Mobile Client Support in Passwordstate

In the upcoming release of Version 6.2 of Passwordstate, we will have Mobile Client support for iOS, Android, Windows 8 Phone and Blackberry. In this blog post, we will run through some detail for User and System Preferences for the Mobile Client, as well as the features available in the Mobile Client itself.

User Preferences

On the ‘Preferences’ screen on the main Passwordstate web site, you will find various settings which control how the Mobile Client will behave for you. Below is an explanation of each of these settings.

Default Home Page You can either choose your default home page to browse/filter all the Password Lists you have access to, or go straight to a screen where you can search for the password record you require
Limit the Number of Records to As cellular/mobile networks are typically slower than local networks, it’s recommended you limit the number of records returned to help with performance.
Mobile Pin Number The Pin Number you will use to authenticate with when using the Mobile Client – this is in conjunction with your UserID for Passwordstate


System Settings

The Mobile Access Options tab on the screen Administration -> System Settings allows you to specify multiple settings for how the Passwordstate Mobile Client behaves for your users.

Allow Mobile clients to access Passwordstate:
If you do not wish to allow Mobile Access to passwords, you can disable access altogether by selecting this option.

  • Note 1: If you choose to disable Mobile Access, it is recommended you set the option below to ‘No’, and then go to the screen Administration -> Passwords Lists -> Mobile Access Bulk Permissions, and then disable Mobile Access for all permissions
  • Note 2: Even if this option is enabled, your Firewall/System Administrators still need to configure external DNS and allow access through the firewall for anyone to access the Mobile Client web site


When adding new permissions to Password Lists, enabled Mobile Access by default:
When adding new permissions to a Password List, you can use to enable/disable Mobile Access by selecting the appropriate option here.

The Mobile Access Pin Number for user authentication must be a minimum length of:
You can choose the length of the Mobile Access Pin Number the users must use to authenticate with. When the users specify their own Pin Number on the Preferences screen, or use the option to generate one, it must meet the minimum length requirement of this setting.

The Inactivity Timeout for Mobile Access is (mins)
If the user forgets to log out of the Mobile session, this setting will automatically log them out after the set period of inactivity, and also clear their authenticated session.

Protect against brute force dictionary authentication attempts by locking out an active session after the following number of failed login attempts:
As the Mobile Access web site is generally externally accessible from your internal network, this setting will mitigate against any brute force authentication attempts by locking out authentication attempts when this setting has been reached.



Mobile Client Permissions

In addition to enabling Mobile Access for your users on the System Settings screen, access is also granted via applying permissions at the Password List level.

As you’re able to apply permissions at the Password List level, this means you don’t need to expose all passwords via the Mobile Access Client if you don’t want to.

Enabling/Disabling Mobile Access when Adding New Permissions
When you add new permissions to a Password List, you can choose to enable/disable Mobile Access using the ‘Mobile Access’ option on the screen.

Enabling/Disabling Mobile Access for Existing Permissions
With the permissions already applied to your Password Lists, you can choose to enable/disable Mobile Access by selecting the ‘Enable/Disable Mobile Access’ option under the ‘Actions’ dropdown menu.


Enabling/Disabling Mobile Access Permissions in Bulk
If you would like to enable/disable Mobile Access permissions for more than one Password List at a time, then you can do so via the page Administration -> Password Lists -> Mobile Access Bulk Permissions.


Mobile Client Usage

This following information provides instructions for how to use the Mobile Client itself. The following features are currently available in the Mobile Client:

  • Authentication
  • Browse/Search Password Lists that you have access to
  • Browse/Search Passwords within a selected Password List
  • Search for an individual password record, across all the Password List you have access to – similar to searching on the ‘Passwords Home’ page on the normal Passwordstate web site
  • View password records

Mobile Client Authentication
To authenticate using the mobile client, you need to specify your account’s UserID and the Pin Number associated with it.

Note: If using the AD Integrated version of Passwordstate, it’s not necessary to specify the UserID in the format of Domain\UserID – you can simply type just the UserID. The only exception to this would be if you had multiple Active Directory domains registered in Passwordstate, and there were duplicate logon names in AD.


Browsing/Filtering Password Lists
After you have authenticated, the default home screen is the one below which allows you to browse all the Password Lists your account has been given access to. A couple things to note about this screen are:

  1. The number of records displayed may be limited by the setting ‘Limit the Number of Records to’ on your User Preferences screen
  2. When searching/filtering Password Lists, you can search by the Title of the Password List, and also the Tree Path of the Password List in the Navigation Tree (the Tree Path is the logical structure/path of where the Password List is positioned in the Password List Navigation Tree on the main web site)

Browsing/Filtering Passwords for the selected Password List
After you have tapped on the appropriate Password List, you will be directed to the screen below which allows you to browse all the passwords in the selected Password List. A couple things to note about this screen are:

  1. The number of records displayed may be limited by the setting ‘Limit the Number of Records to’ on your User Preferences screen
  2. When searching/filtering passwords, you can search across all of the fields which can be configured for a Password record i.e. Title, Description, UserName, URL, Generic Fields, etc. The only fields you can’t search are the one’s which are encrypted i.e. the Password field, and any Generic Fields set as type ‘Password’


Viewing a Password Record
When you tap on one of the Password records on the screens above, you will be directed to the screen below where you can view the details of the password record. A couple of things to note about this screen are:

  1. An auditing record will be added, as you have viewed the details of this password record. If enabled in the main web site settings, any other users who have access to this password record will receive an email notification informing them you have accessed it
  2. Most mobile devices allow you to copy details to the clipboard if required, and majority of fields on this screen will allow you to copy their details
  3. If there are any ‘One-Time Access’ permissions enabled for this password record for your account, your access will automatically be removed after you have viewed the record


Password Search Home Page
If you have selected ‘Passwords Search’ as your default home page on the User Preferences screen, you will be directed to the screen below after you have authenticated. From here you can search for a password record across all of the Password Lists you have been given access to. This is a similar search feature which you will find on the ‘Passwords Home’ in the main web client.


When searching for Password records this way, a little more detail is shown on the screen so you know which Password List the password record belongs to.


Logging Out of the Mobile Client
When you tap on the ‘Exit’ button on the top right-hand side of the screen, you will be directed to the screen below and your Mobile Access session will be ended. If your leave your session inactive longer than the setting specified on the System Settings page, you will also be automatically logged out and directed to this screen.



Passwordstate 6.0 New Features

Hello Everyone,

Before we go into any detail about the new features of version 6, we just want to say a huge thanks to all our wonderful customers for their suggestions of what they would like to see in Passwordstate, and also for helping us test the various beta versions. It’s amazing how people will take time out of their day to provide feedback, and spend endless hours testing with us. Thanks Guys If you’re wanting to upgrade your beta install to this production release, please follow these instructions – J

Now on to the features. We’re very pleased to finally release version 6 of Passwordstate. This is probably one of the biggest releases we’ve had to date, and it’s been 8 months in the making. We’ll go into some detail here for the major changes in version 6.

New User Interface
The first thing you will notice when using v6 is the new user interface. The main change is how the old navigation tabs in version 5 have now been moved to the bottom of the screen as a horizontal popup menu. This provides a little more screen real-estate, which is useful when the majority of your time is spent clicking around in the navigation tree, and access passwords in each of the different Password List screens. We’ve also had quite a few beta testers comment on the new version appearing to run much faster.

Two-Factor Authentication with RSA’s SecurID
Version 6 now has 9 different authentication options, which can be used when you first access the site, or as an additional authentication step when you need to access certain Password Lists. One of these new authentication options is two-factor authentication with RSA’s SecurID tokens – these can be physical or software based tokens. There’s obviously quite a few versions of the RSA Authentication Manager, and in our testing we’ve used version 7.1 SP4 Patch 22. RSA assures us that prior and new releases should work just fine. Read more here –

Two-Factor Authentication with Google Authenticator
Can’t afford the investment for RSA’s SecurID solution, then use two-factor authentication with Google’s Authenticator. Google Authenticator is a software based solution, which can be installed on the majority of mobile clients. Read more here –

Application Programming Interface (API)
With the new API built into Passwordstate, you can integrate your other applications and do away with hard coded passwords in scripts, etc. Data can be returned in either JSON or XML format.

It’s possible to perform the following API Calls:

  • Retrieve a Password record
  • Update a Password record
  • Add a new Password record
  • Retrieve all the history for changes to a Password record
  • Retrieve all Passwords records in a specific Password List
  • Retrieve all Passwords records across all Shared Password Lists
  • Search for Password records, based on various search criteria
  • Generate one or more random passwords
  • Retrieve details and settings for a Password List

For each Password List which you enable for the API (create and API Key), you can also configure which of the API calls above is allowed, or not allowed, as per the following screenshot:


Linking Password Lists to Templates
Password List Templates where introduced in version 5, which allowed you to specify some default settings which could then be applied to a Password List. With version 6, we’ve now introduced the feature whereby you can link a Template to one or more Password Lists, and manage the settings in one central location – the template itself. Read more here –

User Account Policies
User Account Policies allows you to specify various settings for how Passwordstate appears or behaves for users. Once you’ve created a policy, you can apply permissions based on user accounts, or security groups. You can even apply more than one policy to the same user. Examples of how this would be used are:

  • Specify a different Authentication Method for users who have higher privileges to systems i.e. Domain Administrators
  • You don’t wish for any of the charts to appear for your users – simply disable them with a policy
  • Allow only a certain number of users to use the ‘Auto Generate New Password’ feature when adding new passwords

Read more here –
More Generic Fields and Different Data Types
There are now up to 10 different Generic Fields you can choose from for your Password Lists, and each field can be configured as one of the following data types – Text Field, Free Text Field, Password Field, Select List, Radio Buttons or Data Picker. Read more here –

Allowed IP Ranges
Need to restrict which networks can access the Passwordstate web site or API? If so, then you can use the ‘Allowed IP Ranges’ feature, where you can specify individual IP Addresses, or a range of IP Addresses. Read more here –

Backups and In-Place Upgrades
Version 6 now has an automated backup feature built into it, where you can set a schedule for automatic backups of all the web files, and copies of the database. You can specify at what time of the day the backups should begin, how often they should be run, and how many copies to keep on disk. In addition to automatic backups, we now have In-Place Upgrades, which means no more uninstalling/reinstalling Passwordstate to get to the latest version – simply upgrade right from within the web site. You must have your automatic backups configured and working prior to using the In-Place Upgrades feature. Read more here –

Active Directory & Windows Actions
When a Password List is configured to synchronize password changes with Active Directory, or local accounts on Windows Servers, you can now enable the feature ‘Active Directory & Windows Actions. With this feature you can perform certain account related tasks, such has unlocking account, disable accounts, etc. Read more here –

Automatic Password Rotation
Again, when a Password List is configured to synchronize password changes with Active Directory, or local accounts on Windows Servers, you can take advantage of the ‘Automatic Password Rotation’ feature, which allows you to specify a set and forget schedule for automatically updating and synchronizing passwords when they expire. Read more here –

Click Studios

Checkout the amount of features we now have for Password Lists

Hello Everyone,

We’ve been gradually adding more and more features to Passwordstate, with the majority being suggestions from our fantastic customers – thanks guys. The following is a summary of features specific to Password Lists which are now available.

Password List Details
Image: You can choose an image to display in the Password List Navigation Tree
Password Strength Policy: Your Security Administrators of Passwordstate can create multiple Password Strength Policies, and they will all show under this dropdown field
Password Generator: Choose from one of the Password Generator options your Security Administrators can create – any time you see the little Calculator icon, you can
Code Page: Used for exporting data in the correct character encoding
Additional Authentication: When you click on a Password List in the navigation tree, you can choose to first make your users provide another level of authentication before you can access the Password List

Password List Settings
Allow Password List to be Exported
: Allow or disallow Security Administrators/List Administrators from exporting the contents of the Password List
Time Based Access Mandatory: Enforce one of the Time Based Access options – expire at a certain time for Password Lists, or for individual password records you can specify time-based, when the password changes, or one-time access
Handshake Approval Madnatory: Enforce the rule of two users needing to approve access prior to it being given
Prevent Password Reuse: You can specify the last (n) number of passwords cannot be reused
Prevent Non-Admin users from Dragging and Dropping the Password List: This relates to dragging and dropping Password Lists in the navigation tree
Prevent saving of Password records if a ‘Bad’ password is detected: Your Security Administrators controls the list of what is deemed to be a Bad password
Users must first specify a reason why they need to view, edit or copy passwords: By selecting this option, the users will be presented with a dialog asking them to provide a reason why the need to access the record. This reason is then stored in the auditing table
Prevent Non-Admin users from manually changing values in Expiry Date fields: If you have View or Modify access to a Password List, then you won’t be able to change the Expiry Date field if this option is selected
Reset Expiry Date field to Current Date +…: When this option is selected, changing the value of the password field will automatically update the Expiry Date field
Additional Authentication only required once per session: If you have chosen an ‘Additional Authentication’ option for this Password List, you can enforce users to authentication once for an active session, or every time they try to access the Password List

Copy Details & Settings From
This option allows you to clone settings from existing Password Lists, or any Password List template you have access to. This saves you on having to select all of the options mentioned above

Copy Permissions From
By selecting this option, you can quickly apply new permissions to this Password List, by either cloning the permissions on another Password List, or Password List Template

Click Studios

Passwordstate 5.4 Released

Hello Everyone,

Click Studios is very pleased to announce the availability of Version 5.4 of Passwordstate with 70 new features, updates and bug fixes in total. Notable changes are:

  • Synchronize Password changes with Active Directory or Windows Servers
  • Prevent Reuse of Passwords
  • Mandatory Password Strength options
  • Share Password List Templates with other users
  • Secondary authentication options for securing access to Password Lists and navigation Tabs
  • Improved document handling for Password Records and Password Lists
  • Search across all passwords in Password Folders
  • Audit Log Tamper Detection
  • Any many User Interface improvements

You can download the latest release from here –, or watch the following short video showing some of the new features.

Passwordstate 5.2 Released

Hello Everyone,

Click Studios is very pleased to announce the availability of Version 5.2 of Passwordstate with 10 new features, 7 enhancements & 9 bug fixes. Notable changes in this release are:

  • Now supports Region Settings (Locales) for individual user accounts which are in different time-zones
  • You can now upload documents and attached them to individual Password records
  • You can now have multiple Password Strength Policies, and apply them to different Password Lists
  • Multiple options are now available for automatically hiding visible passwords – a set time period, or variable time periods based on password complexity or length

For information relating to this release, and instructions in upgrading, please visit our web site at

We can’t thank our customers enough for their feature suggestions, and working with us to development a better product for everyone.

Click Studios

Passwordstate Compliance

Passwordstate on its own cannot make your organization compliant to any regulatory compliance acts (such as Sox or PCI DDS), but it can help your organization reach compliance in the following ways:

  • Access Management – Passwordstate has granular role based access, so segregation of access is possible. Read, modify and administrator permissions can be granted to Password Lists and individual Passwords, either to individual users or users who have membership within a Security Group. Security Administrators (who administer the whole system) have 12 different roles which can be applied
  • Password Length and Complexity – As users administer passwords in Passwordstate, they’re provided visual recommendations for how strong the password strength is based on policy set by the Security Administrators
  • Compliance reporting – Passwordstate has 32 different types of reporting available, based and the majority of events being audited as they occur. You can see a complete list of audit reports here –
  • Tracking and reporting of password resets – each password within Passwordstate can have an expiry date set, with reporting and email/visual reminders as a result
  • Password Reset Recommendations – when a user’s access to passwords is removed, a recommendation email is sent to each of the Password List Administrators recommending they reset the appropriate passwords
If you have any queries for specific acts, please contact us via our web site and we’d be only too happy to assist.
Click Studios

Passwordstate 5.0 Available

Hello All,

Click Studios are pleased to annouce the immediate availability of version 5.0 of Passwordstate, which can be downloaded from

As version 5.0 requires a new registration key, all existing customers will be emailed shortly with their new key.

Passwordstate 5 Beta

Some of the new features in version 5 are:

[Read more…]

Upgrading Passwordstate from 4.x to 4.5

In order to upgrade to version 5.0 of Passwordstate, you must first be using version 4.5.

To upgrade Passwordstate from version 4.0, 4.1, 4.2, 4.3 or 4.4 to 4.5, please following these instructions:

  • Backup your Passwordstate4 database
  • Take a copy of the web.config file
  • Uninstall Passwordstate from Control Panel (please note your database will not be touched during the uninstall)
  • Once uninstalled, reinstall version 4.5 of Passwordstate –
  • Replace the web.config file from step 2
  • Restart the Windows Service ‘Passwordstate Service’
  • If you have modified the standard ‘passwordstate4’ cname DNS entry for the web site, or configured the web site to use a SSL certificate, you will need to redo these steps
  • Browse to the Passwordstate web site, and it should take you to a page asking you to upgrade to version 4.5. You will need to specify an SQL account with sufficient privileges to alter table structures i.e the sa account, or an account with the ‘dbcreator’ role.

Mark Sandford

PS5 Update – Forms Based Authentication

Hi Everyone,

We’ve now finished coding forms based authentication for Passwordstate, for customers who do not wish to rely on Active Directory for authentication. Essentially each user will need to specify a username and password to authenticate for Passwordstate.

With forms based authentication, Passwordstate is still fully functional except for the following features:

  • Only local security groups can be used to logically organize user accounts – no synchronization with Active Directory security groups is possible
  • ScramblePad Authentication is not available – not really needed as the user has to manually authenticate anyway
  • Adding Active Directory user accounts – obviously 🙂

Mark Sandford

New Web Site Launched

New web site is finished – we hope you like it.