Enabling Compliance with Password Policies
Mandylion Research Labs
 
Self Launching Application
The Policy Master Utility Software is a self-launching and self-configuring application consisting of the following files on the disk:

Policy Master Application (Setup.exe)
Policy Master Manual
Token Manual
Quickstart Guide

The Mandylion tokens work with any application or operating system that uses a durable password as its means of authenticating the user and granting access privileges. The Mandylion solution was specifically designed to work with, and compensate for, the vulnerabilities inherent in the MS LANMANv2 hash and its backward compatibility with previous versions of LANMAN. LANMAN is the central utility used in all Microsoft OS products to authenticate users and secure their passcodes. The Configuration Management Utility software runs on any Wintel platform, including Microsoft Win32 (Windows 98, ME, NT 4.0, 2000, XP).

Template Based
The Policy Master Configuration Software is a template-based application. It provides a great deal of “cut and paste” flexibility in creating login records for a single token or for multiple tokens covering whole classes of users. The basic Policy Master Template screen is shown below; this is the default file that appears when the application is launched. The template is divided into three logical areas: the user information input area; the selection of default parameters for the device, including locks, alarms and default password generation; and the Login Record area.

Extensive Administrative Controls
The software suite provides the enterprise with a great degree of control and authority over each token licensed to it. A Policy Master “Public” Utility is supplied as part of the suite; it can be freely distributed within the organization because of its limited configuration capabilities.

Where the enterprise wants to partition control among token administrators, the Policy Master software can associate specific tokens with an individual administrator or a group of administrators, so that only they control those tokens.

Through an intuitive and secure Windows-based interface and a common USB port, each token can be customized and pre-configured on behalf of the user or class of users. For convenience, the software is template based. All of the user’s logins, user IDs and specific password requirements are entered onto the template, then saved and downloaded into the device assigned to that user. With this template approach, it is easy to configure a single unit or 5 thousand.

It’s as simple as a copy, paste and "print" exercise from one unit to the next. When provisioned with a token, all the user has to do is create their own fingerpattern for access and they are done! Unused login records can be set by the administrator to allow for the user’s personal use.

For security purposes, only the publicly available Login Policy (i.e. length, composition and renewal period) is downloaded to the token. For administrative ease, in those situations where the administrator is responsible for the control of the login for certain individuals or groups of individuals, the actual password (temporary or permanent until changed) for a particular login record can be generated and displayed in the configuration utility prior to its download.

Tokens can be incrementally updated by login record for password composition. This allows for multiple tokens to share identical login records.

Alternatively, a user can configure their own token from their own PC or a shared “kiosk” type station without the assistance of an administrator.

Due to a unique lockout control, login records set by the enterprise cannot be reconfigured or erased by the user. Conversely, login records set by the user cannot be reconfigured, erased or even accessed by the enterprise.

Describing Your Password Policy
The Mandylion autoload token/password management utility supports Lotus Domino applications, including iNotes, Lotus IM and Web Conferencing, and Team WorkPlace. The Mandylion solution works with any application or operating system that uses a durable password as its means of authenticating the user and granting access privileges. Via the Configuration Management Software Module, user passwords can be specified by length, composition and renewal interval. Composition can be specified down to each keyspace (position) within the passcode to be generated. Each position can be drawn randomly from the entire printable ASCII character set (base 94) or throttled to any one, or a combination, of the following subsets of the printable ASCII character set:

Upper Case Letters (base 26)
Lower Case Letters (base 26)
Upper and Lower Case Letters (base 52)
Numbers (base 10)
Special Characters (base 31)
Any but Special Characters (base 63)
National Character Set (base 3) (a mainframe legacy convention)
Upper Case and Numbers (base 36)

The Mandylion solution has no client-side software. All logins are made by the user via their native applications and OSs.

The following options can be enabled or disabled by the Administrator in the creation of a password’s composition, by login record:

  1. Minimum length and maximum length
  2. Password must be totally random, i.e. it cannot contain the username or a word
  3. A minimum representation of each ASCII character subset can be specified
  4. Password must contain a configurable number of characters
  5. Password must contain a special character (from a customizable list)
  6. Password must contain at least one lowercase character
  7. Password must contain at least one uppercase character
  8. Password cannot be set to a previously used password
  9. Password cannot contain any variation of the user’s name
  10. Password cannot be a dictionary word

Through a combination of its configuration software utilities, the host OS and application authentication subsystems, and the end-user token, password quality is assured. All of the above composition parameters can be enabled or disabled by the administrator using the Mandylion Configuration software utility.

Setting Password Length, Composition and Renewal
Setting an individual login record’s password length, construction and renewal interval policy is accomplished via simple Preference Boxes accessible for each login record on the template. There are 4 ways to specify a password’s schema: Default (against a predefined schema set for the token), Structured, Randomized and Manual.

Selecting the Structured Option in the Preference Box sets the device to generate a purely random password of a specific length for a specific login record. With this option, the device’s random number generator can be further throttled to generate only specific subsets of the ASCII character set in each position within a particular password. This feature allows the creation of passwords that fit the schema requirements of applications or hosts which might require, for instance, only an alphanumeric character in the first position of the password.

Setting Minimum Count of Special Characters, Letters, Numbers in Password
Selecting the Randomize Option displays a Preference Box that sets the token to generate a purely random password of a random length within a specified minimum and maximum length range for the login record selected. This option also allows the administrator to set the minimum and maximum count of characters within the password from specific subsets of the ASCII character set.

Unlike the Structured Option above, this option calls on the powerful random number generators to select the position within the password of where these specific character sets will fall.
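The Structured and Randomized options above are two different ways of constraining a random password generator: per-position character sets in the first case, minimum and maximum counts per subset with random placement in the second. The Python below is an added example, not the token firmware or the Mandylion utility: it implements both schemes with the operating system’s CSPRNG (the secrets module), computes the keyspace in bits of a structured schema from the per-position bases the page lists, and checks a generated password against the randomized-option bounds. The subset names, the string.punctuation stand-in for the special-character set (base 32 here, base 31 on the page) and the 62-character “any but special” set are assumptions of this example.

```python
import math
import secrets
import string

# Character subsets (constructed stand-ins for the product's configurable sets).
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SPECIAL = string.punctuation          # base 32 here; the page counts 31
NATIONAL = "@#$"                      # mainframe "national" characters, base 3
ALPHANUM = UPPER + LOWER + DIGITS     # "any but special", base 62 here
PRINTABLE = ALPHANUM + SPECIAL        # printable ASCII without space, base 94
SUBSETS = {"upper": UPPER, "lower": LOWER, "digit": DIGITS, "special": SPECIAL}

_rng = secrets.SystemRandom()         # CSPRNG-backed shuffle


def structured_password(positions):
    """Structured option: one allowed character set per position."""
    return "".join(secrets.choice(charset) for charset in positions)


def keyspace_bits(positions):
    """Entropy of a structured schema in bits: the sum of log2(base) per position."""
    return sum(math.log2(len(charset)) for charset in positions)


def randomized_password(min_len, max_len, min_counts, max_counts=None):
    """Randomized option: a random length in [min_len, max_len], at least
    min_counts[subset] and at most max_counts[subset] characters from each
    named subset, with the positions the subsets land in chosen at random."""
    max_counts = max_counts or {}
    length = min_len + secrets.randbelow(max_len - min_len + 1)
    if sum(min_counts.values()) > length:
        raise ValueError("minimum counts exceed the chosen length")
    chars, counts = [], {name: 0 for name in SUBSETS}
    # Satisfy every minimum first.
    for name, need in min_counts.items():
        for _ in range(need):
            chars.append(secrets.choice(SUBSETS[name]))
            counts[name] += 1
    # Fill the remainder from whichever subsets still have capacity.
    while len(chars) < length:
        pool = "".join(cs for name, cs in SUBSETS.items()
                       if counts[name] < max_counts.get(name, length))
        if not pool:
            raise ValueError("maximum counts leave no character set to draw from")
        c = secrets.choice(pool)
        chars.append(c)
        counts[next(name for name, cs in SUBSETS.items() if c in cs)] += 1
    _rng.shuffle(chars)               # randomize where each subset's characters fall
    return "".join(chars)


def within_bounds(pw, min_len, max_len, min_counts, max_counts=None):
    """Check a password against a randomized-option policy."""
    max_counts = max_counts or {}
    if not min_len <= len(pw) <= max_len:
        return False
    for name, charset in SUBSETS.items():
        n = sum(c in charset for c in pw)
        if n < min_counts.get(name, 0) or n > max_counts.get(name, len(pw)):
            return False
    return True


if __name__ == "__main__":
    # Host wants an alphanumeric in position 1, anything printable after that.
    schema = [ALPHANUM] + [PRINTABLE] * 7
    print(structured_password(schema), round(keyspace_bits(schema), 1), "bits")
    print(randomized_password(10, 14, {"upper": 2, "digit": 2, "special": 1}, {"special": 2}))
```

The keyspace figure makes the cost of throttling visible: an 8-position schema restricted to digits only is 8 × log2(10) ≈ 26.6 bits, while the same length over the full printable set is 8 × log2(94) ≈ 52.4 bits, so a per-position restriction imposed to satisfy a host should be kept to the positions that host actually constrains.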

Of course, a manual password may also be entered into any record, either as its password of record or as an initial bootstrap (one-time) password.

Individual passwords can be set to be generated by the device or securely loaded via the cradle from the individual template by login record. This latter feature allows for the input of host generated passwords or group passwords and their coordination among users.

The Mandylion Configuration Management utility software sets the parameters for both the “bootstrap” or Expire on First Login password as well as the ongoing password policy for each login record. The administrator or user has the option of setting the Expire On First Login password to expire upon first use and automatically generate a new password for the user that complies with ongoing policy. Alternatively, the Expire On First Login password can be delayed to first policy change date or held static, as in the case of group or manual password login records.

Password expiration intervals can be set and controlled by login record. Intervals included in the standard configuration are:

Upon First Use
30 Days
45 Days
60 Days
90 Days
180 Days
One Year
Two Years
Never

The Mandylion autoload token/password management utility allows a “grace period” for password change, to accommodate synchronization with other logins and applications and to let the user temporarily delay a password update to a more convenient time. Various lockouts and alarms prevent this grace period from being abused.
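The three pieces of expiry behaviour described above, the Expire On First Login bootstrap password (expire on first use, delay to the first policy change date, or hold static), the renewal intervals, and a grace period that lockouts keep from being abused, form a small state machine per login record. The Python below is an added example that models it; it is not the Mandylion utility’s logic, and the state names, the LoginRecord fields, the deferral counter used as the lockout, and the dates in the worked scenario are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Renewal intervals from the standard configuration, in days
# (None = never expires; 0 = "Upon First Use", the bootstrap case).
INTERVALS = {
    "Upon First Use": 0, "30 Days": 30, "45 Days": 45, "60 Days": 60, "90 Days": 90,
    "180 Days": 180, "One Year": 365, "Two Years": 730, "Never": None,
}


@dataclass
class LoginRecord:
    interval: str                        # key into INTERVALS for the ongoing policy
    set_on: date                         # when the current password took effect
    bootstrap: bool = False              # still on the Expire-On-First-Login password?
    bootstrap_mode: str = "first_use"    # first_use | first_policy_date | static
    first_used: Optional[date] = None
    grace_days: int = 0                  # grace period after expiry
    max_deferrals: int = 0               # how often the user may postpone the change
    deferrals: int = 0                   # the lockout counter


def expiry_date(rec: LoginRecord) -> Optional[date]:
    """Date on which the record's password expires, or None for no expiry."""
    if rec.bootstrap:
        if rec.bootstrap_mode == "static":
            return None                  # group / manual passwords are held static
        if rec.bootstrap_mode == "first_use":
            return rec.first_used        # None until the user logs in once
        # first_policy_date: the bootstrap lives until the ongoing policy rotates it
    days = INTERVALS[rec.interval]
    return None if days is None else rec.set_on + timedelta(days=days)


def password_state(rec: LoginRecord, today: date) -> str:
    """'valid', 'grace' (expired, but the change may still be deferred) or
    'must_change' (grace period over or the deferral allowance used up)."""
    exp = expiry_date(rec)
    if exp is None or today < exp:
        return "valid"
    in_window = today <= exp + timedelta(days=rec.grace_days)
    if in_window and rec.deferrals < rec.max_deferrals:
        return "grace"
    return "must_change"


def first_login(rec: LoginRecord, today: date) -> str:
    """Record the first use of a bootstrap password and return the new state."""
    if rec.first_used is None:
        rec.first_used = today
    return password_state(rec, today)


def defer_change(rec: LoginRecord, today: date) -> bool:
    """User postpones the change; allowed only in the grace period and only
    max_deferrals times, which is what keeps the grace period from being abused."""
    if password_state(rec, today) != "grace":
        return False
    rec.deferrals += 1
    return True


def rotate(rec: LoginRecord, today: date) -> str:
    """A new policy-compliant password takes effect; bootstrap and deferrals reset."""
    rec.set_on, rec.bootstrap, rec.deferrals = today, False, 0
    return password_state(rec, today)


def scenario():
    """Worked run-through on constructed dates: a bootstrap password is used once,
    deferred twice inside a 5-day grace period, then rotated onto the 90-day policy."""
    rec = LoginRecord("90 Days", date(2006, 1, 1), bootstrap=True,
                      bootstrap_mode="first_use", grace_days=5, max_deferrals=2)
    out = [password_state(rec, date(2006, 1, 10))]      # unused bootstrap: valid
    out.append(first_login(rec, date(2006, 1, 10)))     # expires on first use: grace
    out.append(defer_change(rec, date(2006, 1, 10)))    # True
    out.append(defer_change(rec, date(2006, 1, 10)))    # True
    out.append(defer_change(rec, date(2006, 1, 10)))    # False: allowance used up
    out.append(password_state(rec, date(2006, 1, 10)))  # must_change
    out.append(rotate(rec, date(2006, 1, 12)))          # valid
    out.append(str(expiry_date(rec)))                   # 2006-04-12
    out.append(password_state(rec, date(2006, 4, 12)))  # grace
    out.append(password_state(rec, date(2006, 4, 18)))  # must_change (grace ended 04-17)
    return out


if __name__ == "__main__":
    print(scenario())
```

A static bootstrap record never leaves the valid state on its own, which is the intended behaviour for group and manual passwords; a first_policy_date record behaves like an ordinary one and simply rotates on the policy date.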

 
© 1999 - 2006, Mandylion Research Labs, LLC. All rights reserved.