New Chrome Browser Extension for Passwordstate

 

**Available from Chrome Store Late September/Early October 2019**

**Beta Available Now**

**Instructions to install beta at bottom of this post**

 

One of the most popular features in Passwordstate is our Browser Extensions. These plugins for your browser securely retrieve credentials from the Passwordstate vault and autofill website credential fields, allowing you to log in automatically.

They can securely save website credentials entered by you directly into your Passwordstate vault. This is an automated process and encourages your end-users to have strong, individual passwords for all websites they visit. This is crucial in minimising potential attack vectors and is considered one of the best practices you can employ in protecting your personal and corporate data and systems.

Here at Click Studios we’ve been busy redeveloping our Browser Extensions over the last 3 months to include more features, improved website compatibility and offer a new UI (User Interface). The first to be released will be for Chrome and Firefox, followed by the new Edge extension once Microsoft release the production version of Chromium Edge (predicted late 2019).

Below is information about the new functionality we’ve included in the browser extensions. As always, we welcome your feedback via support@clickstudios.com.au.

 

New UI (User Interface)

The first thing you’ll notice is the new UI for the browser extension. Apart from a redesigned browser icon, there is a new Search option, a Preferences menu, and a new link to report directly to Click Studios any website that does not save or autofill credentials correctly. When Report Site Issue is selected, we’ll be notified, attempt to fix the issue and contact you directly when we release a patched version of the extension into the relevant store.

 

New Search Feature

Searching on this screen will query your Passwordstate vault and display only the records you have permissions for. It displays more information about each record than the previous browser extensions, including the website logo, the Password List where it is stored and a description of the password record.

Clicking on a search result will open a new tab and take you directly to that site, auto-filling the credentials for you. Clicking the link icon associated with a search result will open the password record in Passwordstate allowing you to make any changes required.

New Preferences Screen

On the new Preferences screen, you can choose to:

  • Select a Default Password List to store your new credentials in
  • Select a Default Password Generator to use on your websites
  • Temporarily disable auto-filling
  • Toggle the Icon Overlay option on or off. More about the icon overlay later in the post

New Save Screen

When saving new credentials for a website, you are presented with a new screen. Information on this screen can be modified prior to saving. Alternatively, you can simply “Close” this screen if you don’t want to add the site into Passwordstate, or you can select the “Ignore” option and the browser extension will never ask you to save credentials for this website again.

More Ways to Auto-fill Websites

Auto-filling of websites with the new browser extensions can be performed multiple ways:

  1. If you have a single credential saved for the website it will automatically fill it for you when you visit the site.
  2. If you have 2 or more credentials saved for a website, the browser extension will alert you by displaying a numerical badge on the extension icon. Clicking on the extension will open the main page, displaying an extra menu advising you have multiple matching logins. Clicking on this will allow you to select which credential you want to auto-fill on the website.
  3. Alternatively, you can use the new “Icon Overlay” which is a new icon you’ll find in the username and password fields on the website. Likewise, clicking on this icon will give you a choice of which credentials to autofill the website with.

New Overlay Icon

The icon overlay on the login fields is a new feature that allows you to search for and choose saved credentials to log into the web page with. Clicking on this new icon will allow you to either scroll up and down to find your credential:

Alternatively you can use the Search feature to quickly find your credential:

Better Website Compatibility

The last new feature we’ve included in these extensions is the automatic updating of the username and password Field IDs. When you save a record, the browser extension will automatically populate these fields for you:

These IDs tell the browser extension where exactly on the web page to autofill the username and password. Websites are constantly updated, and these fields occasionally change, which previously stopped the autofill process from occurring.

With the new browser extensions, if these field IDs change on a website the extension will automatically update them in Passwordstate. If you have multiple logins for the same web page, it will update all of them.

This feature will significantly improve the auto-filling compatibility of the browser extensions.

 

Beta Information

On the 11th September 2019, Click Studios have released build 8782 of Passwordstate which supports the new Browser extension (Beta 2). You’ll need to upgrade to this build of Passwordstate, and then you can install the beta version of the new extension on as many machines as you like.

Upgrading Passwordstate will not affect your existing Chrome, Firefox, Safari, Edge and Internet Explorer extensions at all.  You can continue to use those as well as use the beta extension.

To upgrade Passwordstate, please follow one of the upgrade options in this document: https://www.clickstudios.com.au/downloads/version8/Upgrade_Instructions.pdf

The beta version of the extension can be downloaded directly from Click Studios’ website:  https://www.clickstudios.com.au/downloads/temp/ChromeExtension_Build8782_Beta.zip

Once you have extracted this zip file to your local drive, follow this process to load it into Chrome:

Step 1:

In Chrome, type chrome://extensions/ into your address bar, and then turn on Developer mode in the top right hand corner of your screen:

Step 2:

On the same page, click the “Load unpacked” button, and then browse to the folder you extracted from the zip file downloaded from the Click Studios website:

Step 3:

Now the extension should appear in your browser, and it will be red.  Browse to your Passwordstate website and login, and the extension will turn grey, indicating that it is configured and ready to use.

 

When using an unpacked (developer mode) extension, Chrome will prompt you every time you open your browser, asking whether you want to disable it. This is Chrome behaviour that cannot be turned off, so you’ll need to dismiss this prompt whilst using the beta version of the extension.

 

When Click Studios release the extension to the Chrome Web Store, you should uninstall this beta version and then install it from the store; you will then no longer get this popup every time you open your browser.

 

Enjoy the new browser extensions and as always if you have any questions please email via support@clickstudios.com.au

 

Regards,

Click Studios

Passwordstate integration with Have I Been Pwned

If you are unfamiliar with Have I Been Pwned, it’s a website created by Troy Hunt that allows users to check whether the passwords they use have been compromised due to a data breach. If you wanted to check out Troy’s website to see how it works, please follow this link: https://haveibeenpwned.com

Passwordstate is now fully integrated with this online repository, and I’ll explain below the new tools and settings in our software that work together with the Have I Been Pwned website.

You must be on Passwordstate version 8600 or higher to take advantage of these features.

The first of the new features can be found under Tools -> Have I Been Pwned Password Check

This screen will allow you to manually enter any password you like, and see if it is a known compromised password in Troy’s database. If you need to think of a good strong password to use for a website for example, this tool will help you decide which password you should use.

Next, if you look under the Administration -> Bad Passwords tab, you can configure your system to use the Have I Been Pwned repository for your own Bad Passwords:

What this means is by default, any time someone adds, or updates a password in Passwordstate, it will do a check against Troy’s website first before allowing you to save it. If that online check finds that the password is ‘Pwned’, then the user will be informed they will need to choose a different password and will have to try to save it again.

As Have I Been Pwned has millions of passwords, using one that is compromised only once or twice for example might not be such a bad thing. It’s really the very common and simple passwords that users should be discouraged from using. For this reason, you can instead simply warn your Passwordstate users that the password resides in Troy’s database, and they should consider changing it to a different one.

If you’d like to turn on this warning instead of preventing users from saving the password, edit your Password List and deselect this Bad Passwords option:
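To show what a check like this looks like under the hood, here is an added example (not Click Studios’ code, and the post does not say exactly how Passwordstate queries the service) of a Have I Been Pwned lookup using HIBP’s published k-anonymity range API: only the first five hex characters of the password’s SHA-1 leave the client, and the matching suffix is found locally. The range responses, the breach counts and the deny/warn threshold are constructed for the example; the live fetch function is included but not used by the offline checks.

```python
import hashlib
import urllib.request
from typing import Callable

# Constructed sample of Have I Been Pwned "range" responses. The client sends
# only the first five hex characters of the password's SHA-1 and gets back every
# known hash suffix with that prefix plus a breach count (k-anonymity: the full
# hash never leaves the client). Counts below are made up for the example.
SAMPLE_RANGES = {
    "5BAA6": (                                                   # SHA-1("password")
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "1E2BE3E1F5F4C1D2A3B4C5D6E7F8A9B0C1D:1\r\n"             # filler suffix
        "00000000000000000000000000000000000:2\r\n"             # filler suffix
    ),
    "A9993": (                                                   # SHA-1("abc")
        "E364706816ABA3E25717850C26C9CD0D89D:2\r\n"
        "00000000000000000000000000000000001:7\r\n"             # filler suffix
    ),
}


def sample_fetch_range(prefix: str) -> str:
    """Offline stand-in for the HTTP call, keyed by the 5-char hash prefix."""
    return SAMPLE_RANGES.get(prefix.upper(), "")


def live_fetch_range(prefix: str) -> str:
    """Real range query against HIBP (not called by the offline checks below)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "passwordstate-hibp-example",
                 "Add-Padding": "true"},   # pads the response so its size leaks nothing
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in HIBP (0 = not found)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            # With Add-Padding, fake entries carry a count of 0, so 0 still means clean.
            return int(count or 0)
    return 0


def evaluate_policy(password: str, fetch_range: Callable[[str], str],
                    deny_threshold: int = 1, enforce: bool = True) -> str:
    """Illustrative Bad Password policy: 'deny' mirrors the Password List option
    that prevents saving, 'warn' mirrors warn-only mode. deny_threshold is an
    assumed knob that lets a password seen only once or twice be warn-only."""
    count = pwned_count(password, fetch_range)
    if count == 0:
        return "ok"
    if enforce and count >= deny_threshold:
        return "deny"
    return "warn"
```

Swap `sample_fetch_range` for `live_fetch_range` to run it against the real service; the comparison logic is identical either way.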

When a user is adding a new password, or updating an existing one, they will also have this new icon that allows them to quickly check the Have I Been Pwned status:

Next, we have an all new report which you can find under Administration -> Reporting called Have I Been Pwned Compromises:

Running this report will check every single shared password in your system against Have I Been Pwned, and will list any passwords that you should change.

If you just want to run this report against a single Password List instead of your entire Passwordstate database, select your Password List, click List Administrator Actions and then run the report from there:

You can also run this Have I Been Pwned report from our API. You’ll find examples under Help -> Web API Documentation.

If you want to watch a video of this, we have this available on Youtube here: https://www.youtube.com/watch?v=RXBF35t7Mj8

Regards,
Support.

Import Passwords from Thycotic Secret Server into Passwordstate

With the use of the Passwordstate API, it’s possible to import Secret Server data using the XML export option Thycotic provide.

The following documentation has been tested using Secret Server version 10.5.000003, and it is unlikely that Thycotic’s Password Templates and XML export feature differ in other builds. We also recommend following this forum article to quickly back up and restore your database, in case you experience any errors during the import process – https://www.clickstudios.com.au/community/index.php?/topic/2480-sql-script-to-quickly-backup-and-restore-passwordstate-database/

Field Mappings
Secret Server handles fields differently to Passwordstate, in that it provides a Template per password record, of 25 different types. Passwordstate uses Password List Templates instead, and the following instructions will use 5 different Templates for the import. Please be aware you must be using Passwordstate Build 8652 or above for this process, as it includes changes to Password List Templates required for the import.

The file ‘Import-Secret-Server-XML.zip’ that you download in the instructions below includes an Excel spreadsheet called ‘SecretServer_Passwordstate_FieldMappings.xlsx’. This spreadsheet documents the field mapping from the various Secret Server Password Templates to the Passwordstate Password List Templates. The only Secret Server template which will not be imported is ‘Contact’, as it exceeds the maximum number of Generic Fields Passwordstate supports.

Exporting from Secret Server:

To export your Secret Server data in XML format, please use the screenshots below for guidance. Please save the XML file locally somewhere on your PC, for access further down in the instructions.

Preparing Passwordstate for the import:

  • In Passwordstate, on the screen Administration -> Password List Templates, you need to edit each of the Templates listed in the dot points below to turn off the option “Prevent saving of Password Record if a ‘Bad’ password is detected” – if this step is missed, your import may fail due to Bad Password detection:
    • Credit Cards
    • Software Licenses
    • SSH Account (Password + Key Storage)
    • Standard Password List
    • Web Site Logins

Import Data

To import the exported XML file above, please follow these instructions:

  • Take note of your System Wide API key in Passwordstate, which can be found under Administration -> System Settings -> API Keys. If you need to, you can generate a new one, and please click the ‘Save’ button on this screen if you do


  • Extract the Zip file to the same path as where you exported your XML file
  • Open PowerShell ISE as ‘Administrator’, and open the file ‘Import-SecretServer-XML.ps1’
  • Update the field variables at the top of the script with appropriate values (see screenshot below) – please specify the UserID that you use to log in to Passwordstate. Once done, save the changes to the file
  • Now execute the script, and select the exported XML file when prompted

 

  • Once the script has finished executing, you should see a ‘parent’ folder called ‘Secret Server Import’, with relevant Folders, Password Lists, and Password records, as per the screenshot below.


  • Once complete, please go back to each of the Password List Templates within the Administration area, and turn back on the option ‘Prevent saving of Password Record if a ‘Bad’ password is detected’ for each Password List Template

Import Passwords from KeePass into Passwordstate

We are updating this blog in July 2018, as we’ve now got a new process for importing KeePass data into Passwordstate.  This process was supplied to us by one of our customers, Fabian Näf from Switzerland, and we’d like to thank him for his efforts as this has made life easier for a lot of our customers.

Recently, we have been getting more and more requests from new Passwordstate customers asking how to import their data from KeePass. Because of these requests, we’ve now created a Powershell script which can be used in conjunction with our API. Our goal with this is to not only import the passwords from KeePass, but to also replicate the structure of the KeePass Groups in Passwordstate.

For customers not familiar with Passwordstate, the equivalent of a “Group” in KeePass is a “Password List” in Passwordstate. We also have the concept of “Folders” which allow you to logically group Password Lists together. If you follow the process below, it should create a Folder with the same name as the XML file you export from KeePass, and it will then replicate the KeePass group structure beneath this.

We recommend doing the following prior to import:

  • Taking a backup of your Passwordstate database prior to performing this import.  You can either use the automatic backup feature within Passwordstate, or possibly use SQL Management Studio Tools instead
  • Disable all Email Templates within the Administration area prior to the import, to prevent potentially mass emailing to your users. Or you could just disable specific ones like ‘Password Added’.

Process Start:

  1. In Passwordstate, identify and note down your System Wide API key from Administration-> System Settings -> API and you will find it under “Anonymous API Settings & Key”.  Ensure you save this page after you generate the new key.
  2. Create a Password List Template under the Passwords Menu -> Password List Templates.  On this template please set the following options and then save the template:
    1. Disable the option to prevent the saving of password records if they are found to be a “Bad Password” (screenshot 1 below)
    2. Uncheck the option so the Password field is not required, and enable the URL field (screenshot 2 below)
  3. Identify and note down the TemplateID by toggling the column visibility (screenshot 3 below)
  4. In KeePass, open your database and export the contents to a XML file.  This can be executed from File -> Export -> KeePass XML (2.x)
  5. Download the script from:  https://www.clickstudios.com.au/downloads/import-keepass-xml.zip
  6. Extract this zip file and open with Powershell ISE or the straight Powershell shell, if you prefer
  7. You will be prompted to answer 6 pieces of information:
    1. The username of an existing Passwordstate user you wish to give Admin rights to all Passwords imported during this process.  Generally you would just enter your own Passwordstate UserID here, as you can modify permissions later. An example format for this is domain\username
    2. Your Passwordstate URL
    3. Your System Wide API key
    4. The FolderID you wish to create your KeePass structure under.  Enter ‘0’ to create this in the root of Passwords Home, otherwise find the Folder ID of any Folder you like and use this when running the script
    5. Your PasswordList Template ID
    6. It will ask you to browse to your Exported XML file

That’s it, the script will now run through and automatically read all of the information out of the XML file, and import it into Passwordstate.  From here, there are a few other things you might want to consider doing after the script has run successfully:

  1. You may want to rearrange your folder structure, e.g. create some new folders for each of your teams, and then drag and drop existing Password Lists/Folders inside of them
  2. Once you are happy with your Folder structure, you should start applying permissions to either Password Lists or Folders using the following video as a guide: https://www.youtube.com/watch?v=QBJE_xD185U
  3. Best practices are to use Security Groups to apply permissions, instead of individual users, if possible
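The two import posts above (Secret Server and KeePass) both follow the same pattern: parse a vendor XML export, recreate the structure as Folders and Password Lists, then push records through the API. Here is an added example (not the scripts distributed by Click Studios, nor Fabian’s script) that walks a KeePass 2.x XML export, because that format is well documented, and replays the plan against the API. The KeePass XML is constructed for the example, the mapping of every group to a Folder plus a same-named Password List is one possible choice rather than the one the real script makes, and the endpoint paths and JSON field names are assumed from the API documentation and should be checked under Help -> Web API Documentation. The `FakePasswordstate` class stands in for the server so the example runs offline.

```python
import json
import urllib.request
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List

# Constructed KeePass 2.x XML export (File -> Export -> KeePass XML (2.x)),
# trimmed to the elements the planner reads. Credentials are fake; the last
# entry has an empty password, which is why the template must not require one.
SAMPLE_KEEPASS_XML = """<?xml version="1.0" encoding="utf-8"?>
<KeePassFile><Root>
  <Group><Name>Company</Name>
    <Entry>
      <String><Key>Title</Key><Value>Intranet</Value></String>
      <String><Key>UserName</Key><Value>svc-intranet</Value></String>
      <String><Key>Password</Key><Value>Tr0ub4dor&amp;3</Value></String>
      <String><Key>URL</Key><Value>https://intranet.example.com</Value></String>
    </Entry>
    <Group><Name>Network</Name>
      <Entry>
        <String><Key>Title</Key><Value>Core switch</Value></String>
        <String><Key>UserName</Key><Value>admin</Value></String>
        <String><Key>Password</Key><Value>sw1tch-Pa55</Value></String>
      </Entry>
      <Group><Name>Firewalls</Name>
        <Entry>
          <String><Key>Title</Key><Value>Edge FW</Value></String>
          <String><Key>UserName</Key><Value>fwadmin</Value></String>
          <String><Key>Password</Key><Value></Value></String>
        </Entry>
      </Group>
    </Group>
  </Group>
</Root></KeePassFile>"""


def entry_fields(entry: ET.Element) -> Dict[str, str]:
    """Flatten an <Entry>'s <String><Key>/<Value> pairs into a dict."""
    return {s.findtext("Key", ""): (s.findtext("Value", "") or "") for s in entry.findall("String")}


def plan_import(xml_text: str, root_folder: str) -> List[Dict]:
    """Walk the group tree and emit ordered operations: every group becomes a
    Folder (parents before children), a group holding entries also gets a
    Password List of the same name, and each entry becomes a password record."""
    ops: List[Dict] = [{"kind": "folder", "path": [root_folder]}]

    def walk(group: ET.Element, path: List[str]) -> None:
        here = path + [group.findtext("Name", "(unnamed)")]
        ops.append({"kind": "folder", "path": here})
        entries = [entry_fields(e) for e in group.findall("Entry")]
        if entries:
            ops.append({"kind": "password_list", "path": here})
        for f in entries:
            ops.append({"kind": "password", "path": here, "record": {
                "Title": f.get("Title", ""), "UserName": f.get("UserName", ""),
                "Password": f.get("Password", ""), "URL": f.get("URL", "")}})
        for sub in group.findall("Group"):
            walk(sub, here)

    for top in ET.fromstring(xml_text).findall("./Root/Group"):
        walk(top, [root_folder])
    return ops


def run_import(ops: List[Dict], post: Callable[[str, Dict], Dict], template_id: int,
               user_id: str, parent_folder_id: int = 0) -> Dict[str, int]:
    """Replay the plan, threading each FolderID / PasswordListID the API returns
    into the calls that depend on it. Paths and field names are assumptions."""
    folder_ids = {(): parent_folder_id}          # () = chosen parent, 0 = Passwords Home
    list_ids: Dict[tuple, int] = {}
    done = {"folders": 0, "password_lists": 0, "passwords": 0}
    for op in ops:
        path = tuple(op["path"])
        if op["kind"] == "folder":
            resp = post("/api/folders", {"FolderName": path[-1], "Description": "Imported from KeePass",
                                         "NestUnderFolderID": folder_ids[path[:-1]]})
            folder_ids[path] = resp["FolderID"]
            done["folders"] += 1
        elif op["kind"] == "password_list":
            resp = post("/api/passwordlists", {"PasswordList": path[-1], "Description": "Imported from KeePass",
                                               "CopySettingsFromTemplateID": template_id,
                                               "NestUnderFolderID": folder_ids[path],
                                               "ApplyPermissionsForUserID": user_id, "Permission": "A"})
            list_ids[path] = resp["PasswordListID"]
            done["password_lists"] += 1
        else:
            post("/api/passwords", dict(op["record"], PasswordListID=list_ids[path]))
            done["passwords"] += 1
    return done


def passwordstate_poster(base_url: str, api_key: str) -> Callable[[str, Dict], Dict]:
    """Real poster: System Wide API key in the APIKey header; the API answers
    with a JSON array holding one object, hence the [0] (assumed shape)."""
    def post(path: str, body: Dict) -> Dict:
        req = urllib.request.Request(base_url.rstrip("/") + path, data=json.dumps(body).encode(),
                                     method="POST", headers={"APIKey": api_key, "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)[0]
    return post


class FakePasswordstate:
    """Offline stand-in that records every call and hands out sequential IDs."""
    def __init__(self) -> None:
        self.calls: List[tuple] = []
        self.next_id = 0

    def post(self, path: str, body: Dict) -> Dict:
        self.next_id += 1
        self.calls.append((path, body))
        key = {"/api/folders": "FolderID", "/api/passwordlists": "PasswordListID"}.get(path, "PasswordID")
        return {key: self.next_id}
```

Because the plan is built first and replayed second, you can inspect it (and count records with empty passwords, or run the Bad Password check from the Have I Been Pwned post) before a single API call is made; that is also where you would take the database backup the post recommends.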

Screenshot 1:


Screenshot 2:


Screenshot 3:

If you need any help with this at all, you are welcome to contact us on support@clickstudios.com.au.

What’s New in Passwordstate Version 8

Click Studios is very happy to announce the release of Version 8 of Passwordstate, which we have been working on for the past 12 months.

Version 8 comes with two new major modules, and many new improvements to our Password Management platform. Below are the major changes, with many more minor changes not documented in this post.

New Interface
We’ve been working on several improvements to the interface of Passwordstate, to make workflow more intuitive, and to provide a more appealing User Interface experience. Some of the changes are:

  • A new modern looking interface
  • A new Notification Centre for important alerts
  • The Remote Session Launcher feature has been given its own focus with a new Hosts navigation tab
  • A new consolidated search improvement to search for either Password credentials, or Host records
  • Password Folders have now been redesigned, to improve the type of information which can be associated with the Folder
  • And various navigation menus have been moved around to simplify the UI for the majority of users

Below are some screenshots for features mentioned above.

New Modern Looking Interface

New Notification Centre

New Hosts Navigation Tab

Consolidated Search Improvements

When using the Search feature in the top header bar, you can search for either Password credentials in the Passwords tab, or Host records in the Hosts tab.

By default, it will search within the currently selected Tab, but you can either append a p (for Passwords) or h (for Hosts) to the end of your search term, if you need to swap which tab you are searching within.

Password Folder Changes

In prior versions of Passwordstate, the Password Folder view was primarily the same as Passwords Home, just a filtered view of the records nested beneath it. This caused some confusion for customers, and was a feature rarely used, so Password Folders have now been given their own custom screen.

On this screen you see various fields for the Folder at a glance, as well as a Guide if specified, and you can also upload relevant documents to the folder – and link to any relevant External links as well.

Password Reset Portal

We have added a new module in Passwordstate called the Password Reset Portal. This is a Self-Service Password Reset Portal, which allows users to reset their own password for their domain account, or unlock their account, without needing to call the IS Service Desk (Help Desk).

Once the user has enrolled to use the feature, resetting their account is a simple 3 step process:

  1. Identify who they are
  2. Verify who they are
  3. Reset or Unlock their account

The Portal itself is installed separately to Passwordstate, and communicates securely back to the Passwordstate API. The Portal can be installed in your DMZ as an example, and then be accessible on all mobile phones, or desktop computers (Windows, Macs, Linux, etc).

The key component of a Reset Portal like this is accurately ‘Verifying’ the user’s account, to prevent unauthorised users resetting accounts other than their own. Our Reset Portal uses the following methods, which we call ‘Verification Policies’:

  • AuthAnvil Authentication
  • Duo Push Authentication
  • Email Temporary PIN Code
  • Google Authenticator
  • One-Time Passwords (TOTP or HOTP)
  • PIN Number
  • RADIUS Authentication
  • RSA SecurID Authentication
  • Safenet Authentication

Some of these two-factor authentication options require a subscription to third party providers, but options like Email Temporary PIN Code, Google Authenticator, One-Time Passwords (TOTP or HOTP) & PIN Number can be used for free.

Below are some screenshots of key areas within the Administration area of Passwordstate, as well as screenshots of the Portal itself – the Portal can also be customized with different background images and colors.

Active Directory Domains

Multiple Active Directory Domains can be added, and LDAP over SSL (Port 636) is used by default to communicate with the domain.

Reporting

Various pre-defined reports are available, assisting with management of the module, and confirmation the portal is being used by your users.

User Account Management

The User Account Management screen can be used for various user management tasks, including resetting or unlocking a user’s account if required. The whole purpose of the Reset Portal is to prevent this from happening though, so if a user does call the Help Desk asking for assistance, you can log a reason why they are doing this – and then over time, you can get a picture as to why the Reset Portal is not being used, and address those reasons specifically.

On the Account Lockout Monitoring tab, you can also look at Domain Controller Event Log data to try and identify where a user is constantly getting their account locked out on – if needed.

Verification Policies

The Verification Policies screen is where you specify which policies apply to which users (multiple policies can be used), customize the configuration settings for the policy, and also customize the Enrollment Emails which can be sent.

On initial deployment, after applying the policy to user accounts or security groups, you can use the ‘Send Enrollment Email 1’ menu to send the initial email to all users on this policy. Enrollment email 2 and 3 will be sent automatically, if the user fails to enroll. Any subsequent users who are added to the system via an AD Security Group synchronization, will have each of the 3 enrollment emails sent as appropriate.

Portal Screenshot 1 – Identify

Portal Screenshot 2 – Verify

Portal Screenshot 3 – Reset or Unlock

On this screen, if the user’s account is also locked, it will tell them on this screen and give them the option to also unlock.

Managed Service Provider (MSP) Features

In version 8, the other new major module we’ve added is Remote Site Locations, along with many other new features for our Managed Service Provider customers, in particular:

  • A Remote Site Agent which can be deployed, to perform Account Discoveries, Password Resets, Account and Host Heartbeats on customer’s networks – securely communicating on one port over the Internet
  • A new process for easily resetting many passwords at once, if a technician/staff member were to leave
  • You can associate Hosts, Folders, Password Lists and Passwords, Domains, Privileged Accounts and many other things with the appropriate Site Location
  • We have added support in our Remote Session Launcher for TeamViewer as well
  • Users from these Remote Site Locations can now also log in to Passwordstate to see their passwords (View Access), without consuming any of your standard Passwordstate Client Access Licenses
  • You can now upload documentation to customer folders and Host records as well, and link to other sources of documentation too

Remote Site Locations and Agent

The Remote Site Locations area within the Administration screens is the core of the new features for MSPs. Once you have added one or more Remote Site Locations, you can then deploy agents to customers’ sites, and start tagging data within Passwordstate to reflect which data belongs to which customer.

The screen below shows three remote site locations, the health of the Remote Agent, as well as the duration for various tasks.

Deploying the agent is a very simple process, using a silent installer with appropriate command line parameters as per the screenshot below. From the agent install itself, it must be able to communicate back to the URL you see in this screenshot below – i.e. only 1 port needs to be open back to your internal network.

In addition to the agent communicating back securely over HTTPS, all traffic within the HTTP body is also further encrypted using 256bit AES encryption, with unique In-Transit Encryption keys per customer.

In addition to all the standard auditing data which is added, the agent itself also logs various files locally to help with troubleshooting if required.

Resetting Passwords en Masse when a Technician Leaves

If one of your technicians leaves your company, it is possible to reset multiple accounts en masse using the ‘Bulk Password Resets’ feature which can be found on the screen Administration -> Passwordstate Administration -> Password Lists.

Below is a screenshot of this feature, showing various filtering features, and options for adding one or more records to the Password Reset Queue, either immediately, or at a schedule.

Windows Integrated API

In prior versions of Passwordstate, the API required the use of one or more API keys as authentication to the various API methods. Whilst this type of API allows calls from any Operating System, one of its drawbacks is a lack of accountability as to which user is executing the API call – this is not reflected in Auditing data, as the API is not “user aware”.

In version 8 of Passwordstate, we now have a new Windows Integrated API, which means all access, and all auditing, is “user aware”. As an example, when searching for password records via the API, it will return the exact same results as it would via the User Interface when the user is logged in.

When accessing the new Windows Integrated API, you use the URL path /WinAPI instead of /API. Below is also a screenshot of a PowerShell command which shows how the identity of the logged in user can be passed to the API.

New Discovery Jobs

In addition to discovery of Local Administrator Accounts on Windows Hosts, and Windows Dependencies, we’ve also added the following new Discovery Jobs in version 8, which save a lot of time discovering accounts on your network and importing them into Passwordstate for better Privileged Account Management (PAM).

  • Cisco IOS Accounts
  • HP H3C Accounts
  • Juniper Junos Accounts
  • Linux and Mac Accounts
  • MS SQL Database Accounts
  • MySQL Database Accounts
  • Oracle Database Accounts


Reporting Improvements

34 new pre-defined reports have been added in version 8, which can be run in real time, scheduled, or run via the API as well.

In addition, the Scheduled Reports ‘Expiring Passwords’ and ‘Custom Auditing’ Reports have been improved as well, with further filtering available.

34 Pre-Defined Reports

Custom Auditing Report

The filtering options highlighted below have been added for the Custom Auditing report.

Expiring Passwords Report

The filtering option highlighted below has been added for the Expiring Passwords report.

Document Management Improvements

Document Management in Passwordstate has been given some focus as well, with improvements in the following areas:

  • Depending on your browser and document type, documents can now be viewed in the browser, instead of first needing to download and save the document somewhere.
  • Documents can now also be uploaded to Passwordstate Folders, Host Folders, and Host records
  • Updated documents can now be re-uploaded into Passwordstate, without first having to delete the original document
  • API has been updated so you can upload documents to Folders, and Retrieve them from Folders as well.

There are also many more minor features available in version 8, and we thank our customers for their feedback and feature requests, making Passwordstate a better product.

Regards
Click Studios

Passwordstate Build 7580 New Features

In build 7580 of Passwordstate, we’ve introduced a few new features, most notably many changes in how encryption works. Below is a summary of the more notable changes and features.

Encryption Changes
In consultation with an external company who specialises in web-based application security, we’ve made several changes to how encryption works within Passwordstate. Most of these changes are not noticeable in daily use, but they do further strengthen the security of Passwordstate. A summary of the changes is:

  • Random Initialisation Vectors are now used for every encrypted field and record – previously, the one Initialisation Vector was used for all encrypted data
  • HMAC-SHA512 Hashing algorithm has now replaced the previous method of validating tampering of data directly in the database – hashing of expected values, with a stronger algorithm, is now used to ensure data integrity
  • Every install of Passwordstate now uses two unique keys to perform the encryption, instead of previously it only used one
  • Encryption Keys now use Secret Splitting to mask their identity, and the secrets are stored in the web.config file (which can also be encrypted) and also in the database
  • A new Secret Key Rotation feature has now been added to allow regular encryption key rotation
  • And encryption keys can now be exported to a password protected zip file for disaster recovery purposes

With these encryption changes, it is very important that you have the following for disaster recovery purposes:

  • A copy of your database
  • And a copy of your web.config file, or of the exported encryption keys (split into secrets) in the password protected zip file.

Without these two items, it will not be possible to restore your Passwordstate instance in the event of a disaster – even with help from Click Studios. You must keep a copy of these encryption keys.

Most of these changes are transparent in day-to-day usage, except for the exporting of encryption keys, and encryption key rotation which we will cover below.

Exporting of Encryption Keys
There is now a new menu item in the Administration area called ‘Encryption Keys’. From here you can Export your encryption keys using the appropriate button, at which time you will be presented with a popup dialog to enter the zip file’s password. Note: exporting encryption keys adds a relevant audit record.

It is recommended you export your encryption keys immediately after upgrading to Build 7580, as well as take a backup of your database. Any time you perform encryption key rotation as well, you will be required to export your encryption keys again.

Encryption Key Rotation
Performing encryption key rotation is a very simple process, but it is very important to back up your encryption keys and database before performing this task – in the event some sort of error occurs during the re-encryption, you need your previous keys to perform a restore. Please follow the on-screen instructions for preparing for key rotation, as per the screenshot below.

Once key rotation starts, it will cycle through each of the relevant tables, and re-encrypt data as appropriate. The schedule in which you perform key rotation is a decision your Passwordstate administrators would need to make. Auditing records are also added for encryption key rotation.



One-Time Password Two-Factor Authentication
We’ve also introduced a new two-factor authentication option, for both the web interface and mobile client, called One-Time Password.

With this authentication option, you can use either hardware or software tokens which are compatible with the TOTP or HOTP algorithms – TOTP is Time-Based, and HOTP is Counter-Based.

On the screen Administration -> System Settings -> Authentication Options tab, you will see the following settings for this new authentication option. A brief description of these settings is:

  • Time-Based Clock Drift – as hardware tokens age, they can lose time. This setting specifies the maximum clock drift allowed for a user’s hardware token – effectively it will look ahead (x) number of seconds to try the time-based authentication. If a match is found, and the clock on the user’s token appears to have ‘drifted’, then the time differential is stored as part of the user’s preferences for this authentication option
  • Time-Based Default Time Step – most TOTP tokens work on either 30 or 60 second intervals, and you can specify the default time step for new user accounts in Passwordstate here
  • Counter-Based Look Ahead Window Size – each time the user generates a new One-Time Password when using HOTP, the counter increases on their token. When a successful authentication attempt is made in Passwordstate, this counter value is also stored as part of the user’s preferences for this authentication feature. As tokens may be used for other systems in addition to Passwordstate, we need a look-ahead window size to determine what the actual value of the counter is for the user’s token
  • Counter-Based Default Number of Digits – HOTP generally uses passwords of 6 digits in length, but you can configure the default for all new user accounts added into Passwordstate if required
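The drift and look-ahead logic described above, as an added example written against RFC 4226 (HOTP) and RFC 6238 (TOTP); this is not Passwordstate’s code. It assumes HMAC-SHA1 tokens, a 32-character Base32 secret, and that the drift search runs in both directions in whole time steps so a slow token is matched as well as a fast one; the returned drift or counter is what a server would persist in the user’s preferences.

```python
import base64
import hashlib
import hmac
import struct


def load_base32_key(key: str) -> bytes:
    """Decode the Base32 secret as printed on the token (32 chars -> 20 bytes)."""
    return base64.b32decode(key.strip().upper())


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, code: str, last_counter: int, window: int = 20, digits: int = 6):
    """Counter-based: try last_counter+1 .. last_counter+window (token may have been
    used elsewhere). Returns (ok, counter_to_store); never accepts a reused counter."""
    for counter in range(last_counter + 1, last_counter + window + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return True, counter
    return False, last_counter


def verify_totp(secret: bytes, code: str, now: int, step: int = 30, max_drift: int = 90,
                known_drift: int = 0, digits: int = 6):
    """Time-based: start from the drift already stored for this user, then widen the
    search by whole steps up to max_drift seconds either side. Returns (ok, drift)."""
    steps = max_drift // step
    offsets = [0] + [sign * k * step for k in range(1, steps + 1) for sign in (1, -1)]
    for off in offsets:
        drift = known_drift + off
        if hmac.compare_digest(hotp(secret, (now + drift) // step, digits), code):
            return True, drift
    return False, known_drift


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test key "12345678901234567890" in Base32.
    secret = load_base32_key("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print(hotp(secret, 0))                            # RFC 4226 test vector: 755224
    print(verify_totp(secret, "287082", now=119))     # token 60 s slow -> (True, -60)
```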


User’s Preference Settings for One-Time Password Authentication
In the user’s Preferences screen, they can select either the Time-Based or Counter-Based authentication option, and then the settings as appropriate. They must also specify their Base32 Secret Key, which will be provided with any hardware tokens you purchase (this key should be 32 characters in length). If using software tokens, you can generate a random Base32 key here, and then use it for your software token.

Note: If the user neglects to specify these settings, and a Security Administrator of Passwordstate enables One-Time Password authentication for them, then they will be given the opportunity to specify their settings when they next try to access Passwordstate.

One-Time Password Authentication Screens
And when you browse to Passwordstate to authenticate, you will see one of the following screens depending on which authentication option has been applied to your account.

Miscellaneous Features
We’ve also added various other features based on requests from customers, and they are:

  • There is now a System Setting for blocking brute force dictionary authentication attempts on all authentication screens in Passwordstate. The default setting is 5 failed login attempts, at which time the user’s session in IIS will be locked out. This setting can also be customized to however many failed login attempts you want
  • On the screen Administration -> System Settings -> API Keys tab, there is now a setting to prevent users from specifying API Keys within the QueryString of an API call, instead forcing them to include the API Keys in the request header – which is more secure as the API Key is encrypted in the SSL tunnel
  • In Build 7476 we introduced a new feature to prevent the creation of Password Lists or Folders beneath other Password Lists. We did this primarily because it was causing confusion for customers in relation to the permission model, but also when trying to search for password records. We had several requests from customers to allow this type of nesting, so we’ve now added a System Setting where you can turn this restriction off. You can find it on the screen Administration -> System Settings -> Password List Options tab, and the setting is called ‘Allow users to nest Password Lists and Folders beneath other Password Lists’

We hope you like these changes in Build 7580, and please keep the feature requests coming!

Regards
Click Studios

Password Management – Best Way To Secure Passwords

Has there ever been a time in your life that you couldn’t for the life of you recall a password? If remembering the seemingly countless amounts of passwords correctly is a problem, then you need to make use of Passwordstate, a revolutionary password management system that has been created to simplify the way your business functions. You will have vital data, information and passwords stored securely and encrypted in the password manager vault. The passwords will be stored in a secure and safe place and you can recall them all in just a few clicks. There is no need for you to remember and write down all your passwords anymore!

Key features of Passwordstate, the leading password management software

There are many kinds of features that are offered in Passwordstate apart from keeping your login usernames and passwords safe and secure.

  • The password manager can be accessed from anywhere and at any time using a web interface
  • Provides you with a free browser extension for Google Chrome, Internet Explorer and Firefox, enabling a secure auto-fill of your credentials when visiting sites in the future
  • They are accessible across all platforms like Windows phone, Android phone, iPhone, computer or laptop
  • They are very easy to use and all you need is to remember one password to log in to your password manager account
  • All kinds of passwords, generic, email account passwords, software registration keys, etc., can be recorded in the Passwordstate vault
  • It offers an easy search option. All you need to do is to key in the related data in the search box and all information pertaining to that will show up on your screen instantly
  • The software has the option of creating multiple tough and hard to crack passwords

Never worry about forgetting passwords

With good password management software in place for your business, you need not worry about remembering or writing down all the passwords. Say goodbye to constantly having to go through the Forgot your password? forms and simplify the way it all works utilising Passwordstate, the leading software for managing passwords. You just need to click on the mouse once to get the password copied to the clipboard, or form-filled in its respective web site. There is no better option for storing and encrypting all your sensitive passwords, documents, user IDs, etc., than password management software. Simply install the password manager program and break free from the tough task of remembering passwords!

Password Management Best Practices

There is no guarantee that one person will stay in the same job forever. Opportunities arise and employees shift from job to job all the time. When this happens in a managed service business, technicians who move to a new company will also be taking the passwords for the customer accounts they were managing with them. As the data of your customers is extremely valuable, it is imperative that you give serious thought to the security of the customer’s passwords in order to protect personal information that has been entrusted to you. We recommend implementing the following practices for your business to manage your customers’ passwords and ensure total privacy.

Inspection

This password management practice functions to regularly inspect the system and check that everything is in place and no changes have been made. This technique allows you to see who has accessed the stored passwords whilst also enabling you to check whether the passwords remain compliant with the set rules (for instance, do they meet the password complexity requirements).

Another auditing practice to apply is regularly checking whether the passwords match with the ones used in the system. Furthermore, it is a good idea to install a system that informs employers if anything goes wrong or something interferes with the process of password management.

Full control  

A good password management system must have full control of the valuable data in the system. Full control gives you the tools to prevent unwanted users from accessing sensitive or confidential data such as customer passwords and personal information. It is highly essential that you ensure you have full control of those who have access to the company’s passwords, while also assuming control of what they can do with the passwords in terms of creating, writing, reading or deleting information. Additionally, it is important to install a system that gives full access to the passwords as well as the ability to store them centrally from anywhere.

Automation services

Each business should employ a system that automatically changes passwords whenever necessary. You should also have a process that enables you to inform the person in control of the password to change it manually.

A spreadsheet alone is simply not enough to protect the valuable information of your customers. We advise all companies to make use of the above password management practices to ensure complete password protection and consequently, a professional and trustworthy business.

What You Should Look Into When Choosing A Password Manager

There are many security experts who feel that simply choosing a password with alphanumeric letters and special characters is not enough to keep internet infrastructure protected. On top of that, many users choose the same password for all their accounts to avoid the difficulty of remembering numerous variations.

Basic measures to improve password security include using long and complex character combinations and phrases; changing the password on a regular basis; and using more than one password for different purposes. This can be a difficult and time-consuming process for enterprises where website logins, servers, databases, desktops and other forms of internet infrastructure need to be considered. This is where management software such as Passwordstate can help.

When you are looking for a password manager you can rely on, here are a few quick points to take into account.

Supported infrastructure

As mentioned above, enterprise system admins have more to worry about than just online accounts. While web site logins are important, passwords for everything from routers to individual desktops need to be managed effectively. This is a key difference between enterprise-based software and those limited to security for personal use of the web.

Two-factor authentication 

Password security does not just involve cyber attacks: malicious activity can also occur internally through use of keylogging malware and other techniques. In other words, you need software that provides protection from internal threats to security.

Two-factor authentication is a process where logins from new computers or devices must be authorised through another channel. Passwordstate is a perfect example of this, as it supports a range of two-factor authentication methods which add an extra layer of internal security — these include use of security tokens, temporary PINs through email and more. On top of that, automatic logouts help prevent unauthorised users accessing data on an unattended terminal.

Strong encryption

To put it simply, password management software is virtually useless if sensitive data can’t be stored securely within the database. Even if the database is not cloud-based (i.e. located internally), advanced encryption is vital to achieve a higher level of security. Passwordstate uses 256 Bit AES Encryption and keeps all sensitive code secure with precompiled ASP.NET pages and obfuscated .NET Assemblies.

Ease of use

As with any software, blending functionality with a user-friendly interface can be something that seals the deal. It’s important that you, your staff and any one-time users can easily navigate all relevant tools and features to ensure that your productivity as a business is not harmed; an intuitive interface makes all the difference when using complex password management software.

These are just some of many things to consider when choosing password management software for your enterprise. Read more about the features of Passwordstate to see how it can help you manage all your internet infrastructure.