3 Pitfalls of On-Premises Password Managers

3 Pitfalls of On-Premises Password Managers

Poor password practices are one of the biggest threats to enterprise cybersecurity. Stolen or compromised passwords cause over 80% of successful data breaches. When employees use weak passwords, reuse passwords across accounts, or store their passwords insecurely (sticky notes, spreadsheets, etc.), they put their employers at risk.

Organizations often leverage enterprise password managers to alleviate poor employee password practices. Unfortunately, many companies use legacy password management solutions that require on-premises deployment. Compared to modern cloud-based solutions, on-premises deployments possess three challenges: scalability, security and reliability.


Cloud password management solutions can instantly onboard or offboard users whenever needed. Even the initial setup is quick without needing to deploy infrastructure or make network changes such as DNS, SMTP, etc. On the other hand, on-premises solutions require deploying servers and other extensive infrastructure changes.

Furthermore, cloud password management solutions eliminate buying, deploying, and maintaining password management hardware and software. On the other hand, on-premises solutions require deploying servers requiring more cost, time and manual labor.


Cloud password management providers often make significant investments to ensure data protection and privacy. Many cloud password management data centers adhere to stringent security certifications and frameworks such as SOC2, ISO 27001, GDPR, and FedRamp. Cloud password management providers handle all security and IT patches and issues. On-premises password managers require your IT and security teams to keep the infrastructure secure.

In addition, some legacy on-prem password management solutions were designed without the principle of zero-knowledge encryption. These on-prem solutions may encrypt the data at rest, but the keys for decryption could be available to the Administrator with access to the infrastructure. Storing the encryption keys alongside the data at rest is a recipe for disaster.

In a zero-knowledge encryption model, the keys for decrypting data are never stored, and they are derived from the end-user’s master password. In this model, an administrator does not have the ability to arbitrarily decrypt any user’s vault.

There are several attack vectors to consider when both encryption keys and encrypted passwords are stored in the same location. An insider with access to the hosted software or backend database could gain access without any trace. Or, a malicious software update from the vendor could exfiltrate data.


Access to login credentials is crucial for any business, making uptime and reliability a vital factor when choosing password managers. Cloud password management solutions usually offer a 99.9%+ uptime rate, as well as offline access that allows users to access passwords during an unlikely downtime. However, on-premises password managers require your IT teams to keep the infrastructure running at peak performance and availability, which is costly and time consuming.

Many organizations have chosen cloud-based password management solutions over on-premises solutions with the mentioned technical hurdles. Here is how Keeper’s cloud-based password management solution can help.

Secure and Scalable Password Management that Easily Integrates with Your Security Infrastructure and Processes

Keeper deploys at an enterprise scale across any number of users, from small entities to organizations with hundreds of thousands of employees and contractors. The Keeper Cloud Security Vault is hosted with Amazon AWS in North America, Europe, Japan, Canada and Australia, for localized data privacy and geographic segregation to host and operate the Keeper solution and architecture. Utilizing Amazon AWS allows Keeper to seamlessly scale resources on-demand and provide customers with the fastest and safest cloud storage environment. Keeper Security operates both multi-zone and multi-region environments to maximize uptime and provide the fastest response time to customers.

In addition, Keeper seamlessly and quickly integrates with any on-premises or cloud-based identity solutions, including AD, LDAP, Azure, SCIM, as well as IdPs that are SAML compliant. This includes SSO solutions such as Azure, Okta, Centrify, BeyondTrust, Google Workspace, JumpCloud, OneLogin and Ping Identity. Keeper also provides developer APIs, which allow Keeper to be integrated with any type of on-premises, cloud-based, or hybrid-cloud environment. For event tracking and reporting, Keeper seamlessly integrates with all major security information and event management (SIEM) solutions, including Splunk, Sumo Logic, LogRhythm, IBM, DEVO, Datadog and any system that supports Syslog-formatted events.

Zero-Trust and Zero-Knowledge Password Security

Keeper holds the longest standing SOC 2 and ISO 27001 certification in the industry. For customers in the EU, Keeper is GDPR compliant with data centers isolated to the EU region.  

For public sector customers in the US, Keeper Government Cloud is FedRAMP Authorized (Moderate Impact) and ITAR Compliant. Keeper’s ISMS ensures that strict security controls are in place to protect customer data and ensure the secure operation of products and services.

Keeper Security creates its products using a zero-trust security framework that is based on not trusting any user within the architecture. Zero-trust assumes that all users and devices could potentially be compromised and thus, each user must be verified and authenticated before they can access a website, application or system. This cybersecurity framework underpins Keeper’s cybersecurity platform. The platform provides IT administrators full visibility into all users, systems and devices they are accessing which helps ensure compliance with industry and regulatory mandates. In order to have a zero-trust framework in an organization, it must have world-class password security that is supported with a zero-knowledge security architecture. 

Zero-Knowledge Encryption

Keeper is a zero-knowledge security provider. User credentials are encrypted locally on the device, and the ciphertext is stored in an encrypted form in Keeper’s AWS environment.  Keeper implements a multi-layered encryption system based on client-side generated keys. Record-level keys and folder-level keys are generated on the local device, which encrypts each stored Vault record (e.g. Password). Keys are generated locally on the device to preserve Zero Knowledge and to support advanced features such as record and folder sharing.  For users who log in with SSO or Passwordless technology, Elliptic Curve cryptography is used to encrypt and decrypt data at the device level. The multiple layers of encryption ensure that even if a single key were compromised, access to other records would be contained. We call this limiting the “blast radius.” Since Keeper’s cloud only stores encrypted ciphertext, Keeper Security employees and infrastructure providers have no ability to access or decrypt customer data.

More Reliable Uptime and Offline Access

Keeper is hosted on AWS with a 99.99% commitment for uptime and availability. Other password managers are hosted on their own custom data-centers, which cause repeated downtime. Keeper knows that your questions matter and gives you the option to speak to a live person over the phone. Keeper live support is available 24×7. Keeper also offers product training and onboarding with your subscription. Click here for Keeper’s uptime status. 

Keeper Offline Mode allows users access to their vaults from any device when they are not able to connect online to Keeper or their identity provider. Offline access is available for Keeper Web Vault, Desktop App, iOS and Android mobile apps. The vault data is stored in an encrypted format which is only accessible if the user provides their Master Password or biometric authentication. Multiple users can share a single device (e.g. a laptop PC) and all will have their vault stored safely on that PC when offline.  Self-destruct protection will erase all locally stored data after 5 failed login attempts.


Legacy password management solutions that require on-premises deployment pose scalability, security, and reliability challenges compared to modern cloud-based solutions. If you are interested in a secure, all-in-one cloud-based password management solution, request a demo from a member of our team.

Vince Lau

Vince Lau is the Director of Product Marketing at Keeper Security. He has over two decades of marketing and security experience helping various industries and clients manage cybersecurity risks. Vince has also worked for other notable security vendors, including Imperva, ThreatMetrix, Tigera, Anomali, and Kiteworks. Vince holds an MBA from Santa Clara University, BS in Computer Engineering from Cal Poly San Luis Obispo, and a CISSP.