Two-Factor Authentication Using Email and Pin Code

In Build 6215 we introduced another two-factor Authentication option in addition to what was already possible with RSA’s SecurID or Google Authenticator. If you’d also like to watch a video demonstrating this feature, you can do so here – Watch Video

This two-factor authentication option allows you to specify an email address where a temporary pin code can be emailed, which is used as the basis for the authentication. Instead of just using your email address associated with your Passwordstate user account, we provide the option to specify a different email address so you can send it to a personal email account none of our work colleges may have access to, so you can receive the email on your mobile device, or so you can send to an SMS gateway. In addition to using this authentication method for accessing Passwordstate, you can also configure Password Lists to use this option as an additional authentication step which is required each time a user wishes to access password records in the Password List.

Before we get into how it works, let’s cover off on some of the settings for this feature.

In order to start using this feature, you need to first select the Authentication Option on the Preferences screen, and also specify the email address of where you want the temporary pin code to be sent. It’s possible your Security Administrators of Passwordstate may select this authentication option for you as well, and they can do this as a System Wide setting, or possibly configure a User Account Policy for you.

 

The Security Administrators of Passwordstate can also configure a couple of settings for this feature, including the minimum length of the pin code and how long the pin code will be active.

 

Now your Preferences and System Settings are configured, you will be presented with the following screen when you attempt to authenticate. You will notice initially the login screen reminds you which email address the Pin Code is being sent to, and then it shows a countdown timer indicating when the temporary pin code will expire.

 

And below is a screenshot of an example email you will receive – simply enter the pin code before it expires, and the authentication step will be complete.

 

 

Mobile Client Support in Passwordstate

In the upcoming release of Version 6.2 of Passwordstate, we will have Mobile Client support for iOS, Android, Windows 8 Phone and Blackberry. In this blog post, we will run through some detail for User and System Preferences for the Mobile Client, as well as the features available in the Mobile Client itself.

User Preferences

On the ‘Preferences’ screen on the main Passwordstate web site, you will find various settings which control how the Mobile Client will behave for you. Below is an explanation of each of these settings.

Default Home Page You can either choose your default home page to browse/filter all the Password Lists you have access to, or go straight to a screen where you can search for the password record you require
Limit the Number of Records to As cellular/mobile networks are typically slower than local networks, it’s recommended you limit the number of records returned to help with performance.
Mobile Pin Number The Pin Number you will use to authenticate with when using the Mobile Client – this is in conjunction with your UserID for Passwordstate

 

System Settings

The Mobile Access Options tab on the screen Administration -> System Settings allows you to specify multiple settings for how the Passwordstate Mobile Client behaves for your users.

Allow Mobile clients to access Passwordstate:
If you do not wish to allow Mobile Access to passwords, you can disable access altogether by selecting this option.

  • Note 1: If you choose to disable Mobile Access, it is recommended you set the option below to ‘No’, and then go to the screen Administration -> Passwords Lists -> Mobile Access Bulk Permissions, and then disable Mobile Access for all permissions
  • Note 2: Even if this option is enabled, your Firewall/System Administrators still need to configure external DNS and allow access through the firewall for anyone to access the Mobile Client web site

 

When adding new permissions to Password Lists, enabled Mobile Access by default:
When adding new permissions to a Password List, you can use to enable/disable Mobile Access by selecting the appropriate option here.

The Mobile Access Pin Number for user authentication must be a minimum length of:
You can choose the length of the Mobile Access Pin Number the users must use to authenticate with. When the users specify their own Pin Number on the Preferences screen, or use the option to generate one, it must meet the minimum length requirement of this setting.

The Inactivity Timeout for Mobile Access is (mins)
If the user forgets to log out of the Mobile session, this setting will automatically log them out after the set period of inactivity, and also clear their authenticated session.

Protect against brute force dictionary authentication attempts by locking out an active session after the following number of failed login attempts:
As the Mobile Access web site is generally externally accessible from your internal network, this setting will mitigate against any brute force authentication attempts by locking out authentication attempts when this setting has been reached.

 

 

Mobile Client Permissions

In addition to enabling Mobile Access for your users on the System Settings screen, access is also granted via applying permissions at the Password List level.

As you’re able to apply permissions at the Password List level, this means you don’t need to expose all passwords via the Mobile Access Client if you don’t want to.

Enabling/Disabling Mobile Access when Adding New Permissions
When you add new permissions to a Password List, you can choose to enable/disable Mobile Access using the ‘Mobile Access’ option on the screen.

Enabling/Disabling Mobile Access for Existing Permissions
With the permissions already applied to your Password Lists, you can choose to enable/disable Mobile Access by selecting the ‘Enable/Disable Mobile Access’ option under the ‘Actions’ dropdown menu.

 

Enabling/Disabling Mobile Access Permissions in Bulk
If you would like to enable/disable Mobile Access permissions for more than one Password List at a time, then you can do so via the page Administration -> Password Lists -> Mobile Access Bulk Permissions.

 

Mobile Client Usage

This following information provides instructions for how to use the Mobile Client itself. The following features are currently available in the Mobile Client:

  • Authentication
  • Browse/Search Password Lists that you have access to
  • Browse/Search Passwords within a selected Password List
  • Search for an individual password record, across all the Password List you have access to – similar to searching on the ‘Passwords Home’ page on the normal Passwordstate web site
  • View password records


Mobile Client Authentication
To authenticate using the mobile client, you need to specify your account’s UserID and the Pin Number associated with it.

Note: If using the AD Integrated version of Passwordstate, it’s not necessary to specify the UserID in the format of Domain\UserID – you can simply type just the UserID. The only exception to this would be if you had multiple Active Directory domains registered in Passwordstate, and there were duplicate logon names in AD.

 

Browsing/Filtering Password Lists
After you have authenticated, the default home screen is the one below which allows you to browse all the Password Lists your account has been given access to. A couple things to note about this screen are:

  1. The number of records displayed may be limited by the setting ‘Limit the Number of Records to’ on your User Preferences screen
  2. When searching/filtering Password Lists, you can search by the Title of the Password List, and also the Tree Path of the Password List in the Navigation Tree (the Tree Path is the logical structure/path of where the Password List is positioned in the Password List Navigation Tree on the main web site)

Browsing/Filtering Passwords for the selected Password List
After you have tapped on the appropriate Password List, you will be directed to the screen below which allows you to browse all the passwords in the selected Password List. A couple things to note about this screen are:

  1. The number of records displayed may be limited by the setting ‘Limit the Number of Records to’ on your User Preferences screen
  2. When searching/filtering passwords, you can search across all of the fields which can be configured for a Password record i.e. Title, Description, UserName, URL, Generic Fields, etc. The only fields you can’t search are the one’s which are encrypted i.e. the Password field, and any Generic Fields set as type ‘Password’

 

Viewing a Password Record
When you tap on one of the Password records on the screens above, you will be directed to the screen below where you can view the details of the password record. A couple of things to note about this screen are:

  1. An auditing record will be added, as you have viewed the details of this password record. If enabled in the main web site settings, any other users who have access to this password record will receive an email notification informing them you have accessed it
  2. Most mobile devices allow you to copy details to the clipboard if required, and majority of fields on this screen will allow you to copy their details
  3. If there are any ‘One-Time Access’ permissions enabled for this password record for your account, your access will automatically be removed after you have viewed the record

 

Password Search Home Page
If you have selected ‘Passwords Search’ as your default home page on the User Preferences screen, you will be directed to the screen below after you have authenticated. From here you can search for a password record across all of the Password Lists you have been given access to. This is a similar search feature which you will find on the ‘Passwords Home’ in the main web client.

 

When searching for Password records this way, a little more detail is shown on the screen so you know which Password List the password record belongs to.

 

Logging Out of the Mobile Client
When you tap on the ‘Exit’ button on the top right-hand side of the screen, you will be directed to the screen below and your Mobile Access session will be ended. If your leave your session inactive longer than the setting specified on the System Settings page, you will also be automatically logged out and directed to this screen.

 

 

Passwordstate 6.0 New Features

Hello Everyone,

Before we go into any detail about the new features of version 6, we just want to say a huge thanks to all our wonderful customers for their suggestions of what they would like to see in Passwordstate, and also for helping us test the various beta versions. It’s amazing how people will take time out of their day to provide feedback, and spend endless hours testing with us. Thanks Guys If you’re wanting to upgrade your beta install to this production release, please follow these instructions – http://www.clickstudios.com.au/forum/showthread.php/365-Upgrade-Instructions-for-Production-Release-(Build-6080) J

Now on to the features. We’re very pleased to finally release version 6 of Passwordstate. This is probably one of the biggest releases we’ve had to date, and it’s been 8 months in the making. We’ll go into some detail here for the major changes in version 6.

New User Interface
The first thing you will notice when using v6 is the new user interface. The main change is how the old navigation tabs in version 5 have now been moved to the bottom of the screen as a horizontal popup menu. This provides a little more screen real-estate, which is useful when the majority of your time is spent clicking around in the navigation tree, and access passwords in each of the different Password List screens. We’ve also had quite a few beta testers comment on the new version appearing to run much faster.

Two-Factor Authentication with RSA’s SecurID
Version 6 now has 9 different authentication options, which can be used when you first access the site, or as an additional authentication step when you need to access certain Password Lists. One of these new authentication options is two-factor authentication with RSA’s SecurID tokens – these can be physical or software based tokens. There’s obviously quite a few versions of the RSA Authentication Manager, and in our testing we’ve used version 7.1 SP4 Patch 22. RSA assures us that prior and new releases should work just fine. Read more here – http://www.clickstudios.com.au/blog/two-factor-authentication-with-rsa-securid/

Two-Factor Authentication with Google Authenticator
Can’t afford the investment for RSA’s SecurID solution, then use two-factor authentication with Google’s Authenticator. Google Authenticator is a software based solution, which can be installed on the majority of mobile clients. Read more here – http://www.clickstudios.com.au/blog/two-factor-authentication-with-google-authenticator/

Application Programming Interface (API)
With the new API built into Passwordstate, you can integrate your other applications and do away with hard coded passwords in scripts, etc. Data can be returned in either JSON or XML format.

It’s possible to perform the following API Calls:

  • Retrieve a Password record
  • Update a Password record
  • Add a new Password record
  • Retrieve all the history for changes to a Password record
  • Retrieve all Passwords records in a specific Password List
  • Retrieve all Passwords records across all Shared Password Lists
  • Search for Password records, based on various search criteria
  • Generate one or more random passwords
  • Retrieve details and settings for a Password List

For each Password List which you enable for the API (create and API Key), you can also configure which of the API calls above is allowed, or not allowed, as per the following screenshot:

 

Linking Password Lists to Templates
Password List Templates where introduced in version 5, which allowed you to specify some default settings which could then be applied to a Password List. With version 6, we’ve now introduced the feature whereby you can link a Template to one or more Password Lists, and manage the settings in one central location – the template itself. Read more here – http://www.clickstudios.com.au/blog/linking-password-lists-to-templates/

User Account Policies
User Account Policies allows you to specify various settings for how Passwordstate appears or behaves for users. Once you’ve created a policy, you can apply permissions based on user accounts, or security groups. You can even apply more than one policy to the same user. Examples of how this would be used are:

  • Specify a different Authentication Method for users who have higher privileges to systems i.e. Domain Administrators
  • You don’t wish for any of the charts to appear for your users – simply disable them with a policy
  • Allow only a certain number of users to use the ‘Auto Generate New Password’ feature when adding new passwords

Read more here – http://www.clickstudios.com.au/blog/user-account-policies-in-passwordstate/
More Generic Fields and Different Data Types
There are now up to 10 different Generic Fields you can choose from for your Password Lists, and each field can be configured as one of the following data types – Text Field, Free Text Field, Password Field, Select List, Radio Buttons or Data Picker. Read more here – http://www.clickstudios.com.au/blog/generic-field-improvements/


Allowed IP Ranges
Need to restrict which networks can access the Passwordstate web site or API? If so, then you can use the ‘Allowed IP Ranges’ feature, where you can specify individual IP Addresses, or a range of IP Addresses. Read more here – http://www.clickstudios.com.au/blog/allowed-ip-ranges-in-passwordstate/

Backups and In-Place Upgrades
Version 6 now has an automated backup feature built into it, where you can set a schedule for automatic backups of all the web files, and copies of the database. You can specify at what time of the day the backups should begin, how often they should be run, and how many copies to keep on disk. In addition to automatic backups, we now have In-Place Upgrades, which means no more uninstalling/reinstalling Passwordstate to get to the latest version – simply upgrade right from within the web site. You must have your automatic backups configured and working prior to using the In-Place Upgrades feature. Read more here – http://www.clickstudios.com.au/blog/backups-and-in-place-upgrades/

Active Directory & Windows Actions
When a Password List is configured to synchronize password changes with Active Directory, or local accounts on Windows Servers, you can now enable the feature ‘Active Directory & Windows Actions. With this feature you can perform certain account related tasks, such has unlocking account, disable accounts, etc. Read more here – http://www.clickstudios.com.au/blog/active-directory-actions/

Automatic Password Rotation
Again, when a Password List is configured to synchronize password changes with Active Directory, or local accounts on Windows Servers, you can take advantage of the ‘Automatic Password Rotation’ feature, which allows you to specify a set and forget schedule for automatically updating and synchronizing passwords when they expire. Read more here – http://www.clickstudios.com.au/blog/automatic-password-rotation/

Regards
Click Studios

Active Directory Actions

Hi Everyone,

We’ve added another new feature to version 6 called ‘Active Directory & Windows Actions’, and it can be enabled or disabled per Password List if required.

Active Directory & Windows Actions allows you to perform 4 different account related tasks, if your Password List is configured to synchronize changes with Active Directory or local Windows servers. The 4 functions are:

  • Unlock this account if locked
  • User must change password at next login
  • Disable this account
  • Enable this account

This feature is very useful for Help Desks who manage general user accounts within Passwordstate. You can also use this feature without having to update the Password record itself – simply click one of the options, hit the ‘Save’ button, and the action will be completed. Performing an Action by itself will not create a new Password History record – as history record is only created if you change one of the fields.

Note: If you use the ‘User must change password at next login’ option, then as soon as the user does change the password on the domain, then the password in Passwordstate will be out of Sync – this may not be an issue for some customers if they wish to use this feature this way.

A screenshot of the feature is below:

Active Directory & Windows Actions

 

If you don’t wish for your users to enable this feature on any of the Password Lists, you can disable it on the screen Administration -> System Settings -> Active Directory Options tab.

Regards
Click Studios

Automatic Password Rotation

Hello Everyone,

In Version 6 of Passwordstate, we have another new feature coming called ‘Automatic Password Rotation’.

With this feature, when a password expires (based on the ExpiryDate field), you can specify various options for automatically generating a new password and synchronizing the change with the Active Directory or Local Windows account.

You can specify the default values for these options at the Password List level, and then when you add or edit a password record, it will inherit the settings from the Password List. You can then choose to over-ride these values if you like. The options available are:

  • To enable/disable the feature
  • The time of day you want the password to be rotated
  • How many days you would like added to the ExpiryDate field
  • Whether or not to email Password List Administrators when the rotation was successful, or if it failed (for any reason)

Once you save the password record with these options, these settings will stay saved even after the initial rotation – effectively it’s a set and forget feature which will continually generate and update passwords when specified.

The following screenshot shows each of the options:

Automatic Password Rotation

 

We hope you like this new feature when V6 is released, which is just around the corner 🙂

Regards
Click Studios

Backups and In-Place Upgrades

Hi Everyone,

For the past couple of weeks, we’ve been working on the ability to perform backups of the Passwordstate database, and all the web files, right from within the Passwordstate application. In addition to this, and it’s been a long time coming (sorry), you can now perform in-place upgrades of Passwordstate – no longer do you need to uninstall and re-install Passwordstate every time there’s a new build released.

First we’ll start with the backups. You have the option of performing manual backups whenever you need, or you can set a regular schedule and let them run themselves. You have the following options available to you:

Backup Settings

  • How many backups to keep on the file system
  • The path to where you would like to store the backups (ideally should be stored on a different location other than your Passwordstate web or database server)
  • Username and Password required for the backup (we’ll explain what permissions are required further below)
  • Whether you want to enable a regular set-and-forget schedule for the backups to occur
  • And finally, what time you would like the scheduled backups to begin, and how often you want a backup to occur.

Couple of screenshots to show you the status of backups, and also the Settings screen:

Backup Permissions
To allow backups to work through the Passwordstate web interface, you will need to specify an account (domain or Windows account), which has the following permissions:

  • Permissions to write to the Backup path you’ve specified
  • Permissions to stop and start the Passwordstate Windows Service on the web server
  • Permissions to write to the Passwordstate folder.

In addition to this, you must configure the SQL Server service to use a domain or Windows account which has permissions to also write to the Backup Path. To do this, you need to open the ‘SQL Server Configuration Manager’ utility on your database server, click on ‘SQL Server Services’, and the specify and account as per the next screenshot:

 

In-Place Upgrades
A prerequisite to being able to perform in-place upgrades in version 6, is to ensure your backups are configured and working correctly. If they aren’t, you will not be able to perform in-place upgrades. There are to main processes for an upgrade:

Upgrade Web Files
Prior to performing the upgrade of the database, the following occurs:

  • Passwordstate Windows Service is stopped
  • Compresses and backup all the web files
  • Backup up the database
  • Download the latest build from the Passwordstate web site (there is an option to manually download the upgrade file, if for whatever reason Passwordstate is unable to do it itself i.e. proxy issues)
  • Extract the latest build to a temporary folder
  • Overwrite all the files, and clean up any old files
  • Restart the Passwordstate Windows Service.


Upgrade Database

Once all the web files have been upgraded, you will be logged out of Passwordstate automatically, at which time you can log straight back in and finish the upgrade of the database. The reason the log out is required, is because modifying files in a IIS web site can cause sessions in IIS to be disrupted (ended).

We apologize it’s taken so long to come up with a better upgrade procedure, but as soon as version 6 is released, it should make upgrading to new builds a whole lot easier.

Regards
Click Studios

Linking Password Lists to Templates

Hi Everyone,

We’ve now introduced the feature in version 6 where you can link Password Lists to Templates, and control all of the settings from the Template itself.

With this feature it means you can control the settings for multiple Password Lists in the one location, and easily enforce some consistency across similar Password Lists.

Caution: In version 6 you can now configure the ‘Generic Fields’ to be of different field types i.e. text fields, date field, password fields, etc. If you link a Password List to a Template, and the Template has non-compatible generic field types, it will blank the data for these fields in the database. You will be prompted and reminded of this when linking Password Lists, but it’s something to be aware of.

When you link a Password List to a Template, it will appear on the Templates as per this screenshot (To link Password Lists to a Template, you simply select ‘Linked Password Lists’ from the Action drop-down menu):

Linked Templates

Once linked, the majority of controls on the ‘Edit Password List’ will be disabled, and you will be notified at the top of the screen as to which Template the Password List has been linked to:

Linked Password List Edit Screen

 

How To Clone a Folder

Hi Everyone,

Today we released Build 5638 of Passwordstate, which includes a new feature where you can clone a Password Folder, and any Folders or Password Lists nested beneath it. This feature is very handy for keeping a consistent structure for storing all your passwords.

To clone a folder, you first need to click on it in the Navigation Tree, then click on the ‘Folder Options’ button at the top of the screen, and then you will see the ‘Clone Folder’ link. From here you have the following options available to you:

  • Specify the new name of the folder to be cloned
  • Choose whether you want to clone all Folders and Password Lists nested below the chosen folder, or just clone Folders only
  • Choose what permissions you would like to apply to the new Folders and Password Lists – either clone the current permissions, apply permissions just for yourself, or don’t apply any permissions at all

When you have finished cloning the folder, it will place the structure in the root of the Navigation Tree. Standard processing occurs when cloning folders i.e. appropriate audit events are logged, and email notifications are sent informing users they have access to one or more new Password Lists. We’ve also provided a ‘Save & Clone Again’ button, so you can quickly repeat the process. Below is a screenshot from version 6 of Passwordstate, showing the options available to you.

Note: Cloning Password Lists will not clone any of the passwords contained within them – only settings, customisations and permissions will be cloned.

Cloning Folders in Passwordstate

We hope you like this new feature, and please leave us some comments if you like.

Regards
Click Studios

 

Generic Field Improvements

Hi Everyone,

When version 6 is released, you will notice a few enhancements we have made to the Generic Fields you can associated with Password Lists.

To start with, we have extended the number of Generic Fields from 3 to 10, and now the following Field Types are also available:

  • Text Field – just a normal text field as you currently have in version 5 of Passwordstate
  • Free Text Field – an unlimited text field for entering larger bodies of text
  • Password – an encrypted password field, which is also salted in the database, and allows you mask the contents as per a normal Password field i.e. ******, and you can also copy to clipboard as per normal
  • Select List – allows you to specify multiple fixed values, which shows as a drop-down list
  • Radio Buttons – allows you to specify multiple fixed values, which shows as a Radio Button
  • Date Picker – similar to the Expiry Date field, this one gives you a popup calendar for specifying date values

We hope you like this feature once version 6 is released, and below are a couple of screenshot for how you configure your Password Lists, and how it looks on an Edit Password screen.

Configure Generic Field Settings for a Password List

Generic Field Setting for a Password List

 

How the Edit Password Screen looks with Generic Fields
Generic Fields on Edit Password Screen

Regards
Click Studios