Zack Glick

Password Managers for Small & Midsize Businesses: Zatik's Safety Bar Rating


originally published 10/09/24

updated: 10/10/24



Running a business means administering passwords, recovery codes, and other secrets. Having a designated and managed password vault is core to your business’s security defenses. When we started Zatik Security it was difficult to find any vendor-neutral, publicly available product comparisons or security guidance, so we’re sharing our own business application research in line with our Company Values to pay it forward to the next founder.

None of the companies evaluated sponsored Zatik’s assessment or influenced our recommendations. These are our preferences, based on our review of publicly available feature documentation and professional experience as of October 2024. Gentlepersons can disagree, and your experience might be different.
 
AI Generated image of cartoon padlocks running in a track and field hurdle race

Why use Password Managers for Small Businesses?

The number one attack vector for hackers and ransomware operators in 2024 remains password- and identity-based attacks. Using a password manager to store a unique password for each website is one way to help your employees maintain secure password habits. With a password manager you get the security of a unique password for every website without the mental overhead of having to remember them. This security control protects against password reuse and securely synchronizes passwords across multiple user devices.



 
Weak credentials and misconfigurations across cloud systems were the cause of 3 out of 4 network intrusions during the first half of 2024. Systems with weak (or missing) credentials were the top initial access vector, accounting for 47% of cloud environment attacks during the first six months of the year (source: Google Cloud H2 2024 Threat Horizons Report). Microsoft detects almost 4,000 password-based attacks against their customers every second of every day (source: Written Testimony of Brad Smith, Microsoft Corporation, to the U.S. House Committee on Homeland Security).
 

The Zatik SaaS Safety Bar: Evaluating Password Managers for Small & Midsize Businesses


A table of the findings with green checkmarks and red Xs.

When evaluating any software application for use by your business, it's essential to consider specific security features. At Zatik, we've developed the Zatik SaaS Safety Bar, a framework that helps evaluate the key security features of SaaS products, including password managers. We used this framework to evaluate 5 password managers aimed at small & midsize businesses: 1Password, Bitwarden, Dashlane, Keeper, and LastPass.


Key safety features to look for in SaaS applications include:


  1. Offers Two Factor Authentication

  2. Provides an admin mechanism requiring that all users of a team/tenant/product have Two Factor Authentication enabled

  3. Supports SSO integration without requiring Enterprise tier “SSO Tax” upgrades

  4. Offers a basic form of Role Based Access Control to split administrative functions from normal users

  5. Offers an Audit Trail inside of the application

  6. Allows an Administrator to force another user to log out, or otherwise revoke their access to the SaaS app (not dependent on SSO)

  7. Allows the Administrator to set a password complexity policy for users of a team/tenant/product

  8. Encrypts data in Transit

  9. Allows Admins to Destroy their Data


When applying the Zatik SaaS Safety Bar we only evaluate the features that are publicly documented. Based on public documentation, two password managers matched 8 of 9 Zatik Safety Bar criteria: Bitwarden and LastPass. Bitwarden lacks the ability for an admin to kick out an attacker after an account has been compromised. This is a key feature for incident response, and LastPass offers it.


LastPass’ one missing feature is the ability to specify a custom password complexity policy; however, when we dug a little deeper we found an Admin Console policy page which mentions the ability to control password strength. The full details of how the policy works are hidden behind a login prompt, but the page confirms that there is a way to set a password complexity policy. Our advice to LastPass would be to provide additional public documentation on this feature, similar to their public documentation on Multi-Factor Authentication.


With that 9th safety feature confirmed to exist in LastPass, Zatik recommends either LastPass or 1Password for small and midsize businesses. Both LastPass and 1Password meet all 9 of the key criteria outlined in our SaaS Safety Bar, offering robust admin controls, the ability to log out attackers, and a substantial audit trail. Bitwarden came close but does not offer the ability to log out a user if their sessions are compromised.


update: A helpful blog reader pointed out where 1Password's "force log out" feature is documented. We searched their website for "logout", "session", "account compromise" and couldn't find this feature, but it is included on their add/remove user page. As a result, both LastPass and 1Password offer all 9 safety features we believe are critical for SaaS applications.

Didn't LastPass Get Hacked?

No company can create a product which is immune to security incidents, and in December of 2022 LastPass alerted their customers about security incidents which had taken place earlier that year. LastPass does not have access to decrypted customer passwords, so attackers did not gain access to that data; however, the attackers were able to exfiltrate the encrypted vaults of LastPass customers. LastPass keeps a page updated on their support website with the actions they have taken based on this event. In addition to these security measures, as of May 1, 2024 LastPass also completed the process of going independent from their prior parent company, GoTo.


Organizations look to build defense in depth to ensure that a single domino falling does not completely compromise their security model, and constantly learn and iterate based on the changing threat landscape. LastPass has taken engineering steps to address security findings from the incident such as encrypting URLs which were previously stored in cleartext, and increasing the number of rounds of encryption used on customer data.


With these visible and continuous investments in security and the unique feature set that they offer, Zatik is confident in recommending LastPass to our clients based on the Zatik SaaS Safety Bar.

Browser vs. Third-Party Password Managers: Which is Better for Business?

Password Managers are built into most web browsers and/or mobile devices. Since they are connected to the website where they should be filled in, they provide an extra layer of protection against being tricked into entering a password into a malicious site. If you have a password saved for example.com, you will only be prompted to enter it on the example.com website. Unfortunately, browser and mobile password managers do not offer central management functionality for IT administrators to ensure employees are actively using a password manager and unique passwords. They also may or may not sync across devices, depending on each individual’s configuration. For this reason we recommend businesses implement a third party Password Manager solution.
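The origin-binding behaviour described above (a credential saved for example.com is only offered on example.com) can be written down as a small matching rule. The code below is an added illustration, not any browser's or vendor's implementation; the saved logins are constructed sample data, and the subdomain rule and the refusal to fill over plain http are this example's own policy choices.

```python
from urllib.parse import urlsplit

# Constructed sample vault: saved origin -> account label. No secrets are needed to
# decide whether to offer a fill, so none appear here.
SAVED_LOGINS = {
    "https://example.com": "alice@example.com",
    "https://portal.example.org": "alice",
}


def _host_matches(saved_host: str, page_host: str) -> bool:
    """Exact host, or a subdomain of the saved host (login.example.com for example.com).

    The leading dot in the suffix test is what rejects lookalikes such as
    example.com.evil.test or examp1e.com: they never end in ".example.com".
    Real browsers commonly match on the registrable domain instead; the rule here
    is deliberately the stricter one."""
    return page_host == saved_host or page_host.endswith("." + saved_host)


def autofill_candidates(page_url: str) -> list[str]:
    """Return the account labels the manager would offer to fill on page_url."""
    page = urlsplit(page_url)
    if not page.hostname:
        return []
    page_host = page.hostname.lower().rstrip(".")
    offers = []
    for origin, label in SAVED_LOGINS.items():
        saved = urlsplit(origin)
        # A credential saved over https is never offered over plain http.
        if page.scheme != saved.scheme:
            continue
        if _host_matches(saved.hostname.lower(), page_host):
            offers.append(label)
    return offers


if __name__ == "__main__":
    for url in ("https://example.com/login", "https://example.com.evil.test/login",
                "http://example.com/login", "https://examp1e.com/"):
        print(url, "->", autofill_candidates(url))
```

The phishing defence falls out of the rule: a user who lands on a lookalike domain is simply not prompted, which is the cue that something is wrong.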

Summary: Strengthen Your Business Security with a Password Manager

Zatik recommends LastPass or 1Password as a password management solution for small and midsize businesses. Both LastPass and 1Password meet all 9 of the key security criteria outlined in the Zatik SaaS Safety Bar, offering multi-factor authentication, robust admin controls, the ability to log out attackers, and a substantial audit trail. Bitwarden came close but does not offer admins the ability to log out a user if their sessions are compromised.


Embracing a password manager is one of the first steps a business owner should take to begin hardening their business, as it is a quick win for managing password security of your staff across all websites and applications. While our recommendations are based on the safety features we prioritize, it's essential to evaluate your specific needs and risk tolerance.


Diving into the details is critical when deciding to adopt a product into your stack. These types of technology security reviews are one of the services we offer at Zatik Security to help our customers secure their environments. If you want us to dive into the details for you, please reach out.


 


Show Our Work

All services below were reviewed in October 2024 based on publicly available documentation, to determine whether each service offering meets the Zatik SaaS Safety Bar.


LastPass

  • Offer Two Factor Authentication: Yes, Options include authenticator apps and Yubikeys

  • Require all users to use 2FA: Yes, You can create a Multifactor Policy that requires 2FA at login.

  • Support SSO Integration: Yes, You can use their directory integrations for your users to access LastPass

  • RBAC for admin functions: Yes, Super Admin is the most sensitive role in LastPass. There is the ability to create custom roles to separate out admin functions

  • Audit Trail: Yes, the User Activity report provides a log (2 years of history) of every login event, password or username update, attempted login, etc.

  • Force Logout: Yes, You can destroy all active sessions in the admin console

  • Password Complexity: Yes, You can specify policies to control the strength of your users’ Master Passwords (very briefly publicly documented here). In order to view the full policy list you must be logged into your LastPass account.

  • Encryption in Transit: Yes, Data is encrypted in transit per security whitepaper

  • Data Destruction: Yes, You can delete your account via the UI

1Password

Bitwarden

  • Offer Two Factor Authentication: Yes, support for FIDO2, Authenticator app, or via email

  • Require all users to use 2FA: Yes, Per Pricing page policies are on the “Enterprise” tier. However, there is a price listed so we still include it here. There is a policy to require 2FA. Note that since they support email as a second factor, a user could be using neither TOTP nor FIDO2 and still be compliant with the policy.

  • Support SSO Integration: Yes, Per Pricing page SSO is a feature on the “Enterprise” tier. However, there is a price listed so we still include it here. SSO is supported for Enterprise Organization

  • RBAC for admin functions: Yes, Per Pricing page custom roles are a feature on the “Enterprise” tier. However, there is a price listed so we still include it here. Custom roles support this requirement.

  • Audit Trail: Yes, Event Logs are stored indefinitely by Bitwarden

  • Force Logout: No, Per this FAQ an individual user seems to be able to force a logout, but there is no documentation that suggests an admin can take action if they think a user has been compromised. Searches on the documentation site for "logout", "session", or "account compromise" did not surface any relevant documentation.

  • Password Complexity: Yes, Per Pricing page policies are a feature on the “Enterprise” tier. However, there is a price listed so we still include it here. The Password Requirements policy allows you to set complexity standards.

  • Encryption in Transit: Yes, Details are in a security whitepaper

  • Data Destruction: Yes, you can delete an account or an organization


Dashlane

  • Offer Two Factor Authentication: Yes, they support authenticator apps

  • Require all users to use 2FA: Yes, you can enforce this using a policy on a Professional Plan

  • Support SSO Integration: Yes, SSO and SCIM are supported on Dashlane Professional Plans

  • RBAC for admin functions: Yes, a user is a Member or an Admin

  • Audit Trail: Yes, Activity Logs on Professional Plans allow for admins to monitor activity

  • Force Logout: No, An individual user can revoke access to devices. There is no mention in the docs of whether an admin can do this for their users. Admins can remove users from their plan to remove access to shared items, but this does not impact items in the affected account. We searched their documentation site for "logout", "session", and "account compromise" without finding relevant documentation.

  • Password Complexity: No, There was no information on the policies page, nor any relevant results for "Password complexity".

  • Encryption in Transit: Yes, All communication is secured using HTTPS per security whitepaper 1.7

  • Data Destruction: Yes, you can delete an account

Keeper

  • Offer Two Factor Authentication: Yes, They offer TOTP or Yubikey as a second factor. Note that they also offer SMS as an option for the second factor. You can disable SMS using a policy, but you have to enable that policy; SMS is an option by default.

  • Require all users to use 2FA: Yes, Their Two Factor Authentication (2FA) Enforcement Policy can mandate a second factor.

  • Support SSO Integration: No, Per pricing page Single Sign-On is on an unpriced Enterprise tier

  • RBAC for admin functions: Yes, Keeper Administrator is their default admin role. You can create additional roles with “full admin rights” to let others manage. Their product is built on a hierarchy, and the Root Node is the source of all privileges. You can have delegated admins at different tiers and, if you would like, have their permissions flow down to sub nodes.

  • Audit Trail: Yes, The Activity Reporting use case page calls out that there are activity reports that can be downloaded. However, there are not a lot of specifics about what those reports contain. In their Advanced Reporting and Alerts module page they list 100+ events that are on offer, but there’s no list of what comes without this add-on.

  • Force Logout: Yes, though there is not great documentation on this process. Their info on the user details screen does indicate that you can “Lock” a user, which blocks their access to their Keeper Vault. You can then force a master password reset.

  • Password Complexity: Yes, The Master Password Complexity policy supports this feature

  • Encryption in Transit: Yes, Data is encrypted in transit

  • Data Destruction: No, There does not appear to be a self-service option to delete your data. You can manually contact the company per their privacy page. There is a way to delete a company account if an MSP is reselling Keeper, but not if you are self-administering the account.


None of the companies evaluated sponsored Zatik’s assessment or influenced our recommendations. These are our preferences, based on our research of publicly available feature documentation and professional experience as of May 2024. Gentlepersons can disagree, and your experience might be different.

FAQ

  1. What is the best password manager for small businesses?

    1. Zatik Security recommends LastPass for small business owners based on our review of password managers vs the Zatik SaaS Security Bar

  2. How do password managers mitigate credential stuffing?

    1. Credential Stuffing attacks are when attackers try username/password combinations found in other data breaches on other sites across the internet. Password managers make it easier to have a unique password for each website, reducing the likelihood of this attack working.

    2. Password managers also allow business owners to see if their employees are using the same password across websites, without revealing the password itself.

  3. Is a browser password manager ok to use?

    1. Yes, it’s an acceptable first step towards improving your password security. Password managers built into the browser can help you have a unique password across each website. However, if you have employees you will not have the sharing or management features of the Password Managers reviewed above.

  4. Why are password managers important for small businesses?

    1. Password managers help employees maintain strong, unique passwords without memorization, reducing the risk of password reuse and breaches like credential stuffing.

    2. They centralize password security and provide administrative oversight for business owners

  5. Does LastPass let you specify a password policy for your users? 

    1. Yes, you can apply a Master Password policy to your users. You can view the full policy list if you are logged into your LastPass account.
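FAQ item 2 above says a password manager can show an owner which employees reuse a password across websites without revealing the password. One way to build such a report, as an added example that is not any vendor's implementation: compare keyed hashes (HMAC) of each vault entry rather than the passwords themselves. The vault rows below are constructed sample data; in practice the comparison would run inside the client where the vault is already decrypted, and the one-time key is discarded afterwards so the tags cannot be matched against a wordlist later.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample vault export: (user, site, password). Plaintext appears here
# only because this is offline demo data; the report itself never emits it.
SAMPLE_VAULT = [
    ("alice", "https://mail.example.com", "correct horse battery staple"),
    ("alice", "https://crm.example.net",  "correct horse battery staple"),
    ("alice", "https://bank.example.org", "x9!Lm#4pQz@7"),
    ("bob",   "https://mail.example.com", "Summer2024!"),
    ("bob",   "https://hr.example.net",   "Summer2024!"),
    ("bob",   "https://crm.example.net",  "Summer2024!"),
    ("carol", "https://mail.example.com", "unique-per-site-1"),
]


def reuse_report(entries, key=None):
    """Return {user: [sorted lists of sites that share one password], ...}.

    Equal passwords give equal HMAC tags under the same key, so reuse is visible
    from the tags alone. A fresh random key per run means the tags are useless
    to anyone who later obtains the report. Users with no reuse are omitted."""
    key = key or secrets.token_bytes(32)
    groups = defaultdict(lambda: defaultdict(list))
    for user, site, password in entries:
        tag = hmac.new(key, password.encode("utf-8"), hashlib.sha256).hexdigest()
        groups[user][tag].append(site)
    report = {}
    for user, by_tag in groups.items():
        reused = [sorted(sites) for sites in by_tag.values() if len(sites) > 1]
        if reused:
            report[user] = sorted(reused)
    return report


if __name__ == "__main__":
    for user, clusters in reuse_report(SAMPLE_VAULT).items():
        for sites in clusters:
            print(f"{user}: same password on {len(sites)} sites: {', '.join(sites)}")
```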
