Passwordstate 7.0 New Features

Hi Everyone,

We’re sorry for being so quiet for the past few months, but we’ve been busy working on the biggest release of Passwordstate since its initial release in 2004. We’re getting close to finishing it, with only a couple more features left to code and test. In total there are about 80 updates in version 7, and below are some of the major features coming.

New Vertical Navigation Menu
In version 6 of Passwordstate we introduced a new Horizontal menu system at the bottom of the page. While this was well received by most customers, some customers didn’t like it. So in version 7 you will have the option of either a horizontal menu at the bottom of the screen, or a new vertical menu on the left-hand side of the screen.

There are 3 ways in which you can choose the Menu System to use: it can be applied System Wide for all users, users can choose it as part of their Preferences, or you can create a User Account Policy and apply the setting to specific users or security groups.

 

Different Colour Themes
So you probably noticed a different shade of blue above 🙂 Yes, we’ve finally added in colour themes for version 7, and they can be applied the same way as the menu option above can be applied – System Wide, User Preferences or User Account Policy. Believe it or not this took quite a bit of work, as we needed to figure out how to change the colours applied to the Telerik ASP.NET Ajax Controls – http://www.telerik.com/products/aspnet-ajax.aspx

 

Browser Extensions for Form-Filling Web Site Logins
We’ve had a lot of customers requesting this feature, so we’re very excited we can finally offer it. Initially we will be releasing the extension for Chrome, and once we and our customers are happy with the functionality of it, we will provide extensions for Internet Explorer and Firefox as well.

Most of you are probably familiar with this sort of extension, and it will be similar to the functionality provided by LastPass, RoboForm, or any of the other offerings. Basically it allows you to save all your web logins into a Password List of your choice, and then every time you visit the site the extension can login for you automatically, without you needing to type in your username and password.

Discover Different Windows Hosts on the Network, and Manually Add or Import Linux/Routers/Switches, etc
In itself, this feature doesn’t provide any real functionality, but is a pre-requisite to two other major features in version 7. You have the option to import Hosts via a CSV file, or we’ve added a ‘Discovery’ process which can query your Active Directory environment for Windows Hosts, and automatically import them into Passwordstate.

Access to each of the Hosts within Passwordstate is also permission based, so once imported you need to apply permissions for users who wish to make use of the new features which rely on the Hosts records. Below are a couple of screenshots of the Hosts screen, and the Discovery screen.

Reset Passwords Just About Everywhere
One of the major features in version 7 is the ability to change passwords automatically on various remote systems. The following will be supported when V7 is released:

  • Active Directory Accounts
  • Local Windows Accounts
  • Windows Services
  • IIS Application Pools
  • Scheduled Tasks
  • Cisco network equipment (routers, switches, etc)
  • Linux/Unix Accounts
  • Microsoft SQL Server and MySQL Server accounts

The Password Reset, Password Validation, and Resource Discovery features are all achieved via the use of PowerShell scripts (we’re calling Windows Services, IIS App Pools and Scheduled Tasks ‘Resources’ in version 7). In the early planning stages, we were a little undecided whether to build our own ‘agents’ to be deployed to hosts to allow the password resets, or whether to use PowerShell scripts. In the end, it made much more sense to use PowerShell scripts, as it gives our users a lot more flexibility if they need to modify a script themselves, and some customers already use PowerShell heavily for managing their Windows environment.

As with any solution for accessing and making changes to remote hosts, there are some system requirements for this functionality – primarily the Windows hosts will require PowerShell 2 or above installed, and PowerShell Remoting enabled. We provide full documentation for what’s required here. This functionality also works for non-trusted Active Directory Domains, so if you look after a lot of different client environments, all you need is functioning DNS, and domain account credentials with privileges to make the change.

Below is a screenshot of the default scripts we provide, as well as a screenshot of one of the scripts. You can modify these scripts, restore the default script, or add your own.

As an example of the flexibility of this feature, when a password is updated in Passwordstate, you can also execute PowerShell scripts to run any of your own custom MS SQL or MySQL scripts, say to update data in a table. The possibilities are only limited by your scripting skills 🙂

 

Discover Windows Services, IIS App Pools and Scheduled Tasks
As mentioned above, it’s possible to perform password resets for Windows Services, IIS Application Pools, and Scheduled Tasks which are configured to run under the identity of a domain account. While you can manually add these ‘Resources’ into Passwordstate, we’ve provided a feature whereby you can automatically discover them on your network, associate them automatically with the appropriate host, and also add the domain account used to a selected Password List if it doesn’t already exist in it.

Launch RDP, SSH, Telnet and VNC sessions to Remote Hosts
This is another new feature which takes advantage of adding/importing hosts into Passwordstate. Once you have installed our Remote Session Launcher utility (Windows only), and created one or more ‘Remote Session Credential Queries’, then you can launch a remote session to Hosts without having to enter your credentials to authenticate – it logs you in automatically, and adds appropriate auditing records to reflect the action. The basic process to use this functionality is:

  • Install the Remote Session Launcher utility (Windows only, and requires PowerShell to be installed)
  • Make sure you have all your Hosts added/imported into Passwordstate
  • Create one or more Remote Session Credential queries, and link it to a password you have stored in Passwordstate – screenshot 1 below
  • Now when you click on a Host in Passwordstate (screenshot 2 below), if the Host matches one of your saved “credential queries”, then it will launch the remote session without you needing to enter your Username and Password. There’s also an option to specify your login details manually if needed.

We also have provided a dedicated ‘Remote Session Launcher Screen’ which will allow you to use this feature all day long without being automatically logged out of Passwordstate if you are inactive for a period of time.

Two-Factor Authentication with Duo Security
We’ve had quite a few requests recently to support Duo Security Two-Factor Authentication (https://www.duosecurity.com), so we’ve added support for this to the Web User Interface, and the Mobile App.

More improvements to the API
We’ve also made some improvements to the API in version 7, specifically:

  • You can now add Folders and Password Lists through the API
  • We’ve made it more secure by allowing the API Key to be specified in the Request Header instead of the querystring
  • Private Password Lists can now be queried in the API, but only when using the Password List’s API Key, not the System Wide one.
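Query strings are written to the cs-uri-query field of IIS W3C logs, so a key sent that way ends up on disk in clear text. The following added example (not Click Studios code) scans a log for requests that still pass a key in the querystring; the parameter name apikey, the URL paths and the log lines are assumptions constructed for illustration.

```python
from urllib.parse import parse_qsl

# Assumed querystring parameter name(s); not taken from the Passwordstate docs.
KEY_PARAMS = {"apikey"}

# Constructed IIS W3C log excerpt (paths, keys and addresses are made up).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2014-05-01 09:00:01 GET /api/passwords/12 apikey=CONSTRUCTED-KEY-0001&format=json 10.0.0.15 200
2014-05-01 09:00:05 GET /api/passwords/12 format=json 10.0.0.16 200
2014-05-01 09:00:09 GET /default.aspx - 10.0.0.17 200
2014-05-01 09:00:12 POST /api/passwords APIKey=CONSTRUCTED-KEY-0002 10.0.0.15 200
"""


def redact(value):
    """Keep only the last four characters so the report does not re-leak the key."""
    return "****" + value[-4:] if len(value) > 4 else "****"


def find_key_leaks(log_text):
    """Return one finding per request that carried an API key in the querystring."""
    fields, leaks = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line or line.startswith("#") or "cs-uri-query" not in fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # skip truncated or malformed rows
        row = dict(zip(fields, values))
        for name, value in parse_qsl(row["cs-uri-query"]):
            if name.lower() in KEY_PARAMS:
                leaks.append({
                    "when": f"{row.get('date', '?')} {row.get('time', '?')}",
                    "client": row.get("c-ip", "?"),
                    "path": row.get("cs-uri-stem", "?"),
                    "key_hint": redact(value),
                })
    return leaks


if __name__ == "__main__":
    for leak in find_key_leaks(SAMPLE_LOG):
        print(leak)
```

Any key that shows up in such a report should be treated as exposed and regenerated once the client has moved to sending it in the request header.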

 

And Various other Features
As mentioned, there are 80 updates in total, and below are a few more mentions:

  • New Dashboard Layout for Password Home and Folder pages – allows you to choose which panels to display, and where
  • New Favorite Password Lists feature, whereby favorites can be easily filtered in the Navigation Tree
  • New “Self Destruct Message” feature for sending time-bombed messages to other users
  • Added the ability to encrypt any one of the Generic Fields you can select for Password Lists
  • Auditing data for the High Availability instance is now maintained if the HA site is accessed
  • Added option to Password Lists to ensure passwords are not visible and cannot be copied to clipboard
  • Added option to force users to use the Password Generator associated with a Password List
  • User Account Policies can now dictate which Template is to be used when creating Shared or Private Password Lists
  • Added the ability to generate random passwords based on a pattern of alphanumeric characters
  • Added the ability to exclude certain characters from a generated password
  • Filtering in the Navigation Tree can now also filter on Folder names
  • Users’ passwords, when using Forms based authentication, will now expire after a set period, and password reuse is prohibited
  • Email alerts from the High Availability instance of Passwordstate are now queued, instead of being sent real-time
  • Added the ability to see all Private Password Lists on the screen Administration -> Password Lists. The only features available with this are deleting the Password List, or changing settings
  • Moved all ‘Administration’ navigation menu items to their own Navigation Tree
  • It’s now possible to send specific email notifications to a generic email address

 

Quite a long post, but we have been busy 🙂 We hope you all like version 7 when it’s released in a month or two’s time.

Active Directory Actions

Hi Everyone,

We’ve added another new feature to version 6 called ‘Active Directory & Windows Actions’, and it can be enabled or disabled per Password List if required.

Active Directory & Windows Actions allows you to perform 4 different account related tasks, if your Password List is configured to synchronize changes with Active Directory or local Windows servers. The 4 functions are:

  • Unlock this account if locked
  • User must change password at next login
  • Disable this account
  • Enable this account

This feature is very useful for Help Desks who manage general user accounts within Passwordstate. You can also use this feature without having to update the Password record itself – simply click one of the options, hit the ‘Save’ button, and the action will be completed. Performing an Action by itself will not create a new Password History record – a history record is only created if you change one of the fields.

Note: If you use the ‘User must change password at next login’ option, then as soon as the user does change the password on the domain, then the password in Passwordstate will be out of Sync – this may not be an issue for some customers if they wish to use this feature this way.

A screenshot of the feature is below:

Active Directory & Windows Actions

 

If you don’t wish for your users to enable this feature on any of the Password Lists, you can disable it on the screen Administration -> System Settings -> Active Directory Options tab.

Regards
Click Studios

Automatic Password Rotation

Hello Everyone,

In Version 6 of Passwordstate, we have another new feature coming called ‘Automatic Password Rotation’.

With this feature, when a password expires (based on the ExpiryDate field), you can specify various options for automatically generating a new password and synchronizing the change with the Active Directory or Local Windows account.

You can specify the default values for these options at the Password List level, and then when you add or edit a password record, it will inherit the settings from the Password List. You can then choose to over-ride these values if you like. The options available are:

  • To enable/disable the feature
  • The time of day you want the password to be rotated
  • How many days you would like added to the ExpiryDate field
  • Whether or not to email Password List Administrators when the rotation was successful, or if it failed (for any reason)

Once you save the password record with these options, these settings will stay saved even after the initial rotation – effectively it’s a set and forget feature which will continually generate and update passwords when specified.

The following screenshot shows each of the options:

Automatic Password Rotation

 

We hope you like this new feature when V6 is released, which is just around the corner 🙂

Regards
Click Studios

Backups and In-Place Upgrades

Hi Everyone,

For the past couple of weeks, we’ve been working on the ability to perform backups of the Passwordstate database, and all the web files, right from within the Passwordstate application. In addition to this, and it’s been a long time coming (sorry), you can now perform in-place upgrades of Passwordstate – no longer do you need to uninstall and re-install Passwordstate every time there’s a new build released.

First we’ll start with the backups. You have the option of performing manual backups whenever you need, or you can set a regular schedule and let them run themselves. You have the following options available to you:

Backup Settings

  • How many backups to keep on the file system
  • The path to where you would like to store the backups (ideally should be stored on a different location other than your Passwordstate web or database server)
  • Username and Password required for the backup (we’ll explain what permissions are required further below)
  • Whether you want to enable a regular set-and-forget schedule for the backups to occur
  • And finally, what time you would like the scheduled backups to begin, and how often you want a backup to occur.

Couple of screenshots to show you the status of backups, and also the Settings screen:

Backup Permissions
To allow backups to work through the Passwordstate web interface, you will need to specify an account (domain or Windows account), which has the following permissions:

  • Permissions to write to the Backup path you’ve specified
  • Permissions to stop and start the Passwordstate Windows Service on the web server
  • Permissions to write to the Passwordstate folder.

In addition to this, you must configure the SQL Server service to use a domain or Windows account which has permissions to also write to the Backup Path. To do this, you need to open the ‘SQL Server Configuration Manager’ utility on your database server, click on ‘SQL Server Services’, and then specify an account as per the next screenshot:

 

In-Place Upgrades
A prerequisite to being able to perform in-place upgrades in version 6 is to ensure your backups are configured and working correctly. If they aren’t, you will not be able to perform in-place upgrades. There are two main processes for an upgrade:

Upgrade Web Files
Prior to performing the upgrade of the database, the following occurs:

  • Stop the Passwordstate Windows Service
  • Compress and back up all the web files
  • Back up the database
  • Download the latest build from the Passwordstate web site (there is an option to manually download the upgrade file, if for whatever reason Passwordstate is unable to do it itself i.e. proxy issues)
  • Extract the latest build to a temporary folder
  • Overwrite all the files, and clean up any old files
  • Restart the Passwordstate Windows Service.


Upgrade Database

Once all the web files have been upgraded, you will be logged out of Passwordstate automatically, at which time you can log straight back in and finish the upgrade of the database. The reason the log out is required is that modifying files in an IIS web site can cause sessions in IIS to be disrupted (ended).

We apologize it’s taken so long to come up with a better upgrade procedure, but as soon as version 6 is released, it should make upgrading to new builds a whole lot easier.

Regards
Click Studios

Linking Password Lists to Templates

Hi Everyone,

We’ve now introduced the feature in version 6 where you can link Password Lists to Templates, and control all of the settings from the Template itself.

With this feature it means you can control the settings for multiple Password Lists in the one location, and easily enforce some consistency across similar Password Lists.

Caution: In version 6 you can now configure the ‘Generic Fields’ to be of different field types i.e. text fields, date field, password fields, etc. If you link a Password List to a Template, and the Template has non-compatible generic field types, it will blank the data for these fields in the database. You will be prompted and reminded of this when linking Password Lists, but it’s something to be aware of.

When you link a Password List to a Template, it will appear on the Templates as per this screenshot (To link Password Lists to a Template, you simply select ‘Linked Password Lists’ from the Action drop-down menu):

Linked Templates

Once linked, the majority of controls on the ‘Edit Password List’ will be disabled, and you will be notified at the top of the screen as to which Template the Password List has been linked to:

Linked Password List Edit Screen

 

Generic Field Improvements

Hi Everyone,

When version 6 is released, you will notice a few enhancements we have made to the Generic Fields you can associate with Password Lists.

To start with, we have extended the number of Generic Fields from 3 to 10, and now the following Field Types are also available:

  • Text Field – just a normal text field as you currently have in version 5 of Passwordstate
  • Free Text Field – an unlimited text field for entering larger bodies of text
  • Password – an encrypted password field, which is also salted in the database, and allows you to mask the contents as per a normal Password field i.e. ******, and you can also copy to clipboard as per normal
  • Select List – allows you to specify multiple fixed values, which shows as a drop-down list
  • Radio Buttons – allows you to specify multiple fixed values, which shows as a Radio Button
  • Date Picker – similar to the Expiry Date field, this one gives you a popup calendar for specifying date values

We hope you like this feature once version 6 is released, and below are a couple of screenshots showing how you configure your Password Lists, and how it looks on an Edit Password screen.

Configure Generic Field Settings for a Password List

Generic Field Setting for a Password List

 

How the Edit Password Screen looks with Generic Fields
Generic Fields on Edit Password Screen

Regards
Click Studios

Allowed IP Ranges in Passwordstate

Hi Everyone,

We’ve just added a small, but important feature in version 6 of Passwordstate called Allowed IP Ranges. This feature allows you to restrict which IP addresses are allowed to browse to the Passwordstate web site, and can be specified in the following formats:

Individual IP Address – 192.168.1.50
Entire Subnets – 192.168.1.*
Subnet Ranges – 192.168.1.50-192.168.1.254

In the event you make a mistake in specifying Allowed IP Ranges and lock yourself out of Passwordstate, you can always gain access via logging on directly to your web server, or via the Emergency Access account. Here’s a screenshot of where you can specify the settings:

Allowed IP Ranges in Passwordstate
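To make the three formats concrete, here is an added example (not Passwordstate’s own implementation) of how an allow-list in this syntax can be evaluated, including a pre-save check for the self-lockout mistake mentioned above. The function names and sample addresses are constructed for illustration, and the sketch assumes IPv4 only and refuses a leading wildcard.

```python
import ipaddress


def parse_rule(rule):
    """Convert one rule into an inclusive (low, high) pair of integers."""
    rule = rule.strip()
    if "-" in rule:  # subnet range, e.g. 192.168.1.50-192.168.1.254
        start, end = (int(ipaddress.IPv4Address(p.strip()))
                      for p in rule.split("-", 1))
        if start > end:
            raise ValueError(f"range start is above range end: {rule!r}")
        return start, end
    if "*" in rule:  # wildcard subnet, e.g. 192.168.1.*
        octets = rule.split(".")
        if len(octets) != 4:
            raise ValueError(f"expected four octets: {rule!r}")
        star = octets.index("*")
        # Wildcards must be trailing; a leading one would allow every address.
        if star == 0 or any(o != "*" for o in octets[star:]):
            raise ValueError(f"unsupported wildcard position: {rule!r}")
        fixed = octets[:star]
        low = ipaddress.IPv4Address(".".join(fixed + ["0"] * (4 - star)))
        high = ipaddress.IPv4Address(".".join(fixed + ["255"] * (4 - star)))
        return int(low), int(high)
    addr = int(ipaddress.IPv4Address(rule))  # individual address
    return addr, addr


def is_allowed(client_ip, rules):
    """True if client_ip falls inside any valid rule; fails closed on bad input."""
    try:
        ip = int(ipaddress.IPv4Address(client_ip.strip()))
    except ValueError:
        return False
    for rule in rules:
        try:
            low, high = parse_rule(rule)
        except ValueError:
            continue  # a malformed rule never grants access
        if low <= ip <= high:
            return True
    return False  # no match (or an empty list) denies in this sketch


def check_before_saving(rules, my_ip):
    """Return a list of problems: malformed rules and self-lockout."""
    problems = []
    for rule in rules:
        try:
            parse_rule(rule)
        except ValueError as exc:
            problems.append(f"invalid rule {rule!r}: {exc}")
    if not is_allowed(my_ip, rules):
        problems.append(f"{my_ip} is not covered and would be locked out")
    return problems


if __name__ == "__main__":
    # Constructed sample rules, one per format.
    rules = ["192.168.1.50", "192.168.2.*", "10.0.0.50-10.0.0.254"]
    for ip in ("192.168.1.50", "192.168.2.200", "10.0.0.49"):
        print(ip, is_allowed(ip, rules))
    print(check_before_saving(["192.168.1.254-192.168.1.50"], "192.168.1.60"))
```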

Regards
Click Studios

Two-Factor Authentication with RSA SecurID

Hi Everyone,

As of today, we’ve finished implementing two-factor authentication in Passwordstate V6, using RSA’s SecurID solution. Once we have a beta of Version 6 available, we’ll be asking for testers of this functionality, as we’ve only been able to test using RSA Authentication Manager 7.1 SP4 Patch 22 – the Authentication Agent library we’re using is meant to be compatible with Authentication Manager 6.x, 7.x and the upcoming 8.x – due for release later this month.

Configuring Passwordstate to use SecurID is a fairly simple process, and we’ve written up specific documentation to assist customers with the initial configuration. Once done, you will be able to choose any one of the following options:

  • Secure access to Passwordstate using SecurID Authentication – this is for both installs of either Active Directory authentication, or forms based authentication
  • Secure access to Passwordstate using both AD and SecurID Authentication – obviously only for AD users
  • Secure access to Password Lists using SecurID Authentication

We’ve also added a new option called ‘If one of the SecurID Authentication options are selected, auto-populate the UserID field based on the current logged in user – domain suffix will be dropped if using Active Directory version of Passwordstate’. If your Passwordstate UserID’s are the same format as your SecurID User ID’s, then this makes it a little quicker to authenticate.

Now for some screenshots:

Secure access to Passwordstate using SecurID Authentication

SecurID Authentication

 

Secure access to Passwordstate using both AD and SecurID Authentication

SecurID and AD Authentication

 

Secure access to Password Lists using SecurID Authentication
SecurID Authentication for Password Lists

 

 

We hope you like this feature when version 6 is available.

Two-Factor Authentication with Google Authenticator

Hi Everyone,

We’ve finished adding two-factor authentication using Google’s Authenticator to version 6 of Passwordstate. Google Authenticator is great for smaller companies who can’t afford the investment required to internally host other two-factor authentication solutions such as RSA’s SecurID.

Configuring your Passwordstate account to use Google Authenticator is quite a simple process:

  • First install Google Authenticator on your mobile device – Android, iOS & Windows Phone
  • Visit the Preferences screen in Passwordstate, and click on the ‘Authentication Options’ tab
  • Select the ‘Google Authenticator’ option from the Authentication dropdown list
  • Generate a new barcode/secret key
  • Scan the barcode into Google Authenticator on your mobile/cell device, or manually type in the secret key
  • Click on the ‘Save’ button to save the secret key to your Passwordstate account.

Google Authenticator Settings

Once you have successfully enabled Google Authenticator with Passwordstate and on your mobile/cell device, then you will be presented with the following login screen next time you visit Passwordstate.

Passwordstate Google Authenticator Login

You will now have a maximum of 60 seconds to copy the verification code from your mobile/cell device (image below), into Passwordstate. After 60 seconds, a new verification code will appear on your device.

Google Authenticator for Android

 

We hope you like this new feature once version 6 of Passwordstate is released, and please leave us any comments you like regarding the feature.

Regards
Click Studios