Leaderboard

Popular Content

Showing content with the highest reputation since 03/13/2014 in Posts

  1. Inevitably someone had to bring this one up. In the current interface, the tab bar with "Passwords", "Hosts", "Administration" doesn't play nice with the most pervasive Dark Reader extension, so just making that play nice would make it look okay for Dark Reader users. But a native dark theme would be wonderful.
    9 points
  2. Hi, we just bought the Passwordstate Enterprise edition for our company and are very satisfied. Because we are a German company I would like to ask if there are any plans for adding the possibility to change the language to, for example, German. This would be a great feature and would help us to find more user acceptance. Thank you. Kind regards Achim
    5 points
  3. Arturs

    Dark mode in UI

    Hello, From time to time users are asking if there is a "Dark Mode" available in Passwordstate themes. It would be a nice feature for improving the user experience.
    5 points
  4. Hi, I played a lot with the PS Remote Session Launcher and its integration with applications via the PSLauncher.ps1 script. There are, as of yet, only 5 choices (RDP, SSH, TeamViewer, Telnet and VNC). The Telnet one, in my opinion, can be dropped because Telnet shouldn't be used in any way. Here is the improvement proposal: These 5 choices should be at least 10 (and an infinity if possible, like a + button to add a new one). There are plenty of applications that use passwords and that are CLI compatible to launch (like the many VPN clients out there). The choices should be fully customizable: the 5 defaults could be pre-configured, and the 5 (or more) following could be user defined. The PSLauncher.ps1 script doesn't need any modification since it already is customizable. This comes from our usage, which is RDP, SSH, TeamViewer and VPN clients mostly. Since the VNC and Telnet options are not used, they have been reconfigured in the PSLauncher.ps1 script to be mapped to 2 VPN clients. Have a nice day!
    5 points
  5. Hi Is Passwordstate vulnerable to "Log4Shell vulnerability (CVE-2021-44228)" in any way?
    5 points
  6. It would be great if the RDP Linked Credentials would show not only your remote session credentials (if created and linked via hostname match) but also the passwords associated with the host in the dropdown. We have multiple local accounts on our servers and additional domain accounts. Unfortunately, you can only choose either the local accounts or the domain accounts (Via Remote Session Credentials). The colleagues can take the detour via the function on the passwords, but this is quite inconvenient for most.
    4 points
  7. support

    Passkeys

    Hi Everyone, Build 9849 of Passwordstate has been released, along with a new version of our Browser extensions for Chrome, Edge and Firefox that now supports Passkeys. The browser extension versions are also 9849 and should have automatically updated in your browser. Currently this is a beta build of the Passkeys functionality, and if you notice any bug we'd appreciate it if you please log a support call with Click Studios via this page: https://www.clickstudios.com.au/support.aspx You'll need to upgrade your core Passwordstate application to the latest build by following this guide: https://www.clickstudios.com.au/downloads/version9/Upgrade_Instructions.pdf Once upgraded, you'll find a new section in the Help -> Browser Extensions Manual called "Web Authentication Passkeys" that will help you understand how to use this new feature. Supported websites can be found at this link: https://passkeys.directory/ Thanks to all for your feature request, and if you run into any issues with it, or have any questions, please let us know! Regards, Support
    3 points
  8. For an automation process we have, we would need to create a large number of password lists in one Passwordstate folder for an 'admin' account. Those password lists will be shared with exactly 1 person, and contain a password to a service. We would like those people to be able to access the Passwordstate API to retrieve said passwords. The users can't use WinAPI, as the machine they will be accessing the Passwordstate API from doesn't have an AD account for them. Hence, the users are limited to using the default API. To connect to it, they need to have an API key. However, we can't generate nor set an API key for them programmatically. We can't generate API keys manually, as it's too much manual work on our end. We can't let users generate their API key themselves, because for that they have to have at least M or A privileges, and we would like to have them limited to V. Hence, we would like to have a WinAPI endpoint to generate / set an API key for a given password list. Do you think it sounds reasonable?
    3 points
  9. Hi Guys, We've finished this feature, and it will be available in the next build - about 1 to 2 weeks time. Regards Click Studios
    3 points
  10. Links provided to Click Studios from the customer who requested this can be seen below. Microsoft will be dropping support for Basic Authentication late 2022, which is what the current email settings use in Passwordstate:
     The full article about the deprecation of basic authentication by Microsoft: Deprecation of Basic authentication in Exchange Online | Microsoft Docs.
     They recommend switching over to OAuth 2.0 authentication or Microsoft Graph API for all messaging protocols used with Exchange Online: Authenticate an IMAP, POP or SMTP connection using OAuth | Microsoft Docs.
     Microsoft regards something as basic authentication whenever the authentication credentials are saved on the server/client from which the authentication takes place.
     More links on modern authentication:
     Announcing OAuth 2.0 support for IMAP and SMTP AUTH protocols in Exchange Online - Microsoft Tech Community
     New resources for moving to Modern Authentication - Microsoft Lifecycle | Microsoft Docs
    3 points
  11. Philipp

    Recycle Bin Options

    Hi, I would like to place this Feature Request here because I found nothing about it in the manuals. A member of a team here in my company using Passwordstate V8.3 (one of the latest builds) was asking me: When are the accounts in the Recycle Bin deleted permanently? So I went to the System Settings Tab and tried to find any option to set here, but I found nothing about it. It would be nice to get such a feature to enable auto delete for Recycle Bins in order to delete accounts older (with regards to the deletion date) than e.g. 90 days. In addition to that it would be nice if a deletion date could be displayed in the "Recycle Bin view". Thanks Best Regards Philipp
    3 points
  12. We've had a request for the following for the Self Destruct Message web site:
     - Add auditing for failed PassPhrase login attempts
     - Track failed Passphrase login attempts by IP, and lock the user out when they reach the Brute Force login threshold. The Admin would then need to unblock this IP Address, just like in the main UI.
     These changes would provide an additional layer of security, on top of:
     - Brute Force Lockouts via Session tracking
     - Guessing the URL of the Self Destruct Message web site
     - Guessing the randomly generated 32 character Self Destruct ID, needed to view the message
     Regards Click Studios
    3 points
  13. I would very much like to have a complete list of configurable default settings in a spreadsheet format listed by feature/section. This would enable the opportunity to document and keep track of all changes over time. Thank you, Rene
    2 points
  14. Hi Team, I'm aware you have SAML2 support, and we're currently making good use of that feature, however it'd be great if we could sync user information down from AD based on group membership. Even better if this includes the groups themselves, so we can manage users info and what Passwordstate security groups they get all from Azure AD. I see elsewhere you've suggested to just have your Azure AD sync with an on-prem AD, however that's not a great solution as it then requires that we manage our users from an on-prem AD, when we've moved to decommission such onsite servers. You can easily pull such information from something like Microsoft's own Graph API:
     List members - Microsoft Graph v1.0 | Microsoft Docs
     List group transitive members - Microsoft Graph v1.0 | Microsoft Docs
     Or even better use something like SCIM so any IDP that supports SCIM provisioning can provision users/groups to Passwordstate.
     SCIM: System for Cross-domain Identity Management (simplecloud.info)
     Tutorial - Develop a SCIM endpoint for user provisioning to apps from Azure Active Directory - Microsoft Entra | Microsoft Learn
     This feature would provide huge value for us in allowing us to centrally manage users for Passwordstate.
    2 points
  15. A customer has requested the following functionality: "Would be great to be able to manage\modify and delete password lists via API.". Specifically fields and settings on Password Lists. Regards Click Studios
    2 points
  16. I request a Passwordstate add-on for Splunk. The add-on should aid organisations in parsing the syslog ingested from Passwordstate, in line with Splunk Common Information Model (CIM).
    2 points
  17. Can the ability to have the log format of JSON (Key Value Pair)/LEEF be added to Passwordstate when setting up forwarding to a remote syslog server? This would assist with building alerting and correlation around Passwordstate activity in a SIEM. Currently the log format varies so much that it makes it difficult to extract fields such as: source user, event type, action, resource accessed.
    2 points
  18. We would like to be able to extract a list of individual password permissions via API. Right now, we can only add/update/delete, but not get the current permissions. This would be a great help in our work to automate permissions handling via Active Directory for thousands of service accounts and similar if we were able to also get any current permissions. Perhaps it could be included as part of the data that's returned by the 'Retrieving a password' function, as a nested array. If we use the example in your API documentation, it could look something like this (see the "Permissions" array at the bottom):

     GET 'https://passwordstate/winapi/passwords/46411'

     # Response
     HTTP/1.1 200
     [
       {
         "PasswordID": 46411,
         "Title": "forum4",
         "Domain": "",
         "HostName": "",
         "UserName": "login2",
         "Description": "My login to forum4",
         "GenericField1": "loginasa",
         "GenericField2": "",
         "GenericField3": "",
         "GenericField4": "",
         "GenericField5": "",
         "GenericField6": "",
         "GenericField7": "",
         "GenericField8": "",
         "GenericField9": "",
         "GenericField10": "",
         "GenericFieldInfo": [
           { "GenericFieldID": "GenericField1", "DisplayName": "Pin Number", "Value": "0000" },
           { "GenericFieldID": "GenericField2", "DisplayName": "Surname", "Value": "Reznor" }
         ],
         "AccountTypeID": 0,
         "Notes": "",
         "URL": "http://www.microsoft.com",
         "Password": "ZHn#3+A^yc",
         "ExpiryDate": "23/08/2012",
         "AllowExport": true,
         "AccountType": "",
         "OTP": "",
         "Permissions": [
           { "UserID": "domain\\User1", "Permission": "M" },
           { "UserID": "domain\\User2", "Permission": "V" }
         ]
       }
     ]
    2 points
  19. We would like the ability to use our Yubikey (FIDO 2) to authenticate with the browser add-on instead of a Master Password set in Passwordstate. Our users get confused having their domain credentials for logging into Passwordstate portal then separate master password for the browser addon. Would like to replace master password with yubikey auth.
    2 points
  20. Hi Guys, We will be making this change for version 10, which we're currently working on. Regards Click Studios
    2 points
  21. support

    Host Folders via API

    Hello, This functionality will be coming in version 10, which we are currently working on. Specifically, the following - at this stage we do not have a release date for V10 though.
     Hosts
     1. Adding a Host record
     2. Deleting a Host record
     3. Searching for Host records
     Host Folders
     1. Add Host Folder
     2. Delete Host Folder
     3. Search Host Folder
     4. Add Host Folder Permissions
     5. Delete Host Folder Permissions
     6. Add Host Records into Folder
     7. Remove Host Records from Folder
     Remote Session Credentials
     1. Add Remote Session Credential
     2. Update Remote Session Credential
     3. Delete Remote Session Credential
     4. Search Remote Session Credentials
     5. Add Remote Session Credential Permission
     6. Delete Remote Session Credential Permission
     7. Search Remote Session Credential Permissions
     Regards Click Studios
    2 points
  22. Sarge

    Custom Reporting

    It would be fantastic to be able to customise what fields are included in the reports that can be scheduled. For example, a Password List used to store SSL certificates with a number of custom fields: currently the report only shows the title and expiry date as we don't use any of the other default fields; we'd love to be able to select which fields to show on the report (exclude empty fields and include custom fields). If they could be scheduled from the administration area as well, rather than in a specific user's context, that would be great too, so all administrators can see/modify the reports easily. It would also help if the wording of the report email could be customised in the same manner as the other email templates. Finally, the ability to allow users to run reports without giving them the reporting security administrator role (we have separate accounts for security administrator roles).
    2 points
  23. Currently the User Account Policies only allow you to enforce one specific method for 2-factor authentication, such as Duo or TOTP. This means that you'd have to keep track of every individual user and their preferred method, then create separate policies for every "group". This is quite a hassle, so perhaps a better option would be to enforce using any method. The dropdown list could simply include something along the lines of "anything besides Ignore". For the very first logon, Passwordstate can simply use the global default setting (e.g. TOTP), or if the admin has overridden it in some way then use that method instead. Afterwards the user can simply change it to something else, as long as it's not "Only Forms Based".
    2 points
  24. Just a heads up: we are hoping to get Version 10 out by the end of quarter 2, 2024 now. This date may still change, depending on development hurdles. Regards, Support.
    2 points
  25. support

    Passkeys

    Just a heads up everyone, we are currently working on this feature, and will report back here once complete. Thanks, Click Studios Support.
    2 points
  26. Hi Everyone, We have released a new build of Passwordstate today, build 9823, which should fix this issue. We have also had to submit a new extension to each of the stores, so you'll need to wait until your browser automatically updates those extensions before testing this again. Chrome and Firefox seem to be pretty instant in terms of approving the new extensions, but Edge seems to work on a 7 day schedule... Date of writing this post is 19th October in Australian time. Please let us know if this doesn't help! Regards, Support
    2 points
  27. Hello Valentijn, This feature will be coming in version 10. Regards Click Studios
    2 points
  28. support

    Export One Time Codes

    As of build 9360 One Time Codes cannot be exported from the system, when exporting passwords from a List. This feature request is to add in OTP codes when performing an export to CSV.
    2 points
  29. User would like the ability to remove the brute forced IP addresses using the API.
    2 points
  30. Hi Guys, We are working on synchronizing Azure AD user accounts and security groups in version 10, which we believe will somewhat help with this feature request. With SAML authentication, you can also use Azure MFA for this already as well. Regards Click Studios
    2 points
  31. We have done away with http listeners and deployed certificate backed https listeners only. For this to work, we have to manually edit all PowerShell Scripts that use Invoke-Command to add the attribute -UseSSL. These scripts need to be manually replaced after every upgrade. Please make using https listeners selectable in the GUI. It should be a simple change to create a parameter for your scripts to allow UseSSL to be toggled on or off to support either requirement.
    2 points
  32. OAuth has become the de facto standard for machine to machine auth and automation. Support for OAuth would also allow the use of multifactor auth with the API across a number of Identity Providers such as Azure AD, just by being able to leverage existing multifactor claims in the JWT. This would allow a great number of use cases across the board and make the API very robust.
    2 points
  33. Please add the ability to allow the folder level API key permissions to propagate to the lower level folders, lists, and passwords. We would like to give some of our teams API access to all the items under their team folder without using the system wide API key or the Windows access API.
    2 points
  34. Hi, I would like to suggest a feature that lets me purge all group and/or user permissions on a folder or password list, by API or as the default behavior when disabling inheritance on a new folder, maybe with the added option to copy permissions from the top. My company uses a folder structure and advanced mode permissions in a model like the one below. My problem is that every time I create a new folder structure for an application or system I have to manually delete all the groups and users that are copied to the new folder from the top, even though the inheritance is disabled. The other solution is to use the API to first get all the security groups and then, for each security group, try to delete it from the newly created folder; not a nice solution in my opinion.
     Folders example:
     Applications [every securitygroup (~50-100) can view]
     -Application1 [inherit from top]
     --Test [inheritance blocked, only securitygroup for the application and environment can view/modify]
     --Acceptance [inheritance blocked, only securitygroup for the application and environment can view/modify]
     --Production [inheritance blocked, only securitygroup for the application and environment can view/modify]
     -Application2 [inherit from top]
     --Test [inheritance blocked, only securitygroup for the application and environment can view/modify]
     --Acceptance [inheritance blocked, only securitygroup for the application and environment can view/modify]
     --Production [inheritance blocked, only securitygroup for the application and environment can view/modify]
     Best regards Patrik
    2 points
  35. I would like to request the option to silently install Passwordstate so I can incorporate it into an automated deployment. There used to be a PowerShell script Click Studios provided to make this happen in the past, but it sounds like it is no longer supported with the new MSI installer. Once the unattended options are worked out and can be passed to the MSI installer, then it can easily be added to a Chef cookbook, packaged up in a Chocolatey package, or any automated packaging system. I rely on being able to quickly build out test environments to test new features of Passwordstate. Maybe a more futuristic request is to provide a VM appliance of Passwordstate that we can drop into our environment and wire back into our existing DB data... or maybe creating a container version of the service would be cool. This may already be in your roadmap for the product eventually, but I'm seeing a lot of our IT tooling starting to be available as container options. Just in case you've got that crazy dev that wants to do that, you should let them investigate that setup. 🙂
    2 points
  36. Hi, The default script "Reset Fortigate Password" to reset passwords on Fortigate firewalls will fail when virtual domains (VDOMs) are enabled on the device. This is due to the wrong starting environment when connected to the firewall. In this case, one can copy the existing PowerShell script and replace the lines

     if ($PrivilegedAccountUserName -ne '') {
         $ResetCommands = "config system admin`redit $UserName`rset password $NewPassword`rend`rexit`r"
     } else {
         $ResetCommands = "config system admin`redit $UserName`rset password $NewPassword $OldPassword`rend`rexit`r"
     }

     with

     if ($PrivilegedAccountUserName -ne '') {
         $ResetCommands = "config global`rconfig system admin`redit $UserName`rset password $NewPassword`rend`rexit`r"
     } else {
         $ResetCommands = "config global`rconfig system admin`redit $UserName`rset password $NewPassword $OldPassword`rend`rexit`r"
     }

     The new commands start with "config global" to change into the global context of the Fortigate. From that point onward, the commands are the same. Regards, Red
    2 points
  37. We are currently evaluating Passwordstate for roll out. The browser extension is great, but I think it would be better if you had the option to turn off auto complete, as it sometimes tries too hard to fill forms. Furthermore, you don't have the option to decide which account should be used for a given form. Maybe you have access to a global admin account, but want to use a personalized account instead? Better is to click some button or press some key shortcut to fill the form. I think of the way Enpass does it, if you don't mind trying it out. Cheers
    2 points
  38. It would be great to be able to include attachments in self-destruct messages. For example, send an SSL certificate and the password to access it both in a self-destruct message.
    2 points
  39. Here's a response from them on Reddit: tldr; While our policy is not to divulge information on the processes and systems we use we can advise we do not use directly, or indirectly via any contracted 3rd Party, the Log4j logging library.
    2 points
  40. Hi all, I got this to work in our lab environment and thought I'd share some of that setup. We have not set up the app service yet, so I can't comment on that. This isn't a full guide on how to configure Azure AD, Enterprise Applications, the Azure App Proxy Connector or anything like that. It's just the settings that worked for us to make the Passwordstate web interface accessible to external users via the Azure Application Proxy with SAML SSO and Conditional Access policies. As "<BaseURL>" we'll be using "https://passwordstate-<account>.msappproxy.net" where <account> is whatever Microsoft is using for your account there. Obviously you can change 'passwordstate' to something else as well.

     Azure - Application Proxy configuration
     We configured the Azure Application Proxy with identical domain names for internal and external users to ensure links sent out by Passwordstate will just work:
     Internal Passwordstate URL: <BaseURL>
     External Passwordstate URL: <BaseURL>
     Pre Authentication is set to Azure Active Directory. We want SAML SSO, after all. We enabled HTTP-Only, Secure and Persistent Cookies in our lab environment. However, when it comes to Persistent Cookies, you may want to change that to No for a production environment. As we're using the same URLs for internal and external there's no need for URL translation, so we disabled it for Header and Application Body.

     Azure - Single sign-on configuration
     Basic SAML Configuration
     Identifier (Entity ID): <BaseURL>
     Reply URL (Assertion Consumer Service URL): <BaseURL> (tick the Default checkbox on this one)
     Reply URL (Assertion Consumer Service URL): <BaseURL>/logins/saml/default.aspx
     Sign on URL: <BaseURL>
     Relay State: <BaseURL>/logins/saml/default.aspx
     Logout URL: <BaseURL>/?appproxy=logout
     Attributes & Claims
     Unique User Identifier: user.userprincipalname
     We didn't change any of the other ones. Note that you can use user.mail, as per Clickstudio's own Blog. We switched to userprincipalname as we are testing with accounts without email addresses, so this made more sense for us. Using userprincipalname also requires you to reconfigure Passwordstate and under System Settings -> Authentication Options check the UserPrincipalName option under "Select which field in Passwordstate you want to compare against the SAML Response's Name Identifier - NameID". For the remainder of the Azure (and Passwordstate SAML) configuration, just follow Clickstudio's guide: https://blog.clickstudios.com.au/saml-authentication-with-azure-ad/ Ensure to reconfigure your Base URL in Passwordstate under System Settings -> Miscellaneous to match your <BaseURL>.

     Certificates
     We created a certificate for our internal server using our existing, internal CA. Doesn't cost anything and we have more control over certificate lifetime and auto-renewal. If you go with a 'proper' custom domain setup (e.g. using https://passwordstate.<domain> for internal and external URL) for the App Proxy, you'll need a public CA certificate to be imported into the App Proxy.

     Internal DNS
     We created a DNS Zone on our internal DNS server to ensure internal systems resolve passwordstate-<account>.msappproxy.net to the internal IP of the Passwordstate server. You can probably force internal users through the Azure App Proxy as well, but at the very least the Azure App Proxy (and the internal Passwordstate server itself) needs to be able to resolve the name to the internal IP of the server or it won't be able to connect.

     IIS
     Ensure to configure your IIS Bindings to use the passwordstate-<account>.msappproxy.net FQDN and assign the correct certificate. We also disabled Windows Authentication for the passwordstate site as it's not required.

     That's it, SAML SSO should work and you can configure your Conditional Access policies as required. As mentioned, this isn't a full guide. You need to have your Azure Application Proxy Connector set up and operational, it needs to be able to access the Passwordstate server, the relevant outbound ports/IPs/FQDNs need to be allowed on the firewall, etc. I hope this helps someone else to get their setup working.
    2 points
  41. Hey! For the use case I have in mind, it's a Linux machine with no AD account on it. I am aware of the possibility of running WinAPI on Linux, but that won't work as the users can't use DefaultCredentials (because of the lack of an AD account on the machine), and if they were to provide their AD password directly to WinAPI with plaintext credentials, it would completely defeat the purpose of using Passwordstate. We aim to use it to avoid passing the AD password in plain text to perform SSO, but rather retrieve a password from Passwordstate programmatically, where we can limit the potential disaster effect of revealing the auth method to Passwordstate. If an API key leaks, we have 1 password compromised (as there's only 1 password in that password list), but if an AD password leaks, we have the whole Passwordstate database for the taking. Thus, generating plain API keys using WinAPI would help us tremendously. Hope that makes sense.
    2 points
  42. Hey Everyone, Just a quick message to say we are very close to releasing a beta of our new Chrome extension. Possibly in the next couple of weeks, and this feature is in the new version :) We'll be announcing the beta release on Social Media soon, and we'll report back here too, and you are all welcome to test it out. Thanks again, Support.
    2 points
  43. Hi there! Is there any roadmap for upcoming Passwordstate releases/features for 2024? I've read a few times that there is an upcoming Passwordstate V10 Major Version. Are there any plans for that? Greetings!
    1 point
  44. Can we get a search function for documents similar to how we can search for passwords? Currently when you upload a document via the API you get an ID back but after that there is no way to search for the document you uploaded to retrieve it.
    1 point
  45. OA1

    Get folderpermissions

    Can you create an API endpoint to get the permissions of a folder?
    1 point
  46. Isaac

    Dark Theme / Mode

    +1 The issue with the top tab bar looks to be due to the inline style tags with the !important flag, as this can't be overridden with CSS at all. However, as stated, a native dark theme would be much appreciated.
    1 point
  47. We would like to request the same. We have been using PasswordState for a long time (8 or 9 years?), and have added it to our SIEM for correlation. The major issue is that the Syslog messages are far too "English" to be easily parsed with Regular Expressions. Having an option to send the data in a structured, machine parsable way would make ingestion into a SIEM much easier. We don't really care which standard is followed, so long as it is consistent. Formats typically supported by SIEMs are:
     - LEEF
     - CEF
     - JSON
     - Key Value Pairs (key1='value1' key2='value2' or key1: value1; key2: value2)
     We would be looking for the following information in the logs (not necessarily in this order):
     For password operations:
     - Operation Performed
     - Who performed it (domain\user or user@domain.net, display name is optional, or API)
     - Client IP/hostname
     - Result (Success/Fail)
     - Full path to password list (group/folder structure)
     - PasswordList ID
     - PasswordEntry Title
     - PasswordEntry ID
     - PasswordEntry Username
     For authentication events (authentication could be split across multiple logs):
     - Authentication against Primary Authentication Server
     - Authentication against additional Authentication server (eg. MFA, token, etc)
     For these we would expect:
     - Authentication Server Name
     - Authentication Method (AD, LDAP, SAML, OAuth, etc)
     - Auth status (success/fail)
     - Auth status reason (if available) eg. account locked, account disabled, account does not exist, etc
     For host operations:
     - Operation Performed
     - Who performed it (domain\user or user@domain.net, display name is optional, or API)
     - Client IP/hostname
     - Result (Success/Fail)
     - Full path to host (group/folder structure)
     - HostEntry ID
     - HostEntry Hostname
     - HostEntry Site
     - HostEntry IP
     - Connection Port
     Some additional information may be useful, but this would be among the minimum critical information. Hopefully enough people are interested in this to make it happen. Regards, JohnB
    1 point
  48. Hi Kris, Yes sorry, your instructions above are excellent. You also need to ensure you have an active maintenance contract with your software before upgrading, unless you are using the free 5 user version. Regards Click Studios
    1 point