Securing your Web.config File

Click Studios has always strongly recommended that customers encrypt both their Database Connection String and their appSettings Sections of their Web.config file.

These are considered part of Click Studios Best Practice approach for securing your Passwordstate instances. It ensures that should anyone have access to your Web Server’s file system they will be unable to use the details of the Web.config file to access and retrieve your Password Credentials.

The process is straight forward and as outlined below. If you are unsure as to whether your existing Web.config file is already encrypted or not you can follow the steps in this previous Blog. As always, we welcome your feedback via support@clickstudios.com.au.

Further details on how to perform this encryption can be found Under Section 10 and 11 in our Passwordstate Installation Instructions.

Encrypting the Database Connection String

On your Passwordstate Web Server open a Command Prompt with administrator privileges and navigate to C:\Windows\Microsoft.NET\Framework64\v4.0.30319


Now type in aspnet_regiis.exe -pef “connectionStrings” “c:\inetpub\passwordstate” and press enter. Note that if you installed Passwordstate in a different location you’ll need to replace c:\inetpub\passwordstate with the location of your Passwordstate instance. You should see the following;


Now that you’ve successfully encrypted your Database Connection String, you’ll need to restart your Passwordstate Windows Service. To do this you can enter the following commands;

net stop “Passwordstate Service”, and,

net start “Passwordstate Service”

You should be presented with the following after running each command.


Your Passwordstate Instance is now running again with the encrypted connection string. Now you should proceed to encrypt the appSettings section of your Web.config file.

Encrypting the appSettings Section

Assuming you are still in the command prompt with administrator privileges, type in aspnet_regiis.exe -pef “appSettings” “c:\inetpub\passwordstate” and press enter. Again, if you installed Passwordstate in a different location you’ll need to replace c:\inetpub\passwordstate with the location of your Passwordstate instance. Once again, you’ll need to restart your Passwordstate Windows Service with net stop “Passwordstate Service”, and net start “Passwordstate Service”.

Your screen should look similar to the one below;


Now just exit out of command prompt and take a well earned break. You’ve just made your Passwordstate instance even more secure!

Further details on how to perform this encryption can be found Under Section 10 and 11 in our Passwordstate Installation Instructions.

Using the New Browser Extensions with Passwordstate

Passwordstate's Browser Extensions allow for the secure saving and retrieval of your password credentials using the Passwordstate vault. These credentials can then be used to autofill your website's user name and password fields, streamlining the … [Continue reading]

Importing passwords from LastPass into Passwordstate

If you are a LastPass user and would like to migrate across to Passwordstate, please use this process below to migrate all of your LastPass data into our system Step 1: To export your data from Lastpass, select "Open my Vault" Go to "More Options" … [Continue reading]

New Chrome Browser Extension for Passwordstate

  **Available from Chrome Store Late September/Early October 2019** **Beta Available Now** **Instructions to install beta at bottom of this post**   One of the most popular features in Passwordstate are our Browser Extensions. These plugins for your … [Continue reading]

Passwordstate integration with Have I Been Pwned

If you are unfamiliar with Have I Been Pwned, it's a website created by Troy Hunt that allows users to check whether the passwords they use have been compromised due to a data breach. If you wanted to check out Troy's website to see how it works, … [Continue reading]

Import Passwords from Thycotic Secret Server into Passwordstate

With the use of the Passwordstate API, it's possible to import Secret Server data using the XML export option Thycotic provide. The following documentation has been tested using Secret Server version 10.5.000003, and it would be unlikely Thycotic's … [Continue reading]

Import Passwords from KeePass into Passwordstate

We are updating this blog in July 2018, as we've now got a new process for importing KeePass data into Passwordstate.  This process was supplied to us by one of our customers called Fabian Näf from Switzerland, and we'd like to thank him for his … [Continue reading]

What’s New in Passwordstate Version 8

Click Studios is very happy to announce the release of Version 8 of Passwordstate, for which we have been working on for the past 12 months. Version 8 comes with two new major modules, and many new improvements to our Password Management platform. … [Continue reading]

Passwordstate Build 7580 New Features

In build 7580 of Passwordstate, we've introduced a few new features, most noticeably many changes in how encryption now works. Below is a summary of the more notable changes and features. Encryption Changes In consultation with an external … [Continue reading]