Assignment 1


Whisper home page

Within the last decade ecommerce has gone from an unheard-of event to an industry that fetches billions of dollars a year. There are hundreds if not thousands of sites on the internet that offer secure transactions for purchases of everything from books to barns. There is so much competition now for your ecommerce dollars that there are even sites that scour the internet looking for the best prices for whatever product you’re interested in. With the rise of this incredible marketplace comes the rise of a unique security concern. Due to the inherent limitations of ecommerce, companies rely on informational tokens in order to confirm customer identity. In other words, they almost invariably require usernames and passwords. In order to place an order with an online merchant, the customer will usually be asked to register with the site, providing personal and financial information. These days, due to the aforementioned plethora of ecommerce sites, the average consumer may be a member of (i.e. have an account with) quite a few sites. This is not even counting the fact that many people now access their bank and credit card accounts over the internet.

Due to this trend, I feel that the need for basic computer security for the consumer in this arena has become more and more important. It is not uncommon for users to use standard passwords for multiple accounts. These passwords are usually chosen because they are easy to remember, and quite commonly they are based on easily accessible personal information. Even if they are "good" passwords, the fact that they are used more than once can create a further security vulnerability. For instance, a few years ago, it was announced that an ecommerce site that I had used had been compromised by a group of hackers from Russia. Had they retrieved my password, it would have been possible to use this information to access my accounts with other vendors.

Therefore, for my software evaluation I have chosen to evaluate a piece of software called Whisper32. It is a freeware password manager suitable for running on Windows operating systems (http://www.ivory.org/whisper.html). It is a small program, about 362KB, that is easily installed. When it is, this simple program creates a proprietary .wsp file that contains a list of usernames and passwords that can be set to expire after a set period of time. This file is encrypted and may only be accessed by providing the correct password. This way you can create multiple password documents encrypted by different passwords. According to its developer, Shaun Ivory, this file is protected by "Karn (MDC) encryption -- Based on 'Phil Karn, sci.crypt, 13 Feb 1992' which is in turn derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm." While this may not be the most advanced or complex security application, I think it provides a very basic and important service that users would do well to take advantage of.

Although this level of protection is by no means good enough to deter any serious cracker, it is sufficient to stave off the average user, although I believe this is not really the salient objective of this software. The point is that it is very unlikely for a professional to aim all his efforts at a single consumer; it is more likely that an ecommerce vendor will be compromised, allowing the consumer’s password to fall into unsavory hands. This could have a domino effect if the cracker were to try to use this password to compromise other vendors. From the standpoint of the system administrator, it is also important that a user’s passwords be sophisticated enough to prevent a system from being compromised by an easily guessed password. To this end, Whisper comes with a password generator that can randomly generate passwords consisting of symbols, numbers, and digits so that the user can create unique and unintelligible passwords for every account. These usernames and passwords can be easily accessed, cut, and pasted when they are needed, and the file itself can be saved in multiple locations to prevent loss. Since the .wsp file is so small (around 10-20 kb), it can be easily stored in multiple locations. I actually email a copy to all my email accounts as an attachment whenever I update my file.
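The two habits this evaluation credits to Whisper, a unique random password for every account and expiry after a set period, can be sketched as follows. This is an added example, not Whisper32's own code: the entry fields, the 90-day limit, the symbol set and the sample accounts are assumptions constructed for illustration.

```python
import secrets
import string
from collections import defaultdict
from datetime import date, timedelta

SYMBOLS = "!@#$%^&*()-_=+[]{}"  # assumed symbol set, not Whisper's
CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS]

def generate_password(length=16):
    """Random password from the OS CSPRNG with every character class present."""
    if length < len(CLASSES):
        raise ValueError("length too short to cover every character class")
    alphabet = "".join(CLASSES)
    chars = [secrets.choice(c) for c in CLASSES]          # one from each class
    chars += [secrets.choice(alphabet) for _ in range(length - len(CLASSES))]
    secrets.SystemRandom().shuffle(chars)                 # hide the fixed positions
    return "".join(chars)

def audit(entries, today, max_age_days=90):
    """Return (reused, expired): sites sharing a password, sites past the age limit."""
    by_password = defaultdict(list)
    for e in entries:
        by_password[e["password"]].append(e["site"])
    reused = sorted(s for sites in by_password.values() if len(sites) > 1 for s in sites)
    cutoff = today - timedelta(days=max_age_days)
    expired = sorted(e["site"] for e in entries if e["changed"] < cutoff)
    return reused, expired

def rotate(entries, sites, today):
    """Give each flagged site its own fresh password and reset its age."""
    for e in entries:
        if e["site"] in sites:
            e["password"] = generate_password()
            e["changed"] = today

def sample_entries():
    # Constructed sample data: two accounts reuse one guessable password.
    return [
        {"site": "bank.example", "password": "Fluffy1998", "changed": date(2024, 5, 1)},
        {"site": "books.example", "password": "Fluffy1998", "changed": date(2023, 1, 15)},
        {"site": "mail.example", "password": "k#9Tq!x2Lm", "changed": date(2023, 11, 2)},
    ]

if __name__ == "__main__":
    today = date(2024, 6, 1)
    entries = sample_entries()
    reused, expired = audit(entries, today)
    print("reused:", reused, "expired:", expired)
    rotate(entries, set(reused) | set(expired), today)
    print("after rotation:", audit(entries, today))
```

Once every flagged account has been rotated, a password leaked from one vendor no longer matches any other account in the list, which is the domino effect described above.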

In conclusion, I feel that this is vital software that all users should take advantage of. Number one on Toxen’s "Seven most Deadly Sins" is lack of adequate password protection. This program provides a simple, basic and important service that can have real benefits when it comes to computer security, not only for the consumer but also for the system administrator.