IT Central Station is now PeerSpot: Here's why

BeyondTrust Password Safe OverviewUNIXBusinessApplication

BeyondTrust Password Safe is #10 ranked solution in top Enterprise Password Managers. PeerSpot users give BeyondTrust Password Safe an average rating of 8 out of 10. BeyondTrust Password Safe is most commonly compared to Microsoft Azure Key Vault: BeyondTrust Password Safe vs Microsoft Azure Key Vault. BeyondTrust Password Safe is popular among the large enterprise segment, accounting for 68% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a computer software company, accounting for 26% of all views.
BeyondTrust Password Safe Buyer's Guide

Download the BeyondTrust Password Safe Buyer's Guide including reviews and more. Updated: June 2022

What is BeyondTrust Password Safe?

Beyond Trust Password Safe is an automated solution that combines password and privileged session management into a single platform. Password Safe delivers secure access control, auditing, alerting, recording, and monitoring.

This free and open-source password manager supports Windows and Linux, and some ports are available for other platforms as well. Their proprietary algorithm, Twofish, is considered highly secure, with the advantage that it is not affiliated with NIST. The Twofish algorithm secures the data while keys are delivered using SHA-256 authentication.

The application is easy to use, and you can download the Windows app from several sites. Additionally, the application is available in 14 languages.

Beyond Trust Password Safe Key Features

  • Continuous automated account discovery: Scan, identify and profile assets with the discovery engine. The solution has dynamic categorization that enables the automated onboarding of assets into groups.

  • Application-to-application password management: Password Safe offers an adaptable API interface including an unlimited number of password caches, therefore providing scalability and redundancy.

  • Secure SSH key management: The system automatically rotates SSH keys to enforce granular access control and workflow. Private keys securely log users onto systems without exposing them.

  • Adaptive access control: Evaluates context and provides access requests by considering factors such as time of access and location to determine the user’s authorization level.

  • Enhanced privileged session management: Admins can record, lock, and document suspicious behavior without disrupting productivity by managing sessions live.

  • Advanced privileged threat analytics: Password Safe monitors assets and user behavior every day, analyzing what are normal patterns and detecting deviations.

  • Multi-factor authentication: Password Safe supports 2FA (two-factor authentication) using Yubikey 4, Nano, or Neo.

What can you do with Password Safe?

  • Cross-device and cross-platform syncing: You can safely store encrypted password files online, where you can access them via Password Safe-compatible apps.

  • Drag and drop password: Password Safe has a “Dragbar,” which you can use to complete forms by dragging and dropping icons over the form - for example, passwords, usernames, design tiles, and emails.

  • Autotype: With Password Safe, when you click on a web page or login box, the autotype feature will try to fill in your credentials automatically for you.

  • Import and export: You can import passwords from text, XML, or CSV fails. You can also export passwords in text, XML, and the PSAFE format.

  • Password generator: Generate secure passwords by using the algorithm. You can also define your password rules.

Beyond Trust Password Safe Benefits

  • Controls third-party access: Password Safe secures the connection and automatically checks privileged credentials. The solution records all sessions.

  • Uses context to determine access: Password Safe considers risk factors like location, day, or time of access and uses them to adjust the permissions and privileges of each user.

  • Manages access for privileged and non-privileged accounts: By integrating with SailPoint IdentityIQ, Password Safe effectively manages user access for privileged as well as non-privileged accounts.

  • Reduces cloud risk: Password Safe simplifies secure storage and session management. It supports major cloud providers such as Azure, Amazon, Google, Rackspace, and GoGrid. It also supports social networks - Facebook, LinkedIn, and Twitter.

  • Integrates password and privilege management: Integrates with Endpoint Privilege Management to control the resources users can access and the actions they are allowed to take

Reviews from Real Users

A PAM Architect at a tech services company says, "BeyondTrust Password Safe's features that I have found most valuable are really those that are knitted in. That is their Smart Rules and Smart Groups, where you design your administration model so you create your AD groups and your asset groups, and configure Password Safe."

An I.S. Architect at a insurance company mentions that "Session recording, password rotation, and password vaulting are the most valuable features."

    "One of the most valuable features is that this is a product designed with enterprises in mind," adds a Cybersecurity Architect at a tech vendor.

        BeyondTrust Password Safe was previously known as BeyondTrust PowerBroker Password Safe.

        BeyondTrust Password Safe Customers

        Aera Energy LLC, Care New England, James Madison University

        BeyondTrust Password Safe Video

        BeyondTrust Password Safe Pricing Advice

        What users are saying about BeyondTrust Password Safe pricing:
      • "This solution is not cheap—it's a very expensive solution. Very, very expensive compared to the features and functions that they offer."
      • "It has subscription-based licensing. BeyondTrust is three times less expensive than CyberArk."
      • BeyondTrust Password Safe Reviews

        Filter by:
        Filter Reviews
        Industry
        Loading...
        Filter Unavailable
        Company Size
        Loading...
        Filter Unavailable
        Job Level
        Loading...
        Filter Unavailable
        Rating
        Loading...
        Filter Unavailable
        Considered
        Loading...
        Filter Unavailable
        Order by:
        Loading...
        • Date
        • Highest Rating
        • Lowest Rating
        • Review Length
        Search:
        Showingreviews based on the current filters. Reset all filters
        PAM Architect at a tech services company with 11-50 employees
        Real User
        Top 5Leaderboard
        One of the best kept secrets.
        Pros and Cons
        • "BeyondTrust Password Safe's features that I have found most valuable are really those that are knitted in. That is their Smart Rules and Smart Groups, where you design your administration model so you create your AD groups and your asset groups, and configure Password Safe."
        • "The only negative thing I can say is that BeyondTrust was recently bought by Bomgar and the marriage of the multiple companies coming together in the merger has caused a little bit of a hiccup right now in their software versions."

        What is our primary use case?

        Our clients' primary use case for BeyondTrust Password Safe is managing Windows Privileged Accounts, Linux, and Fit client databases, and for accessing a different database, like Visual Studio, SQL Manager, and things like that. We usually deploy it in a double server, high availability with disaster recovery. It is the primary software architecture.

        How has it helped my organization?

        BeyondTrust Password Safe allows the client to standardize the onboarding of privileged users as well as dynamically onboarding newly discovered assets and privileged accounts and dynamically adding them into Password Safe. Based on administration models, they can dynamically apply policy based on those standards, like a Linux policy versus a Windows policy. Once you create it, it's set and forget until you need to add another platform. Additionally, you can expand your domain if you need to support multiple domain directories, etc. For that you would need to go in and do some administration, but otherwise, the administration model is much lower. CyberArk's is pretty stiff. I told you the CyberArk administrators were very expensive to train and no sooner do you train them, then they get a job for $20,000 more to be an engineer because you trained them too well.

        What is most valuable?

        BeyondTrust Password Safe's features that I have found most valuable are really those that are knitted in. That is their Smart Rules and Smart Groups, where you design your administration model so you create your AD groups and your asset groups, and configure Password Safe. To onboard a new account you can run the discovery engine and use rules automatically to dynamically onboard the asset or the accounts and add them to particular groups based on naming conventions. For example, WADM for Windows Administrator, LIN for Linux Administrator. You'll have a user with their name plus LIN for Linux administrator or WADM for Windows Administrator and BeyondTrust uses those naming conventions for standards, dynamically adds them to the appropriate groups, and then links them dynamically based on them. They would not get added dynamically to Linux. Because you do your administration design upfront, there are very few changes you need to make in the future unless you're adding additional platforms, which is actually what I'm going to do with a client. I'm going to be going there and expanding their platforms, adding network devices, adding application embedded accounts, and probably Windows because they currently are only managing a Linux platform. They have the ability for automatic connections using the remote app. Remote app is like a Windows terminal session. So you do an RDP connection to a server, but when you connect the only thing you can run is a specific application like SQL Server Manager and you don't know the password. The ID and the password are automatically inserted and you connect, do your database work and log out. BeyondTrust has that very nicely, CyberArk has it, Xceedium has it. But not everybody has it.

        What needs improvement?

        There's always room for improvement. But as of right now, I believe BeyondTrust is one of the best kept secrets. The only negative thing I can say is that BeyondTrust was recently bought by Bomgar and the marriage of the multiple companies coming together in the merger has caused a little bit of a hiccup right now in their software versions. For example, the online training courses are two revisions older than the currently released software and some of the guides don't match what you see on the screen. So it's a growing pain. Because they were purchased by Bomgar the people who used to make decisions in BeyondTrust are not necessarily the ones making them now or they've got other people to report to and get approval. Right now they're in a little bit of flux online with their BeyondTrust University.
        Buyer's Guide
        BeyondTrust Password Safe
        June 2022
        Learn what your peers think about BeyondTrust Password Safe. Get advice and tips from experienced pros sharing their opinions. Updated: June 2022.
        608,713 professionals have used our research since 2012.

        For how long have I used the solution?

        I have been using BeyondTrust Password Safe for about six months.

        What do I think about the stability of the solution?

        BeyondTrust Password Safe's stability is like a rock.

        What do I think about the scalability of the solution?

        BeyondTrust Password Safe's scalability is very good.  Of course it's only dependent. The scalability and the horsepower are dependent upon how well you architect it, determining the number of assets and the number of concurrent users.  But you can run these on virtual servers, so you can allocate additional RAM or additional CPU's if you find you're running low on power or, like in the case I'm at, going up from two to six cores on the VM's when we add Windows. Windows requires a lot of overhead so we're going to bump up the CPU, probably to triple the RAM and probably expand the sum volume as well for the storage. This is because they have hundreds and hundreds, if not over a 1,000, Windows servers. Each server is an asset maintained in a database, and the managed accounts are discovered on those assets. You basically just create the rules to add the managed accounts, which are the privileged accounts. Once you create them dynamically you basically do it in Windows platforms. I usually break them up into print servers, file servers, database servers, web servers, and usually application servers. Those will be the five different types of Windows platforms that will have different administrators. You're going to have an OS administrator across all of them, but the OS guy is not going to be able to get into SQL or into Apache Web Service. So you have a great adherence and excellent segregation of duties, and once you create the rules for each platform type, it all happens dynamically. We have a deal in the works for a company with less than a 100 employees. There are only 70 servers, but it is a multi-billion dollar retirement fund management company. They're responsible for billions of assets so they have stiff requirements for security. And their primary is PII. They have to be very careful with the privilege or personally identifiable information. If they get hacked, and there's lots of social numbers out there, there are addresses to banks, most likely bank accounts, because the retirement fund is being attached to somebody's bank so that they can transfer funds for their 401(k) or Roth IRA or whatever. They are very concerned about security. But they're a very small company. There is another one, which is a huge company with a very small footprint, but with an insanely large reach in size and complexity. I can't go into any detail about it.

        How are customer service and support?

        Customer service is off the charts. It is awesome. CyberArk's can be really good as well. But CyberArk can also have a little bit more of a personality. Sometimes I feel like they just want to poke you in the eye. They're now a 150 person company. When I first met CyberArk I think there were only 33 employees. I would give BeyondTrust Password Safe's tech support a 10 out of 10. No problems at all. Absolutely. Abso-freaking-lutely. They are company of human beings and treat you like a human being. CyberArk's is a little silicon, they have a little bit of a harder surface. They're very successful, a top player in the game and they act like it. But BeyondTrust is still a very competitive company to CyberArk, better in some ways. In fact, I would actually say better in most ways. The hardware footprint is significantly lower. But then again, that's also the disadvantage because if you have a disparate network, and let's say you have a global footprint, you're going to have multiple servers in each continent because you don't want the British accessing over here in America. The latency will be awkwardly terrible. So you would have a larger distribution.  One client that I was putting a bid together for had CyberArk. This company was very large,  they had 13 CyberArk instances. They would distribute by corporate standards. They had a separate accounting which had tens of thousands of managed accounts and users. Then they had PAYE for the payroll, and they had accounts receivable, accounts payable, because they were so large, even CyberArk couldn't scale for it. And their hardware footprint at this bank had, I think, 120 total CyberArk servers. I think BeyondTrust would have scaled better for them. CyberArk requires has a huge footprint and BeyondTrust would not require that large a footprint.

        How was the initial setup?

        The initial setup is straightforward. Practically, my daughter could have done it. You can use a standard Windows build or you can use a Linux server. You unpack the files for Linux and run the install or you run the executable for Windows, then you install SQL on both and you're just about done. Then, when it starts, you begin getting ready to populate the database SQL.  You can have it "active active" with high availability so if one server fails the other one takes over. If two of them are up and going, you can do a load balanced pair, and then have a DR server set off in another environment that can take over in the event of a disaster.

        What other advice do I have?

        BeyondTrust Password Safe is very robust and very powerful, very scalable, and very nimble. My advice is to first make sure all their use cases match your need. Then I  recommend to engage with their salespeople, get a good sales presentation and understanding of the cost, and then to get a technical presentation followed by a demo. We have a client whose main use case is Rapid7 SIM with API integration. So far I have found that CyberArk is the only one that can do that. But CyberArk is too expensive for this client. You have to sit down with a client, find out what their use cases, business requirements, and technical requirements are because sometimes they may want you to integrate with ServiceNow, and it's not easy to do that. With CyberArk, Beyondtrust, Thycotic and Centrify it is. Actually BeyondTrust is really a leader. I call them the best kept secret. It's a great product. I like it because the administrative overhead is so much lower. Remember how I said that CyberArk requires a very high administration overhead but because of the dynamic rules and smart rules you basically create a boolean if and then, and you can segregate. If your system or your name ends with dash ADM you're an administrator and you can access these assets and these accounts dynamically. Just by joining the company, getting a username with a dash ADM on the end, which I don't recommend by the way. I recommend having something nondescript because a user account with a _ADM, just screams, "I'm an administrator come and get me." Come up with something else, like an A-3-D. Come up with a different naming convention that would make it discreet. On a scale of one to ten, I would rate it high. I would rate BeyondTrust Password Safe a 10 because the fruits of your labor during the implementation phase pay off for an extended period of time. Rather than the ongoing pretty stiff administration requirements of some tools.

        Which deployment model are you using for this solution?

        On-premises
        Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
        Cybersecurity Architect at a tech vendor with 1-10 employees
        Real User
        Top 5
        Designed for enterprises, but could use more stability and testing
        Pros and Cons
        • "One of the most valuable features is that this is a product designed with enterprises in mind."
        • "I think that BeyondTrust Password Safe could be improved with more testing. In the beginning, they were practically using customers as beta testers. Maybe the product has evolved since I last used it, but if you look at PAM, privileged access management, whatever's out there has already been done. I don't see there being any other enhancements that are being made regarding PAM, except to support more cloud-based applications."

        What is our primary use case?

        There are a lot of customers, worldwide, who use this solution, especially in the education sector. This solution is so niche that it's not like TeamViewer. It's basically designed and developed with enterprises in mind—it's an enterprise solution. It's built for a highly privileged and secure environment. It starts with a virtual appliance and physical appliance and then, now, to what's basically a cloud-based type of access. 

        What is most valuable?

        One of the most valuable features is that this is a product designed with enterprises in mind. 

        What needs improvement?

        I think that BeyondTrust Password Safe could be improved with more testing. In the beginning, they were practically using customers as beta testers. 

        Maybe the product has evolved since I last used it, but if you look at PAM, privileged access management, whatever's out there has already been done. I don't see there being any other enhancements that are being made regarding PAM, except to support more cloud-based applications. 

        For how long have I used the solution?

        I have been working with this solution for over 10 years. 

        What do I think about the stability of the solution?

        The early version of this solution was not stable. It was terrible, but I think they eventually got their act together and it's better now so that they can compete. I haven't tried a cloud version, but if you imagine a solution is 100% on-prem and suddenly turns to the cloud, you can imagine there will be a lot of testing and bugs and all that. I'm not saying the product isn't good, it's just that when you have a vendor that starts out on-premise and only turns to cloud in the past couple years, they have a long way to catch up to leaders such as Thycotic or Centrify. 

        You've got to patch it every month, so how could that be stable? 

        What do I think about the scalability of the solution?

        This solution isn't really scalable because it's Windows-based. How could any Windows solution be scalable? This is strictly my personal opinion, but I would believe that about 80% to 90% of people will agree with me. Windows platforms aren't scalable. 

        What was our ROI?

        I think that customers could see an ROI eventually. A lot of customers purchase the product because they have to get something implemented for GRC: governance, risk, and compliance reasons. So, if you don't buy any of them, then the auditor will say that you didn't pass the audit because you don't have that mechanism in place. This solution is expensive. Is it worth ROI? Yes and no. If they have to meet compliance and whatever standard requirements, I would advise the customer to at least look at two complete products first. This wouldn't be my first choice. 

        What's my experience with pricing, setup cost, and licensing?

        This solution is not cheap—it's a very expensive solution. Very, very expensive compared to the features and functions that they offer. 

        Which other solutions did I evaluate?

        This solution is competing with Thycotic and Centrify, the leaders. Only in the past couple years did BeyondTrust turn from 100% on-prem and start offering cloud services, so of course they still have a long way to catch up with them. 

        What other advice do I have?

        I rate this solution a five out of ten, to be neutral and in the middle. To those looking to implement this solution, I would advise them to fully test it out in their environment before even making the purchase. You've got to thoroughly test it—test everything, otherwise you might regret it. 

        Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
        Flag as inappropriate
        Buyer's Guide
        BeyondTrust Password Safe
        June 2022
        Learn what your peers think about BeyondTrust Password Safe. Get advice and tips from experienced pros sharing their opinions. Updated: June 2022.
        608,713 professionals have used our research since 2012.
        I.S. Architect at a insurance company with 10,001+ employees
        Real User
        Top 10
        A stable and scalable solution with good monitoring, vaulting, and session recording functionalities
        Pros and Cons
        • "Session recording, password rotation, and password vaulting are the most valuable features."
        • "Its documentation can be improved. Its documentation is currently complicated, and it is not good. It needs to be better. Their technical support can also be improved. It is not bad, but it can be better."

        What is our primary use case?

        We are using it for vaulting and proxying the admin session. It is not yet implemented. We will implement it at the beginning of 2021.

        What is most valuable?

        Session recording, password rotation, and password vaulting are the most valuable features.

        What needs improvement?

        Its documentation can be improved. Its documentation is currently complicated, and it is not good. It needs to be better.

        Their technical support can also be improved. It is not bad, but it can be better.

        What do I think about the stability of the solution?

        Its stability is pretty good.

        What do I think about the scalability of the solution?

        It is very scalable. We started with three different sites to implement this product, and we, for sure, will implement it for the fourth site. It is easy to install any kind of component inside this environment.

        How are customer service and technical support?

        Their technical support is not that bad, but it can be improved.

        Which solution did I use previously and why did I switch?

        I use CyberArk and BeyondTrust. In terms of functionality and how they work, they are pretty close, but I prefer BeyondTrust. For vaulting, I like CyberArk a little bit more. For all other things, such as session recording and proxy, I like how BeyondTrust works. To proxy a session on Linux or Unix with CyberArk, you need to create an account each time on the remote site or the device to which you want to connect. BeyondTrust is different. You use a Windows machine, so you can connect with an AD account. It could be a functional account, a privilege account, or any other kind of account, but you use the same account instead of using a new one each time. Monitoring or auditing is easier with BeyondTrust than CyberArk. BeyondTrust is three times less expensive than CyberArk. 

        How was the initial setup?

        It is complex, but it is not only about the product. You need to have good governance and guidelines for password management and session recording and for proxying all those sessions. The process before implementing the product involves more work than setting up the application. It took us one year to design and do some testing in a non-prod environment. We will start the projects and deployment at the beginning of 2021.

        What's my experience with pricing, setup cost, and licensing?

        It has subscription-based licensing. BeyondTrust is three times less expensive than CyberArk.

        What other advice do I have?

        You need to be very clear about how to implement vaulting or the session recording mechanism. If you don't go with an external partner to help you with that, it can very difficult to have a solid implementation of such solutions, whether it is CyberArk, Thycotic, BeyondTrust, or any other solution. Just because you installed these solutions doesn't mean that they would resolve 100% of your work. You need to have some processes for such applications, and you need to do some homework first. With the help of an external consulting company that knows how to implement such solutions, you can progress very fast.

        I would rate BeyondTrust Password Safe an eight out of ten.

        Which deployment model are you using for this solution?

        On-premises
        Disclosure: I am a real user, and this review is based on my own experience and opinions.
        Buyer's Guide
        Download our free BeyondTrust Password Safe Report and get advice and tips from experienced pros sharing their opinions.
        Updated: June 2022
        Buyer's Guide
        Download our free BeyondTrust Password Safe Report and get advice and tips from experienced pros sharing their opinions.