Password recall

analysis
Feb 14, 2003 · 3 mins

It may seem intimidating, but it really is possible to remember all those secure passwords

Password management is a headache. That much was made clear by all the e-mail I’ve received in response to my column a couple of weeks ago about stupid user tricks.

Virtually everyone agreed with my assessment of the problem, but they all agreed that I didn’t mention a real solution. The reason I didn’t is that getting users to handle their passwords appropriately is a serious problem, and solutions are rare.

But that doesn’t mean they don’t exist. In fact, one such solution is not only easily available but also fairly inexpensive. It’s a personal password manager from Mandylion Labs in Oakton, Va. (www.mandylionlabs.com) that provides secure, portable storage of passwords and generates secure passwords. This device is about the size and shape of the key fobs for cars’ keyless entry systems — it includes several buttons and an LCD screen.

I borrowed one of the devices from Mandylion Labs and tried it out. It’s handy and easy to use, and it remembers a lot of passwords. Called the “ebpLite” on Mandylion’s Web site, the device is designed to allow access by pressing the buttons in a sequence you choose. It can be set so that an incorrect sequence will lock it down until an administrator can open it. In fact, you can protect your passwords even further by setting the ebpLite so that even one incorrect sequence will wipe the memory completely.

To retrieve a password, you press the buttons in your chosen sequence, and when the screen appears, scroll down to the password you need and enter it into whatever you’re using. That’s all there is to it.

You can enter the passwords and PIN numbers you already have into the ebpLite’s memory fairly easily, and when the device generates a password for you, it will remember that, too. You can have the device generate passwords of any length, following whatever pattern you like. For example, if you require that passwords have at least one upper-case letter, one number, and one special character, you can set up your password generation to follow those rules.
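The kind of rule-driven generation described above can be sketched in software. This is an added example, not Mandylion's firmware or anything taken from the ebpLite; the function names and the special-character set are assumptions, since the column does not list one.

```python
import math
import secrets
import string

# Character classes for the rule; the special-character set is an assumption.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "special": "!@#$%^&*-_=+?",
}

def satisfies(password, required):
    """True if the password has at least required[name] characters of each class."""
    return all(
        sum(ch in CLASSES[name] for ch in password) >= count
        for name, count in required.items()
    )

def generate(length, required):
    """Draw uniformly from the full alphabet and retry until the rule is met.

    Rejection sampling keeps every compliant password equally likely, unlike
    'pick one from each class, then fill', which skews the distribution.
    """
    if length < sum(required.values()):
        raise ValueError("length is too short to satisfy the rule")
    alphabet = "".join(CLASSES.values())
    while True:
        # secrets uses the operating system's CSPRNG, not the seeded 'random' module.
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if satisfies(candidate, required):
            return candidate

def entropy_bits(length):
    """Upper bound on entropy in bits, before the rule excludes any candidates."""
    return length * math.log2(sum(len(chars) for chars in CLASSES.values()))

# The rule from the column: one upper-case letter, one number, one special character.
COLUMN_RULE = {"upper": 1, "digit": 1, "special": 1}

if __name__ == "__main__":
    print(generate(12, COLUMN_RULE), f"(at most {entropy_bits(12):.1f} bits)")
```

Composition rules only remove candidates from the search space, so length contributes far more to guessing resistance than the required classes do.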

The nice thing about this type of device is that you can create passwords that are nearly impossible to guess. Even better, it makes recommended periodic password changes much less onerous for the users — they can generate a password anytime and don’t necessarily have to think of one that they must remember by themselves. It also means that the IT staff doesn’t have to get as involved in password issues, and that alone would probably cover the modest price of these password devices (the price ranges from about $35 in enterprise quantities to about $60 retail). You can find them at places ranging from Black Box to the International Spy Museum in Washington, D.C.

The bottom line, however, is that the means to manage all those passwords does exist. Of course, there are other technologies aside from ebpLite that also do this, including SecurID and some types of smart cards. But Mandylion’s password manager is one of the best solutions I’ve seen, and one of the easiest to implement and use. Even better, it’s inexpensive and reasonably convenient. All you have to do is require secure passwords, and your employees can do the rest.