Lazybit

A new beta of Password Carrier is now available, it brings Vista compatibility into the game; 32-bit and 64-bit versions of Windows Vista are both supported.

Other changes:

• An error was fixed - at times the program would fail if the number of collected credentials would exceed a certain threshold;
• Inactivity is now shown via a tray-icon (the program locks itself if the computer is left unattended)

How to update

Simply extract the contents of the archive to the removable disk, overwriting the current files of the program. Make sure you do not delete any of your .dka files (the profiles that contain your identities, and the credentials associated with each identity).

The beta is in a stable state, there are no known issues with it. The program is now an official release, and can be retrieved from dekart.com.

***

Why Password Carrier

Password Carrier is not just another form filler, it is much more than that, because:

• it was designed with security in mind - the collected data are encrypted with AES-256;
• biometric authentication can be used as a third authentication (along with "something you have" - the USB key, and "something you know" - the PIN);
• it is absolutely portable - works on any Windows system, does not require administrative privileges;
• all the private data are always with you, and updates happen on-the-fly - newly memorized passwords can be used on other computers, not only on the one on which they were captured;
• Password Carrier understands the meanings of the fields - so that if the design of the web-page is updated, it will still be able to figure out where to type in the data.

How can people be assured 100% that you don’t use all those accounts and passwords?

Couldn’t there be a hidden program that runs secretly to send all that information to a remote capture system?

You can be 110% sure that none of your credentials are sent to us, you can verify that yourself.

Password Carrier never establishes any network connections, so your data cannot be sent anywhere by our program. The only exception is if you have update checks enabled; in that case, the program will connect to dekart.com and retrieve a small text file, which contains information about the new versions, if they are available.

You can disable the automatic update checker, and in that case Password Carrier will be completely isolated from the Internet.

If you have updates enabled, you can use a network sniffer (such as Wireshark), to see which data are actually sent/received by the program, and make sure that you are indeed dealing with a small text file which contains the number of the latest version.

Further, you can examine the program with various tools in order to monitor Password Carrier's file-system behaviour. If you do that, you will notice that Password Carrier does not start other processes which could perform network transfers; nor it writes sensitive data to obscure locations in the file system.

The drawing below shows that:

• Password Carrier does not 'talk' to any web-sites directly
• It only interacts with your system's browser, and then the browser itself will communicate with each web-site

Password Carrier is a tool that automatically fills web-forms that were previously filled, sparing you from the task of doing it again next time you visit the page. However, in some cases you may notice that the program does not handle a page correctly, either by filling the field with an incorrect value, or by not filling it at all.

We have anticipated such cases, which is why the tool was designed to be extendable, this guide will explain how to tweak Password Carrier in such a way that it will be able to handle the pages that don’t work in the ‘out of the box’ configuration.

How does it work?
Fine tuning works by letting Password Carrier know which forms of the web-page need to be processed in a special way. This is necessary because not all webmasters use meaningful names for their forms, making it impossible for a program to ‘understand’ that the field called ‘ABC123’ stands for ‘Password’, and so on.

Case#1 – A field is not filled
It is likely that the page uses a non-standard name for that field, we’ll have to determine the name of the field by studying the code of the page and configure Password Carrier respectively.

1. Load the page
2. View its source code (Ctrl+U in Firefox; View\Source in Internet Explorer)
3. Search for input (if you use Firefox, you can enable the highlighter, so that all the found words are shown with a different color, as in the screenshot)
   Notice that there are several occurrences of input, but not all of them are needed:
   
   • if the type of the form is hidden, it can be ignored (underlined with red)
   • if the type of the form is password, it can be ignored only if the field you are looking for is not a password field (underlined with blue)
   
   
4. Find the name of the field; in this case it is ‘memnumber’ (highlighted with green)
5. This is what we were looking for. Note that down and proceed to the tweaking section, use the ExactNameField mode

Case#2 – A field is not filled, but I can’t find the name of the field
Sometimes the name of the field is generated when the page loads, so it is different when you reload the page.

1. Load the page
2. Analyze the text near the field (either its title, or a special word from its description)
3. Note that word down and proceed to the tweaking section, use the Possible mode.

As an example, take a look at this picture, which illustrates the login page of a fictive company named ACME; if you examine the code of the page, the names of the fields are not defined with meaningful words, each time the page loads the field is given a name like ‘37379351906’ or ‘f01asd’, and so on. However, regardless of the actual name of the field, the label ‘ACMEid’ is always nearby, so we can use it as a reference.

Case#3 – The program fills a field I don’t need
To handle this issue, follow the instructions given in the first use case in order to determine the name of the problematic field, afterwards use the Wrong mode.

Tweaking
There is a file called DPCarrier.ini in Password Carrier’s folder, editing it allows you to extend the functionality of the application. The file consists of sections, keys and values.


[FillTokens]
UserName_Exact=memnumber


In the above example:

• [FillTokens] is a section;
• UserName_ExactNameField is a key;
• memnumber is a value.

The line UserName_ExactNameField=memnumber is the instruction that tells Password Carrier that if a field is called ‘memnumber’, it should be processed, and interpreted as a UserName field (this applies to Case#1). If you’ve had the same problem with other sites, and discovered that other fields you need are ‘serialUserID’, and ‘socialNumber’, then these values can be added to the key: UserName_ExactNameField=memnumber,serialUserID,socialNumber. As you can see, multiple values are comma-separated.

Take a look at UserName_ExactNameField, it consists of two parts:

• UserName – the name of the field
• ExactNameField – the handling mode (tells Password Carrier what to do with the field)

Valid field names are:

• Password
• UserName
• AddressLine1
• AddressLine2
• City
• Company
• Country
• Email
• Fax
• FirstName
• LastName
• FullName
• JobTitle
• Phone
• State
• TaxIDNumber
• ZipCode

The valid handling modes are:

• ExactNameField – the field will be filled if its name matches the specified word
• Possible – the field is filled if the specified word is found nearby and if it is not included in Wrong
• Super – the field is filled if the specified word is found nearby
• Wrong – the field is not filled if the specified word is found nearby

You can combine these field names and modes by yourself, adapting Password Carrier to your needs. Here is an example of a customized DPCarrier.ini

Future versions of the program will provide an easier way to perform these customizations.

Password Carrier is an advanced form filling application, which has many tricks up its sleeve. It uses the most reliable encryption algorithm to keep your passwords secure, it works with biometric devices, it can be used directly from a removable drive, it is small and it doesn't get in your way. However, there is another important detail which is hidden beneath everything else - Password Carrier's intelligent approach to form-filling.

Our approach is that of understanding the meaning of each field in a form, and using that knowledge when you browse a site not visited previously. This offers a great advantage - if you purchase something in a web-store, your User Profile details will be used to fill in the forms. If you go to another site - you won't have to fill the forms in again, because your User Profile is the same. On the other hand, if Password Carrier 'blindly' filled in the forms with data you used previously, it would mean that when you visit a new site, you will have to manually fill in the fields once, and only after that the program will be able to take over and automate your actions.

The role of the User Profile is that of a business card - it contains your general details, which are 'plugged' into a form whenever they are requested. The user profile is an independent entity, and it is universal. In contrast, your other credentials such as username/password are not universal, instead you have a different set of credentials for each site you visit.

For instance, on www.siteA.com you are asked to enter a username and a password - Password Carrier will remember those and use the data in the future.

If www.siteB.com asks for your email and password - Password Carrier will use the email address specified in your profile, and it will only memorize the password (because your email address is globally unique, while the password for www.siteB.com is different from your other passwords).

However, some sites are not following the same logic. A typical example is Gmail, it uses your email address as a user ID, in this case Password Carrier provides the email address from your User Profile. If you enter another address in the field, it will be overridden by the email address from the User Profile (since it has the top priority) when the page is open again.

A workaround is to use your @gmail.com address as the email address of the User Profile. However, a problem may occur if you use multiple email addresses, and in some cases you have multiple accounts on the same site. You can deal with this by using multiple flash disks, each of them will represent one of your multiple identities on the web. The licensing policy allows you to use the same license for multiple instances of Password Carrier (on other USB drives that belong to you), as long as you are the only person who uses the drives.

Introducing identities

The future releases of Password Carrier will come with a new feature, which deals with the aforementioned problem. Identities will allow you to create multiple user profiles, as well as keep different sets of credentials for each profile.

Your work colleagues call you "Thomas Anderson", but when your shift is over, you go back home and post messages in newsgroups as "Neo"? No problem, Password Carrier's identity manager will handle that. You'll be able to switch from one identity to another with a few mouse-clicks, without having to restart the program. Each identity has its own user profile, and a separate storage for credentials entered on web-pages.