Password management is a term that has come to mean a lot of things. This is a case where marketing has gotten in the way of clear, unambiguous definitions. We may think of password management as a sub-context of ID management, access management and policy management. In this set of reviews, we are looking at ways to manage access to passwords themselves.
This is another somewhat ambiguous way of looking at the problem. For example, is single sign-on (SSO) password management? Some - me included - would argue that it is. In fact, at least one of the products we looked at this month acted a bit like a SSO tool. Caching a collection of passwords for different applications and platforms and accessing the cache with a single password certainly smells like single sign-on. But, without some of the enterprise management capabilities of full-on SSO systems, this probably is a bit simplistic to think of as a solid SSO system.
For our purposes, then, we viewed these products as variants on what I refer to as "password carvers." These can be one-to-many or many-to-one tools. We saw both. One-to-many tools allow the user to access a collection of systems or applications with a single password. We see some simple examples of that with another type of access control we've looked at in the past. These products allow you to build a table of passwords for various websites and, using a USB dongle with some biometrics, you can log into all of the sites automatically.
Many-to-one tools are the true carvers. These typically allow multiple users to access some administrator functions on a system or application without using the true superuser password. There are a few products such as this and they all have good functionality. We saw some of them too.
What to look for
For starters, you need to know in a fair amount of depth for what exactly you want to use this type of password management. We emphasize this principle almost every month, but it is critically important today because there are enough variants in functionality for current generations of several types of products to make a one-size-fits-all approach impractical.
It is conceivable that you may need more than one of these products. In that case, be sure that you are aware of any agents that need to live on client machines and that, if more than one needs to be used, there are no conflicts.
Another important factor to consider is whether you need enterprise management, and whether you will need to deploy these products over a wide geographic area to thousands of users. For some of these products, that may pose a challenge. Not all password managers are intended for use in an enterprise. And if they are, they may be targeted at a specific system or application - usually at the administrator level. Probably the most important factor to consider is the password manager management functionality. Lost passwords, role mismanagement and general access controls all are part of the considerations for managing the manager.
Another important aspect of these products is auditing. Not all offered robust auditing. However, when you are managing access to a superuser account, you need to know who is doing what.
How we tested
Testing was straightforward. We set up an environment representative of the setting the tool was intended to manage. Since we had appliances and software - the appliances being solid enterprise-class products - we needed to set up a simulated enterprise with tools such as Active Directory for a few of these products.
Overall, we were pleased with the way this crop behaved. However, we were struck by the variety of use cases that they are intended to support. Those different use cases required a bit of creativity in the lab. Surprisingly, Mike didn't have many challenges deploying the various products.
The bottom line with this type of password manager is to fit the tool to the app, and don't be afraid to mix and match to get what you need. Sadly, that may be necessary and, of course, it adds a level of complexity. Do not expect a tool intended for single users or small enterprises to work well in a large distributed environment. When buying one of these products, one should get a current user reference from an organization similar to one's own.
Mike Stephenson contributed to this Group Test.