Web Confidential: Securing Information of All Sorts
Back in TidBITS-279 in May of 1995, I wrote "PowerTalk to the Rescue?", an article about how we needed the PowerTalk Keychain to help with authenticated Web sites. The good news is that the Keychain will return in a future version of the Mac OS for AppleShare and Internet passwords; however, better news is that those who don’t want to wait, or who want a solution to storing sensitive information that will integrate with the Keychain, can now check out Alco Blom’s $25 shareware Web Confidential 1.0.1. Despite the name, Web Confidential provides a mechanism for storing not only Web-related information, but also any confidential data, including user IDs and passwords, for a wide variety of general-purpose situations. Alco also makes the powerful bookmark utility URL Manager Pro, and it’s no surprise Web Confidential works together with URL Manager Pro at every opportunity.
Confidential Cards — Web Confidential’s interface resembles nothing so much as a HyperCard stack with simple, four-field cards holding information in different categories. The fields change by category, so a Web page card has name, home page, user ID, and password fields, whereas a credit card card has name, expiration date, number, and PIN code fields. A disclosure triangle provides a fifth field for notes.
Next to the first field is the arrowhead-shaped pop-up navigation menu, which provides access to cards in that category. A checkmark pop-up menu enables you to control attributes for that card, and an eyeglasses icon next to the password field displays the password in a help balloon when you mouse over it. Since passwords appear as bullets in the password field (to prevent over-the-shoulder spying), the eyeglasses icon is a great reminder or typing check. It’s also a security problem if you leave your file open when you’re not at your computer, so be sure to close the file when you’re not using it. An option in the next version will lock the file after a certain amount of inactivity.
You switch between categories via a pop-up menu, and each category can have multiple cards. Arrow buttons help you navigate through the cards in each category. Categories include:
- WWW Pages
- FTP Servers
- Email Contacts
- Login Accounts
- POP Accounts
- Bank Accounts
- Software Keys
- Credit Cards
- ATM/PIN Cards
- Personal Data
- Serial Numbers
- Membership Numbers
- Password Manager
A toolbar at the top of the window provides buttons for switching to other Internet applications, opening URLs, copying the current password, finding cards, changing your encryption key, saving, and adding and deleting cards. Menus duplicate these functions and add a few, such as sorting, moving to the first and last card in a category, and providing access to a few preferences.
Military Menus — While the Web Confidential application is running, it makes additional functionality available through three menus shared with applications that support menu sharing, such as Internet Explorer, Netscape Navigator, Eudora, Fetch, and Anarchie.
The Diamond menu mainly enables you to create a Web page card in Web Confidential using the current URL. Other menu items switch between various applications and refresh the shared menus with changes made in the Web Confidential application.
The Key/Lock menu provides access to cards that make sense in the appropriate application. So, if you’re in a Web browser, the names of your Web page cards appear, whereas if you’re in an FTP program, the Key/Lock menu contains the names of your FTP server cards. Choosing one sends you to that page or server and authenticates your user ID.
The Eyeglasses menu lists the names of cards from the Password Manager category, which provides details for Web pages that use forms for authentication or for any other password you want accessible in applications that support menu sharing. Choosing one of these items displays information from that item’s card and provides commands to copy the password and (for users of Internet Explorer 4.01) to enter information in user ID and password form fields; these commands may not work with all pages.
Extreme Encryption — So far I’ve described a simple flat file database with some nice features to improve usability. In fact, that’s all Web Confidential is, well designed though it may be, and if you’ve kept a HyperCard stack, FileMaker database, or even text file of user IDs and passwords, you’ve duplicated much of Web Confidential’s basic functionality. What sets Web Confidential apart from your efforts (and mine) is that it encrypts its files with the extremely secure Blowfish algorithm, or, optionally, PGP. The program notes that a computer that could test one million keys per second could require up to 7,000 years to guess a 10-character key by brute force.
Declassified Documentation — Although Web Confidential is easy to use, Alco deserves credit for working with writer Colin Brace to create an excellent manual. It comes in PDF format, and although it’s designed to be printed, it works well on screen, thanks to search capabilities and many bookmarks to main headings. The manual provides background information, a getting started tutorial, and a reference section that includes a list of all command key shortcuts. It’s one of the best shareware manuals I’ve seen, and my main suggestion would be to add a section explaining the different categories and offering suggestions for how to use the more general categories; for instance, I occasionally need Tonya’s social security number, and it’s a perfect item to put into a Personal Data card.
Useful balloon help is available for most, though not all, of Web Confidential’s interface elements, although it gets a little confused within some of the dialog boxes. Concise online help is also available for both the Key/Lock menu and the Eyeglasses menu.
No Longer Top Secret — So, if you’re looking for a secure repository for all sorts of sensitive information, you owe it to yourself to give Web Confidential a try. The program is fully functional for the first 30 days, but if you don’t pay your $25 shareware fee, after 30 days you lose the capability to add new cards, plus you can’t enable encryption (although previously encrypted files remain encrypted), which seems like a reasonable way to hobble it for evaluation purposes. Overall, Web Confidential is easy to use, secure, and, for Internet applications, well-integrated. Tune in next week for a cautionary tale of why I’ll use Web Confidential seriously in the future.