Jump to content


Popular Content

Showing content with the highest reputation since 07/19/18 in all areas

  1. 2 points

    MFA - "Remember Me" Option

    Good morning, We would be interested in a feature to allow an option for "Remember Me on This Computer for X Days" in regards to entering in a multi-factor authentication token. This is common for most services that allow MFA so that the user is not prompted for a token each time they log in. This can be tedious when logging into PasswordState numerous times a day. As a Security guy I can live with it, but I can see the benefit of it. Details: A new computer/browser will always prompt for MFA. Option to specify timeout (Hours, Minutes, Days, etc) before prompted again.
  2. 2 points

    External user access

    Hey everyone, Thanks for the votes and with a couple of prods from the Reddit community we're going to try to prioritize this one:) We'll report back here with more info when we have it. Regards, Support
  3. 2 points
    Thanks Christopher. We finished this work yesterday, and it will be available in the next build. The supported Hash types will be HMAC HMACMD5 HMACSHA1 HMACSHA256 HMACSHA384 HMACSHA512 MACTripleDES MD5 RIPEMD160 SHA1 SHA256 SHA384 SHA512 Regards Click Studios
  4. 1 point
    Version Passwordstate 8.4 (Build 8411) added support for generating TOTP tokens withing PasswordState, feature is called 'One-Time Password Authenticator'. The setup is shown in this video Passwordstate - Whats New in Build 8411? starting around 1:41. Discussed the missing manual setup issue with PasswordState support and they won't fix this if others won't need it too. So I ask you to vote for this feature. Since PasswordState is a web app and in most cases I don't this it has access to device camera to scan a qr-code (specially if your desktop doesn't have one). So users would/might end up saving the issuer generated qr-code in a image file locally and uploading that image to PasswordState. That file might not get securely deleted afterwards, which it should since it has the shared secret in it. In worst scenario user leaves the qr-code in his/her Downloads directory. There should be manual way of adding the TOTP token shared secret/key to PasswordState, one can get this from the most token issuers, quickly checked that Facebook shows key as default Google asks “can’t scan it?” and gives out the shared secret. Twtter also has “can’t scan code”. AWS shows “Show secret key for manual configuration”. Microsoft also provides “or enter code manually” as default option. Dropbox also has the option to show the code. Sure all of them default to qr-code, since it’s user friendly for personal use. But if using a password manager, best to use manual method and store the secret/key within password manager so you can migrate to another TOTP token generator easily. Most of those authenticator apps won’t let you restore/show the secret after adding a service, some do but most won't. It's fine if the authenticator and the shared secrets are in backup scope, like Github said in their blog post. The manual setup method would be much user friendly in PasswordState, specially for a shared password list. And lets not forget the backup/restore/migration need, I might wan't to change my authenticator app. If the shared secret/key would be stored in a password manager, migration is easy. When entering the secret manually, we would need to be able to enter also the time perioid (default 30s) and number of digits in token (default 6). Optionally token hash algorithm might be needed (default SHA-1). Since token issuers usually document which format are they using, PasswordState could have predefined list of Issuers where to derive the settings from (by quick googling found this project which has list of common Issuers) and have option to set them yourself.
  5. 1 point
    Hi Guys, Yes, this will be available in the next release - due in about a week or two. Screenshots below. Regards Click Studios
  6. 1 point

    Have I Been Pwned? Integration

    Thanks Parrishk. During imports, we do recommend turning off the 'Bad Passwords' option on the Password List, as this will allow you to import without any issues. Regards Click Studios
  7. 1 point
    Hey there! Here's my updated version with some new features Fixes: UTF8, Check for Folder, htmlsafe notes, a litttle bit errorhandling New: Importing additional KeePass Fields with customized mapping New: Adding not handled additional fields to the Notes field New: Support for File-Attachments New: Support for enabled rights propagation and Linked Templates (not setting rights to an admin) Due to the increased number of options you are not longer prompted for them, instead fill in all options at the top of the config file (see also below) Thanks to Fabian for the initial version. Kind Regards Folke The configuration section looks like this Import-KeePass-XML-2018-08-14.ps1
  8. 1 point

    Permission for Recycle Bin

    Hello Florian, At the moment, any user who has Modify or Admin rights to a Password List can empty the Recycle Bin. Instead of storing credentials in the recycle bin when they may be needed later, would it be better to move these accounts to some type of "Archive" Password List, and then you can control who has access there? Regards Click Studios
  9. 1 point

    External user access

    Passwordstate is great for internal (company) sharing of sensitive information. I would happily pay for additional licenses if I could use Passwordstate's Self Destruct Message with external (non-company) users as well. For example sending a new password to a contractor/consultant or a client's end user (that has no access to Passwordstate today). Basically what I would like to have is an on-prem equivalent of onetimesecret.com included into Passwordstate. The easiest way of achieving this would be to have a frontend / site (facing the Internet) that is allowed to connect to the backend-server using the existing API. That would not be a viable solution for us from a security perspective though. Instead, what I would like to see is a frontend installation used on a dedicated server in a DMZ that has no access to the backend-server. The backend server on the other hand should be able to push data (via encrypted channel) to the frontend server where an external user via a scrambled URL can access the information X number of times/hours/days (much like today's Self Destruct Message functionality) from external IP .a.b.c.d. (or other security measures).
  10. 1 point

    API Auditing Enhancement

    Just thought of something for this Sarge. Let's say one Password List is configured where 'Reason' is mandatory, and we are searching across all Password Lists without a reason being specified. Do you think we should raise an exception, and break the API Call, or simply not return any records from that one Password List. Not returning records may cause some confusion for customers, but these are the only two possibilities I can think of. Thoughts? Regards Click Studios
  11. 1 point

    HTTP Security Headers

    Good afternoon, I recently implemented OWASP's HTTP Security Headers Best Practices on our Passwordstate install. This may be something you want to consider implementing out of the box to further increase the overall security of the platform when deployed. From what I can see, the following settings would work for most installs. Sure, there will need to be some tweaks for those that have additional requirements/integrations. Here is a link to OWASP's HTTP Security Header Best Practice: https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Best_Practices Scott Helme's SecurityHeaders.com checker: https://securityheaders.com Here are the settings I found to work: Strict-Transport-Security: max-age=31536000 X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff Referrer-Policy: strict-origin Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self'; connect-src 'self'; font-src 'self' fonts.gstatic.com fonts.googleapis.com; form-action 'self'; connect-src api.pwnedpasswords.com Feature-Policy: accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none' The one thing that caused some flags was the "unsafe-inline" and "unsafe-eval" in the CSP policy. This is something that would have to be reworked on your end... I hope others find this useful as well. Kyle
  12. 1 point

    External user access

    I'll +1 this.
  13. 1 point

    Ctrl Alt Del Screen

    Hi Nate, Good news is we already have this feature in our Password Reset Portal, and it was only introduced recently. Just to confirm we are talking about the same thing, our password reset portal is an additional module you can purchase which allows users to reset or unlock their AD account from any device, anywhere: https://www.clickstudios.com.au/resetportal/default.aspx In the video below, if you skip to the 10:15 mark, it shows how to open the portal from the Control Alt Delete screen: https://www.youtube.com/watch?v=21-P16xiu8U If you or anyone else reading this thread would like to test the Password Reset Portal, please contact us on "support at clickstudios.com.au" and we can send you instructions on how to set it up, including how to integrate with your login screen:) Regards, Support
  14. 1 point

    External user access

  15. 1 point

    External user access

    Hello, Thanks for logging this to our forums as per our email discussion. Hopefully some other customers will find this useful as well, and possibly we can prioritize if over some of the other feature requests we have. Regards Click Studios
  16. 1 point

    WinAPI - Auditing - 500 Errors

    Hi Christopher, As of yesterday, we've actually implemented this There is some auditing for failed API calls, but not when an incorrect syntax is being used as per your error message below. We're hoping to get the next build out in about a week or two. Regards Click Studios
  17. 1 point
    Hi Christopher, We've looked into this, and it looks like it should be fairly easy to implement, as they are part of Microsoft's System.Security.Cryptography assembly. Some of the older algorithms like MD5 and SHA1 are not recommended, as they are obsolete and insecure, but we can include them in case you need them for any legacy systems. We'll need to provide a URL parameter so you can specify if you want a hash returned, instead of the password value. Regards Click Studios
  18. 1 point

    WinAPI - Versioning

    Thanks Christopher. We're very cautious about making changes which would break existing scripts, but clearly it will happen one day as we add more and more functionality. Regards Click Studios
  19. 1 point

    API Auditing Enhancement

    Coming in the next release
  20. 1 point

    Multible Tabs

    Hi Findus, We have multiple checks to mitigate against any issues with Password Lists and Password records, so you should not see any problems with this. It's unlikely you would ever run into any issues, but if you do we can always help you fix them - we've only ever needed to help one customer in the past fix something like this. Regards Click Studios
  21. 1 point

    Multible Tabs

    Hello Findus, This is more to mitigate any issues with Session Variables on the web server. For example, we had a customer adding users into a Local Security Group, but was checking another group in another tab at the same time. This caused some issues with "Integrity" of HMAC Hashing in the database, and we needed to help the customer correct this. It's mainly to mitigate against any sort of issues like this, but very unlikely to cause any issues. Regards Click Studios
  22. 1 point

    New Entry Time Out

    Hi Findus, A lot of customers don't use the Passthrough authentication option, so it is more relevant to them. So if you have issues with staff jumping on other users computers, you select one of the other available authentication options - then the automatic timeout is relevant. Regards Click Studios
  23. 1 point

    Passwordstate 8.4 (Build 8411)

    Hi Everyone, Today we have release build 8411, which includes 2 new features, 7 updates, and 5 bug fixes. Full changelog can be found here - https://www.clickstudios.com.au/passwordstate-changelog.aspx. Regards Click Studios
  24. 1 point

    Have I Been Pwned? Integration

    You guys are amazing! I promote your product as much as I can, keep fighting the good fight :)