Thursday, March 31, 2011

WebPasswordSafe vs . . .

So how does WebPasswordSafe compare with other similar solutions?

If you are looking for a single-user solution to safely store your various personal passwords, you would probably be better off with Password Safe, KeePass, or LastPass.  These are desktop applications or browser plugins that typically use a single master password to unlock access to the many encrypted password entries you store in them.  They offer only all-or-nothing, single-user access: anyone who knows the master password can read every entry, and there is no way to share a subset of entries with someone else.

If you are looking for a complete "privileged identity management" system to take control of your enterprise accounts and passwords (discovery, scheduled rotation, session brokering and the like), you may want to pull out your checkbook and take a look at BeyondTrust, Cyber-Ark, or e-DMZ/Quest TPAM PPM.

Between those two extremes are centralized multi-user password safe products, some of which include a few of the extra features of the heavy-weight management solutions, such as remote password changing.  These products target the set of passwords that are shared between groups of people within an organization, most often privileged or service accounts.  Those passwords need to be stored securely in a central location, with auditing, for disaster recovery purposes, but they also need delegated access controls, because all-or-nothing access for everyone in the organization is inappropriate.  This is the product space that WebPasswordSafe most closely fits, and examples include Password Manager Pro and Thycotic Secret Server.  It is against these products, and especially the latter, that I point out some of the key differences and why WebPasswordSafe may be the best fit for you:

  • Free
  • Open source, with transparent security
  • Multi-platform (doesn't require Windows and MSSQL)
  • Simple and easy to use user interface
  • Plugin modules for audit logging, authentication, authorization, data encryption, and password generation allowing the choice between customizable integration with your organization's existing technology or using the default out-of-the-box implementations
  • Useful and customizable reports
  • Better categorization of passwords, based on free-form tags rather than a forced hierarchy of folders
  • Permission templates that let you define a common combination of permissions once and reuse it across passwords, rather than inheriting permissions from a fixed folder hierarchy
  • More fine-grained audit events, such as the difference between viewing a password's properties and the password's actual decrypted value
  • Basic SOAP web services interface
  • Built with security in mind from the ground up, with features that IT security professionals demand

These differences are in addition to the many features it shares with the other products, which you can read about on the main project page and on the documentation pages of the wiki.