If your organization does not have an adequate password policy in place, you should make it a priority to write one and get it implemented. Once you have a policy in place, a product from Mandylion Research Labs can help make it stronger and easier for users to adhere to.

I recently spent an afternoon with the president of Mandylion Research Labs, Joe Grajewski, and I learned a great deal about passwords, password policies, and security in general. It was an eye-opening conversation. I’m going to discuss the challenges of password security and show you how Mandylion’s password manager can help improve the situation.

Policy challenges
A lot of password policies are well written but may have unintended consequences. For example, the requirements might be too complex or the passwords might require changing too often, resulting in users writing down their passwords where they shouldn’t. If you have well-behaved users who don’t write down their passwords but you have a complex password policy, you may also have a high number of password-related calls to the help desk from users who have forgotten their passwords.

Neither situation is good. When users write down passwords, you have a security problem on your hands. Having an inordinate number of password-related calls to the help desk is both inefficient and costly.

Account lockout isn’t enough
Locking out accounts when a certain number of bad passwords have been entered is a good idea to deter the casual attacker. However, a determined attacker typically isn’t going to use the operating system’s login routine to attempt access to a system. Instead, the hacker will capture the password’s hash as it travels over the network and crack it offline, hashing candidate passwords until one matches, where account lockout never comes into play. At the end of the process, the hacker has the password and can simply log in.

Mandylion’s solution
To mitigate these password security problems, Mandylion Labs offers an affordable product called the ebp lite Personal Password Manager. It’s a surprisingly simple piece of technology—on the surface, at least—that can help bolster the security of your passwords.

The ebp lite is a small unit (Figure A) that attaches to a keychain and both generates and stores up to 20 complex passwords according to your password requirements.

Figure A
The ebp lite Personal Password Manager

Unlike other products from companies such as RSA, the ebp lite does nothing more than generate and retrieve passwords in a device that is physically separate from the network and its authentication mechanisms. In other words, the ebp lite is a completely self-contained unit with no ports and no access to the internal processor. In fact, opening up the unit reveals a special epoxy over its processor and all of its leads to prevent a determined hacker from soldering connections to gain access to the data (if the hacker is able to get physical access to the unit).

Using the ebp lite
Once you get accustomed to it, the ebp lite isn’t hard to use. On first use, you are asked to enter a code to access the unit. Mandylion refers to this as the personal finger authentication pattern. This authentication code is a five-keystroke pattern performed on the unit using the four arrow keys followed by the middle button (the enter key) when done.

The ebp lite is intended to be kept in the possession of the user, and the authentication is in place to prevent unauthorized access to the passwords stored on the unit. If the unit is lost, the user should notify a central administrator so that accounts with related passwords on the ebp lite can have the password changed or be disabled in the unlikely event that someone is able to access the stored passwords on the unit.

Once the authentication sequence has been verified, the ebp lite is ready for use, and new passwords can be added, stored passwords viewed, and options changed.

An example
I decided to test the password-creation capabilities on my ebp lite unit to see whether it was a truly unique password and difficult to guess. Using the menus, I told the unit that I wanted an eight-character password made up of any of the 94 printable ASCII characters, and the unit supplied me with ita’M|*Q as a password. The ebp lite can also be configured to generate a more structured password. For example, an uppercase letter in character positions 1, 3, and 7, a number in character positions 2 and 8, and symbols in character positions 4, 5, and 6.

Mandylion provides a spreadsheet on its Web site that estimates how long a password might be able to survive based on certain criteria in the event of a hacker getting the hash. For example, if you have a weak password policy that dictates eight characters, all of which must be uppercase, this provides your users with a potential total of 208,827,064,576 passwords—which would take one of today’s PCs with a utility such as l0phtcrack just over six hours to crack.

If you instead used the ebp lite to generate an eight-character password using any of the 94 printable ASCII characters, there are 6,095,689,385,410,820 potential combinations, which would take more than 7,300 days to crack using a single PC and more than 175 hours using a distributed network of 1,000 PCs. Most hackers aren’t going to have that kind of power at their disposal, and they won’t be that patient.
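To make the structured templates from the example above and the keyspace arithmetic in the two preceding paragraphs concrete, here is an added Python example; it is not Mandylion’s code or the spreadsheet from their Web site. The character classes, the template letters (U, L, D, S, A), and the guess rate (derived from the article’s “26^8 candidates in about six hours on one PC” figure rather than measured with l0phtcrack) are assumptions. The script draws one character per position with a CSPRNG and computes the keyspace and worst-case exhaustion time for the three cases discussed: all uppercase, any of 94 printable characters, and the positional template. Note that 94^8 is exactly 6,095,689,385,410,816; the spreadsheet figure quoted above differs in its last digits because of floating-point rounding.

```python
import math
import secrets
import string

# Character classes available to a template. These definitions are an
# assumption for this example, not Mandylion's class list; "A" is the
# 94 printable ASCII characters (space excluded) the article refers to.
CLASSES = {
    "U": string.ascii_uppercase,   # 26 uppercase letters
    "L": string.ascii_lowercase,   # 26 lowercase letters
    "D": string.digits,            # 10 digits
    "S": string.punctuation,       # 32 printable symbols
    "A": string.ascii_letters + string.digits + string.punctuation,  # 94 chars
}

# Guess rate implied by the article's figure: 26**8 candidates in about six
# hours on one PC. Derived from the article, not a measured cracking rate.
GUESSES_PER_SECOND = 26 ** 8 / (6 * 3600)


def generate(template):
    """Draw one character per template position with a CSPRNG (secrets).

    template is a string of class letters, e.g. "UDUSSSUD" for the article's
    'uppercase in 1, 3, 7; digit in 2, 8; symbol in 4, 5, 6' layout.
    """
    return "".join(secrets.choice(CLASSES[cls]) for cls in template)


def matches(template, password):
    """True if password has the template's length and each character fits its class."""
    return len(password) == len(template) and all(
        ch in CLASSES[cls] for cls, ch in zip(template, password)
    )


def keyspace(template):
    """Number of distinct passwords the template can produce."""
    return math.prod(len(CLASSES[cls]) for cls in template)


def crack_time_seconds(template, guesses_per_second=GUESSES_PER_SECOND, machines=1):
    """Worst-case time to exhaust the template's keyspace at a given guess rate."""
    return keyspace(template) / (guesses_per_second * machines)


def report(template):
    """Summarise a template: keyspace, single-PC days, and 1,000-PC hours."""
    secs = crack_time_seconds(template)
    return {
        "keyspace": keyspace(template),
        "single_pc_days": secs / 86400,
        "thousand_pc_hours": crack_time_seconds(template, machines=1000) / 3600,
    }


if __name__ == "__main__":
    for tpl in ("UUUUUUUU", "AAAAAAAA", "UDUSSSUD"):
        r = report(tpl)
        print(f"{tpl}: sample={generate(tpl)} keyspace={r['keyspace']:,} "
              f"1 PC: {r['single_pc_days']:,.1f} days; "
              f"1,000 PCs: {r['thousand_pc_hours']:,.1f} h")
```

One caveat the arithmetic exposes: the positional template from the example (uppercase in positions 1, 3 and 7, digits in 2 and 8, symbols in 4, 5 and 6) has a keyspace of 26^3 × 10^2 × 32^3, about 5.8 × 10^10. That is roughly 100,000 times smaller than letting every position draw from all 94 characters, and smaller even than the all-uppercase policy the article calls weak. Positional structure makes a generated password easier to fit to a policy, but every position you constrain costs entropy, so prefer the unconstrained 94-character mode wherever the target system accepts it.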

Cost considerations
A single ebp lite is $69.95 from the Mandylion Web site, but the price drops to $44.95 in quantities of 300 and $37.80 for quantities of 300 for government organizations using the GSA schedules. When you consider how much password change requests due to forgotten passwords cost the help desk (Gartner estimates that 20 to 50 percent of help desk calls involve password resets), the ebp lite becomes a very good value. In addition, it can help users maintain secure, difficult-to-crack passwords that adhere to the organization’s password policy, which improves overall network security.

The future for Mandylion
One new product on the immediate horizon for Mandylion Research is the ebp lite Autoload Version. This unit differs from the unit we’re discussing here in one key way: It includes a small port for a cable that is attached to a PC to allow an administrator to preload a unit for a user. This involves one-way communication only—from the PC to the unit. Nothing can come from the unit to the PC. This preserves the integrity of the data inside the unit.

Mandylion is also working to release a version of the unit that will use biometric data to further secure network communications. I will provide more details on that once it is closer to fruition.

A password policy is a great first step toward securing an environment. Providing users with tools to help them adhere to your policy can be an important second step, especially in environments where security is critical. The ebp lite offers a simple way to help users generate and remember secure passwords. And the best part: No infrastructure changes are required.

To start, this could be a great tool to give to administrators as well as users who deal with highly sensitive data (e.g., accounting and HR employees), since those are the people whose passwords are most likely to be targeted by hackers and who represent the greatest risk to the organization if they have their passwords cracked.