Credential Management Systems (CMS) are available both on an individual level and as an enterprise-wide service. A key feature of CMSs is that they can distribute credentials in a closed-loop system, removing the need for operators to know the passwords being used.
This is particularly important for organizations that manage systems on behalf of other businesses. A CMS increases confidentiality by removing the risk of insider threats.
Here is our list of the six best credential management systems for IT professionals and MSPs:
- N-able Passportal A cloud-based credential management system that automatically discovers all user accounts on a system, lists them for management and synchs all changes with onside AD and LSAP implementations.
- NinjaOne Credential Exchange A credentials manager that is integrated into the cloud-based NinjaOne RMM remote monitoring and management system.
- ManageEngine Endpoint Central A unified endpoint management system that includes its own credential management system.
- Dashlane Business A cloud-based credentials manager that allows employees to use the service for personal use as well as for work logins.
- Zoho Vault A cloud-based credential management service that coordinates on-premises and cloud-based access rights systems and also includes secure document storage space.
- LastPass Enterprise A cloud-based credentials manager that creates a single-sign-on account for a long list of business applications.
Credential management components
A central feature of the CMS architecture is password management. The CMS should also be able to generate complex passwords and store them in an encrypted format without disclosing them to administrators running the CMS software.
The second main element of a typical CMS is a password distribution mechanism. Operators that need to access a protected system don’t need to log in to that computer or network. Instead, the facilitating utility requests the credentials from the CMS without human intervention. The CMS then delivers the credentials which feed to an automatic login routine in the system access software.
The credentials distribution process is more than just a messaging system. It integrates encryption and authentication procedures to ensure that the requestor for the credentials is not an intruder and also to protect the transmission of sensitive information from wiretappers.
Most CMSs use a public key encryption system that enables the requestor to prove its identity and also protects transmission without needing to distribute encryption keys. This is very similar to the security procedures used by Transport Layer Security (TLS), the authentication system deployed by HTTPS to protect web traffic.
Another important feature of CMS software is that it can log every credentials request. This enables a business to know exactly which service had access to a resource and at what time. Should a data breach occur, tracing all possible culprits is an essential task, and activity logging provides that information.
CMS services offer extra security features, such as two-factor authentication (2FA) and automatic password rotation. Setting up initial credentials requires an interface to a business’s access rights system. Once a resource’s allowed user accounts have been set up in the CMS, further communications with access rights systems are required whenever passwords are replaced.
The best credential management systems
The need to keep passwords secure and free from disclosure is important in any organization. In the past, IT departments created a weak point in system security because support technicians needed to know system passwords in order to log into a resource and fix a problem.
The creation of credential management systems removed the need for technicians to know passwords in order to carry out their tasks. The automated credentials request procedures built into system access software also removes the need for an operator to get involved with system or user passwords.
Managed Service Providers (MSPs) have an even higher priority for password security. Their technicians not only risk the security of the MSP’s system if they have to acquire credentials, but they also could compromise the security of every client of the MSP. An MSP would find it difficult to win new business if its technicians had to get direct access to the passwords of all users. The implementation of a CMS enables the MSP to demonstrate to potential customers that there is no way any of the staff of the service provider could find out access credentials.
Our methodology for selecting a credential management system
We reviewed the market for credential management tools and analyzed the options based on the following criteria:
- Password distribution without users getting visible access
- Login screen autofill
- Secure password locker
- Activity logging
- Permissions levels
- A free trial or a demo service that allows an assessment to be made before paying
- Value for money, provided by an affordable but comprehensive package
Using this set of criteria, we looked for credentials management services that can be used throughout the organization for support access.
You can read more about each of these options in the following sections.
1. N-able Passportal
Passportal is a cloud-based credential management system. It centralizes the controls of identity management and access management in one console. The system is able to manage access rights to resources on many sites, so it is a good tool for centralized IT departments. It is also built to enable an MSP to support credential management for multiple clients.
Key Features:
- Designed for managed service providers
- Integrates with Active Directory and LDAP
- Access to on-site and cloud-based systems
- Creates temporary access accounts
- Password generator
Why do we recommend it?
N-able Passportal combines password management with document security. The encrypted vault stores all your corporate passwords and also sensitive documents. Credential distribution is implemented behind the scenes without the user seeing passwords. Documents can only be accessed by specific users. The console also acts as a front end for Active Directory.
The Passportal system supports Microsoft-produced access rights systems based on Active Directory and LDAP. It is able to manage credentials for access to a network, endpoints, email, file servers, and cloud-based services, such as Azure and Office 365.
When beginning service, Passportal searches for all AD-controlled services and software and compiles its own user account list to enable credential management to be driven within its own console. The system administrator then works with user accounts listed in Passportal with the ability to add, alter, and delete accounts. All changes made within Passportal get synched to local AD instances.
Passportal is able to create temporary access accounts to allow the technician access to a system without having to use permanent credentials that could be disclosed. The creation of each technician account is recorded and the temporary account gets deleted once the technician’s task is complete.
The password management features of Passportal include a password generator and the enforcement of password rotation. Passwords for each user are held in a personal vault and can be distributed automatically for autofill functions in many applications. The credentials manager integrates with-able Take Control, N-central, and RMM, ConnectWise Manage, Automate, and Control, Datto Autotask, NinjaOne, and Kaseya VSA and BMS. When dealing with these integrated services, all credentials get exchanged behind the scenes, so the user never needs to know what they are.
Who is it recommended for?
This system was specifically designed for use by managed service providers. The credentials that it stores relate to access for MSP systems and also access to the assets of clients. The N-able platform includes an RMM package and Passportal integrates with that. It can also manage passwords for a list of other RMM systems.
Pros:
- Supports automatic Active Directory sync via LDAP
- Can run access audits to easily identify internal changes made during a period of time
- Supports compliance reporting to identify weak passwords and force changes base on policy
- Users generate their own encryption key, securing their cloud data from third parties, including Passportal
Cons:
- Smaller networks may not benefit from the MSP/enterprise-specific tools Passportal offers
Passportal is charged for by subscription, paid monthly in advance. There is no contract, deposit, or minimum service period. You can schedule a demo.
Passportal is our top pick for a credentials management system because it centralizes all credentials management activities for multiple sites and even for multiple businesses. The Passportal service is cloud-based and so can be accessed from anywhere through a standard browser. The system automatically discovers all protected hardware and software and generates a list of user accounts in order to begin the credentials management process from within Passportal. There are no initial setup costs for Passportal. Schedule a Demo: https://www.passportalmsp.com/demo OS: Cloud-basedEDITOR'S CHOICE
2. NinjaOne Credential Exchange
NinjaOne is a remote monitoring and management system, which can manage several sites from one central location. This makes it a good tool for IT professionals operating a central IT department. Multi-tenant features in the system also make NinjaOne an ideal software platform for Managed Service Providers.
Key Features:
- Manages access to client systems
- Confidential credentials distribution
- Supports patch management
- Activity logging
Why do we recommend it?
NinjaOne is a rival to the RMM packages offered by N-able. It has its own integrated credential management tool – this is the NinjaRMM Credentials Exchange. This tool specifically operates for technician access to the devices on client sites. It stores passwords for endpoints running Windows and macOS.
Credential Exchange is a credential management system that is built into NinjaOne. It is specifically designed to enable technicians to run scripts behind the scenes on endpoints. The system is able to manage access to computers running Winds and macOS and those scripts will be run without requiring the device’s user to log off. The user won’t even realize that troubleshooting and maintenance tasks are going on.
The Credential Exchange service integrates with NijnaRMM’s patch manager and software management functions. It enables automated and manual software updates to be implemented in bulk or individually on any of the managed endpoints running Windows or macOS. It also facilitates access to endpoints using the NinjaOne remote desktop utility.
Credential usage events are logged for an audit trail along with all technician activity logs that are built into other utilities in NinjaOne.
Who is it recommended for?
The NinjaOne platform was designed for use by managed service providers and it is now also being marketed to corporate IT support departments. The credentials exchange is a part of the NinjaOne RMM package – remote access for technicians won’t work without this tool. The credential manager is also relied upon for remote task automation.
Pros:
- Supports over 120 integrations making it a solid option for already established organizations
- The interface can be customized to both monitor clients as well as manage device inventory
- Builtin remote access with remote commands allows technicians to troubleshoot without initiating a session
- Flexible pricing packages – great for all size networks
Cons:
- Would like to see a longer trial period for testing
NinjaOne is a cloud-based service and is charged for by subscription. The RMM is available as a total package and includes Credential Exchange. It is available on a 30-day free trial.
3. ManageEngine Endpoint Central
ManageEngine Endpoint Central – formerly Desktop Central – enables a central IT department to manage endpoints and servers on multiple remote sites. The functions of this system also extend to mobile devices, making it a unified endpoint management system. None of the functions of Endpoint Central would be possible without being able to access the operating systems of all of the devices that it serves. For this purpose, the Endpoint Central system has its own Credential Manager.
Key Features:
- Manages credentials for technician remote access
- Secure credentials distribution
- On-premises software
Why do we recommend it?
ManageEngine Endpoint Central is an RMM package that is designed for use by IT support departments. This tool includes remote access for automated processes and also for manual troubleshooting and maintenance tasks. The Endpoint Central package includes a password locker to facilitate these operations without technicians needing to see passwords.
The Endpoint Central system automates many IT department tasks. It includes patch management, software management, mobile device management, configuration management, IT asset management, and endpoint security functions.
Endpoint Central allows multiple access accounts for access to the dashboard with a superuser status for system administrators. So, each technician using the system has an individual account.
The Credentials Manager operates on two levels – a secure anonymized central credentials store and a local user-accessible credentials system. The system administrator is able to manage a pool of credentials for automated access to remote devices. These account details are not visible to other users of Desktop Central. Each technician can access a personal section of the Credential Manager to organized allocated access accounts.
The Endpoint Central dashboard includes a remote access console and remote desktop system for use by technicians engaged in troubleshooting. The entry into remote devices through this system can be made possible either through administrator credentials or through a personal account of the technician. In either case, the credentials are communicated to the remote access console automatically without visibility or the need for manual input.
Who is it recommended for?
This package is for in-house use – Endpoint Central MSP is offered to managed service providers. The full package has a Free edition for 25 endpoints, which includes the credential manager. The software for the bundle installs on Windows Server, Azure, and AWS and there is also a SaaS version.
Pros:
- A good option for administrators who prefer on-premise solutions
- Can be installed on both Windows and Linux platforms, making it more flexible than other options
- Offers in-depth reporting, ideal for enterprise management or MSPs
- Combines endpoint and credential management
Cons:
- Better suited for MSPs and larger multi-site organizations
Endpoint Central is on-premises software that installs on Windows Server and Linux. Credential Manager gives access to devices running Windows, Linux, macOS, iOS, Android, and Windows Mobile. The system is available for a 30-day free trial.
4. Dashlane Business
Dashlane Business is a credential manager based in the cloud. Dashlane also offers a password manager for personal use. All user account information is stored in a secure, encrypted vault that is held on the Dashlane cloud server, so it can be accessed from any device in any location in the world that has Internet access.
Key Features:
- Cloud-based
- Encrypted password vault
- Password generator
Why do we recommend it?
Dashlane Business offers a combined identity protection system that includes secure password storage and distribution and a Dark Web scanner that identifies password disclosure. Users don’t get to see passwords, which is a good block against insider threats and the risks presented by departing employees.
Each user registered in the system gets a personal vault space and there is also a company-wide credentials management system included with a Dashlane Business account. Employees are able to use their Dashlane service for personal use as well as getting their business passwords managed by the system. The Dashlane service includes a password generator, which creates impossible-to-remember passwords. A Dashlane app on the protected device communicates securely with the Dashlane server to autofill all login screens. The Dashlane app is available for Windows, macOS, iOS, and Android.
Communications between the Dashlane server and protected devices are protected by encryption and access to the dashboard is facilitated through any browser and protected by TLS encryption and authentication. Two-factor authentication is also available but this needs to be activated by the system administrator.
Dashlane Business includes a web protection system that scans any requested web page for malware and blocks it from loading into protected browsers if any hacker tricks are detected.
Who is it recommended for?
Small businesses can get the reasonably priced Starter pack, which provides protection for 10-user accounts. Higher plans have per-user pricing, which makes the package very scaleable. The two top plans, called Teams and Business include extra features, such as a VPN for WiFi protection and a single sign-on mechanism.
Pros:
- Available cross-platform for Windows, Mac OS, iOS, and Android
- Supports autofill for convenient website access without copying and pasting
- Built-in password generator makes it easy to pick new secure credentials
Cons:
- Would like to see better support for browser-based features, these often break with new updates from their creators
Dashlane Busines is a subscription service with a rate per user per month. You can access the service on a 30-day free trial.
5. Zoho Vault
Zoho Vault is a cloud-based secure storage system that includes a credentials management service and a secure document storage space. Zoho Vault includes a multi-account bundling feature that gives each user a personal space while also creating a group-wide credential management service for system administrators. This means that employees can use their account for personal use as well as for work.
Key Features:
- Encrypted password locker
- Credential for on-premises and cloud-based resources
- Option for shared credentials
Why do we recommend it?
Zoho Vault is an online package that is very easy and quick to set up. The tool is able to manage passwords for on-premises systems as well as for other cloud platforms. The package stores credentials in an encrypted vault and distributes them unseen. You can also store important documents in the vault.
The Zoho Vault is protected by uncrackable 256-bit key AES encryption. The system is accessed through any standard browser and the internet data transfers for console traffic is protected by HTTPS. Zoho also produces an app for access from iOS and Android devices.
The management dashboard syncs with many on-premises or cloud-based access right systems including Active Directory, Azure AD, Google Cloud Platform, and Office 365. This means that Zoho Vault will become your central credentials management dashboard and you won’t need to visit each access rights system because changes made in Zoho Vault get rolled out automatically.
Permissions can be set up per group and you can allocate each user account to a group to automatically set a list of permission per account. Individual permission level settings are also possible.
Each user gets login screens filled in automatically. This means that the complex passwords generated within the management console don’t need to be remembered, and they are not even seen by the end-users. End-user facilities include the ability to grant access to files or directories to other team members registered in the Zoho Vault team account.
A team account of Zoho Vault logs all of the credential-related activities of team members, creating an audit trail that is useful for data security standards compliance and can also be used to investigate data breaches.
Who is it recommended for?
There are three versions of Zoho Vault: Individual, Teams, and Enterprise. Businesses need to look at the Enterprise system to get full features, such as on-site controls as well as website password storage. This plan gives you coordination with your Active Directory instances and includes a single sign-on system.
Pros:
- Organizes passwords by service makes it easy for non-technical users
- Leverages cloud storage for credential access from anywhere
- Access control can be managed by single users or groups, great for larger environments
- Free for personal use
Cons:
- Would benefit from a longer 30-day trial
Zoho Vault is a subscription service and it is available in three editions for business: Standard, Professional, and Enterprise. The business plans are charged at a rate per user per month. There are no setup fees or minimum service periods. All paid versions are available for a 15-day free trial.
6. LastPass Enterprise
LastPass offers a free credential management service for individuals and has a paid package for business, called LastPass Enterprise. This is a cloud-based service that is able to coordinate with other access rights management systems based on-premises and in the cloud.
Key Features:
- Manages single sign-on environment
- Secure password distribution
- Multi-factor authentication
Why do we recommend it?
LastPass Enterprise is a business plan from one of the most widely-used password managers in the world. This system provides each employee with a personal vault and links it into the browser’s user account. This means that as long as the user is logged in, passwords can be accessed from any device.
The LastPass Enterprise system offers a central dashboard to system administrators where Single Sign-On accounts can be set up for all users. The credential management system is able to integrate with a long list of applications and communicate account credentials without the user getting any sight of passwords. This makes it ideal for use by IT departments and MSPs for technician access.
Among the long list of systems that LastPass Enterprise can manage credentials for are AWS, Salesforce, Datadog, GitHub, Evernote, Google Cloud Platform, Dropbox, and Office 365. Once an application is linked to the LastPass system, all user accounts can be managed centrally through the LastPass system because they will be replicated in the local authorization systems of those other systems.
There are three other LastPass plans for businesses, which are called Teams, MFA, and Identity. However, the Enterprise system is the best of all editions because it includes procedures for multi-factor authentication as well as team credential management services.
Who is it recommended for?
The Enterprise plan is the top plan of the Business division of LastPass. There are two lower plans available for those who don’t need all of the features. One problem with this system is that it only stores passwords for online services, not for on-premises software.
Pros:
- Sleek front end and admin console
- Tracks logins and login attempts through auditing features
- Supports safe password sharing and individual protected folders
- Access passwords from anywhere through secure cloud storage
Cons:
- Would like to see a longer trial period
LastPass Enterprise is a subscription service with a charge per user per month. You can test the system on a 14-day free trial.
Credential Management Software FAQs
What is credential management software?
A credential management system (CMS) is a password locker. This service is available for individuals and will automatically instantiate login values from the stored data. Team versions transmit passwords to application login screens across a network. Transmissions are usually protected by a public key encryption system.
Why is credential management important?
Credentials management enables the use of unique, complex passwords, which can be created by a password generator. Credentials management systems (CMSs) often include a password generator along with secure storage space for all passwords. When used for teams that access the systems of external businesses or individuals, such as support technicians, the automatic population of password fields means that the employee never gets to discover the login and so cannot access the protected system outside of the controlled and monitored work environment.
Does Microsoft have a password manager?
The Microsoft Edge Web browser has a password manager built into it. This can generate complex passwords and store them securely. The tool will automatically populate remembered login screens when they are accessed.
