
Software Review: Password Officer 5.0 Deluxe
October 13, 2003
By Lyne Bourque

As administrators and dispensers of technical support, we often face one particular challenge that makes us pull our hair out: convincing users of the importance of good password security. It is a challenge we've all faced at one point or another.

Users end up at one of two bad extremes. The first is using readily guessable personal information as a password: a Social Security number, birthdate, username, spouse/partner's name, children's names, and so on. Or worse, they'll use a dictionary word such as "password" (the most commonly used dictionary word of all) or no password at all (blank).

On the other side of this are the users who single-handedly keep 3M and the other "sticky" manufacturers happy. Their monitors are gardens of colourful stickies that hold everything from reminders of anniversaries, projects and shopping lists to account information, passwords and PINs, all in plain sight!

Some figure they will be creative and hide their passwords under the keyboard, on the back of the computer or in the top desk drawer. This is particularly true when administrators give users longer, more complex passwords to use. Users have notoriously short memories, even for a password they have used for months. So how do administrators go about resolving this?

Compelson Laboratories have come up with a pretty nifty tool in this battle: Password Officer 5.0 Deluxe. This product remembers the passwords for users and stores them in an encrypted file. It's intelligent enough to know which applications and/or websites are associated with which username and password. It can also be used with a smart card environment if you want.

This product is for Windows-based systems (Windows 95, 98, ME, NT, XP) and interacts with Internet Explorer as its browser of choice (more on that later in this article). It has two "installs": one is the standard double-click-and-install into the system; the other is to run the product directly, with no installation (useful for users who don't have administrative rights on their NT/XP boxes, which was my situation).

I decided to experiment with it on a few websites and a few applications. Once I set up the sites and applications, I selected the option for them to reside in the systray. This meant I could now just go to the icon and select which site I wanted, and voilà! You're in!

It launches Internet Explorer, loads the page, and enters the username and password. It even "pressed Enter to continue". Using it with an application wasn't too difficult, but it might require a few minutes of working out the right sequence of keystrokes, text, Enters, Tabs, etc. I got Password Officer to launch my SSH GUI client. Quite nifty, as some of the accounts I use have very difficult passwords to remember.

Now you may think that anyone could then launch Password Officer, right-click on the icon in the systray and connect to your websites and/or applications. Compelson obviously thought of this and put a master password on the encrypted file that is used, in turn, to store the passwords. This means that if you try to load the password file, you'll need to enter that password first. It also means the whole store is only as strong as that one password, so the user now has exactly one password to choose well and remember, instead of dozens.

You can also opt to keep that file locally or on removable media (a USB pen drive would be a good one). The file itself is relatively small: two websites and one application with their keystroke combinations produced a file of 482 bytes. Even the application is small, at less than 2MB including all the DLLs it needs.

Password Officer can even generate passwords for you (say you are signing up for a new online account at a website), with the length and character mix you want (you can specify which special characters are valid) and a choice of generation algorithm: Twofish, FIPS 181 DES or FIPS 181 AES. (FIPS 181 is NIST's Automated Password Generator standard, which produces pronounceable passwords.)
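Password generation of the kind just described, as an added example: this is not Compelson's code and does not reproduce Password Officer's Twofish or FIPS 181 routines; it shows the general technique using Python's `secrets` module, which draws from the operating system's CSPRNG. The configurable knobs (length, the set of special characters a site accepts, which character classes are required) mirror the options the review mentions; the default special-character set and the class names are assumptions made for the example.

```python
# Added example, not Compelson's code: a password generator with a chosen
# length, a chosen special-character set and required character classes.
# Uses Python's `secrets` module (os.urandom underneath); it does not reproduce
# Password Officer's Twofish or FIPS 181 generators. The default special set
# and the class names below are assumptions made for this example.
import math
import secrets
import string

DEFAULT_SPECIALS = "!@#$%^&*"          # assumed default; sites differ on what they accept
DEFAULT_REQUIRE = ("lower", "upper", "digit", "special")


def character_classes(specials=DEFAULT_SPECIALS):
    """Map class name -> pool of characters; 'special' exists only if specials is non-empty."""
    classes = {
        "lower": string.ascii_lowercase,
        "upper": string.ascii_uppercase,
        "digit": string.digits,
    }
    if specials:
        classes["special"] = specials
    return classes


def allowed_alphabet(specials=DEFAULT_SPECIALS):
    """Every character the generator may emit, de-duplicated."""
    return "".join(sorted(set("".join(character_classes(specials).values()))))


def generate_password(length, specials=DEFAULT_SPECIALS, require=DEFAULT_REQUIRE):
    """Return `length` characters drawn from the allowed alphabet with a CSPRNG,
    guaranteeing at least one character from each class named in `require`.
    Classes that are not available (e.g. 'special' when specials is empty) are skipped."""
    classes = character_classes(specials)
    pools = [classes[name] for name in require if name in classes]
    if length < len(pools):
        raise ValueError(f"length {length} cannot cover {len(pools)} required classes")
    alphabet = allowed_alphabet(specials)
    # secrets.choice is unbiased (no modulo skew) and reads from os.urandom.
    chars = [secrets.choice(pool) for pool in pools]                # one per required class
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Shuffle with the CSPRNG too, so the guaranteed characters do not sit at
    # predictable positions (which would hand an attacker a structural hint).
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def covers_required(password, specials=DEFAULT_SPECIALS, require=DEFAULT_REQUIRE):
    """True if the password has at least one character from every available required class."""
    classes = character_classes(specials)
    return all(any(c in classes[name] for c in password) for name in require if name in classes)


def entropy_bits(length, specials=DEFAULT_SPECIALS):
    """Strength estimate for a uniform draw: length * log2(alphabet size).
    The class guarantee removes a little of this, so treat it as an upper bound."""
    return length * math.log2(len(allowed_alphabet(specials)))


if __name__ == "__main__":
    for n in (8, 12, 16):
        pw = generate_password(n)
        print(f"{n:2d} chars, up to {entropy_bits(n):.0f} bits: {pw}")
    # A site that accepts no special characters at all:
    print("letters+digits only:", generate_password(12, specials=""))
```

The point of the shuffle is easy to miss: if the "one from each class" characters were simply placed first, every generated password would start with lowercase, uppercase, digit, special in that order, and an attacker who knows the generator could discount that structure. Sixteen characters from this 70-character alphabet give a little under 98 bits as an upper bound, which is far more than the sticky-note passwords the review complains about.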

There are two drawbacks I found with Password Officer. The first was the dependency on Internet Explorer for the Web portion of password recall. I'm not fond of Explorer due to the many problems that seem to crop up with it and the many vulnerabilities that have appeared of late. Try as I might, I couldn't get it to work with Netscape. Perhaps in the next version this could be addressed.

The second issue is that it doesn't pick up on application requests to change the password (at least it didn't detect when the Linux box I was connecting to required a password change). Because it doesn't capture the change, you have to go into Password Officer manually and update the entry for that specific application; until you do, it will keep sending the old password.

Keep in mind that while Password Officer does all this for you, it only protects the credentials in its encrypted file and at the keyboard; it cannot take care of encryption over the wire. Whether a website, or an application's protocol, sends the login in clear text is still something that would have to be taken into consideration.

That all said, this application could prove beneficial for the administrator who is trying to get users to handle their passwords safely. In fact, the administrator could set up all applications to be launched by Password Officer, put in the appropriate information, and off they go. It may cause a few sticky gardens to fade away.

Copyright 2004 Jupitermedia Corporation All Rights Reserved.