Accessible from any browser, any platform. Actionable password strength report. Permits sharing and transferring of logins between users. Free edition available.
Browser extensions only for Chrome, Firefox, and Safari. Doesn't handle Gmail or other two-page logins. Lacks Web form filling ability. Doesn't import passwords from browsers.
- Bottom Line
Zoho Vault does everything a password manager must, and there's even an impressive free version. However, it lacks form filling abilities and it can't handle passwords for some key sites, such as Gmail.
It's bad enough that you have to remember passwords for your own social media, email, and other accounts. Then you go to work and have another whole set of passwords you need to know. But Zoho Vault has both situations covered. This password management tool lets you keep business and personal logins separate, and includes business-friendly user management and collaboration features.
//Compare Similar Products
Many password managers offer a free edition with stringent limits, such as no more than 10 passwords, or no multi-device syncing. Zoho's free edition puts no limits on passwords or devices, but it omits the multiuser features and a few other advanced features. The Standard edition, reviewed here, costs $1 per month, and is well suited for individual or family use. With a price of $4 per user per month and a minimum of five users, the Professional edition means business. Its advanced features include automatic password changing for 50 popular websites and an emergency mode that lets the master administrator gain access to every nonpersonal password for a limited time. At the top tier, the Enterprise edition ($7 per user per month) adds big-business features such as Active Directory integration and single sign-on.
The price of the Standard edition, which comes to $12 per year, is quite reasonable. LastPass used to go for the same rate, but that cost doubled earlier this year. Sticky Password costs just under $30, while Dashlane and LogMeOnce Password Management Suite Ultimate both go for almost $40 per year.
Zoho Vault is just one of several dozen applications supplied by Zoho. Most are business-focused, things like project management, bookkeeping, and email. However, they're all free to individuals for personal use. As with Zoho Vault, the free editions tend to omit central administration and other business-specific features.
Starting a new Zoho account is a snap. You just enter your email and a password for the new account, then click a link in the confirmation email. Don't worry about the prompt that asks whether your business already has an account. When you click No, the next page clarifies that, for personal use, you just enter your own name. The final step is to create a passphrase specifically for Vault, separate from the Zoho account password. Note that during the trial period you have access to all features, so you don't have to commit to a subscription right away.
Zoho will prompt you to "start saving secrets" but there are a few things you should do first, for convenience. If you're moving from a different password manager, you can import your existing passwords. Zoho imports from LastPass, Keeper, KeePass, Roboform, True Key and quite a few others. You can also import a CSV file containing password data. However, Zoho doesn't import passwords stored in your browsers. You'll want to transfer those yourself, and then you should turn off browser password capture, too.
There's an option for offline mode, which simply saves your data as a local encrypted HTML file. You log into it just as you would your online account. With a paid account, you can also set Zoho to periodically email you a backup of your encrypted data.
Next, install the Zoho extension in your Chrome and Firefox browsers, which work under Windows, macOS, or Linux. New since my last review, there's also an extension for Safari, and a Windows Store app. The browser extension gives you the expected password capture and replay features. If you're using some other browser, or if you're using a machine that doesn't permit installing extensions, you can add a Login button to click. This button lives on the bookmarks toolbar. You click it to autofill existing credentials for the current website, much as you do with Intuitive Password.
Password Capture and Replay
When you log in to a secure website using a supported browser, Zoho offers to save your credentials as a secret. You can give the saved secret a friendly label like Alternate Amazon, and you can also add notes or tags at this time. In a business setting, you'll need to indicate whether this is a business or personal password. If you're just using it for yourself, the distinction doesn't matter.
In testing, I found that Zoho handled sites with standard login screens, but didn't do well with oddball logins or two-page logins. When I logged into Gmail, Zoho did nothing, because the username and password entry boxes are on separate pages. The same was true of Eventbrite. My contact at the company confirmed this limitation. Not handling Gmail passwords is a pretty big limitation!
When you return to the site, Zoho puts a Z icon in the username and password fields, and fills in the saved credentials. You can click the icon to select a different set of credentials, if you've saved more than one. You can speed things up by choosing your saved login from the browser extension's menu. As expected, this navigates to the site and then logs you on.
In testing, I hit a few snags. Sometimes the banner offering to save my credentials vanished before I could use it, or didn't appear at all. And dueling popups from Zoho and Facebook caused Chrome to hang completely.
When you don't have a browser extension available, perhaps because you're using Internet Explorer, the process is different. You log in to the Vault online, click the link for the desired login, and finally press the Click-to-login button in the bookmarks toolbar. You can log in to your Zoho Vault from any browser, on any platform. Of course, if you don't have a browser extension or login button installed, you'll have to enter your credentials by copying and pasting.
Zoho offers apps for iOS and Android. Both include an internal browser that launches by default when you tap one of your saved logins. On Android, Zoho can fill in credentials in other browsers, and in apps. Those using it on iOS must either accept the internal browser or copy and paste credentials.
Like Sticky Password Premium, Zoho Vault requires one password for your account and a separate passphrase to actually open the treasure trove of passwords. You always need the password the first time you log in with a particular browser or device. By default, the device or browser becomes trusted, meaning Zoho doesn't ask you to verify the account again for 180 days. You can manage trust online, for example to remove a lost device.
You can also configure Zoho for two-factor authentication. Once the administrator turns on this feature, at the next login each user must enter a phone number and choose to receive authentication information via SMS or phone call, or through Google Authenticator. Thereafter, the first login on a new browser or device will require both the password and a verification code.
Of course, this process could break down if you have no cell reception, your battery is dead, or your phone is lost. Don't worry. As part of the setup process, Zoho creates a handful of backup codes for login. These one-use codes let you bypass smartphone-based two-factor authentication in an emergency. The company recommends keeping these in a safe place. If you use them up, or lose them, you can generate more using the online console.
Chambers and Secrets
Zoho supports several other types of stored secret data, among them Bank Account, Health Care, and Windows login. However, Zoho doesn't use these entries to fill Web forms.
You (in your capacity as administrator) can also create custom types. This is more likely to be useful in a business setting. Each secret type can have as many data fields as needed, and you can flag those that are mandatory.
As noted, you can enter tags for each secret as you capture it, or add them later in the editor. Tags can help narrow the search if you have a lot of secrets. You can also define as many such "chambers" as you like. These function much like folders in other products, except that a secret can belong to multiple chambers. New in this edition, you can create nested chambers. Nested folders in LastPass and a few others become nested menus that appear when you click the browser extension. That doesn't happen with Zoho.
I didn't see Zoho's password generator at first. It's represented by a simple key icon next to the password field in the editor. Clicking it immediately replaces the password with a new, random password matching the selected password policy.
Zoho defaults to the predefined Strong policy, which requires passwords to be from 8 to 14 characters in length, using all character types. Settings include a few unusual ones, like forcing passwords to start with a letter, and listing characters not permitted in passwords. You can define your own password policies; I'd recommend creating a super-strong policy that raises the minimum password length to at least 12, and the maximum to at least 16.
LastPass, RoboForm 8 Everywhere, and many others let you configure the password generator right where you're using it, and they also rate the strength of the created password. I prefer this to Zoho's system that separates password policy from password generation. Note, though, that in a multiuser situation Zoho lets administrators enforce password policies that mere users can't change.
New since my last review, Zoho offers a password assessment report. Like the similar feature in LastPass 4.0 Premium and Dashlane, it lists all your passwords, from weakest to strongest. It also reports on specific problems including passwords that contain dictionary words and passwords that haven't changed for a long time. As expected, the report flags duplicate passwords. Zoho also flags what it calls recycled passwords—ones you've used before. My report was pretty dismal, because many of my sample logins were fakes. Oddly, Zoho did not flag the password "password" in the dictionary words category.
Sharing and Transferring Secrets
LastPass, Dashlane, and a few others let you share credentials with other users of the program. The mechanism varies; some let the recipient log in without getting a view of the password, while for others the sharing goes both ways. Consistent with its business emphasis, Zoho emphasizes sharing only the company. In a home setting, this would translate to sharing within the family. As noted, the free edition doesn't include sharing.
There's a new option to share with someone who doesn't use Zoho. You provide the email address and a personal message. Zoho displays a one-off encryption key that you send under separate cover. Sharing ends after 24 hours, or 30 minutes after the recipient makes use of the login. Zoho suggests that once the need for sharing is over, you should change the password.
Password Boss Premium, RoboForm, and a few others offer a kind of password inheritance, ensuring that your heirs can access your accounts. This feature typically includes some kind of waiting period. If your heir requests access, you get an email, and if you're not dead yet, you have some time to cancel the request.
With Zoho, it's not about you, it's about the business. An employee who's on the way out can select some or all saved secrets and choose Transfer Ownership to immediately transfer them to another user. If the parting wasn't so amicable, an administrator can choose Acquire Secrets to forcibly transfer nonpersonal secrets.
Worth a Look
As long as you stick with Chrome, Firefox or Safari, Zoho Vault gives you the fully automatic password management most users expect. You can still auto-fill passwords on unsupported browsers, and you can log in to your saved password data from any browser, on any platform. Paid editions add user management, login sharing, and more.
Zoho does have some unusual features, but it also has limitations. It still can't handle two-page logins like those used by Gmail, Yahoo, and others. It doesn't fill web forms, and doesn't support Internet Explorer. Automatic password changing isn't part of the Standard edition, and in any case, it supports just 50 websites.
Top picks Dashlane, LastPass Premium, and LogMeOnce Password Management Suite Ultimate all offer secure password sharing, password inheritance, and automated password updates, among many other features. And Sticky Password Premium's unusual features include extra-secure syncing via local Wi-Fi and management of application passwords.
Neil Rubenking served as vice president and president of the San Francisco PC User Group for three years when the IBM PC was brand new. He was present at the formation of the Association of Shareware Professionals, and served on its board of directors. In 1986, PC Magazine brought Neil on board to handle the torrent of Turbo Pascal tips submitted by readers. By 1990, he had become PC Magazine's technical editor, and a coast-to-coast telecommuter. His "User to User" column supplied readers with tips… More »
More Stories by Neil J.
- Trend Micro Antivirus+ Security
- Trend Micro Password Manager
- McAfee AntiVirus Plus