User's guide (web) - Infinity PasswordSafe WinLogon
(Before reading the user's guide for Infinity PasswordSafe WinLogon, make sure you've read the Infinity PasswordSafe user's guide for all basic PasswordSafe features and settings.)
The new Windows logon feature added in PasswordSafe (v1.40 and up) makes it safe and easy to log in to Windows with your PasswordSafe card. The Windows logon feature replaces the normal Windows XP / 2000 logon screen with a custom PasswordSafe logon screen, adding the possibility of logging on to Windows using your PasswordSafe card. The Windows logon is fully integrated with the PasswordSafe application when a user is logged on to Windows.
Using the PasswordSafe-enabled Windows logon makes it possible to have a very strong and secure Windows password which is only stored on the PasswordSafe card and not in memory. By having to use both a smartcard and a password to log on to Windows, the security level is raised significantly. The Windows logon screen is customizable from the well-known PasswordSafe application. It is possible to log on to Windows simply by using a PasswordSafe card, and the system will automatically log the user off if the card is removed. There are many different ways to combine security and easy access using the Windows logon feature.
Disclaimer: WB Electronics cannot be held responsible for any loss of data that may occur using this product.
The Windows logon is set up in the "Windows Logon Settings" window, within the Infinity PasswordSafe software. If this option is not available from the menu, the PasswordSafe Windows logon feature has not been installed.
These settings control how a person logs on to Windows:
“Username” - The Windows username which should be used to log on to Windows when using the PasswordSafe card. For instance “Administrator”.
“Password” - The Windows password that matches the username.
“Domain” - (Optional) The Windows domain that matches the username.
The Windows logon username and password are stored on the specific PasswordSafe card just like all other passwords. In order to raise the security level of the Windows logon sequence, a strong, complicated Windows logon password should be used. This password is then stored on the card and does not have to be remembered. Only by having the physical PasswordSafe card and the PasswordSafe password can one log on to Windows. Even if there is physical access to the workstation, the Windows logon password would be too strong to guess at random.
Using the PasswordSafe Windows logon feature quickly raises the level of Windows logon security and makes the logon sequence simpler.
It is possible to customize the logon requirements for logging on to Windows for further security or easy access:
- Username and password requirement (normal login)
- PasswordSafe card and password requirement (safe login requires both a physical card and a remembered password)
- PasswordSafe card requirement (semi-safe login requires a physical card only)
- PasswordSafe card or username and password requirement (both normal and PasswordSafe card login possible)
- PasswordSafe card and password or username and password requirement (both normal and PasswordSafe card login possible)
“Login methods allowed” - Select which methods are allowed to log on to Windows. Choose between “Keyboard or PasswordSafe card”, “Keyboard only” and “PasswordSafe card only”. Warning: Only select “PasswordSafe card only” if you are an experienced user, and if you have made a PasswordSafe card with a verified WinLogin password, since this could prohibit you from logging on to Windows.
“Perform this action when PasswordSafe card is removed” - If you have logged on to Windows using your PasswordSafe card, you can choose an action which will be performed if you remove your card. Choose between “No action”, “Lock workstation”, “Log off”, “Suspend”, “Hibernate”, “Shutdown”.
“Only execute action if logged in with PasswordSafe card” - By selecting this option, the system will only perform the selected action if a PasswordSafe card has been used for Windows logon.
“Disable Windows logon if PasswordSafe password is blank on PasswordSafe card” - This option disables the possibility of using a PasswordSafe card with a blank password as Windows logon. Selecting this option raises the Windows logon security level.
For maximum security, follow these basic rules:
- Choose a strong password as the master password for a card. If you lose the PasswordSafe smartcard or it gets stolen, somebody else can only decrypt the card and get access to your passwords by guessing the master password.
If you choose to use a blank master password (for convenience), the contents of the card are still encrypted, and therefore only accessible if another person knows it's a PasswordSafe card. Don't write "Infinity PasswordSafe" on the card.
- Choose a unique (and strong) password for each of your accounts, i.e. one for your web bank, a different one for your mail account etc.
Users often choose the same (simple) password for all accounts because it is easier to remember, but this leads to security problems if just one web service gets compromised.
With the Infinity PasswordSafe you don't need to remember 10 different passwords.
- Remove the PasswordSafe smartcard when it's not being used. If you're leaving the PC for a while, take the PasswordSafe card with you.
- Do not let your browser store web passwords, and don't use the "remember me" function on some websites. If somebody steals your entire PC they'll easily be able to access all your personal information using the stored passwords.
- Use a strong, complicated Windows logon password and store this on your PasswordSafe card using the PasswordSafe WinLogon feature. Remember to always have a remote copy of your Windows password in case you lose your PasswordSafe card.
Name, description, passwords and usernames are stored in the external EEPROM on the smartcard, encrypted using a 128-bit Blowfish algorithm.
No passwords or any other secure information is stored on the PC.
The size of the external EEPROM directly determines how many sets (Name / description / passwords / username sets) can be stored on a card:
- Funcard / Funcard2 (AT90S8515 + 24C64) - 62 items
- Funcard3 / PrussianCard (AT90S8515 + 24C128) - 126 items
- Funcard4 / PrussianCard2 (AT90S8515 + 24C256) - 254 items
- Funcard5 / PrussianCard3 (AT90S8515 + 24C512) - 510 items
- Funcard6 / PrussianCard4 (AT90S8515 + 24C1024) - 1022 items
- Funcard7 / PrussianCard5 / DragonLoaderCard AVR (AT90S8515 + 2*24C1024) - 1022 items
- Goldcard (PIC16F84(A) + 24C16) - 14 items
- Silvercard (PIC16F87x + 24C64) - 62 items
- Greencard (PIC16F87x + 24C128) - 126 items
- Greencard2 (PIC16F87x + 24C256) - 254 items