Keeper (password manager)

Keeper Security, Inc. (Keeper) is a global cybersecurity company founded in 2009 and headquartered in Chicago, Illinois. Keeper provides zero-knowledge security and encryption software covering functions such as password and passkey management, secrets management, privileged access management, secure remote access and encrypted messaging.

History
In 2009, Craig Lurey developed the original Keeper app with Darren Guccione. In 2011, Lurey and Guccione officially co-founded Keeper Security, Inc. As of March 2022, Keeper had offices located in Chicago (US Headquarters); El Dorado Hills, California (Software Development); Cork, Ireland (EMEA Business Sales); and Cebu, Philippines (International Customer Support).

In October 2019, Keeper launched KeeperMSP, a password management platform designed specifically for managed service providers (MSPs), managed security service providers (MSSPs), and their customers. In August 2020, Keeper received a $60 million minority investment from venture capital firm Insight Partners. In March 2021, Keeper launched Keeper SSO Connect. In January 2022, Keeper announced the launch of Keeper Secrets Manager.

In February 2022, Keeper acquired remote access gateway company Glyptodon Inc., creator of Glyptodon Enterprise and Apache Guacamole, and commenced integrating Glyptodon Enterprise into its product suite. In May 2022, Keeper launched Keeper Connection Manager, a rebranding and revamping of Glyptodon Enterprise into a commercial-grade remote desktop gateway with expanded capabilities, advanced integrations, and ongoing feature development.

In August 2022, Keeper Security became Authorized on the FedRAMP Marketplace at the Moderate Impact Level. In November 2022, Keeper Security became Authorized on the StateRAMP Marketplace at the Moderate Impact Level.

Software
Keeper offers a password manager that uses a freemium model for one device and a subscription-based model for households and businesses. Keeper provides storage for passwords and passkeys, identity data, and financial data, along with a password generator and two-factor authentication. The premium version offers unlimited storage on an unlimited number of devices, along with cross-device syncing and record-sharing.

Keeper Security developed and launched KeeperMSP, a password management system for managed service providers (MSPs) and managed security service providers (MSSPs). Keeper Security has also launched the Keeper Security Government Cloud, a FedRAMP Authorized cybersecurity platform for government agencies.

Keeper supports multi-factor authentication methods such as Google Authenticator, Duo Security, FIDO U2F, hardware keys, and biometrics. Keeper’s encryption uses AES-256 keys combined with PBKDF2 key derivation so that only ciphertext is sent to Keeper’s servers.

Keeper also allows file-sharing using PKI encryption, including Keeper One-Time Share for sharing files with non-Keeper users.

In 2023, Keeper Security added passkey support for all desktop browsers. In the same year, Keeper Security added a Password Rotation feature that allows organizations to automatically change their credentials for various services.

Reception
PC World named Keeper an Editor's Choice in 2019 and Most Security-Minded Password Manager in 2022. PCMag named Keeper “Best Password Manager for Businesses” (2022), as well as Best Password Manager and Editors' Choice for the previous three consecutive years. Tom's Guide named Keeper one of the best password managers of 2022. U.S. News & World Report's 360 Reviews team named Keeper Best Overall Password Manager of 2021.

Incidents
In December 2017, Keeper was bundled with Windows 10 by Microsoft. Google security researcher Tavis Ormandy disclosed that the software recommended installing a browser add-on that contained a vulnerability allowing any malicious website to steal any password. A nearly identical vulnerability had previously been discovered and disclosed to Keeper in 2016. Within 24 hours, the company issued a patch.

Reporting and lawsuit
Dan Goodin of Ars Technica appears to have been the first to report on the vulnerability in the press. Days later, the company that makes Keeper sued Goodin and Ars Technica, claiming their article was defamatory and misleading. A number of security experts decried the lawsuit as "bullying" or "ridiculous" and said that "the lawsuit will cause more damage to the company than the article" did. The lawsuit and Ars Technica's anti-SLAPP response lawsuit were dismissed on March 30, 2018, and Ars Technica added further clarifications to their article.

Following the lawsuit, Keeper launched a public vulnerability disclosure program in partnership with Bugcrowd.