{"id":87,"date":"2008-01-31T17:17:05","date_gmt":"2008-02-01T01:17:05","guid":{"rendered":"http:\/\/cubist.cs.washington.edu\/Security\/2008\/01\/31\/security-review-mandylion-password-manager\/"},"modified":"2008-01-31T19:03:24","modified_gmt":"2008-02-01T03:03:24","slug":"security-review-mandylion-password-manager","status":"publish","type":"post","link":"https:\/\/secblog.cs.washington.edu\/Security\/2008\/01\/31\/security-review-mandylion-password-manager\/","title":{"rendered":"Security Review: Mandylion Password Manager"},"content":{"rendered":"<p><font face=\"Calibri\"><strong>Summary<\/strong><\/font><\/p>\n<p><font face=\"Calibri\"><a href=\"http:\/\/www.mandylionlabs.com\/products.htm\"><img loading=\"lazy\" decoding=\"async\" border=\"0\" align=\"right\" width=\"100\" src=\"http:\/\/www.thinkgeek.com\/images\/products\/additional\/large\/policy_master-fob.jpg\" height=\"92\" \/><\/a>Password complexity and policy enforcement in today&#8217;s enterprise\u00a0has forced users to take insecure measures to ensure recollection of the many passwords they use.\u00a0 Users may put passwords in text files on their computer, re-use old passwords frequently, or write them down on Post-It notes.\u00a0 Mandylion has created a convenient portable device to help store important passwords while providing military-grade protection for them. 
<!--more--><\/font><\/p>\n<p><font face=\"Calibri\"><strong>Assets and Security Goals<\/strong><\/font><\/p>\n<ul>\n<li><font face=\"Calibri\">Store and protect passwords entered into the device.<\/font><\/li>\n<li><font face=\"Calibri\">Prevent unauthorized users from discovering and reading passwords.<\/font><\/li>\n<li><font face=\"Calibri\">Provide a portable, easy-to-use interface for password storage.<\/font>\u00a0<\/li>\n<li><font face=\"Calibri\">Provide generated passwords, password policy enforcement, and password change intervals to the user.<\/font><\/li>\n<\/ul>\n<p><font face=\"Calibri\"><strong>Potential Adversaries<\/strong><\/font><\/p>\n<ul>\n<li><font face=\"Calibri\">Any person who would want to discover passwords for malicious purposes.<\/font><\/li>\n<li><font face=\"Calibri\">Any person who may want to disrupt the user\u2019s ability to work by stealing or destroying the device.<\/font><\/li>\n<\/ul>\n<p><font face=\"Calibri\"><strong>Potential Weaknesses<\/strong><\/font><\/p>\n<ul>\n<li><font face=\"Calibri\">A four-key keypad is used to enter a five-keystroke password to activate the device.\u00a0 This allows for only 1024 combinations for access.<\/font><\/li>\n<li><font face=\"Calibri\">The size of the device could potentially make it easy to misplace or steal.<\/font><\/li>\n<li><font face=\"Calibri\">An adversary may see a password as it is displayed by shoulder-surfing.<\/font><\/li>\n<\/ul>\n<p><font face=\"Calibri\"><strong>Potential Defenses<\/strong><\/font><\/p>\n<ul>\n<li><font face=\"Calibri\">Unauthorized access control allows the device to permanently destroy all data when a preset number of unauthorized access attempts is made.<\/font><\/li>\n<li><font face=\"Calibri\">The device attaches to a key ring, which allows good physical protection due to continuous possession.<\/font><\/li>\n<li><font face=\"Calibri\">The device indicates failed activation attempts by displaying a message on the screen following successful activation if it has been 
tampered with.<\/font><\/li>\n<li><font face=\"Calibri\">The limited viewing angle of the LCD display may help prevent shoulder-surfing.<\/font><\/li>\n<\/ul>\n<p><font face=\"Calibri\"><strong>Risks<\/strong><\/font><\/p>\n<p><font face=\"Calibri\">The risk of losing logons and passwords to an adversary could be potentially devastating.\u00a0 This device has several nice features to protect the data within it should an adversary attempt unauthorized access.\u00a0 However, if the protection features are not enabled, an adversary could brute-force the device in a relatively short period of time and gain access to all the information within it.<\/font><\/p>\n<p><font face=\"Calibri\"><strong>Conclusion<\/strong><\/font><\/p>\n<p><font face=\"Calibri\">The Mandylion Password Manager is surely a convenient device for the storage of passwords.\u00a0 Password entry may be difficult due to the limited keypad and size of the device, but the manufacturer states it is simple.\u00a0 The protection built into the system was designed to meet military standards and, if used properly, could definitely provide more than adequate protection.\u00a0 When used in an enterprise environment, the configuration utilities can ensure password policy enforcement as well.<\/font><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Summary Password complexity and policy enforcement in today&#8217;s enterprise\u00a0has forced users to take insecure measures to ensure recollection of the many passwords they use.\u00a0 Users may put passwords in text files on their computer, re-use old passwords frequently, or write &hellip; <a href=\"https:\/\/secblog.cs.washington.edu\/Security\/2008\/01\/31\/security-review-mandylion-password-manager\/\">Continue reading <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":28,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-87","post","type-post","status-publish","format-standard","hentry","category-security-reviews"],"_links":{"self":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/87","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/users\/28"}],"replies":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/comments?post=87"}],"version-history":[{"count":0,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/87\/revisions"}],"wp:attachment":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/media?parent=87"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/categories?post=87"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/tags?post=87"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}