PentaSafe Adds Password Security With PS-PasswordManager

Taking steps to add another security feature, PentaSafe (Houston) recently announced plans to release PS-PasswordManager, a password scanning utility for the AS/400.

"We view passwords as the first line of defense against security breaches," says Jack McAffee, AS/400 product line manager at PentaSafe.

McAffee says the decision to develop PS-PasswordManager didn't come from any specific customer requests but rather from reports which highlight the growing problem of security breaches. A report by International Data Corp. (Framingham, Mass.) says 70 percent of security breaches are internal. Another one done jointly by the Computer Security Institute and the FBI says unauthorized access has risen 10 percent in each of the last three years. "This was a proactive manner to protect our customers," he says. "Anyone can breach security as long as they have access to the system."

Using a dictionary of 124,000 words, PS-PasswordManager scans an AS/400 and pinpoints any weak or easily identified passwords. It then compiles a report listing the users who have easily guessed passwords.

PS-PasswordManager gives administrators a streamlined method of notifying users of their bad passwords along with a couple of options for making sure a user changes their password. It can shut down the user, force a change of password upon the user's next login, disable the user, or send a message explaining to the user the process for picking a secure password.

The only person who can run the program is the security officer in a corporation. So, even if someone knows the program is out there, they won't be able to run it unless they break the security officer's password code, which is generally very difficult to break.

PS-PasswordManager also has help desk capabilities that keep a detailed list of each user's previous 32 passwords. If a user forgets a password but remembers an old one, the help desk can verify the new password from the PS-PasswordManager without having to go to the user's desk. The information is encrypted to prevent unauthorized access.

The PS-PasswordManager is made up of password cracker programs that employ the same encryption algorithms against a word list and then look for matches.

Although the PS-PasswordManager word list is composed of 124,000 words, corporations can expand it by adding suffixes, replacing 1 with I, or a number of other things.
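The audit described in the two paragraphs above (hash each word-list candidate the way the system does, compare, and expand the list with suffixes and 1/I swaps) can be sketched as follows. This is an added example, not PentaSafe's code: PBKDF2 stands in for the AS/400's algorithm, and the account names, suffixes and words are constructed.

```python
import hashlib
import hmac
import os

def stored_hash(password: str, salt: bytes) -> bytes:
    # Assumption: PBKDF2-SHA256 stands in for whatever the audited system uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)

def expand(word, suffixes=("1", "123", "99")):
    """Yield the word plus case variants, i/I <-> 1 swaps, and suffixed forms."""
    bases = {word, word.capitalize(), word.upper()}
    swap = str.maketrans({"i": "1", "I": "1", "1": "I"})
    bases |= {b.translate(swap) for b in bases}
    for base in bases:
        yield base
        for suffix in suffixes:
            yield base + suffix

def audit(accounts, wordlist):
    """Return the sorted names of users whose stored hash matches a candidate.

    Only user names are reported, never the matching password.
    """
    weak = []
    for user, (salt, digest) in accounts.items():
        if any(
            hmac.compare_digest(stored_hash(candidate, salt), digest)
            for word in wordlist
            for candidate in expand(word)
        ):
            weak.append(user)
    return sorted(weak)

def _enroll(password):
    # Helper for the constructed sample data: per-user random salt.
    salt = os.urandom(16)
    return salt, stored_hash(password, salt)

# Constructed sample accounts and a three-word list (a real list is far larger).
ACCOUNTS = {
    "JSMITH": _enroll("password"),
    "MJONES": _enroll("Adm1n123"),
    "KLEE": _enroll("t7#Vq!zR0p"),
}
WORDLIST = ["password", "admin", "houston"]

if __name__ == "__main__":
    for name in audit(ACCOUNTS, WORDLIST):
        print(f"{name}: password found in expanded word list")
```

The report lists JSMITH and MJONES; the second is caught only because the expansion step turns "admin" into "Adm1n123".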

McAffee says that many users have easy to access passwords, adding that "password" is, in fact, the most commonly used password. "In general, if you have not been auditing passwords, companies most likely will find that a number of people have poor passwords," he says.

According to McAffee, the continuing evolution of the AS/400 can lead to more security breaches. "As the AS/400 gains more momentum from the way IBM is marketing it and putting more technologies on it, it will become much more prevalent to people outside IT shops," he says.

There are two versions of PS-PasswordManager. The first version provides added security, showing only the name of the person, not the password that they use. The second version provides the name of the user and the password. Both versions are scheduled for release in the fourth quarter of 1999.