Sunday, October 28, 2007

RTFM

For as long as I've been into computers, this has been a recurring theme. Read The Fine (or other "F" word of choice) Manual (RTFM) is the mantra of a support analyst. We use this term for those people who don't have the drive or skill with computers that would have led them to a simple answer.

Unfortunately, every once in a long while, circumstances arise where I have to use this against myself.

I recently received a new toy. This little device (just about the size of an OEM car keyless entry fob) is soon to become another tool for my computing arsenal. With all of the passwords that I maintain, and with all of their various rules of composition, it was starting to become difficult keeping them straight. It really wasn't that big of a deal until a situation occurred just before the wedding with eBay and PayPal. At this point I determined that I needed to do something to better secure my information within the ether world of the Internet.

Bear with me if you are reading this early. I will document the aforementioned situation in a subsequent message. Once it is posted I will create a backlink.

Anyway, after being financially impacted by some unknown means, I determined that it was time to increase my security. So I bought two of these Mandylion Password Managers. I could not tell you how long I had been using the same passwords at many of the sites where I was required to authenticate. Furthermore, the majority of the sites were using the same password. The exceptions were the ones that required a specific password composition, such as no symbols. Anyway, every additional site that shares the same password increases my exposure should it ever be cracked. Although the password I was using was strong, the more places it is used, the more opportunities there are for it to be discovered. The definition of a strong password is one that is not dictionary based and contains a mixture of letters, numbers and symbols.

Well, as with many of the things that I do, as soon as I received my new toy, I grasped on to it wholeheartedly and have taken it to the extreme. I've spent several hours with this toy already and almost gave up on it as a publicly consumable item. It has taken me three days thus far to get it configured the way that I want it. However, as the title of this message implies, my frustration was due to an issue with the instructions. I didn't read ALL of them.

So, let's recap my experience from the start.

I get this device while I'm working, so I have to sit on it until I'm done with work. As soon as I finish work for the day I rip into the packaging and begin the discovery process. I get the device connected to the computer, install the drivers and associated software, and validate that it is what it says it is. So far so good. Now, let's put it to use.

I fire up the software to begin entering the array of sites and locations where I use a password most often. I determine what the password template should be for each site: for example, how many characters and what character set (are mixed-case letters required, are numbers required, are symbols permitted) to use. The next question is how often the password should change. Since only at work do any of my passwords have a mandatory expiration period, this is completely subjective. How often do I want to change the password?

To this point, everything has been peachy. However, the next part caused the most frustration. There are a few options regarding how the password should be specified initially on the token. I figured that since I had set the policy information, manually entering an initial configuration password would work. However, this is not the case. As soon as I would enter a manual initial password, the password pattern would reset to manual. This was not a good thing. I was hoping, given how shoddy this software appeared, that this was just an aesthetic problem. This was not the case. Therefore, once I transferred the information to the token, it would configure it any way that it wanted.

However, I didn't discover this until after I started using it. Since the passwords I wanted were now on the token, I went to begin changing the passwords that I use. However, after getting just a couple of sites into the process, I discovered that passwords were being generated that I couldn't use. The password templates that I specified were not being enforced (because they had been reconfigured), and I was getting passwords that were too long or even used the wrong character set.
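The per-site template described two paragraphs up (length, character set, rotation period) and the failure mode just described (generated passwords that were too long or used a character set the site rejects) are exactly what a policy checker catches before a password is ever set on a site. What follows is an added example, not the Mandylion software, its file format, or the author's own configuration: a hypothetical Python model of a per-site template that generates passwords from it with a CSPRNG and validates any password against it. The site names, length limits and rotation period are constructed for illustration.

```python
from __future__ import annotations

import secrets
import string
from dataclasses import dataclass
from datetime import date, timedelta

# Symbol set used by the examples; a real site may accept a narrower one.
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"


@dataclass(frozen=True)
class PasswordTemplate:
    """Hypothetical per-site policy (not Mandylion's): length bounds, which
    character classes the site permits, and how often to rotate."""
    site: str
    min_len: int
    max_len: int
    lower: bool = True
    upper: bool = True
    digits: bool = True
    symbols: bool = True
    rotate_days: int = 90

    def classes(self) -> list[tuple[str, str]]:
        """(name, characters) for every class this site permits."""
        out = []
        if self.lower:
            out.append(("lowercase", string.ascii_lowercase))
        if self.upper:
            out.append(("uppercase", string.ascii_uppercase))
        if self.digits:
            out.append(("digits", string.digits))
        if self.symbols:
            out.append(("symbols", SYMBOLS))
        return out

    def alphabet(self) -> str:
        return "".join(chars for _, chars in self.classes())


def validate(password: str, tpl: PasswordTemplate) -> list[str]:
    """Return every way `password` breaks `tpl`; an empty list means it
    conforms. Wrong length and disallowed characters are the two failures
    the post ran into after the templates were silently reconfigured."""
    problems = []
    if len(password) < tpl.min_len:
        problems.append(f"too short: {len(password)} < {tpl.min_len}")
    if len(password) > tpl.max_len:
        problems.append(f"too long: {len(password)} > {tpl.max_len}")
    disallowed = sorted(set(password) - set(tpl.alphabet()))
    if disallowed:
        problems.append("disallowed characters: " + "".join(disallowed))
    # Require at least one character from every permitted class so the
    # password actually draws on the whole alphabet the site allows.
    for name, chars in tpl.classes():
        if not any(c in chars for c in password):
            problems.append(f"missing {name}")
    return problems


def generate(tpl: PasswordTemplate) -> str:
    """Generate a password at the longest length the site accepts, using the
    OS CSPRNG, and reject any draw that does not satisfy the template."""
    alphabet = tpl.alphabet()
    for _ in range(10_000):  # rejection sampling keeps the draw uniform
        candidate = "".join(secrets.choice(alphabet) for _ in range(tpl.max_len))
        if not validate(candidate, tpl):
            return candidate
    raise RuntimeError(f"template for {tpl.site} is unsatisfiable")


def rotation_due(tpl: PasswordTemplate, last_changed: str, today: str) -> bool:
    """True once the template's rotation period has elapsed (ISO dates)."""
    elapsed = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return elapsed >= timedelta(days=tpl.rotate_days)


# Constructed templates standing in for the kinds of sites in the post: one
# that takes the full character set, and one that forbids symbols and caps
# the length (the "no symbols" exception mentioned above).
FULL_SITE = PasswordTemplate("auction-site", min_len=8, max_len=20)
NO_SYMBOL_SITE = PasswordTemplate("bank", min_len=8, max_len=12, symbols=False)


if __name__ == "__main__":
    pw = generate(FULL_SITE)
    print(FULL_SITE.site, pw, validate(pw, FULL_SITE))
    # A password generated under the wrong template is caught before use.
    print(NO_SYMBOL_SITE.site, validate(pw, NO_SYMBOL_SITE))
    print("rotate?", rotation_due(FULL_SITE, "2007-07-01", "2007-10-28"))
```

Running `validate` on a candidate against the template of the site it is actually destined for is the step that would have flagged the too-long and wrong-alphabet passwords immediately, instead of after they were already typed into a site's change-password form.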

This was unacceptable.

So now I have a real dilemma. I was under the misconception that I needed the software to configure this device for everything that I wanted. I now know that this is not the case; however, it is too far gone now for me to start over. The only thing that a computer is required for is the initialization step. Anyway, since I'm now using the passwords that are on it, I'm not going to re-initialize it. I'll deal with what I've got.

Moving on with the issue. Now the device has passwords that I don't have memorized, but I need to make configuration changes to it. So I'm back to the same problem that I had initially. I need to update the password template from the software (because I locked the token from being able to do it), and I need to be confident that once I make the change, the password on the device is correct. A little forethought was put into this. I wrote down the passwords on the token into Notepad and tried to reconfigure it.

At this time, I'm not very confident that what I tell the software will actually reach the token. So here's the deal. I first need to determine how to set the password pattern template and set a starting-point password. As I told you before, this wasn't working. So, instead of flailing blindly at this software, I open the manuals. There was an option for the initial password called "Bootstrap". I didn't understand this term and wasn't sure what the results were going to be. Unfortunately, the manual was not very clear on the definition of this option, but it did give the impression that this was the option for which I was looking.

I return to the UI, start to redefine my password template options, and specify bootstrap passwords. We have success. The software accepted the password and did not reconfigure anything else in the configuration.

Please bear in mind, all of this has transpired over a three-day period. I'm not so sure that the typical consumer would put this much effort into using this device. I might have been better off making all of the password additions and configuration within the token's interface, but this would have been cumbersome and time consuming. In hindsight, it might have been less cumbersome.

So, I spend some time (a lot of time) researching my browser cache, putting every password that I use for work (including the Army) or personal use into the software, and I'm now ready to start using it.

The moral of this story is: read the manual, understand the tool you are trying to use, and it will save you tons of time in the long run. However, I'm not excusing the company. The documentation is less than desirable, and the UI is about as intuitive as something I would expect from Beagle. Maybe not even that good. His interfaces might not be pretty, but they work well and he will explain to you how to use them. That is more than what I got from this company.

The last challenge left in this adventure is to get Angel to set up her token. I'm certain that working with her will be a better usability test for this device. However, she has an advantage: I know how it works now. I'm sure that I'll have more to say about this little tool in the future.
