Import Passwords from KeePass into Passwordstate

Recently, we have been getting more and more requests from new Passwordstate customers asking how to import their data from KeePass. Because of these requests, we’ve now created a PowerShell script which can be used in conjunction with our API. Our goal with this is to not only import the passwords from KeePass, but to also replicate the structure of the KeePass Groups in Passwordstate.

For customers not familiar with Passwordstate, the equivalent of a “Group” in KeePass is a “Password List” in Passwordstate. We also have the concept of “Folders” which allow you to logically group Password Lists together. If you follow the process below, it will create a Folder called KeePass Import in the root of Passwords Home, and will contain one Password List for every Group you have in KeePass. It will then import the relevant passwords inside each Password List.

We highly recommend taking a backup of your Passwordstate database prior to performing this import. You can either use the automatic backup feature within Passwordstate, or use SQL Server Management Studio instead.

Exporting from KeePass in the Correct Format:

If you would like to migrate your passwords from KeePass to Passwordstate, you will need to export them as a .csv file in a format that Passwordstate reads correctly. The best version of KeePass to do this in is the Classic version, and it must be at least Version 1.31. The Classic version has better options when exporting, allowing you to select which attributes of your passwords you would like to include in the .csv file. If you are using KeePass Professional, you will first need to transfer all of your passwords to the Classic version. To do this:

  1. Open KeePass Professional and click File -> Export
  2. Select KeePass KDB (1.x)
  3. Select a place on your local disk to save the export to, and click OK
  4. If you get an error saying “This file format does not support root groups” click Close
  5. Open KeePass Classic
  6. Click File -> Import -> KeePass Database…
  7. Open the .kdb file you generated in the export process above
  8. Enter in the Master Password for your exported database and click OK
  9. Click File -> Export -> CSV File…
  10. Save the .csv to somewhere local like D:\KeePass-Import\Passwords.csv
  11. Under the fields to export, ensure you also tick “Group” and click OK

**Important** Once you have exported this .csv file, DO NOT open, modify and save it in Excel in any way. Excel re-saves the file with different quoting and line endings, which can make the .csv file unreadable for the purpose of this exercise.

Preparing Passwordstate for the import

1. In Passwordstate, under the Passwords menu, create a new Password List Template. The import will copy the settings and permissions from this template when setting up your data.

2. On the Template, ensure you deselect the “Prevent saving of Password Record if ‘Bad’ password is detected” option:

3. Also on the same Template, ensure you select the URL field as follows, and save it:

4. Apply appropriate permissions to the template via the Actions Menu.  Any user you give access to on this screen will get access to all passwords you import from KeePass.  If need be, you can easily modify permissions after you’ve completed this import process:

5. Press the Toggle ID Column Visibility and take note of the TemplateID:

6. Download the Import-Keepass.zip file from the Click Studios web site, and extract the contents into the same folder as your exported KeePass .csv file.

7. Take note of your System Wide API key in Passwordstate, which can be found under Administration -> System Settings -> API Keys.  If you need to, you can generate a new one:

8. Open the extracted import-keepass.ps1 file in your favorite PowerShell scripting tool, and modify the top 4 variables to reflect the correct information about your environment. You will need to enter your Passwordstate URL, the exact path to your exported .csv file, your System Wide API key, and your Template ID:

9. If you now run your PowerShell script, you should notice a KeePass Import folder in Passwordstate, along with multiple Password Lists which are named the same as all your groups and sub-groups from KeePass. They will also contain all the relevant passwords:

10. If you like, you can create some Folders in Passwordstate and begin dragging and dropping your new Password Lists as appropriate.
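The steps above depend on the exported .csv arriving intact and on one Password List being created per KeePass group. The following added example (not the Click Studios import-keepass.ps1 script) shows in Python how such an import is planned: it parses a KeePass Classic style export, groups the rows by the “Group” column you ticked in step 11, and prepares API requests that carry the System Wide API key in a request header. The four placeholder variables mirror the ones the script asks you to set. The CSV column names, the API endpoint paths and the body field names are assumptions of this example and must be checked against your own export and the Passwordstate API documentation; the sample export is constructed and contains no real credentials.

```python
import csv
import io
import json
import urllib.request
from collections import OrderedDict

# The four values the procedure tells you to set (placeholders, not real).
PASSWORDSTATE_URL = "https://passwordstate.example.local"  # placeholder
CSV_PATH = r"D:\KeePass-Import\Passwords.csv"              # path from step 10
API_KEY = "REPLACE-WITH-SYSTEM-WIDE-API-KEY"               # placeholder
TEMPLATE_ID = 0                                            # TemplateID noted in step 5

# KeePass Classic CSV header -> destination field. These header names are
# what this example assumes the Classic export writes; adjust if yours differ.
COLUMN_MAP = {
    "Account": "Title",
    "Login Name": "UserName",
    "Password": "Password",
    "Web Site": "URL",
    "Comments": "Notes",
}


def parse_keepass_csv(text):
    """Return an OrderedDict of group name -> list of records, in first-seen order.

    csv.DictReader copes with quoted fields that contain commas and newlines.
    That quoting is exactly what Excel changes when it re-saves the file, which
    is why the export must be passed through untouched.
    """
    reader = csv.DictReader(io.StringIO(text))
    missing = {"Group", *COLUMN_MAP} - set(reader.fieldnames or [])
    if missing:
        raise ValueError("export is missing columns: %s" % sorted(missing))
    groups = OrderedDict()
    for row in reader:
        record = {field: row[column] for column, field in COLUMN_MAP.items()}
        groups.setdefault(row["Group"], []).append(record)
    return groups


def build_plan(groups, folder_name="KeePass Import"):
    """Turn grouped records into (endpoint, body) pairs; nothing is sent here.

    One Password List per KeePass group inside the import folder, then one
    password record per row. Endpoint paths and body field names are this
    example's assumptions: check them against the Passwordstate API documentation.
    """
    plan = []
    for group, records in groups.items():
        plan.append(("/api/passwordlists", {
            "PasswordList": group,
            "Description": "Imported from KeePass group '%s'" % group,
            "CopySettingsFromTemplateID": TEMPLATE_ID,  # assumed field name
            "NestUnderFolder": folder_name,             # assumed field name
        }))
        for record in records:
            plan.append(("/api/passwords", dict(record, PasswordListName=group)))
    return plan


def make_request(endpoint, body):
    """Prepare a POST with the API key in a request header, not the query string."""
    return urllib.request.Request(
        PASSWORDSTATE_URL + endpoint,
        data=json.dumps(body).encode("utf-8"),
        headers={"APIKey": API_KEY, "Content-Type": "application/json"},
        method="POST",
    )


# Constructed sample export (no real credentials). The first row has a comma
# in the title and a two-line comment, both of which a clean export quotes.
SAMPLE_EXPORT = (
    '"Account","Login Name","Password","Web Site","Comments","Group"\n'
    '"Router, core","admin","constructed-pw-1","https://192.0.2.1","Console on port 1\n'
    'second line of the note","Network"\n'
    '"Mail server","svc-mail","constructed-pw-2","","","Servers"\n'
    '"Switch A","admin","constructed-pw-3","","","Network"\n'
)


def main(csv_text=SAMPLE_EXPORT):
    """Parse, group and list the plan; use open(CSV_PATH).read() for a real run."""
    plan = build_plan(parse_keepass_csv(csv_text))
    for endpoint, body in plan:
        request = make_request(endpoint, body)
        print(request.get_method(), request.full_url, "->",
              body.get("PasswordList") or body.get("Title"))
    return plan


if __name__ == "__main__":
    main()
```

Running the block prints the planned calls without contacting anything; the value of the dry run is that a damaged export fails at `parse_keepass_csv` (a missing column or a row that no longer parses) before a single record is created, and the group structure can be eyeballed against KeePass first.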

If you need any help with this at all, you are welcome to contact us on support@clickstudios.com.au.

Passwordstate Build 7580 New Features

In build 7580 of Passwordstate, we’ve introduced a few new features, most noticeably many changes in how encryption now works. Below is a summary of the more notable changes and features.

Encryption Changes
In consultation with an external company who specialises in web-based application security, we’ve made several changes to how encryption works within Passwordstate. Most of these changes are not noticeable in daily use, but they do further strengthen the security of Passwordstate. A summary of the changes is:

  • Random Initialisation Vectors are now used for every encrypted field and record – previously, the one Initialisation Vector was used for all encrypted data
  • HMAC-SHA512 Hashing algorithm has now replaced the previous method of validating tampering of data directly in the database – hashing of expected values, with a stronger algorithm, is now used to ensure data integrity
  • Every install of Passwordstate now uses two unique keys to perform the encryption, where previously only one was used
  • Encryption Keys now use Secret Splitting to mask their identity, and the secrets are stored in the web.config file (which can also be encrypted) and also in the database
  • A new Secret Key Rotation feature has now been added to allow regular encryption key rotation
  • Encryption keys can now be exported to a password-protected zip file for disaster recovery purposes

With these encryption changes, it is very important that you have the following for disaster recovery purposes:

  • A copy of your database
  • A copy of your web.config file, or of the exported encryption keys (split into secrets) in the password-protected zip file

Without these two items, it will not be possible to restore your Passwordstate instance in the event of a disaster – even with help from Click Studios. You must keep a copy of these encryption keys.

Most of these changes are transparent in day-to-day usage, except for the exporting of encryption keys, and encryption key rotation which we will cover below.

Exporting of Encryption Keys
There is now a new menu item in the Administration area called ‘Encryption Keys’. From here you can export your encryption keys using the appropriate button, at which time you will be presented with a popup dialog for you to enter the zip file’s password. Note: exporting the encryption keys adds an audit record.

It is recommended you export your encryption keys immediately after upgrading to Build 7580, as well as take a backup of your database. Any time you perform encryption key rotation as well, you will be required to export your encryption keys again.

Encryption Key Rotation
Performing encryption key rotation is a very simple process, but it is very important to back up your encryption keys and database before performing this task – if some sort of error were to occur during the re-encryption, you need your previous keys to perform a restore. Please follow the on-screen instructions for preparing for key rotation, as per the screenshot below.

Once key rotation starts, it will cycle through each of the relevant tables, and re-encrypt data as appropriate. The schedule in which you perform key rotation is a decision your Passwordstate administrators would need to make. Auditing records are also added for encryption key rotation.
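The encryption changes listed above (a random Initialisation Vector per field, HMAC-SHA512 integrity checking, two keys, Secret Splitting) and the key rotation pass described here fit together as one lifecycle. The following added example, written for this page and not Passwordstate’s code, walks through that lifecycle with the Python standard library: each value gets a fresh IV so identical passwords produce different ciphertext, an HMAC-SHA512 tag over the IV and ciphertext is verified before anything is decrypted, the encryption key is split into two XOR shares (one per storage location, the web.config and database layout being this example’s reading of the text), and rotation re-encrypts every stored value under a new key pair after which the old keys are rejected. The cipher is an HMAC-SHA256 keystream in counter mode so that the example runs without third-party packages; the product uses AES, and treating the pair as one encryption key plus one MAC key is this example’s interpretation of the “two unique keys”.

```python
import hashlib
import hmac
import os


def split_secret(key):
    """Split a key into two XOR shares; either share alone reveals nothing."""
    share_a = os.urandom(len(key))
    share_b = bytes(x ^ y for x, y in zip(key, share_a))
    return share_a, share_b


def join_secret(share_a, share_b):
    """Recombine the two shares (e.g. web.config share + database share)."""
    return bytes(x ^ y for x, y in zip(share_a, share_b))


def _keystream(enc_key, iv, length):
    """Counter-mode PRF stand-in for a block cipher: HMAC-SHA256(key, iv || i)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_field(enc_key, mac_key, plaintext):
    """Random 16-byte IV per value, then HMAC-SHA512 over IV || ciphertext."""
    iv = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, iv, len(plaintext))))
    tag = hmac.new(mac_key, iv + ct, hashlib.sha512).digest()
    return iv + ct + tag


def decrypt_field(enc_key, mac_key, blob):
    """Check the tag in constant time before touching the ciphertext."""
    iv, ct, tag = blob[:16], blob[16:-64], blob[-64:]
    expected = hmac.new(mac_key, iv + ct, hashlib.sha512).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: record tampered or wrong keys")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, iv, len(ct))))


def rotate_keys(old_keys, new_keys, records):
    """The rotation pass: decrypt under the old pair, re-encrypt under the new."""
    old_enc, old_mac = old_keys
    new_enc, new_mac = new_keys
    return {name: encrypt_field(new_enc, new_mac, decrypt_field(old_enc, old_mac, blob))
            for name, blob in records.items()}


def demo():
    """Exercise the lifecycle and return the checks as a dict of booleans."""
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    web_config_share, database_share = split_secret(enc_key)   # constructed layout
    results = {"shares_recombine": join_secret(web_config_share, database_share) == enc_key}

    password = b"constructed-example-password"   # not a real credential
    blob1 = encrypt_field(enc_key, mac_key, password)
    blob2 = encrypt_field(enc_key, mac_key, password)
    results["distinct_ciphertexts"] = blob1 != blob2        # random IV per value
    results["roundtrip"] = decrypt_field(enc_key, mac_key, blob1) == password

    tampered = bytearray(blob1)
    tampered[20] ^= 0x01                                    # flip one ciphertext bit
    try:
        decrypt_field(enc_key, mac_key, bytes(tampered))
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True

    new_keys = (os.urandom(32), os.urandom(32))
    rotated = rotate_keys((enc_key, mac_key), new_keys, {"pw": blob1})
    results["rotated_roundtrip"] = decrypt_field(*new_keys, rotated["pw"]) == password
    try:
        decrypt_field(enc_key, mac_key, rotated["pw"])
        results["old_keys_rejected"] = False
    except ValueError:
        results["old_keys_rejected"] = True
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print("%-22s %s" % (check, "ok" if ok else "FAIL"))
```

The `old_keys_rejected` check is the reason the post insists on backing up keys and database before rotation: once the pass has run, data re-encrypted under the new pair is unreadable with the previous keys, so an interrupted rotation leaves a mix of records that only a restore from the pre-rotation backup can untangle.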

One-Time Password Two-Factor Authentication
We’ve also introduced a new two-factor authentication option, for both the web interface and mobile client, called One-Time Password.

With this authentication option, you can use either hardware or software tokens which are compatible with the TOTP or HOTP algorithms – TOTP is Time-Based, and HOTP is Counter-Based.

On the screen Administration -> System Settings -> Authentication Options tab, you will see the following settings for this new authentication option. A brief description of these settings is:

  • Time-Based Clock Drift – as hardware tokens age, they can lose time. This setting allows you to specify the maximum clock drift allowed for a user’s hardware token – effectively it will look ahead (x) number of seconds to try the time-based authentication. If a match is found, and the clock on the user’s token appears to have ‘drifted’, then the time differential is stored as part of the user’s preferences for this authentication option
  • Time-Based Default Time Step – most TOTP tokens work on either 30 or 60 seconds intervals, and you can specify the default time step for new user accounts in Passwordstate here
  • Counter-Based Look Ahead Window Size – each time the user generates a new One-Time Password when using HOTP, the counter increases on their token. When a successful authentication attempt is made in Passwordstate, this counter value is also stored as part of the user’s preferences for this authentication feature. As tokens may be used for different systems in addition to Passwordstate, we need a look-ahead window size to determine what the actual value of the counter is for the user’s token
  • Counter-Based Default Number of Digits – HOTP generally uses passwords of 6 digits in length, but you can configure the default for all new user accounts added into Passwordstate if required
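The four settings above map directly onto the two verification loops of RFC 4226 (HOTP) and RFC 6238 (TOTP). The following added example, written for this page and not Passwordstate’s implementation, shows both with the Python standard library: the counter look-ahead window that absorbs codes a token spent on other systems, the drift search that remembers the time differential once a match is found, and the digit count and time step as parameters. It checks the RFC test vectors, where the 20-byte secret `12345678901234567890` is exactly the 32-character Base32 key the next section mentions. The function names, the choice to search both ahead of and behind the server clock (the text describes looking ahead), and the way the stored counter and drift are returned to the caller are this example’s own.

```python
import base64
import hashlib
import hmac
import os
import struct


def decode_base32_secret(secret):
    """32 Base32 characters, as printed for a hardware token, decode to a 20-byte key."""
    return base64.b32decode(secret.replace(" ", ""), casefold=True)


def generate_base32_secret():
    """A fresh 20-byte secret rendered as 32 Base32 characters for a software token."""
    return base64.b32encode(os.urandom(20)).decode("ascii")


def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key, unix_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter replaced by floor(time / step)."""
    return hotp(key, unix_time // step, digits)


def verify_hotp(key, code, stored_counter, look_ahead, digits=6):
    """Counter-based check with a look-ahead window.

    Tries stored_counter .. stored_counter + look_ahead. On success returns the
    counter to store next (one past the match) so the same code can never be
    replayed; returns None when no counter in the window matches.
    """
    for counter in range(stored_counter, stored_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(key, counter, digits), code):
            return counter + 1
    return None


def verify_totp(key, code, now, step=30, max_drift=0, stored_drift=0, digits=6):
    """Time-based check with clock-drift allowance.

    The user's remembered drift is applied first (delta 0), then whole time
    steps up to max_drift seconds on either side, nearest first. Returns the
    drift to store in the user's preferences, or None on failure.
    """
    steps = max_drift // step
    deltas = [0] + [sign * n * step for n in range(1, steps + 1) for sign in (1, -1)]
    for delta in deltas:
        drift = stored_drift + delta
        if hmac.compare_digest(totp(key, now + drift, step, digits), code):
            return drift
    return None


if __name__ == "__main__":
    key = decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")   # RFC test secret
    print("HOTP counter 0:", hotp(key, 0))
    print("token 60s behind, drift stored as:", verify_totp(key, totp(key, 59), 119, 30, 60))
```

The `verify_hotp` return value is what makes the stored counter meaningful: accepting counter 4 inside a window of 5 must move the stored value to 5, otherwise a captured code stays valid until the user authenticates again.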

User’s Preference Settings for One-Time Password Authentication
In the user’s Preferences screen, they can select either the Time-Based or Counter-Based authentication option, and then adjust the related settings as appropriate. They must also specify their Base32 Secret Key, which will be provided with any hardware tokens you purchase (this key should be 32 characters in length). If using software tokens, you can generate a random Base32 key here, and then use it for your software token.

Note: If the user neglects to specify these settings, and a Security Administrator of Passwordstate were to enable One-Time Password authentication for them, then they will be given the opportunity to specify their settings when they next try to access Passwordstate.

One-Time Password Authentication Screens
And when you browse to Passwordstate to authenticate, you will see one of the following screens depending on which authentication option has been applied to your account.

Miscellaneous Features
We’ve also added various other features based on requests from customers, and they are:

  • There is now a System Setting for blocking brute force dictionary authentication attempts on all authentication screens in Passwordstate. The default setting is 5 failed login attempts, at which time the user’s session in IIS will be locked out. This setting can also be customized to however many failed login attempts you want
  • On the screen Administration -> System Settings -> API Keys tab, there is now a setting to prevent users from specifying API Keys within the QueryString of an API Call, instead forcing them to include the API Keys in the header request – which is more secure as the API Key is encrypted in the SSL tunnel
  • In Build 7476 we introduced a new feature to prevent the creation of Password Lists or Folders beneath other Password Lists. We did this primarily because it was causing confusion for customers in relation to the permission model, but also when trying to search for password records. We had several requests from customers to allow this type of nesting, so we’ve now added a System Setting where you can turn this restriction off. You can find it on the screen Administration -> System Settings -> Password List Options tab, and the setting is called ‘Allow users to nest Password Lists and Folders beneath other Password Lists’

We hope you like these changes in Build 7580, and please keep the feature requests coming!

Regards
Click Studios

Password Management – Best Way To Secure Passwords

Has there ever been a time in your life that you couldn’t for the life of you recall a password? If remembering the seemingly countless amounts of passwords correctly is a problem, then you need to make use of Passwordstate, a revolutionary password management system that has been created to simplify the way your business functions. You will have vital data, information and passwords stored securely and encrypted in the password manager vault. The passwords will be stored in a secure and safe place and you can recall them all in just a few clicks. There is no need for you to remember and write down all your passwords anymore!

Key features of Passwordstate, the leading password management software

There are many kinds of features that are offered in Passwordstate apart from keeping your login usernames and passwords safe and secure.

  • The password manager can be accessed from anywhere and at any time using a web interface
  • Provides you with a free browser extension for Google Chrome, Internet Explorer and Firefox, enabling a secure auto-fill of your credentials when visiting sites in the future
  • They are accessible across all platforms like Windows phone, Android phone, iPhone, computer or a laptop
  • They are very easy to use and all you need is to remember one password to log in to your password manager account
  • All kinds of passwords, generic, email account passwords, software registration keys, etc., can be recorded in the Passwordstate vault
  • It offers an easy search option. All you need to do is to key in the related data in the search box and all information pertaining to that will show up on your screen instantly
  • The software has the option of creating multiple tough and hard to crack passwords

Never worry about forgetting passwords

With good password management software in place for your business, you need not worry about remembering or writing down all the passwords. Say goodbye to constantly having to go through the Forgot your password? forms and simplify the way it all works utilising Passwordstate, the leading software for managing passwords. You just need to click on the mouse once to get the password copied to the clipboard, or form-filled in its respective web site. There is no better option for storing and encrypting all your sensitive passwords, documents, user IDs, etc., than password management software. Simply install the password manager program and break free from the tough task of remembering passwords!

Password Management Best Practices

There is no guarantee that one person will stay in the same job forever. Opportunities arise and employees shift from job to job all the time. When this happens in a managed service business, technicians who move to a new company will also be taking the passwords for the customer accounts they were managing with them. As the data of your customers is extremely valuable, it is imperative that you give serious thought to the security of the customer’s passwords in order to protect personal information that has been entrusted to you. We recommend implementing the following practices for your business to manage your customers’ passwords and ensure total privacy.

Inspection

This password management practice functions to regularly inspect the system and check that everything is in place and no changes have been made. This technique allows you to see who has accessed the stored passwords whilst also enabling you to check whether the passwords remain compliant with the set rules (for instance, do they meet the password complexity requirements).

Another auditing practice to apply is regularly checking whether the passwords match with the ones used in the system. Furthermore, it is a good idea to install a system that informs employers if anything goes wrong or something interferes with the process of password management.

Full control

A good password management system must have full control of the valuable data in the system. Full control gives you the tools to prevent unwanted users from accessing sensitive or confidential data such as customer passwords and personal information. It is highly essential that you ensure you have full control of those who have access to the company’s passwords, while also assuming control of what they can do with the passwords in terms of creating, writing, reading or deleting information. Additionally, it is important to install a system that gives full access to the passwords as well as the ability to store them centrally from anywhere.

Automation services

Each business should employ a system that automatically changes passwords whenever necessary. You should also have a process that enables you to inform the person in control of the password to change it manually.

A spreadsheet alone is simply not enough to protect the valuable information of your customers. We advise all companies to make use of the above password management practices to ensure complete password protection and consequently, a professional and trustworthy business.

What You Should Look Into When Choosing A Password Manager

There are many security experts who feel that simply choosing a password with alphanumeric letters and special characters is not enough to keep internet infrastructure protected. On top of that, many users choose the same password for all their accounts to avoid the difficulty of remembering numerous variations.

Basic measures to improve password security include using long and complex character combinations and phrases; changing the password on a regular basis; and using more than one password for different purposes. This can be a difficult and time-consuming process for enterprises where website logins, servers, databases, desktops and other forms of internet infrastructure need to be considered. This is where management software such as Passwordstate can help.

When you are looking for a password manager you can rely on, here are a few quick points to take into account.

Supported infrastructure

As mentioned above, enterprise system admins have more to worry about than just online accounts. While web site logins are important, passwords for everything from routers to individual desktops need to be managed effectively. This is a key difference between enterprise-based software and those limited to security for personal use of the web.

Two-factor authentication

Password security does not just involve cyber attacks: malicious activity can also occur internally through use of keylogging malware and other techniques. In other words, you need software that provides protection from internal threats to security.

Two-factor authentication is a process where logins from new computers or devices must be authorised through another channel. Passwordstate is a perfect example of this, as it supports a range of two-factor authentication methods which add an extra layer of internal security — these include use of security tokens, temporary PINs through email and more. On top of that, automatic logouts help prevent unauthorised users accessing data on an unattended terminal.

Strong encryption

To put it simply, password management software is virtually useless if sensitive data can’t be stored securely within the database. Even if the database is not cloud-based (i.e. located internally), advanced encryption is vital to achieve a higher level of security. Passwordstate uses 256 Bit AES Encryption and keeps all sensitive code secure with precompiled ASP.NET pages and obfuscated .NET Assemblies.

Ease of use

As with any software, blending functionality with a user-friendly interface can be something that seals the deal. It’s important that you, your staff and any one-time users can easily navigate all relevant tools and features to ensure that your productivity as a business is not harmed; an intuitive interface makes all the difference when using complex password management software.

These are just some of many things to consider when choosing password management software for your enterprise. Read more about the features of Passwordstate to see how it can help you manage all your internet infrastructure.

Why Role Based Access Control is Crucial to Your Organisational Security

In today’s modern workplace, most if not all important documents, information and sensitive data is kept on a computer system, readily accessed at any point in time. While this offers a convenient way to store and retrieve files, a lack of role based access control (RBAC) can leave them susceptible to the snooping eyes of internal employees. When your organisation has the right RBAC system implemented however, access to network resources and computer networks is purely based on the roles you assign to individual staff within the organisation or business. This means that your data is not open for all to see, and any breaches are more easily narrowed down to the person at fault. For this reason, implementing an effective RBAC system is crucial to your company’s data security.

The advantages of RBAC

  • RBAC implementation regulates access to your systems and networks by only allowing certain people to view, edit and create particular files.
  • The ability to access data, documents or information will be defined based on the authority you assign to the person, their responsibilities in the organisation and resource needs based on their role.
  • It is simple to create, change or discontinue a role according to the changing needs of your organisation and its employees.

RBAC through Passwordstate

RBAC software, such as Click Studios’ Passwordstate, increases your organisational network security by providing a number of roles that you can assign to your employees based on their position within the company. This can be regulated by a list of passwords that unlock certain roles when signed in. Passwordstate also gives you the ability to use 15 security administrator roles, covering all bases when it comes to the privacy needs of your organisation and its computer systems. These features provide the framework for a system where only authorised personnel are permitted to view or edit sensitive information.

Some of the security administrator roles provided by the software include:

  • Emergency access
  • Auditing
  • Password generator
  • Security groups
  • Licensing
  • User accounts
  • System settings

Implementing RBAC?

Many find implementing RBAC highly challenging. However, Passwordstate makes it easy to adopt this method for your professional security. While operating systems such as Apple iOS and Windows do provide basic RBAC systems for security purposes, a commercial software option is always your best bet when it comes to the security of your company’s sensitive information. Investing in a specialised, custom RBAC program that works for your company will give you peace of mind knowing that any sensitive data on your network is safe and secure.

What Problems Does Password Management Solve?

A password is an imperfect solution to the problem of information security. Stronger passwords can be hard for individual employees to remember, leading to them potentially reusing the same string of characters across multiple private and commercial services – meaning if a hacker uncovers one password being used, they could potentially have access to multiple web sites and systems.

This said, the right password management infrastructure can mitigate many of the negative aspects of relying on alphanumeric passwords for access to your computer system. Discover how Passwordstate can help you.

Prevent the use of weak passwords before they compromise your system

Ensuring that every password used to access your system is complex and difficult to either guess or brute force is a crucial aspect of a security administrator’s job. There are going to be some employees who’ve never suffered a data breach who will merrily use ‘password’ or ‘1234’ to get into their work terminal unless you make this impossible.

Passwordstate allows security administrators to define what is and is not allowed in a password. Simple rules like raising the minimum character count to 12, or forbidding a password ending in a number (automatically putting a stop to anyone ending a password with their birth year) can dramatically increase your organisation’s data security. Having passwords reset after a certain period of time also ensures that even if a password is leaked and a third-party has access to your system, they don’t have long before they’re locked out.

Secure, flexible access control

If you’re required to share your data with someone outside the company for a short period of time, Passwordstate can ensure that you’re not giving them too much power. Security administrators can set different read, modify and access permissions to different password lists and even individual passwords.

If you’re having a company scrutinise your financial documents or perform maintenance on your secure server, giving them read-only access or administrative privileges on select systems can be a smart idea. Don’t give away the keys to the kingdom; Passwordstate helps you limit what people outside your organisation can access.

Ensure your business is fully compliant with relevant industry standards

Many organisations live and die by their ability to maintain compliance with stringent industry-wide data security regulations. For example, if you’re a merchant handling Visa, Mastercard, American Express or any major branded credit card, you’ll be required to abide by the Payment Card Industry Data Security Standard to protect your customers from credit card fraud. Failing to comply with these and other similar regulations can result in payment of large compensation amounts, lost revenue and legal action.

Passwordstate offers comprehensive reporting and auditing options that can help you achieve compliance. If a security breach were to happen while you were not PCI DSS compliant, you could be up for additional, expensive penalties including fines.

Investing in an enterprise-ready, scalable password management solution like Passwordstate is a smart, cost-effective decision for any business. Protect your customers and your business with Passwordstate.

Is Changing Passwords Mandatory For Systems And Accounts?

Password breaches are becoming common across all types of internet infrastructure and we need better password practices to protect our online servers, databases, routers and switches.

A common source of the problem revolves around improper password management techniques. A database or network not protected by a well-encrypted password system leaves itself vulnerable to hackers, phishing schemes, malware and viruses.

Why should I be changing my network’s passwords?

When a password is too old – or too easy to guess – it can lead to hackers easily accessing the system access codes. As well as this, once malicious software guesses one password, it could only be a matter of time before all other aspects of the company are penetrated.

Apart from this, sharing passwords between employees is often unavoidable, especially when certain tasks cannot be completed by one person alone. This can lead to breaches in security. Rather than having your employees share private information with each other, invest in a targeted password management system, which works instantly to tighten your security and make for a more impenetrable network.

What if I forget all my new passwords?

Any business worth its while will have a large network of applications and servers. Between all the different parts that make up your company, it can be mind-boggling to attempt to remember every single password, especially when you change them frequently. After all, a revolving string of numbers and symbols doesn’t exactly lead to an easy memory trigger.

Instead, password management software such as Passwordstate will store all of your company’s passwords, allowing you to access them when you next need them – either web-based access, or mobile access.

How can I better protect my company’s data?

To better protect your company’s information, it is important that you use software such as Passwordstate that performs a scheduled reset of passwords for you. An automated solution such as ours will audit, store and encrypt your various system passwords, leading to higher protection of your sensitive data and information.

The software also includes API scripts, meaning you have the freedom to integrate it into your SaaS, without fear that your customers’ privacy is at risk.

Another option is to opt for a single-sign-on, or federated network, which allows one password complete access to all of the company’s software (providing the user has administrator permissions for the specific function).

Passwordstate Permission Model Changes

In build 7476 of Passwordstate, we introduced a new Permission Model which customers have been requesting for a while. You can now set a top level folder to propagate its permissions down to all nested Password Lists and Folders.

The traditional model of setting permissions at the individual Password List level is still available, and if you do not wish your users to use this new model of propagating permissions down, you can disable it on the screen Administration -> System Settings -> Miscellaneous tab -> Enable the ‘Propagate Permissions Downwards’ feature for top level Folders.

Things to note about this new Permissions Model:

  1. You can only apply permissions to a top level Folder in the Root of ‘Passwords Home’
  2. You can only make changes to permissions on the Folder at top of the tree – nested Password Lists and Folders will have controls on the Permission pages disabled
  3. If you drag and drop a Password List, or a Folder containing Password Lists into another Folder structure with propagating permissions, it will ask you to confirm you wish to make this change as permissions will change
  4. Private Password Lists cannot be nested beneath a Folder which is propagating permissions down
  5. The ‘Bulk Permissions’ feature cannot be used for any Password Lists which are inheriting permissions from a top level Folder
  6. A couple of System Settings options for applying permissions to newly created Password Lists will be ignored
  7. When adding or editing a Password List, the options to clone permissions from other Password Lists or Templates will be disabled
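The notes above describe an inheritance model: permissions live on the top-level Folder, everything nested under it inherits them, and the rules about Private Password Lists, disabled permission controls and the drag-and-drop confirmation all follow from that. The following added example, written for this page and not Passwordstate’s code, models that behaviour in Python so the rules can be checked against a small constructed tree: a propagating root with a nested Folder and Password Lists. The `Node` class, the `confirmed` flag standing in for the on-screen confirmation of note 3, and the choice to check only the moved item’s own permissions are this example’s assumptions.

```python
class Node:
    """A Folder or Password List in the Passwords Home tree (example model)."""

    def __init__(self, name, kind, private=False, propagate=False, permissions=None):
        if kind not in ("Folder", "PasswordList"):
            raise ValueError("kind must be 'Folder' or 'PasswordList'")
        self.name = name
        self.kind = kind
        self.private = private              # a user's Private Password List (note 4)
        self.propagate = propagate          # 'Propagate Permissions Downwards'
        self.permissions = dict(permissions or {})  # principal -> access level
        self.parent = None
        self.children = []

    def top_level(self):
        """Walk up to the Folder or List sitting in the root of Passwords Home."""
        node = self
        while node.parent is not None:
            node = node.parent
        return node

    def propagating_root(self):
        """The top-level Folder whose permissions apply here, or None (note 1)."""
        top = self.top_level()
        return top if top.kind == "Folder" and top.propagate else None

    def add(self, child, confirmed=False):
        """Nest child here, applying notes 3 and 4 before anything changes."""
        if self.kind != "Folder":
            raise ValueError("this example only nests beneath Folders")
        if self.propagating_root() is not None:
            if child.private:
                raise ValueError("Private Password Lists cannot sit under a propagating Folder")
            if child.permissions and not confirmed:
                raise ValueError("confirm: %r will drop its own permissions and inherit" % child.name)
            child.permissions = {}          # inherited from now on
        child.parent = self
        self.children.append(child)
        return child

    def effective_permissions(self):
        """What a user sees: the root's permissions if propagating, else its own."""
        root = self.propagating_root()
        return dict(root.permissions if root is not None else self.permissions)

    def set_permissions(self, permissions):
        """Note 2: controls are disabled on anything below the propagating root."""
        root = self.propagating_root()
        if root is not None and root is not self:
            raise PermissionError("permissions are inherited from %r" % root.name)
        self.permissions = dict(permissions)


def build_example():
    """Constructed tree: a propagating root Folder with a nested Folder and Lists."""
    root = Node("Windows Desktop Machines", "Folder", propagate=True,
                permissions={"Desktop Support": "Modify", "Auditors": "View"})
    site = root.add(Node("Sydney Office", "Folder"))
    site.add(Node("Local Admin Accounts", "PasswordList"))
    root.add(Node("BitLocker Keys", "PasswordList"))
    return root


if __name__ == "__main__":
    root = build_example()
    for node in (root, root.children[0], root.children[0].children[0], root.children[1]):
        print("%-25s %s" % (node.name, node.effective_permissions()))
```

Changing the root’s permissions and re-reading a nested list’s `effective_permissions()` shows the cascade the conversion wizard promises; the two `ValueError` paths in `add` are the checks a reviewer would look for in any implementation of this model, since a Private List or a List carrying its own grants nested under a propagating Folder would silently widen or narrow access.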

How to use the new permissions model on a new Folder Structure:

  1. Ensure you have these two settings set to ‘Yes’ in Administration -> System Settings -> Miscellaneous:
  2. Create a Folder under Passwords Home. In this example we’ve called it “Windows Desktop Machines”
  3. When creating the Folder, ensure you tick ‘Manage permissions manually for this folder’ and ‘Enable the Propagate Permissions Downwards’
  4. Once saved, you’ll notice a slight change to the Folder Icon. The brown triangle on the right hand side indicates it is now propagating permissions, and anything nested below it will inherit those permissions.
  5. Next, highlight the Folder and select Folder Properties.
  6. Click the View Permissions button and use the Grant New Permissions button to set permissions. These can be individual users or Security Groups.

Now any new Password Lists or Folders you create or drag into this Folder will automatically inherit those permissions.

How to convert an existing Folder structure to use the new permission model:

  1. Select your top level Folder and select ‘Folder Properties’
  2. Ensure you have ‘Manage permissions manually for this folder’ selected
  3. Click the ‘Convert Permission Model’ button
  4. Run through the three-step Wizard:

    Step 1: Review what changes are about to happen
    Step 2: Review existing Permissions, and modify them to suit
    Step 3: Execute the conversion

That’s it! Now when you make a change to the permissions at the top level folder, they will cascade all the way down the folder tree. Any existing Password Lists will inherit these permissions, and new ones created under here will be forced to use the same permissions.

NOTE: As mentioned earlier, the new Propagating Permissions Model can only apply to a Folder in the Root of Passwords Home. If you have an existing Password List structure under your ‘Passwords Home’, you will need to create a new Folder first, move the Password Lists into the folder, and then apply the conversion.