Secure Code & Data


Passwordstate ensures the integrity of your sensitive data by securing the back-end from database and web administrators, and the front-end from unauthorised access.

256-bit AES data encryption and code obfuscation ensure your data is protected.


Encryption and Obfuscation

To protect the privacy of sensitive data, all passwords are stored within the database using 256 Bit AES Encryption, and sensitive code is protected by the use of precompiled ASP.NET pages and obfuscated .NET Assemblies. No longer can web or database administrators gain access to data they are not authorised to view.

This encryption and obfuscation provides the following protection:

  • All passwords are encrypted in the database, and no two identical passwords within Passwordstate would look the same when viewing the raw data in the database
  • Database Administrators cannot change records in the database and grant themselves, or others, access to passwords they are not meant to have access to. They are also unable to grant or modify their roles within Passwordstate
  • Web and System Administrators cannot write their own ASP.NET pages to try and retrieve data from the database
  • The main assembly for the web site is obfuscated, so even using a disassembler users are unable to view the detail of methods/functions/classes for retrieving data.

Unique Initialisation Vector

Every instance of Passwordstate generates its own unique Initialisation Vector for encrypting data.

Password Hiding & Clipboard Clearing

Options can be set to automatically hide viewed passwords, or clear copied passwords from the clipboard, after a specified amount of time.

Automatic Logout Period

An Automatic Logout Period can be specified for inactive sessions, i.e. if a user leaves Passwordstate open on the screen, the session will be automatically logged out once the logout period is reached.

Encrypting the Database Connection String in the Web.config file

To further secure access to the database, we provide instructions with our installer for encrypting the database connection string in the web.config file for the Passwordstate web site.

Integrated Windows Authentication

Integrated Windows Authentication provides a greater level of secure access to Passwordstate. Multiple options can be set for allowing passthrough authentication to the Passwordstate web site, or users can be forced to manually enter their domain credentials.

Optional ScramblePad Authentication for AD Users

ScramblePad Authentication can be enabled by individual users, or Security Administrators can choose to make it mandatory for all users.

ScramblePad Authentication works by assigning a PIN number to a user's account. When asked to authenticate, the user must match their PIN number against a series of randomly generated letters.
