By Timothy Warner
You probably already know that the most secure passwords are those that are complex, pseudo-randomly generated, and are unknown even to the credential owners. An equally important principle of solid password hygiene is to use a separate password for every service you use.
To adopt this high-security password posture, it's mandatory that you use an online password manager. Many independent software vendors (ISVs) exist in this space: LastPass, KeePass, 1Password, and Dashlane are four products that spring to mind. Today I'd like to introduce you to Zoho Vault, an online password manager that is free for personal use.
Getting started
Zoho Vault is a traditional software-as-a-service (SaaS) web application. Browse to the account signup page and create a free account with no credit card required. You can also create your account through federated identity with your Google, LinkedIn, or Microsoft accounts.
The next step is the most important. Your vault passphrase is what Zoho Vault uses to encrypt all of your secrets. Although Zoho stores your vault data on its cloud servers, it never sees your secrets in plain text. Specifically, your vault passphrase along with AES-256 encryption keeps your secrets safe.
If you lose your vault passphrase, Zoho is unable to retrieve it for you, so be sure to secure this passphrase!
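The passphrase-based encryption described above can be modelled in a few lines of Node.js. This is an added example, not Zoho's code: the page names only the vault passphrase and AES-256, so the PBKDF2 key derivation, the GCM mode, the iteration count, and the function names `sealSecret` and `openSecret` are assumptions.

```javascript
// Added illustration of passphrase-based vault encryption; not Zoho Vault's code.
// Assumed: PBKDF2-HMAC-SHA256 key derivation and AES-256 in GCM mode.
const crypto = require('node:crypto');

const KDF_ITERATIONS = 310000; // assumed work factor, tune for your hardware

// Stretch the passphrase into a 32-byte (256-bit) AES key.
function deriveKey(passphrase, salt) {
  return crypto.pbkdf2Sync(passphrase.normalize('NFKC'), salt, KDF_ITERATIONS, 32, 'sha256');
}

// Runs on the client. The returned record is all a server would ever store.
function sealSecret(passphrase, secret) {
  const salt = crypto.randomBytes(16); // fresh per record
  const iv = crypto.randomBytes(12);   // never reuse an IV under the same key
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  const body = Buffer.concat([cipher.update(JSON.stringify(secret), 'utf8'), cipher.final()]);
  const b64 = (buf) => buf.toString('base64');
  return { salt: b64(salt), iv: b64(iv), tag: b64(cipher.getAuthTag()), ciphertext: b64(body) };
}

// Returns the secret, or null when the passphrase is wrong or the record was altered.
function openSecret(passphrase, record) {
  const raw = (field) => Buffer.from(record[field], 'base64');
  try {
    const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKey(passphrase, raw('salt')), raw('iv'));
    decipher.setAuthTag(raw('tag'));
    const plain = Buffer.concat([decipher.update(raw('ciphertext')), decipher.final()]);
    return JSON.parse(plain.toString('utf8'));
  } catch (err) {
    return null; // GCM tag mismatch: without the passphrase there is nothing to recover
  }
}

// Constructed sample data.
const record = sealSecret('correct horse battery staple', { user: 'alice', password: 'S3cr3t-constructed' });
console.log(Object.keys(record));               // only salt, iv, tag, ciphertext leave the client
console.log(openSecret('wrong guess', record)); // null
```

Because the key exists only as a function of the passphrase, a provider holding this record cannot reset or recover it, which is why a lost passphrase means lost secrets.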
After login, the application takes you by default to the All Secrets view. Note that Zoho gives you Enterprise Plan access free for 15 days. After the trial period, you can either convert to a paid plan or continue using the free tier for personal use forever.
Creating and organizing secrets
The primary way to add secrets to your Zoho Vault is to use the web administration console. Take a look at the following annotated screenshot, and I'll explain.
- A: Built-in secret types are bank account, file store, health care, social security number, UNIX credential, web account, and Windows credential. You can add your own secret types as well; the Add Secret dialog changes to adapt to the properties associated with each type.
- B: Use the Enterprise classification to share this secret with other users. If you're using the product in free mode, choose Personal.
- C: The key icon represents the built-in complex password generator. Click Show to reveal the secret in plain text.
- D: Include additional key-value pairs for metadata tracking purposes.
Another way to add secrets to your Zoho Vault is to use the Firefox, Safari or Chrome browser extension. Search the appropriate online store to locate and install it, and unlock the extension by supplying your vault passphrase.
Whenever you attempt to log into a web application for which Zoho Vault does not contain the secret, it will prompt you "Do you want Zoho Vault to save this password?" As you can see in the next screenshot, it will then give you an abbreviated version of the Add Secret dialog we just saw a moment ago.
You organize your Zoho Vault secrets by creating virtual folders Zoho calls chambers. As you can see by inspecting the following screen capture, creating a chamber is as simple as giving the chamber a name and adding the appropriate secrets to it.
Using and sharing secrets
You can use your existing secrets in a couple of ways. In your Zoho Vault web console, navigate to Secrets > Auto Logon. As you can see in the next image, you'll have entries for each website for which you've defined a secret. Click the icon, and it will automatically log you into the appropriate web application in a separate browser tab. Easy!
The other way to use your stored secrets is, of course, through the Zoho Vault browser extension. Navigate to the target website, open the extension, find the appropriate entry, and click Auto Logon as shown here:
If you have a paid subscription, you can share your secrets selectively with team members and even non-Zoho users. Navigate to Admin > Users and populate your Zoho Vault organization; each user will receive an email invitation to join.
After that, you can click the share icon next to an individual secret or even an entire chamber and complete the Share Secret with Users dialog. Permissions include the following options:
- One-click login only
Various other features
Offline access is a key (pun intended) concern for any online account holder. In the Zoho web console, navigate to Tools > Offline Access to download an encrypted HTML file that contains all of your secrets. Use the vault passphrase to unlock the file.
Somewhat similarly, you can export your secrets from Zoho Vault to comma-separated value (CSV) format. Be careful—the output here is plain text.
You can import existing secrets from a number of other online password managers, including LastPass, KeePass, and 1Password.
The Audit section of your vault enables you to see the who, what, when, and where of secret usage. The Admin section allows you to set up two-factor authentication (2FA), change your subscription level, configure a backup schedule, and perform other general administrative tasks.
Native mobile apps (iOS and Android) give you access to passwords while on the go.
You can configure an additional layer of security with a password access control workflow, which forces users to enter a reason every time they access passwords.
The bottom line
The free edition is for personal use only, as I said earlier. The paid tiers are:
- Standard: Suitable for small teams with simple password management and sharing requirements
- Professional: Best for large teams with bulk password sharing, emergency access, and comprehensive reporting requirements
- Enterprise: Tailor-made for SMBs and enterprises alike with Active Directory integration, password request-release workflow, and advanced password management requirements
The pricing here is traditional SaaS, which is to say, per-user, per-month.
In sum, I'd say Zoho Vault is fine for personal use and for small-to-medium IT teams. Depending on your industry/regulatory compliance requirements, Zoho Vault may or may not meet your needs. I'd suggest you create a free account, "kick the tires," and read the documentation to find out for yourself if the product is a fit for you and your business.