Associate Security Consultant at CyberSec Consulting
Reseller
Top 10
Oct 14, 2025
I have faced stability issues when upgrading BeyondTrust Password Safe solution. The upgrade process can be lengthy compared to other modules. For example, upgrading the appliance and reconfiguring HA is easier in PRA. However, in BeyondTrust Password Safe, the upgrade activity can take longer, and I have occasionally experienced being stuck during appliance version upgrades, sometimes duplicating the upgrade. Regarding additional features, we have good features in BeyondTrust Password Safe compared to other modules, such as Secret Safe to secure secrets and the check-in, check-out functionality. We already have the main features, but I think it would be helpful if BeyondTrust implemented a heartbeat check feature on the privileged account level. This feature would allow PAM to check the credentials of privileged accounts, indicating if they are correct or not, showing if the heartbeat has failed if they are wrong.
Lead Engg. Information Assurance at ACPL Systems Pvt Ltd
Real User
Top 5
Jun 25, 2025
We do not utilize the dynamic privilege elevation and delegation feature yet, because the customer is not planning to use this feature. They want to control the manner of user creation processes in their system with an approval flow, so they are not going to use dynamic user creation and deletion. Tracking those users apart from admin is very tough. The effectiveness of BeyondTrust Password Safe's session management capabilities for SSH and RDP is pretty much robust, but it needs more improvement for other applications and web-based applications. In terms of analytics, there needs to be more improvement, particularly from a connectivity point of view, so it's a bundle. SaaS-based applications and other things should be included, along with their password management options for web applications.
While generally a strong product, BeyondTrust Password Safe has a few areas that could use some polish. From an administrator's viewpoint, we sometimes see keystroke capturing fail. More significantly, RDP sessions occasionally disconnect without any error messages on the client side. This leaves us administrators in the dark, unable to identify the cause of the problem
Contractor at a financial services firm with 5,001-10,000 employees
Real User
Top 20
Apr 9, 2025
I believe one improvement could be having the last used passwords appear more automatically whenever I check for passwords associated with a frequently used system.
If they can create a single platform to create a connector, it would be better than using the RBS server. There are limitations when accessing or creating connectors for each application. From PVW, I can create any connector, which provides ease compared to Password Safe.
As of today, I haven't found any issues. Adding user behavior analysis to the server or messaging would be beneficial. This would help in identifying suspicious activities immediately when users log in.
PAM Architect at a comms service provider with 10,001+ employees
Real User
Top 10
Aug 21, 2024
The only improvement I could suggest would be standardizing documentation, but that's more the responsibility of the implementing engineer rather than BeyondTrust Password Trust itself. The documentation must be specific and narrow for implementation, not just broad guidelines.
Architect at a tech services company with 11-50 employees
Real User
Aug 8, 2023
Documentation is the primary area of improvement. Their documentation has improved over the last three to five years, but there's still room for improvement. A more intuitive search and not having disparate documentation categories would be helpful. While they are quick to market for improved features, there are still additional features that other vendors have that they don't have like a credential injection for the users' web browser extension.
There are multiple features that have issues, although they could be specific to our environment. What we have seen is that whenever a user gets added to the authentication store, the sync between Password Safe and the authentication store, which is generally easy, takes a lot of time. It does not occur immediately. This is persistent for Password Safe used by administrators who require immediate access. If immediate access is not possible, then access should be made possible at least within one hour or so. This does not happen in our environment. The access takes more than three to six hours to happen. Whenever a new end user is provisioned for access, it would take twelve hours to twenty-four hours. Since they are end users, the time taken is fine. However, when we consider administrators, they might need access at different times. The three-hour time frame for the administrators in our environment is a lot of time.
Senior Specialist at a financial services firm with 1,001-5,000 employees
Real User
Oct 24, 2022
I'm not too fond of the Smart Rules feature, mainly because too many features can cause complexity. There is a limited capacity on the appliance, which I wasn't informed about when I purchased the product. I can have a maximum of 150 rules per appliance; any more than that and rule processing becomes very complex, especially regarding password revision. Hitting a capacity limit you don't know about can be problematic. Ideally, we would not have a limited capacity, allowing us to be in a completely managed state with password rotation for every service account, not just the highly privileged ones. The solution does not indicate an issue, but when we hit the capacity limit, rules can become erratic, resulting in password resets during the middle of the day when they're in use. This can be an issue, especially as there is no performance counter so we can track how close we are to the limit, nor is there an indication of when we cross it. This is an element that could use a redesign. Another feature that could be improved is the password rotation schedule; as a financial organization, that's very important to us. We sometimes require the maintenance window to be on a Saturday instead of during the week. The solution gives the option for the fifth day of the month, the tenth day of the month, the first day of the week etc., but not more specific. I want to be able to set the rule that password changes only happen on a Saturday, for example, and I can't do that. To compensate, BeyondTrust tells us we can write scripts to set the password resets. This needs to be improved because it results in additional work for us, and they could fix the small scheduling gap in their product. The MSA element of the solution is fine; there are no significant issues implementing MSA with the interface. However, the interface can be somewhat complicated for admins, though not for end users. Precisely, when troubleshooting user issues, we encountered strange errors. We needed to go into the appliance log to understand what was happening, and the UI needed to be more intuitive to help us. We were late refreshing the UI, so it had pretty old components until about 2020, and we experienced browser issues. After 2020, the UI improved, but the look and feel of the application are still dated. I carried out POCs for CyberArk and SafeGuard, and both of their interfaces are much better than Password Safe's. I liken the solution to a Toyota; it's a good all-rounder, and it isn't bad though it has some issues. We had an issue with the Team Passwords feature: the privilege concept needed to be improved. There was no differentiation between contributors of privileged information and the consumers of it. Additionally, until very recently, there was no REST API integration with Team Passwords, so we couldn't publish secrets using REST API. This could have been better, as it meant we needed a different team for CI/CD and Team Passwords, resulting in some cases of duplication.
The database instance onboarding should be simplified. The problem is that you can scan the assets and databases inside a server, but you cannot onboard them or manage them with the smart tools. It has to be done manually. I think they should try to include more custom platforms. With the databases, there were some issues. The databases are inside the servers, and it was a bit difficult to scan the databases. Apart from that, the rest of the assets were easy to scan and integrate. It's difficult to onboard the database. You can scan and find them, but you have to onboard the databases manually. You cannot onboard databases using Smart Rules databases. Database instances are difficult to onboard and must be done manually. The applications should be more like in the SDK. They have good API support now.
If there was one thing, it would be having the documentation standardized. They should keep the documentation consistent. For example, when BeyondTrust updated one of their admin guides, they left out the information on the discovery account requirements, and then over a period of time, we ended up having to search multiple different documents to put together a string of information for a specific topic, which was problematic. It was minor, but it was problematic. Standardized documentation would be the one thing I would suggest.
PAM Consultant at a insurance company with 10,001+ employees
Consultant
Jul 28, 2022
I find it a little bit confusing because you have the management console, and then within the management console, you have access to different admin consoles. There are probably two or three different ones. I wish they would place all those different types of consoles into one main one so that we don't have to access two or three different consoles to do the work. When we deploy BeyondTrust, we have to deploy our own database on a SQL server. It doesn't deploy the database. I wish BeyondTrust packages the whole solution in one and includes the MySQL database so that when you deploy it, it deploys everything for you. BeyondTrust gives you the software, but you are in charge of setting up your own database. It is a single appliance just for the BeyondTrust portion but not the database. Unless that has changed in later releases, you have to set up your own database for BeyondTrust Password Safe. I find that part complex because we then need the expertise and help of the database team to set it up, which also increases the deployment time. If they can deploy the database, it will reduce the deployment time. Their documentation is not very detailed and thorough. In case of any issues, a lot of times, we have to go through their professional service. They need to update their documentation and create a good knowledge base for us so that when we run into problems, we can go there and search for common issues or problems.
Technical Lead at a financial services firm with 5,001-10,000 employees
Real User
Jul 25, 2022
The banners could be improved because they aren't informative. For example, if something is not correct and I open the error notification, the dialogue box simply says, "This is an error." It would be great if they could provide some valuable comments about how to fix the errors. If I try to remove something, the error box says it cannot be removed, which isn't helpful. I have to wait for the account to check in, and then it will be removed. The information description in the logs and the error reporting could be improved. For someone who's inexperienced, it's hard to understand.
Cybersecurity Architect at a tech vendor with 1-10 employees
Real User
Dec 24, 2021
I think that BeyondTrust Password Safe could be improved with more testing. In the beginning, they were practically using customers as beta testers. Maybe the product has evolved since I last used it, but if you look at PAM, privileged access management, whatever's out there has already been done. I don't see there being any other enhancements that are being made regarding PAM, except to support more cloud-based applications.
I.S. Architect at a insurance company with 10,001+ employees
Real User
Dec 23, 2020
Its documentation can be improved. Its documentation is currently complicated, and it is not good. It needs to be better. Their technical support can also be improved. It is not bad, but it can be better.
There's always room for improvement. But as of right now, I believe BeyondTrust is one of the best kept secrets. The only negative thing I can say is that BeyondTrust was recently bought by Bomgar and the marriage of the multiple companies coming together in the merger has caused a little bit of a hiccup right now in their software versions. For example, the online training courses are two revisions older than the currently released software and some of the guides don't match what you see on the screen. So it's a growing pain. Because they were purchased by Bomgar the people who used to make decisions in BeyondTrust are not necessarily the ones making them now or they've got other people to report to and get approval. Right now they're in a little bit of flux online with their BeyondTrust University.
Beyond Trust Password Safe is an automated solution that combines password and privileged session management into a single platform. Password Safe delivers secure access control, auditing, alerting, recording, and monitoring.
This free and open-source password manager supports Windows and Linux, and some ports are available for other platforms as well. Their proprietary algorithm, Twofish, is considered highly secure, with the advantage that it is not affiliated with NIST. The Twofish...
I have faced stability issues when upgrading BeyondTrust Password Safe solution. The upgrade process can be lengthy compared to other modules. For example, upgrading the appliance and reconfiguring HA is easier in PRA. However, in BeyondTrust Password Safe, the upgrade activity can take longer, and I have occasionally experienced being stuck during appliance version upgrades, sometimes duplicating the upgrade. Regarding additional features, we have good features in BeyondTrust Password Safe compared to other modules, such as Secret Safe to secure secrets and the check-in, check-out functionality. We already have the main features, but I think it would be helpful if BeyondTrust implemented a heartbeat check feature on the privileged account level. This feature would allow PAM to check the credentials of privileged accounts, indicating if they are correct or not, showing if the heartbeat has failed if they are wrong.
We do not utilize the dynamic privilege elevation and delegation feature yet, because the customer is not planning to use this feature. They want to control the manner of user creation processes in their system with an approval flow, so they are not going to use dynamic user creation and deletion. Tracking those users apart from admin is very tough. The effectiveness of BeyondTrust Password Safe's session management capabilities for SSH and RDP is pretty much robust, but it needs more improvement for other applications and web-based applications. In terms of analytics, there needs to be more improvement, particularly from a connectivity point of view, so it's a bundle. SaaS-based applications and other things should be included, along with their password management options for web applications.
While generally a strong product, BeyondTrust Password Safe has a few areas that could use some polish. From an administrator's viewpoint, we sometimes see keystroke capturing fail. More significantly, RDP sessions occasionally disconnect without any error messages on the client side. This leaves us administrators in the dark, unable to identify the cause of the problem
I believe one improvement could be having the last used passwords appear more automatically whenever I check for passwords associated with a frequently used system.
If they can create a single platform to create a connector, it would be better than using the RBS server. There are limitations when accessing or creating connectors for each application. From PVW, I can create any connector, which provides ease compared to Password Safe.
As of today, I haven't found any issues. Adding user behavior analysis to the server or messaging would be beneficial. This would help in identifying suspicious activities immediately when users log in.
The only improvement I could suggest would be standardizing documentation, but that's more the responsibility of the implementing engineer rather than BeyondTrust Password Trust itself. The documentation must be specific and narrow for implementation, not just broad guidelines.
The pricing is not cheap, but it could be better.
The integration with Secure Remote Access must be improved. It is in the process of being discontinued.
The product needs to have better integration with SAP products.
Documentation is the primary area of improvement. Their documentation has improved over the last three to five years, but there's still room for improvement. A more intuitive search and not having disparate documentation categories would be helpful. While they are quick to market for improved features, there are still additional features that other vendors have that they don't have like a credential injection for the users' web browser extension.
We face screensaver timeout issues and problems with the server. I would like the product to include a server visibility feature.
We'd like to have incremental backups to ensure the solution's information is protected regularly.
There are multiple features that have issues, although they could be specific to our environment. What we have seen is that whenever a user gets added to the authentication store, the sync between Password Safe and the authentication store, which is generally easy, takes a lot of time. It does not occur immediately. This is persistent for Password Safe used by administrators who require immediate access. If immediate access is not possible, then access should be made possible at least within one hour or so. This does not happen in our environment. The access takes more than three to six hours to happen. Whenever a new end user is provisioned for access, it would take twelve hours to twenty-four hours. Since they are end users, the time taken is fine. However, when we consider administrators, they might need access at different times. The three-hour time frame for the administrators in our environment is a lot of time.
I'm not too fond of the Smart Rules feature, mainly because too many features can cause complexity. There is a limited capacity on the appliance, which I wasn't informed about when I purchased the product. I can have a maximum of 150 rules per appliance; any more than that and rule processing becomes very complex, especially regarding password revision. Hitting a capacity limit you don't know about can be problematic. Ideally, we would not have a limited capacity, allowing us to be in a completely managed state with password rotation for every service account, not just the highly privileged ones. The solution does not indicate an issue, but when we hit the capacity limit, rules can become erratic, resulting in password resets during the middle of the day when they're in use. This can be an issue, especially as there is no performance counter so we can track how close we are to the limit, nor is there an indication of when we cross it. This is an element that could use a redesign. Another feature that could be improved is the password rotation schedule; as a financial organization, that's very important to us. We sometimes require the maintenance window to be on a Saturday instead of during the week. The solution gives the option for the fifth day of the month, the tenth day of the month, the first day of the week etc., but not more specific. I want to be able to set the rule that password changes only happen on a Saturday, for example, and I can't do that. To compensate, BeyondTrust tells us we can write scripts to set the password resets. This needs to be improved because it results in additional work for us, and they could fix the small scheduling gap in their product. The MSA element of the solution is fine; there are no significant issues implementing MSA with the interface. However, the interface can be somewhat complicated for admins, though not for end users. Precisely, when troubleshooting user issues, we encountered strange errors. We needed to go into the appliance log to understand what was happening, and the UI needed to be more intuitive to help us. We were late refreshing the UI, so it had pretty old components until about 2020, and we experienced browser issues. After 2020, the UI improved, but the look and feel of the application are still dated. I carried out POCs for CyberArk and SafeGuard, and both of their interfaces are much better than Password Safe's. I liken the solution to a Toyota; it's a good all-rounder, and it isn't bad though it has some issues. We had an issue with the Team Passwords feature: the privilege concept needed to be improved. There was no differentiation between contributors of privileged information and the consumers of it. Additionally, until very recently, there was no REST API integration with Team Passwords, so we couldn't publish secrets using REST API. This could have been better, as it meant we needed a different team for CI/CD and Team Passwords, resulting in some cases of duplication.
The database instance onboarding should be simplified. The problem is that you can scan the assets and databases inside a server, but you cannot onboard them or manage them with the smart tools. It has to be done manually. I think they should try to include more custom platforms. With the databases, there were some issues. The databases are inside the servers, and it was a bit difficult to scan the databases. Apart from that, the rest of the assets were easy to scan and integrate. It's difficult to onboard the database. You can scan and find them, but you have to onboard the databases manually. You cannot onboard databases using Smart Rules databases. Database instances are difficult to onboard and must be done manually. The applications should be more like in the SDK. They have good API support now.
If there was one thing, it would be having the documentation standardized. They should keep the documentation consistent. For example, when BeyondTrust updated one of their admin guides, they left out the information on the discovery account requirements, and then over a period of time, we ended up having to search multiple different documents to put together a string of information for a specific topic, which was problematic. It was minor, but it was problematic. Standardized documentation would be the one thing I would suggest.
I find it a little bit confusing because you have the management console, and then within the management console, you have access to different admin consoles. There are probably two or three different ones. I wish they would place all those different types of consoles into one main one so that we don't have to access two or three different consoles to do the work. When we deploy BeyondTrust, we have to deploy our own database on a SQL server. It doesn't deploy the database. I wish BeyondTrust packages the whole solution in one and includes the MySQL database so that when you deploy it, it deploys everything for you. BeyondTrust gives you the software, but you are in charge of setting up your own database. It is a single appliance just for the BeyondTrust portion but not the database. Unless that has changed in later releases, you have to set up your own database for BeyondTrust Password Safe. I find that part complex because we then need the expertise and help of the database team to set it up, which also increases the deployment time. If they can deploy the database, it will reduce the deployment time. Their documentation is not very detailed and thorough. In case of any issues, a lot of times, we have to go through their professional service. They need to update their documentation and create a good knowledge base for us so that when we run into problems, we can go there and search for common issues or problems.
The banners could be improved because they aren't informative. For example, if something is not correct and I open the error notification, the dialogue box simply says, "This is an error." It would be great if they could provide some valuable comments about how to fix the errors. If I try to remove something, the error box says it cannot be removed, which isn't helpful. I have to wait for the account to check in, and then it will be removed. The information description in the logs and the error reporting could be improved. For someone who's inexperienced, it's hard to understand.
I think that BeyondTrust Password Safe could be improved with more testing. In the beginning, they were practically using customers as beta testers. Maybe the product has evolved since I last used it, but if you look at PAM, privileged access management, whatever's out there has already been done. I don't see there being any other enhancements that are being made regarding PAM, except to support more cloud-based applications.
Its documentation can be improved. Its documentation is currently complicated, and it is not good. It needs to be better. Their technical support can also be improved. It is not bad, but it can be better.
There's always room for improvement. But as of right now, I believe BeyondTrust is one of the best kept secrets. The only negative thing I can say is that BeyondTrust was recently bought by Bomgar and the marriage of the multiple companies coming together in the merger has caused a little bit of a hiccup right now in their software versions. For example, the online training courses are two revisions older than the currently released software and some of the guides don't match what you see on the screen. So it's a growing pain. Because they were purchased by Bomgar the people who used to make decisions in BeyondTrust are not necessarily the ones making them now or they've got other people to report to and get approval. Right now they're in a little bit of flux online with their BeyondTrust University.
I would love if they integrated Bomgar's SSO with BeyondTrust for the session recording that we use for vendors.