Do-it-yourself password recovery
By Michelle Speir, Sep 17, 2001
If your agency's information technology staff is overworked—and whose isn't?—one way to provide some relief is to reduce the number of help requests from desktop users.
If you think that's easier said than done, take a look at PC Guardian's new Encryption Plus Secure Password Recovery. As the name suggests, the software enables users to recover forgotten passwords without calling the help desk. Because forgotten passwords make up a significant portion of help-desk calls, the program can save time and money by freeing up IT staff to attend to other tasks.
To prepare the program, users create up to three question-and-answer pairs. The questions should ask about personal information known only to the user, such as a grandmother's maiden name or a favorite novel. Later, if a user makes three unsuccessful log-in attempts, the program automatically prompts for the answers to these questions. Upon successful completion, the user is presented with his or her password and logged in.
At first glance this doesn't seem secure, but PC Guardian incorporates a high level of encryption into the program to protect the passwords. The software uses 233-bit elliptic curve cryptography (ECC), a public/private key technology. In addition, it uses Rijndael—selected last year by the National Institute of Standards and Technology as the U.S. government's Advanced Encryption Standard—with a 256-bit key to protect the ECC private key. If a password is changed, the new password is automatically encrypted and the program's files are updated.
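The recovery flow in the two paragraphs above (question-and-answer enrollment, then an ECC-escrowed password with the ECC private key wrapped under a 256-bit Rijndael key) can be sketched in code. The following is an added example written for this review, not PC Guardian's code, and it assumes a design rather than reproducing the product's: P-256 stands in for the 233-bit curve (Go's standard library has no 233-bit curve), PBKDF2-HMAC-SHA256 derives the wrapping key from the normalized answers, and AES-256-GCM is the Rijndael mode used. The `Escrow` record and the `Enroll`, `UpdatePassword` and `Recover` functions are assumed names, and the sample answers and password are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
)

// Escrow is the per-user record kept on the client; without the answers it yields neither the password nor the recovery private key.
type Escrow struct {
	Salt       []byte // salt for the answer-derived key encryption key (KEK)
	PubKey     []byte // recovery public key (P-256 stands in for the product's 233-bit curve)
	WrappedKey []byte // recovery private key, AES-256-GCM under the KEK
	EphPub     []byte // ephemeral public key paired with the current password ciphertext
	PwCT       []byte // current password, AES-256-GCM under the ECDH-derived key
}

const kdfIterations = 100_000 // constructed value; set per deployment

// must keeps the example short: internal failures (RNG, malformed key bytes) panic.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// normalize lowercases and trims each answer and joins them with a separator, so "Smith " matches "smith".
func normalize(answers []string) []byte {
	var b strings.Builder
	for _, a := range answers {
		b.WriteString(strings.ToLower(strings.TrimSpace(a)) + "\x00")
	}
	return []byte(b.String())
}

// pbkdf2 is PBKDF2-HMAC-SHA256 (RFC 8018) for one 32-byte block, i.e. one AES-256 key; iterations slow offline guessing.
func pbkdf2(password, salt []byte, iter int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // block index 1, big-endian
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		subtle.XORBytes(t, t, u)
	}
	return t
}

// seal returns nonce||ciphertext under AES-256-GCM; open reverses it and fails on a wrong key or tampering.
func seal(key, plaintext []byte) []byte {
	aead := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, aead.NonceSize())
	must(rand.Read(nonce))
	return aead.Seal(nonce, nonce, plaintext, nil)
}
func open(key, blob []byte) ([]byte, error) {
	aead := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if n := aead.NonceSize(); len(blob) >= n {
		return aead.Open(nil, blob[:n], blob[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}

// Enroll runs at user setup: wrap the recovery private key under the answer-derived key, then escrow the password to the public key.
func Enroll(answers []string, password string) *Escrow {
	priv := must(ecdh.P256().GenerateKey(rand.Reader))
	e := &Escrow{Salt: make([]byte, 16), PubKey: priv.PublicKey().Bytes()}
	must(rand.Read(e.Salt))
	e.WrappedKey = seal(pbkdf2(normalize(answers), e.Salt, kdfIterations), priv.Bytes())
	e.UpdatePassword(password)
	return e
}

// UpdatePassword re-escrows a changed password with only the public key: no answers and no private key are needed.
func (e *Escrow) UpdatePassword(password string) {
	eph := must(ecdh.P256().GenerateKey(rand.Reader))
	key := sha256.Sum256(must(eph.ECDH(must(ecdh.P256().NewPublicKey(e.PubKey))))) // KDF over the shared secret
	e.EphPub, e.PwCT = eph.PublicKey().Bytes(), seal(key[:], []byte(password))
}

// Recover runs after lockout: wrong answers fail the AEAD tag check on the wrapped key and yield only an error.
func (e *Escrow) Recover(answers []string) (string, error) {
	privBytes, err := open(pbkdf2(normalize(answers), e.Salt, kdfIterations), e.WrappedKey)
	if err != nil {
		return "", errors.New("answers do not match")
	}
	priv := must(ecdh.P256().NewPrivateKey(privBytes))
	key := sha256.Sum256(must(priv.ECDH(must(ecdh.P256().NewPublicKey(e.EphPub)))))
	pw, err := open(key[:], e.PwCT)
	return string(pw), err
}

func main() {
	e := Enroll([]string{"Smith", "Dune"}, "correct horse") // constructed sample data
	fmt.Println(e.Recover([]string{" smith", "DUNE"}))     // correct horse <nil>
	fmt.Println(e.Recover([]string{"Jones", "Dune"}))      // answers do not match
}
```

Two properties are worth noticing. `UpdatePassword` needs only the public key, which is why a public/private key system fits the job: a changed password is re-escrowed without asking the user anything, matching the automatic update the review describes. And the effective secret of the whole scheme is the set of answers, not the 233-bit or 256-bit key lengths: the iterated key derivation and the account lockout are what limit guessing, so the quality of the questions administrators allow matters more than the cipher choice.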
Although the software can be installed on and run from a client PC, most organizations will want to install it on a server and use a combination of network scripting and third-party deployment software to accomplish remote installs.
The program's wizards make it easy to set up Encryption Plus Secure Password Recovery. First, you install the administrator program, which takes just a few steps. Then the administrator configures the user program.
We were impressed with the program's many options. First, the administrator chooses the number of questions (up to three) a user must answer before the password is presented. For each question, there are three configuration options from which the administrator can choose.
The first option allows the user to select a question from a predefined list that the administrator has set up. The second option allows the user to create a question to answer, and the last option requires the user to answer a question chosen by the administrator.
Once the administrator has selected an option for each question, the program is deployed to the user's PC. The user must run through a quick setup process on the client PC before the program is ready to work.
When the user next logs in, the setup program automatically begins. Administrators can choose any of the three options for any of the questions. For example, all three setup questions could prompt the user to choose a question from the predefined list. The primary limitation is that the user cannot use the same question-and-answer pair more than once.
Once the user completes the user program setup, the unique question-and-answer pairs for that person are encrypted and saved. It's important to note that for the program to work, administrators must configure the user's account to lock that user out after a certain number of unsuccessful attempts to log in. Upon lockout, the program automatically runs.
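The administrator-side rules described above (up to three question slots, each configured as predefined list, user-written or administrator-chosen; no question-and-answer pair used twice; lockout after a set number of failed logins triggering recovery) amount to a small enrollment policy. The following is an added example written for this review, not PC Guardian's code; the `QuestionPolicy`, `Pair`, `ValidateEnrollment` and `Lockout` names, the three-failure threshold and the sample questions are all assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Mode is the per-slot choice the administrator makes: the three configuration options in the review.
type Mode int

const (
	FromList   Mode = iota // user picks a question from the administrator's predefined list
	UserWrites             // user writes their own question
	AdminFixed             // administrator dictates the question
)

// QuestionPolicy is one configured slot; Questions holds the list (FromList) or the single fixed question (AdminFixed).
type QuestionPolicy struct {
	Mode      Mode
	Questions []string
}

// Pair is one question-and-answer pair chosen by the user during client setup.
type Pair struct{ Question, Answer string }

// canon folds case and whitespace so "Favorite novel? " and "favorite novel?" compare equal.
func canon(s string) string { return strings.ToLower(strings.Join(strings.Fields(s), " ")) }

func inList(list []string, q string) bool {
	for _, c := range list {
		if canon(c) == q {
			return true
		}
	}
	return false
}

// ValidateEnrollment checks the user's pairs against the administrator's policy: one pair per
// configured slot, each slot's mode honoured, no empty answers, and no pair used more than once.
func ValidateEnrollment(policy []QuestionPolicy, pairs []Pair) error {
	if len(policy) == 0 || len(policy) > 3 {
		return errors.New("policy must configure one to three questions")
	}
	if len(pairs) != len(policy) {
		return fmt.Errorf("expected %d pairs, got %d", len(policy), len(pairs))
	}
	seen := map[[2]string]bool{}
	for i, p := range pairs {
		q, a := canon(p.Question), canon(p.Answer)
		if q == "" || a == "" {
			return fmt.Errorf("slot %d: question and answer must be non-empty", i+1)
		}
		switch slot := policy[i]; slot.Mode {
		case FromList:
			if !inList(slot.Questions, q) {
				return fmt.Errorf("slot %d: question is not in the predefined list", i+1)
			}
		case AdminFixed:
			if len(slot.Questions) != 1 || canon(slot.Questions[0]) != q {
				return fmt.Errorf("slot %d: question must be the administrator's", i+1)
			}
		case UserWrites: // any non-empty question is acceptable
		default:
			return fmt.Errorf("slot %d: unknown mode", i+1)
		}
		if key := ([2]string{q, a}); seen[key] {
			return fmt.Errorf("slot %d: question-and-answer pair already used", i+1)
		} else {
			seen[key] = true
		}
	}
	return nil
}

// Lockout models the account setting the review says is required: after MaxFailures
// consecutive bad logins the account locks and the recovery program should start.
type Lockout struct{ Failures, MaxFailures int }

// RecordLogin updates the counter and reports whether this attempt triggers lockout (and so recovery).
func (l *Lockout) RecordLogin(ok bool) bool {
	if ok {
		l.Failures = 0
		return false
	}
	l.Failures++
	return l.Failures >= l.MaxFailures
}

func main() {
	policy := []QuestionPolicy{ // constructed sample policy
		{Mode: FromList, Questions: []string{"Grandmother's maiden name?", "Favorite novel?"}},
		{Mode: UserWrites},
		{Mode: AdminFixed, Questions: []string{"First employer?"}},
	}
	pairs := []Pair{{"favorite novel?", "Dune"}, {"Dog's name?", "Rex"}, {"First employer?", "GSA"}}
	fmt.Println(ValidateEnrollment(policy, pairs)) // <nil>
	l := &Lockout{MaxFailures: 3}
	fmt.Println(l.RecordLogin(false), l.RecordLogin(false), l.RecordLogin(false)) // false false true
}
```

The duplicate check is keyed on the normalized question and answer together, which is the review's stated limitation, and a successful login resets the failure counter so that occasional typos do not accumulate toward a lockout.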
All aspects of setup and use of Encryption Plus Secure Password Recovery are wizard-driven, and instructions are presented clearly.
If your agency's help-desk staff spends too much time helping users recover forgotten passwords, this product should be next on your shopping list.