Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.

I’ve written in the past about how certain companies or certain categories of companies might fail. I was thinking of writing something similar here, but password managers are an interesting space because they involve both enterprises and consumers. Sometimes, they intertwine… So, this post might be a bit rambly, but it walks through my thoughts on the password management space and how it could succeed or fail. I’m not picking a side as I usually do.
What are password managers?
To say the least, they are interesting products, and it makes one wonder why they weren’t more popular before. Is it because more online products require passwords? Have enough passwords been leaked that people now want a unique password for each site?
Regardless of the reason, password managers are my favorite type of security product. Using a password manager actually makes life easier for the customer: the customer doesn’t have to type in the password, it auto-fills. On top of that, it makes it easier to create a unique password for every site, which increases security. In other words, using a password manager makes password entry easier and increases security at the same time. That’s the best of both worlds!
Of course, users can find their own ways to manage passwords, such as spreadsheets, notebooks, or even building their own managers. However, password managers have delivered good value because they provide “expertise.” It’s based on a reasonable assumption that users themselves aren’t good at security or managing passwords because it’s hard. As a result, for a small price, you can have someone else with expertise do it for you. This seems like a great security product! (Of course, sometimes, they mess up, such as LastPass, but that’s better than
So, what’s the problem?
Several problems make this market hard. First, users only want one password manager. It doesn’t make sense to have more than two because it becomes confusing which password is in which manager. As a result, this is definitely a “winner-takes-all” market, making it hyper-competitive. Markets like these require a lot of sales and marketing as well as efficient product development. This means that the company will likely have to burn a lot of capital in pursuit of growth, making it unclear when the company will be profitable, especially with just a single product.
Second, the pricing model is difficult. These are applications, so they have to be priced per user rather than on usage. However, as with a lot of applications, the more a user uses the application, the more it costs to serve them (storage, computation, etc.), which might make the margins look worse. Also, raising prices might cause churn. This makes it tough for a product like this.
Third, the product has to be sold to consumers. It’s hard to have ordinary consumers pay for security, but in this case, there seems to be a good value proposition and added convenience. Not having to manage passwords and having more security sounds great! However, it’s still hard to get the money out of consumers when they can be spending it on something else that gives them more value, such as music or television. As a result, companies like 1Password and LastPass have decided that enterprises are better customers than consumers. In fact, to encourage more adoption, they are offering the consumer version for free. This makes me feel that they are making good money on the enterprise version and not so much on the consumer side. That makes sense given that’s how Google Enterprise works. Gmail is free, but business Google Workspace costs money. Similarly, individuals can use Notion for free, but they charge businesses for the enterprise features.
What’s next for password managers?
Password managers are like any SaaS product. It’s hard to monetize off one product, and in order to have a healthy margin and amortize costs in sales and marketing as well as product development, you have to sell a platform and charge for multiple applications. In other words, you can’t build a company with one product in SaaS.
So, what else can password managers charge for? It seems hard to charge for usage, e.g. more passwords means more money. That’s usually reserved for infrastructure products. It’s also hard to charge for more security features. It’s similar to charging more for a “better” helmet: a cheap helmet should already be pretty good and protect you, so what’s the marginal value of a better one? It feels like a difficult upsell. Of course, you can always attempt the upsell, but the cost of expanding the product is high. Would you charge to use secure notes? Would you charge to store one-time passwords? Maybe you can sell support and some security dashboards or monitoring, although it does feel like this is important enough that you should probably send these logs to a SIEM or MDR anyway, since having audit logs is table stakes. Expanding the market feels hard here.
Both Dashlane and LastPass seem to struggle to find where they should expand their product. 1Password seems to be the most aggressive in expanding. They have tried to position their password vault as a competitor to HashiCorp Vault with 1Password Developer, helping developers manage secrets. This seems like a potentially good expansion. But that has historically been a hard market, as evidenced by IBM acquiring HashiCorp.
It seems that 1Password is also expanding into endpoints with the Kolide acquisition. I’m a bit unclear what decision is being made there. Is it that they want to understand the posture of endpoints because passwords are likely stolen through out-of-date endpoints? If so, maybe they don’t want to unlock 1Password vaults on computers that aren’t up to date, but I’m not sure how that captures value. Or do they want to get into the endpoint management space? That seems pretty competitive, with strong incumbents such as CrowdStrike.
Either way, it feels like this is a hard product to expand into a platform.
What might happen to these password managers?
Honestly, I don’t know. It feels like they are one step away from being commoditized if Apple or Google decides to ramp up its commitment to password managers. The problem is that companies like Google and Apple aren’t incentivized to build a multi-platform password manager. They are building ones that are constrained to their ecosystems, e.g. Macs and Chrome. However, while a lot of passwords live in Chrome, not all of them do, and it’s annoying to have multiple password managers (nor does it make sense for a user to have more than one; that defeats the purpose!).
It’s tough because it’s one of those products where people are willing to pay some cost but unwilling to pay a large one, or else they would move to a free alternative. As a result, there’s not a lot of pricing power, and as I discussed above, it’s not clear you can get more out of enterprises and consumers without expanding the product.
These companies might stick around. One of them might try to sell itself to a big tech company as a “brand name.” I avoid saying they will be bought for the technology because the technology doesn’t feel hard or especially defensible, i.e. it doesn’t deliver value in and of itself. It feels like it’s the users that matter. Another option is the private equity route, where they cut down on development and costs to become profitable and thereby become a private equity target. I find it hard to see these companies being acquired for a strategic reason, and I don’t know if they can expand into a security platform that can go public.
I do think password managers are useful and have definitely improved security for consumers and across the internet. It’s not clear to me how they become a large, growing security business.