Zoho Vault Review
2023-11-01 09:56
When we last reviewed Zoho Vault in 2021, we were pleased with the app's basic functionality and security features, though we noted some shortcomings, such as a lack of web form-filling capabilities. Since that time, the standards for password management apps have changed. It's not enough to offer multi-factor authentication (MFA); users now expect MFA adoption to be seamless. Zoho Vault offers product integrations for its business accounts that may offer value for enterprise customers. But when it comes to personal password management, Zoho Vault comes up short, with difficult-to-set-up multi-factor authentication and no form-filling ability. Furthermore, it stores some personal information in an unencrypted state. Competitors such as Bitwarden and Dashlane have made significant changes to their products over time to improve security and the user experience, earning them our Editors' Choice recommendation.

How Much Does Zoho Vault Cost?

Zoho Vault offers a free plan that includes core password management features, including multi-factor authentication and cross-platform syncing, but it saves password sharing and password inheritance for paid plan subscribers.

For a monthly fee of $1.00 per user, Standard plan subscribers can share passwords, transfer ownership of their passwords, enable vault access restrictions based on IP addresses, enable user management tools, and integrate the password manager with Google Workspace and Microsoft 365.

The next tiers are designed for businesses and teams rather than individuals. The stated price and features are limited to accounts with at least five users. The Professional plan is $5.00 per month for each user in the organization. Subscribers can create and manage user groups and access activity and breached password reports.

The Enterprise plan is $8.00 per month per user and adds single sign-on capabilities, integration with Okta and OneLogin, and help desk integration.

The price for the personal standard plan is lower than most of the competition. Bitwarden is less expensive, at just $10 annually for a premium account. Zoho Vault's business pricing plans are a little more expensive than similar offerings from its competitors. 1Password and Dashlane both offer flat-rate business plans for $20 per month for up to 10 users, which is pretty hard to beat.

What Are Zoho Vault's Authentication and Security Features?

Getting started with Zoho Vault includes taking a short tour of the password manager's features. The tour of the web version of the password manager shows users where the features are located on the screen.

We prefer product tours that teach new users how to use a password manager. 1Password, for example, offers subscribers step-by-step tutorials for importing old passwords and generating new credentials.

After your tour, you'll want to enable MFA for your account. You can only enable MFA and other security settings from the web vault.

First, click the Settings tab on the left sidebar and navigate to the tab labeled Enforce MFA. Then click the Enforce MFA button on the next screen. Zoho Vault then requires users to log out and log back in to add an authenticator to the account. It's a clunky process that could be streamlined. We haven't had to log out to add an authentication method while testing any other password managers.

The next time you log in, Zoho Vault prompts you to download its free authenticator app, Zoho OneAuth. If you'd rather use your own authentication method, Zoho Vault accepts codes from mobile authenticator apps, SMS-based OTP, and hardware security keys.

After setting up an MFA method, Zoho Vault prompts users to save backup codes for their accounts. From your account screen in the app or on the web, you can set up a passkey for your Zoho Vault account and store it on your authenticated device or in a different password manager's vault.

Unique Security Features

Zoho Vault brings enterprise security features to its personal password manager with options such as device sign-in logs, an IP address allowlist, and application-specific passwords. Set up the security features by navigating to your Zoho Vault account page on the web and clicking on the Security tab.

The IP Address List feature lets users block login attempts originating from IP addresses that are not on their allowlist. The Device Logins section shows the location and device information of the Zoho Vault activity associated with the account.

We're particularly impressed with Zoho Vault's unique application-specific password feature, which allows users to create special passwords for applications with accounts that are most likely to be targeted by hackers, such as email clients or social media apps. Zoho Vault stores your new password in the vault instead of your real account password. When you go to log in, Zoho Vault fills in the fake password instead of your true account password. This adds a layer of protection in the event that a hacker is able to get past your MFA method and guess your master password to unlock your password vault and steal your passwords.

Data Privacy With Zoho Vault

Before reviewing and testing a password manager, PCMag sends a list of questions to the password management company inquiring about its privacy and security practices. Check out Zoho Vault's responses to the questions below.

Q: Has your company ever had a security breach?

A: No

Q: What unencrypted information does the password manager store in user vaults?

A: All fields are encrypted except for Password Name, Description, URL, and Tags. This is to simplify in-product search and auto-login experience. Please refrain from saving sensitive data in these fields.

Q: What is the company's policy regarding master passwords?

A: We don't store the master password anywhere on our servers, and [our customers] should create a strong one and enter it every time to access their vault.

Q: What is the company's policy regarding user data collection and data sales?

A: Your data is always yours - that is our commitment to users. We don't have an ad-based revenue model, even in our free plans.

Q: How does your company protect user data?

A: We follow the industry-standard best practices to protect user data. The company's trust information page includes the following statement: "Our robust security framework based on OWASP standards, implemented in the application layer, provides functionalities to mitigate threats."

Q: How does your company respond to requests for user information from governments and law enforcement?

A: Yes, if required by law, personal data and service data may be disclosed or preserved in order to comply with any applicable law, legal process, regulation, or governmental request, including to meet national security requirements.

We are satisfied with most of Zoho Vault's answers to our questions, though the reply about password vault storage raises significant alarm. Unencrypted vault data, no matter how trivial, could give criminals information about you. When LastPass divulged the details of its 2022 security breaches, the company revealed that hackers made off with their customers' vault data, which contained encrypted passwords and unencrypted data, including website URLs.

The URLs stored in your vault can reveal what sites you have accounts for, which, when combined with another malicious act such as phishing, can give hackers the data they need to target and take over your accounts. We encourage existing Zoho Vault customers to divulge as little personal data as possible in the password name, description, and tag sections of their user vaults.
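A defensive check for the advice above, as an added example that is not part of the original review or of Zoho's tooling: it scans a CSV export for sensitive data sitting in the fields Zoho says are unencrypted. The column names, the detection patterns, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import re
from urllib.parse import parse_qsl, urlsplit

# Fields Zoho says are unencrypted; using them as CSV column names is an assumption.
TEXT_FIELDS = ("Password Name", "Description", "Tags")
DIGIT_RUN = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
SECRET_HINT = re.compile(r"(?i)\b(?:pin|password|passwd|pwd|passcode|answer)\b\s*[:=]\s*\S+")
SECRET_PARAMS = {"token", "key", "apikey", "api_key", "password", "secret", "sig"}

def luhn_ok(number):  # card checksum, cuts false positives on long digit runs
    digits = [int(c) for c in number if c.isdigit()][::-1]
    doubled = [d * 2 - 9 if d > 4 else d * 2 for d in digits[1::2]]
    return (sum(digits[0::2]) + sum(doubled)) % 10 == 0

def check_text(value):
    found = []
    if any(luhn_ok(m.group()) for m in DIGIT_RUN.finditer(value)):
        found.append("card-like number")
    if SECRET_HINT.search(value):
        found.append("labelled secret")
    return found

def check_url(value):
    try:
        parts = urlsplit(value)
    except ValueError:  # e.g. a malformed IPv6 literal
        return ["unparseable URL"]
    found = ["password embedded in URL"] if parts.password else []
    if any(k.lower() in SECRET_PARAMS for k, _ in parse_qsl(parts.query)):
        found.append("secret in query string")
    return found

def audit_export(csv_text):
    """Return (row number, field, finding) for every hit in a plaintext field."""
    hits = []
    for n, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=1):
        for field in TEXT_FIELDS:
            hits += [(n, field, f) for f in check_text(row.get(field) or "")]
        hits += [(n, "URL", f) for f in check_url(row.get("URL") or "")]
    return hits

# Constructed sample export, not real data.
SAMPLE = """Password Name,Description,URL,Tags,Username,Password
Bank,"PIN: 4921, ask for Dana",https://bank.example/login,finance,alice,x
Visa 4111 1111 1111 1111,card,https://shop.example/,shopping,alice,x
Router,home router,http://admin:hunter2@192.0.2.1/,network,admin,x
Reports,weekly,https://reports.example/v?token=abc123&page=2,work,alice,x
Forum,general chat,https://forum.example/,misc,alice,x
"""

if __name__ == "__main__":
    print(*audit_export(SAMPLE), sep="\n")
```

Each hit names the row and field to clean up; move the flagged value into an encrypted field such as the password or a secure note, then delete the export file.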

We urge Zoho Vault to consider encrypting all user vault data, especially because its competitors, including 1Password, Bitwarden, Dashlane, and Keeper, all told PCMag that unencrypted data is not stored in user vaults on their platforms. The insecure vault storage issue is a big problem, and it's enough to drop Zoho Vault's review score by a considerable amount.

As for the company's privacy statements, the answers above reflected Zoho's privacy policy. PCMag encourages users to browse the privacy policies for all apps to learn more about how companies collect, sell, or store user data. Decide how comfortable you are with data collection and how companies use your data and act accordingly.

Hands On With Zoho Vault

After setting up your MFA and security settings, you'll want to import your old passwords stored on your devices, in your browsers, or from 20 other password managers. Zoho Vault's password-importing process is more complicated than the competition. Bitwarden can import passwords from more than 50 competitors, and the process only takes a few clicks.

While testing Zoho Vault, the app could not read our Dashlane test account credential file, though we've been able to open it with Bitwarden and 1Password. We uploaded the CSV version of the file and had to label our entries manually—a time-consuming process.

Zoho Vault Credential Capture and Replay

After importing your passwords, install a browser extension. Click on your profile in the top right corner of the dashboard and select the icon representing your browser of choice. Zoho Vault has browser extensions for Brave, Chrome, Edge, Firefox, Safari, Opera, Ulaa, and Vivaldi browsers, which work on Windows, macOS, and Linux.

Whenever you log into a website with a credential that you haven't saved in your vault, Zoho offers to store it for you. You can give the saved password a label, and you can also add notes or tags at this time.

When you visit a site with a login form, you click the tiny Zoho icon in the entry box's right corner, and Zoho Vault fills in your saved credentials. We used the Chrome browser extension to fill in passwords around the web, and the feature works as expected.

The password creation process with Zoho Vault's browser extensions is dated. To create new logins for websites and to modify current logins, the browser extension opens a new browser window containing your web vault, where you can save and change new passwords. It's an extra step that competitors such as 1Password manage to bypass by keeping the functions within the browser extension application.

You can set the Zoho Vault browser extension to lock your vault after a specified period of up to one week, and you can also set up a clipboard-clearing schedule in the Settings menu. The browser extension also has a password generator, which we'll discuss in the next section.

Once you've captured, entered, or imported a few passwords, you can go back to your dashboard on the web and check out your Password Assessment Score. We like that Zoho Vault offers password hygiene monitoring for all levels of service, including free accounts. Dashlane offers a similar password monitoring feature, but it's only available for business accounts. Zoho's password assessment score tells you whether your passwords are weak, reused, recycled, or old or if they contain your username or dictionary words.

Zoho Vault's Password Generator

If you're familiar with password managers, you will find Zoho Vault's password generator familiar. Clicking it to create new credentials fills in a new, random password matching your specified password length, strength, and other requirements.

Zoho defaults to the predefined Strong policy, which requires passwords to be 8 to 14 characters in length, using all character types. This doesn't seem very strong to me. You can add your own password policy rules by visiting your web vault, clicking on the Settings tab, opening the Password Policy menu, and clicking the plus sign.

You can create custom password policies, and passwords can be up to 99 characters. We recommend using a password with at least 20 characters containing mixed-case letters, numbers, and at least one special character. Check the box in the corner of the window to make your policy the default. In a multiuser situation, Zoho lets administrators enforce password policies other users can't change.

Storage and Form-Filling With Zoho Vault

The previous review of Zoho Vault stated that the password manager could not fill in web forms using data stored in the vault. In testing, Zoho Vault still failed to populate form fields with the personal data we stored in our vault. Form-filling using vault data is a core function for most personal password managers, and competitors such as Bitwarden, Dashlane, and Keeper all do it with ease. The lack of this core functionality is a factor in Zoho Vault's rating.

Zoho Vault's file storage system is confusing. To add a certain kind of data, like, say, a credit card or driver's license information, navigate to the section labeled "Passwords" in your web vault. Click on the Add button, then choose the data type under the Add Password section. Data types are limited to bank account credentials, credit card numbers, health insurance information, social security numbers, or logins for Unix and Windows. You can also upload documents up to 2MB in size by choosing the option labeled File Store.

Zoho Vault does not offer the option to store personal data such as your mailing address, phone number, email address, or driver's license number. Zoho Vault's storage system offers far fewer data storage options than Dashlane's well-organized Personal Info and Secure Notes sections.

Password Sharing With Zoho Vault

If you must share your passwords, it's best to do it safely. You can share credentials with other Zoho Vault users or non-Zoho subscribers, but only with a paid account.

To share credentials with someone who doesn't use Zoho Vault, select a password to share, click Share, then select the Third Parties tab. Next, enter the email address of the person you want to have your password and click Share Password. The other person receives an email containing an encrypted link to the password that expires after a predetermined time. The app suggests that you change the password once the need for sharing is over.

RoboForm and a few others offer password transfers to make sure your loved ones can access your accounts in the event of your demise. Zoho Vault has something similar. You can transfer ownership of any password you own to a designated person. For business accounts, the administrator can forcibly acquire all the business-related passwords a user owns in case of a firing or other not-so-pleasant parting.

Zoho Vault Mobile Apps

Zoho offers apps for Android and iOS. For this review, we tested the Zoho Vault app using an iPhone 12 mini running iOS 16.6.

A previous review stated that iOS users had to either use Zoho's internal browser or copy and paste in their credentials manually. The current version of the app is slightly better because it fills in your existing passwords with ease. That said, we could not automatically generate new login credentials using the iOS app, which is pretty unusual for a password manager. The app has a password generator, but it's separate from the credential-filling process.

Here's the complicated process for creating a new credential with the Zoho Vault iOS app:

  1. Open the Zoho Vault app.

  2. Tap the plus sign in the Passwords section.

  3. Paste the URL of the login page into the Search bar.

  4. Enter a username and generate a new password.

  5. Tap to save the credential.

  6. Open your browser, and tap the empty field to enter your new credential.

It's a far-from-seamless process, and it's another reason for Zoho Vault's significant score reduction. Creating a new credential on a mobile app is not a multistep process for 1Password, Bitwarden, Dashlane, or Keeper users.

Zoho Vault for iOS supports logging in using FaceID. Security and privacy options can only be changed from the web vault or your account page, which is not unusual for password manager applications. 1Password also only allows security changes in the web vault.

Is Zoho Vault Good for Business?

Zoho is known for its enterprise products, so it's no surprise that Zoho Vault offers many business-focused features. For example, Zoho Vault's paid tiers include collaboration tools such as password sharing, user provisioning, and integration with Google Workspace and Microsoft 365.

The Enterprise tier also includes password access control, allowing management to grant and restrict employee access to password-protected data. Single sign-on configurations for cloud apps and a user audit system (so administrators can see all password-related activity as it happens) are other important features for large organizations.

In business-critical situations, having just one person holding the keys to the castle is a recipe for disaster. One convenient feature for Professional and Enterprise users is the Break Glass account for emergency access to passwords. You set up an emergency contact who has access to all the enterprise passwords, eliminating the dependency on a single password owner or administrator.

Zoho Vault Has Fallen Behind

Zoho Vault's free tier and inexpensive personal plan may be tempting, but since our last review, it has failed to address its lack of form-filling capabilities. It also has a messy, complicated data-storage system, and creating new passwords in its iPhone app is far from seamless. Worse is the revelation that the company is storing unencrypted information in user vaults; this could present a significant security risk for users. For a free password manager, you should try the reliable, open-source Bitwarden, an Editors' Choice winner. For premium password management, Dashlane is our Editors' Choice for its superior usability and plentiful features.
