Product Review: Mandylion Labs’ Log-In Manager Tokens Take On Password Overload

Password overload got you down? Looking for relief without resorting to Post-it notes? Mandylion Labs’ über password manager promises a simple, secure method to manage password proliferation, and the gizmo can generate passwords based on administrator-specified schemas. The U.S. Defense Department has deemed the token secure enough for use in its facilities, but it’s not for everyone. We’ll tell you why.

Love ’em or hate ’em, passwords are our central means to access everything: e-mail, VPNs and physical entrance to company facilities. But passwords have an inherent weakness: They are under users’ control (think “Post-it notes”) and are therefore largely out of reach of administrators. In most cases, the best IT can do is create a functional password policy and cross its fingers.

That’s where Mandylion Labs comes in; its device aims to help users generate strong passwords and store them in one secure place. The Mandylion system consists of “tokens” that store and generate cryptographically strong passwords, with a PC-based application and a USB connection.

If your company demands extremely strong passwords and regular access to a wide variety of systems, this is a valuable product to consider. Users who manage a minimal number of passwords may find the Mandylion manager helpful in remembering log-ins—but it could also be more effort than it’s worth.

The Mandylion token weighs less than 1 ounce. It’s also small, at just 2.5 inches long. It looks like a purple plastic automobile remote door lock, with a notch at its base so you can throw it onto a key ring. The token has a tiny LCD display above its five-button navigation mechanism (four directional buttons and an Enter key).

Administrators initialize the tokens via the Mandylion cradle. They configure specific users or groups by entering up to 50 log-in record accounts, user names and password parameters into the Policy Master software. You can manually assign a password to log-in records or automatically generate passwords that meet structured or randomized guidelines. Passwords can be up to 14 characters long, using any ASCII character. Administrators can require users to change the password at regular intervals such as 30 days or 90 days. (We didn’t have the token long enough to evaluate the renewal prompts.)

A new user is prompted to enter and confirm a five-digit access code using the directional keys. Then he must update the passwords on applications and websites with the ones supplied by the token.

Administrators can lock the log-in records for specific users so that names and accounts cannot be modified without the admin Policy Master template. Network admins can also decide whether the token should be used strictly for work purposes (by blocking the users from entering personal log-in records) or if users can input new records themselves.

Why You Want One of These

According to the company, Mandylion’s password manager solution was designed for the U.S. Department of Defense. Its main strengths are its multilevel, “defense-in-depth” security safeguards. We appreciate the level to which you can customize these safeguards.

For instance, the token’s five-button code is not in itself particularly secure. A determined hacker could easily run through the list of possible combinations. However, depending on the level of security required, administrators can set the device to lock after one, three, five or 10 failed log-in attempts, and optionally erase the token’s contents. An erased device can be “reprogrammed” only by the user (if company policies permit it) or re-initialized by an administrator.

Because there is no bilateral communication between the token, cradle or software, one component cannot be used to pull information from, or to “interrogate” another.

Organizations whose security policies prohibit passwords from being documented can employ the token as a password reminder using a system of offsets. For instance, users can be taught that all uppercase letters should be read as lowercase. Or the user could be instructed to add five sequential letters to uppercase letters. Using these offsets, a password that reads ABDE123A on the device might actually be fgij123f.

One cool feature lets users know if their tokens have been tampered with. If an incorrect log-in attempt is registered, the word “Tampered” appears on the screen the next time the correct access code is entered.

Another plus is that the token’s memory is unaffected by battery life or power loss. According to Mandylion, the token’s battery should last for a year of regular daily use, at which time a new, 3-volt “coin cell” style lithium battery can be inserted with no effect on the log-in records.

Why You Might Not Want One

Our biggest complaint is one of trust: We never felt completely comfortable relying solely on the token. One reason was that we encountered issues with template settings that caused new passwords to be generated without initiation. To be fair, we were constantly creating new templates, associating them with our token and then running tests, which is atypical. We also had problems with passwords that we entered manually via the Policy Master software; we couldn’t edit the passwords using the token’s directional buttons. We could not auto-generate new passwords for these records; the token generated only a blank field or, in some instances, two or three characters that didn’t fit any default password guidelines or any others we’d specified. Mandylion is aware of this last issue and says it plans to address it in a later release.

Many organizations rely on users to change their passwords. That’s how the Mandylion token is designed, too. But administrators can’t ensure users actually are updating passwords, unless password policy is assigned on the server.

Entering log-in records is easy. However, typing in new records or editing existing ones on the token was a task we quickly learned to avoid. The token’s gum-rubber buttons are not particularly responsive, and scrolling through 50 records could drive even the most patient CIO to tears. To edit an existing record, you must scroll through the entire alphabet until you find what you’re looking for.

Like the token’s password field, both the account name and user or log-in name fields are limited to 14 characters. This was frustrating, as we have several longer log-ins.

Since the token doesn’t communicate with the user’s PC or even the Policy Master template beyond the unilateral communications when transferring records, an administrator has no way to know if a token is compromised. You can’t know whether the device was stolen and is being hacked, or if it rolled under a user’s car seat.

The size and shape of the Mandylion token is suitable. If you don’t keep very many keys on your key ring it won’t be a problem, but it was somewhat awkward when attached to a ring with many keys. The token also feels rather delicate; after only a week and a half of regular use, it was a bit dinged up.

Finally, Mandylion’s password manager works only with PCs, so Mac and Linux users will want to steer clear.

Would We Buy One? Probably Not

Passwords are imperfect. They depend on people to secure and update them regularly. However, tools like the Mandylion password manager help administrators ensure that users comply with password security policies by making it as easy as possible.

Users must change passwords on their own, so this device is very much human dependent. But users who make Mandylion’s solution a part of their routine will benefit from its strong password-generation capabilities and security safeguards. The Mandylion token could also be an invaluable tool for users in extremely sensitive environments with large numbers of log-in records. However, average users—or users with 10 or fewer regularly used passwords, like us—may be better off sticking with the good old-fashioned memory found inside your head.

Empty Mandylion Policy Master Template

The problems we encountered seemed to stem from the software’s advanced features. Users who are simply handed a preconfigured token (with all editing functions locked) will find the token very simple to use, if a bit frustrating to navigate. However, administrators working with group templates may consider the Policy Master unwieldy.

Overall, we were impressed with the “defense-in-depth” approach to password security that Mandylion’s password manager affords. However, we encountered enough issues with unintended password regeneration and editing that we would be hesitant to rely solely on the token for our authentication needs.