Computer professionals now have to remember passwords for routers, servers, VPNs, ISPs, Web pages, and even their own ATM PIN. (Heck, my wife and I even have one for our kid’s Upromise account!) And to further protect the security of these systems, you are being required to choose more complex passwords that include numbers, mixed-case letters, and even special characters. Is it any wonder that software developers have created password storage programs for Palm PDAs? The difficult question for you and your users is, “Do these programs enhance security or lower it—or have no effect on it at all?”
People react in various ways when given a password to remember. Some people immediately write down the password on a sticky note and plaster it to their monitor. Others will select a generic password and use it for every system they access. Some will store their passwords on a piece of paper in their files or as a generic Memo item in their PDA. All of these methods compromise security in dramatic ways. If you or your users are faced with issues like this, using a PDA to manage passwords might be a big step forward.
Although most people are aware of the built-in password lock on their PDAs, few actually use it. Having to remember and enter yet another password seems like too much of a burden. Furthermore, the built-in lock is easily bypassed: a number of utilities are available online to do just that, and the lock controls access to the device rather than encrypting the records themselves. Using it is better than nothing, but freeware, shareware, and commercial software products can add a deeper level of security.
The most basic password storage products let you set a master password that unlocks your list of stored passwords. This extra layer makes it harder for an unauthorized person to get at all of the passwords, but it still suffers from the "master key" syndrome: once the master password has been guessed, stolen, or broken, every other password is freely available. This is the central trade-off in using a password storage program. In a perfect world, where users choose a unique password for each system, a security failure compromises one password and one system; a compromised master password can affect every system the user touches. Still, as most of you already know, the realities of password security are far different. In most cases users have chosen the same password for many systems, so those systems already share a single point of failure, and a vault at least makes it practical to replace that reused password with unique ones.
Many password storage products come with PC companion software that allows you to manage your passwords on both your PDA and your PC. In most cases, users will be more comfortable entering data on the PC, rather than typing it into the Palm itself. Some of these companion products simply open the password data files created in your Palm Backup folder, while others are complete conduits that update the password entries during each Hotsync operation.
The most important aspect of using a PDA and password storage product is the physical security of the data. An attacker who has the device, or a copy of its data, can guess at the master password offline for as long as they like, with no lockout, so a weak master password will fall quickly and even a strong one may not hold forever. Therefore, you will need to impress on your users the importance of not misplacing their PDAs or putting them in situations where they might be easily stolen. Should a PDA be stolen, treat the situation much as you would a lost or stolen credit card: change the passwords immediately on every system that might be affected, starting with the most sensitive.
The physical security of PCs should also be reviewed, since every file on the PDA is copied to the PC during each Hotsync to create a backup, which leaves a copy of the password database in the Palm user's Backup folder. When testing any password storage program, inspect these backup files to confirm that they are encrypted and unreadable by all but the most extensive efforts: open the file in a hex editor and search for a user name or password you know is stored in it, and treat any hit as a plaintext leak.
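The backup-file check described above, as an added example (this is not code from any product named on this page): it scans a backup blob for the verbatim user names and passwords the vault is supposed to protect, and reports byte entropy as a secondary signal. The vault entries, the two sample backup files and the toy cipher used to produce the "encrypted" one are all constructed here; the cipher merely stands in for whatever a real product uses so the checker has something to scan.

```python
"""Audit a password-manager backup file for plaintext leaks (added example)."""
import hashlib
import math
from collections import Counter

# Constructed sample vault entries: (service, username, password).
ENTRIES = [
    ("router", "admin", "Tr0ub4dor&3"),
    ("vpn", "jdoe", "Xk9#pL2mQv!"),
]


def serialize(entries):
    """Flatten entries the way a naive product might: one tab-separated line each."""
    return "\n".join("\t".join(e) for e in entries).encode()


def keystream_encrypt(plaintext: bytes, master: str) -> bytes:
    """Toy stream cipher: SHA-256 in counter mode keyed by the master password.

    Assumption for the example only; it stands in for the product's real cipher.
    Do not reuse it: no salt, no key-stretching KDF, no MAC. XOR makes it its own
    inverse, so calling it again with the same master decrypts."""
    key = hashlib.sha256(master.encode()).digest()
    out = bytearray()
    for offset in range(0, len(plaintext), 32):
        block = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        chunk = plaintext[offset:offset + 32]
        out.extend(b ^ k for b, k in zip(chunk, block))
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Only meaningful for files of a few KB or more: English text
    sits around 4-5, well-encrypted (or merely compressed) data approaches 8."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def leaked_secrets(backup: bytes, entries) -> list:
    """User names and passwords that appear verbatim in the backup bytes."""
    return [field for e in entries for field in e[1:] if field.encode() in backup]


def audit_backup(backup: bytes, entries) -> dict:
    """The substring search is the decisive test: high entropy alone can also
    mean the product compressed, rather than encrypted, the data."""
    leaks = leaked_secrets(backup, entries)
    return {
        "plaintext_leak": bool(leaks),
        "leaked": leaks,
        "entropy_bits_per_byte": round(shannon_entropy(backup), 2),
    }


# Constructed backup files: one stored as-is, one under the toy cipher.
PLAIN_BACKUP = serialize(ENTRIES)
ENCRYPTED_BACKUP = keystream_encrypt(PLAIN_BACKUP, "correct horse battery")

if __name__ == "__main__":
    for name, blob in (("plain", PLAIN_BACKUP), ("encrypted", ENCRYPTED_BACKUP)):
        print(name, audit_backup(blob, ENTRIES))
```

On a real product you would point `audit_backup` at the .pdb file in the Backup folder after a Hotsync, using one or two entries you deliberately created for the test. A clean result is necessary but not sufficient: a product could still store the data under a trivially derived key, which is why the master password strength discussed above remains the weak link.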
Despite your best efforts, your users, and even your high-tech coworkers, might be choosing passwords that are insecure. It is a simple fact of human nature that once a person has too many passwords to easily remember, they will start to write them down or choose passwords that are easier to remember.
If you want your systems to be protected by the best passwords possible, you may need to consider using one of the programs listed below in order to allow people to reference their passwords at any time. This will allow you to assign more difficult passwords, while still allowing your users to access the systems they need. You may find that even with the limitations of these programs, your overall system security will be enhanced.
Trio Vault from Trio Security is a high-end commercial product that uses three-factor authentication (password, physical possession of the appropriate device, and biometric input via signature) to ensure the identity and access of the user. A 500-seat license will cost you $62,000, but this price includes a Palm PDA for each user.
SafeInHand from HandAble.com is a straightforward password manager that can generate random passwords, and at $8.95 per seat it is the lowest priced product listed here. This is probably the Palm program that I will start using to manage my password collection. I especially like the random password feature, shown in Figure A. This feature allows you to generate passwords on the fly using various criteria, so you can use a different password for every service, like Web page logins, and still have each one at hand when you need it.
CryptInfo from NormSoft is a nice password manager that includes a conduit for Hotsyncing to Windows PCs, so you can enter passwords on either the PDA or the PC. This product's nicest feature is the ability to create and store a variety of custom information, as shown in Figure B. You can choose from a variety of built-in fields like URL, phone number, and expiration date, or you can create your own according to your needs. CryptInfo uses 168-bit 3DES encryption (three independent DES keys; the effective strength against a meet-in-the-middle attack is closer to 112 bits, which is still more than adequate here, since the master password rather than the cipher is the weak link) and will set you back $14.99 per license.
All Access from Stylustap is a relatively simple password manager. The user interface is a bit cryptic, but it does what it promises. The program stores user names and associated passwords (as shown in Figure C), allows custom categories, and includes a conduit for Hotsyncing to a Windows PC, which allows data entry on either the Palm or the PC. All Access also uses 168-bit 3DES encryption and costs $9.95 per license.
KeyCode Plus from BMS Web Development stores user IDs, passwords, server addresses, and basic notes about each account, as shown in Figure D. It uses a master password to unlock the categorized login information and costs $9.95 per license.
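Random password generation against a complexity policy of the kind SafeInHand's feature offers, and of the kind the opening paragraph says users are now required to meet, as an added example (this is not SafeInHand's code or that of any other product listed). The policy itself, the character classes, the excluded look-alike characters and the default length of 16 are assumptions chosen for illustration; it draws from the operating system's CSPRNG via `secrets`, not from `random`.

```python
"""Generate and check passwords against a class-based policy (added example)."""
import math
import secrets
import string

# Assumed policy: at least one character from every class, and characters that
# are easy to misread or mistype on a small screen are excluded.
CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    "!@#$%^&*()-_=+[]{};:,.?",
)
AMBIGUOUS = set("0O1lI|")


def class_pools(classes=CLASSES, exclude=AMBIGUOUS):
    """Each class with the excluded characters removed."""
    pools = ["".join(c for c in cls if c not in exclude) for cls in classes]
    if any(not p for p in pools):
        raise ValueError("a class became empty after exclusions")
    return pools


def generate_password(length=16, classes=CLASSES, exclude=AMBIGUOUS) -> str:
    """Random password of the given length that satisfies the class policy."""
    pools = class_pools(classes, exclude)
    if length < len(pools):
        raise ValueError(f"length {length} cannot cover {len(pools)} classes")
    # One guaranteed character per class, the rest drawn from the union of all classes.
    chars = [secrets.choice(pool) for pool in pools]
    union = "".join(pools)
    chars += [secrets.choice(union) for _ in range(length - len(pools))]
    # Fisher-Yates shuffle with the CSPRNG, so the guaranteed characters do not
    # sit at fixed positions (random.shuffle would use the non-cryptographic PRNG).
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def satisfies_policy(password, min_length=16, classes=CLASSES, exclude=AMBIGUOUS) -> bool:
    """Check any candidate, generated or user-chosen, against the same policy."""
    return (
        len(password) >= min_length
        and not any(c in exclude for c in password)
        and all(any(c in cls for c in password) for cls in classes)
    )


def guessing_entropy_bits(length=16, classes=CLASSES, exclude=AMBIGUOUS) -> float:
    """Upper bound on entropy: length * log2(alphabet size). Forcing one character
    per class shaves a little off this; for 16 or more characters the bound is close."""
    alphabet = sum(len(p) for p in class_pools(classes, exclude))
    return length * math.log2(alphabet)


if __name__ == "__main__":
    for service in ("router", "vpn", "webmail"):
        pw = generate_password()
        print(f"{service:8} {pw}  policy_ok={satisfies_policy(pw)}")
    print(f"about {guessing_entropy_bits():.0f} bits per password")
```

With the assumed alphabet of 80 characters a 16-character password carries roughly 101 bits of guessing entropy, which is far more than any master password a user will type on a PDA; that asymmetry is the point of the master-key trade-off discussed earlier, and it is why the generated passwords should never be reused across services.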