Overall Satisfaction with Secret Server
We currently use Secret Server within the IT department only. It keeps track of all of our shared passwords— systems, websites, support sites—in one centrally located, secure place. The department used to use a shared desktop application that was hard to keep up to date, and frequently resulted in passwords being recorded elsewhere unofficially, and as less secure.
- Password Management: Its entire purpose, really. Secret Server stores passwords in an incredibly easy to use way. They can be organized in groups, they contain all the information about the site or system the password is used for (including URLs for websites), and even a notes field. You can set up specific policies for expirations and complexity, and Secret Server can even generate strong passwords for you. Using a password is simple, too, since you can just click a button to add it to your clipboard; you don't even have to unmask the password.
- Security: The passwords are stored encrypted in a SQL database, and the application requires an authenticated login. This could be local, but we tie it into Active Directory. Each folder of passwords has groups assigned (in our case, again, AD, but you can make them local groups) with different permission levels, so we can compartmentalize passwords. Desktop technicians don't have access to network switch passwords, etc.
- Easy Setup: It took me about an hour to get the server running, from spinning up the VM to importing our old password list. It took a little longer to organize the passwords into proper folders, and then assigning groups, but it was easy to do.
- Personal Passwords: Each user also gets a personal folder, where they can keep their own, unshared passwords. This is nice for sites or systems with individualized logins (e.g., a firewall, VPN, etc.)
- Favorites: Secret Server lets you tag passwords as "favorites" so you can easily find ones you use constantly. The search feature is nice, but this is nicer.
- Granularity in Security Groups: Groups can be assigned per folder, and different groups can have different permissions, but sometimes there are groups of passwords where only some of them should be visible to some users, and there's no good way to organize that. The best way right now is subfolders, which works, but it can clunky if you have a lot of cases like that.
- Direct URL Logins: Secret Server has a feature where, if it works, lets you click the resource link in the list, which should take you to the site directly and log you in. However, in the years I've used this, it has never worked. I always get a weird application redirection error.
- Default Policies: Some of the default expiration/complexity policies are annoying. I recognize that they are trying to meet best practices, but in many cases this is impractical. I end up having to turn off the default policy altogether and do this manually or with my own policy that I can apply later.
- The best return on investment is that all of our passwords are now up to date and usable by everyone in the department. The old way could only be accessed by one person at a time, and it was frequently wrong.
- We save a lot of time in IT by having the passwords easily accessible. We also meet our security audit objectives by using this app instead of, say, an Excel spreadsheet or an old application that is no longer supported, as was the case at a previous workplace.
- With the size of our department, we don't have enough passwords to go beyond the free version. It's fully functional, but it costs nothing (except some resources on a VM). ROI on free can't be beat.
KeePass is fine for individual use, but it does not meet the same objectives. There are a lot of products like KeePass that are just not as portable or robust, and do not have the kind of granularity Secret Server has. Being able to assign password permissions based on user roles is huge, especially from a security standpoint.
Secret Server is really a great solution for any business that needs more than one person to have access to passwords for various devices, systems, and websites. Even an organization with only one person who would need access, if that person was no longer around, a simple change in Active Directory could assign those permissions to their successor. Candidly, the only scenario I can think of where a business might not want Secret Server would be a sole-proprietorship that was unconcerned with succession or security in general. The free version has no cost beyond using a server, and it's pretty low overhead.