As administrators and dispensers of technical support help, we often face one particular challenge that makes us want to pull our hair out: convincing our users of the importance of good password security. It is a challenge we’ve all faced at one point or another.
Users tend to fall into one of two bad extremes. The first is using known information as a password, such as their SSN, birthdate, username, spouse/partner’s name, child’s name, etc. Or worse, they’ll use dictionary words such as “password” (the most common dictionary word) or no password at all (blank).
On the other side are the users that single-handedly keep 3M and other “sticky” manufacturers happy. Their monitors are gardens of colorful stickies that hold everything from reminders of anniversaries, projects, and shopping lists to account information, passwords, and PINs — all in plain sight!
Some figure they will be creative and hide their passwords under their keyboards, behind their computers, or in their top desk drawers. This is particularly true when administrators provide users with longer, more complex passwords. Users have notoriously short memories and seem to have difficulty remembering a password even if they use the same one for months. So how do administrators go about resolving the password challenge?
Compelson Laboratories has come up with a pretty nifty tool called Password Officer 5.0 Deluxe that is designed to remember passwords for users and store them in an encrypted file. The program is intelligent enough to know which applications and/or Web sites are associated with which usernames and passwords. It can also optionally be used with a smart card environment.
Password Officer 5.0 Deluxe is for Windows-based systems (Windows 95, 98, ME, NT, XP) and interacts with Internet Explorer as its browser of choice (more on this later in the article). It has two “installs”: one is the standard double-click and install into the system, while the other is to use the product directly from disk (useful for users who don’t have administrative rights on their NT/XP boxes — which was my situation).
I decided to experiment with it on a few Web sites and a few applications. Once I set up the sites and applications, I selected the option for them to reside in the systray. This meant I could now just go to the icon and select which site I wanted, and, voilà, I was in!
Password Officer 5.0 Deluxe launches Internet Explorer, loads the page, enters the username and password, and even automatically clicks on the “Press Enter to continue” box. When using it with an application, it isn’t too difficult to configure but can sometimes require a few minutes of getting the exact sequence of keystrokes, text, enter commands, tabs, etc. I was able to get my Password Officer to launch my SSH GUI client without trouble — a rather nifty use of the application, as some of the accounts I use with the SSH client have very difficult passwords to remember.
Now you may think that anyone could launch your copy of Password Officer, right click on the icon in the systray, and easily connect to your password-protected Web sites and/or applications. Compelson obviously thought of this and put a master password on the encrypted file it uses to store the passwords. This means that if you try to load the password file, you’ll need to first enter the master password.
You can also opt to keep the encrypted file locally or on removable media (a USB pen drive might be a good choice). The file itself is relatively small (two Web sites and one application, with keystroke combinations and such, created a file of 482 bytes). Even the application itself is small at less than 2MB (including all DLLs needed).
Password Officer can even create passwords for you (say you are signing up for a new online account at a Web site), with the length and character mix you want (you can specify which special characters are valid), using one of three algorithms of your choice: Twofish, FIPS 181 DES, or FIPS 181 AES.
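To make the length and character-mix options concrete, here is an added example (not Password Officer's code) of a generator that takes a length and a caller-supplied set of valid special characters. It assumes Python's `secrets` module (the operating system's CSPRNG) in place of the Twofish and FIPS 181 generators the product offers, and the function names are hypothetical.

```python
import math
import secrets
import string

def build_classes(specials="!@#$%^&*", lower=True, upper=True, digits=True):
    """Return the list of character classes the password must draw from."""
    # Specials must not contain letters, digits or whitespace.
    if any(c.isalnum() or c.isspace() for c in specials):
        raise ValueError("specials must not contain letters, digits or spaces")
    classes = []
    if lower:
        classes.append(string.ascii_lowercase)
    if upper:
        classes.append(string.ascii_uppercase)
    if digits:
        classes.append(string.digits)
    if specials:
        classes.append("".join(dict.fromkeys(specials)))  # drop duplicates
    if not classes:
        raise ValueError("no character classes selected")
    return classes

def generate_password(length=16, **class_options):
    """Generate a password containing at least one character per class."""
    classes = build_classes(**class_options)
    if length < len(classes):
        raise ValueError("length is too short to cover every class")
    alphabet = "".join(classes)
    while True:
        # Rejection sampling: draw uniformly, retry until every class appears,
        # so no position is biased toward a particular class.
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate

def max_entropy_bits(length, alphabet_size):
    """Upper bound on entropy: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)

if __name__ == "__main__":
    # Constructed sample policy: 20 characters, four permitted specials.
    pw = generate_password(20, specials="!#%+")
    print(pw, round(max_entropy_bits(20, 26 + 26 + 10 + 4), 1), "bits max")
```

The entropy figure is an upper bound, because requiring every class to appear excludes a small fraction of the possible strings.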
There are two drawbacks I’ve found with Password Officer. The first is its dependency on Internet Explorer for the Web portion of password recall. I’m not fond of Explorer due to the many problems that seem to crop up with it and the many vulnerabilities that have appeared of late. Try as I might, I couldn’t get Password Officer to work with Netscape.
The second issue is that it doesn’t pick up on application requests for changing the password (at least it didn’t detect when the Linux box I was connecting to required a password change). Because it doesn’t capture the password change, you have to manually go into Password Officer and change it for that specific application.
Keep in mind that while Password Officer does all the username and password entry for you, it doesn’t take care of encryption over the wire. The security of the Web sites users visit and/or the insecurity of clear-text transmittal is still something that needs to be taken into consideration by the ever-vigilant network admin.
That all said, this application could prove beneficial for the administrator that attempts to get users to use their passwords safely. In fact, the administrator could set up all applications to be launched by Password Officer, put in the appropriate information, and off they go. At the very least, it may cause a few “sticky” gardens to fade away.