Leaderboard

Hello, From time to time users are asking if there is a "Dark Mode" available in Passwordstate themes. It would be a nice feature for improving the user experience.

Hi Everyone, Build 9849 of Passwordstate has been released, along with a new version of our Browser extensions for Chrome, Edge and Firefox that now supports Passkeys. The browser extension versions are also 9849 and should have automatically updated in your browser. Currently this is a beta build of the Passkeys functionality, and we'd appreciate if you notice any bug to please log a support call with Click Studios via this page: https://www.clickstudios.com.au/support.aspx You'll need to upgrade your core Passwordstate application tot he latest build by following this guide: https://www.clickstudios.com.au/downloads/version9/Upgrade_Instructions.pdf Once upgraded, you'll find a new section in the Help -> Browser Extensions Manual called "Web Authentication Passkeys" that will help understand how to use this new feature. Supported website can be found at this link: https://passkeys.directory/ Thanks to all for your feature request, and if you run into any issues with it, or have any questions, please let us know! Regards, Support

Hi Guys, We've finished this feature, and it will be available in the next build - about 1 to 2 weeks time. Regards Click Studios

I request a Passwordstate add-on for Splunk. The add-on should aid organisations in parsing the syslog ingested from Passwordstate, in line with Splunk Common Information Model (CIM).

We would like the ability to use our Yubikey (FIDO 2) to authenticate with the browser add-on instead of a Master Password set in Passwordstate. Our users get confused having their domain credentials for logging into Passwordstate portal then separate master password for the browser addon. Would like to replace master password with yubikey auth.

Hi Guys, We will be making this change for version 10, which we're currently working on. Regards Click Studios

Hello, This functionality will be coming in version 10, which we are currently working on. Specifically, the following - at this stage we do not have a release date for V10 though. Hosts 1. Adding a Host record 2. Deleting a Host record 3. Searching for Host records Host Folders 1. Add Host Folder 2. Delete Host Folder 3. Search Host Folder 4. Add Host Folder Permissions 5. Delete Host Folder Permissions 6. Add Host Records into Folder 7. Remove Host Records from Folder Remote Session Credentials 1. Add Remote Session Credential 2. Update Remote Session Credential 3. Delete Remote Session Credential 4. Search Remote Session Credentials 5. Add Remote Session Credential Permission 6. Delete Remote Session Credential Permission 7. Search Remote Session Credential Permissions Regards Click Studios

It would be fantastic to be able to customise what fields are included in the reports that can be scheduled. For example a Password List used to store SSL certificates with a number of custom fields; currently the report only shows the title and expiry date as we don't use any of the other default fields - we'd love to be able to select which fields to show on the report (exclude empty fields and include custom fields). If they could be scheduled from the administration area as well rather than in a specific users context that would be great as well so all administrators can see/modify the reports easily. If the wording of the report email could be customised in the same manner other email templates are. Ability to allow users to run reports without giving them the reporting security administrator role. (We have separate accounts for security administrator roles).

Just heads up we are hoping to get Version 10 out by the end of quarter 2, 2024 now. This date may still change, depending on development hurdles. Regards, Support.

Just a heads up everyone, we are currently working on this feature, and will report back here once complete. Thanks, Click Studios Support.

Hi Everyone, We have released a new build of Passwordstate today, build 9823 which should fix this issue. We have also had to submit a new extension to each of the stores, so you'll need to wait until your browser automatically updates those extensions before testing this again. Chrome and Firefox seem to be pretty instant in terms of approving the new extensions, but Edge seem to work on a 7 day schedule...Date of writing this post is 19th October in Australian time. Please let us know if this doesn't help! Regards, Support

Hello Valentijn, This feature will be coming in version 10. Regards Click Studios

Hi Guys, We are working on synchronizing Azure AD user accounts and security groups in version 10, which we believe will somewhat help with this feature request. With SAML authentication, you can also use Azure MFA for this already as well. Regards Click Studios

It would be great to be able to include attachments in self-destruct messages. For example, send an SSL certificate and the password to access it both in a self-destruct message.

I would very much like to have a complete list of configurable default settings in a spreadsheet format listed by feature/section. This would enable the opportunity to document and keep track of all changes over time. Thank you, Rene

Within Password State it would be handy to be able to publish a broadcast message which will placed on a logic visible location, like in the top bar of the password state UI, this way all password state users will be able to see the message. For example, to heads-up on an upcoming password state maintenance window due to application upgrade and/or OS updates. Currently maintenance window outage notifications can only be send using email, but, this is less and less being used as a common communication method. Example is how gitlab has introduced this feature Broadcast messages | GitLab which you can utilize within GitLab Maintenance Mode | GitLab

Hi there! Is there any roadmap for upcomming Passwordstate releases/features for 2024? I've read a few times there is upcomming a Passwordstate V10 Major Version. Are there any plans for that? Greetings!

Inevitably someone had to bring this one up. In the current interface, the tab bar with the "Passwords", "Hosts", "Administration", doesn't play nice with the most pervasive Dark Reader extension, so just making that play nice would make it look okay for Dark Reader users. But a native dark theme would be wonderful.

A customer has requested the following functionality: "Would be great to be able to manage\modify and delete password lists via API.". Specifically fields and settings on Password Lists. Regards Click Studios

Would be great to have the option to select "TLS" as protocol for Syslog Server, beside UDP and TCP: RFC5425 - Transport Layer Security (TLS) Transport Mapping for Syslog https://datatracker.ietf.org/doc/html/rfc5425

API Keys - Timestamp them at creation so that we can report on the age of each API Key (It will help us ensure we rotate API keys as per our company policy)

Folders can only be created via the system wide API key, same goes for adding Password Lists from a Template to the folder. We need a way via API to add folders, add password lists from template, add/modify/remove password list permissions and have the API user NOT be able to read/change any passwords in existing password lists. We tried the Windows Integrated Auth API, unfortunately to be able to see if the folder already had a password list required us to give that API user View permissions on the Password List Template or Password List which also allows them to view any password records in that list. As a large organization, we try our best to follow the least privilege model including API users.

Hello Robert, Yes, we have information in the following manual - just search for kerberos - https://www.clickstudios.com.au/downloads/version9/Passwordstate_Remote_Session_Management_Manual.pdf Regards Click Studios

Hi Ralph, The following in the API documentation will help with this. Regards Click Studios

We would like to see native authentication options within the browser extension as on Passwordstate Web Portal. To be more specific, the browser extension should perform the exact same authentication flow as when trying to login to the web portal. Users within an organization should generally not handle any kind of "Master Passwords" with some very rare exceptions. Instead most (and probably all larger companies) try to create a unified authentication experience with some IDPs like AzureAD. In our case we integrate using SAML2 with AzureAD, where authentication, SSO, MFA, device compliance check and so on is performed. We do this for all internal applications in our organization and it´s the best suitable and manageable way with a great user acceptance. Handling master passwords would be a security concern because users could simply store those password in an text file on the desktop f.e. which is practically impossible to control / audit. As we are humans, something like this will happen. It is also a security concern as this eliminates the MFA / device compliance process in our case. Also this is not a comfortable way and user acceptance of the browser extension is very limited. In our organization users prefer to login to Passwordstate web portal and copy the credentials they instead of managing a master password. I understand that changing this behaviour is a lot of work because of existing API architecture and so on, but at least in my opinion this is the most needed feature from all.

Feature request: Master list, not necessarily per-user based, whereby aliases / "Similar" URL's can have access to the same password. For example, Office 365 can use those credentials across MANY different URLs, including: office.com office365.com live.com outlook.com sharepointonline.com microsoft.com - These all point to various Microsoft pages / portals, and are frequently be based on the same Microsoft ID (same password entry). - In some cases, you might use one URL to get into a site, and depending how you log out, you might end up at a different URL for re-entry in. Request is to be able to map these aliases across the entire password system as a default. There is always a concern that this list be compromised - if the overall system considered a fraudulent site as an acceptable alias, there would be deep concerns of compromised credentials.

+1

Hello, Thanks for your request. Please be aware though that under no circumstances do we send credentials to any third party services, including Have I Been Pwned. Please see there documentation here, for how their API works - https://haveibeenpwned.com/API/v3 Regards Click Studios

Passkey adoption, Passkey Manager and integration into the App would be fantastic!

Issue: You are trying to configure the Passwordstate browser extension but are getting a Connection error, server not available error message, or Error, connection timed out and the browser extension icon stays Red in colour Troubleshooting Steps: Please follow this process below to capture the network traffic when this issue occurs, and forward that onto Click Studios support for analysis. Step 1: Click on the Manage Extensions button Step 2: Enable the Developer Mode option, and then click Background.html link, and this will open a separate browser window with the developer tools Step3: Log into Passwordstate, then try Logging into the extension Step 4: This will generate some traffic under the Network tab in the Developer tools window. Save the output to a .har file and forward that onto Click Studios support to look at. Regards, Support

Hi Mordecai, The only other API functionality we think we'll be adding at this stage is related to documentation, specifically searching for documents. No changes will be made to existing API code so your existing scripts won't be affected, and we'll be releasing the first build of Passwordstate 10 as a beta to all users. Normally we'll run the beta for about 2 months and fix any issues that were reported before the first stable version is released. Regards, Click Studios.

There is a STIG requirement to reset KRBTGT password every 180 days: The password for the krbtgt account on a domain must be reset at least every 180 days. (stigviewer.com) It would be nice to be able to have Passwordstate handle this in the recommended manner; which is to reset the password twice with at least a 10 hour pause between each reset. AD Forest Recovery - Resetting the krbtgt password | Microsoft Learn We're currently doing this through a custom script and the API; but native support would be appreciated.

Unfortunately, that's what I thought - hence, feature request! In a MSP environment, or when handling multiple clients, this feature would be crucial for usefulness. Eg: We've got approx 60 Office 365 accounts in our Passwordstate intsance. Having to create and maintain the appropriate aliases for each of these accounts would be a challenge. Same with some multi-domain vendor sites, partner sites, toolsets, etc....

+1

We are trying to work on this for version 10 guys. It's an enormous amount of work, with over 400 pages to update and test, tweaking of all the Telerik controls, as well as a series of new icons. We are going to need to also limit some UI customizations in V10 for this new theme, so it does not alter the aesthetic of it. Regards Click Studios

Thank you so much for this post. I came to the forums to find out if anyone else was unhappy with this new Master Password requirement and discovered how to properly manage the system instead. This makes things much better. As always, I still love and recommend this product over any other out there.

Hello Magnus, Yes, that is correct. They will need to login to Passwordstate at at least once though, so authenticate with the new functionality. Regards Click Studios

HI Szu, Today we have released build 9823 of Passwordstate which should fix this issue. Can you please upgrade and test and if there are any issues with this let us know? Regards, Supprot

For an automation process we have, we would need to create a large number of password lists in one Passwordstate folder for an 'admin' account. Those password lists will be shared with exactly 1 person, and contain a password to a service. We would like those people to be able to access Passwordstate API to retrieve said passwords. The users can't use WinAPI, as the machine they will be accessing Passwordstate API from, doesn't have an AD account for them. Hence, the users are limited to using the default API. To connect to it, they need to have an API key. However, we can't generate nor set an API key for them programmatically. We can't generate API keys manually, as it's too much manual work on our end. We can't let users generate their API key themselves, because for that they have to have at least M or A priviledges, and we would like to have them limited to V. Hence, we would like to have a WinAPI endpoint to generate \ set an API key for a given password list. Do you think it sounds reasonable?

Hi Everyone, This unfortunately is a bug in 9811. In this build, we upgraded the .dll library we use to zip up the backups, and for some reason this new library won't zip the file because it found a new file that is in use within the Passwordstate install folder. Only some of our customers are seeing this. We'll have this patched in the next build of Passwordstate we release, but for now please contact support and we can give you the custom instructions that KC_BREC mentioned above: https://www.clickstudios.com.au/support.aspx Regards, Support

As of build 9360 One Time Codes cannot be exported from the system, when exporting passwords from a List. This feature request is to add in OTP codes when performing an export to CSV.

Hello Mark, We need to update the wording on this screen, as it has not been done since we've added the App Server feature. The message is referring to the 'Primary Server' Server Role, you see on this screen. So there are no issues with you deleting the App Server role here. Regards Click Studios

yes please Dark Mode experience theme

+1 Would be great to have far more flexibility in Email Templates & Reports so that they can adhere to the organisations standard email template for things such as notifications, outages etc. Being able to use HTML in the templates so we can embed images.

I would like to request the option to silently install PasswordState so I can incorporate it into an automated deployment. There used to be a PowerShell Script Clickstudio provided to make this happen in the past but sounds like it is no longer supported with the new MSI installer. Once the unattended options are worked out and can be passed to the MSI installer, then it can easily be added to a Chef cookbook, packaged up in a Chocolatey package, or any automated packaging system. I rely on being able to quickly build out test environments to test new features of passwordstate. Maybe a more futuristic request is to provide a VM appliance of the passwordstate that we can drop into our environment and wire back into our existing DB data....or maybe create a container version of the service would be cool. This may already be in your roadmap for the product eventually but I'm seeing allot of our IT tooling starting to be available as containers options. Just incase you got that crazy dev that wants to do that you should let them investigate that setup. 🙂

Topic: In this forum post we'll describe how you can update multiple records with the same password, by using a Password Reset Dependency and a Powershell API script. Passwordstate has the ability to copy and link password records between two Password Lists, but this means everything with these two records is identical, including the username. If you have some requirement to have the same password to log into two different systems, but with different usernames, this forum post will guide you how to do this. First, let's take a look at these two Password Records. Our goal here is to trigger a reset on "Passwordstate Service Account" record, and then have our API script automatically update the "Passwordstate Sharepoint Account" password to be the same value. Take note of the PasswordID for this second record: Now, let's browse to the Powershell Password Resets page: Add a new Blank Script: And then click on this new script to open the editor. Paste in the code of your choice. The code in this screenshot below will be copied in at the end of this post for your reference. In the screenshot below, you can see you have a number of Variables you can insert into your script. These values are pulled directly from the master Password Record, and in this example, I'll be using the [NewPassword] variable. This just means, when the password for the master record is reset through the User Interface, then that new password it is reset to will be passed to your script: We'll now add in a new Password Reset Dependency on the master record: Click the Add Dependency button: And select the Custom Script you wrote. Also, ignore the Windows Account Dependency type, and Save this config: The Master Password now has "1" dependency, and triggering a Password Reset on this master record will proceed as per normal and queue up the reset. In this example, it's also going to reset the password for the account in Active Directory: Once the master password has successfully reset, it will trigger your Powershell API Script, which in turn triggers a new password reset on the Sharepoint account: And the end result of the two successful Password Resets, means these two separate accounts, will have the same password: Powershell Code to Update an Existing Password, using the Standard API (Requires API Key) $PasswordstateUrl = "https://passwordstate.clickdemo.com" # Define values for the Password List in below array $Body = @{ PasswordID = "1045" Password = [NewPassword] } # Convert Array to Json $jsonData = $Body | ConvertTo-Json # Execute the command $FullUrl = "$PasswordstateUrl/api/passwords" Invoke-Restmethod -Method Put -Uri $FullUrl -ContentType "application/json" -Body $jsonData -Header @{ "APIKey" = "8c5423d3e9a7bf6ad6cf8e457392b3d6" } Regards, Support

We would like to request the same. We have been using PasswordState for a long time (8 or 9 years?), and have added it to our SIEM for correlation. The major issue is that the Syslog messages are far too "English" to be easily parsed with Regular Expressions. Having an option to send the data in a structured, machine parsable, way would make ingestion into a SIEM much easier. We don't really care which standard is followed, so long as it is consistent. Formats typically supported by SIEMs are: LEEF CEF JSON Key Value Pairs (key1='value1' key2='value2' or key1: value1; key2: value2) We would be looking for the following information in the logs (not necessarily in this order): For password operations: Operation Performed Who performed it (domain\user or user@domain.net, display name is optional, or API) Client IP/hostname Result (Success/Fail) Full path to password list (group/folder structure) PasswordList ID PasswordEntry Title PasswordEntry ID PasswordEntry Username For authentication events: Authentication could be split across multiple logs Authentication against Primary Authentication Server Authentication against additional Authentication server (eg. MFA, token, etc) For these we would expect Authentication Server Name Authentication Method (AD, LDAP, SAML, OAuth, etc) Auth status (success/fail) Auth status reason (if available) eg. account locked, account disabled, account does not exist, etc For host operations: Operation Performed Who performed it (domain\user or user@domain.net, display name is optional, or API) Client IP/hostname Result (Success/Fail) Full path to host (group/folder structure) HostEntry ID HostEntry Hostname HostEntry Site HostEntry IP Connection Port Some additional information may be useful, but this would be among the minimum critical information. Hopefully enough people are interested in this to make it happen. Regards, JohnB

It'd be useful to be able to set a different 'send from' address for self destruct messages

Hey! For the use case I have in mind, it's a Linux machine with no AD account on it. I am aware of the possibility of running WinAPI on Linux, but that won't work as the users can't use DefaultCredentials (bcz of lack of AD account on the machine), and if they were to provide their AD password directly to WinAPI with plaintext credentials - it will completely defeat the purpose of using Passwordstate. We aim to use it to avoid passing AD password in plain text to perform SSO, but rather retrieve a password from Passwordstate programmatically, where we can limit the potential disaster effect of revealing the auth method to Passwordstate. If an API key leaks - we have 1 password compromised (as there's only 1 password in that password list), but if an AD password leaks - we have the whole Passwordstate database for the taking. Thus, generating plain API keys using WinAPI would help us tremendously. Hope that makes sense.

Hi Folke My final solution (workaround) in this case was to update the guide directly in the database, below some snippets from my Powershell script. I have to say, that this is very dangerous and can lead to a corrupt database if you're doing something wrong! So be very careful with this!! $global:PasswordstateSystemWideAPIKey = ''; Import-Module SQLPS -DisableNameChecking Push-Location cd SQLSERVER:\SQL\localhost\DEFAULT\Databases\passwordstate Function UpdateGuideOfPasswordstatePasswordlistOrFolder() { Param ( [Parameter(Mandatory=$True,ValueFromPipeline=$False,ValueFromPipelinebyPropertyName=$False)] [String]$Id, [Parameter(Mandatory=$False,ValueFromPipeline=$False,ValueFromPipelinebyPropertyName=$False)] [String]$Guide ) Begin { $Guide = ConvertTextToHtml -text $Guide } Process { $Header = @{ APIKey = $global:PasswordstateSystemWideAPIKey } try { $query = $("UPDATE PasswordLists SET Guide = '" + $Guide + "' WHERE PasswordListID = " + $ID) Invoke-Sqlcmd -Query $query } catch { Write-Host $_ -ForegroundColor Red Write-Host $_.GetType() -ForegroundColor Red Write-Host $_.Exception -ForegroundColor Red throw $_.Exception } } End { Write-Output ($result | Where-Object { $_.TreePath -eq $Tree }).PasswordListID } } Function ConvertTextToHtml() { Param ( [Parameter(Mandatory=$True,ValueFromPipeline=$False,ValueFromPipelinebyPropertyName=$False)] [String]$text ) Begin { } Process { $html = $($text -replace "\n", "<br>") } End { Write-Output $html } } $dummyGuide = @" This Is A Test Guide Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. "@ UpdateGuideOfPasswordstatePasswordlistOrFolder -Id 123456789 -Guide $dummyGuide Pop-Location Best regards, Fabian