Password management software sounds like more trouble than it’s worth for a small network, but here’s a software product that deserves to become an essential tool for a whole variety of expert and professional users. In fact Password Protector 2006 2.1, looked at here, would suit many types of user, and could even find a home in larger companies where a more complex password management system hasn’t had to be mandated for reasons of security compliance.

But what is it that makes passwords hard work in the first place? The same few issues crop up again and again.

- Any admin or expert user will accumulate a large number of them, not only for websites but for internal network devices and systems.

- They end up being hard to remember, doubly so because you also have usernames and sometimes encryption keys to make a mental note of.

- Even people who should know better tend to use insecure passwords (i.e. short and lacking randomness), because they are easier to remember. Then they use the same insecure passwords again and again.

- Passwords rarely get changed often enough, no matter what sysadmins claim in surveys.

This is a shopping list for disaster on a number of levels, but can a software tool really get round the problem without itself compromising security or becoming a never-fulfilled chore?

Password Protector 2006 is designed to let the user create a database for every type of password imaginable, creating a single store for everything. The obvious examples are websites and devices such as routers or other systems, but it goes way beyond that. Specific files can be password protected, as can a range of programs, including email accounts of course.

The database itself is encrypted (256-bit AES) and protected with its own passphrase (see below). Setting up the software involves entering the password and username for every account or device being accessed, a one-time chore with a big pay-off. From that point on, not only will the user not have to remember any of this information, he or she will be able to fire up Password Protector in the background and – bingo! – access each service or device directly from the software itself using a drag-and-drop routine.

Best of all, the only password you’ll ever have to actively remember is the one for accessing the Password Protector program itself. Forget this and you’re stuffed. But at least you’ll have discovered it’s time to go and work in Starbucks and stop pretending to be a network sysadmin, a reasonable compensation.

The entry for each password/user name can even be used to store static encryption keys in the notes field, though these are in cleartext; passwords can either be stored in asterisk format or, less securely, in cleartext. Data can be stored in a single database or using separate databases for different users.

The software includes a basic password generator to create passwords (it assesses a user’s passwords as well), and will remind the user to change the password at pre-defined intervals, both significant security features. Similarly, the database is automatically backed up to a chosen location each time it is saved, in case the primary file becomes corrupt. The data can also be exported to a .csv, text, html or xml file or imported from the same.

External password generators can also be specified, including one produced by Kristanix Software itself. For most uses, the internal one will be more than enough, as it allows passwords of any character length to be created using any combination of randomly-generated strings of upper and lower case characters, symbols, and numerals.
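To make the generator and assessment features concrete, here is an added example (not Password Protector's code, whose internals the review does not describe) of a generator that draws from the four character classes named above using the operating system's CSPRNG, plus a rough strength check. The function names, the entropy formula and the 70-bit threshold are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Character classes named in the review: upper, lower, numerals, symbols.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digits": string.digits,
    "symbols": string.punctuation,
}


def generate_password(length, classes=("upper", "lower", "digits", "symbols")):
    """Return a random password with at least one character from each class."""
    pools = [CLASSES[name] for name in classes]
    if not pools or length < len(pools):
        raise ValueError("length must cover every selected character class")
    rng = secrets.SystemRandom()  # OS CSPRNG, not the predictable `random` module
    # One guaranteed character per class, the rest from the combined alphabet.
    chars = [rng.choice(pool) for pool in pools]
    alphabet = "".join(pools)
    chars += [rng.choice(alphabet) for _ in range(length - len(pools))]
    rng.shuffle(chars)  # hide which positions held the guaranteed characters
    return "".join(chars)


def estimate_bits(password):
    """Upper-bound estimate: length * log2(size of the classes seen).

    Only meaningful for randomly generated passwords; a human-chosen
    password of the same shape carries far less entropy.
    """
    pool = sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


def assess(password, min_bits=70):
    """Label a password 'ok' or 'weak' against an assumed threshold."""
    return "ok" if estimate_bits(password) >= min_bits else "weak"
```

A 20-character password from all four classes scores about 131 bits here, while an eight-letter lower-case one scores under 38 and is flagged as weak.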

Want to use the same database on more than one PC? Install the program on separate computers and then either port the database file or just carry it around on a USB flash drive. Or perhaps put the file on a network drive. Just make sure you don’t get mixed up with versioning.

Things we’d have liked. Securing the primary database file is essential and so the fussy might want a choice of encryption schemes to do this. Although the database design is comprehensive, it would have been useful to include a specific field to store static encryption keys or passphrases used to generate them so that they are not in plaintext.

We noted two minor glitches that were being fixed at the time of going to press. Creating an entry for an internal IP address (192.168.x.x say) would unaccountably cause the software to chop off the last two address fields causing it to fail when accessed (this is now fixed - ed). Attempting to install the database to a removable device would also cause the program to crash if there was no external device to save to.

Things we liked that we didn’t expect. The obvious flaw with any software for storing sensitive data is that the database itself is vulnerable while it is open on the desktop. However, Password Protector has a built-in mechanism that minimises this possibility whereby the database locks itself after a specified number of minutes of inactivity. Once the database has been populated, this needs to be turned on by default.

Another weird one: this is also a file encryption product of sorts. Files can actually be attached so that they encrypt along with the database. The main thing to watch for is that these files aren’t too numerous or large.

Password Protector is a delightful piece of software that can be used to take the stress out of passwords once and for all. Publishing using shareware licensing used to have the overtones of cheap and cheerful, but nowadays some of the best applications come out of small development houses. Password Protector is one of them.

OUR VERDICT

There are, broadly speaking, two types of password management system: those for server-based systems that control and manage administrator-level passwords in a way that complies with best practice, and workstation-level systems for simply keeping track of long lists of passwords and usernames. The latter category tends to be ignored, because few realise just how passwords have multiplied like bunnies in recent times.