Passwordstate 7.0 New Features

Hi Everyone,

We’re sorry for being so quiet for the past few months, but we’ve been busy working on the biggest release of Passwordstate since its initial release in 2004. We’re getting close to finishing it, with only a couple more features left to code and test. In total there are about 80 updates in version 7, and below are some of the major features coming.

New Vertical Navigation Menu
In version 6 of Passwordstate we introduced a new Horizontal menu system at the bottom of the page. While this was well received by most customers, some customers didn’t like it. So in version 7 you will have the option of either a horizontal menu at the bottom of the screen, or a new vertical menu on the left-hand side of the screen.

There are 3 ways in which you can choose the Menu System to use: it can be applied System Wide for all users, users can choose it as part of their Preferences, or you can create a User Account Policy and apply the setting to specific users or security groups.

Different Colour Themes
So you probably noticed a different shade of blue above 🙂 Yes, we’ve finally added in colour themes for version 7, and they can be applied the same way as the menu option above: System Wide, User Preferences or User Account Policy. Believe it or not this took quite a bit of work, as we needed to figure out how to change the colours applied to the Telerik ASP.NET Ajax Controls – http://www.telerik.com/products/aspnet-ajax.aspx

Browser Extensions for Form-Filling Web Site Logins
We’ve had a lot of customers requesting this feature, so we’re very excited we can finally offer it. Initially we will be releasing the extension for Chrome, and once we and our customers are happy with the functionality of it, we will provide extensions for Internet Explorer and Firefox as well.

Most of you are probably familiar with this sort of extension, and it will be similar to the functionality provided by LastPass, RoboForm, or any of the other offerings. Basically it allows you to save all your web logins into a Password List of your choice, and then every time you visit the site the extension can log in for you automatically, without you needing to type in your username and password.

Discover Different Windows Hosts on the Network, and Manually Add or Import Linux/Routers/Switches, etc
In itself, this feature doesn’t provide any real functionality, but is a pre-requisite to two other major features in version 7. You have the option to import Hosts via a CSV file, or we’ve added a ‘Discovery’ process which can query your Active Directory environment for Windows Hosts, and automatically import them into Passwordstate.

Access to each of the Hosts within Passwordstate is also permission based, so once imported you need to apply permissions for users who wish to make use of the new features which rely on the Hosts records. Below are a couple of screenshots of the Hosts screen, and the Discovery screen.

Reset Passwords Just About Everywhere
One of the major features in version 7 is the ability to change passwords automatically on various remote systems. The following will be supported when V7 is released:

  • Active Directory Accounts
  • Local Windows Accounts
  • Windows Services
  • IIS Application Pools
  • Scheduled Tasks
  • Cisco network equipment (routers, switches, etc)
  • Linux/Unix Accounts
  • Microsoft SQL Server and MySQL Server accounts

The Password Reset, Password Validation, and Resource Discovery features are all achieved via the use of PowerShell scripts (we’re calling Windows Services, IIS App Pools and Scheduled Tasks ‘Resources’ in version 7). In the early planning stages, we were a little undecided whether to build our own ‘agents’ to be deployed to hosts to allow the password resets, or whether to use PowerShell scripts. In the end, it made much more sense to use PowerShell scripts, as it gives our users a lot more flexibility if they need to modify a script themselves, and some customers already use PowerShell heavily for managing their Windows environment.

Like any solution for accessing and making changes to remote hosts, there are some system requirements for this functionality – primarily the Windows hosts will require PowerShell 2 or above installed, and PowerShell Remoting enabled. We provide full documentation for what’s required here. This functionality also works for non-trusted Active Directory Domains, so if you look after a lot of different client environments, all you need is functioning DNS, and domain account credentials with privileges to make the change.

Below is a screenshot of the default scripts we provide, as well as a screenshot of one of the scripts. You can modify these scripts, restore the default script, or add your own.

As an example of the flexibility of this feature, when a password is updated in Passwordstate, you can also execute a PowerShell script to run any of your own custom MS SQL or MySQL scripts, say to update data in a table. The possibilities are only limited by your scripting skills 🙂

Discover Windows Services, IIS App Pools and Scheduled Tasks
As mentioned above, it’s possible to perform password resets for Windows Services, IIS Application Pools, and Scheduled Tasks which are configured to run under the identity of a domain account. While you can manually add these ‘Resources’ into Passwordstate, we’ve provided a feature whereby you can automatically discover them on your network, associate them automatically with the appropriate host, and also add the domain account used to a selected Password List if it doesn’t already exist in it.

Launch RDP, SSH, Telnet and VNC sessions to Remote Hosts
This is another new feature which takes advantage of adding/importing hosts into Passwordstate. Once you have installed our Remote Session Launcher utility (Windows only), and created one or more ‘Remote Session Credential Queries’, then you can launch a remote session to Hosts without having to enter your credentials to authenticate – it logs you in automatically, and adds appropriate auditing records to reflect the action. The basic process to use this functionality is:

  • Install the Remote Session Launcher utility (Windows only, and requires PowerShell to be installed)
  • Make sure you have all your Hosts added/imported into Passwordstate
  • Create one or more Remote Session Credential queries, and link it to a password you have stored in Passwordstate – screenshot 1 below
  • Now when you click on a Host in Passwordstate (screenshot 2 below), if the Host matches one of your saved “credential queries”, then it will launch the remote session without you needing to enter your Username and Password. There’s also an option to specify your login details manually if needed.

We also have provided a dedicated ‘Remote Session Launcher Screen’ which will allow you to use this feature all day long without being automatically logged out of Passwordstate if you are inactive for a period of time.

Two-Factor Authentication with Duo Security
We’ve had quite a few requests recently to support Duo Security Two-Factor Authentication (https://www.duosecurity.com), so we’ve added support for this to the Web User Interface, and the Mobile App.

More improvements to the API
We’ve also made some improvements to the API in version 7, specifically:

  • You can now add Folders and Password Lists through the API
  • We’ve made it more secure by allowing the API Key to be specified in the Request Header instead of the querystring
  • Private Password Lists can now be queried in the API, but only when using the Password List’s API Key, not the System Wide one.
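
The header option matters because query strings are typically recorded in web server access logs (the `cs-uri-query` field of IIS W3C logs), while arbitrary request headers are not logged by default. The following is an added example, not Click Studios code: it audits a W3C-format log for API keys that were sent in the querystring and redacts them. The parameter name `apikey`, the request paths and the log lines are constructed assumptions.

```python
from urllib.parse import parse_qsl, urlencode

# Assumption: the querystring parameter that carries the key is named "apikey".
SENSITIVE_PARAMS = {"apikey"}

# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2014-06-01 02:10:11 GET /api/passwords/42 apikey=CONSTRUCTED-KEY-0001&format=json 10.0.0.5 200
2014-06-01 02:10:15 GET /api/passwords/42 format=json 10.0.0.6 200
2014-06-01 02:11:02 GET /api/searchpasswords/7 search=sql&APIKey=CONSTRUCTED-KEY-0002 10.0.0.5 200
2014-06-01 02:11:30 GET /default.aspx - 10.0.0.9 200
"""


def redact_query(query):
    """Return (redacted_query, names_of_sensitive_params_found)."""
    if query == "-":                      # W3C logs use "-" for an empty field
        return query, []
    pairs = parse_qsl(query, keep_blank_values=True)
    hits = [name for name, _ in pairs if name.lower() in SENSITIVE_PARAMS]
    redacted = urlencode(
        [(name, "REDACTED" if name.lower() in SENSITIVE_PARAMS else value)
         for name, value in pairs]
    )
    return redacted, hits


def audit_log(text):
    """List requests whose querystring exposed an API key, with the key redacted."""
    fields, findings = [], []
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]     # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):    # malformed row, skip rather than guess
            continue
        row = dict(zip(fields, values))
        redacted, hits = redact_query(row.get("cs-uri-query", "-"))
        if hits:
            findings.append({
                "line": line_no,
                "client": row.get("c-ip"),
                "stem": row.get("cs-uri-stem"),
                "query": redacted,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_log(SAMPLE_LOG):
        print(finding)
```

Any key this audit finds in a log should be treated as exposed to everyone who can read that log, and regenerated once the calling script has been moved to the header.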

 

And Various other Features
As mentioned, there are 80 updates in total, and below are a few more mentions:

  • New Dashboard Layout for Password Home and Folder pages – allows you to choose which panels to display, and where
  • New Favorite Password Lists feature, whereby favorites can be easily filtered in the Navigation Tree
  • New “Self Destruct Message” feature for sending time-bombed messages to other users
  • Added the ability to encrypt any one of the Generic Fields you can select for Password Lists
  • Auditing data for the High Availability instance is now maintained if the HA site is accessed
  • Added option to Password Lists to ensure passwords are not visible and cannot be copied to clipboard
  • Added option to force users to use the Password Generator associated with a Password List
  • User Account Policies can now dictate which Template is to be used when creating Shared or Private Password Lists
  • Added the ability to generate random passwords based on a pattern of alphanumeric characters
  • Added the ability to exclude certain characters from a generated password
  • Filtering in the Navigation Tree can now also filter on Folder names
  • A user’s password, when using Forms based authentication, will now expire after a set period, and password reuse is prohibited
  • Email alerts from the High Availability instance of Passwordstate are now queued, instead of being sent real-time
  • Added the ability to see all Private Password Lists on the screen Administration -> Password Lists. The only features available with this are deleting the Password List, or changing settings
  • Moved all ‘Administration’ navigation menu items to their own Navigation Tree
  • It’s now possible to send specific email notifications to a generic email address

 

Quite a long post, but we have been busy 🙂 We hope you all like version 7 when it’s released in a month or two’s time.

Two-Factor Authentication Using Email and Pin Code

In Build 6215 we introduced another two-factor Authentication option in addition to what was already possible with RSA’s SecurID or Google Authenticator. If you’d also like to watch a video demonstrating this feature, you can do so here – Watch Video

This two-factor authentication option allows you to specify an email address where a temporary pin code can be emailed, which is used as the basis for the authentication. Instead of just using your email address associated with your Passwordstate user account, we provide the option to specify a different email address so you can send it to a personal email account none of your work colleagues may have access to, so you can receive the email on your mobile device, or so you can send to an SMS gateway. In addition to using this authentication method for accessing Passwordstate, you can also configure Password Lists to use this option as an additional authentication step which is required each time a user wishes to access password records in the Password List.

Before we get into how it works, let’s cover some of the settings for this feature.

In order to start using this feature, you need to first select the Authentication Option on the Preferences screen, and also specify the email address where you want the temporary pin code to be sent. It’s possible your Security Administrators of Passwordstate may select this authentication option for you as well, and they can do this as a System Wide setting, or possibly configure a User Account Policy for you.

The Security Administrators of Passwordstate can also configure a couple of settings for this feature, including the minimum length of the pin code and how long the pin code will be active.

Now that your Preferences and System Settings are configured, you will be presented with the following screen when you attempt to authenticate. You will notice initially the login screen reminds you which email address the Pin Code is being sent to, and then it shows a countdown timer indicating when the temporary pin code will expire.

And below is a screenshot of an example email you will receive – simply enter the pin code before it expires, and the authentication step will be complete.
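
To show how the two configurable settings above (pin code length and how long the pin code stays active) shape the check on the server side, here is an added sketch; it is not Passwordstate’s implementation. The class and parameter names are hypothetical, and the attempt limit, single-use behaviour and keyed hash are hardening choices assumed here rather than described in this post.

```python
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class PendingPin:
    digest: bytes        # keyed hash of the PIN; the PIN itself is never stored
    expires_at: float    # clock value after which the PIN is rejected
    attempts_left: int   # wrong guesses remaining before the PIN is discarded


class EmailPinAuthenticator:
    """Issue and verify short-lived PIN codes (hypothetical names throughout)."""

    def __init__(self, pin_length=6, lifetime_seconds=120, max_attempts=3,
                 clock=time.monotonic):
        if pin_length < 4:
            raise ValueError("a PIN shorter than 4 digits is trivially guessable")
        self.pin_length = pin_length
        self.lifetime_seconds = lifetime_seconds
        self.max_attempts = max_attempts
        self._clock = clock
        self._key = secrets.token_bytes(32)   # per-process key for the keyed hash
        self._pending = {}

    def _digest(self, user, pin):
        msg = user.encode() + b"\x00" + pin.encode()
        return hmac.new(self._key, msg, "sha256").digest()

    def issue(self, user):
        """Create a fresh PIN for the user; the caller emails the returned value."""
        # secrets draws from the OS CSPRNG; random.randint would be predictable.
        pin = "".join(secrets.choice("0123456789") for _ in range(self.pin_length))
        self._pending[user] = PendingPin(
            digest=self._digest(user, pin),
            expires_at=self._clock() + self.lifetime_seconds,
            attempts_left=self.max_attempts,
        )
        return pin

    def seconds_remaining(self, user):
        """Value a login page could show in its countdown timer."""
        entry = self._pending.get(user)
        if entry is None:
            return 0
        return max(0, int(entry.expires_at - self._clock()))

    def verify(self, user, candidate):
        entry = self._pending.get(user)
        if entry is None:
            return False
        if self._clock() >= entry.expires_at:
            del self._pending[user]           # expired PINs are discarded
            return False
        entry.attempts_left -= 1
        # Constant-time comparison avoids leaking how many digits matched.
        ok = hmac.compare_digest(entry.digest, self._digest(user, candidate))
        if ok or entry.attempts_left <= 0:
            del self._pending[user]           # single use, or locked out
        return ok


if __name__ == "__main__":
    auth = EmailPinAuthenticator(pin_length=6, lifetime_seconds=120)
    pin = auth.issue("alice")
    print("emailed PIN:", pin, "| valid for", auth.seconds_remaining("alice"), "s")
    print("first use accepted:", auth.verify("alice", pin))
    print("replay accepted:", auth.verify("alice", pin))
```

With a 6-digit PIN and 3 attempts, a blind guess succeeds with probability 3 in 1,000,000 per issued PIN, which is why the attempt limit matters as much as the expiry time.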

 

 

Passwordstate 6.0 New Features

Hello Everyone,

Before we go into any detail about the new features of version 6, we just want to say a huge thanks to all our wonderful customers for their suggestions of what they would like to see in Passwordstate, and also for helping us test the various beta versions. It’s amazing how people will take time out of their day to provide feedback, and spend endless hours testing with us. Thanks Guys 🙂 If you’re wanting to upgrade your beta install to this production release, please follow these instructions – http://www.clickstudios.com.au/forum/showthread.php/365-Upgrade-Instructions-for-Production-Release-(Build-6080)

Now on to the features. We’re very pleased to finally release version 6 of Passwordstate. This is probably one of the biggest releases we’ve had to date, and it’s been 8 months in the making. We’ll go into some detail here for the major changes in version 6.

New User Interface
The first thing you will notice when using v6 is the new user interface. The main change is how the old navigation tabs in version 5 have now been moved to the bottom of the screen as a horizontal popup menu. This provides a little more screen real-estate, which is useful when the majority of your time is spent clicking around in the navigation tree, and accessing passwords in each of the different Password List screens. We’ve also had quite a few beta testers comment on the new version appearing to run much faster.

Two-Factor Authentication with RSA’s SecurID
Version 6 now has 9 different authentication options, which can be used when you first access the site, or as an additional authentication step when you need to access certain Password Lists. One of these new authentication options is two-factor authentication with RSA’s SecurID tokens – these can be physical or software based tokens. There are obviously quite a few versions of the RSA Authentication Manager, and in our testing we’ve used version 7.1 SP4 Patch 22. RSA assures us that prior and new releases should work just fine. Read more here – http://www.clickstudios.com.au/blog/two-factor-authentication-with-rsa-securid/

Two-Factor Authentication with Google Authenticator
Can’t afford the investment for RSA’s SecurID solution? Then use two-factor authentication with Google’s Authenticator. Google Authenticator is a software based solution, which can be installed on the majority of mobile clients. Read more here – http://www.clickstudios.com.au/blog/two-factor-authentication-with-google-authenticator/

Application Programming Interface (API)
With the new API built into Passwordstate, you can integrate your other applications and do away with hard coded passwords in scripts, etc. Data can be returned in either JSON or XML format.

It’s possible to perform the following API Calls:

  • Retrieve a Password record
  • Update a Password record
  • Add a new Password record
  • Retrieve all the history for changes to a Password record
  • Retrieve all Password records in a specific Password List
  • Retrieve all Password records across all Shared Password Lists
  • Search for Password records, based on various search criteria
  • Generate one or more random passwords
  • Retrieve details and settings for a Password List

For each Password List which you enable for the API (create an API Key), you can also configure which of the API calls above are allowed, or not allowed, as per the following screenshot:

Linking Password Lists to Templates
Password List Templates were introduced in version 5, which allowed you to specify some default settings which could then be applied to a Password List. With version 6, we’ve now introduced the feature whereby you can link a Template to one or more Password Lists, and manage the settings in one central location – the template itself. Read more here – http://www.clickstudios.com.au/blog/linking-password-lists-to-templates/

User Account Policies
User Account Policies allow you to specify various settings for how Passwordstate appears or behaves for users. Once you’ve created a policy, you can apply permissions based on user accounts, or security groups. You can even apply more than one policy to the same user. Examples of how this would be used are:

  • Specify a different Authentication Method for users who have higher privileges to systems i.e. Domain Administrators
  • You don’t wish for any of the charts to appear for your users – simply disable them with a policy
  • Allow only a certain number of users to use the ‘Auto Generate New Password’ feature when adding new passwords

Read more here – http://www.clickstudios.com.au/blog/user-account-policies-in-passwordstate/

More Generic Fields and Different Data Types
There are now up to 10 different Generic Fields you can choose from for your Password Lists, and each field can be configured as one of the following data types – Text Field, Free Text Field, Password Field, Select List, Radio Buttons or Date Picker. Read more here – http://www.clickstudios.com.au/blog/generic-field-improvements/


Allowed IP Ranges
Need to restrict which networks can access the Passwordstate web site or API? If so, then you can use the ‘Allowed IP Ranges’ feature, where you can specify individual IP Addresses, or a range of IP Addresses. Read more here – http://www.clickstudios.com.au/blog/allowed-ip-ranges-in-passwordstate/

Backups and In-Place Upgrades
Version 6 now has an automated backup feature built into it, where you can set a schedule for automatic backups of all the web files, and copies of the database. You can specify at what time of the day the backups should begin, how often they should be run, and how many copies to keep on disk. In addition to automatic backups, we now have In-Place Upgrades, which means no more uninstalling/reinstalling Passwordstate to get to the latest version – simply upgrade right from within the web site. You must have your automatic backups configured and working prior to using the In-Place Upgrades feature. Read more here – http://www.clickstudios.com.au/blog/backups-and-in-place-upgrades/

Active Directory & Windows Actions
When a Password List is configured to synchronize password changes with Active Directory, or local accounts on Windows Servers, you can now enable the feature ‘Active Directory & Windows Actions’. With this feature you can perform certain account related tasks, such as unlocking accounts, disabling accounts, etc. Read more here – http://www.clickstudios.com.au/blog/active-directory-actions/

Automatic Password Rotation
Again, when a Password List is configured to synchronize password changes with Active Directory, or local accounts on Windows Servers, you can take advantage of the ‘Automatic Password Rotation’ feature, which allows you to specify a set and forget schedule for automatically updating and synchronizing passwords when they expire. Read more here – http://www.clickstudios.com.au/blog/automatic-password-rotation/

Regards
Click Studios

Linking Passwords Between Password Lists

We received an email request from a customer today, and it said “I have a request from the team regarding the sharing of same password by multiple applications. For instance, if Application A and B both using the shared account “SP1”. Do we need to enter the same information twice? Or just one time?”.

Well, the answer is there’s no need to enter the information more than once – you can create a password in one Password List, and then ‘Copy and Link’ the password to a different Password List. Any changes to either copy of the password will be synchronized automatically, with audit records being added for each of the Password Lists, and email alerts as per normal. You can even link the one password across 3 or 4 different Password Lists if you wish.

To link Password records you need to:

Select ‘Copy or Move to Different Password List’ from the ‘Actions’ dropdown menu in the Passwords grid, as per the screenshot below:

Now you can select the option ‘Copy & Link’ as well as the Password List you want to copy and link to.

Pretty simple when you know the feature is there 🙂

If there are any other hints and tips you would like to see about our Enterprise Password Management software, please leave us some comments.

Regards
Click Studios

Check out the number of features we now have for Password Lists

Hello Everyone,

We’ve been gradually adding more and more features to Passwordstate, with the majority being suggestions from our fantastic customers – thanks guys. The following is a summary of features specific to Password Lists which are now available.

Password List Details
Image: You can choose an image to display in the Password List Navigation Tree
Password Strength Policy: Your Security Administrators of Passwordstate can create multiple Password Strength Policies, and they will all show under this dropdown field
Password Generator: Choose from one of the Password Generator options your Security Administrators can create – any time you see the little Calculator icon, you can
Code Page: Used for exporting data in the correct character encoding
Additional Authentication: When you click on a Password List in the navigation tree, you can choose to first make your users provide another level of authentication before you can access the Password List

Password List Settings
Allow Password List to be Exported: Allow or disallow Security Administrators/List Administrators from exporting the contents of the Password List
Time Based Access Mandatory: Enforce one of the Time Based Access options – expire at a certain time for Password Lists, or for individual password records you can specify time-based, when the password changes, or one-time access
Handshake Approval Mandatory: Enforce the rule of two users needing to approve access prior to it being given
Prevent Password Reuse: You can specify the last (n) number of passwords cannot be reused
Prevent Non-Admin users from Dragging and Dropping the Password List: This relates to dragging and dropping Password Lists in the navigation tree
Prevent saving of Password records if a ‘Bad’ password is detected: Your Security Administrators control the list of what is deemed to be a Bad password
Users must first specify a reason why they need to view, edit or copy passwords: By selecting this option, the users will be presented with a dialog asking them to provide a reason why they need to access the record. This reason is then stored in the auditing table
Prevent Non-Admin users from manually changing values in Expiry Date fields: If you have View or Modify access to a Password List, then you won’t be able to change the Expiry Date field if this option is selected
Reset Expiry Date field to Current Date +…: When this option is selected, changing the value of the password field will automatically update the Expiry Date field
Additional Authentication only required once per session: If you have chosen an ‘Additional Authentication’ option for this Password List, you can require users to authenticate once for an active session, or every time they try to access the Password List

Copy Details & Settings From
This option allows you to clone settings from existing Password Lists, or any Password List template you have access to. This saves you from having to select all of the options mentioned above.

Copy Permissions From
By selecting this option, you can quickly apply new permissions to this Password List, by either cloning the permissions on another Password List, or Password List Template

Regards
Click Studios

Passwordstate 5.5 Released

Hello Everyone,

Click Studios is very pleased to announce the availability of Version 5.5 of Passwordstate with 30 new features, updates and bug fixes in total. Notable changes are:

  • Added Authorized Web Server functionality whereby you must now specify which web server names are hosting the Passwordstate web site. This mitigates against database theft, and hosting in an untrusted environment
  • A new Delta Permissions Email Notification report which alerts Password List Administrators of prior and post permission changes to Password Lists
  • You can now choose to send all Auditing data to a syslog server
  • Enumerated Password Permissions Report which shows access for all user accounts, even if permissions were applied via security group membership
  • Secondary authentication options for securing access to Password Lists and navigation Tabs
  • User must provide reason for accessing password value – either copy to clipboard, or view on screen
  • One-Time Access is now possible for password records – as soon as a password is viewed or copied, the user’s access is removed

You can download the latest release from here – http://www.clickstudios.com.au/downloads/passwordstate.zip, or watch the following short video showing some of the new features.

Customized Fields and Screens

We had an interesting conversation with a customer recently, in that they weren’t aware they could choose which fields they would like to associate with a Password List, or that they could customize the look and feel of the main passwords screen.  To help other customers who may not be aware, we thought we’d write this post.

Customized Fields
When you first create a new Password List, you will see various tabs on the screen. The ‘Customize Fields’ tab is where you can specify which fields you would like to use, which ones you would like to make mandatory for data entry, and also gives you the option to rename any generic fields you choose to use.

If you already have an existing Password List you would like to modify, Administrators of the Password List can do so by selecting ‘Edit Password List Details’ from the ‘List Administrators Actions’ drop-down list.

Once you have the edit screen open, then you can change the fields by clicking on the ‘Customize Fields’ tab again.

Customizing the Passwords Screen
To customize how the password screen appears, you can click on the ‘Screen Options’ button at the top of the page.

Once you have clicked this button, the following tabs will be available to you:

  • Password Columns – Allows you to choose which fields you would like displayed on the grid. If you hide some fields from the grid view, they are still available when you add or edit passwords. You can also choose to apply these field view settings to one or more Password Lists under the section ‘Apply to the following Password Lists’.
  • Passwords Grid – Allows you to choose how many records to display in the grid view, and whether you want to show the Header, Footer or Filters for the grid – as the name implies, Filters allows you to filter contents of the grid based on the values you specify for one or more fields
  • Recent Activity Grid – Similar to the ‘Passwords Grid’ tab, except this is for the auditing grid at the bottom of the screen. Difference here is you can choose to hide this grid completely if required
  • Pager Style – once the number of passwords exceeds the number of rows you want to display in the password grid, a ‘Pager’ will be displayed at the bottom of the grid, allowing you to page through the records. On this tab, you can choose the style of the pager you want displayed – either Buttons or a Slider
  • Chart Settings – To the right of the passwords grid, you can have two charts displayed if you choose – one for a summarized view of the password strength for all passwords in the Password List, and the other for who is most active in making changes in this Password List

 

Regards
Click Studios

Email Notifications within Passwordstate

Passwordstate can generate up to 42 different types of emails, most of which can be enabled or disabled as required – certain emails cannot be disabled due to their nature, such as ‘Audit Log Tamper Detection’. What most people don’t realise is email notifications can be managed in three separate ways:

Managed By User
Each user can manage their own email notifications by visiting the ‘Preferences’ area for their account. From the ‘Email Notifications’ tab, they can select which email categories to enable or disable, depending on their personal preference.

Managed for Several Users at Once
As of Build 5416, we now have a feature called ‘Email Notification Groups’. This feature allows Security Administrators of Passwordstate to manage notifications for a collection of user accounts, or for members of specific security groups. In enabling this option for a user, it will disable their ability to specify their own settings under the Preferences section mentioned above.

Managed System-Wide for All Users
Under the Administration area of Passwordstate, there is a feature called ‘Email Templates’. This feature allows the Security Administrators to customize the body of each of the emails sent, and also allows them to disable/enable all notifications system-wide – which overrides the two methods mentioned above. Generally most customers disable all email templates whilst they are configuring Passwordstate initially, to prevent a considerable number of emails being generated as they add/import passwords from existing systems.
For your reference, a complete list of the Email Notifications can be found here – http://www.clickstudios.com.au/about/notifications.html

Regards
Click Studios

Synchronize Passwords with Active Directory

As of version 5.4 of Passwordstate, it’s now possible to synchronize passwords in Passwordstate with either Active Directory or local Windows Servers.

In order for a Password List to be ‘ready’ for synchronization, the following ‘Customized Fields’ are required for the Password List:

  • You must select the ‘User Name’ field
  • You must select one Generic Field and label it ‘Domain or Host’
  • You must select the ‘Account Type’ field

When a Password List is ready for synchronization, you will see the following graphic at the top-right hand side of the Password grid:

Now, when you edit a record, you will see the following screen:

  • 1 – You must select the ‘Account Type’ of Windows
  • 2 – The ‘Account Synchronization Enabled’ indicator will be shown
  • 3 – This icon allows you to confirm the password you are entering matches what’s stored in Active Directory or on the local Windows Server
  • 4 – This is what you click on to save the record in Passwordstate, and to change (sync) the password in Active Directory or local Windows Server

Note: When adding a new password record to Passwordstate, you cannot also add the account into Active Directory or local Windows Server, however you can confirm the password is correct by clicking on the Check Password icon.

As of Build 5416, we also have a report which you can run for Password Lists which validates in real-time if the passwords are synchronized. You will see the following drop-down menu option if the Password List is ‘ready’ for synchronization:


Troubleshooting Sync Issues

It’s possible that synchronization may not work with the default settings, due to different security restrictions customers may place on their Active Directory environment. If you receive a popup message when synchronizing to say there was an error, and to check your settings, you may need to specify an appropriate domain account to synchronize with. On the screen Administration -> System Settings -> Active Directory Options Tab, you can specify an account as per the screenshot below.

If you still have issues after this, something else which may be required is specifying the same AD account to use as the Application Pool identity in IIS – you can follow the instructions in our installation documentation labelled ‘11. Active Directory & IIS Application Pool’.


We hope you like the new feature, and look forward to hearing any feedback from you.

Regards
Click Studios
Passwordstate – Secure Password Manager

Video – Password Recycle Bin

Hi Everyone,

The following video demonstrates how to use the Recycle Bin feature within Passwordstate. Any questions at all about the feature, please don’t hesitate to ask.

Regards
Click Studios