I have a three-ring binder beside my desk with dozens of passwords. From one point of view, it’s a lousy password manager — it isn’t in alphabetical order, if someone breaks into my place it could be stolen, and if I spill a drink on a page it’s probably gone.

But arguably it is a perfectly safe system because those passwords aren’t linked to any Web site that has my personal or financial information. These are passwords for Web sites that offer everything from PC support to access to forums for the hobbies I’m interested in. Another strategy is to never allow my browsers to store passwords.

On the other hand, corporate employees may need to have a number of passwords at hand to access more sensitive materials like specialized databases and applications. That’s where a business-grade password manager can be useful.

These include LastPass, Dashlane, KeePass and others, which create a secure vault for storing passwords. CSO Online has a review of a number of them.

Here’s a quick rundown:

– Dashlane lets users change all passwords with one click, and covers more than 160 of the most popular sites, including Facebook, Twitter, LinkedIn, Pinterest, Amazon, Dropbox and Evernote.

– LastPass’ enterprise version has Active Directory sync, configurable management policies, onboarding, offboarding and provisioning, and single sign-on for many popular cloud applications, including Office 365, Google Apps, Salesforce, WordPress and others.

– KeePass is an open source tool for individual use. But I note from checking its site that there’s a company called Pleasant Solutions that makes a server-based KeePass manager for enterprises.

– 1Password, a Canadian entry, includes a strong password generator.

– Montreal-based PasswordBox was recently bought by Intel. The company says it will soon introduce what it calls True Key, which includes smart identity technology from Intel that lets users include facial recognition for more secure login.
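To make concrete what a “strong password generator” in one of these tools actually has to do, here is an added example (my own illustration, not code from 1Password or any other product named above). It draws every character from the operating system’s cryptographic random source via Python’s `secrets` module, guarantees that each character class is represented, and reports the entropy in bits so a CSO can compare a policy such as “20 characters from 86 symbols” against a human-chosen password. The character classes and the 20-character default are assumptions chosen for the example.

```python
import math
import secrets
import string

# Character classes the generator draws from (constructed for this example;
# the symbol set is chosen so that no class overlaps another).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?/",
}


def alphabet_size(classes=None) -> int:
    """Number of distinct symbols the generator can emit."""
    classes = CLASSES if classes is None else classes
    return len(set("".join(classes.values())))


def entropy_bits(length: int, alphabet: int) -> float:
    """Entropy of a uniformly random password of `length` symbols drawn
    from an alphabet of `alphabet` symbols: length * log2(alphabet)."""
    return length * math.log2(alphabet)


def covers_all_classes(password: str, classes=None) -> bool:
    """True if the password contains at least one symbol from every class."""
    classes = CLASSES if classes is None else classes
    return all(any(ch in cls for ch in password) for cls in classes.values())


def generate_password(length: int = 20, classes=None) -> str:
    """Generate a password with a CSPRNG (`secrets.choice`), requiring at
    least one symbol from each class.

    Rejection sampling (draw, check, retry) is used rather than forcing one
    symbol of each class into fixed positions, so the result stays uniform
    over all strings that satisfy the policy and leaks nothing about
    position or order of the classes."""
    classes = CLASSES if classes is None else classes
    if length < len(classes):
        raise ValueError("length must be at least the number of required classes")
    alphabet = "".join(classes.values())
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if covers_all_classes(candidate, classes):
            return candidate


if __name__ == "__main__":
    pw = generate_password()
    size = alphabet_size()
    print(f"generated: {pw}")
    print(f"alphabet size: {size}, entropy: {entropy_bits(len(pw), size):.1f} bits")
```

The point of the entropy figure is that it depends only on the length and the alphabet when the generator is genuinely random; a memorable phrase a person picks has far less entropy than its length suggests, which is exactly why a vault plus a generator beats a binder for anything sensitive. Never substitute the `random` module for `secrets` here: it is seeded predictably and is not suitable for credentials.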

As with any application, CSOs need to check whether these and other managers are suitable. And employees need to check with IT before adding any of these applications to their devices.


  1. ID federations (single-sign-on services and password managers) create a single point of failure, not unlike putting all the eggs in a basket. It remembers all my passwords when un-hacked and loses all my passwords to criminals when hacked. It should be operated in a decentralized formation or should be considered mainly for low-security accounts, not for high-security business which should desirably be protected by all different strong passwords unique to each account. Needless to say, the strength of the master-password is crucially important.

    At the root of the password headache is the cognitive phenomenon called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

    By the way, some people shout that the password is dead or should be killed dead. The password could be killed, however, only when there is an alternative to the password. Something belonging to the password (PIN, passphrase, etc.) and something dependent on the password (ID federations, 2/multi-factor, etc.) cannot be the alternative to the password. Neither can be something that has to be used together with the password (biometrics, auto-login, etc.).

