Encryption and Obfuscation

To protect the privacy of sensitive data, all passwords are stored within the database using industry standard .NET Framework 256 Bit AES Encryption, and sensitive code is protected by the use of precompiled ASP.NET pages and obfuscated .NET Assemblies. No longer can web or database administrators gain access to data they are not authorised to view.

This encryption and obfuscation provides the following protection:

Digitally Signed Executables, DLLs and Installers

Click Studios allways digitally signs DLLs, Executables and Installers to confirm the software is from us and guarantee the code has not been altered or corrupted since it was signed. The process employs the use of a cryptographic hash to validate authenticity and integrity.

TLS 1.2 Support

Passwordstate is fully compliant with only having the TLS 1.2 protocol enabled on your web server. It is recommended you disable the following protocols when hardening your web servers - Multi-Protocol Unified Hello, PCT 1.0, SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1.

Authorized Web Servers

You must specify which web server host names are authorized to host the Passwordstate web site. This is further protection to mitigate against theft of the Passwordstate database, and hosting it in an untrusted environment.

Unique Initialization Vectors

Every encrypted field, and every encrypted record, uses its own unique Initialization Vector for the encryption and decryption of data.

Secret Splitting

Two unique encryption keys are used for every Passwordstate installation, with the encryption keys being split into 4 secrets, which are independently stored on your web and database servers. Having the encryption keys split into secrets, and stored in different locations, means more than one Windows Server would need to be compromised in order to obtain your encryption keys.

Encryption Key Rotation

Generate new encryptions keys on which ever scheduled necessary for your organization, and re-encrypt all your data with these new encryptions keys. Key Rotation also logs auditing data, for complete traceability over who performed the key rotation, and when.

Encryption Key Disaster Recovery

To assist with recovering your Passwordstate installation in the event of a disaster, it's possible to export your encryption keys (in split secret format) to a password protected zip file for safe external storage if required - this is not required if you backup your Passwordstate folder and database. Exporting the encryption keys also adds relevant auditing data.

Data Integrity using HMAC-SHA512 Hashing Algorithm

To ensure no data is intentionally manipulated directly in the database, HMAC-SHA512 Hashing algorithm and data Salting is used to protect your sensitive data. If a DBA where to manipulate data directly, to grant themselves access to passwords as an example, a data integrity error will be displayed in Passwordstate, preventing the user from accessing Passwordstate.

PowerShell Scripts are Encrypted and Securely Stored

All PowerShell scripts used by Passwordstate are encrypted and securely stored within the database. This applies to both built-in PowerShell Scripts as well as any custom scripts that are added by a customer. This ensures the integrity of all PowerShell scripts used for Discoveries, Backups, Password Resets and Validations.

OWASP Development Methodology

Click Studios follows the Open Web Application Security Project (OWASP) methodology of software development, to mitigate against Cross Site Scripting (XSS) attacks, SQL Injections, and various other vulnerabilities.

Application Penetration Testing

Click Studios has engaged with multiple application security consultants, to perform independent application penetration tests on our software. Most recently, engaging with Agarri and Orange Cyberdefense.

FIPS Support

If you are required by the United States Government to configure your Microsoft Windows environment in FIPS compliance mode, then Passwordstate can also be configured in FIPS mode during the initial installation.

Encrypt settings in the Web.config file

To further secure access to the database and encryption keys, we provide instructions with our installer for encrypting the database connection string, and split secrets, in the web.config file for the Passwordstate web site.

Integrated Windows Authentication

Integrated Windows Authentication provides a greater level of secure access to Passwordstate. Multiple options can be set for allowing passthrough authentication to the Passwordstate web site, or users can be forced to manually enter their domain credentials.

Brute Force Dictionary Attack Detection and Blocking

Both the web interface, and the mobile client, have a configurable option for locking out failed Brute Force Dictionary Attacks, further securing your Passwordstate environment.

Password Hiding & Clipboard Clearing

Options can be set to automatically hide viewed passwords, or clear the clipboard from copied passwords, after a specified amount of time.

Automatic Logout Period

An Automatic Logout Period can be specified for inactive sessions i.e. if a user leaves Passwordstate open on the screen, it will be automatically logged out once the logout period is reached. Different time-out periods can be configured for when you are in or out of the office.