Updated with overhaul of mobile apps and resolution of Google login process. This review was originally published Dec. 17, 2017.
For those of you who aren't familiar with Zoho, the company offers a comprehensive suite of software tools for business managers. In 2013, the company debuted Zoho Vault, the password-management component of that suite, as a way for coworkers to manage and share passwords.
But Zoho also made Vault free for individual, non-business users, and the service has since gained a lot of attention as an alternative to subscription-based password managers.
Although the enterprise roots of Zoho Vault are apparent in many areas, the fact that a personal user can get by on a completely free plan, complete with syncing of unlimited passwords across unlimited devices, makes it a tempting prospect.
The increasing interest in Zoho Vault may have played a role in LastPass' decision to make unlimited-device syncing free in late 2016. And, truth be told, LastPass' free option now beats Zoho Vault in most areas; the latter doesn't fill out personal details in online forms, and until recently had trouble with Google logins. (A Zoho representative told us that issues has been fixed.)
Zoho Vault is really worthwhile only for its inexpensive group plan, a bargain for families of four or fewer who want to share passwords.
Zoho Vault costs and what's covered
Zoho Vault follows the same freemium model as many password managers, but offers one of the more fully featured free options. Both free and paid users can save unlimited passwords and notes, attach files, sync across all of their devices, generate passwords, import and export passwords, use two-factor authentication and receive a password assessment.
The cheapest paid version costs $12 per user per year, and adds features that a small business or a family would use. You can share passwords, add user management controls, receive password expiration notifications, perform automated account backups, receive priority tech support and restrict access by IP address. But watch out for the mounting costs as you add users: families ranging from four to six members might be better served by LastPass' $48-per-year family plan.
Zoho Vault on the desktop is entirely browser-based, so there are no platform compatibilities to worry about.
More expensive paid versions of Zoho Vault, costing $4 and $7 per month per user, are strictly for enterprises and add a bulk password changer, emergency account access by managers and a whole host of administrative tools.
Like LastPass, Zoho Vault on the desktop is entirely browser-based, so there are no platform compatibilities to worry about as long as you can use Google Chrome, Mozilla Firefox or Apple Safari. Even if you don't, any modern browser can log in to the Zoho website interface. On mobile, there are native apps for Android, iOS and Windows Phone that you can find in their respective app stores.
For this review we used Zoho Vault on an Apple laptop running Windows 10 and macOS 10.12 Sierra, an iPad Pro 12.9, a Samsung Galaxy S8+ and a Google Pixel. Google Chrome was our primary browser across all platforms, but we also used Safari on macOS and iOS.
Zoho Vault setup
Getting started with Zoho Vault is simple enough. You just enter your email address and a password to make a Zoho account, and then create a passphrase that serves as the protection for the Vault itself.
This passphrase is the equivalent of the master password on most other password-management services. You'd better not forget the passphrase after signing up with Zoho Vault, as there is no way to retrieve it.
Zoho then guides you through installing the browser extensions to enable one-click login going forward. Although Zoho Vault supports importing credentials from a quite a few other password managers, it will not pull in data from the built-in password savers in web browsers.
Mobile setup is simple as long as you do it after the desktop setup. Download and install the app, log in with your Zoho username, password and Vault passphrase (don't forget that the latter two are different items), and then everything syncs up as expected.
If you enabled two-factor authentication (2FA) during the setup on your computer, then that will be necessary as well.
Zoho Vault on the desktop
As mentioned previously, Zoho Vault is entirely browser-based on a computer, so the only ways to access your data are via the Zoho website or its browser extensions.
This is certainly convenient, but it does limit your options. You can't use any of the biometric login options available on Windows or macOS, such as Windows Hello or Touch ID, which would have saved you the hassle of repeatedly typing out your lengthy passphrase.
Unlike most other password managers I tested, Zoho is definitely a business-first service. The enterprise focus is evident throughout the user interface, although some of the language choices, such as "Secrets" — as Zoho Vault calls stored items — and "Chambers" feel a little odd, even in a business context.
Although Zoho Vault lets you save items such as credit-card numbers or passport numbers, it doesn't have the convenient form-filling functions most consumer password managers offer.
You can't store your name, address, email address, phone number and so on, and then just click a button to fill in the appropriate fields while creating an account or shopping online. (Some web browsers offer this, but it's much more secure when a password manager does it.)
The website interface defaults to the Secrets tab, displaying all of your login credentials in an alphabetical list. There aren't any other sorting options, but you can narrow the displayed list's contents by clicking on the "Show" drop-down menu at the top of the column, then filtering according to options such as "favorites," "my most used" and "secrets shared to me."
When you click on a "Secret," its information displays in a small column on the right. But if you need to edit an entry, you can click the pencil icon in the main column for that secret. You can add extensive information to each secret, including notes and attachments.
Gmail users should be aware that when we tested Zoho Vault, it didn't handle Google's two-page login process very well. The Google account credentials that I successfully imported into several other password managers failed to register in Zoho Vault.
To correct this problem, I had to edit the entry for your Google account to include the full URL of the Google login page: https://accounts.google.com/ServiceLogin?sacu=1&scc=1&continue=https%3A%2F%2Fmail.google.com%2Fmail%2F&hl=en&service=mail.
Even after doing this, I still needed to click on the Zoho Vault browser extension to enter my Google password, as it didn't automatically appear in the entry field as other passwords would. This issue appeared to be limited to Google, but given the widespread usage of Google's online services, it was a fairly substantial annoyance.
However, a Zoho representative told us that this issue has now been resolved. We'll confirm that with hands-on retesting soon.
Chambers is the folder system for Zoho Vault, and you can create chambers and subchambers with descriptions and as many secrets as you would like to include. This is particularly useful for business or family users who want to share only some of their secrets, but it has its place for individual users who just like to keep everything organized.
Sharing is generally limited to those users in your designated group, but there's a way to "share with outsiders," as Zoho puts it. Enter the recipient's email address, and Zoho Vault sends him or her a link with the "secret" encrypted with a brand-new key. You get the brand-new key code, and have to communicate it to the recipient within 30 minutes before the code expires.
Features on the Tools menu aren't likely to come up too often, but they let you download an encrypted HTML version of your vault for offline access, export your secrets for use on another service or import secrets from another service.
You can download your current vault at any time, and can then access it offline from any standard web browser after you enter your passphrase. Your vault is read-only in this state, but you can export it as a general CSV file, or in a special Zoho Vault CSV format.
In the Settings tab, you access the browser extensions, the auto-login bookmarklet, sharing settings, general settings, password policies, secret types and passphrase changes.
Both the sharing menu and the password policy have a strong enterprise feel, with references to the "super admin," through whom all password-sharing approval passes, and "your organization's IT policy."
Audit won't be relevant for most personal users of Zoho Vault, but it provides time-stamped entries and other details for any changes, including which secrets were changed, what the changes were and which users made them. You can also see which changes a specific user made.
Admin is split between enterprise and general-use features. User management controls the privileges for any users beyond the primary administrative user. Data backup lets you automate daily or weekly backups. You can also require 2FA for certain users, and view the status of your current subscription along with the option to upgrade.
The final tab in the website interface is your password-assessment report, and it's one of the more comprehensive implementations I've seen. It breaks out your passwords by complexity, and dings you for using part of your username, recycled passwords, reused passwords, old passwords or dictionary words.
The browser extension for Zoho Vault is pretty basic, but it handles everything it needs it to. You can view and edit all of your secrets and chambers. You don't have as many options for parsing this data, but the search bar at the top should usually get you where you need to go. Beyond that, you can add new secrets, sync your vault or make general settings changes.
Zoho Vault mobile apps
When we tested Zoho Vault, its iOS and Android apps were fairly rudimentary, although we managed to replicate the majority of the features from the web interface. We liked the apps' look and usability better, as they adhered to current design standards for both platforms.
Zoho recently overhauled both its iOS and Android apps, adding a Dark Mode as well as smoother form-filling. We'll be re-testing both apps soon and will update this review with our findings.
Zoho Vault is really worthwhile only for its inexpensive group plans.
The mobile apps' primary screens will show you a complete list of your secrets, which you can view or edit as needed. Not all of the category filters from the website interface are available, which feels like an odd omission, but you can still filter by favorites or shared items. Chambers are also accessible separately, which may be motivation enough for users to organize their secrets.
The password generator is accessible in either the edit screen for each secret, or by tapping "Others" (another odd choice) in the main menu, which will then display Password Generator and Settings.
Zoho Vault didn't support the auto-fill features on iOS that many other password managers offer, but the new overhaul promises to fix this omission. In Android, you can turn on Zoho Vault in the general accessibility settings in order to autofill passwords for other apps. Both iOS and Android support Zoho Vault's fingerprint login.
Zoho Vault security
Zoho Vault relies on the same AES-256-bit encryption that most password managers use. Your data is always encrypted on Zoho's servers or in transit to your device over SSL, and is decrypted only on your devices. Without your master password, it is virtually impossible for a hacker to do anything with your data.
Zoho Vault supports 2FA through SMS text messages, phone calls or authentication apps such as Google Authenticator. All worked fine in my testing, and if you're on a multiuser plan, you can set 2FA requirements for users individually. Settings to adjust your 2FA parameters are available only in the website interface, but changes made there will apply to the mobile apps as well.
For users who would rather keep their vaults offline, there doesn't seem to be any easy mechanism for Zoho Vault software to sync data locally, such as over a Wi-Fi or Ethernet network. It may be possible to copy Vault files from one PC to another, but we haven't tried.
Zoho Vault manages to hit many of the must-have features for a password manager, but ultimately the service simply can't compete with its more consumer-focused rivals.
The relative weakness of form-filling capabilities, and the somewhat frustrating user interface, should scratch Zoho Vault from consideration for any personal users who don't need its enterprise feature set.
If you simply can't justify paying for a password manager, then I would strongly recommend the free tier from LastPass. It offers a superior interface and feature set along with the option to bump up to one of the most feature-rich (but still affordable) premium services on the market.