Product Review: Mandylion Labs’ Log-In Manager Tokens Take On Password Overload
Love ’em or hate ’em, passwords are our central means to access everything: e-mail, VPNs and physical entrance to company facilities. But passwords have an inherent weakness: They are under users’ control (think “Post-it notes”) and are therefore largely out of reach of administrators. In most cases, the best IT can do is create a functional password policy and cross its fingers.
That’s where Mandylion Labs comes in; its device aims to help users generate strong passwords and store them in one secure place. The Mandylion system consists of “tokens” that store and generate cryptographically strong passwords, with a PC-based application and a USB connection.

If your company demands extremely strong passwords and regular access to a wide variety of systems, this is a valuable product to consider. Users who manage a minimal number of passwords may find the Mandylion manager helpful in remembering log-ins, but it could also be more effort than it’s worth.
The Mandylion token weighs less than 1 ounce. It’s also small, at just 2.5 inches long. It looks like a purple plastic automobile remote door lock, with a notch at its base so you can throw it onto a key ring. The token has a tiny LCD display above its five-button navigation mechanism (four directional buttons and an Enter key).
Administrators initialize the tokens via the Mandylion cradle. They configure specific users or groups by entering up to 50 log-in record accounts, user names and password parameters into the Policy Master software. You can manually assign a password to log-in records or automatically generate passwords that meet structured or randomized guidelines. Passwords can be up to 14 characters long, using any ASCII character. Administrators can require users to change the password at regular intervals such as 30 days or 90 days. (We didn’t have the token long enough to evaluate the renewal prompts.)
A new user is prompted to enter and confirm a five-digit access code using the directional keys. Then he must update the passwords on applications and websites with the ones supplied by the token.
Administrators can lock the log-in records for specific users so that names and accounts cannot be modified without the admin Policy Master template. Network admins can also decide whether the token should be used strictly for work purposes (by blocking the users from entering personal log-in records) or if users can input new records themselves.