Zoho Vault Review

zoho vault password manager

In this Zoho Vault review, I will try to show why it’s among the best password managers in 2020. It’s secure, easy-to-use, and won’t cost an arm and a leg. And even though the company behind Zoho Vault password manager names their product as oriented to teams, non-business users might still like it. Finding out that won’t be hard because there’s a free version for you to try, while Enterprise option has a 15-day free trial.

Users will notice that Vault password manager is just one of Zoho’s business-oriented but also B2C-friendly solutions. Among them you will find Contact manager, Mail, Docs, and Analytics, to name but a few. Naturally, Zoho Vault integrates with them nicely and also offers single sign-on (SSO) for popular third-party software. We’re talking about Windows AD, Office 365, and ZenDesk, among others.

But how safe is the Zoho Vault password manager? Is the free version enough for most users? And should you get the premium offer? These and more questions will be answered in this Zoho Vault review.

Rating:4.2Price:from $0.90/month
Free version:YesPlatforms:Web app, Android, iOS

Zoho Vault pros & cons

Zoho Vault is a business-oriented password-manager that some individuals might find interesting as well. It provides strong security without sacrificing usability. What’s more, there’s a free version that might just be enough for you.

+ Pros

  • Good for SMEs
  • Has cheap plans
  • User-friendly
  • Supports most browser extensions
  • Strong free version
  • 24×5 phone support

− Cons

  • Outdated interface
  • Some premium plans don’t add much
  • Import from Safari is not possible

Zoho Vault features

Zoho Vault password manager is not known as the most feature-rich service. What’s more, it gives away most of them for free, which makes upgrading to a Standard or Professional plan questionable. Nevertheless, Zoho Vault does have some unique features that set it apart from the competition.

Integration with third-party services

It comes with no surprise that Zoho Vault integrates well with their other products like Zoho Mail or Zoho Desk, most of which are B2B-oriented. However, you also get a single sign-on for third-party solutions. It also includes user import and export between the apps and REST APIs for customized operations.

Here’s the list of third-party services that Zoho Vault integrates with:

Zoho Vault integration with third-party apps

Google

  • G Suite (user import, enable SSO)
  • Google Drive (backup)

Microsoft

  • Microsoft Active Directory (user import)
  • Azure Active Directory (user import)
  • Office 365 (import users, enable SSO)
  • OneDrive (backup)

Other

  • OKTA (enable SSO)
  • Amazon S3 (backup)
  • Box (backup)
  • Dropbox (backup)
  • Service Now (access from Zoho Vault)
  • ZenDesk (access from Zoho Vault)
  • Jira (access from Zoho Vault)
  • SSO access for 90+ cloud apps

Sophisticated password sharing

Because of its orientation towards SMEs, Zoho Vault has an advanced password sharing system. Not many competitors can offer something of the save level. That being said, Zoho allows sharing to premium users only while all features are accessible only to the Enterprise subscribers.

To start with, users themselves can send you password requests, which can speed things up both in company and family context. For easier sharing, your passwords can be put into folders. This option is available to Professional and Enterprise plans only.

Moreover, you can set an expiration date for a shared password or folder. This is especially convenient if, for example, you have a new employee and want to give him access for the next three months only because you already know he won’t pass the trial period.

All these features wouldn’t sound so user-friendly if you only could share with Zoho Vault users. Gladly, there’s an option to send an email with a password link that expires in 24 hours or half-an-hour after the receiver opens it. Afterward, you automatically get a suggestion to change that password, which is both a nice and crucial touch.

Users, Admins, and Super Admins

What’s more, you can share passwords and folders with groups of users that have the same access level. You get to choose who gets the petty role of the User and decide who becomes an Admin. The latter has the power to share passwords and enact new rules for password length and strength.

Finally, a Super Admin can see all passwords, invite new users, and revoke access for shady ones. Be careful when delegating such absolute power – it can corrupt one absolutely. For example, if you don’t have confidence in your husband and give him the User level, he can transfer only his own passwords to another account. But if you were foolish enough to trust your wife with the Administrator account and she learns about your infidelity, there’s no way to stop her from clicking “Acquire Passwords.” This transfers all entries to her private Zoho Vault.

Also, if you like to stalk your fiance out of your own insecurity, you can check when he or she added, used, or removed certain passwords. As a Super Admin, you can also check from which IP address she accessed Netflix and determine if it’s not too close to her ex’s workplace. You don’t even have to check it every five minutes – an alert will be sent to you as soon as Zoho Vault notices any suspicious activity.

Emergency access

Most password managers ask for a master password to control the Vault. However, there are cases when people lose memory, be it temporally or permanently. And if there’s no option to recover a lost password, your whole vault is lost too. Luckily, that’s not the case with Zoho Vault.

This service allows you to delegate emergency contacts, which can also include you. If there’s an emergency in the company and you’re offline fishing on some remote island, your most trusted employees can gain access to the whole vault. You can set the time limit for such access and if you suddenly caught wifi, you can immediately stop the emergency protocol.

To increase the amount of panic in your company, Zoho Vault informs not only the trusted members but all available contacts about the start of the emergency. As a Super Admin, you will see all timestamps, usernames, IPs, and actions made inside the Vault. This will help punish employees that didn’t took necessary action and those who crossed the line.

Supports most websites

Zoho Vault allows you to save logins for more than 400+ predefined websites. That includes most social networks, streaming platforms, email services, and so on.

Zoho Vault 400 predefined websites

Just to give an example, we’ll list some less popular websites that Zoho Vault supports nevertheless:

  • Ahrefs, Allrecipes, Asana
  • Bank of Cyprus, Burger King, BestSecret
  • Coinbase, Coursera, Citrus
  • Dell, Drupal, Dyn
  • Epic Games, Evernote, Etsy

As you can see, adding most of your logins will be fast and easy. And if your website is not on the list, you can manually add the URL and other necessary data.

Security and privacy

In this section, we will look at the security and privacy features of Zoho Vault. Minor spoilers ahead – it is both private and secure enough for personal and business use. Let’s look into each feature more closely.

Encryption

Encryption is the core security feature of every password manager. Zoho Vault shows they mean business (both literally and figuratively) by implementing military-grade AES 256-bit encryption. This cipher is strong enough to make a brute force attack an afterthought. Even the fastest computer in the world would take more than a lifetime to try every possible combination.

AES 256-bit has been the industry standard for more than a decade, and rightfully so. It’s also used by VPNs (Virtual Private Networks) and firewalls, not to mention governmental institutions and corporations.

The best part is that Zoho Vault has more security features. Together with strong encryption, they make your password Vault even more secure.

Zero-knowledge architecture

OK, so Zoho Vault encrypts your database. But can they see all your passwords? The answer is no because Zoho Vault uses zero-knowledge architecture.

It means that your passwords are encrypted on your side before they even reach Zoho’s server. Therefore, you’re the only key holder and the only one who can access the vault.

Of course, there’s an element of trust here. There’s no way to prove that Zoho doesn’t have a backdoor for eavesdropping on everyone’s data. But after more than a decade in the password manager business, it still retains a good reputation and manages to keep the clients happy.

Master password

Master password is the key factor in your vault’s security. If it’s weak or if you share or reuse it irresponsibly, you may soon loose all your passwords and credit card details. Another bad idea is to refrain from using two-factor authentication (more on that below).

Luckily, Zoho Vault does what it can to prevent you from misusing your master password. For starters, a PBKDF2 algorithm gives your master password additional strength against brute-force attacks. While it’s no longer the best password hashing scheme as Argon2 took over the key derivation, it still makes things much much harder for hackers.

What’s more, Zoho Vault evaluates your chosen master password and informs if it’s too weak or already used somewhere else. You can also check online if your password has already leaked to the dark web.

Zoho Vault two-factor authentication (2FA)

As we saw in the previous section, cracking Zoho Vault’s encryption is nearly impossible. Enter two-factor authentication, which makes such attempts utterly worthless. Instead of using only “something that you know” (master password) to login, you add “something that you have” (smartphone) or “something that you are” (fingerprint, hand, retina, face). In such a scenario, your database will be hacked only after the attacker gets your master password and either steals your phone or cuts off your thumb.

There are many different two-factor authentication methods, and Zoho Vault offers quite a few:

  • Zoho OneAuth
  • Mobile-based OTP
  • Time-based OTP
  • YubiKey

To start using Zoho OneAuth, you need to download the app on your smartphone – both Android and iOS are supported. Now you get to choose between biometric (Fingering ID or Face ID), push notification, QR code, or time-based one-time password (OTP). You will be able to access your Zoho Vault straight from OneAuth without the need to type-in the master password. You can set it up on other devices as well.

Mobile-based OTP registers not your device but your phone number and sends a one-time code via SMS. Using the time-based OTP gives you a QR code to scan with your authenticator app, which can be either Zoho OneAuth or Google Authenticator. Finally, YubiKey is a physical key that you insert in computer’s USB port.

Security strategy

As a company with more than 40 million clients, Zoho has a robust security strategy, which incorporates privacy policy and GDPR-readiness. All employees must pass a thorough background check before laying hands on tasks that may put users at risk. They also sign a confidentiality agreement and train continually to have the latest information about online security.

Furthermore, multiple firewalls and segmented network help prevent unsanctioned access. In fact, all infrastructure is monitored constantly for any signs of misuse. Dedicated technologies against DDoS attacks and hardened servers make sure the service keeps running uninterrupted.

Every customer’s data is logically separated from the other’s, so there’s no way to get into another Vault if one becomes compromised. What’s more, if a malicious web page is uploaded to zoho.com, HTTP Strict Transport Security header (HSTS) will tell your browser to use an encrypted connection.

Zoho scans their network for spam, phishing, and other vulnerabilities. This also includes user’s files that may contain malware. Full backups are made every week and a user can retrieve it’s data as old as three months. There’s also an ongoing bug-bounty program to fix vulnerabilities faster.

Privacy policy

We should note that Zoho Vault doesn’t have a privacy policy of its own, falling under the general rules of the whole company.

To start with, Zoho stores your name and contact information but not credit card numbers, unless you give a permission. Your website and web application usage is also monitored. Data from Google, LinkedIn, and other social channels is also collected and stored.

Collected info that you provide:

  • Account signup
  • Event registrations and other form submissions
  • Payment processing
  • Testimonials
  • Interactions with Zoho

Automatically collected info from:

  • Browsers, servers, and websites
  • First party cookies and tracking technologies
  • Application logs and mobile analytics

Info collected from third-parties:

  • Signups using federated authentication service providers
  • Referrals
  • Information from our reselling partners and service providers
  • Information from social media sites and other publicly available sources

All the purposes stated for using this info are benign. It’s either to run the service or improve it.

Opt-out, data retention, and exceptions

You can opt-out from certain information gathering, but disabling cookies might stop some website features from functioning. Speaking about cookies, Zoho has disabled all third-party cookies from their products and websites. When it comes to browsers sending “Do Not Track” (DNT) signals, Zoho’s website ignores it.

Zoho Vault and other mobile apps may request for a number of permissions to access your camera, photo library, or device location. You can opt-out, but as always, this might end in the app not working properly.

Your personal data may still appear in blogs and forums after you delete the account. Fortunately, you can contact Zoho and ask to delete it.

Employees, contractors, and third-parties may access your data but only with a legitimate cause. Your personal information will be exposed in case of legal obligation, fraud prevention, or protecting other users.

After your account termination, your data stays in the database for six months and three more months in the backup. Interestingly, user data inside your Vault (in case you share it with someone) is deleted 30 days after user deletion.

As always, this may sound not that good but Zoho explicitly states they have never profited from advertising and don’t plan to do so, meaning your collected data isn’t used to make money.

Password storage and data centers

Zoho Vault has data centers in:

  • United States (Central Washington, Dallas)
  • Ireland (Dublin)
  • Netherlands (Amsterdam)
  • India (Mumbai, Chennai)
  • China (Beijing, Shanghai)
  • Australia (Melbourne, Sydney)

This information may be important to those that have to store their data in a certain country to meet local data retention laws.

For example, Australia has a mandatory data retention law that obliges keeping it for two years. Ireland is somewhere in between, while the Netherlands struggle to stay among the most privacy-friendly EU countries.

There’s no way to tell by yourself where Zoho stores your vault. But it’s not a secret either. You can contact their customer support and learn the whereabouts of your information.

Zoho Vault vulnerabilities

In 20+ years of Zoho and in 10+ years of Zoho Vault, there have been zero breaches or security scandals. The company seems to be sticking to its security strategy and privacy policy, not wanting to let down even one of its 40+ million clients. So does Zoho Vault have any vulnerabilities at all?

Some users might see the option to reset your master password as a weak point. What’s more, you can download the encrypted HTML file with your data. Many competitors don’t offer such features. On the other side, recovery works only for B2C clients – resetting a master password for the Enterprise account marks a new chapter in your business security.

The following one is not a vulnerability by any means but a setting that sacrifices security for convenience. Zoho Vault allows you to mark one browser on one device as trusted. In result, Zoho Vault won’t ask for 2FA in the next 180 days. So if someone steals your device and gets your master password, that will be enough to access your database.

Looking at the CVE database of vulnerabilities, we find Zoho’s name in five instances that are of average or less criticality. One from 2014 was a vulnerability in Zoho Books (who reads them these days?), and the other four were about Zoho SalesIQ plug-in, dating back to 2019. In comparison, our #1 password manager Dashlane had 1 while it’s fiercest competitor LastPass suffered 2 vulnerabilities.

Zoho Vault plans and pricing

Zoho Vault is a reasonably-priced password manager. If you were to compare different plans, you would see that some are actually really cheap. Zoho Vault pricing markets annual plans, but the discounts are insignificant when compared to a monthly option.

Here are the pricing plans of Zoho Vault password manager:

  • Free
  • Standard (monthly) – $1/month
  • Standard (annual) – $0.9/month (save 10%)
  • Professional (monthly) – $4/month
  • Professional (annual) – $3.6/month (save 10%)
  • Enterprise (monthly) – $7/month
  • Enterprise (annual) – $6.3/month (save 10%)

Zoho Vault pricing plans (yearly)

No matter which pricing plan you choose, you get the same 10% discount for going long-term. On the other hand, most password managers offer no discounts at all.

Like most password managers, Zoho Vault doesn’t offer anonymous payment, which wouldn’t be an option for companies anyway. You get to choose between Visa, MasterCard, American Express, and PayPal. Yearly subscriptions can be paid by bank or check transfer.

If you’d like to give this password manager a shot, visit the Zoho Vault website.

Pricing plan comparison

Zoho Vault has a strong free plan that will let you feel what this service is about. It has the core features of every password manager, letting you store unlimited entries, autofill and autosave logins, generate passwords, and use 2FA. For only a buck a month, Standard plan will give you password sharing, adding vault users, cloud backup, integration with G Suite & Office 365, and priority support.

The last two plans are business and family-oriented because you buy at least five accounts. The per-user price of the Professional plan is in line with most password managers, but the value it adds is questionable. By paying more than three times the price of the Standard plan, you’ll get more control over users, folder sharing, and emergency access account. It probably makes more sense to look at his plan as a lite Enterprise version, not as an upgrade from Standard.

Speaking of the Enterprise plan, it costs nearly two times as much as the Professional. Again, the marginal gains will probably be acknowledged by bigger companies only. We’re talking about SSO for cloud apps, even more control over users, custom alerts, and integration of Okta, OneDrive, Help desk, and SIEM. The Enterprise plan has a 15-day free-trial but it works for up to five users.

Zoho Vault setup

Setting up your Zoho Vault is really easy because it works as a web application on desktop computers. You don’t have to install any apps, only create an account on zoho.com, and come up with a strong yet memorable master password. Now you can connect to your database from anywhere.

Zoho Vault login screen

Not all Zoho Vault settings are available in the web application. For turning on 2FA, adding email addresses or restricting access to selected IPs, you will have to login to Zoho Accounts. You will find the link at the top-right corner of your vault interface.

The interface of Zoho Vault’s web application is outdated, but there’s a beta version of the upcoming re-design that will probably be a more popular choice. Once you’re in, you can immediately start adding passwords by pressing the “plus” icon at the top-right.

Zoho Vault web app, adding password

Once you have the first batch of passwords, you can organize them into folders, run an audit, and see more security insights in the Dashboard. At the bottom of the left sidebar-menu are Settings. Clicking on this will lead you to other features, which depend on your subscription plan.

Importing and exporting passwords

Zoho Vault is one of the best when it comes to importing passwords. This service supports more than 20 different browsers and password managers, in addition to the good old .csv format. Unfortunately, importing from Edge and Safari browsers is still unsupported.

To import your passwords, go to Settings > Import passwords, and choose your desired format. If you have logged in with Google account, you can import from Google Drive as well.

Zoho Vault password import options

Exporting passwords from Zoho Vault is just as easy. Simply go to Settings > Export passwords, and choose the desired format. It can be either .csv or Zoho Vault format .csv file. Additionally, you can export only one particular category or folder.

Mobile and desktop apps

Zoho Vault password manager offers apps for the following platforms:

  • Android
  • iOS

There are no apps for desktop users. Instead, they can login to zoho.com and access their vault from a web application, which is device-agnostic. Therefore, we will review Zoho Vault apps for Android and iOS.

Zoho Vault for Android

The Android Zoho Vault Password Manager is not that popular – only 10K+ installs for such seasoned service, released in 2014. However, the reviews are positive – at the time of writing this review, the overall score on Google Play Store was 4.3/5. The last update came in June 2020, so the provider certainly hasn’t forgotten Android users.

If you already have the Zoho Vault account, everything will most likely start with setting up 2FA. This password manager does a great job of saving users from themselves – that’s why you won’t be able to take screenshots. And that’s why we apologize for the quality of the “screenshot” taken with another phone.

The Android app is simplified. You can manage passwords, folders, and tweak settings. The Dashboard and Audit from the web application are gone.

Zoho Vault for Android - Settings

Here are the main settings available on Zoho Vault for Android:

  • Enable autofill
  • Choose when to lock the Vault
  • Generate passwords

As you can see, the Android app is more of a supplement to the web application that lets you control much more.

Zoho Vault for iOS

The iOS version has only two ratings, even though the app has been around for more than a few years. Just like its Android counterpart, the updates are regular despite the probably small userbase. However, I was unable to send push notification to the Android phone that I chose for 2FA. Therefore, I temporarily disabled it for the iOS review.

After login, the iOS app automatically offers to use Touch ID (which was already enabled). What’s more, there was an offer to access a password by asking Siri to open it for you. Interestingly, we were able to take screenshots.

The Settings menu looks similar to that of Android, but there are extra options to tweak. In addition to Siri shortcuts, you can add passwords to Apple Spotlight and enable access from Apple Watch. Moving to Security sub-menu, we find an extra option to use Touch ID. Android, in the meantime, has an option to lock Vault when your device gets locked.

Zoho Vault app for iOS

Interestingly, the iOS app has sharing usage statistics and sending crash reports turned on by default, while Android version uses the opt-in approach.

Zoho Vault: Browser Extensions

Zoho Vault has browser extensions for:

  • Chrome
  • Firefox
  • Safari
  • Edge
  • Brave
  • Vivaldi

Some users will miss Opera, but the addition of Brave and Vivaldi more than makes up for it. To install any of these extensions, you must first login to the web application, click My Profile at the top-right corner and then click the appropriate icon. In terms of features, they are comparable to Zoho Vault mobile apps.

Zoho Vault chrome extension

Chrome extension is up-to-date, but has only 40,000 installs. You can choose which URLs will omit autosave, generate passwords, and stop warnings about filling passwords in insecure page. Firefox extension counts less than 2,000 users and is identical to Chrome. The Brave extension also didn’t offer anything new, allowing us to believe that other add-ons are not much different.

Customer support

Zoho Vault has one of the better customer support among premium password managers. You can seek help by:

  • Email
  • Submitting a ticket
  • Calling the 24/5 line
  • Reading Knowledgebase
  • Searching in Forum

Zoho Vault customer support options

The call line is available from Monday to Friday, which is good for business clients. However, a 24/7 live chat would be more beneficial to individuals, who might consider Keeper or NordPass instead. Zoho Vault has been working with millions of clients for multiple years, so you can expect quality customer support all over the globe. In fact, there are multiple call centers in the US, the UK, India, and Australia, covering most of time zones.

Those who like to solve things on their own can dig into the Knowledgebase. It’s split to three thematic sections: Admin guide, User guide, and Integration guide. While the first two are self-explanatory, the latter deals with pairing Zoho Vault with third-party applications, such as Microsoft Office 365 or Azure. What’s more, all guides are print-ready so you can handout them to your staff.

Zoho Vault forum

Finally, there’s a pretty active user Forum. At the moment of writing this Zoho Vault review, the top post was four days old and had two answers. All posts fall under one of these categories: idea, announcement, question, problem.

Zoho Vault alternatives

As you probably saw from our Zoho Vault review, this password manager is oriented towards the business sector. So are there any services more tailored for individuals? Actually, there are quite a few alternatives to Zoho Vault, but we’ll look into just a couple.

Zoho Vault vs LastPass

Both password managers are among the top services in 2020. LastPass costs a bit more, but it also has a more feature-rich free version. Just like with Zoho Vault, you can authenticate not only with a proprietary tool but also Google, Microsoft, Sesame, or YubiKey. LastPass has Opera and Edge Legacy extensions, but at the price of Brave and Vivaldi.

What really separates Zoho Vault and LastPass is the customer support.The latter has only email, and no matter how fast it is, it cannot substitute a phone call or a live chat. So if none of LastPass’s features intrigue you, you might as well stick with Zoho Vault or try our second option.

Zoho Vault vs NordPass

NordPass is cheaper than LastPass and has a 24/7 live chat, which beats Zoho Vault’s 24/5 call line. The free version is also very strong, covering the main needs of generating, sharing, and auto-filling logins. Just like the Zoho Vault, NordPass also lets you put your passwords into folders. It also uses next-gen XChaCha20 encryption that beats the industry-standard AES 256-bit.

This password manager also adds Opera while still offering all Zoho Vault extensions. However, moving from Zoho to NordPass will be tricky because the latter cannot import from the former. Finally, one unique feature of NordPass is the option to pay using Amazon or cryptocurencies when most providers accept only credit cards.

For more NordPass features, see our NordPass review.

Should you get Zoho Vault in 2020?

If you’re looking for a password manager that your family or company can use together, then Zoho Vault is your choice. It’s web application works on all major platforms and there are extensions for most browsers, including the likes of Brave and Vivaldi. It’s easy to use and the free version will let you feel whether you will be happier with premium subscription.

What’s more, Zoho Vault lets you import from more than 20 browsers and password managers, so you should be able to start right away. There’s also a list of third-party services that integrate well with Zoho Vault, such as Office 365 or Dropbox. Last but not least is the 27/5 phone line and responsive email support.

When you shouldn’t get Zoho Vault? There are only three instances. First, you have an extensive database in Safari or Edge, which is impossible to import. Second, you don’t want to manually scan the dark web to see if none of your accounts appeared online. And the last – you want a password manager for strictly personal use.

To learn more about the best password managers, check this article

FAQ

Is Zoho Vault free?

Zoho Vault isn’t free for enterprise customers. However, if you’re using it as a private individual, it’s a completely free service. However, there are some limitations available only to paying customers. You can try them for 15 days trial.

Has Zoho Vault been hacked?

It would be tough to hack Zoho Vault, considering that your data isn’t in plain text. The copies that reach their servers are already encrypted chunks of data. They become readable data only when unencrypted, which is impossible without your master password.

How to use Zoho Vault?

To begin using Zoho Vault, you’ll need to create an account. Go to the Zoho Vault homepage and sign up. Once you create your account and set a master password, you’re all set. You’ll be able to access Zoho Vault and store your passwords there instantly.

Is Zoho Vault trustworthy?

Zoho Vault relies on AES-256 encryption, plus it encrypts your data before uploading anywhere. These are quality security measures. If you need a password manager to avoid the hassle of typing passwords, this password manager is a valid and secure alternative.

What is the worst place to store passwords?

Ultimately the worst place to store your passwords in a .txt file on your desktop named “Passwords.” Should your system became compromised, the hacker would get direct access to all your online accounts. At the same time, it’s hard to remember all passwords that you have, especially if you’re trying to make them safe and unique. The password manager seems like a much better and more secure option.

Related articles:
Leave a Reply

Your email address will not be published. Required fields are marked *

I agree to the Terms & Conditions and Privacy Policy.

Table of Contents
Subscribe for Security Tips and CyberNews Updates

© 2020 CyberNews – Latest tech news, product reviews, and analyses.