

Popular Content

Showing content with the highest reputation since 03/13/14 in all areas

  1. 3 points

    Recycle Bin Options

    Hi, I would like to place this Feature Request here because I found nothing about it in the manuals. A member of a team here in my company using Passwordstate V8.3 (one of the latest builds) was asking me - When are the accounts in the Recycle Bin deleted permanently? So I went to the System Settings Tab and tried to find any option to set here but I found nothing about it. It would be nice to get such a feature to enable the auto delete for Recycle Bins in order to delete accounts older (with regards to the deletion date) than e.g. 90 days. In addition to that it would be nice if a deletion date could be displayed in the "Recycle Bin view". Thanks Best Regards Philipp
  2. 2 points
    If you need to import all of your data from KeePass into Passwordstate, this is the preferred process due to the below Powershell script keeping the correct format of your KeePass database. We'd like to thank one of our customers Fabian Näf from Switzerland for writing this script for us. He did a great job and it's helped out many of our customers.

    This import process will create a Folder with the same name as the XML file you export from KeePass, and it will then replicate the KeePass structure beneath this. For customers not familiar with Passwordstate, the equivalent of a "Group" in KeePass is a "Password List" in Passwordstate. We also have the concept of "Folders" which allow you to logically group Password Lists together.

    If you follow the process below, it should create a Folder with the same name as the XML file you export from KeePass, and it will then replicate the KeePass group structure beneath this.

    Process Start:

    - In Passwordstate, identify and note down your System Wide API key from Administration -> System Settings -> API and you will find it under “Anonymous API Settings & Key”. Ensure you save this page after you generate the new key.
    - Create a Password List Template under the Passwords Menu -> Password List Templates. On this template please set the following options and then save the template:
        - Disable the option to prevent the saving of password records if they are found to be a “Bad Password” (screenshot 1 below)
        - Uncheck the option so the Password field is not required, and enable the URL field (screenshot 2 below)
        - Identify and note down the TemplateID by toggling the column visibility (screenshot 3 below)
    - In KeePass, open your database and export the contents to an XML file. This can be executed from File -> Export -> KeePass XML (2.x)
    - Download the script from: https://www.clickstudios.com.au/downloads/import-keepass-xml.zip
    - Extract this zip file and open with Powershell ISE or the straight Powershell shell, if you prefer
    - You will be prompted to answer 5 pieces of information:
        - The username of an existing Passwordstate user you wish to give Admin rights to all Passwords imported during this process. Generally you would just enter your own Passwordstate UserID here as you can modify permissions later, and an example format for this is halox\lsand
        - Your Passwordstate URL
        - Your System Wide API key
        - The FolderID you wish to create your KeePass structure under. Enter '0' to create this in the root of Passwords Home, otherwise find the Folder ID of any Folder you like and use this when running the script
        - Your PasswordList Template ID
    - It will ask you to browse to your Exported XML file
    - That’s it, the script will now run through and automatically read all of the information out of the XML file, and import it into Passwordstate.

    From here, there are a few other things you might want to consider doing after the script has run successfully:

    - You may want to rearrange your folder structure, i.e. possibly you might want to create some new folders for each of your teams, and then drag and drop existing Password Lists/Folders inside of them
    - Once you are happy with your Folder structure, you should start applying permissions to either Password Lists or Folders using the following video as a guide: https://www.youtube.com/watch?v=QBJE_xD185U
    - Best practices are to use Security Groups to apply permissions, instead of individual users, if possible

    Screenshot 1: Screenshot 2: Screenshot 3:

    Regards, Support
  3. 2 points
    Hi, we just bought the Passwordstate enterprise edition for our company and are very satisfied. Because we are a German company I would like to ask if there are any plans for adding the possibility to change the language to, for example, German. This would be a great feature and would help us to find more user acceptance. Thank you. Kind regards Achim
  4. 2 points
    Thanks Christopher. We finished this work yesterday, and it will be available in the next build. The supported Hash types will be: HMAC, HMACMD5, HMACSHA1, HMACSHA256, HMACSHA384, HMACSHA512, MACTripleDES, MD5, RIPEMD160, SHA1, SHA256, SHA384, SHA512. Regards Click Studios
  5. 2 points
    Thanks, and I can see the issue now - I just tested this also: You have your Invoke-RestMethod inside the json object - although you probably have moved this out by now And the GenericField1 and Description fields do not have a double quote before the single quote for your PowerShell variables i.e. should be "GenericField1":"'+$ServerName+'", instead of "GenericField1":'+$ServerName+'", I know it's hard to see in this forum, but cut and paste the text above and you will see what I mean. Regards Click Studios
  6. 2 points
    I've developed a script, which uses PowerCLI/API (VMware's PowerShell modules), instead of SSH. SSH is by default disabled on ESXi-hosts for security-reasons, and I want to keep it that way. As mentioned, it needs PowerCLI installed on the server (Guide can be found here https://blogs.vmware.com/PowerCLI/2017/08/updating-powercli-powershell-gallery.html). No privileged account needed.

        Function Set-ESXiPassword
        {
            [CmdletBinding()]
            param (
                [String]$HostName,
                [String]$UserName,
                [String]$OldPassword,
                [String]$NewPassword
            )

            # Connect to the host with the account's current credentials (PowerCLI, no SSH)
            try {
                $conn = Connect-VIServer $HostName -User $UserName -Password $OldPassword -ErrorAction Stop
            }
            catch {
                switch -wildcard ($error[0].Exception.ToString().ToLower()) {
                    "*incorrect user*" { Write-Output "Incorrect username or password on host '$HostName'"; break }
                    default { Write-Output $error[0].Exception.ToString().ToLower() }
                }
                # No session was established, so do not attempt the password change
                return
            }

            # Change the password; report "Success" only when the change did not throw
            try {
                $change = Set-VMHostAccount -UserAccount $UserName -Password $NewPassword -ErrorAction Stop
                Write-Output "Success"
            }
            catch {
                switch -wildcard ($error[0].Exception.ToString().ToLower()) {
                    "*not currently connected*" { Write-Output "It wasn't possible to connect to '$HostName'"; break }
                    "*weak password*" { Write-Output "Failed to execute script correctly against Host '$HostName' for the account '$UserName'. It appears the new password did not meet the password complexity requirements on the host."; break }
                    #Add other wildcard matches here as required
                    default { Write-Output $error[0].Exception.ToString().ToLower() }
                }
            }
            finally {
                # Always close the session opened above, and only that session
                Disconnect-VIServer -Server $conn -Confirm:$false
            }
        }

        Set-ESXiPassword -HostName '[HostName]' -UserName '[UserName]' -OldPassword '[OldPassword]' -NewPassword '[NewPassword]'

    Regards Stefan
  7. 2 points
    As stated by support, Copy & Link is available between as many lists as desired. Add a custom field, add your 'tags'. Make sure the field isn't encrypted so that it is searchable. We've done this to make it easy to find passwords related to applications or services; and another custom field so we can search by server name. It'd be wonderful to link security items through to hosts that exist in the system rather than using a custom field for it, but it's not a big deal. A drop down field with simple 'True' 'False' or 'Yes' 'No' values would achieve this. The first value you set in the field is the default value when creating new security items. Radio buttons would also achieve this - you can only select one radio button at a time, so it's either true or false.
  8. 2 points

    Temporary access

    Hi Kinglsulgard, Thanks for your interest in our software and we do have a couple of options that you can try to resolve this problem:

    First solution: I don't think this is what you are after but we have a feature called remote session launcher. This allows you to remote into machines on your network without the need to enter a username and password. You could give your contractors access to this feature, and they do not even need to know the password. This means they will connect to the machine using a username and password that you have pre-configured, and they can then perform their work. As long as they don't need to know the password to do their work, this might be a good option for you. Here's how to set up the Remote Session Launcher: https://www.clickstudios.com.au/community/index.php?/topic/2110-how-to-set-up-the-remote-session-launcher-passwordstate-8/ Here's how to use the remote session launcher without even knowing the password: https://www.clickstudios.com.au/community/index.php?/topic/2112-remote-sessions-without-access-to-password-credentials/

    Second Solution: Give the user Time Based access to the individual password, and force the password to be changed once that access runs out. To do this, go to the permissions on the password from the Actions Menu: And then choose the user to grant access to on the access permissions tab, and then on the time based access tab do something like this: If you take this one step further, and set up the account for automatic password resets, Passwordstate will also reset the password on the remote system. An example of this is if you are giving your contractor access to a privileged Active Directory Account, when their time based access runs out, it will reset the password in Passwordstate, and also it will reset it in Active Directory, keeping them in Sync. Please see this forum on how to set up automatic password resets for remote systems, and the Active Directory link is down the bottom: https://www.clickstudios.com.au/community/index.php?/forum/31-password-resets/

    Third Solution: This may also be suitable for you, our Password Check Out/Check In feature: https://www.clickstudios.com.au/community/index.php?/topic/1687-using-the-password-check-out-feature/&tab=comments#comment-3368

    Hope this helps! Support
  9. 2 points
    Hello HA4g3n, We cannot really use a gMSA account here, because we need to 'Impersonate' the account in code when performing backups and upgrades, and when impersonating you need to specify the password for the account - which is not possible for gMSA accounts. We did finish this feature request yesterday, and it will be available in the next release. Regards Click Studios
  10. 2 points

    New phone when using Google Auth

    Hi Greg, If you go to the screen Administration -> User Accounts, you can email the user a copy of their QR Code - basically it will be a link which takes them back to the Passwordstate web site, where they can scan the QR code in. You will find this option on the Authentication tab for the user's account. Regards Click Studios
  11. 2 points
    Hi Greg, We'll need to consider your request in a future release - maybe we could extend the feature where you can copy and link passwords, but allow you to have unique values on certain fields, instead of exact copies. Regards Click Studios
  12. 1 point

    HTTP Security Headers

    Good afternoon, I recently implemented OWASP's HTTP Security Headers Best Practices on our Passwordstate install. This may be something you want to consider implementing out of the box to further increase the overall security of the platform when deployed. From what I can see, the following settings would work for most installs. Sure, there will need to be some tweaks for those that have additional requirements/integrations.

    Here is a link to OWASP's HTTP Security Header Best Practice: https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Best_Practices

    Scott Helme's SecurityHeaders.com checker: https://securityheaders.com

    Here are the settings I found to work:

        Strict-Transport-Security: max-age=31536000
        X-Frame-Options: SAMEORIGIN
        X-XSS-Protection: 1; mode=block
        X-Content-Type-Options: nosniff
        Referrer-Policy: strict-origin
        Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self'; connect-src 'self'; font-src 'self' fonts.gstatic.com fonts.googleapis.com; form-action 'self'; connect-src api.pwnedpasswords.com
        Feature-Policy: accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'

    The one thing that caused some flags was the "unsafe-inline" and "unsafe-eval" in the CSP policy. This is something that would have to be reworked on your end... I hope others find this useful as well. Kyle
  13. 1 point
    Okay, the restore of the VM snapshot would have caused this - it looks like your VM Snapshot was old, back when you were using an older build of Passwordstate. Basically your files and database are now out of sync. To fix this, can you please follow section '5. Manual Upgrade Instructions' in the following document - https://www.clickstudios.com.au/downloads/version8/Upgrade_Instructions.pdf Regards Click Studios
  14. 1 point
    Hey Buckit, We'll take a look and see if this will be a simple change. If it is we'll include it in a future build. Regards, Support
  15. 1 point
    Hi Jimmy, We'll schedule an Internet outage at the office tomorrow, and see if we can replicate your issue again - it's currently 7pm in Australia. We'll let you know what we find. Regards Click Studios
  16. 1 point
    Hi Findus, Yes they can, and the SQL Server Replication will take care of this - changes in the DB are replicated almost immediately between the two SQL Servers. Regards Click Studios
  17. 1 point

    Bug report: password dependencies

    Personally, I'd expect one to be able to edit anything one has added Nothing's set in stone. Wait what? O_o Time to hit the manuals again! You mean to say that I don't have to manually add 150+ dependencies for that task that runs on all my boxen? NICE!
  18. 1 point
    Thanks Buckit - looks like we've also got a lot more learning to do
  19. 1 point
    Hi Achim, We already have a feature for this, and you can find it on the screen Administration -> Password Lists, and then from the 'Perform Bulk Processing' dropdown list you can select 'Bulk Copy/Move Passwords'. Regards Click Studios
  20. 1 point

    Bug report: Linux password reset script

    Thanks Buckit. And Sarge and us are from Australia, so I can guarantee you that we have more "colorful analogies" than you do
  21. 1 point
    Hi Yoshi Have you enabled the "Anonymous API" and did you use the key for this API? (take a look at the screenshot above from Clickstudios). Best regards, Fabian
  22. 1 point
    Hello HA4g3n, We'll do some testing again with Server 2016, but that is the Version 8 install. Hopefully we can make a small tweak to the script and it should work for you - we'll let you know. Regards Click Studios
  23. 1 point

    Auditing Use of Remote Session Launcher

    Hello, Yes, if you go to the Auditing screen in the Administration area, there is an Activity Type called 'Remote Session Connection' - this will give you what you need. Regards Click Studios
  24. 1 point
    Hi Greg, At this stage we only support the two fields, but we do plan on extending this in a future release. Regards Click Studios
  25. 1 point

    SSH Keys

    Hello, What most of our customers do for this is configure a Generic Field for this, and select the option to encrypt the field (I believe this is what you've done). On the Passwords Grid, you can then choose not to show this column, as it would be quite wide on the screen - click on the 'Screen Options' button to do this. Another option is to attach the SSH key as a 'document' to a password record. For our remote session launcher, unfortunately we haven't found a solution for this. Putty requires the SSH keys to be stored locally on the file system, so that it can reference them when authenticating. Obviously having them stored in the database doesn't help with this. I hope this helps a little. Regards Click Studios