Personal Password Management Best Practices

We’re often asked what the recommended ‘Best Practices’ are for personal password management, so we’ve put together a short guide which we hope you will find useful.

The following suggestions are also applicable to passwords which are shared amongst team members, and while there is reference to features specific to Passwordstate, they are also useful tips for any other password management system.


Create a Private Password List

The first thing you will want to do in Passwordstate is create your own Private Password List. A Private Password List is hidden from all other users of Passwordstate (including Security Administrators), and permissions cannot accidentally be granted to other users, because the option to apply permissions to the Password List is disabled. It’s possible your Security Administrators have disabled the ability to create Private Password Lists, so if the option is greyed out under the ‘Passwords’ menu at the bottom of your screen, please speak to one of them. Below is a screenshot for adding a new Private Password List, on which we’ve highlighted a few options we recommend. Some of these options are covered further down in the blog post.

Caution – As you can see in the screenshot below, you have the option of specifying an ‘Additional Authentication’ step which is required before you can access the Password List. If you choose ‘Use Separate Password’, and forget this password, then the only way to restore access to the Password List is to have one of your Database Administrators restore a copy of the database prior to making the change. Security Administrators are able to reset your ScramblePad Pin Code, your Google Authenticator Secret Key, or your SecurID pin, but they cannot reset a personal password you apply to this list.

Encrypt Your Passwords
It goes without saying, but if your passwords aren’t encrypted in some way, then anyone who gets hold of the data can potentially gain access to your valuable resources. Passwordstate uses industry standard 256-bit AES encryption (Advanced Encryption Standard), and this should be the minimum encryption standard you accept. AES has been adopted by the US government and is now used worldwide. In addition to encrypting your passwords, their values should also be ‘salted’ in the database. A salt is an additional random input that is combined with the password or passphrase before it is hashed or encrypted, so the same password never produces the same stored value twice. The primary purpose of salts is to defend against dictionary attacks and pre-computed rainbow table attacks. In addition, even if your database administrator is snooping around the raw data, no two encrypted values appear to be the same. There are other features in Passwordstate which further protect against theft of the database and decryption attempts, such as the ‘Authorized Web Servers’ feature.

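As an added illustration of the salt point above (this is not Passwordstate’s own code, and the product’s storage format is not on this page), the Python below uses PBKDF2 hashing to stand in for the one-way function: with a per-record random salt, two records holding the same password get different stored values, and a table precomputed from unsalted hashes no longer matches anything. The wordlist and passwords are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

ITERATIONS = 100_000   # PBKDF2 work factor (constructed value for the demo)


def hash_unsalted(password: str) -> str:
    """The weak form: identical passwords give identical stored values."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive the stored value from the password plus a random per-record salt.
    Returns (salt, derived); the salt is kept beside the value and is not secret."""
    if salt is None:
        salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, derived


def verify_salted(password: str, salt: bytes, derived: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, candidate = store_salted(password, salt)
    return hmac.compare_digest(candidate, derived)


def precomputed_table(words: Iterable[str]) -> Dict[str, str]:
    """What a dictionary / rainbow-table lookup boils down to: a map from the
    unsalted hash of each candidate word back to the word."""
    return {hash_unsalted(w): w for w in words}


def demo() -> Dict[str, bool]:
    words = ["password", "letmein", "Passwordstate1"]      # constructed wordlist
    table = precomputed_table(words)
    # Two records holding the same password.
    a, b = hash_unsalted("letmein"), hash_unsalted("letmein")
    salt1, d1 = store_salted("letmein")
    salt2, d2 = store_salted("letmein")
    return {
        "unsalted_collide": a == b,                          # a DBA can spot duplicates
        "salted_differ": d1 != d2,                           # salted rows look unrelated
        "table_hits_unsalted": table.get(a) == "letmein",    # precomputed lookup works...
        "table_misses_salted": table.get(d1.hex()) is None,  # ...but not against salted values
        "verify_ok": verify_salted("letmein", salt1, d1),
        "verify_wrong": verify_salted("letmeout", salt1, d1),
    }
```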

Backup Your Passwords
We have witnessed quite a few customers over the years who do not back up their Passwordstate database. Best practice recommends you back up all IT systems, regardless of their importance or the sensitivity of the data. When we’ve asked these customers why they don’t have a backup of the database, we generally receive one of two responses: 1. I’m not a DBA and don’t know how to, or 2. I didn’t know we needed to do that. As of version 6 of Passwordstate, you can take advantage of the Automatic Backup feature. With this feature, you set a regular schedule, and Passwordstate performs the backups for you. It backs up all of the Passwordstate web files, and also a full copy of your database. There are a few steps required to configure Automatic Backups, and the following blog post provides further detail – http://www.clickstudios.com.au/blog/backups-and-in-place-upgrades/.


Create Strong Passwords
The stronger the password, the harder it is to guess or crack. The issue with complex passwords is they’re difficult to remember, and often a pain to create. In Passwordstate we’ve provided a Password Generator, and this tool allows you to easily create complex passwords. There are numerous Alphanumeric and Special character options, as well as the use of a Word Dictionary which contains 10,000 words which can be inserted into your password phrase. The following article on our site also goes into some detail about choosing good passwords – http://www.clickstudios.com.au/articles/choosing-good-passwords.html

Once you’ve set the options for your Password Generator, any time you need to create a new complex password you simply click on the Password Generator icon. And there really is no need to try and memorize these passwords when using Passwordstate – you can unmask the password at any time by clicking on the ****** value you see in the grids, or you can copy the password to the clipboard by clicking on the copy icon.

Reset Passwords on a Regular Basis
How often do you read on the Internet of some site’s user database being compromised and all the users’ passwords being leaked? Unfortunately, it’s all too often. If you reset your passwords on a regular basis, then this becomes less of an issue. We have a couple of features in Passwordstate which help with the reset task, and they all revolve around the use of the ‘Expiry Date’ field. When you populate the Expiry Date field, you can see visually on the screen when a Password should be reset – if the Password has already ‘expired’, or will expire in the next 30 days, then the Expiry Date field is highlighted in red. In addition to this, we have the ‘Expiring Passwords’ report, which you can choose to receive via email either daily, weekly or monthly. This email report provides a list of all your Passwords which have already expired, or are about to expire in the next 30 days.


Avoid Password Reuse
And finally, one of the worst things you can do is reuse Passwords across different systems and web sites. We all do it, but it is probably one of the worst password management practices you can adopt. Any time one Password on a web site or system is compromised, the hacker could potentially gain access to all your other systems – assuming they know your login ID. In the screenshot above of the Private Password List’s settings, you will notice we’ve highlighted the feature ‘Prevent Password Reuse’. When this feature is enabled, Passwordstate queries the history of changes for the Password record and prevents you from ‘reusing’ any of the most recent passwords, up to the number you set.

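The two checks described in the last two sections (the 30-day expiry highlighting and report, and the ‘Prevent Password Reuse’ history check) as an added Python model; this is not Passwordstate’s code, the record class is a constructed stand-in for the real schema, and it assumes the reuse count includes the current value.

```python
from datetime import date, timedelta
from typing import List, Optional, Tuple

EXPIRY_WARNING_DAYS = 30   # the page's window: expired or due within 30 days


class PasswordRecord:
    """Minimal stand-in for a Passwordstate password record (constructed model;
    the real schema is not on the page). `history` holds previous values,
    newest first, as a change history would."""

    def __init__(self, title: str, value: str, expiry: Optional[date] = None,
                 history: Optional[List[str]] = None) -> None:
        self.title = title
        self.value = value
        self.expiry = expiry
        self.history: List[str] = list(history or [])

    def expiry_status(self, today: date) -> str:
        """'none' (no Expiry Date set), 'expired', 'expiring' (within the
        30-day window, boundary inclusive) or 'ok'."""
        if self.expiry is None:
            return "none"
        if self.expiry < today:
            return "expired"
        if self.expiry <= today + timedelta(days=EXPIRY_WARNING_DAYS):
            return "expiring"
        return "ok"

    def highlight_red(self, today: date) -> bool:
        """Whether the grid would show the Expiry Date field in red."""
        return self.expiry_status(today) in ("expired", "expiring")

    def reuse_blocked(self, new_value: str, prevent_last_n: int) -> bool:
        """Prevent Password Reuse: reject `new_value` if it matches any of the
        last N values, counting the current one (assumption; 0 disables)."""
        if prevent_last_n <= 0:
            return False
        recent = ([self.value] + self.history)[:prevent_last_n]
        return new_value in recent

    def change(self, new_value: str, prevent_last_n: int) -> None:
        """Apply a new value, pushing the old one into the history."""
        if self.reuse_blocked(new_value, prevent_last_n):
            raise ValueError(f"{self.title}: value was used within the last "
                             f"{prevent_last_n} passwords")
        self.history.insert(0, self.value)
        self.value = new_value


def expiring_passwords_report(records: List[PasswordRecord],
                              today: date) -> List[Tuple[str, str]]:
    """Content of the 'Expiring Passwords' e-mail: every record that has
    already expired or is due to expire within the next 30 days."""
    return [(r.title, r.expiry_status(today))
            for r in records if r.highlight_red(today)]
```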
We hope you find this a useful guide for Personal Password Management Best Practices.

Regards
Click Studios

How To Clone a Folder

Hi Everyone,

Today we released Build 5638 of Passwordstate, which includes a new feature where you can clone a Password Folder, and any Folders or Password Lists nested beneath it. This feature is very handy for keeping a consistent structure for storing all your passwords.

To clone a folder, you first need to click on it in the Navigation Tree, then click on the ‘Folder Options’ button at the top of the screen, and then you will see the ‘Clone Folder’ link. From here you have the following options available to you:

  • Specify the new name of the folder to be cloned
  • Choose whether you want to clone all Folders and Password Lists nested below the chosen folder, or just clone Folders only
  • Choose what permissions you would like to apply to the new Folders and Password Lists – either clone the current permissions, apply permissions just for yourself, or don’t apply any permissions at all

When you have finished cloning the folder, it will place the structure in the root of the Navigation Tree. Standard processing occurs when cloning folders i.e. appropriate audit events are logged, and email notifications are sent informing users they have access to one or more new Password Lists. We’ve also provided a ‘Save & Clone Again’ button, so you can quickly repeat the process. Below is a screenshot from version 6 of Passwordstate, showing the options available to you.

Note: Cloning Password Lists will not clone any of the passwords contained within them – only settings, customisations and permissions will be cloned.

Cloning Folders in Passwordstate

We hope you like this new feature, and please leave us some comments if you like.

Regards
Click Studios


Generate Random Passwords

Passwordstate has a quite capable Password Generator, and can be used in a couple of ways – each user can have their own personal Password Generator options, or specific options can be assigned to individual Password Lists. We’ll run through some of the options now:

Alphanumerics & Special Characters
You can specify which letters, numbers and special characters will be used when generating passwords by selecting the appropriate options on the ‘Alphanumerics & Special Characters’ tab. Options are:

  • Include Alphanumerics & Special Characters – if omitted, then only ‘Word Phrases’ will be used to generate the passwords
  • Length – specify the minimum and maximum length of characters/numbers generated
  • Lower-case – choose if you want to include lower-case characters
  • Upper-case – choose if you want to include upper-case characters
  • Numbers – choose if you would like to include numbers
  • Include higher ratio of alphanumerics vs special characters – if you also choose to include special characters, you can have the generator produce a higher proportion of alphanumeric characters than special characters
  • Include ambiguous alphanumerics – characters like I, l and 1 may be confusing because it’s difficult to tell them apart, so you can choose to exclude them
  • Include the following special characters – you can use the predefined ones, or modify them to suit your own requirements
  • Include the following brackets – again, you can choose the predefined brackets, or just specify the ones you want to use

Alphanumeric Password Generator Options


Word Phrases
To make the passwords a little easier to read and remember, you can also choose to insert random words within the password itself. There are 10,000 random words which can be used. Options are:

  • Include Word Phrases – to include them or not
  • Number of Words – how many words you would like inserted in the password
  • Maximum Word Length – specify the maximum length of the word which will be generated

Word Phrase Password Generator Options

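The generator options from the two tabs above (and the Password Generator mentioned under ‘Create Strong Passwords’ earlier) as an added Python implementation; this is not Passwordstate’s generator, the 3:1 weighting for the ‘higher ratio’ option and the look-alike set are assumptions, and the eight-word list is a constructed stand-in for the 10,000-word dictionary.

```python
import secrets
import string
from typing import List

AMBIGUOUS = set("Il1O0")   # hard-to-read look-alikes; the page names I, l and 1

# Constructed mini dictionary standing in for the product's 10,000-word list.
WORDS = ["harbour", "cobalt", "meadow", "lantern", "quartz", "thistle", "velvet", "saddle"]


def build_alphabet(lower: bool, upper: bool, numbers: bool, ambiguous: bool) -> str:
    """Alphanumeric pool per the tab's options; drop look-alikes if asked."""
    chars = ""
    if lower:
        chars += string.ascii_lowercase
    if upper:
        chars += string.ascii_uppercase
    if numbers:
        chars += string.digits
    if not ambiguous:
        chars = "".join(c for c in chars if c not in AMBIGUOUS)
    return chars


def generate(include_alnum: bool = True, min_len: int = 12, max_len: int = 16,
             lower: bool = True, upper: bool = True, numbers: bool = True,
             ambiguous: bool = False, specials: str = "!@#$%^&*",
             brackets: str = "()[]{}", higher_alnum_ratio: bool = True,
             word_count: int = 0, max_word_len: int = 8) -> str:
    """One password built from the Alphanumerics & Special Characters and
    Word Phrases options. Words are spliced in whole at random positions, so
    the final length is the character length plus the inserted words."""
    if min_len > max_len:
        raise ValueError("minimum length must not exceed maximum length")
    chars: List[str] = []
    if include_alnum:
        alnum = build_alphabet(lower, upper, numbers, ambiguous)
        special_pool = specials + brackets
        if not alnum and not special_pool:
            raise ValueError("no character classes enabled")
        # Weight the draw ~3:1 in favour of alphanumerics when the ratio option is on.
        pool = alnum * 3 + special_pool if higher_alnum_ratio else alnum + special_pool
        length = min_len + secrets.randbelow(max_len - min_len + 1)
        chars = [secrets.choice(pool) for _ in range(length)]
    candidates = [w for w in WORDS if len(w) <= max_word_len]
    if word_count > 0 and not candidates:
        raise ValueError("no dictionary word fits the maximum word length")
    for _ in range(word_count):
        word = secrets.choice(candidates)
        pos = secrets.randbelow(len(chars) + 1)
        chars[pos:pos] = list(word)
    if not chars:
        raise ValueError("alphanumerics omitted and no word phrases requested")
    return "".join(chars)


def generate_many(count: int, **options) -> List[str]:
    """The Generate Passwords tab: produce `count` passwords with one set of options."""
    return [generate(**options) for _ in range(count)]
```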

Generate Passwords
And now that you have specified all the settings for generating your password(s), on this tab you can specify how many passwords you would like to generate.

Generate Random Passwords


We hope you find this blog post useful, and please let us know if you have any other suggestions for posts you would like to see about our Password Manager software.

Regards
Click Studios

Flexible Options for Hiding Passwords

Hi Everyone,

Thought we’d share another little feature with you which might not be so obvious. On each of the Password Lists screens, there is a ‘Password’ column which shows the masked password and provides an icon you can click to copy the Password to the clipboard – see image below. Did you know there are three options for how long the Password will stay visible on the screen when you click the masked password text? Read on below to find out about each of the three options:

Masked Passwords
To find the option to change how quickly the Passwords will be hidden (masked), visit the page Administration -> System Settings -> Password Options Tab.

Option 1 – Hide Based on a Set Time
Regardless of the length or complexity of the Password, you can hide the Password based on a set time interval – in seconds.

Hide Password Based on Set Time

Option 2 – Hide Based on Complexity of the Password
As you’re aware, each Password is deemed to be of a certain ‘Strength’, and this strength can differ depending on which ‘Password Strength Policy’ is assigned to the Password List. You can set a specific time interval for each of the 5 different Password Strengths – Very Poor, Weak, Average, Strong & Excellent.

Hide Password Based on Complexity

Option 3 – Hide Based on Password Length
It can be very difficult to read an unmasked Password in its entirety if it is a long password – more than likely it will be hidden before you’ve finished typing the password into a different screen somewhere. To overcome this, you can hide the Password based on different set time intervals for three different Password Lengths, all of which can be customized to your liking. Note that Length 3 is a ‘greater than or equal to’ threshold, whereas the other two are ‘less than or equal to’. This means you should set Length 3 to be one value greater than Length 2, so that every possible length matches exactly one rule.

Hide Password Based on Length

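The three hide options above, including the Length 3 = Length 2 + 1 caveat turned into a check, as an added Python example (not Passwordstate’s code; the threshold and interval values in the test are constructed):

```python
from typing import Dict, Tuple

STRENGTHS = ("Very Poor", "Weak", "Average", "Strong", "Excellent")


def hide_seconds_by_time(fixed_seconds: int) -> int:
    """Option 1: one interval regardless of the password."""
    if fixed_seconds <= 0:
        raise ValueError("interval must be positive")
    return fixed_seconds


def hide_seconds_by_strength(strength: str, table: Dict[str, int]) -> int:
    """Option 2: one interval per Password Strength (five values)."""
    if strength not in STRENGTHS:
        raise ValueError(f"unknown strength {strength!r}")
    return table[strength]


def validate_length_thresholds(len1: int, len2: int, len3: int) -> None:
    """Option 3 caveat from the post: Lengths 1 and 2 are 'less than or equal',
    Length 3 is 'greater than or equal'. Unless Length 3 == Length 2 + 1 some
    password lengths would match no rule, or two rules."""
    if not (0 < len1 < len2):
        raise ValueError("Length 1 must be positive and below Length 2")
    if len3 != len2 + 1:
        raise ValueError("Length 3 must be exactly one greater than Length 2")


def hide_seconds_by_length(password_length: int,
                           thresholds: Tuple[int, int, int],
                           seconds: Tuple[int, int, int]) -> int:
    """Option 3: thresholds = (Length 1, Length 2, Length 3),
    seconds = the interval configured for each of the three rules."""
    len1, len2, len3 = thresholds
    validate_length_thresholds(len1, len2, len3)
    if password_length <= len1:
        return seconds[0]
    if password_length <= len2:
        return seconds[1]
    return seconds[2]   # password_length >= len3 == len2 + 1
```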
We’ll keep posting tips like this for our Password Management Software, and please leave us some comments if there’s anything specific you would like us to explain.

Regards
Click Studios

Linking Passwords Between Password Lists

We received an email request from a customer today, and it said “I have a request from the team regarding the sharing of same password by multiple applications. For instance, if Application A and B are both using the shared account “SP1”. Do we need to enter the same information twice? Or just one time?”.

Well, the answer is there’s no need to enter the information more than once – you can create a password in one Password List, and then ‘Copy and Link’ the password to a different Password List. Any changes to either copy of the password will be synchronized automatically, with audit records being added for each of the Password Lists, and email alerts as per normal. You can even link the one password across 3 or 4 different Password Lists if you wish.

To link Password records you need to:

Select ‘Copy or Move to Different Password List’ from the ‘Actions’ dropdown menu in the Passwords grid, as per the screenshot below:

Copy or Move to Different Password List


Now you can select the option ‘Copy & Link’, as well as the Password List you want to copy and link to.

Link the Password

Pretty simple when you know the feature is there 🙂

If there’s any other hints and tips you would like to see about our Enterprise Password Management software, please leave us some comments.

Regards
Click Studios

Customized Fields and Screens

We had an interesting conversation with a customer recently, in that they weren’t aware they could choose which fields they would like to associate with a Password List, or that they could customize the look and feel of the main passwords screen. To help other customers who may not be aware, we thought we’d write this post.

Customized Fields
When you first create a new Password List, you will see various tabs on the screen. The ‘Customize Fields’ tab is where you can specify which fields you would like to use, which ones you would like to make mandatory for data entry, and also gives you the option to rename any generic fields you choose to use.

If you already have an existing Password List you would like to modify, Administrators of the Password List can do so by selecting ‘Edit Password List Details’ from the ‘List Administrators Actions’ drop-down list.

Once you have the edit screen open, then you can change the fields by clicking on the ‘Customize Fields’ tab again.


Customizing the Passwords Screen
To customize how the password screen appears, you can click on the ‘Screen Options’ button at the top of the page.

Once you have clicked this button, the following tabs will be available to you:

  • Password Columns – Allows you to choose which fields you would like displayed on the grid. If you hide some fields from the grid view, they are still available when you add or edit passwords. You can also choose to apply these field view settings to one or more Password Lists under the section ‘Apply to the following Password Lists’.
  • Passwords Grid – Allows you to choose how many records to display in the grid view, and whether you want to show the Header, Footer or Filters for the grid – as the name implies, Filters allows you to filter contents of the grid based on the values you specify for one or more fields
  • Recent Activity Grid – Similar to the ‘Passwords Grid’ tab, except this is for the auditing grid at the bottom of the screen. Difference here is you can choose to hide this grid completely if required
  • Pager Style – once the number of passwords exceeds the number of rows you want to display in the password grid, a ‘Pager’ will be displayed at the bottom of the grid, allowing you to page through the records. On this tab, you can choose the style of the pager you want displayed – either Buttons or a Slider
  • Chart Settings – To the right of the passwords grid, you can have two charts displayed if you choose – one for a summarized view of the password strength for all passwords in the Password List, and the other for who is most active in making changes in this Password List


Regards
Click Studios

Email Notifications within Passwordstate

Passwordstate can generate up to 42 different types of emails, most of which can be enabled or disabled as required – certain emails cannot be disabled due to their nature, such as ‘Audit Log Tamper Detection’. What most people don’t realise is that email notifications can be managed in three separate ways:

Managed By User
Each user can manage their own email notifications by visiting the ‘Preferences’ area for their account. From the ‘Email Notifications’ tab, they can select which email categories to enable or disable, depending on their personal preference.

Managed for Several Users at Once
As of Build 5416, we now have a feature called ‘Email Notification Groups’. This feature allows Security Administrators of Passwordstate to manage notifications for a collection of user accounts, or for members of specific security groups. In enabling this option for a user, it will disable their ability to specify their own settings under the Preferences section mentioned above.

Managed System-Wide for All Users
Under the Administration area of Passwordstate, there is a feature called ‘Email Templates’. This feature allows the Security Administrators to customize the body of each of the emails sent, and also allows them to disable/enable all notifications system-wide – which overrides the two methods mentioned above. Most customers disable all email templates whilst they are configuring Passwordstate initially, to prevent a considerable number of emails being generated as they add/import passwords from existing systems.

For your reference, a complete list of the Email Notifications can be found here – http://www.clickstudios.com.au/about/notifications.html

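The precedence between the three management levels above, as an added Python resolver (not Passwordstate’s code). It assumes an unconfigured category defaults to enabled, that a disabled Email Template wins over group and personal settings, and that the ‘Audit Log Tamper Detection’ category is always sent; the other category and user names are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict

# Categories the post says cannot be switched off (name taken from the post).
ALWAYS_ON = {"Audit Log Tamper Detection"}


@dataclass
class NotificationPolicy:
    # Managed System-Wide: Email Templates. False = disabled for everyone.
    templates_enabled: Dict[str, bool]
    # Managed for Several Users at Once: Email Notification Groups.
    # user -> group name, and group name -> per-category switches.
    group_of_user: Dict[str, str] = field(default_factory=dict)
    group_enabled: Dict[str, Dict[str, bool]] = field(default_factory=dict)
    # Managed By User: personal Preferences, per-category switches.
    user_enabled: Dict[str, Dict[str, bool]] = field(default_factory=dict)

    def managed_by(self, user: str) -> str:
        """'group' when the user is in a Notification Group (their own
        Preferences are then ignored), otherwise 'user'."""
        return "group" if user in self.group_of_user else "user"

    def should_send(self, user: str, category: str) -> bool:
        """Resolve whether `user` receives an e-mail of `category`.
        Order: always-on categories, then the system-wide template switch,
        then the group setting (if the user is in a group), else Preferences.
        Unknown categories default to enabled (assumption)."""
        if category in ALWAYS_ON:
            return True
        if not self.templates_enabled.get(category, True):
            return False
        if self.managed_by(user) == "group":
            group = self.group_of_user[user]
            return self.group_enabled.get(group, {}).get(category, True)
        return self.user_enabled.get(user, {}).get(category, True)

    def disable_all_templates(self) -> None:
        """What the post says customers do during initial configuration."""
        for category in self.templates_enabled:
            self.templates_enabled[category] = False
```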
Regards
Click Studios

Time-Based Access to Passwords and Passwordstate

A couple of features we’ve had for quite some time now are Time-Based Access to Passwords, and Time-Based Access to Passwordstate itself. To start with, we’ll show you time-based access to Password Lists:

Time-Based Access to Password Lists

When applying permissions to a Password List, you will notice a tab called ‘Time Based Access’. By clicking on this tab you can set the access to expire automatically at a specific time, or by a certain number of days, hours and minutes into the future.

After you have set the expiry date for the access, a new icon will be shown in the ‘Expires’ column of the Password Lists Permission page:

The Passwordstate Windows Service checks every minute whether any access has expired, and removes the permissions if appropriate.

Time-Based Access to Passwordstate

Another useful feature is to automatically remove or disable a user’s account in Passwordstate at a set time. The screen for configuring expiry of an account is similar to the one for Password Lists, except this time you can also choose to disable or delete the user’s account.

This feature is very useful if you have contractors working in your organization, or if you have an employee leaving at a known time.

Regards
Click Studios

Passwordstate – Password Management Software

Synchronize Passwords with Active Directory

As of version 5.4 of Passwordstate, it’s now possible to synchronize passwords in Passwordstate with either Active Directory or local Windows Servers.

In order for a Password List to be ‘ready’ for synchronization, the following ‘Customized Fields’ are required for the Password List:

  • You must select the ‘User Name’ field
  • You must select one Generic Field and label it ‘Domain or Host’
  • You must select the ‘Account Type’ field

When a Password List is ready for synchronization, you will see the following graphic at the top-right hand side of the Password grid:

Now, when you edit a record, you will see the following screen:

  • 1 – You must select the ‘Account Type’ of Windows
  • 2 – The ‘Account Synchronization Enabled’ indicator will be shown
  • 3 – This icon allows you to confirm the password you are entering matches what’s stored in Active Directory or on the local Windows Server
  • 4 – This is what you click on to save the record in Passwordstate, and to change (sync) the password in Active Directory or local Windows Server

Note: When adding a new password record to Passwordstate, you cannot also add the account into Active Directory or local Windows Server, however you can confirm the password is correct by clicking on the Check Password icon.

As of Build 5416, we also have a report which you can run for Password Lists which validates in real-time if the passwords are synchronized. You will see the following drop-down menu option if the Password List is ‘ready’ for synchronization:

Troubleshooting Sync Issues

It’s possible that synchronization may not work with the default settings, due to different security restrictions customers may place on their Active Directory environment. If you receive a popup message when synchronizing to say there was an error, and to check your settings, you may need to specify an appropriate domain account to synchronize with. On the screen Administration -> System Settings -> Active Directory Options Tab, you can specify an account as per the screenshot below.

If you still have issues after this, something else which may be required is specifying the same AD account as the Application Pool identity in IIS – you can follow the instructions in our installation documentation labelled ‘11. Active Directory & IIS Application Pool’.



We hope you like the new feature, and look forward to hearing any feedback from you.

Regards
Click Studios

Video – Password Recycle Bin

Hi Everyone,

The following video demonstrates how to use the Recycle Bin feature within Passwordstate. Any questions at all about the feature, please don’t hesitate to ask.

Regards
Click Studios