Personal Password Management Best Practices

We’re often asked what the recommended ‘Best Practices’ for personal password management are, so we’ve put together a short guide which we hope you will find useful.

The following suggestions are also applicable to passwords which are shared amongst team members, and while there is reference to features specific to Passwordstate, they are also useful tips for any other password management system.


Create a Private Password List

The first thing you will want to do in Passwordstate is create your own Private Password List. A Private Password List is hidden from all other users of Passwordstate (including Security Administrators), and permissions cannot accidentally be granted to other users – the option to apply permissions to the Password List is disabled. It’s possible your Passwordstate Security Administrators have disabled the ability to create Private Password Lists, so if the option is greyed out under the ‘Passwords’ menu at the bottom of your screen, please speak to one of your Security Administrators. Below is a screenshot for adding a new Private Password List, on which we’ve highlighted a few options we recommend. Some of these options are covered further down in the blog post.

Caution – As you can see in the screenshot below, you have the option of specifying an ‘Additional Authentication’ step which is required before you can access the Password List. If you choose ‘Use Separate Password’ and forget this password, then the only way to restore access to the Password List is to have one of your Database Administrators restore a copy of the database taken prior to making the change. Security Administrators are able to reset your ScramblePad Pin Code, your Google Authenticator Secret Key or your SecurID pin, but they cannot reset a personal password you apply to this list.

Encrypt Your Passwords
It goes without saying, but if your passwords aren’t encrypted in some way, then anyone who gets hold of them can potentially gain access to your valuable resources. Passwordstate uses industry standard 256-bit AES encryption (Advanced Encryption Standard), and this should be the minimum encryption standard to use. AES has been adopted by the US government and is now used worldwide. In addition to encrypting your passwords, their values should also be ‘salted’ in the database. A salt is an additional random input fed to the one-way function that hashes a password or passphrase, so that two records holding the same password never share the same stored value. The primary purpose of salts is to defend against dictionary attacks and pre-computed rainbow table attacks. In addition, even if your database administrator is snooping around the raw data, no two encrypted values appear to be the same. There are other features in Passwordstate which further protect against theft of the database and decryption attempts, such as the ‘Authorized Web Servers’ feature.
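To make the salting point concrete, here is an added example (not Passwordstate’s code, and not its storage scheme, since a password manager must be able to decrypt its passwords rather than only hash them) that contrasts an unsalted hash with a per-record salted one over a constructed pair of users who share a password:

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample: two users who happen to share the same password.
USERS: Dict[str, str] = {"alice": "Correct-Horse-42", "bob": "Correct-Horse-42"}

def unsalted_sha256(password: str) -> str:
    """The weak form: equal passwords give equal stored values, and one
    precomputed (rainbow) table cracks every row of the table at once."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 200_000) -> str:
    """Salted, iterated one-way function (PBKDF2-HMAC-SHA256).
    A fresh random salt per record is stored beside the digest so it can be
    re-applied at verification time; a rainbow table built for one salt is
    useless against every other record."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme: {algo}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)

def store_all(users: Dict[str, str], hasher) -> Dict[str, str]:
    """Build the 'database table' column for every user with the given scheme."""
    return {name: hasher(pw) for name, pw in users.items()}

def has_duplicate_values(store: Dict[str, str]) -> bool:
    """What someone snooping on the raw table learns: whether two rows share a value."""
    return len(set(store.values())) < len(store)
```

With the unsalted scheme the two rows are visibly identical; with the salted scheme they differ, yet both still verify against the original password.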


Backup Your Passwords
We have witnessed quite a few customers over the years who do not back up their Passwordstate database. Best practice recommends you back up all IT systems, regardless of their importance or the sensitivity of the data. When we’ve asked these customers why they haven’t got a backup of the database, we generally receive one of two responses – 1. I’m not a DBA and don’t know how to, or 2. I didn’t know we needed to do that. As of version 6 of Passwordstate, you can take advantage of the Automatic Backup feature. With this feature, you set a regular schedule and Passwordstate performs the backups for you. It backs up all of the Passwordstate web files and also takes a full copy of your database. There are a few steps required to configure Automatic Backups, and the following blog post provides further detail – http://www.clickstudios.com.au/blog/backups-and-in-place-upgrades/.


Create Strong Passwords
The stronger the password, the harder it is to guess or crack. The issue with complex passwords is that they’re difficult to remember, and often a pain to create. In Passwordstate we’ve provided a Password Generator, and this tool allows you to easily create complex passwords. There are numerous alphanumeric and special character options, as well as a Word Dictionary of 10,000 words, any of which can be inserted into your password phrase. The following article on our site also goes into some detail about choosing good passwords – http://www.clickstudios.com.au/articles/choosing-good-passwords.html

Once you’ve set the options for your Password Generator, any time you need to create a new complex password you simply click on the Password Generator icon. And there really is no need to try and memorize these passwords when using Passwordstate – you can unmask the password at any time by clicking on the ****** value you see in the grids, or you can copy the password to the clipboard by clicking on the copy-to-clipboard icon.
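As an added illustration (not the Passwordstate generator’s code) of how a generator with character-class options and a word-dictionary splice can be built, the example below draws from the operating system’s CSPRNG, guarantees every enabled class appears, and estimates the entropy of the chosen options. The word list and the excluded ‘ambiguous’ characters are constructed for the example.

```python
import math
import secrets
import string
from dataclasses import dataclass
from typing import List

# Constructed stand-in for the generator's word dictionary (the real one holds 10,000 words).
WORD_DICTIONARY: List[str] = ["harbour", "granite", "lantern", "meadow",
                              "quartz", "saddle", "willow", "zephyr"]

@dataclass
class GeneratorOptions:
    length: int = 16                   # number of random characters
    lowercase: bool = True
    uppercase: bool = True
    digits: bool = True
    special: bool = True
    special_chars: str = "!@#$%^&*()-_=+[]{};:,.?"
    insert_word: bool = False          # splice a dictionary word into the phrase
    ambiguous: str = "O0Il1|"          # easily misread characters, excluded (assumed option)

    def enabled_classes(self) -> List[str]:
        classes = [(self.lowercase, string.ascii_lowercase),
                   (self.uppercase, string.ascii_uppercase),
                   (self.digits, string.digits),
                   (self.special, self.special_chars)]
        return [cls for enabled, cls in classes if enabled]

    def alphabet(self) -> str:
        chars = "".join(self.enabled_classes())
        chars = "".join(c for c in chars if c not in self.ambiguous)
        if not chars:
            raise ValueError("at least one character class must be enabled")
        return chars

def generate(opts: GeneratorOptions) -> str:
    """Draw from the CSPRNG (secrets), never random.random. Rejection-sample
    until every enabled class appears at least once, so the result satisfies
    the complexity rules of the systems the password will be used on."""
    alphabet = opts.alphabet()
    classes = opts.enabled_classes()
    if opts.length < len(classes):
        raise ValueError("length too short to include every enabled class")
    while True:
        body = "".join(secrets.choice(alphabet) for _ in range(opts.length))
        if all(any(c in cls for c in body) for cls in classes):
            break
    if opts.insert_word:
        word = secrets.choice(WORD_DICTIONARY).capitalize()
        pos = secrets.randbelow(opts.length + 1)   # random splice point, ends included
        body = body[:pos] + word + body[pos:]
    return body

def entropy_bits(opts: GeneratorOptions) -> float:
    """Guessing entropy of the chosen options (the rejection step removes a
    negligible fraction of the space for realistic lengths)."""
    bits = opts.length * math.log2(len(opts.alphabet()))
    if opts.insert_word:
        bits += math.log2(len(WORD_DICTIONARY)) + math.log2(opts.length + 1)
    return bits
```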

Reset Passwords on a Regular Basis
How often do you read on the Internet of some site’s user database being compromised and all the users’ passwords being leaked? Unfortunately, it’s all too often. If you reset your passwords on a regular basis, then this becomes less of an issue. We have a couple of features in Passwordstate which will help with the reset task, and they all revolve around the use of the ‘Expiry Date’ field. When you populate the Expiry Date field, you can see visually on the screen when a Password should be reset – if the Password has already ‘expired’, or will expire in the next 30 days, then the Expiry Date field is highlighted in red. In addition to this, we have the ‘Expiring Passwords’ report, which you can choose to receive via email either daily, weekly or monthly. This email report provides you with a list of all your Passwords which have already expired, or are about to expire in the next 30 days.


Avoid Password Reuse
And finally, one of the worst things you can do is reuse Passwords across different systems and web sites. We all do it, but it is probably one of the worst password management practices you can adopt. Any time one Password on a web site or system is compromised, the hacker could potentially gain access to all your other systems – assuming they know your login ID. In the screenshot above for the Private Password List’s settings, you will notice we’ve highlighted the feature ‘Prevent Password Reuse’. With this feature enabled, Passwordstate queries the history of changes for the Password record and prevents you from ‘reusing’ any of the last N passwords, where N is the number you set.

We hope you find this a useful guide for Personal Password Management Best Practices.

Regards
Click Studios

Passwordstate 6.0 New Features

Hello Everyone,

Before we go into any detail about the new features of version 6, we just want to say a huge thanks to all our wonderful customers for their suggestions of what they would like to see in Passwordstate, and also for helping us test the various beta versions. It’s amazing how people will take time out of their day to provide feedback, and spend endless hours testing with us. Thanks guys! If you’re wanting to upgrade your beta install to this production release, please follow these instructions – http://www.clickstudios.com.au/forum/showthread.php/365-Upgrade-Instructions-for-Production-Release-(Build-6080)

Now on to the features. We’re very pleased to finally release version 6 of Passwordstate. This is probably one of the biggest releases we’ve had to date, and it’s been 8 months in the making. We’ll go into some detail here for the major changes in version 6.

New User Interface
The first thing you will notice when using v6 is the new user interface. The main change is that the old navigation tabs from version 5 have been moved to the bottom of the screen as a horizontal popup menu. This provides a little more screen real estate, which is useful when the majority of your time is spent clicking around in the navigation tree and accessing passwords in each of the different Password List screens. We’ve also had quite a few beta testers comment that the new version appears to run much faster.

Two-Factor Authentication with RSA’s SecurID
Version 6 now has 9 different authentication options, which can be used when you first access the site, or as an additional authentication step when you need to access certain Password Lists. One of these new options is two-factor authentication with RSA’s SecurID tokens – these can be physical or software based tokens. There are obviously quite a few versions of the RSA Authentication Manager; in our testing we’ve used version 7.1 SP4 Patch 22, and RSA assures us that prior and newer releases should work just fine. Read more here – http://www.clickstudios.com.au/blog/two-factor-authentication-with-rsa-securid/

Two-Factor Authentication with Google Authenticator
Can’t afford the investment in RSA’s SecurID solution? Then use two-factor authentication with Google Authenticator. Google Authenticator is a software based solution which can be installed on the majority of mobile clients. Read more here – http://www.clickstudios.com.au/blog/two-factor-authentication-with-google-authenticator/

Application Programming Interface (API)
With the new API built into Passwordstate, you can integrate your other applications and do away with hard coded passwords in scripts, etc. Data can be returned in either JSON or XML format.

It’s possible to perform the following API Calls:

  • Retrieve a Password record
  • Update a Password record
  • Add a new Password record
  • Retrieve all the history for changes to a Password record
  • Retrieve all Password records in a specific Password List
  • Retrieve all Password records across all Shared Password Lists
  • Search for Password records, based on various search criteria
  • Generate one or more random passwords
  • Retrieve details and settings for a Password List

For each Password List which you enable for the API (by creating an API Key), you can also configure which of the API calls above are allowed or not allowed, as per the following screenshot:
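The following is an added example (not Click Studios’ code) of the pattern the API enables: a script fetches a credential at run time instead of carrying it in its source, keeps the API key out of the file, and redacts the secret before anything is logged. The route, header name and response fields are assumptions for illustration; the server name and record id are constructed placeholders.

```python
import json
import os
import urllib.request
from typing import Dict

# Placeholders: the server name and record id are constructed for this example.
PASSWORDSTATE_URL = "https://passwordstate.example.internal"
PASSWORD_ID = 1234

def api_key() -> str:
    """The API key is a secret in its own right: take it from the process
    environment (injected by the scheduler or CI runner), not from the script."""
    key = os.environ.get("PASSWORDSTATE_API_KEY")
    if not key:
        raise RuntimeError("PASSWORDSTATE_API_KEY is not set")
    return key

def build_request(base_url: str, password_id: int, key: str,
                  fmt: str = "json") -> urllib.request.Request:
    """Assumed route and header name; check them against your API documentation.
    The key is only ever sent over TLS."""
    if not base_url.startswith("https://"):
        raise ValueError("refusing to send an API key over plain HTTP")
    url = f"{base_url.rstrip('/')}/api/passwords/{int(password_id)}?format={fmt}"
    return urllib.request.Request(url, headers={"APIKey": key})

def parse_password_response(body: str) -> Dict[str, str]:
    """Assumed response shape: a JSON list holding the one record.
    Return only the two fields a script needs, so the secret is not carried
    around in a larger object that might end up in a log line."""
    records = json.loads(body)
    if not isinstance(records, list) or len(records) != 1:
        raise ValueError("unexpected response shape")
    rec = records[0]
    return {"UserName": rec["UserName"], "Password": rec["Password"]}

def fetch_credential(password_id: int = PASSWORD_ID) -> Dict[str, str]:
    """Run-time lookup that replaces a hard-coded password in the script."""
    req = build_request(PASSWORDSTATE_URL, password_id, api_key())
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_password_response(resp.read().decode("utf-8"))

def redact(cred: Dict[str, str]) -> Dict[str, str]:
    """Safe form of the credential for log lines and error messages."""
    return {"UserName": cred["UserName"], "Password": "******"}
```

Pair this with the per-list ‘allowed API calls’ setting described above, so the key used by a read-only script is not also permitted to update or add records.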


Linking Password Lists to Templates
Password List Templates were introduced in version 5, and allowed you to specify some default settings which could then be applied to a Password List. With version 6, we’ve introduced the ability to link a Template to one or more Password Lists and manage the settings in one central location – the template itself. Read more here – http://www.clickstudios.com.au/blog/linking-password-lists-to-templates/

User Account Policies
User Account Policies allow you to specify various settings for how Passwordstate appears or behaves for users. Once you’ve created a policy, you can apply it based on user accounts or security groups. You can even apply more than one policy to the same user. Examples of how this would be used are:

  • Specify a different Authentication Method for users who have higher privileges to systems i.e. Domain Administrators
  • You don’t wish for any of the charts to appear for your users – simply disable them with a policy
  • Allow only a certain number of users to use the ‘Auto Generate New Password’ feature when adding new passwords

Read more here – http://www.clickstudios.com.au/blog/user-account-policies-in-passwordstate/

More Generic Fields and Different Data Types
There are now up to 10 different Generic Fields you can choose from for your Password Lists, and each field can be configured as one of the following data types – Text Field, Free Text Field, Password Field, Select List, Radio Buttons or Date Picker. Read more here – http://www.clickstudios.com.au/blog/generic-field-improvements/


Allowed IP Ranges
Need to restrict which networks can access the Passwordstate web site or API? If so, then you can use the ‘Allowed IP Ranges’ feature, where you can specify individual IP Addresses, or a range of IP Addresses. Read more here – http://www.clickstudios.com.au/blog/allowed-ip-ranges-in-passwordstate/

Backups and In-Place Upgrades
Version 6 now has an automated backup feature built into it, where you can set a schedule for automatic backups of all the web files, and copies of the database. You can specify at what time of the day the backups should begin, how often they should be run, and how many copies to keep on disk. In addition to automatic backups, we now have In-Place Upgrades, which means no more uninstalling/reinstalling Passwordstate to get to the latest version – simply upgrade right from within the web site. You must have your automatic backups configured and working prior to using the In-Place Upgrades feature. Read more here – http://www.clickstudios.com.au/blog/backups-and-in-place-upgrades/

Active Directory & Windows Actions
When a Password List is configured to synchronize password changes with Active Directory, or local accounts on Windows Servers, you can now enable the feature ‘Active Directory & Windows Actions’. With this feature you can perform certain account related tasks, such as unlocking accounts, disabling accounts, etc. Read more here – http://www.clickstudios.com.au/blog/active-directory-actions/

Automatic Password Rotation
Again, when a Password List is configured to synchronize password changes with Active Directory, or local accounts on Windows Servers, you can take advantage of the ‘Automatic Password Rotation’ feature, which allows you to specify a set-and-forget schedule for automatically updating and synchronizing passwords when they expire. Read more here – http://www.clickstudios.com.au/blog/automatic-password-rotation/

Regards
Click Studios

Active Directory Actions

Hi Everyone,

We’ve added another new feature to version 6 called ‘Active Directory & Windows Actions’, and it can be enabled or disabled per Password List if required.

Active Directory & Windows Actions allows you to perform 4 different account related tasks, if your Password List is configured to synchronize changes with Active Directory or local Windows servers. The 4 functions are:

  • Unlock this account if locked
  • User must change password at next login
  • Disable this account
  • Enable this account

This feature is very useful for Help Desks who manage general user accounts within Passwordstate. You can also use this feature without having to update the Password record itself – simply click one of the options, hit the ‘Save’ button, and the action will be completed. Performing an Action by itself will not create a new Password History record – a history record is only created if you change one of the fields.

Note: If you use the ‘User must change password at next login’ option, then as soon as the user changes the password on the domain, the password in Passwordstate will be out of sync – this may not be an issue for some customers if they wish to use the feature this way.

A screenshot of the feature is below:

[Screenshot: Active Directory & Windows Actions]


If you don’t wish for your users to enable this feature on any of the Password Lists, you can disable it on the screen Administration -> System Settings -> Active Directory Options tab.

Regards
Click Studios

Automatic Password Rotation

Hello Everyone,

In Version 6 of Passwordstate, we have another new feature coming called ‘Automatic Password Rotation’.

With this feature, when a password expires (based on the ExpiryDate field), you can specify various options for automatically generating a new password and synchronizing the change with the Active Directory or Local Windows account.

You can specify the default values for these options at the Password List level, and when you add or edit a password record it will inherit the settings from the Password List. You can then choose to override these values if you like. The options available are:

  • To enable/disable the feature
  • The time of day you want the password to be rotated
  • How many days you would like added to the ExpiryDate field
  • Whether or not to email Password List Administrators when the rotation was successful, or if it failed (for any reason)

Once you save the password record with these options, these settings will stay saved even after the initial rotation – effectively it’s a set and forget feature which will continually generate and update passwords when specified.

The following screenshot shows each of the options:

[Screenshot: Automatic Password Rotation]


We hope you like this new feature when V6 is released, which is just around the corner 🙂

Regards
Click Studios

Backups and In-Place Upgrades

Hi Everyone,

For the past couple of weeks, we’ve been working on the ability to perform backups of the Passwordstate database, and all the web files, right from within the Passwordstate application. In addition to this, and it’s been a long time coming (sorry), you can now perform in-place upgrades of Passwordstate – no longer do you need to uninstall and re-install Passwordstate every time there’s a new build released.

First we’ll start with the backups. You have the option of performing manual backups whenever you need, or you can set a regular schedule and let them run themselves. You have the following options available to you:

Backup Settings

  • How many backups to keep on the file system
  • The path to where you would like to store the backups (ideally should be stored on a different location other than your Passwordstate web or database server)
  • Username and Password required for the backup (we’ll explain what permissions are required further below)
  • Whether you want to enable a regular set-and-forget schedule for the backups to occur
  • And finally, what time you would like the scheduled backups to begin, and how often you want a backup to occur.

A couple of screenshots to show you the status of backups, and also the Settings screen:

Backup Permissions
To allow backups to work through the Passwordstate web interface, you will need to specify an account (domain or Windows account), which has the following permissions:

  • Permissions to write to the Backup path you’ve specified
  • Permissions to stop and start the Passwordstate Windows Service on the web server
  • Permissions to write to the Passwordstate folder.

In addition to this, you must configure the SQL Server service to use a domain or Windows account which also has permissions to write to the Backup Path. To do this, open the ‘SQL Server Configuration Manager’ utility on your database server, click on ‘SQL Server Services’, and then specify an account as per the next screenshot:


In-Place Upgrades
A prerequisite to being able to perform in-place upgrades in version 6 is to ensure your backups are configured and working correctly. If they aren’t, you will not be able to perform in-place upgrades. There are two main processes for an upgrade:

Upgrade Web Files
Prior to performing the upgrade of the database, the following occurs:

  • The Passwordstate Windows Service is stopped
  • All the web files are compressed and backed up
  • The database is backed up
  • The latest build is downloaded from the Passwordstate web site (there is an option to manually download the upgrade file, if for whatever reason Passwordstate is unable to do it itself i.e. proxy issues)
  • The latest build is extracted to a temporary folder
  • All the files are overwritten, and any old files cleaned up
  • The Passwordstate Windows Service is restarted.


Upgrade Database

Once all the web files have been upgraded, you will be logged out of Passwordstate automatically, at which time you can log straight back in and finish the upgrade of the database. The log out is required because modifying files in an IIS web site can cause sessions in IIS to be disrupted (ended).

We apologize it’s taken so long to come up with a better upgrade procedure, but as soon as version 6 is released, it should make upgrading to new builds a whole lot easier.

Regards
Click Studios

Linking Password Lists to Templates

Hi Everyone,

We’ve now introduced the feature in version 6 where you can link Password Lists to Templates, and control all of the settings from the Template itself.

With this feature it means you can control the settings for multiple Password Lists in the one location, and easily enforce some consistency across similar Password Lists.

Caution: In version 6 you can now configure the ‘Generic Fields’ to be of different field types i.e. text fields, date field, password fields, etc. If you link a Password List to a Template, and the Template has non-compatible generic field types, it will blank the data for these fields in the database. You will be prompted and reminded of this when linking Password Lists, but it’s something to be aware of.

When you link a Password List to a Template, it will appear on the Templates as per this screenshot (To link Password Lists to a Template, you simply select ‘Linked Password Lists’ from the Action drop-down menu):

[Screenshot: Linked Templates]

Once linked, the majority of controls on the ‘Edit Password List’ will be disabled, and you will be notified at the top of the screen as to which Template the Password List has been linked to:

[Screenshot: Linked Password List Edit Screen]


How To Clone a Folder

Hi Everyone,

Today we released Build 5638 of Passwordstate, which includes a new feature where you can clone a Password Folder, and any Folders or Password Lists nested beneath it. This feature is very handy for keeping a consistent structure for storing all your passwords.

To clone a folder, you first need to click on it in the Navigation Tree, then click on the ‘Folder Options’ button at the top of the screen, and then you will see the ‘Clone Folder’ link. From here you have the following options available to you:

  • Specify the new name of the folder to be cloned
  • Choose whether you want to clone all Folders and Password Lists nested below the chosen folder, or just clone Folders only
  • Choose what permissions you would like to apply to the new Folders and Password Lists – either clone the current permissions, apply permissions just for yourself, or don’t apply any permissions at all

When you have finished cloning the folder, it will place the structure in the root of the Navigation Tree. Standard processing occurs when cloning folders i.e. appropriate audit events are logged, and email notifications are sent informing users they have access to one or more new Password Lists. We’ve also provided a ‘Save & Clone Again’ button, so you can quickly repeat the process. Below is a screenshot from version 6 of Passwordstate, showing the options available to you.

Note: Cloning Password Lists will not clone any of the passwords contained within them – only settings, customisations and permissions will be cloned.

[Screenshot: Cloning Folders in Passwordstate]

We hope you like this new feature, and please leave us some comments if you like.

Regards
Click Studios


Generic Field Improvements

Hi Everyone,

When version 6 is released, you will notice a few enhancements we have made to the Generic Fields you can associate with Password Lists.

To start with, we have extended the number of Generic Fields from 3 to 10, and now the following Field Types are also available:

  • Text Field – just a normal text field as you currently have in version 5 of Passwordstate
  • Free Text Field – an unlimited text field for entering larger bodies of text
  • Password – an encrypted password field, which is also salted in the database, and allows you to mask the contents as per a normal Password field i.e. ******; you can also copy to clipboard as per normal
  • Select List – allows you to specify multiple fixed values, which shows as a drop-down list
  • Radio Buttons – allows you to specify multiple fixed values, which shows as a Radio Button
  • Date Picker – similar to the Expiry Date field, this one gives you a popup calendar for specifying date values

We hope you like this feature once version 6 is released. Below are a couple of screenshots showing how you configure your Password Lists, and how it looks on an Edit Password screen.

Configure Generic Field Settings for a Password List

[Screenshot: Generic Field Settings for a Password List]


How the Edit Password Screen looks with Generic Fields

[Screenshot: Generic Fields on Edit Password Screen]

Regards
Click Studios

Allowed IP Ranges in Passwordstate

Hi Everyone,

We’ve just added a small but important feature in version 6 of Passwordstate called Allowed IP Ranges. This feature allows you to restrict which IP addresses are allowed to browse to the Passwordstate web site, and entries can be specified in the following formats:

  • Individual IP Address – 192.168.1.50
  • Entire Subnets – 192.168.1.*
  • Subnet Ranges – 192.168.1.50-192.168.1.254
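As an added example (not Passwordstate’s implementation), the matcher below parses the three entry formats shown and checks whether a client address is allowed. It fails closed on any entry it cannot parse, which is what you want from an allow-list: a typo should lock out, not widen access (and the post explains how to recover from a lockout). Treating an empty list as ‘feature not configured’ is an assumption made for the example.

```python
import ipaddress
from typing import List, Tuple

def _ip(text: str) -> int:
    """Integer value of a dotted-quad IPv4 address; raises ValueError if malformed."""
    return int(ipaddress.IPv4Address(text.strip()))

def parse_rule(rule: str) -> Tuple[int, int]:
    """Inclusive (low, high) bounds for one Allowed IP Ranges entry, in the
    three forms the feature accepts:
        192.168.1.50                    single address
        192.168.1.*                     entire subnet (wildcards must be trailing)
        192.168.1.50-192.168.1.254      range
    Anything else raises ValueError so the entry fails closed."""
    rule = rule.strip()
    if "-" in rule:
        lo, hi = (_ip(part) for part in rule.split("-", 1))
        if lo > hi:
            raise ValueError(f"range is reversed: {rule}")
        return lo, hi
    if "*" in rule:
        octets = rule.split(".")
        fixed = [o for o in octets if o != "*"]
        if len(octets) != 4 or octets[len(fixed):] != ["*"] * (4 - len(fixed)):
            raise ValueError(f"wildcard octets must be trailing: {rule}")
        pad = 4 - len(fixed)
        return (_ip(".".join(fixed + ["0"] * pad)),
                _ip(".".join(fixed + ["255"] * pad)))
    addr = _ip(rule)
    return addr, addr

def rule_is_valid(rule: str) -> bool:
    """Validation hook for the settings screen: reject an entry before saving it."""
    try:
        parse_rule(rule)
        return True
    except ValueError:
        return False

def is_allowed(client_ip: str, rules: List[str]) -> bool:
    """True when client_ip falls inside any configured entry. An empty list is
    treated here as 'feature not configured, allow all' (an assumption)."""
    if not rules:
        return True
    ip = _ip(client_ip)
    return any(lo <= ip <= hi for lo, hi in map(parse_rule, rules))
```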

In the event you make a mistake in specifying Allowed IP Ranges and lock yourself out of Passwordstate, you can always gain access via logging on directly to your web server, or via the Emergency Access account. Here’s a screenshot of where you can specify the settings:

[Screenshot: Allowed IP Ranges in Passwordstate]

Regards
Click Studios