For many of us, losing a laptop PC is simply an inconvenience and perhaps a financial burden if the cost isn’t covered by an insurance company. For many others, however, losing a PC means losing sensitive data, and the last thing we need is for a third party to read that data. PassHolder Pro attempts to solve this issue.
The device is a USB token that looks rather like one of the solid-state disks you can buy. It ships with a USB cable, which is a neat touch – although you’d generally plug the token straight into the PC, the casings of many machines (our test PC included) are built such that the plastic case of the token won’t physically fit into the PC’s USB port.
The idea is simple: instead of logging in with a username and password, you use the token to log in. To access Windows, you have to both plug in the token and give the appropriate passcode (the latter is encoded in the token’s built-in memory – it defaults to ‘12345678’ but you can change it if you wish, and fairly obviously you should do so). In other words, to log into the machine you not only need to know a password, you need the token as well, and the token is something you can carry around on your keychain, separate from the computer.
The token itself is quite a clever little bit of kit. Rather than storing just a basic identity, it can store any number of user IDs, which means that if you have a number of systems and a number of identities (or, perhaps, a different password on each of a number of systems) you can store each identity in the same token. The setup of the device itself is done via a simple wizard, which asks you for your user/domain/password combination for each of the identities you wish to store. Then when you come to use the token, you just pick the identity you want to use – once you’ve identified yourself to the token, it passes your credentials to Windows and away you go.
Although you can set the system to allow both Windows and PassHolder logins, once you’ve set up the tokens you’d turn off the Windows login box. You’re given a new PassHolder login box, which invites you to insert your token; when you do, you’re prompted for the eight-digit PIN and then the system logs you in (if you’ve defined multiple identities, you’re given a list of them to choose from). We chose the “Lock computer” option as the action to take when the key was unplugged, and this is exactly what happens – pull the token out and you’re given a PassHolder-flavoured version of the box that you’d get by selecting “Lock Workstation” in Windows 2000/XP.
The token can also store digital certificates and encryption keys (the “Pro” version of the system can encrypt data on your hard disk as well as acting as an extra authentication barrier). Setting up certificates is very straightforward, and again is done via a short, simple wizard. To encrypt the data on your disk, you don’t actually encrypt the drive data itself; instead, you use the PassHolder setup utility to create a virtual disk, which is actually a file that resides on one of your local hard disks and which is mounted under Windows as a virtual drive (a bit like a network share). Anything written to this drive is encrypted using one of the keys stored in your PassHolder token, which means if someone nicks the PC, your data is encrypted.
In practice, we found that the system worked okay, but with a few ragged edges. Although sold under the PassHolder banner, the actual underlying kit comes from Eutron and the software installs into two program groups – one under this name and one under the PassHolder name (the installer also combines the PassHolder look-and-feel with the Eutron one, which would be puzzling to non-experts, and you get two entries in the Windows background service taskbar).
We’d like to see the software integrated properly, so it looks more professional (if you’re buying a security product, you need to have confidence in the company you’re buying it from, so the least they can do is write a proper installer). Also, despite working fine with one ID installed in the token, when we defined a second ID we started to get “WINLOGON has caused an exception” errors that prevented us from logging on at all on our Windows 2000 SP3 machine.
PassHolder Pro is an interesting idea but the product (mainly just the installer and the look-and-feel of the various components) needs to be tidied up if it’s going to be a credible security package that large companies will buy. For laptop users, there’s no point at all buying something like this unless you go for the Pro version that encrypts data on the disk. That’s because, regardless of whether you authenticate via Windows or a USB token, there are plenty of simple downloads on the Net that let you bypass NT security completely and read files off a stolen disk. But if you choose the disk-encrypting version, the idea actually works quite well.
Moving away from laptops for a moment, PassHolder does also have some interesting uses in the office. Many modern PCs have USB ports in the front panel, and the idea that you can increase network security by making users carry their token around the company with them (particularly if you have a lot of hot-deskers) and insert it in any company PC to log on is really rather an interesting one – particularly given that you can code not just the user’s Windows identity but also personal digital certificates into the token.
In short, then, PassHolder is a neat idea and does more than just basic identification. It’s carried off well except for a few teething troubles and a bit of an identity crisis.
Be careful when choosing ‘extra security’ devices, because sometimes (as we’ve explained here) the additional protection doesn’t prevent someone from pulling the disk out and sucking the data off it using another operating system or disk analysis tool.