Zoho Vault Review
Zoho Vault is a great password manager for business, but misses the mark when it comes to catering to individuals. While we feel fairly confident in recommending it, if you're easily annoyed by puzzling interface design check out a few competitors instead. For the details, read our full Zoho Vault review.
Zoho Vault is a business-oriented password manager that excels with its low price and excellent integrations. It has a few issues, though, including a free personal plan that doesn’t stack up to the best password managers.
In this Zoho Vault review, we’re going to go over everything we liked and didn’t like after spending time with it. We’ll discuss features, pricing, user-friendliness, security and support before giving our verdict.
Vault’s strongest aspect is its features and integrations. It’s a corporate solution that allows administrators to take control over their employee and business accounts. Unfortunately, there are a few strange design decisions that make managing your accounts difficult.
- Extremely secure
- Mobile & desktop apps
- Automatic password changer
- No multi-device sync on free plans
- Difficult to set and manage categories
- Offline sync
- Guided install
- Backup & recovery
- No browser UI
- Lackluster support
- Limited 2FA options
- Excellent security
- Easy to use interface
- No free plan
- No password import
- No live chat or phone support
- Top-notch security
- Deep user control
- Mandatory password requirements
- Password policies
- Lots of sharing options
- Strange free plan
- Difficult to use
- Limited contact options
Zoho’s focus is on business and, as such, many of Vault’s features are, too. While that’s not a good thing for single users, it is an upside for teams. If you’re looking for an individual password manager, we recommend Dashlane (read our Dashlane review).
One of Vault’s greatest strengths is the level of control it gives you over users. You can establish ownership over each account, so no sensitive information is seen by someone who shouldn’t see it. By default, the user who added the item will be the owner, but the administrator of the account can change who has access.
Users on your account have one of three roles, which we’ll talk about in the user-friendliness section below. One interesting feature of super admins, the highest user role, is that they can acquire secrets from disgruntled employees. If a user leaves on bad terms, a super admin can acquire all their secrets with a single click.
Super admins have other unique features. They can implement password policies that Vault’s built-in generator will follow. For example, they could force email passwords to be a minimum of 15 characters long with up to three special characters.
Vault also has more sharing options than most password managers. LastPass, for example, only allows you to share items with users, not modify the user permissions. Read our LastPass review to see why we still think it’s a good free option, though.
While modifying user permissions isn’t of the utmost concern for a single user, it’s important when you’re managing a team. Vault allows you to add users to an item with different permissions, including view only, modify and manage. You can add multiple users at the same time, too, which helps with ease of use.
The most expensive plan, which we’ll go over in the next section, has integration with Windows Active Directory and Lightweight Directory Access Protocol. You can use those to import users and user groups into Vault, as well as use their authentication mechanisms.
Vault includes an auto-login feature that will open your accounts with a single click. It isn’t auto-fill, but rather a feature that will immediately log you in to your account. While it’s a nice feature to have, we have concerns about its security.
Auto-login comes from a browser extension. The hashed version of your master password is stored in your browser, which is used to decrypt the password you’re looking for. Browser-based malware could access that data, though, potentially exposing your plain text password.
You can read our what is browser hijacking guide to learn more about that sort of attack.
There isn’t anything Zoho can do to remedy that if the feature is something it wants to maintain. That’s not so much a criticism of the service’s security as it is of the feature. We’d recommend avoiding auto-login, especially if you haven’t run a scan with the best antivirus software.
Outside of the extended management controls, Vault is a straightforward password manager. You have tools for import and export, full vault backup and offline access. Given Zoho’s target market, the feature set makes perfect sense.
Zoho Vault Features Overview
Vault is built for businesses, so plans are priced per user, per month. That said, it was able to make our best password manager for families and best free password manager guides for its lower tier offerings.
The free plan stands apart from the rest of Zoho’s lineup. It provides unlimited password and note storage for a single user. Some of the more advanced auditing features don’t make sense in that context. Vault Free isn’t set-up for multiple users, so having functionality aimed at multiple users just makes the interface more confusing.
Standard is where Vault comes into its own. You’re paying less than a dollar per user and can fully command the reports that Vault can generate. Plus, you can assign user roles, share entries with third-parties and backup your data.
It is the plan we’d recommend for most small businesses, as it provides a solid amount of control over who has access to what without going off the deep end in price. The next tier quadruples the rate and the extras aren’t useful if you have a small team.
Professional is best for larger operations. There’s a mandatory minimum of five users, which makes sense given its features. You can create and share password groups, create and manage user groups and export multiple reports to .pdf.
The highest tier plan is similar in functionality, but twice the price. Like Professional, Enterprise requires a minimum of five users. The main differences are single sign-on for cloud apps, authentication for directories and password event notifications.
It also comes with the most control over the users on your account. You get instant notifications on password events and can set time-limited access to vault items. For small businesses, families and individuals, the top tier offering is too much. That said, for large operations that require specific integrations, it’s one of the best options on the market.
The integrations are what sets each plan apart. Small outlets that just need to manage a few accounts are fine with a Standard plan, but if you need additional features, such as integration with Microsoft Azure Active Directory and advanced reporting, one of the higher tier plans will suit you well (read our Microsoft Azure review to see why that may be a good idea).
Things get strange in this section, as comparing Vault to consumer password managers would put it at a severe disadvantage. It provides a lot of control over users and user permissions, which makes it more complicated than most consumer offerings. That said, considering its positioning as a business password manager, it handles the power very well.
As with all Zoho applications, Vault is based in your browser. There’s a browser extension that allows quick access to your vault items, but you’ll need to log in with your Zoho account to open the full user interface.
When you do, Zoho will send you to your dashboard, which is the worst part of the interface. Though you’re already using Vault, it shows you a video on why you should use it, as well as a small summary of how many passwords you have, a link to download mobile apps and a section for tags you’ve set up in your account.
The dashboard doesn’t handle functional tasks. It can link you to other parts of Vault, but the majority of the screen real estate is taken by the irrelevant embedded video. The area would benefit from presenting more broad data about your account instead of just being an unnecessary menu option.
The rest of the interface is better. Navigation is handled through a top menu, and you’ll spend most of your time in the “secrets” section, which is where you’ll find all of the information stored in your vault.
Adding a secret is different from most password managers. Vault shows you a list of websites to choose from and clicking on one will bring up the necessary fields for the account you’re trying to add.
At the top of the “add secret” screen, you can select the second tab, “others,” to create a custom entry. We think Vault should direct you to the custom entry right away. Having a tab filled with websites you can add just makes the process confusing.
The only difference between adding a custom entry and adding an entry by website is that the name of the secret is automatically filled in with the latter. Like the dashboard, it is a feature that doesn’t provide any real functionality.
Creating a custom entry has more power, anyway. It has the standard password manager fields, including username, password, tags and description. You can specify any number of custom fields, though, including file attachments. This makes it simple to store all information relevant to an account in a single entry.
Every secret has a type, and you can create new types from the custom entry menu. You can fill the custom secret type with any fields you want, as well as configure if certain ones are mandatory. Because it is a business-focused password manager, Vault allows you to implement entry guidelines that employees have to follow.
You can also view password chambers in the secrets section of the UI. Chambers are password groups that can be shared just like a normal entry. They can also have sub-chambers if you need to organize a large number of entries.
The rest of the interface is dedicated to management. “Tools” allows you import, export and download secrets for offline access; “settings” is where you can set password policies, manage secret types and setup sharing; and “admin” gives you control over vault backup, user management and two-factor authentication.
The Browser Extension
Vault’s browser extension gives you a lot of control over your data. You can view secrets and chambers from it and edit them. What’s so surprising about it, though, is that it provides most of the functionality of the web client in a much smaller space.
You can also add new entries from the extension. Adding an entry with it doesn’t allow you to create custom fields, but you can still set custom secret types if you’ve already made them in the web client. Vault will automatically fill the “secret name” and “URL” fields for whatever webpage you have pulled up, but you can add your own if you need to.
The “settings” section of the extension is a concise list of the most important Vault settings. You can set the time frame for when your clipboard is cleared, enable or disable password saving prompts, configure auto-fill and more.
We were surprised to see a “recognize subdomains for auto-fill” setting. Auto-filling on subdomains can be dangerous, as an attacker could set a phishing domain that your password manager would auto-fill on.
RememBear had that problem, as you can read in our RememBear review.
It’s disabled by default, and we recommend you keep it that way, but its existence shows that Zoho’s head is in the right place.
Vault uses host-proof hosting for your data. In this case, Zoho is the host and it has proofed itself from your data. That is also known as a zero-knowledge model, where Zoho has no knowledge of your master password or the data stored in your account.
In fact, your master password is never even sent to the server. Your data is encrypted with AES-256 and stored on Zoho’s servers. Encryption and decryption happens locally, too, meaning that your password is never transmitted. Some password managers store master passwords in hashed form, which opens up security vulnerabilities.
Hashing is a mathematical result of an algorithm meant to disguise a string of text. Unlike encryption, though, hashes cannot be reverse engineered. You learn more about that in our description of encryption guide.
A few things happen when you sign up for an account. An RSA public-private key pair is generated and it will be the chief mechanism for encrypting and decrypting your information. Your master password is used to encrypt the private key, which is stored in Zoho’s database.
A separate AES-256 key is generated, which is encrypted using the public part of the RSA key pair. The same process happens for users on your account. An RSA key pair is generated and the private portion is encrypted with the user’s master password.
The encryption is like a row of dominoes that will come tumbling down when you enter your master password. Your master password decrypts the private key, which is then matched to the public key to decrypt the AES-256 key. That final key is used to unlock your vault.
If you don’t understand the first thing about cryptography, just know this: Vault is safe to use. The only potential vulnerability would be someone getting ahold of the AES-256 key that is used to decrypt your vault. Zoho has no data breaches on record, though, so that is a minor concern.
Zoho is a large company with many products, so we didn’t have high hopes going into this section. Thankfully, it segregates the Vault support resources from its other products, meaning you can find tutorials and FAQs related to it without sifting through other product guides.
The “resources” option from the Vault menu is where you’ll find support. Zoho offers nine areas of support, including a blog, forums, help documentation, webinars and more. The help documentation is like a knowledgebase and we suspect most users will consult it first.
There is a list of topics from basic functions, such as sharing, to advanced integrations, such as setting up Azure AD SSO. The guides are excellent. Zoho clearly lays out instructions, prerequisites and more for each topic and provides plenty of screenshots. The only issue is finding the topic you need, which is remedied by using the search bar at the top of the page.
The forums are barren. Most of the topics come from Zoho, which show up every few weeks. The area is like a more advanced version of the blog with a larger amount of user interaction. You can ask questions on the forum, and it seems Zoho is quick to respond, but it looks like most users don’t take advantage of it.
You can contact Zoho using the “customer self-service portal” in the resources menu. It’s a simple contact form which is, unfortunately, the only way you can get ahold of the company. You can also use the [email protected] email address, but it goes to the same place.
The response time is snappy, though. Zoho got back to us within an hour of sending our test message.
The admin and end-user guides are useful and extensive tools for familiarizing yourself and your employees with Vault’s functions. Other than that, the support section is straightforward. Zoho has a strong focus on self-service support and, thankfully, the tools are there to do that.
Zoho gives you much more for your money than competing business offerings. The Standard price is unmatched, even with a fairly robust feature set. Some of the design decisions in the web UI are confusing, but there’s nothing that can’t be accepted after spending time with it.
Price isn’t everything, though, and you usually get what you pay for. A more expensive business solution such as 1Password (read our 1Password review) offers a more modern interface and better usability. If you need an alternative to Vault, make sure to read our other password manager reviews.
Do you plan on signing up for Vault? Let us know how your experience goes in the comments below. As always, thanks for reading.