App Wanted: An Improved Password Manager

Editor’s note: Our friends at ArcStone reached out to us to talk about their experiences with password management software. Here’s their take, written by Chloe Mark. What do you think about password managers? Is there one you like? How can password managers be better?

With the plethora of apps available to businesses in 2016, many of us have come to rely on these tools for our work. At ArcStone we manage projects in Basecamp, communicate with clients via Basecamp and Trello, coordinate with team members in Slack, and manage company hours and invoicing in Harvest. This doesn't account for the several other apps each of our team members uses personally.

One of our main issues is not the apps themselves, but managing the security of each unique login. A password manager is one method for keeping these accounts secure, but we have yet to find the right fit. In this post we'd like to point out the issues we have with the current state of password managers; review one of the most popular managers out there, LastPass; and suggest changes future developers should consider.

The Current State of Password Management

We wanted to make sure we tried out several popular password managers to understand what's missing from all of them. Our head of IT, Alicia, has used Master Password and KeePass, finding them both effective for personal use. However, as a business we crave an app that can easily manage accounts for all of our employees. This means the app should provision accounts for a new employee and revoke access for any former employee.

This is why we also tried LastPass Enterprise (now joining forces with Meldium), which is intended for company use. It seeks to make all your apps more secure by keeping your employees' passwords strong and removing the accounts of anyone who no longer works with you.

According to a few of our employees, here are some pros of LastPass:

  • It was easy to use. Once you install LastPass, each time it detects a login on a new site, it asks whether you want to store your password. If you select yes, it walks you through a simple two-step setup. If you select no, you can stop the app from remembering that password with just one click. It also makes it easy to generate a new password and save it to the site. A command-line interface is available as well.
  • It sends alerts. Alicia especially liked how it notifies administrators whenever an employee is reusing a password across several accounts, so you can kindly ask them to update their passwords. An administrator can also track logins on each account if there is a need for more thorough monitoring.

However, the cons were what dissuaded us from committing to this tool:

  • It doesn't work outside of a browser. In our testing it never offered to save passwords for desktop apps, which becomes problematic when half of our apps aren't used in a browser.
  • You're always logged in. It kept us logged into LastPass even after shutting down the computer, so anyone who gains access to your machine also has access to ALL of your accounts within LastPass unless you logged out manually. Before ruling a manager out on this point, check whether it can be configured to require the master password on every start and after an idle timeout.
  • It makes input fields look strange. We found it seems to interfere with the way some input fields are displayed, especially fields that have a placeholder.
  • The admin interface is not user friendly. From the perspective of our head of IT, it has a fairly "clunky" admin interface.
  • Updates are a challenge. It's difficult for admins to add new users or to distribute login information for any additional app.
  • It's not transparent. It's closed-source software, which makes it harder for IT staff to audit the code for bugs before they commit to the product, and can slow down the response to security threats.
  • Most importantly: it shows signs of being insecure. It has a "forgot password" tool. If a master password can be recovered or reset through email, then the vault is only as strong as your email account's password, which is only as strong as the password for the old email account you set up in 2001, and so on. The weakest link in that recovery chain is what an attacker will target.

What Our Dream App Would Look Like

We recognize the challenge this type of app entails, keeping recent breaches in mind. Still, in our dream world, a password manager app would include:

  • A secure application with the relevant independent security audits and certifications.
  • Password storage and generation so that employees are encouraged to create strong passwords, plus automatic notifications to admins when they don't.
  • The ability to manage all passwords, both within browsers and in desktop apps. This includes an automatic lock once the user has left their computer, for example after an idle timeout or when the screen locks.
  • A great user experience for both employees and admins, especially so that onboarding and offboarding employees is not such a hassle.
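The two features this post keeps coming back to, strong generated passwords and admin alerts about reuse, are easy to get subtly wrong (using a non-cryptographic random generator, or shipping plaintext passwords to an admin console just to compare them). The following is an added example written for this page, not code from LastPass or any other product discussed here. It generates passwords with a CSPRNG, estimates their strength, and reports password reuse within one employee's vault using a keyed hash so the report never contains the passwords themselves. The vault entries and the vault key are constructed for the example; the entropy estimate is a ceiling based on character classes, so a password like a capitalized word plus a year will score higher than it deserves.

```python
import hashlib
import hmac
import math
import secrets
import string
from collections import defaultdict

# Constructed sample vault for one employee. These are not real credentials;
# the reused and weak entries are deliberate so the audit has something to find.
SAMPLE_VAULT = [
    {"site": "basecamp.com", "username": "chloe", "password": "Summer2016!"},
    {"site": "trello.com", "username": "chloe", "password": "Summer2016!"},
    {"site": "slack.com", "username": "chloe", "password": "x9#Lq2!vT8pR&wZc"},
    {"site": "harvestapp.com", "username": "chloe", "password": "harvest"},
]

# Constructed per-vault secret. A real manager would derive this from the
# user's master key; it must differ between vaults (see reuse_token).
SAMPLE_VAULT_KEY = b"example-per-vault-key-not-for-real-use"

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20, alphabet=ALPHABET):
    """Generate a password with the OS CSPRNG via `secrets`, never `random`."""
    if length < 12:
        raise ValueError("refusing to generate a password shorter than 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(password):
    """Upper-bound strength estimate: length * log2(size of inferred character pool).

    The pool is inferred from the character classes present. This is only a
    ceiling: it cannot see dictionary words or dates, so human-chosen passwords
    are overestimated. Use it to catch obviously short or single-class passwords.
    """
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def reuse_token(password, vault_key):
    """Keyed hash (HMAC-SHA256) of a password under a per-vault key.

    Equal passwords in the same vault give equal tokens, so reuse is detectable
    client-side. Different vaults use different keys, so tokens are not
    comparable across employees and an admin cannot correlate them or mount an
    offline guessing attack against the report without the vault key.
    """
    return hmac.new(vault_key, password.encode("utf-8"), hashlib.sha256).hexdigest()


def audit_vault(vault, vault_key, min_bits=60):
    """Build the report an admin would be notified with: reused and weak sites.

    The report contains site names and opaque tokens only, never passwords.
    """
    sites_by_token = defaultdict(list)
    weak_sites = []
    for entry in vault:
        token = reuse_token(entry["password"], vault_key)
        sites_by_token[token].append(entry["site"])
        if entropy_bits(entry["password"]) < min_bits:
            weak_sites.append(entry["site"])
    reused = {tok: sites for tok, sites in sites_by_token.items() if len(sites) > 1}
    return {"reused": reused, "weak": weak_sites}


if __name__ == "__main__":
    report = audit_vault(SAMPLE_VAULT, SAMPLE_VAULT_KEY)
    for token, sites in report["reused"].items():
        print(f"password reused on: {', '.join(sites)} (token {token[:12]}...)")
    for site in report["weak"]:
        print(f"weak password on: {site}")
    suggestion = generate_password()
    print(f"suggested replacement ({entropy_bits(suggestion):.0f} bits ceiling): {suggestion}")
```

Running it flags basecamp.com and trello.com as sharing a password and harvestapp.com as weak, while "Summer2016!" passes the entropy check despite being a guessable pattern, which is exactly why the reuse check and a breached-password list matter more than a character-class score alone.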
Comments

1Password

The app 1Password has served me well for years. They recently rolled out "1Password for Teams." It's worth a look: https://blog.agilebits.com/2016/01/18/staying-organized-with-1password-f...

Several factual errors re: LastPass

Password management is a great topic for Idealware to be covering, so thanks for this blog post. Unfortunately, several of the points above about LastPass are either completely untrue or are based on non-recommended configurations. I'm writing as a happy individual user of LastPass Premium; I'm not affiliated with LastPass and I can't speak to the Enterprise features.

  • LastPass offers a Windows tray app to fill passwords outside of the browser. The Android app also does password fill in non-browser apps; I'm not familiar with the iOS app.
  • LastPass allows you to remember your password, and thus be "always logged on," but it doesn't require it. In fact, they recommend against that. I have LastPass configured so that I have to log in with my master password or fingerprint scan every day, and again if the app is idle for an hour. On my phone, the login persists for an even shorter period, and I have to re-enter my password for sure if the screen turns off. You can set an Enterprise policy to disallow your users from being able to remember their password.
  • It absolutely does not allow you to reset your password by email. The "Forgot Password?" link allows you to email your self-selected password hint to yourself. But you still have to know and enter your password to get back into your vault. As LastPass says on their password recovery FAQ, they are "never sent your Master Password, so we cannot send it to you or reset it for you."

I agree that LastPass isn't perfect, and the concerns about proprietary security software are valid. But for me, LastPass strikes an excellent balance between convenient usability and security that makes me comfortable that I am doing a better job protecting my online accounts and identities than I would without it.

Hello - From Zoho Vault

Take a look at Zoho Vault. I'm sure you would like it.