HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Padloc Review

Some previous Padloc reviews have not been too kind to this open source password manager due to its lack of capabilities; but, in July 2022, a new version of Padloc (V4) was released that improves its feature set significantly. So, does Padloc now live up to the ideal of being “as simple as possible to use without making compromises in terms of security or performance”?

One of the challenges encountered by any organization implementing a password manager is ongoing user adoption. It is often the case that users are willing to “try it out” when a password manager is first deployed because of the novelty value. However, security is inconvenient, and as soon as users tire of the novelty, find it doesn't work as well as promised, or find that it stops them “getting the job done”, they often revert to insecure methods of saving and using passwords.

Padloc has tried to overcome these issues by designing the user interface so that using the password manager becomes second nature rather than a struggle. Additionally, being open source means the code can be independently reviewed, so bugs are more likely to be found and fixed quickly. However, with regard to preventing users “getting the job done”, Padloc has a big hole in its capabilities: the password manager does not have an autofill capability, a potential deal-breaker for many.

Padloc Review for Individuals and Families

Although this Padloc review is aimed at organizations subject to the HIPAA Privacy and Security Rules, it is worth discussing the plans for individuals and families because these illustrate how much the latest version of the Padloc password manager differs from previous versions. For example, the free plan for individuals previously limited users to saving a maximum of fifty passwords across two devices. Those limits have now gone, and the free plan has no limits on passwords or devices.

With regards to the premium plan for individuals ($34.90 per year), this now includes security reporting and a built-in authenticator as well as the existing 1GB of storage and multi-factor authentication capabilities; while the biggest change to the family plan is the pricing structure – now charged at a flat $59.50 per year for up to five members of the same family, rather than the $12 per year per family member. Consequently, the family plan is more expensive for smaller families.

Padloc Review for Teams and Businesses

Considering that extra capabilities have been added to both the Teams and the Business plans, it is worth noting that the subscription costs for both plans are now lower than they were prior to the release of V4 (now $34.90 per user per year and $69.90 per user per year respectively). Also, both plans now include automatic security reporting (previously manual), advanced Multi-Factor Authentication (previously basic), and a rich notes capability with markdown support.

The major differences between the two subscription types are much the same as before. The Teams plan only supports up to 50 users, whereas the Business plan supports an unlimited number of users. The Teams plan also places limits on the number of groups you can create (ten) and the number of vaults you can share (twenty) while both of these features are unlimited in the Business plan – which also now supports directory sync and automated provisioning.

There is also an unpriced Enterprise plan which claims to include unlimited encrypted file storage, compared to the 5GB per seat in the Teams plan and 20GB per seat in the Business plan. If true, this could be used as a cheap way to store archived documents. For larger organizations interested in implementing an open source password manager, it may be worth contacting Padloc to see how their best offer compares to Bitwarden's Enterprise Plan.

Padloc for Covered Entities and Business Associates

If you go through the documentation, security whitepaper, and user guide provided by Padloc, the password manager has all the mechanisms in place to support compliance with the Security Rule (access controls, automatic log off, audit reports, etc.). However, there is no indication in any of the documentation about whether Padloc is willing to sign a Business Associate Agreement. This is important if your organization intends to use the password manager to store or share ePHI.

If your organization is not intending to use the password manager to store or share ePHI (or archive ePHI), there is still the elephant in the room concerning autofill. If users have to copy and paste each password into a login box each time they want to access a password protected database, it could be an obstacle to ongoing user adoption; and although Padloc supports FIDO standards for biometric logins, not all password protected databases and online accounts are FIDO ready.

In conclusion, there are pros and cons to adopting the Padloc password manager. The pros highlighted in our Padloc review include a very friendly user interface that will encourage adoption (initially at least), while the layout of the administration console simplifies management tasks such as the application of Role Based Access Controls. It is also a bonus that the password manager is open source, which allows independent review of the code and so helps reduce the risk of undetected bugs and security vulnerabilities.

However, for many organizations, the cons of no autofill, no Business Associate Agreement (we assume), and price will be good enough reasons to look elsewhere. Bitwarden was previously mentioned in our Padloc review, and this password manager doesn't have these cons, while it too has a user-friendly interface, an intuitive management console, is built on open source software, and supports FIDO standards for biometric logins. Maybe Padloc V5 will be better.