Hypervault is a password manager for teams and companies. Its impressive team password management functionality, however, is let down by flawed software and server-side encryption. In this Hypervault review we take an in-depth look at how secure this password manager is and ask whether it is worth your money.
Pricing for Hypervault is very reasonable, with discounts available for bulk licenses and a 10 percent saving for annual purchases. Payment is via card or PayPal.
A 7-day free trial is available; it requires only an email address, which is not verified.
- Password templates
- Team functions
- White label
- 2-factor authentication (optional)
- Chrome browser extension
- iOS app
- Self-hosted solution promised soon
Passwords are encrypted server-side, meaning that Hypervault does not provide end-to-end encryption (e2ee).
You can customize Hypervault to replace its logo with your own and you can link Hypervault to your own domain.
You can improve security by enabling 2-factor authentication using the Google Authenticator app.
Chrome browser add-on
The browser add-on for Chrome (only) is supposed to auto-fill passwords and save new passwords as they are entered. Unfortunately, enabling the extension in Chrome broke many login pages we visited. The login fields simply stopped responding. It also simply failed to autofill logins or save new passwords on any pages we visited.
A quick check on Hypervault’s Facebook page confirms that others find the Chrome extension to be very buggy.
A self-hosted on-premise solution is not available at the time of writing this review but is open for pre-registration. It will require a hosted domain and will not run on a local machine.
In theory, self-hosting could solve many of the privacy and security issues we discuss in the next section, but as it remains a subscription-based service, we can only presume that Hypervault continues to have full access to your data.
Privacy and security
As always with this kind of thing, the first point to mention is that Hypervault is a closed source product. This means there is no way to verify anything that it says about its service. We have no particular reason to distrust Hypervault, but at the same time, we have zero reasons to trust it.
Hypervault is headquartered in Belgium, and so is subject to the GDPR. Belgium is a Fourteen Eyes spying partner, however, and in 2016 it was reported that Belgium was introducing intrusive new surveillance legislation similar in scope to the UK’s highly controversial Investigatory Powers Act (aka the Snoopers’ Charter).
We have been unable to determine, though, whether this legislation is now enacted in law.
Bucking the recent (good) trend in security software, Hypervault does not offer end-to-end encryption. Passwords at rest are hashed server-side using PBKDF2, hardened with a random salt and multiple iterations (the amount of salt and number of rounds of iteration used are not specified).
No details are provided on the website about encryption during transit, but the web console is protected by HTTPS so we think it fair to assume that is what is used.
All of which is fine as far as it goes. This setup should keep passwords secure from hackers, and for many users, this level of protection will meet their threat model.
Those with a more rigorous threat model should be wary. Encryption is performed server-side, which means that passwords are not secure against internal threats such as rogue employees, or if Hypervault was required by law to collect or hand over passwords in plaintext.
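The trust boundary described above can be made concrete. The following is an added example, not Hypervault's code: it contrasts the server-side model the review describes with an end-to-end design in which PBKDF2 derives the key on the client. The `Server` class, all function names, and the iteration count are assumptions, and the cipher is a standard-library stand-in for an AEAD such as AES-GCM.

```python
import hashlib, hmac, os

ITERATIONS = 200_000  # assumed value; the review notes Hypervault does not publish its count

def derive_key(master_password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; 64 bytes = 32 for encryption + 32 for authentication
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS, dklen=64)

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(hmac.new(enc_key, nonce + i.to_bytes(4, "big"), "sha256").digest() for i in range(length // 32 + 1))

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Stdlib-only stand-in for an AEAD: HMAC counter keystream, then an HMAC tag
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key[:32], nonce, len(plaintext))))
    return nonce + ct + hmac.new(key[32:], nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key[32:], nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered record")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key[:32], nonce, len(ct))))

class Server:
    """Hypothetical vault server: `seen` logs everything the operator's side handles."""
    def __init__(self):
        self.seen, self.db = [], {}

def store_server_side(server: Server, name: str, password: bytes, server_key: bytes) -> None:
    # Plaintext arrives over HTTPS; the server holds the key and encrypts at rest.
    server.seen += [password, server_key]
    server.db[name] = seal(server_key, password)

def store_e2ee(server: Server, name: str, password: bytes, master: str, salt: bytes) -> None:
    # Key is derived and used on the client; only the sealed blob is uploaded.
    blob = seal(derive_key(master, salt), password)
    server.seen.append(blob)
    server.db[name] = blob

def operator_can_recover(server: Server, name: str) -> bool:
    # True if any key-sized value the server ever handled opens the stored record
    for item in (x for x in server.seen if len(x) == 64):
        try:
            unseal(item, server.db[name])
            return True
        except ValueError:
            pass
    return False
```

In the server-side model the operator holds both the plaintext and the key, so `operator_can_recover` returns `True`; in the end-to-end model the server only ever handles the sealed blob.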
Support primarily comes in the form of a knowledge base which provides some basic documentation for using the service, but which is rather sparse.
The website features a live chat-style widget, but support was always offline when we checked. At the time of writing it has been around a day since we asked a question, and we have not received a reply.
There is also a Facebook group. This seems to be moderately active, although a lot of posts relate to issues encountered by Hypervault customers (notably the buggy Chrome extension). Judging from the responses, Hypervault is something of a one-man operation.
Ease of use
Hypervault is primarily a browser-based web application which can be accessed from any internet-capable device. It also offers a (very buggy) Chrome browser extension and an iOS app. An Android app is promised soon but was not available when this review was written.
The web application
The web dashboard looks quite smart, but we immediately ran into problems. Although we could create new entries, every attempt to import passwords from existing CSV files failed. Even when the CSV files were test files offered by Hypervault itself!
In theory, you can upload CSV files to a number of pre-defined templates. Unfortunately, when we tried to do this we were either told to use compatible CSV files (even when using Hypervault’s own test files) or were told the import was successful but couldn’t find the passwords anywhere! We tested on a number of platforms.
It should also be possible to manually map CSV entries to template fields. But in both Chrome and Firefox in Windows, no “Next” or “Import” button appeared with which we could complete the operation. On a Mac and a Chromebook, an “Import” button did appear but nothing happened when we pressed it.
It is possible that we have failed to understand the import process, but the documentation offered us no help.
We fared better at creating new groups and passwords. Hypervault creates a Company and a Personal group for you, but groups can be created, deleted, and edited at will. Each group can be further subdivided into any number of “clients” or “projects” in order to provide fine-grained management of your passwords and other data.
Within each group, different categories of data, such as mail, website, commuter accounts, and so on, can be added using the relevant templates. You can then simply add new entries to each category.
Individual passwords can then be shared via email or with any team you have created. If shared by email, the recipients do not need to be Hypervault users - a link is sent which allows them to view the shared password.
In addition to individual passwords, any group or subgroup of passwords can be shared, although to view these the recipients will need a Hypervault license. Shared passwords expire after 24 hours by default, although this can be easily disabled.
In the team management window, you can create teams and add license holders to them.
You can also create group permissions and assign them to individual team members.
This is a very handy feature as it means you do not have to create new permissions for each user.
The iOS app
The iOS app is basically just a front-end for the regular web interface. Which is fair enough.
In its current state, it is hard to recommend Hypervault. The Chrome browser extension and CSV import function are core features of this service, yet they are both buggy to the point of being unusable.
From a security and privacy standpoint, we are never going to be happy with a closed source product which uses server-side encryption.
Which is not to say Hypervault is without merit. At its core, it offers powerful and flexible team password management with multiple layers of group, team, and permissions structuring to provide team leaders fine-grained and highly scalable control.
That Hypervault appears to be a one-man project almost certainly explains many of its faults and does not offer much reassurance that they will be fixed anytime soon. That does not take away, however, from the fact that there is much about Hypervault to admire.
Most people don’t care about NSA-style surveillance, so if developer Glenn Van Croonenborch can find the time and resources to fix its bugs, many businesses may find Hypervault’s fine-grained team management functions ideal for their needs.