Thycotic Software’s Secret Server (“TSS”) is a competitor to ManageEngine’s Password Manager Pro (“PMP”). We have learned of a document circulated by Thycotic purporting to compare TSS and PMP. Although it is not uncommon for prospective customers to ask for a feature comparison of competing products, unfortunately the Thycotic comparison document is false and misleading on numerous key points. Until now, we have chosen to refrain from responding publicly and instead focused on continuing to build and improve our industry-leading solution. Because we have continued to receive comments from customers who have received the Thycotic comparison document, however, we have decided to respond here and set the record straight.
The Thycotic comparison is inaccurate in numerous respects. For example:
- Thycotic falsely claims that PMP uses only AES 128-bit encryption. In fact, since 2011, PMP has used AES 256-bit encryption.
- Thycotic falsely claims that PMP uses only MySQL as the backend database. In fact, PMP supports both MySQL and MS SQL Server databases.
- Thycotic provides misleading information about PMP’s platform support. In fact, PMP can run on both Windows and Linux platforms, in physical or virtual environments.
- Thycotic falsely claims that PMP does not support FIPS, the Federal Information Processing Standards. In fact, PMP can run in FIPS-compliant mode.
- Thycotic purports to compare pricing by stating that PMP is more expensive when licensed on an annual license over a 5-year period, but in doing so Thycotic ignores the fact that PMP is available in multiple editions and also on a perpetual license model, which would be far lower priced over the same five-year period.
Thycotic’s comparison document also suggests that PMP lacks adequate support because our staff are located in India. Such assumptions, based on cultural stereotypes, are unhelpful.
In addition, as a matter of business practice we believe that a responsible information security company, upon learning of what it perceives to be a security vulnerability in a third-party product, should first advise that company so that, if the issue is confirmed, it can fix it and disclose it proactively. Here, Thycotic made no such outreach to us. Had they done so, we could have pointed out where their information was simply incorrect.
We have also prepared our own comparison document, which we produced as objectively as possible from information publicly available on Thycotic’s website as of 22 March 2012. We hope you find our comparison helpful and informative.
Our intention has always been to help prospects choose the best product for their needs. ManageEngine’s approach and attitude has always been to fight hard and fight fair, and be open about it. We will continue doing that and leave it to the market to decide. Let the better product win!
A few updates for the Thycotic guys:
Regarding “Smart Card / PKI / Certificate Authentication”: Secret Server does support it; the appropriate documentation for configuring it is here: https://support.thycotic.com/kb/a545/does-secret-server-support-smart-cards.aspx. Rather, to be more specific, the product itself does not support smart cards; however, since Secret Server only runs on Internet Information Services, and IIS supports it, that gives Secret Server support for it.
For “Separate Personal Password Management” the answer to that is “Yes”, too. They introduced a feature called Personal Folders in 8.6.
The licensing model for Secret Server is a bit more complex than the document lets on. For “No restriction on passwords to be stored,” there is an upper limit for the Express edition of 1000 passwords (secrets).
Thanks for the information, Kevin; I appreciate your time. We will review this and update the comparison document appropriately.
And BTW, from your email ID on the WordPress notification mail I infer that you work for Thycotic. Good to collaborate with you in making sure this comparison document is fair and helps the intended audience. But I would have appreciated a disclosure 😉
I was reading with interest until I got to the 2FA section and then I stopped. If you’re going to have a rant about accurate comparisons of products, you have to get the data for your competitor right.
Secret Server supports Google 2 Factor authentication.
Sean, you are right. We periodically update this document, and when we did it last time (July 2014) we had overlooked Thycotic adding support for Google Authenticator. The comparison document is updated now with details available on Thycotic’s website (http://www.manageengine.com/products/passwordmanagerpro/pmp-thycotic-features-comparison-document.pdf). I acknowledge it is a mistake, and we will do our best not to repeat it.
The objective behind this blog post was to clarify our stand and to publish the comparison for public consumption, so that reviews and feedback like yours are possible. In 2010/2011, we heard from prospects that Thycotic wanted this document to be confidential, and we acted to make it public.
I appreciate you taking the time to let us know about this; thank you so much for your time. If you need any assistance or any more information, do let me know.
I see this comparison, but I came across another one on PleasantSolutions that made it look like Pleasant Password Server is much better than PMP. Is that true?
Max, you are spot on. The other important thing is not just to claim encryption with longer key sizes, but to implement it well with appropriate key protection. For that reason, an AES 1024 implementation can be much less secure than AES 128 if implemented poorly.
The Thycotic document just says “AES 128 bit encryption is not as secure as AES 256 bit encryption,” discounting all such factors. Unfortunately, selling IT security has become more about selling to the ‘fear’ emotion by creating perceptions.
Thanks for your time; I appreciate your comment.
I know that PMP uses AES 256, but the fact that Thycotic lists AES 256 as an advantage over AES 128 shows they are just grasping at straws.
Modern, state-of-the-art computer clusters cannot brute-force crack a strong password encrypted with AES 128, and (unless a vulnerability in AES is found) will not be able to crack it in the foreseeable future.
Obviously AES 256 is much stronger, but why not just skip it and use AES 512 or even AES 1024? Because it’s unnecessary, and by the time we gain the ability to brute-crack AES 128, we will be using a different encryption algorithm anyway.
Thanks for the very objective response and the comparison document. I have always loved the way ME competes.
We are not, at this point, actively looking for a password management tool, but you will certainly be a choice for us to evaluate as and when we do.
Tim
Security is a major concern, and we could all argue endlessly about 128/256/512/1024-bit encryption (personally, I’m not that worried since our PMP server is in our secured subnet on a well-protected server), but the fact of the matter is that PMP is buggy, and their support portal is weak at best.
I hate having to send an email (or enter a “web” request, which is still the same as sending email to support) for every issue I run across, with no way to review past tickets without having to peruse my sent/received emails from them.
Also, most problems I’ve run across have been responded to with one of the answers “we no longer support that …” or “we’ll enter a request to have that fixed (enhanced) in the next release.” I’m not holding my breath.
I do not trust the product, especially when it reports so many false positives and also says that it successfully changed a password when in fact it did not (it has major issues with Cisco devices [IOS/CatOS], and does not work properly at all when those devices are configured to use SSH [telnet access works fine]; talk about a major security flaw!).
PMP has great potential, but was obviously not ready for the market at its release, and even though they toot their horn about some of the larger companies using it, I really wonder how happy/impressed those companies are with the software.
Even though it is much cheaper than most similar products, I would not recommend anyone spending the money at this time.
Hi Paul,
Thanks for the candid response. I apologize for the bad experience you have had with the product. The team is working to troubleshoot the Cisco password management issues for you. I can assure you that this feature works well for many of our customers, and the issue could be the way in which we handle environment-specific issues. I will make sure we get this resolved for you soon.
I will also take up the case of opening our support portal to our customers; we had an experimental run for one ManageEngine product, and based on the results we will be opening up the support portal for all our products. I will work with the relevant team to expedite this.
Our support team will get in touch with you and help resolve the problems. I believe we will be able to make the product useful for you and win your trust back. I appreciate your feedback and support.