Password Manager XP - Store Your Data with Confidence


Introduction

Password Manager XP, at its core, is a tool for storing confidential data securely, regardless of what kind of data it may be. Most tools in the password management family place limits on the kinds of data they will allow you to store. What differentiates Password Manager from these other tools is its flexibility. However, as we will see later in the review, this flexibility comes at the cost of an easily usable system.
 
Password Manager XP has all the functionality you’d expect to find, including password protection of its database file, auto-fill functionality, and support for capturing login information automatically. It also provides business functionality, such as support for multiple users, network access, and remote logging, and even Group Policy support, which allows you to consistently apply configuration across your Windows domain.
 
Chief among Password Manager XP’s many features is one called “Form-fill,” which allows you to specify graphically which input fields apply to which record elements: the form turns gray and available fields turn yellow. This level of functionality allows Password Manager XP to work with almost any kind of form found on the Internet, as it does not depend on website developers using common names for entry fields to detect where to put data.
 
For non-English speakers, Password Manager XP provides support for many languages, including German, French, Italian, Spanish, Dutch, Swedish, Norwegian, Lithuanian, Chinese, Korean, Danish, Czech, Slovak, Slovenian, Hungarian, Greek, Croatian, Polish, Portuguese (Brazil), Hebrew, Turkish, Farsi, Romanian, Russian, and Ukrainian. I did not evaluate the quality of support for languages other than English.
 
Despite its name, Password Manager XP works not only on Microsoft Windows XP, but also on both 32-bit and 64-bit Vista. It also works well with User Account Control (UAC) in Vista by not requiring your approval for individual actions, other than to install or uninstall the application.
 
If you want a password management tool that you can customize, then Password Manager XP is the product for you. It can be used to store almost any kind of data by allowing you to define sets of fields for different categories, such as accounts, credit cards, or even freeform text.  
  
If ease of use is important to you, Password Manager XP is not the product for you.  It is difficult to use, in part because it is so customizable; there are no built-in concepts for “account,” “address,” and so on. They are all just “record” types. Without the UI to support core functionality, like password management, and good help and guidance, it is often unclear what to do next. For example, starting a new database gives you options to create a new folder and to “create a record.” The initial record type has fields to support password management functionality, but it isn’t always clear what to do with those fields. By default, there are both “account” and “username” fields.  I’ve never encountered a website where I have to fill in both account and username simultaneously. If you want to do anything else with the product, such as store an address or a credit card, you must define a new folder with a new set of fields.  
 
Password Manager XP does include a sample database to help show you what the product can do. It also gives you a place to look when you are trying to figure out how a given type of data might be stored, but the process remains cumbersome.
 [pwmxp-sample_db]

Help & Support (2 out of 5)

What’s Hot:
Password Manager’s help can be useful if you have the patience to read through it to get an overall understanding of the product, which is important because the UI is so unclear. 

What’s Not:
Unfortunately, this product’s documentation is feature/area-focused, and not scenario-focused. This means learning about, for example, users is generally straightforward, but understanding end-to-end how to set up a shared database takes some digging. I could not find a good explanation of what the server feature provides in terms of practical benefit, for example. As a result, I had to spend some time playing around to figure out the right way to use the product.

Price to Value (3 out of 5)

What’s Hot:
For $20, you get a very flexible, user-extensible, secure storage system with a good UI for filling in web forms with arbitrary data stored in the secure database.

What’s Not:
Password Manager XP is relatively inexpensive, but competing packages are easier to use.

Installation & Setup (4 out of 5)

What’s Hot:
Overall, I had a positive setup experience with Password Manager XP: the installation was flexible, providing reasonable defaults as I clicked through the setup wizard. For example, I was given the choice of installation directory: the My Documents folder, my roaming profile, or a custom location. If you are not familiar with the storage structure in Windows, however, you may find the choices confusing, as Password Manager XP provides no guidance on why you would choose a particular location.

What’s Not:

Password Manager XP is not digitally signed. As a result, I received a security warning in Windows Vista when I attempted to install it. There is no way to verify that the installation package has not been altered, nor any way to verify where it came from.  As it’s a security product, I would expect the installation package to be signed. 
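
One way to check what that warning is reporting, as an added example that is not part of the original review or the vendor's tooling: the function below reports whether an installer carries a valid Authenticode signature, who signed it, and its SHA-256 hash. The function name `Test-InstallerTrust` and the installer path are hypothetical.

```powershell
# Added example: check whether a downloaded installer is Authenticode-signed.
# Test-InstallerTrust and the path used at the bottom are hypothetical names.
function Test-InstallerTrust {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Optional: publisher name you expect to see in the signer certificate.
        [string]$ExpectedPublisher
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
    $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash

    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    # 'Valid' means the signature verifies and chains to a trusted root.
    # 'NotSigned' is the case the review describes: no integrity or origin check.
    $trusted = ($sig.Status -eq 'Valid')
    if ($trusted -and $ExpectedPublisher) {
        $trusted = $signer -like "*$ExpectedPublisher*"
    }

    [pscustomobject]@{
        File        = $file.Name
        Status      = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer      = $signer
        Timestamped = [bool]$sig.TimeStamperCertificate
        Sha256      = $hash
        Trusted     = $trusted
    }
}

# Hypothetical path; substitute the installer you downloaded.
$result = Test-InstallerTrust -Path "$env:USERPROFILE\Downloads\setup.exe"
$result | Format-List
if (-not $result.Trusted) {
    Write-Warning "Installer is not verifiably signed (status: $($result.Status))."
}
```

A status of `NotSigned` corresponds to the situation described above. In that case the SHA-256 value only helps if the publisher supplies a reference hash over a separate trusted channel.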
 
During installation, Password Manager asks about setting up certain details (such as “allow hotkeys” or “notify on start”). I would prefer to first become familiar with how the product works before making decisions on these sorts of details.

Finally, uninstalling aborts if Password Manager XP is running, instead of shutting it down for me. When my browser was open, the uninstall process would not continue without further input, and the choices I was given didn’t indicate what the impact of proceeding would be. I went through each of the different options, but they all seemed to give the desired result in the end: an uninstalled product. In one case I had files left over after uninstall was finished, though the uninstall did warn me they could not be removed. The uninstall even gave me a warning and asked me to close all browser windows before it could complete, which is not typical behavior.

Overall, these are relatively minor complaints, but they can be potentially irritating or confusing to non-savvy computer users.

User Interface (2 out of 5)

What’s Hot:
The product’s form-fill programming is easy to use and allows you to choose which form fields to use to log in, and what they mean, even for completely custom web pages.

What’s Not:

The user interface and user experience as a whole are poor. When you start the program, you are faced with an empty database, for which you must define records to manage accounts and other kinds of data.
[pwmxp-new_db]
 
Finding what you need to do from the UI is difficult and requires experimentation, in part because everything is named with general terms.  Instead of creating an “Account,” you create a “Record” in the part of the database that holds accounts (and has the correct sets of fields for an account).  
As described earlier, even those entries that are predefined can be confusing, such as the preconfigured record type containing both “Account” and “Username.”
[pwmxp-new_db]

In the configuration UI, there are several options that are technical in nature and are poorly documented, such as “Concurrent write access,” “Remember data sort order,” and “Override Global Auto Closure Timeout.”

The UI that you interact with while working in the browser is contained in a system tray icon, instead of in the browser itself. This means that to interact with Password Manager XP, you must drag your mouse all the way down into the corner and target the small Password Manager XP icon, instead of working with a toolbar in the browser. The overall experience did not feel well integrated.

Product Features (3 out of 5)

What’s Hot:
Overall, Password Manager XP’s features work as intended. My two favorite features in the product are the customizable record types and the form-fill UI. 
Customizable record types, which let you store just about any type of data you can think of, allow for a lot of creative uses of the product. For example, you can store not only common things like passwords and credit card information, but also other secure data like Social Security numbers for family members, activation codes for software, or anything else you wish to protect.
[pwmxp-customize]
The form-fill UI ensures that no matter what you dream up when creating record types, they can always be used in any web page. 
[pwmxp-formfill2]

What’s Not:
Password Manager XP’s biggest downfall is that it doesn’t provide help to harness its power. Any new database should come with some predefined record types for common uses, such as saving address and credit card information. And the form-fill UI, while very powerful, should do a better job of guessing what fields to fill so you don’t have to make the assignment every time.

Security & Privacy (3 out of 5)

What’s Hot:

Password Manager XP offers plenty of encryption options to choose from, and they can be used concurrently. The application does not claim to, nor does it appear to, collect information from the user’s computer or activities. The store must be protected with a password. 

There is functionality to allow multiple users to access a single database; each user can be given different access rights.

For businesses, Password Manager XP can be controlled through Group Policy, ensuring that configuration is consistent throughout your company.

What’s Not:
Password Manager XP allows you to choose from eight different encryption algorithms, and it includes all the major ones.
[pwmxp-db_encrypt_options]
Unfortunately, included in this set of eight are algorithms that are no longer suitable for a security application (such as RC4). Having to choose from so many algorithms doesn’t make sense when there are only a few really good ones, and only one that has been chosen to be the Advanced Encryption Standard: Rijndael (https://en.wikipedia.org/wiki/Rijndael).
A better approach would be to offer Rijndael as the primary supported algorithm (since interoperation is not a concern), and allow users to choose a longer key length if they so desire. Additionally, using the Windows implementation of these encryption algorithms would make me more confident that the encryption has been coded correctly. This is not a practical concern for most users, but anyone protecting corporate assets should give it some consideration.

Additionally, there is no assurance that the database cannot be used if removed from the computer. While not an issue for most users, in a corporate environment it means increased risk if a USB drive or laptop is lost or stolen.

The multi-user functionality is bad from a security perspective: when a user first opens the database, it opens with full functionality, and only once a user is logged on is that functionality reduced to the user’s level. This means that Password Manager XP fundamentally has full rights to the database, and as such, any user has access to the database as well. So while the program does provide the ability to restrict functionality, the restriction can be bypassed by accessing the file directly. This is likely not a concern for a home user who will not use this functionality; it is a concern for any business relying on user permissions to control access to the records.

Overall, I get the feeling that the authors make use of security technology without thinking about security holistically: using accepted security practices such as those documented in the Security Development Lifecycle (https://msdn2.microsoft.com/en-us/library/ms995349.aspx) would force changes in many of the security features in this product. Again, this is probably not a concern for a home user, but if you’re running a business, you may want to consider a product with a better overall security design.

Suggested Features

If the user experience could be streamlined for core scenarios, that would go a long way to widening the audience for Password Manager XP. Separating out consumer from business functionality would also help. Including new database folders and field sets for common tasks would be a great addition, giving users a better starting point and making it easier to get up and running quickly. And better browser integration would make the product easier to use.
For business users, the creation of a proper server with centrally controlled access to the database would improve overall security.

Conclusion

Password Manager XP is very flexible but needlessly complicated; it mixes consumer and enterprise features throughout the product. Without a more streamlined UI and a better walkthrough of how it works, non-technical users will have a difficult time effectively using this software.  
 
I would not recommend this product unless you are very technical and like customizing your products, or you find that other products do not provide you with the flexibility you need.