Keeper is one of the most used password managers according to a survey conducted by security.org; however, as our Keeper review demonstrates, it is also one of the most flawed, one of the most complicated to use, and – depending on how many add-ons are required to support HIPAA compliance – potentially one of the most expensive.
When you are in the process of selecting a password manager, commercial review sites are not necessarily the best sources of information. Many have a financial motive for recommending one password manager above another; and – in the case of Keeper – commercial reviewers can get $5 for every business lead they generate even if the lead does not turn into a customer.
Unfortunately, many people are swayed by positive Keeper reviews, which helps to explain why Keeper came second in the security.org survey. The problem is that once you have committed to any password manager, abandoning it in favor of a more secure and effective solution is time-consuming, not to mention any security leaks that may already have occurred while you were using it.
What are the Problems with Keeper Security?
The problems with the security of the Keeper password manager are well chronicled. In 2016, it was reported that Keeper's Chrome extension injected its trusted UI into untrusted web pages, potentially enabling those pages to interact with the extension and steal users' login credentials. Although the issue was quickly resolved, a similar vulnerability appeared in a later release of the Keeper Chrome extension the following year.
Bugs are not uncommon in proprietary software releases (which is one reason password managers built on open-source software are generally considered more trustworthy: the client code can be independently reviewed, which does not prevent bugs but makes them easier to find and to verify as fixed). It is less common, however, for installer files to sit unprotected in the cloud. A flaw of that kind reported in 2018 would have allowed attackers to reach Keeper's installer files and insert keylogging software, exposing the master password of every user who ran a tampered installer.
There are also questions about Keeper's zero-knowledge model, which is claimed to prevent Keeper employees from accessing users' password vaults. In 2018, it was reported that anybody in control of Keeper's API could unlock users' accounts, while more recently a customer claimed Keeper had sent her an email informing her that there were no passwords saved in her vault. How did Keeper know? The likely answer is that "zero knowledge" covers the contents of vault records, not the metadata the service needs to store them: a server holding encrypted blobs still knows how many blobs it holds, how large they are, and when they were last changed. The email therefore does not by itself prove that vault contents were visible to Keeper, but it does show how much a customer's vault activity is visible to the service even under a zero-knowledge design.
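To make the distinction between record contents and record metadata concrete, the toy vault below is an added illustration written for this review; it is not Keeper's code and makes no claim about Keeper's actual architecture. The record layout, the server class, the per-user salt and the cipher (HMAC-SHA256 run in counter mode with a separate HMAC tag, chosen so the example needs only the Python standard library) are all assumptions for the purpose of the demonstration. The point it shows is that the server can answer "how many records does this vault hold?" (including "none") without ever holding a key, while the record contents stay opaque and a wrong master password is rejected.

```python
"""Toy 'zero-knowledge' vault: what a key-less server can and cannot observe.

Added example for this review, not Keeper's code. The cipher below is an
illustration built from the standard library, not a production design.
"""
import hashlib
import hmac
import json
import secrets

ITERATIONS = 600_000  # PBKDF2 work factor; assumption for the example


def derive_keys(master_password, salt):
    """Client-side KDF. Returns (encryption_key, mac_key); neither leaves the client."""
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), salt, ITERATIONS, dklen=64
    )
    return material[:32], material[32:]


def _keystream(key, nonce, length):
    """PRF in counter mode: HMAC-SHA256(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_record(enc_key, mac_key, record):
    """Encrypt-then-MAC a JSON record. Output: nonce(16) || ciphertext || tag(32)."""
    plaintext = json.dumps(record, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_record(enc_key, mac_key, blob):
    """Verify the tag first; only then decrypt. Wrong keys fail here, not later."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


class VaultServer:
    """Stores opaque blobs per user. Never sees the master password or any key."""

    def __init__(self):
        self.blobs = {}

    def store(self, user_id, blob):
        self.blobs.setdefault(user_id, []).append(blob)

    def fetch(self, user_id):
        return list(self.blobs.get(user_id, []))

    def metadata(self, user_id):
        """What a zero-knowledge server still knows without any key."""
        blobs = self.blobs.get(user_id, [])
        return {"record_count": len(blobs), "blob_sizes": [len(b) for b in blobs]}


def demo(master_password="correct horse battery staple"):
    """Round trip for one constructed user; returns what each side can observe."""
    server = VaultServer()
    salt = b"per-user-salt-stored-server-side"  # constructed; salts are not secret
    enc_key, mac_key = derive_keys(master_password, salt)

    # Before any record is saved the server can truthfully report an empty vault.
    empty_view = server.metadata("alice")

    for record in ({"title": "bank", "password": "hunter2"},
                   {"title": "email", "password": "Tr0ub4dor&3"}):
        server.store("alice", encrypt_record(enc_key, mac_key, record))

    # Server view: counts and sizes only; no plaintext appears in the blobs.
    server_view = server.metadata("alice")
    plaintext_leaked = any(b"hunter2" in blob for blob in server.fetch("alice"))

    # Client view: full decryption with keys derived from the master password.
    titles = sorted(decrypt_record(enc_key, mac_key, b)["title"] for b in server.fetch("alice"))

    # Anyone guessing the wrong master password is stopped by the MAC check.
    wrong_enc, wrong_mac = derive_keys("wrong password", salt)
    try:
        decrypt_record(wrong_enc, wrong_mac, server.fetch("alice")[0])
        wrong_key_rejected = False
    except ValueError:
        wrong_key_rejected = True

    return {
        "empty_record_count": empty_view["record_count"],
        "record_count": server_view["record_count"],
        "plaintext_leaked": plaintext_leaked,
        "titles": titles,
        "wrong_key_rejected": wrong_key_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

Note that `VaultServer.metadata` needs no key at all, which is exactly why a "your vault is empty" email is compatible with a zero-knowledge design; what a practitioner should ask a vendor is which metadata is retained and who inside the company can query it.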
Is the Keeper Password Manager Complicated to Use?
When most people start using a password manager, it is usually a browser-based manager (e.g., Google Chrome) or an OS-based manager (e.g., iCloud Keychain) with limited functionality. Transitioning to a vault-based password manager such as Keeper can be difficult, depending on the individual's technical capabilities and understanding of how vault-based password managers work.
In its defense, Keeper provides a comprehensive selection of user guides, training documentation, and "101" videos. However, these resources make a lot of assumptions about individuals' technical capabilities and are presented in a manner that a vault novice will find difficult to follow. For example, many users will find it easier to re-enter passwords from Google Chrome or iCloud Keychain by hand than to follow the instructions for the import feature.
Even for technically advanced individuals, Keeper has a steep learning curve when implemented for personal use; and at the business and enterprise levels the curve gets steeper because of the add-ons you may have to pay extra for in order to achieve the objectives of deploying a password manager in the first place (e.g., secure storage, breached-password notifications, and compliance reports, all of which are included as standard in many competing password managers).
Keeper Password Manager Plans and Prices
Personal and Family Plans
Keeper´s plans for personal and family use ($34.99/year and $74.99/year respectively) are fairly basic. They include the ability to save and synchronize an unlimited number of credentials across an unlimited number of devices but have limited two-factor authentication options and only allow individual users to share text files – not documents, images, or videos.
Every other feature you might expect to find in a premium personal or family plan costs extra. Secure storage (for saving documents, images, and videos) starts at $9.95 per year per user, and the “Breachwatch” service (for breached password notifications) costs $20.00 per year per user. You may be able to save some money by taking advantage of a “bundle deal”, but even then, the cost of implementing the Keeper password manager for a family of five is in excess of $200 per year!
Compared "like-for-like" with other password managers, Keeper is expensive. For example, Bitwarden charges just $10 per year for its fully featured personal plan and $40 per year for its six-person family plan, although the trade-off is that you have to run its vault health checks manually. Bitwarden also has the advantage of being built on open-source software, so its client code can be independently audited. That does not make it immune to bugs of the kind described above, but it does mean such bugs are easier for outsiders to find and to confirm as fixed.
Business and Enterprise Plans
Keeper offers both a feature-limited business plan for $45 per user per year and an enterprise plan with "customized pricing". The business plan is not much more than a glorified family plan with an added policy engine and team management console. The enterprise plan includes bells and whistles such as SSO authentication, Active Directory synchronization, advanced two-factor authentication, and a host of provisioning tools. Everything else costs extra.
You can get "powerful add-ons for superior team protection" similar to those for the personal and family plans (i.e., secure storage and breached-password notifications), advanced reporting capabilities, and a "KeeperChat" messaging service. You can also "secure your environment" with the Keeper Secrets Manager, "secure your IT infrastructure" with the Keeper Connection Manager, and buy "world-class support". The top support tier costs $750 per year, yet it does not include phone support, provides chat support during office hours only, and guarantees only an email response within one business day.
Even at the most basic level, a business plan with secure storage and breached password notifications is going to cost a business $74.95 per user per year plus $750 per year for support. When compared to Team Plans offered by Dashlane ($60/user/year), LastPass ($48/user/year), and Bitwarden ($30/user/year) Keeper looks very expensive; and, if you want all the bells, whistles, and customer support, even Dashlane at $96/user/year looks good value. LastPass ($72/user/year) and Bitwarden ($60/user/year) only offer email support.
Keeper and HIPAA Compliance
For businesses subject to HIPAA, it is important to be aware that although Keeper claims its password manager is HIPAA-compliant, the company will not sign a Business Associate Agreement with Covered Entities or Business Associates. This is despite guidance from the Department of Health & Human Services stipulating that a vendor which stores ePHI meets the definition of a Business Associate even if it "cannot view the ePHI because it is encrypted and the [vendor] does not have the decryption key".
Consequently, Covered Entities and Business Associates using the Keeper password manager have the additional management overhead of ensuring that no ePHI is stored in password vaults. Members of the workforce will not be able to share ePHI via the secure sharing feature or the "KeeperChat" messaging add-on. It may also be necessary to keep passwords for systems that contain ePHI out of the vault altogether, which renders the Keeper password manager virtually useless for Covered Entities.
Keeper Review Conclusion
Our Keeper review demonstrates why you should choose your sources of information carefully. Keeper pays a lot of money to affiliates for "bigging up" its capabilities, money that is recovered from customers by pricing subscriptions above market standards. There are also concerns about the complexity of using Keeper in an enterprise environment and about the security of data, and the refusal to sign a Business Associate Agreement makes the Keeper password manager unsuitable for any business subject to HIPAA regulations.