extended capability beyond user passwords, specifically those offering a level of secrets management.
The vendors on the Feature Play half of the chart did not demonstrate the breadth of the Platform Play vendors, focusing more on user passwords than broader capabilities such as secrets management.
Overall, the majority of vendors were identified as innovation-focused password platform providers, which shows that the industry recognizes both the evolving nature of the password management problem and the need to expand solutions to cover areas such as secrets, passwordless, and passkey technologies—developing a password platform rather than simply a password manager. This is a positive development for those looking to invest in this space.
In reviewing solutions, it’s important to keep in mind that there are no universal “best” or “worst” offerings; every solution has aspects that might make it a better or worse fit for specific customer requirements. Prospective customers should consider their current and future needs when comparing solutions and vendor roadmaps.
INSIDE THE GIGAOM RADAR
To create the GigaOm Radar graphic, key features, emerging features, and business criteria are scored and weighted. Key features and business criteria receive the highest weighting and have the most impact on vendor positioning on the Radar graphic. Emerging features receive a lower weighting and have a lower impact on vendor positioning on the Radar graphic. The resulting chart is a forward-looking perspective on all the vendors in this report, based on their products’ technical capabilities and roadmaps.
Note that the Radar is technology-focused, and business considerations such as vendor market share, customer share, spend, recency or longevity in the market, and so on are not considered in our evaluations. As such, these factors do not impact scoring and positioning on the Radar graphic.
For more information, please visit our Methodology.
5. Solution Insights
1Password
Solution Overview
1Password has grown from providing personal password management to supporting enterprise password management. It provides centralized password management, biometric authentication and passkeys support, role-based access controls (RBAC), and employee provisioning and deprovisioning.
The 1Password management platform is SaaS-based. Password vaults are held locally on devices, and copies are synchronized back to the central vault for resilience. It uses Two Secret Key Derivation (2SKD), which combines an account password and a 128-bit, machine-generated secret key to ensure a stolen vault cannot be accessed. It also provides a secrets management tool that includes code integration and key rotation for developers.
1Password’s Watchtower capability is a powerful endpoint client that offers password risk insight including identifying passwords stored on local devices and guidance on importing them into the password vault.
1Password’s acquisition of Kolide adds device trust and application insights, extending password security to include support for biometric access and passkeys and to secure access to all managed and unmanaged applications (BYOD) from any device (mobile, browser, desktop app). Contextual access management policies grant or deny access based on contextual signals, such as state of device health, credential strength, and device location. This check also integrates with a customer’s existing identity provider to further enhance access security.
Strengths
Areas where 1Password is particularly strong include:
- Security auditing: This is especially true in conjunction with the solution’s Insights and Watchtower functions. Insights provides an overall view that covers breach checks, password health, and team usage. Watchtower provides insights to end users including compromised passwords, unsecured websites, and passwords saved locally that should be in the vault. Activity logging and reporting is also included in 1Password Business and can be ingested by leading SIEM players for further analysis and remediation.
- Secrets management: 1Password provides management and automation workflows that secure secrets in the code of a company’s apps and cloud infrastructure, removing the risk of developers placing hard-coded keys in code. Management can be automated using 1Password Service Accounts or 1Password Connect servers. This includes automatically detecting secrets in code and replacing them using the VS Code extension, verifying and signing code commits with the built-in SSH agent, and supporting high availability and redundancy for secrets with 1Password Connect servers.
- Security focus: 1Password protects vaults with a 128-bit secret key generated on each individual device and an account password. It also encrypts vaults, vault and item names, and website URLs with Advanced Encryption Standard (AES) using 256-bit keys that are generated by the client on the device.
Challenges
Areas for improvement include:
- SCIM bridge: 1Password currently lacks a hosted version of its SCIM bridge to automate provisioning and deprovisioning of users and groups between the 1Password service and IdPs. It can be done with a self-hosted SCIM bridge, with a hosted version to be made available in 2024.
Purchase Considerations
1Password no longer supports on-premises deployment of the central vault and management platform, making it unsuitable for organizations needing that capability.
1Password offers flexible license options, from personal and family tiers to small-business-focused Teams Starter Pack, as well as Business and Enterprise tiers. The 1Password Extended Access Management (XAM) offering that provides access management, device health, and insights features is available for all segments and requires direct contact with their sales team.
For organizations with 75 or more users, 1Password offers dedicated customer onboarding and customer success support to help ensure the organization can quickly adopt and get results from the solution. In addition, 1Password’s strong interface and management insights help reduce the overall management and adoption burden.
1Password is a popular password management tool for individuals and may already be familiar to some users within an organization, making onboarding easier. In addition, 1Password’s tools have a long track record—and licensing options—well-suited to SMBs and individual teams within an organization. 1Password offers good developer capabilities that will be attractive for those looking to improve secrets management for their developer teams. There is no focus on supporting the public sector or federal agencies.
Radar Chart Overview
1Password has continued to develop its application and is positioned as a Leader in the Innovation/Platform Play quadrant. Breadth of coverage, including strong cross-platform support and an extensive secrets management capability, has moved it from Feature Play to Platform Play in this year’s Radar.
Bitwarden
Solution Overview
Bitwarden provides a solution for storing, managing, and sharing sensitive information across all accounts and devices, ensuring data security through end-to-end zero-knowledge encryption within a trusted open-source framework.
The solution provides password and secrets management. Its architecture is built around a centralized vault with local client caches. It has broad client support, including across desktops, laptops, mobile devices, and the web.
Secure access to the vault is through end-to-end zero-knowledge encryption, and all vault items and attachments are encrypted. Designed with the enterprise in mind, Bitwarden provides directory access via both prebuilt directory integrations and SCIM.
The Bitwarden vault design includes an individual vault for users and a separate vault for organizations. Within the organization, vault items can be organized via “collections” where multiple users and groups can be added for password and item collaboration. It also includes the ability to securely share passwords, text, and files with non-Bitwarden users, via Bitwarden Send. The central management feature provides a range of reports including exposed passwords, data breaches, and unsecured websites. Organizations do not have access to a user’s individual vault—if a company does want visibility into user data, then individual vaults must be disabled and all data saved to the organization vault.
Bitwarden provides secrets management for developers, ensuring keys and credentials are stored securely and not revealed in code. Bitwarden also has passkey support. The solution is open-source with its code hosted on GitHub—Bitwarden sees this transparency as essential.
Strengths
Areas where Bitwarden is particularly strong include:
- Passwordless support: Bitwarden offers a range of options here, including the use of device compliance to authenticate vault access. Its investment in passkey support is also useful in helping organizations transition from password-centric authentication approaches. Users can use passkeys to access their web vaults. This feature uses the WebAuthn PRF extension for passkeys, ensuring a secure and convenient login process while maintaining end-to-end encryption. Passkeys can also be used as a form of 2FA, supporting device-bound keys or synced keys.
- Secrets management: The solution has a secrets management capability allowing developers and DevOps teams to securely store, manage, automate, and share machine and infrastructure secrets at scale throughout the development lifecycle. This reduces the risk that can come with such secrets being stored directly in code. The platform is capable of supporting key lifecycle management, allowing tokens to expire automatically or be revoked as needed.
Challenges
Areas for improvement include:
- Ease of use and management: The solution lacks some of the granular policy controls some of its competitors have because it enforces policies at the organizational unit level only. The solution does not provide insight into individual vaults, which may be an issue for those requiring cross-organization insights, although these vaults can be disabled, forcing all data to be saved in organizational vaults. Its interface is also a little dated, although the vendor recognizes this and has begun releasing user interface updates.
- Limited certifications: While Bitwarden’s approach to security is not in question, it does currently lack ISO 27001 and FedRAMP certification, which may be an issue for some potential customers. However, customers could consider self-hosting to address this.
Purchase Considerations
The solution offers multiple deployment methods including SaaS, on-premises, and Kubernetes, giving its customers flexibility. Customers looking at on-premises installs should consider the additional operational costs that come with managing an appropriate server estate.
Bitwarden offers both personal and business-focused pricing tiers, priced on a per-user basis. Larger organizations should contact the vendor directly for a quote. Bitwarden also offers a free seven-day trial for business plans, which can be extended through a conversation with the sales team, aiding with evaluation.
Customized training is available and complimentary for all business customers. Enterprise also offers a complimentary Families plan, which enables free personal vaults for the user and up to five family members to help extend protection to users’ personal lives.
Customers looking for flexible deployment options, especially those looking for self-hosted installation, will find Bitwarden worth evaluating. Those looking for cloud-native modern deployments via Kubernetes may also find it a useful solution. Bitwarden is also a solid choice for those looking for a solution that provides both password management and features supporting developers with secrets management.
Radar Chart Overview
Bitwarden is positioned in the Maturity/Platform Play quadrant. It is focused on stability and continuity in its approach. Though it scored well in our evaluation, gaps in the reporting details and policy granularity mean it is currently identified as a strong Challenger.
CyberArk: Workforce Password Management
Solution Overview
CyberArk is an identity security-focused vendor with a range of solutions that cover identity privilege and access as well as DevSecOps tools. Its enterprise password tool, Workforce Password Management, is part of a broad portfolio.
Workforce Password Management is designed around a central vault to securely hold passwords and secrets, with support for multiple vault access channels (web, browser extension, and mobile app). The credentials can be hosted in the SaaS-based CyberArk Identity Cloud vault or in a secure, PAM-based, self-hosted enterprise vault.
Workforce Password Management has extensive integration with existing identity management platforms via Security Assertion Markup Language (SAML), OpenID Connect (OIDC), and Lightweight Directory Access Protocol (LDAP), as well as prebuilt integrations with well-known leading providers such as Entra ID, Google Cloud Directory, Okta, and Ping.
CyberArk delivers a number of other capabilities, including strong sharing controls and the ability to transfer ownership when the primary owner leaves the organization without losing the chain of custody. Users can add secure text-based notes to this platform. However, those wanting secrets management will need to look at its separate Conjur platform (available as SaaS, on-premises, and open source). There is also optional integration with SSO and multifactor authentication (MFA) platforms to extend one-click access to a broad range of applications. Its marketplace also offers a broad array of third-party integrations.
For customers looking beyond password management to a broader identity security solution, CyberArk’s overall identity approach will be attractive. The ability to add other capabilities including PAM, cloud infrastructure entitlement management (CIEM), and secrets management into an overall identity platform will give customers a structured approach to improving overall identity security.
Strengths
Areas where CyberArk is particularly strong include:
- Platform security: Workforce Password Management offers a range of security options to protect access to the vault. This includes integration with several IdPs for SSO access as well as MFA-controlled access to vaults. Its cloud platform is backed by a 99.99% SLA. There are strong additional user access controls that include location restrictions, device restrictions, and granular access to passwords with additional MFA challenges before access is granted.
- Password policy management: Workforce Password Management offers a comprehensive range of password policy controls, from controlling the types of devices that are allowed to access a vault to enforcing MFA controls to specific password access. The solution can extend these controls further when integrating with CyberArk’s broader PAM, SSO, and MFA offerings.
Challenges
Areas for improvement include:
- Cost: Users looking to invest in password management need to be aware of the multiple options that CyberArk’s broad portfolio presents. Capabilities like secrets management are a separate product in their approach and will incur separate costs.
- Lack of personal vaults: Some vendors launched their solutions by offering personal/home vaults, and others offer this as an add-on for enterprise-licensed users. Many organizations find this a useful benefit, encouraging users to extend password management into their personal lives—a well-known avenue of phishing for corporate access. CyberArk does not offer such an option and actively discourages storing personal information within its business vaults. While not a technical limitation, customers should be aware of this preference.
Purchase Considerations
CyberArk Workforce Password Management is a strong solution that will give organizations a clear path to adopting other elements of identity security via the other solutions in CyberArk’s portfolio. However, prospective customers should note that not all capabilities evaluated here are available in Workforce Password Management (for example, PAM, CIEM, and secrets management); they require purchasing other tools in the CyberArk portfolio. That said, Workforce Password Management is included in all identity and PAM license packages. CyberArk offers a full 30-day trial of this solution to aid with evaluation. The solution is available as SaaS as well as self-hosted, which will provide customers with good flexibility, but they should also consider the extra overheads—such as resources, ongoing maintenance, and platform support—if considering self-hosting.
Workforce Password Management provides a comprehensive solution for those needing an enterprise-focused solution. Organizations that need the flexibility between SaaS and on-premises will find its deployment options useful. Those looking at password management as a first step should be aware that some features require investment in the broader CyberArk portfolio. The solution is aimed at business users only and actually has controls to prevent users from adding personal or consumer passwords to the vaults.
Radar Chart Overview
CyberArk offers an extensive password and identity solution; it is positioned in the Innovation/Platform Play quadrant and continues to look at new ways to develop and enhance its identity security approach. It scored well across our decision criteria and is positioned as a Leader.
Dashlane
Solution Overview
Dashlane has grown from providing personal password management to now supporting enterprise password management for SMBs and large enterprises.
Its platform is SaaS-based with client support for popular web browsers, iOS, and Android. It can integrate with a range of IdPs including Azure AD, Okta, JumpCloud, and Google Workspace. Alongside standard username and password storage, it also allows users to save secure notes and passkeys within the vault. The solution includes a basic secrets manager that will be useful for developers, although it lacks secrets-management features such as key rotation.
Administration is via an easy-to-use central console. The console offers insight into overall password health as well as the ability to carry out more detailed individual password health assessments. Its dark web monitor is a valuable addition, providing proactive notification of potential password breaches. A unique real-time phishing alert function helps identify websites that are likely to be phishing sites before any credentials are added. It also provides users with an inbuilt VPN capability that can be rolled out alongside Dashlane.
Strengths
Areas where Dashlane is particularly strong include:
- Security auditing: Reports give an overview of an entire organization’s password usage. Administrators can drill into detail to understand individual usage and access profiles. It also provides real-time phishing insights to warn users of potential phishing attempts when they browse to malicious websites. Its dark web monitoring is also a useful feature that will help operations teams and users to maintain better password security.
- Password policy management: Dashlane provides the range of policy controls that would be expected of an enterprise password solution. However, it also delivers some additional features, such as a personal VPN for all users as part of their subscriptions, the use of which can be managed and enforced by policy. The solution also provides the ability to analyze password strength and suggest improvements, making online accounts less vulnerable to attacks.
- Ease of use: Its background as a consumer product moving into the enterprise space means it focuses well on the end user experience. It also provides good support for users to store and manage passkeys, which will help them adopt this developing technology.
Challenges
Areas for improvement include:
- Moving from personal to enterprise password management: Coming from a consumer background, some of its enterprise features are less well developed than some of the more mature vendors we evaluated. For example, its IdP integrations are not as broad as some, and its browser extension integrations are also more limited. Customers will need to evaluate whether these limitations will present a challenge to them.
- Limited secrets management: While the solution does provide secrets management for its customers, it is more limited than some other solutions evaluated. It lacks the ability to automate key management and also lacks the CI/CD integrations others offer for developers and DevOps.
Purchase Considerations
Dashlane provides individual and business tiers, a friends and family “team” offering, and an Enterprise offering. It is priced per user. The Enterprise tier includes a dedicated customer success manager, onboarding customer support specialists, and access to onboarding technical engineers. For those looking to simplify their purchase, its site license may be an attractive offering, removing concerns around individual license management.
Dashlane does not currently provide FedRAMP certification for its solutions. It is well suited for SMBs and large enterprises but does not support federal agencies or MSPs.
Radar Chart Overview
Dashlane is positioned in the Innovation/Feature Play quadrant. Although its solution offers a broad feature set, it’s not as strong across all features as some other solutions we evaluated. The vendor continues to focus on innovation and scored well across our criteria, retaining its position as a Challenger.
Enpass
Solution Overview
Enpass supplies password manager solutions for both commercial and personal markets. Its technical approach is different from others evaluated in this report, as Enpass does not use a central vault. Instead, all vaults are stored in locally accessible storage that can be cloud-based with a local cache or directly on the local device.
Enpass supports a range of endpoints with clients for Windows, Mac, Linux, iOS, and Android, as well as extensions for popular browsers. Deployment of the endpoint vaults can be centralized using a customer’s existing endpoint management approach, including unified endpoint management (UEM) and mobile device management (MDM).
User provisioning is done via SCIM integration with leading directories including Entra and Okta, allowing for quick import of users into the platform. Users will then store their vaults in an enterprise cloud location with a local cache—Microsoft 365 and Google Workspace are the currently supported locations for business customers—or vaults can be stored directly on local devices. Cloud vaults are required for sharing passwords between teams.
The admin dashboard highlights Enpass adoption and can be used to set central policies around both the security setup of the platform as well as some basic password and sharing policies. Breach reports can be generated for users that contain the name of the breached website, breach date, the types of data compromised, and recommended actions to secure the account.
For organizations requiring more control, the Enpass Hub enables powerful additional features for both admins and users, including comprehensive security audits, access recovery, and simplified vault sharing.
Strengths
Areas where Enpass is particularly strong include:
- Cross-platform support: Enpass’ broad support includes desktop applications for Windows, Linux, and macOS—an increasingly rare feature among the vendors we evaluated. It also offers good browser extension support and Android and iOS apps.
- Security auditing: Enpass provides both a good overview for admins and useful insight for end users with its breach reporting. While it is not as comprehensive as some solutions, the identification of potential breached passwords for users, alongside guided actions to help remediate that risk, is a valuable feature.
Challenges
Areas for improvement include:
- Deployment model: While the vendor may argue that its completely decentralized model reduces the risks posed by central models, some customers may be troubled by losing the control that comes with a central vault. The additional deployment work this may entail could also be an issue, even though Enpass provides templates and guidance to help roll the product out using popular MDM and UEM tools.
Purchase Considerations
Those requiring additional features, including advanced security reports, easier sharing, and vault access retrieval, will need to consider adding the Enpass Hub, which is available as both SaaS and a self-hosted solution. Starter and Standard plans only include the SaaS Enpass Hub; therefore, customers wishing to self-host will need the Enterprise Plan (which also includes the SaaS hosting option). Self-hosting customers will also require additional internal resources and effort to deploy and maintain. Customers will need to evaluate this additional effort.
Like other vendors with both end user and business focus, Enpass offers individual and family plans, along with business offerings such as the team-focused Starter Plan and per-user priced Standard and Enterprise plans.
The Enterprise Plan, alongside the self-hosted Enpass Hub, is required for advanced corporate policy enforcement, automatic user provisioning via SCIM, and UEM/MDM configurations for deployment. A free family plan for licensed users is included.
Organizations looking for a simple approach to password management with good integration to Entra, Okta, and other SCIM-supported platforms will find this a good starting point. Customers looking for a decentralized architecture will also find this approach appealing.
Radar Chart Overview
Enpass is positioned in the Innovation/Feature Play quadrant. It is limited in or lacks some of the capabilities we looked for in this report, placing it on the Feature Play side of the chart as a Challenger.
JumpCloud
Solution Overview
JumpCloud is an integrated identity, device, and access management platform designed to allow users to connect to any resource from any location using a trusted device with one secure identity.
JumpCloud is a full identity platform with password management as a component, although it is also available as a standalone solution. It uses a decentralized model with vaults deployed individually on and synchronized between end-user devices. JumpCloud claims this reduces the risks of centralized vaults (a single vault to compromise) and offers a more resilient experience. However, admins can enforce central vault protection with backup and restore capabilities.
When purchased alongside the full platform, the password manager can use JumpCloud’s broader identity information and endpoint management capabilities to protect vault access and simplify the user logon experience. It does this by using machine compliance and IdP integration across multiple platforms to provide a smooth SSO experience.
The JumpCloud Go tool helps with passwordless adoption and enables secure passwordless authentication to JumpCloud-protected web resources on managed devices. The broader solution also integrates with MFA and certificate-based authentication to provide additional password and access protection.
While JumpCloud’s password manager is a good solution, its true value comes from its integration with broader platform capabilities that help to simplify identity and machine management.
Strengths
Areas where JumpCloud is particularly strong include:
- IdP integration: The JumpCloud password manager benefits from the broader platform’s integration capability. It also does not need to synchronize those users into the platform, instead acting as a bridge between any current IdP, the password manager, and third-party apps. JumpCloud can securely pass through password information and federate authentication to another third-party provider like Okta, Microsoft AD/Entra ID, and Google Workspace.
- Passwordless support: JumpCloud’s capabilities as an IdP can provide an integrated passwordless experience for customers. It can provide metrics using identity and device health as part of the authentication experience, reducing or removing reliance on passwords. Its JumpCloud Go capability further enables secure passwordless authentication to JumpCloud-protected web resources on managed devices, aiding the transition to passwordless for its users.
Challenges
Areas for improvement include:
- Support for large enterprises: With an SMB focus, JumpCloud does not support larger enterprises. While the technology can scale, the company itself is not focused here, and other vendors may be a better fit.
- Distributed architecture: While there are some risks associated with central vault architectures, the distributed nature of JumpCloud may prove unattractive for large organizations that want to ensure the security, availability, and protection of their central password repository.
- Limited secrets management: JumpCloud has limited secrets management capability and other tools offer stronger options.
Purchase Considerations
JumpCloud offers password management as a feature of various pricing tiers, all of which are licensed on a per-user basis. Password management is an included feature of the SSO, Core Directory, Platform, and Platform Prime tiers. Passwordless JumpCloud Go features are part of the Platform and Platform Prime tiers. Professional services are available.
JumpCloud is focused on the SMB market (especially sub-1,000 seats), so larger organizations will need to evaluate whether JumpCloud can support them appropriately. As an SMB-focused vendor, there is no current certification for FedRAMP and no plans to add it. JumpCloud also has offerings tailored for education and nonprofits.
Radar Chart Overview
JumpCloud is positioned in the Innovation/Platform Play quadrant. Its approach in this space is on overall identity management, of which password management is a component. It continues to develop a strong solution and has high scores across many of the decision criteria we evaluated, positioning it as a strong Challenger in this iteration. Changes to decision criteria and our scoring scale have resulted in the vendor moving from the Leaders circle in last year’s report into the Challengers circle.
Keeper Security: Password Manager
Solution Overview
Keeper Security provides full lifecycle credential management, including Keeper Password Manager, a highly secure password and passkey management solution for individuals, families, and organizations of any size.
Keeper Security takes a modern approach to PAM by bringing together passwords, secrets, and connection management into a single interconnected solution, and its password management is capable in its own right. Keeper Password Manager integrates with a range of IdPs to provide user access to its central password vault, reducing adoption overhead. It has comprehensive policy granularity to enable administrators to separate task and password access into individual organizational units, including limiting or blocking password sharing.
It offers excellent insight into password risk, including its new Risk Management Dashboard that aggregates risks and provides remediation actions. Its BreachWatch dark web monitoring capability offers impressive real-time notification of any corporate identity breach, helping operations teams quickly take action and reduce risk.
Keeper Password Manager offers comprehensive secrets management for developers, allowing for machine accounts and keys to be stored and managed within the platform. It also provides a useful ability to transfer the vaults of users who leave an organization to new users. It recently launched passkey support across all of its products and PAM-type Time-Limited Access and Self-Destructing Records to offer further security enhancements.
Strengths
Areas where Keeper Security is particularly strong include:
- Secrets management: Keeper’s vault provides comprehensive capability for managing infrastructure secrets such as API keys, database passwords, access keys, and certificates. It integrates with DevOps and CI/CD platforms to support the full key management lifecycle, including automated key rotations either on a schedule or manually, helping to reduce the risk of compromised machine credentials or the need for developers to place keys inside of code.
- Compliance: Keeper Security claims to be the most secure, certified, tested, and audited password security platform. It has the longest-standing SOC 2 compliance and ISO 27001 certification in the industry and complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF). It also has FedRAMP and StateRAMP certification.
- IdP integration: Password Manager can be deployed with any third-party SAML 2.0-based IdP. Its SSO Connect cloud allows it to securely authenticate users into its vault and dynamically provision users to the platform. It works with popular SSO IdP platforms such as Entra ID, AD FS, Okta, Google Workspace, OneLogin, Ping, F5 BIG-IP APM, and JumpCloud. It can also use SCIM for automated provisioning. When deployed this way, all encryption of data uses 256-bit elliptic curve keys to wrap the data key and 256-bit AES keys to encrypt each vault record.
Challenges
Areas for improvement include:
- No on-premises deployment: The solution is SaaS only and not available as an on-premises solution, so organizations wishing to place vaults within their own data centers will need to look at alternative solutions.
- PAM limitations: While the solution has the potential for building PAM on top of enterprise password management, it is still not a fully featured PAM solution—it is more about using PAM capabilities to enhance the password management solution. While this does not affect the effectiveness of the password solution, customers looking at password management as part of a PAM deployment will need to consider whether Keeper Password Manager’s capabilities here are strong enough.
Purchase Considerations
Keeper’s solution is SaaS only and isn’t available for on-premises or endpoint deployment. It has plan tiers for individuals and enterprises. Pricing is per user per year.
Keeper Security’s password management solution provides strong integration with a wide array of IdPs. Those looking for strong credential management and reporting will appreciate the BreachWatch service. Those needing a vendor that is FedRAMP certified or complies with other security frameworks will find Keeper an attractive offering.
Radar Chart Overview
Keeper Security is positioned in the Innovation/Platform Play quadrant. Its broad range of capabilities and ability to execute, scoring high across all of the decision criteria we evaluated, places it as a Leader in this report. The vendor remains focused on innovation, and its execution of the capabilities in the emerging features category and rate of progress in the market result in its Outperformer status.
LastPass
Solution Overview
LastPass is one of the better-known vendors in the password management space. It provides solutions for a range of customers from consumers to large enterprises. It allows customers to create and enforce password policies, share passwords and notes securely, and monitor user activity and security reports.
The solution is SaaS-based with a range of clients including browser extensions, desktop applications, and mobile apps. The solution provides MFA, SSO, and biometric authentication to its vault for added security and convenience. It is a simple and flexible solution that will work well in smaller businesses, and it offers extensive integrations with a wide range of IdPs to ease its adoption into larger enterprises.
Architecturally, LastPass uses a centralized vault with users accessing local versions of their vaults. Personal vaults can be co-managed with the enterprise vault. It provides over 140 predefined policies that enterprise customers can use to deliver password policy across the organization.
Its central console provides an overview of password security across the organization and local reports for individual users, including dark web monitoring. LastPass offers a broad range of reports, plus the ability to export audit trails to key stakeholders as needed. Reports include user activity, admin activity, site login activity, and other security reports.
Strengths
Areas where LastPass is particularly strong include:
- Integration: The solution provides a range of IdP integrations that includes AD, Entra ID, ADFS, Google Directory, Okta, Ping Federate, PingOne, OneLogin, and an API for custom integrations. This will help ease adoption for many customers and allow end users to access their vaults with familiar enterprise credentials and controls.
- Support for passwordless access: LastPass enables organizations to move to passwordless, with a strong range of options including forthcoming support for passkeys and biometric logon to both admin consoles and user vaults. It also provides its own authenticator app and support for FIDO2 biometrics and hardware keys. It will help organizations with the move to passkeys, supporting the creation, storage, and sharing of passkeys within user vaults.
- Cross-platform support: LastPass comes with a range of client support across browsers, mobile apps, and desktop apps. This gives users a consistent experience and the ability to access their password vaults in the most convenient manner.
Challenges
Areas for improvement include:
- Limited advanced features: As more enterprises look to better manage credentials, they seek tools that can support full secrets management and increasingly PAM-like capabilities. LastPass supports secure notes but does not offer full secrets management that developers and DevOps processes could use.
- Reputation: While it has made huge strides in its security and remains a popular solution, the impact of its 2022 breach is not forgotten. This is likely to hurt its chances with some potential customers.
Purchase Considerations
LastPass offers Teams and Business tier licenses. These are required for access to the federated login, SSO, directory integration, and SIEM integration elements of the solution. It is licensed on a per-user basis. Free personal and family licenses are included as part of the Business offering. Additional add-on capabilities are available to provide enterprise-grade solution features. However, the platform lacks advanced capabilities such as secrets management, and those looking for that would need to consider additional solutions.
While the 2022 LastPass breach may still raise questions, it is fair to point out that LastPass has continued with an ongoing commitment to secure its services. This has included platform, infrastructure, and endpoint security enhancements, hardening, enhanced logging/alerting, and validation of the security of its cloud storage environment. It has deployed a cloud security posture management (CSPM) solution to continually evaluate security, and continues to accelerate product enhancements and advance the development of security-related roadmap items.
Those looking for an easy-to-adopt and manage solution with good coverage across multiple platforms will find LastPass a sound option, and those seeking a transition to passwordless will find LastPass provides some good capabilities to assist them.
Radar Chart Overview
LastPass is positioned in the Maturity/Feature Play quadrant. It is a well-established and well-known vendor in this space, and its approach is focused on stability and continuity rather than rapid innovation that may invite disruption. It scored well across most of the decision criteria we evaluated and is positioned as a strong Challenger in this report.
ManageEngine: Password Manager Pro
Solution Overview
ManageEngine offers comprehensive IT management solutions for global organizations and MSPs. Password Manager Pro is designed to control, manage, monitor, and audit privileged accounts and their access within an enterprise.
Unlike the majority of its competitors, Password Manager Pro is installed as a self-hosted server application that can be installed in the data center or public cloud. To ease installation, it ships as a single full binary that includes all required elements. It can also be integrated with SQL, Azure SQL, and RDS databases if required.
It is designed for enterprise account management rather than individuals and teams. Its capabilities include password vaults, secrets management, and a certificate lifecycle management platform. Certificates can be autodiscovered from both the user directory and local machine stores. It has a session manager to allow admins to start remote sessions to other systems from within the password manager and includes session recording.
Password Manager Pro offers PAM capabilities and includes access request workflows. It provides a powerful agentless auto-discovery capability, which can find all machine and service accounts in a directory and bring them under password management, including the ability to change passwords either as a scheduled or manual task.
Strengths
Areas where ManageEngine is particularly strong include:
- Password policy management: The Password Manager Pro solution can discover, via agentless scan, all accounts on any system in a domain. It allows admins to centrally reset the passwords of servers, databases, network devices, and other resources. This capability enables enforcement of enterprise controls and management and reduces operations overhead of what is often a cumbersome process.
- Ease of management: This is a solution designed for the management of enterprise accounts rather than individual accounts and teams. This shows in some of its strong enterprise management capabilities, including PAM capabilities such as account and sessions management and elevation and delegation management. It also has a full API that allows customers to automate Password Manager Pro’s capabilities from external management tools.
Challenges
Areas for improvement include:
- FedRAMP support: Because of the on-premises nature of its deployment, the solution cannot be supplied under FedRAMP. This will rule it out as an option for some customers.
- Secrets management: ManageEngine offers capabilities around secrets and certificate management. However, there are some limitations to its secrets capability, with limited ability to fully manage secrets lifecycles.
Purchase Considerations
This solution is self-hosted only. This will be challenging for many customers with a SaaS-first policy, and they will need to determine if the value the solution provides outweighs the drawbacks of self-hosting, including the additional overhead of system maintenance.
The platform is available in three editions—Standard, Premium, and Enterprise. Licensing is based solely on the number of administrators required to operate the system. Once licensed, password vaults can be made available to an unlimited number of users. This makes the solution commercially competitive and removes the overhead of vault license management. The Enterprise license is needed for advanced features such as API integration, database back-end flexibility, and SIEM integration. However, there are no family vault licenses for users, unlike with a number of the other vendors we considered.
ManageEngine is focused on large organizations accustomed to managing on-premises deployments and building out API-based integrations. For customers looking for a self-hosted solution, this will prove attractive. Its comprehensive APIs will be interesting to those looking to build enterprise password management into their existing tools and workflows. Those keen to simplify the management overhead of local machine accounts or looking for a self-hosted certificate management solution should consider Password Manager Pro.
Radar Chart Overview
ManageEngine is positioned in the Maturity/Platform Play quadrant. It provides a wide range of capabilities and is focused on the stability and continuity of its well-established technology. It scored well in many of the decision criteria we evaluated, positioning it as a Challenger in this report.
NordPass
Solution Overview
NordPass is the password management component of Nord Security’s solution suite, which includes the well-known NordVPN service. It is built around a secure centralized password vault, with local vaults available for desktops, mobile devices, and browser extensions. It uses an end-to-end encrypted zero-knowledge architecture to provide strong privacy protection.
The main management dashboards are clear and intuitive. Provisioning of users is aided by automatic provisioning/deprovisioning capabilities from Active Directory. It has added support for passkeys, which will help users transition to a passwordless environment, and provides some nice user functions around password vulnerability insight. This includes checking for leaked data, vulnerable password identification, and the ability for users to mask passwords, allowing them to create disposable passwords when signing up to external services.
Strengths
Areas where NordPass is strong include:
- Cross-platform support: NordPass provides comprehensive coverage of a wide range of endpoints including browsers, mobile devices, and desktop apps. This will help customers provide a consistent experience for their users, helping to drive adoption and improve overall password security.
- Security auditing: As an organization, NordPass has invested in security and holds a number of external certifications including ISO 27001. It adds to this by providing its users with good security insights to help reduce the risk of poor password practices. This includes checking for data leaks and identifying vulnerable passwords with its password health tool.
- Passwordless support: The solution offers several tools to help users move to a passwordless future. This includes passkey storage management, allowing users to create, store, and manage passkeys within their vault. It offers good biometric support for controlling access to the vault, and its native authenticator tool is a useful addition.
Challenges
Areas for improvement include:
- Enterprise scale: This is a solution that has grown from a good consumer offering, and as such, it lacks some features that enterprises value, such as API management and secrets management. It also takes a basic approach to password policies, lacking the granularity of some of its competitors.
- Secrets management: While it does offer the ability to store some non-password information, such as secure notes, it lacks the secrets management capability that most organizations require, which means prospective customers will need an alternative solution to fill this gap.
Purchase Considerations
The platform is SaaS-based, with data centers in the US, and has recently added EU data centers. It’s available with either a business or enterprise subscription license, though some functions, such as provisioning integration with Active Directory and SSO integration, require the enterprise license.
NordPass comes from the well-known Nord Security stable of solutions. However, it has grown from a consumer background and this does show in its lack of some enterprise features, such as granular password policies and secrets management, and its limitations in IdP integration. It does support Entra ID, Google Workspace, Okta, and ADFS for on-premises Active Directory integration.
NordPass offers a user-friendly, clearly priced password management solution. It’s well-suited for SMBs, large enterprises, and MSPs that don’t require advanced functionality. It does not support federal public security organizations.
Radar Chart Overview
NordPass is positioned in the Maturity/Feature Play quadrant. It’s focused primarily on delivering password management and lacks some of the broader capabilities we evaluated. It continues to develop its feature set within the framework of its well-used and stable password management solution. It scored well across most of the decision criteria we evaluated; however, it’s limited in or lacking some features, and its scores position it as a Challenger in this report.
Securden: Password Vault for Enterprises and Unified PAM
Solution Overview
Securden is an identity security vendor that offers a range of solutions including password management and PAM. Password management is included in both the Password Vault for Enterprises and Unified PAM solutions. For clarity, it should be noted that for this report we have evaluated its Password Vault product only.
The solution has prebuilt integrations with Azure AD, Entra ID, and LDAP databases, which can be used to import users. Users are then categorized into types and groups. Securden provides a useful function in that accounts can also include remote machine access, allowing operations teams to connect to machines directly from the platform without knowing or sharing passwords. It also offers a functional secrets management capability that can hold SSH keys and certificates that can be called via APIs. Password sharing is available across groups, and it also has an innovative secure share option with third parties.
Securden offers good reporting with comprehensive risk reports, a dark web breach module to look for internet-leaked credentials, and business and personal vaults for users.
Securden supports a broad range of application SSO integrations, and new ones can also be added. Some of its PAM capabilities can be found in its Password Vault Enterprise PAM license. This includes additional capabilities such as finding accounts on endpoints, managing local privileged accounts, and the ability to reset remote machine accounts, but this is not its full PAM solution.
Strengths
Areas where Securden is particularly strong include:
- Ease of management: Offers a broad range of out-of-the-box integrations including AD, any LDAP-compliant directory service, any SAML-based SSO solution (Okta, GSuite, ADFS, OneLogin, Ping, Azure AD SSO), MFA tools, ticketing systems, and SIEM systems. This allows the solution to be well integrated into the existing technology stack, making it easier to ensure password management is part of the overall security operations process.
- Password policy management: Securden offers a strong set of capabilities. The ability to scan for local account and machine passwords is useful, and when coupled with Securden’s ability to reset machine passwords at scale, it can be a very powerful tool. It can identify accounts that are non-compliant with password policies and recommends remedial measures through actionable reports and dashboard listings. Policies can be enforced upon identification of non-adherence or non-compliance. Its dark web monitoring capability also adds a significant benefit.
- Cross-platform support: Securden provides comprehensive coverage of a wide range of endpoints including browsers, mobile devices, and desktop apps. Secrets management allows for credentials to be called via APIs by developers rather than leaving them in code. Its remote session manager allows operators to connect to machines directly from the vault (via a native tool or RDP) without needing to share or view passwords, providing a secure remote operations platform.
Challenges
Areas for improvement include:
- Cost: The password management solution is strong, but customers should be aware that a number of the features discussed here are only available when it is part of the Password Vault Enterprise PAM license—remote session management and automated machine account discovery, for example. Customers may find it confusing to determine which elements of the solution are available in each platform.
- Brand recognition: Securden is not as well known in the market as many of its rivals. This can be problematic for some customers who are keen to see third-party validation of potential suppliers from industry sources. While this is not a reflection of its technical quality, it will be an issue with some customers.
Purchase Considerations
The solution can be deployed as a SaaS-based service or as a Windows application. The Windows installer contains all required components including the web server and Postgres database (SQL is also a supported option).
Licensing is a potential point of confusion for prospective customers. We evaluated Password Vault for Enterprise for this report. Securden also offers a Vault Enterprise PAM license, a PAM light offering that brings some, but not all, of its PAM capabilities to the Password Vault solution. There also isn’t transparent pricing, so prospective customers will need to contact the vendor for more information.
Securden services customers across all sectors, from SMB to enterprise and MSPs. In fact, Securden offers a Unified PAM for MSPs product specifically for service providers. Securden also offers a Unified PAM tailored specifically for government agencies.
Radar Chart Overview
Securden is positioned in the Innovation/Platform Play quadrant. It offers a strong solution, and its approach in this space is to take its customers on a journey to broader PAM, with password management simply one focus area. It scored well across all of the decision criteria we evaluated, placing it as a Leader, and its execution of the emerging features and rate of progress in the market classify it as an Outperformer.
Siber Systems: RoboForm
Solution Overview
Siber Systems offers the RoboForm password management solution for both individuals and businesses. RoboForm is primarily SaaS-based, although bespoke on-premises installations are available when needed. The solution is focused on password management, but it also offers passkey storage and filling, time-based one-time password (TOTP) authentication, and identity management. Siber Systems continues to evolve its enterprise features, including integrations for AD, Entra ID, and SCIM for import of users, and support for SSO login to password vaults. It offers personal and business vaults for its licensed customers.
Passwords can be shared across groups, company members, and non-company RoboForm customers. Shared group passwords have some useful controls including the ability to limit access by IP address and enforcing that vaults are centrally held only.
RoboForm reporting gives a view of password health for both personal and company vaults. However, it does not provide some of the details available from other solutions, such as breach reports.
Strengths
Areas where Siber Systems is particularly strong include:
- Ease of use and management: The solution is focused on delivering password management capabilities to its customers. It offers basic reporting on the security of passwords held in its vault and can guide operations teams on how to improve overall password health.
- Cost: All components are under a single license, so all users will have all RoboForm capabilities.
- Security auditing: Provides a security score for each user based on the average score of all of their saved credentials. Administrators have access to a company security score, which summarizes the security scores of users and groups throughout their company. It also compares all saved credentials against publicly known breaches and identifies any credentials a user has saved that are included in a known breach. This information can be used to help reduce exposure across a business.
Challenges
Areas for improvement include:
- Enterprise capability limits: Focused on password management, RoboForm lacks some of the broader enterprise features other solutions offer, such as a secrets manager, broader PAM functionality, and granularity in password policy management. Its simplicity will be attractive, but limitations must be evaluated.
Purchase Considerations
Siber Systems offers both personal and business-focused plans, and RoboForm for Business is the likely solution for most teams and enterprise users. RoboForm is a desktop solution but is moving to a primarily web-based deployment with extensions for leading browsers and a mobile app.
This is a vendor focused on delivering effective and simple password management. This does mean it lacks some of the more comprehensive features, but it could be a good solution for smaller teams or organizations just starting to explore password management. The solution’s SaaS platform locations are limited to the US (Virginia) and the EU (Amsterdam), and this may prove an issue for those with strict data sovereignty demands. It does offer a self-hosting option as a potential way to address this.
Organizations that need an enterprise-capable password management solution that can securely share credentials with both internal and external users will find its simplicity attractive. For companies that regularly need a form-filling tool, this is still a strong capability of the solution.
Radar Chart Overview
Siber Systems is positioned in the Maturity/Feature Play quadrant. The vendor’s focus is on the stability and continuity of its solution rather than rapid innovation that may invite disruption. It continues to maintain its solution with moderate updates, classifying it as a Forward Mover. It focuses on password and form-filling management, and while it has average scores in a number of decision criteria, its lower scores for secrets management and password policy management and lack of emerging features position it as a Challenger.
Zoho: Zoho Vault
Solution Overview
Zoho Vault is part of Zoho’s suite of solutions and a core part of its cybersecurity approach. Zoho Vault uses a central vault that is securely encrypted for synchronization with endpoints. Supported endpoints include iOS, Android, and extensions for most leading browsers. Zoho has also recently added desktop apps for macOS and Windows.
The core solution has more than 90 out-of-the-box integrations to its own applications, popular SaaS solutions, and major IdPs including Azure AD, Google Workspace, and Okta. Zoho Vault has extensive APIs that allow the vault to be programmatically driven by third-party tools and managed end-to-end without the need to access its management platform. Zoho’s Flow platform offers no-code workflow capabilities for building further customizations.
Its reporting is well laid out and easy to navigate and provides a view of personal password security and an overall team view, showing where passwords may be weak and failing to meet business compliance requirements.
The platform continues to develop with areas such as passwordless unlocking of the vault and autofill MFA, which works well with its own OneAuth application. Zoho Vault’s introduction of its own secure browser, Ulaa, is also an interesting addition for those looking for better privacy control for their users. The solution lacks a personal vault option, which many companies find valuable.
Strengths
Areas where Zoho is particularly strong include:
- Platform security: The solution provides good service security capabilities for its users. This includes the ability to allow users to hold individual backups in a range of locations including Zoho WorkDrive, Google Drive, OneDrive, and Amazon S3. It also has the capability to limit vault access based on geolocation, which can help reduce the threat of compromise.
- Zoho infrastructure: Zoho is a broad IT provider offering a huge number of services for its customers. This is all built on its own technology and hosted within its own data centers, giving the company strong control of its infrastructure, direction, platform security, and cost management. Because its solution stack is all built in-house, Zoho can quickly add new features and ensure tight integration across its platform. This is an attractive proposition, especially for those looking at vendor consolidation.
- Security auditing: The solution includes a range of reporting on password posture across individuals and teams. It also includes a breach dashboard that can highlight where passwords have been compromised in external platform breaches.
Challenges
Areas for improvement include:
- Platform dependency: While Zoho Vault is a standalone password manager, gaining full value from that investment will require investment in other tools, such as Zoho Flow for customization. Customers will need to be aware of pricing risks with additional module purchases.
- Secrets management: Although Zoho Vault allows for secure access of nonpassword items, it does not offer secrets management functionality such as the ability to manage authentication tokens like SSL certificates or access keys, and it has a lower score for this key feature.
Purchase Considerations
Zoho Vault is SaaS-based and is hosted within Zoho’s own global data centers rather than in AWS or Azure. This allows it to retain additional control around development and pricing. Zoho has an extensive portfolio and provides integrations into its other tools. This can help overcome some of the limitations the Vault platform has around advanced features, such as secrets management.
Pricing is transparent and published on Zoho’s website, and licensing is per user. Users can test out the solution via a free trial before purchasing. The vendor also offers migration and onboarding assistance.
Zoho Vault is a simple and easy-to-use password management solution for businesses of all sizes. It’s well suited for organizations already using Zoho products that want password management integrated with their other business tools. However, the solution is not certified under FedRAMP, so customers who require this will need to consider alternative solutions.
Radar Chart Overview
Zoho is positioned in the Innovation/Platform Play quadrant. It delivers a quality password management solution that’s well integrated with its broader platform of tools. While it has an established solution to build on, the vendor remains flexible and responsive to market needs, and it’s moved from the Maturity half to the Innovation half since last year. It scores well across many of the decision criteria we evaluated and is positioned as a strong Challenger in this iteration. Changes to decision criteria and our scoring scale YoY have resulted in the vendor moving from the Leaders circle in last year’s report into the Challengers circle.
6. Analyst’s Outlook
The password management challenge is complex. Users are inundated with the need to create and remember passwords, and the operational overhead they present is significant. This presents management challenges to a business and can lead to poor practices as users and operations teams alike find ways to overcome frustrations that can conflict with strong password management. Cyber attackers know this and realize that by targeting user credentials they can potentially gain access to the most sensitive of systems and information.
Enterprise password management can address this significant challenge but is surprisingly still underutilized by organizations of all types. However, addressing password management should be a priority because failing to do so will lead to credential theft and a likely security breach.
Our research has highlighted a market that is continuing to evolve to address the changing complexity and demands of password management. This includes more secure ways to store, manage, and share credentials. It also addresses other complexities such as the management of secrets (encryption keys, certificates, and other machine and application credentials), the move to passwordless, and the importance of password lifecycle management.
These solutions also provide good insight into overall password and credential management posture, guidance on how to improve it, and real-time threat information covering areas such as the identification of breached passwords discovered “in the wild.”
For those evaluating the space, it is important to understand the current risks, such as:
- How are passwords stored and managed?
- How are passwords shared between teams?
- How is the complexity of machine credentials managed?
- What is the overall password security posture in an organization?
Answering simple questions such as these will provide an initial insight into risk and gaps in password security.
To then evaluate the space, business leaders should ask some basic questions to understand the types of vendors to evaluate:
- Is a SaaS-based solution appropriate? Is storing key information outside of your own data centers and environments acceptable? More of the vendors in this space are SaaS-based, so a requirement for self-hosting will limit options.
- What current IdPs and applications does a solution support? It’s important that solutions match your current IdP to drive easier adoption and support SSO access to password managers, as well as support the ability to securely share passwords. Solutions should also support key business applications to allow SSO from vault to application, reducing the need for users to access and enter passwords into systems.
- Can the solution support a move to passwordless? The removal of passwords from overall operations should be a priority for businesses. Look for solutions that can aid this by supporting passwordless access using technology such as biometrics, tokens, authenticator apps, and increasingly, the use of passkeys.
- Do you need more than user password controls? Does your business need access to secrets management, for example? The management of machine credentials such as private keys and certificates is complex. For those with development teams and large operations teams, this can be a hugely valuable capability.
The password challenge is not going to ease, but password management platforms will continue to help address it as organizations further embrace technology that can help remove the reliance on user-generated passwords. The use of AI will also help to improve password security and make password management more straightforward.
Password management should be an essential part of any IT team’s overall strategy. The risk of password compromise is high, and its impact can be significant. Fortunately, there is a good market of established password management tools that can help address this challenge.
To learn about related topics in this space, check out the following GigaOm Radar reports:
- GigaOm Radar for Identity Threat Detection and Response (ITDR)
- GigaOm Radar for Identity as a Service (IDaaS)
- GigaOm Radar for Multifactor Authentication (MFA)
7. Methodology
*Vendors marked with an asterisk did not participate in our research process for the Radar report, and their capsules and scoring were compiled via desk research.
For more information about our research process for Key Criteria and Radar reports, please visit our Methodology.
8. About Paul Stringfellow
Paul Stringfellow has more than 25 years of experience in the IT industry helping organizations of all kinds and sizes use technology to deliver strong business outcomes. Today, that work focuses mainly on helping enterprises understand how to manage their data to ensure it is protected, secure, compliant, and available. He is still very much a “hands-on” practitioner and continues to be involved in a diverse range of data projects. Paul has been recognized across the industry and has spoken at many industry, vendor, and community events. He writes for a number of industry publications to share his enthusiasm for technology and to help others realize its value.
Paul hosts his own enterprise technology webcast and writes regularly on his blog.
9. About GigaOm
GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.
GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.
GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.
10. Copyright
© Knowingly, Inc. 2024 "GigaOm Radar for Enterprise Password Management" is a trademark of Knowingly, Inc. For permission to reproduce this report, please contact sales@gigaom.com.