Passwordstate Build 7393 New Features

Build 7393 introduce quite a few changes to the Password Reset, Discovery and Validation processes, which we’ll cover in this blog post in some detail. Once again, thanks to our fantastic customers who continue to provide feedback on how we can improve our software.

Password Reset Changes
Depending on the password reset script used, previously you may have needed to associate a Privileged Account Credential with a password reset script so a remote connection to the host could be made to perform the password reset. This is no longer the case, instead now you associate the Privileged Account Credential with the password record itself. This provides greater flexibility, because you can now use the same password reset script, but using different Privileged Account Credentials if required.

We’ve also made some changes to any reset tasks that may fail. It is now possible that a failed reset can be “rolled back” in Passwordstate, so the value of the password stored still matches what is in use on the Host. When this occurs, appropriate auditing data is added, Password History updated, and in the email you receive informing you of the failure, it has a status column indicating whether a rollback was performed. As it is possible to link a single password record to many host records, a rollback may not always be possible – for example, 45 Windows Workstations had their local administrator account password successfully changed, but 5 failed due to them being turned off. In this instance, there is a retry schedule you can set, as per the screenshot below.

We now have some options for also changing password reset options in bulk for password records – e.g. if you wanted to change the schedule when resets occurred on Windows Workstations, then you can do this with the new ‘Bulk Update Password Reset Options’ feature.

The process for this is relatively simple, with screenshots below:

  • Search for the password records you want to change
  • Modify various fields if required
  • Change Reset and Heartbeat options as required

The following table also describes which Reset Scripts require a Privileged Account to be associated with it, and certain notes for specific configurations which are required:

Script Name

Privileged Account Required

Reset Cisco Enable Secret


Reset Cisco Host Password Priv 1


For Privilege Level 1 type accounts
Reset Cisco Host Password Priv 15


For Privilege Level 15 type accounts
Reset COM+ Component Password


Reset Dell iDRAC Account Password


Reset F5 BIG-IP Account Password – AS


Accounts in BIG-IP appliances can be configured with Terminal Access of type ‘Advanced Shell’ or ‘TMSH’. You need to select the appropriate BIG-IP reset script to use, depending on the Terminal Access type for the Privileged Account Credentials you have associated with the Password Reset Script
Reset F5 BIG-IP Account Password – TMSH


Accounts in BIG-IP appliances can be configured with Terminal Access of type ‘Advanced Shell’ or ‘TMSH’. You need to select the appropriate BIG-IP reset script to use, depending on the Terminal Access type for the Privileged Account Credentials you have associated with the Password Reset Script
Reset HP iLO Password


Reset IBM IMM Account Password


When resetting passwords on IBM IMM cards, you must know the LoginID of the account you wish to reset passwords for. In order to use this script, you must configure a Generic Field for the PasswordList with the name of ‘LoginID’ and this is where you can store the value for each account you wish to reset passwords for
Reset IIS Application Pool Password


Reset Linux Password

Yes or No

  • If you do not associate a Privileged Account Credential with this script, you will SSH to the host using the account you wish to reset the password for
  • If you specify a Privileged Account Credential, you can SSH with this account, and then reset a password for a different account
  • If you want to reset the ‘root’ account password, then you need to specify a Privileged Account Credential to SSH with, and then the root account can be reset – generally most environments do not allow you to SSH in using the root account
Reset MySQL Password


Reset Oracle Password


Reset Scheduled Task Password


Reset SQL Password


Reset VMware ESX Password


Reset Windows Password


Reset Windows Service Password


Testing Scripts Manually
We’ve now added the ability to test each of the Reset, Validation and Discovery Scripts right within the Passwordstate user interface. Simply add one or more Hosts on the screen, specify various other field parameters as well, the hit the ‘Run Script’ button.

Account Heartbeat
In addition to the reports which can validate passwords are in sync between Passwordstate and the Hosts, there is also now a regular Account Heartbeat feature which can be enabled for password records which are configure for resets. Simply select the appropriate Password Validation Script, and the time of the day you wish to perform the validation.

The “rolled up” status of all linked Hosts records is then visible in the Passwords grid.

And when you view the linked Hosts to the password record, you can see the status of individual machines.

Host Heartbeat and Treatment
There is also a Host Heartbeat process in this build, and this can check on regular basis if your Hosts are available on online on the network.

The schedule for the Heartbeat poll which occur once a day, and is randomized between the hours set for each of the different Operating System types – which can be changed on the screen Administration -> Host Types & Operating Systems. Being able to set the hours in which the poll will occur is useful for desktop operating systems where machines may be turned off during the night.

And we have several options for how we treat Host records if the Host has not been seen on the network for some time. This is again useful for workstations and laptops which may have been decommissioned.

Simplifying Discovery Process
We’ve also simplified and made various changes to the 3 different types of Discovery Jobs we have – discovering Hosts in Active Directory, Local Administrator Accounts, and various Windows Resources which may be configured to run under the identity of a domain account. Some of the changes are:

  • Host Discovery – You can now also discover Linux hosts which have been added to Active Directory. The field we query in AD is the OperatingSystem attribute, and the values we query for this can be changed for each Operating System on the screen Administration -> Host Types & Operating Systems
  • Host Discovery – You no longer copy permissions to new Hosts from an existing Password List, instead there is a ‘Permissions’ tab on the Discovery Job screen which you can configure
  • Host Discovery – If a Host is no longer found in any of the OUs specific for the Job, there are options now for setting the Host to ‘Unmanaged’, or you can delete it if preferred
  • Local Admin Accounts – You no longer need to select the Password Reset script to associate with these discovered accounts, and you can also Include/Exclude certain named accounts from the discovery if required
  • Windows Resource Accounts – When discovering Windows Services, IIS Application Pools and Scheduled Tasks, you no longer need to select the Password Reset Scripts you wish to associate with these discovered accounts

Further Password Reset Support
We’ve also added a few more Password Reset Scripts, for the following systems:

  • F5 BIG-IP Load Balancers – thanks for your help on this Oscar J
  • Dell’s iDRAC out of band management cards
  • IBM’s IMM out of band management cards

Passwordstate Remote Session Launcher


In version 7 of Passwordstate, we have introduced a new feature called the Remote Session Launcher. This feature allows you to perform RDP, SSH, Telnet or VNC remote session connections directly from the Passwordstate web site, without having to … [Continue reading]

Passwordstate 7.0 New Features


Hi Everyone, We're sorry for being so quiet for the past few months, but we've been busy working on this biggest release of Passwordstate since its initial release in 2004. We're getting close to finishing it, with only a couple more features left … [Continue reading]

Passwordstate Now Fully Integrated with Remote Desktop Manager


Not so long ago we have the privilege of working with the team at, to fully integrate Passwordstate with their awesome software Remote Desktop Manager ( If you are not familiar with Remote … [Continue reading]

Choosing Good Passwords

We stumbled across the following article recently regarding Choosing Good Passwords, and thought it was definitely worth sharing. It's from 2009, but all the guidance is still valid today. We strongly recommend you create one or more Password … [Continue reading]

Passwordstate Now Fully Integrated with AuthAnvil Multi Factor Authentication


We have some great news for customers who already use, or would like to use, Scorpion Software's AuthAnvil Multi Factor Authentication solution – Passwordstate is now fully integrated, providing a fourth two-factor authentication option. As per … [Continue reading]

Two-Factor Authentication Using Email and Pin Code


In Build 6215 we introduced another two-factor Authentication option in addition to what was already possible with RSA's SecurID or Google Authenticator. If you'd also like to watch a video demonstrating this feature, you can do so here - Watch … [Continue reading]

Mobile Client Support in Passwordstate

Passwordstate Mobile Client Support

In the upcoming release of Version 6.2 of Passwordstate, we will have Mobile Client support for iOS, Android, Windows 8 Phone and Blackberry. In this blog post, we will run through some detail for User and System Preferences for the Mobile Client, as … [Continue reading]

Personal Password Management Best Practices

Personal Password List

We're often asked what are the recommended 'Best Practices' for personal password management, so we've put together a little guide which we hope you will find useful. The following suggestions are also applicable to passwords which are shared … [Continue reading]