All Activity

  1. Yesterday
  2. Fabian Näf

    Can WinAPI be used via a Linux shell script?

    Hi Habskilla To create the REST JSON Body I always go for the following approach: First create a PowerShell object and then convert it to a JSON-String. The big advantage of that is that you don't have to care about any special characters, escaping and stuff like that.

        $Body = @{
            FolderName        = $Name
            Description       = $Description
            NestUnderFolderID = $ParentFolderID
            APIKey            = $global:PasswordStateSystemWideAPIKey
        }
        $jsonBody = $Body | ConvertTo-Json
        $PasswordstateURLFull = "$($global:PasswordstateURL)/api/folders"
        $result = Invoke-Restmethod -Method POST -Uri $PasswordstateURLFull -ContentType "application/json; charset=utf-8" -Body $jsonBody

    The response I get is then stored in $result and can be accessed directly:

        $output = $result.FolderID

    If you have the answer as a string you could also use the following approach:

        $responseObject = $responseJsonString | ConvertFrom-Json

    If you take a look at the KeePassImport-Script you'll find some more examples. All the best, Fabian
  3. Support - you're right. There's definitely a "report" request here, as that means the security admin can report on all passwords, not just those in shared lists. But the other side of the coin is to be able to show end-users that a password that might previously have been "ok" has now been compromised. For example, I create a secure unique password for a site, let's say, "correct horse battery staple". Months after the password is created and stored successfully, Randall releases his comic, and thirty million people use it in various places. That password then is compromised somehow and added to HIBP. The user views their password list and now knows their password was potentially compromised and can take action as appropriate. I can also see a use case to expand that notification into the browser extension - perhaps the icon can flash, or the extension can turn the password fields red, or show an alert that the password (not necessarily the site) is no longer secure. I interpret the "once every update" to mean that passwords need only be re-evaluated across the board when Troy updates the downloadable lists and, simultaneously, the API results and versioning.
  4. Hi Paris, Thanks, and we can look into this as soon as we've managed to find the time. We think this feature request is a report which can be run at any time, so could you please clarify for us what you mean by "once then every list update" - we're not exactly sure what you mean by this? Thanks Click Studios
  5. I'd second this request, if you read Troy's blog he gets millions of requests through the API and has developed a very slick serverless platform to manage it : https://www.troyhunt.com/serverless-to-the-max-doing-big-things-for-small-dollars-with-cloudflare-workers-and-azure-functions/ He is also partnering with Cloudflare to help with the massive load , he designed the API for this very reason! Passwordstate would only need to query this once then every list update
  6. DavidRa

    API returning HMAC Hash Validation Failure

    Thanks - the record is gone, and now my API calls work. Win!
  7. Hi Martin, Thanks for the screenshots, and using all your settings I do not see this issue when first clicking on the Generator icon - it creates a very long password for me each time I do this. Are you using the latest build of Passwordstate? Is anyone else in the community able to reproduce this? Thanks Click Studios
  8. Last week
  9. support

    API returning HMAC Hash Validation Failure

    Hi David, I've emailed you a SQL Script so we can manually delete this corrupt record. Regards Click Studios
  10. The Password Strength Policy is set to Excellent and Mandatory (see image). The problem is not the Password Policy, but the Generator Policy. As I understand it, Password Strength Policy only specifies what may be stored. However, I am still one step ahead and first generate the password. It works if I select another password generator and change back.
  11. habskilla

    Can WinAPI be used via a Linux shell script?

    Thanks very much. Works without issue in our environment. @Fabian Näf What are you using to parse the json response? Something like jq?
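    Fabian's hashtable-to-JSON approach (post 2 above) and habskilla's question about parsing the response, written out as one reusable function. This is an added example, not code from the thread or from Click Studios; it assumes the /api/folders fields and the FolderID response property exactly as Fabian's post describes them, and that an HTTP error carries the [{"errors":[{"message":...},{"phrase":...}]}] body quoted in the HMAC thread on this page. $BaseUrl and $ApiKey are your own values.

```powershell
# Added example, not from the thread. Assumes the /api/folders fields, the FolderID
# response property and the [{"errors":[...]}] error body as quoted on this page.
function New-PasswordstateFolder {
    param(
        [Parameter(Mandatory)] [string] $BaseUrl,
        [Parameter(Mandatory)] [string] $ApiKey,
        [Parameter(Mandatory)] [string] $FolderName,
        [string] $Description = '',
        [int] $ParentFolderId = 0
    )
    # Build the body as a hashtable; ConvertTo-Json does all quoting/escaping, so a
    # description such as 'Share "Ops" on \\fs01\vault' needs no manual handling.
    $body = @{
        FolderName        = $FolderName
        Description       = $Description
        NestUnderFolderID = $ParentFolderId
        APIKey            = $ApiKey
    }
    $jsonBody = $body | ConvertTo-Json
    try {
        # Invoke-RestMethod deserialises the JSON response into an object itself,
        # so no jq-style parsing step is needed; properties are read directly.
        $result = Invoke-RestMethod -Method POST -Uri "$BaseUrl/api/folders" `
            -ContentType 'application/json; charset=utf-8' -Body $jsonBody
        return $result.FolderID
    }
    catch {
        # On an HTTP error the API's JSON error body (e.g. a "Forbidden" message with
        # an HMAC phrase) explains the failure, so surface it instead of the bare status.
        # PowerShell 7 fills ErrorDetails; Windows PowerShell 5.1 may need the stream.
        $raw = $_.ErrorDetails.Message
        if (-not $raw -and $_.Exception.Response -and
            $_.Exception.Response.PSObject.Methods['GetResponseStream']) {
            $reader = New-Object System.IO.StreamReader($_.Exception.Response.GetResponseStream())
            $raw = $reader.ReadToEnd()
        }
        $detail = $raw
        try {
            $parsed = $raw | ConvertFrom-Json
            $detail = ($parsed[0].errors | ForEach-Object { $_.message; $_.phrase } |
                Where-Object { $_ }) -join ' '
        } catch { }
        throw "Creating folder '$FolderName' failed: $detail"
    }
}
# Example call with constructed values (uncomment to run against your instance):
# New-PasswordstateFolder -BaseUrl 'https://passwordstate' -ApiKey $ApiKey `
#     -FolderName 'Ops' -Description 'Share "Ops" on \\fs01\vault'
```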
  12. DavidRa

    API returning HMAC Hash Validation Failure

    I can confirm no tuples in the Passwords table have a GUID of 0x. All 300+ entries have comparable length and are in the form:

        0x07B431134861EFFC04E9...
        0x084D3322F13EBE8A8891...
        0x08EDF4D709B2B937D1BD...

    All are "0x" followed by 128 characters, so 0x and 64 bytes hex-encoded. I believe I have had a corruption in the past, but as far as I know it's all been OK for months. The host has no AV software installed and I don't believe there's been any manual adjustments to data (other than execution of scripts from Click Studios support in the past). However, based on your comment, I have indeed found a password list with an integrity problem. There's a password marked with the title "NEW OBJECT: <Account>" which might have been auto-discovered. Perhaps I should lodge a support call outside the API thread. Thanks!
  13. support

    API returning HMAC Hash Validation Failure

    Hi David, I've just done a code search on "HMAC Hash Validation Failure", and this is reporting an issue with the GUID column in the Passwords table - sorry I did not pick up on this originally. So this is not really related to the API at all, and you should see issues in the UI with one Password List at least for this problem i.e. a "database integrity issue" page. Can you have a look in this table and see if any of the GUID values are set to '0x' - we've seen this before where Antivirus software can cause issues with saving encrypted data. Or someone has been trying to manipulate data directly in the database, but I doubt that has occurred? Regards Click Studios
  14. DavidRa

    API returning HMAC Hash Validation Failure

    I do and (as per OP) if I don't specify that key I do get a different error.

    Right key:

        StatusDescription : [{"errors":[{"message":"Forbidden"},{"phrase":"HMAC Hash Validation Failure."}]}]

    Wrong key:

        StatusDescription : [{"errors":[{"message":"No Authorization"},{"phrase":"An error has occurred trying to validate the API Key as specified in the 'System Settings' section of Passwordstate. Please check the API Key value has been specified, and is correct."}]}]
  15. support

    API returning HMAC Hash Validation Failure

    Hi David, On the screen Administration -> System Settings -> API tab, do you see an API Key here, and is this the one you're using? Regards Click Studios
  16. DavidRa

    API returning HMAC Hash Validation Failure

    I was actually trying to retrieve "everything" - getting hashes will be better, but I was starting from this:

        Retrieving all Passwords in all Password Lists
        GET /api/passwords

        You can retrieve all Passwords in all Shared Password Lists by specifying the System Wide API Key, with a simple GET request - this is similar to the 'Export All Passwords' feature available in the Administration area of the Passwordstate web site.

        Note: By default, the retrieval of all Passwords records will add one Audit record for every Password record returned. If you wish to prevent audit records from being added, you can set the PreventAuditing parameter to true - if this parameter is omitted, the default option is false.

        # PowerShell Request
        $PasswordstateUrl = 'https://passwordstate/api/passwords/?QueryAll&PreventAuditing=<value>'
        Invoke-Restmethod -Method GET -Uri $PasswordstateUrl -Header @{ "APIKey" = "<apikey>" }
  17. Hi Bepo You could allow use of the GAuth plugin with Chrome. It should only be used on the basis that it was for "exceptional" user access when their phone was lost or where a user cannot get mobile coverage for example. It's not the best approach to MFA as it introduces some potential areas of additional exposure and it could be argued that it isn't true MFA, not being independent of the desktop/browser. So I would add some additional controls such as client-side cert and only allowing access to the Passwordstate service via an established VPN - but that VPN service would also probably need a non-phone-based MFA (e.g. Direct Access or use a Yubikey/RSA token) as that's the problem you are trying to work around.
  18. Hello Bepo, Maybe you could use a User Account Policy for this, and when users forget their phone, add them to the User Account Policy which is using a different authentication method. Regards Click Studios
  19. support

    API returning HMAC Hash Validation Failure

    Hi David, Are you wanting the API to return Hash values of the passwords? If so, the documentation below shows how this can be done. Also, the System Wide API key is not designed to return password from Private Lists - this is for security reasons. You either need to use the API Key specific to those lists, or instead use our Windows Integrated API - but that only gives you access to the same credentials you would see when logged into Passwordstate.
  20. Hi Martin, Can you please answer the question above, and provide steps to reproduce this bug if your Password Strength Policy is set the same? Thanks Click Studios
  21. Hello, I would like to see a second 2 factor option in general. Sometimes our users forget their phones at home and can't use Passwordstate. It would be nice to enable a second 2 factor option like mail or SMS for this case. Kind regards and thank you for a great product
  22. It's a bug on your side. I disabled the personal generators, but if I create an entry, the settings of the personal generator are still used. Until I change the generator (to test) and select default again.
  23. I would like to enforce a time limit for how long (in minutes) the contents of the SDM is available when opened. With the current configuration settings, recipients might forget to close their browsers, leave their computers without locking etcetera. With internal users this is normally not a problem as we can both train and restrict them using either technical or HR policies, but with the new (great) functionality in SDM more and more messages are sent to external parties.
  24. GrouchyAdmin

    Updating causes "Upgrade In Progress" forever

    Want to add, I've run into the same problem. Our login is AD + Google Authenticator so we normally have Anonymous authentication disabled. I got the same message as detailed above. I was logged in locally using the Security Administrator account and also, it logged me out when I stopped watching it for a moment. Enabling AA did not work for me. I had to run the SQL command, then I got to Upgrade Step 2, it completed and then logged me out.