Leaderboard

Good morning, We would be interested in a feature to allow an option for "Remember Me on This Computer for X Days" in regards to entering in a multi-factor authentication token. This is common for most services that allow MFA so that the user is not prompted for a token each time they log in. This can be tedious when logging into PasswordState numerous times a day. As a Security guy I can live with it, but I can see the benefit of it. Details: A new computer/browser will always prompt for MFA. Option to specify timeout (Hours, Minutes, Days, etc) before prompted again.

Hey everyone, Thanks for the votes and with a couple of prods from the Reddit community we're going to try to prioritize this one:) We'll report back here with more info when we have it. Regards, Support

Thanks Christopher. We finished this work yesterday, and it will be available in the next build. The supported Hash types will be HMAC HMACMD5 HMACSHA1 HMACSHA256 HMACSHA384 HMACSHA512 MACTripleDES MD5 RIPEMD160 SHA1 SHA256 SHA384 SHA512 Regards Click Studios

Version Passwordstate 8.4 (Build 8411) added support for generating TOTP tokens withing PasswordState, feature is called 'One-Time Password Authenticator'. The setup is shown in this video Passwordstate - Whats New in Build 8411? starting around 1:41. Discussed the missing manual setup issue with PasswordState support and they won't fix this if others won't need it too. So I ask you to vote for this feature. Since PasswordState is a web app and in most cases I don't this it has access to device camera to scan a qr-code (specially if your desktop doesn't have one). So users would/might end up saving the issuer generated qr-code in a image file locally and uploading that image to PasswordState. That file might not get securely deleted afterwards, which it should since it has the shared secret in it. In worst scenario user leaves the qr-code in his/her Downloads directory. There should be manual way of adding the TOTP token shared secret/key to PasswordState, one can get this from the most token issuers, quickly checked that Facebook shows key as default Google asks “can’t scan it?” and gives out the shared secret. Twtter also has “can’t scan code”. AWS shows “Show secret key for manual configuration”. Microsoft also provides “or enter code manually” as default option. Dropbox also has the option to show the code. Sure all of them default to qr-code, since it’s user friendly for personal use. But if using a password manager, best to use manual method and store the secret/key within password manager so you can migrate to another TOTP token generator easily. Most of those authenticator apps won’t let you restore/show the secret after adding a service, some do but most won't. It's fine if the authenticator and the shared secrets are in backup scope, like Github said in their blog post. The manual setup method would be much user friendly in PasswordState, specially for a shared password list. And lets not forget the backup/restore/migration need, I might wan't to change my authenticator app. If the shared secret/key would be stored in a password manager, migration is easy. When entering the secret manually, we would need to be able to enter also the time perioid (default 30s) and number of digits in token (default 6). Optionally token hash algorithm might be needed (default SHA-1). Since token issuers usually document which format are they using, PasswordState could have predefined list of Issuers where to derive the settings from (by quick googling found this project which has list of common Issuers) and have option to set them yourself.

Hi Guys, Yes, this will be available in the next release - due in about a week or two. Screenshots below. Regards Click Studios

Thanks Parrishk. During imports, we do recommend turning off the 'Bad Passwords' option on the Password List, as this will allow you to import without any issues. Regards Click Studios

Hey there! Here's my updated version with some new features Fixes: UTF8, Check for Folder, htmlsafe notes, a litttle bit errorhandling New: Importing additional KeePass Fields with customized mapping New: Adding not handled additional fields to the Notes field New: Support for File-Attachments New: Support for enabled rights propagation and Linked Templates (not setting rights to an admin) Due to the increased number of options you are not longer prompted for them, instead fill in all options at the top of the config file (see also below) Thanks to Fabian for the initial version. Kind Regards Folke The configuration section looks like this Import-KeePass-XML-2018-08-14.ps1

Hello Florian, At the moment, any user who has Modify or Admin rights to a Password List can empty the Recycle Bin. Instead of storing credentials in the recycle bin when they may be needed later, would it be better to move these accounts to some type of "Archive" Password List, and then you can control who has access there? Regards Click Studios

Passwordstate is great for internal (company) sharing of sensitive information. I would happily pay for additional licenses if I could use Passwordstate's Self Destruct Message with external (non-company) users as well. For example sending a new password to a contractor/consultant or a client's end user (that has no access to Passwordstate today). Basically what I would like to have is an on-prem equivalent of onetimesecret.com included into Passwordstate. The easiest way of achieving this would be to have a frontend / site (facing the Internet) that is allowed to connect to the backend-server using the existing API. That would not be a viable solution for us from a security perspective though. Instead, what I would like to see is a frontend installation used on a dedicated server in a DMZ that has no access to the backend-server. The backend server on the other hand should be able to push data (via encrypted channel) to the frontend server where an external user via a scrambled URL can access the information X number of times/hours/days (much like today's Self Destruct Message functionality) from external IP .a.b.c.d. (or other security measures).

Just thought of something for this Sarge. Let's say one Password List is configured where 'Reason' is mandatory, and we are searching across all Password Lists without a reason being specified. Do you think we should raise an exception, and break the API Call, or simply not return any records from that one Password List. Not returning records may cause some confusion for customers, but these are the only two possibilities I can think of. Thoughts? Regards Click Studios

Good afternoon, I recently implemented OWASP's HTTP Security Headers Best Practices on our Passwordstate install. This may be something you want to consider implementing out of the box to further increase the overall security of the platform when deployed. From what I can see, the following settings would work for most installs. Sure, there will need to be some tweaks for those that have additional requirements/integrations. Here is a link to OWASP's HTTP Security Header Best Practice: https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Best_Practices Scott Helme's SecurityHeaders.com checker: https://securityheaders.com Here are the settings I found to work: Strict-Transport-Security: max-age=31536000 X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff Referrer-Policy: strict-origin Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self'; connect-src 'self'; font-src 'self' fonts.gstatic.com fonts.googleapis.com; form-action 'self'; connect-src api.pwnedpasswords.com Feature-Policy: accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none' The one thing that caused some flags was the "unsafe-inline" and "unsafe-eval" in the CSP policy. This is something that would have to be reworked on your end... I hope others find this useful as well. Kyle

I'll +1 this.

Hi Nate, Good news is we already have this feature in our Password Reset Portal, and it was only introduced recently. Just to confirm we are talking about the same thing, our password reset portal is an additional module you can purchase which allows users to reset or unlock their AD account from any device, anywhere: https://www.clickstudios.com.au/resetportal/default.aspx In the video below, if you skip to the 10:15 mark, it shows how to open the portal from the Control Alt Delete screen: https://www.youtube.com/watch?v=21-P16xiu8U If you or anyone else reading this thread would like to test the Password Reset Portal, please contact us on "support at clickstudios.com.au" and we can send you instructions on how to set it up, including how to integrate with your login screen:) Regards, Support

+1

Hello, Thanks for logging this to our forums as per our email discussion. Hopefully some other customers will find this useful as well, and possibly we can prioritize if over some of the other feature requests we have. Regards Click Studios

Hi Christopher, As of yesterday, we've actually implemented this There is some auditing for failed API calls, but not when an incorrect syntax is being used as per your error message below. We're hoping to get the next build out in about a week or two. Regards Click Studios

Hi Christopher, We've looked into this, and it looks like it should be fairly easy to implement, as they are part of Microsoft's System.Security.Cryptography assembly. Some of the older algorithms like MD5 and SHA1 are not recommended, as they are obsolete and insecure, but we can include them in case you need them for any legacy systems. We'll need to provide a URL parameter so you can specify if you want a hash returned, instead of the password value. Regards Click Studios

Thanks Christopher. We're very cautious about making changes which would break existing scripts, but clearly it will happen one day as we add more and more functionality. Regards Click Studios

Coming in the next release

Hi Findus, We have multiple checks to mitigate against any issues with Password Lists and Password records, so you should not see any problems with this. It's unlikely you would ever run into any issues, but if you do we can always help you fix them - we've only ever needed to help one customer in the past fix something like this. Regards Click Studios

Hello Findus, This is more to mitigate any issues with Session Variables on the web server. For example, we had a customer adding users into a Local Security Group, but was checking another group in another tab at the same time. This caused some issues with "Integrity" of HMAC Hashing in the database, and we needed to help the customer correct this. It's mainly to mitigate against any sort of issues like this, but very unlikely to cause any issues. Regards Click Studios

Hi Findus, A lot of customers don't use the Passthrough authentication option, so it is more relevant to them. So if you have issues with staff jumping on other users computers, you select one of the other available authentication options - then the automatic timeout is relevant. Regards Click Studios

Hi Everyone, Today we have release build 8411, which includes 2 new features, 7 updates, and 5 bug fixes. Full changelog can be found here - https://www.clickstudios.com.au/passwordstate-changelog.aspx. Regards Click Studios

You guys are amazing! I promote your product as much as I can, keep fighting the good fight :)