Mike last won the day on August 30 2019

Mike had the most liked content!

  1. Just wondering if this is possible for 1 off usages. My function of "View Individual Permissions" is currently disabled, but I'm not sure if this was because I changed an administrative setting, or how the system is built. If we wanted to "share" a password, I was thinking that our best practice would be to copy a password into a shared list with view permissions only, thus the "owner" could control and update. Would this work?
  2. Mike

    Performance Tweaks?

    What should my expectations be for Passwordstate website browsing? Are there any tweaks or settings I can change on my infrastructure to speed up the website loading of password queries? I'm in a small environment with the recommended server build (2016) in a VM environment. I've found that when I use the "password" search query, I find that the searches are very fast - almost instant. When I use the "Password or Host" field, the whole query takes about 3.5 seconds. First it reloads the password frame of the page, with no passwords showing. Then after a moment it updates to show the passwords. <- this is the lag that I find somewhat out of place. Is this on par with what I should expect?
  3. Just an update - I've been testing more sites and can see this occur with regular frequency. In the URL field for a site, we've pulled the full login URLs into the URL field. This enables someone to click the globe icon to login immediately. Most of these sites have some sort of domain.com/login.aspx or domain.com/login path. Passwordstate seems to prompt "Would you like to save" if the next page redirects to a subdomain (success.domain.com), or adds a path to the URL (domain.com/ I've found that I can add "domain.com" to the ignore list, and that seems to not prompt, and then I can manually select it to fill, but that's not our preferred option either. I know y'all are working hard. I'm more than happy to provide more feedback data if needed to help make improvements!
  4. The site in question is powerdms.com and we currently have a subscription. I'd be happy to reproduce. I modified my url setting to be the root of the domain, and a single ignore entry prevents the message from reappearing, but it also will no longer autofill now. EDIT: Weird - I was trying to reproduce, and now through a series of adding the site, relogging in, logging out, and deleting the site - I can't get the prompt to pop up again. I'll let you know if this comes back.
  5. Hi, We have a few vendor websites that work and auto-fill correctly with the browser extension. However, after logging in, the extension will re-prompt to save it as a new website right after. This wouldn't be a big deal if we could use the workaround to ignore it, but I found that: *If I did ignore it, it wouldn't login at the startup page anymore. *After logging in manually, it would continue to prompt to save the website. I found out eventually that I had some 50 odd entries in my "browser extension ignore" setting, because I kept clicking ignore and they were all the same URL. (Btw, it'd be nice if I could multi-delete from that screen). Any thoughts or workarounds? The URL domain is the same before and after (https://somecompany.com/login/ui) and (https://somecompany.com/home) PS. I've reproduced in both Beta and current version of the extension.
  6. Mike

    Secure the Notes Field

    Oh, I didn't mean encrypt all notes fields, but I was just thinking of our use cases. We're still working out best if we should allow visible passwords, or use the "hidden" ones for shared web logins. The issue is that we also want/need to store answers to "recovery questions" that often come with these accounts. As suggested, we could add generic fields to the template, but I'm trying to keep things simple for my users and only show as minimal information as necessary. Not all passwords would need three additional question fields, as an example. Thanks!
  7. Is there a way to make the "Notes" field of a password secured? We're in the position where some web-logins need to be shared. We can use the standard URL logins just fine, but are wondering where to record/save the "Security questions" that often come with web forms. Even if we did a "hide password" password list, we realize that someone would still be able to see the notes/security question in order to reset the password - should they want to. Any ideas on how to work with/around this?
  8. Mike

    Mobile Site - Changes with 2FA

    Update: I see that the "passcode" field is actually intended for DUO's number PIN and not an AD "Password" or other associated field. It somewhat makes sense to me now. I got the AD+DUO method to work after putting in a DNS entry so our DMZ server pointed to the internal server via the "internal" URL designated address.
  9. Mike

    Mobile Site - Changes with 2FA

    I'm using "DUO Authentication" as my authentication method for the mobile site. I've tried multiple browsers and the passwords are plain visible for me. I did some more testing, and it seems like the page is dependent on the option selected. I just saw that "AD + DUO" is also an option. After changing to this method, the Password field is obscured, but my AD password isn't working together. Error message: "Incorrect Login Details. Please try again". The audit log shows an error: "Failed 'AD Authentication' login attempt as an exception has occurred. Error = The remote name could not be resolved: 'passwordstate.domain.local'" (changed the url) I'll keep troubleshooting this.
  10. Looking for a secure method of "remote" access that's convenient to users without exposing the PS server to the Internet. Method 1 is to use VPN for laptops. The second method is to use DUO for the mobile site. The PIN method isn't secure enough for our needs. In testing, I think this will work, but two requests. When enabling this configuration, I noticed the following. Can we obscure the password as it's being typed into the password field? Or maybe have a "show/hide" button (default hide). There's a passcode login button present, even though it won't work (we require the 2fa). My HTML is a little rusty, but is there a file I can modify manually to make these changes for my install? (Edit: Doesn't look like it) Thanks again!
  11. Mike

    Offline Access

    Not all passwords stored are for web or online services. As an IT Administrator, the "keys to the kingdom" need to be stored in a secure location. Any type of contingency or failover plan can often require the original, root, or administrative accounts. I've tried to design around this, but sometimes it's needed. My thoughts definitely make use of an audit log. I personally like a "check out" feature, or "hold offline" password marker so that I can designate which ones I need (or not). Another solution I used encrypted the cache, but also required the device/app to check in every so often else items would be destroyed/inaccessible. An "export all" feature is different to me than offline access. It might just be more of a report for terminated users and "what passwords do we need to change". Customers love using a common account and sharing passwords - until they can't anymore.
  12. So far I've only tested the browser extension using an internal domain address. With more of our applications moving to Cloud Providers, my desire is to have the extension work while remote/laptops users are able to use the internet, but not necessarily on VPN. An offline method is not necessary, because you can't use cloud providers without internet. I can see that I can put in an alternate/external URL for the browser extension. Will the mobile site URL work? Or would this be for redirecting traffic directly back into the passwordstate server? For security reasons, I've put the mobile site in the DMZ. However, in usage reality, 95% of the usage would be for the browser extension for my users. Cheers!
  13. Got it. Thanks for the hints. The local error gave me the same errors as in the event logs. It pointed me to a connection error. As a result, there were a few things that I needed to go down as we're using SQL Express with our install. I tested using SQL Management Studio from other machines to try and connect remotely. 1. By default, SQLExpress doesn't allow remote connections. The remote connection needed to be enabled and a static port set, like 1433. (See any internet guide) 2. Since it's a named instance (SQLEXPRESS) and not the default, SQL Browser also needs to be enabled for the connection to work. (This wasn't as common to be listed). 3. Add appropriate local firewall rules (if applicable). 4. Make sure the DMZ server can see the internal server via hostname. I used the hostfile as it makes the most sense to me. Our DMZ servers don't have access to our domain controllers/DNS. 5. Add appropriate access rules & NAT rules for your DMZ. As a one man IT shop, it'd be great if these were in the documentation going forward.
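
The checks behind steps 1, 2 and 4 of the post above can be run from the DMZ server in one pass. This is an added example, not part of the original posts or of the Passwordstate documentation; the hostname `pws-sql01` is a placeholder, while the instance name and port are the ones the post mentions.

```powershell
# Added example: run on the DMZ web server. Values marked "placeholder" are assumptions.
$SqlHost  = 'pws-sql01'    # placeholder: internal database server hostname
$Instance = 'SQLEXPRESS'   # named instance from the post
$SqlPort  = 1433           # static TCP port from the post

function Test-NameResolution {
    param([string]$Name)
    # System resolver, so a hosts-file entry is honoured (step 4)
    try   { @([System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object IPAddressToString) }
    catch { @() }
}

function Test-SqlBrowser {
    param([string]$Name, [string]$InstanceName, [int]$TimeoutMs = 3000)
    # SQL Browser answers on UDP 1434 (step 2). Request: 0x04 + instance name + 0x00.
    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        $udp.Client.ReceiveTimeout = $TimeoutMs
        $req = [byte[]](@(0x04) + [System.Text.Encoding]::ASCII.GetBytes($InstanceName) + @(0x00))
        [void]$udp.Send($req, $req.Length, $Name, 1434)
        $from = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
        $resp = $udp.Receive([ref]$from)
        # Reply: 0x05, 2-byte length, then "ServerName;...;tcp;<port>;;"
        if ($resp.Length -gt 3 -and $resp[0] -eq 0x05) {
            return [System.Text.Encoding]::ASCII.GetString($resp, 3, $resp.Length - 3)
        }
        return $null
    }
    catch   { return $null }   # timeout or ICMP unreachable: Browser stopped or UDP blocked
    finally { $udp.Close() }
}

$addresses = Test-NameResolution -Name $SqlHost
$browser   = if ($addresses) { Test-SqlBrowser -Name $SqlHost -InstanceName $Instance }
$tcp       = if ($addresses) {
    (Test-NetConnection -ComputerName $SqlHost -Port $SqlPort -WarningAction SilentlyContinue).TcpTestSucceeded
} else { $false }

[pscustomobject]@{
    Host           = $SqlHost
    ResolvedTo     = $addresses -join ', '
    BrowserReply   = if ($browser) { $browser } else { 'none (SQL Browser off or UDP 1434 blocked)' }
    AdvertisedPort = if ($browser -match ';tcp;(\d+)') { $Matches[1] } else { $null }
    TcpPortOpen    = $tcp
} | Format-List
```

If `AdvertisedPort` differs from the port opened in the DMZ firewall rule, the instance is still on a dynamic port and the static port from step 1 has not taken effect.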
  14. Per Best Practices, I'm putting up the mobile site in a DMZ and followed the installation instructions for installing the Mobile Client. I copied the 4 keys over and added the hostname to my install. Unfortunately, I'm getting a "Server Error in '/' Application" for IIS. The details aren't helpful as it just shows that I haven't turned on custom errors. Where should I start for troubleshooting? I've somewhat inherited this project from someone who left, and he set up the primary server. There's not too much in terms of specifics in the documentation though. I've opened up firewall holes between the two servers, and am somewhat all permissive as I troubleshoot this issue. The DMZ server is also NOT domain joined, per best practices. I set up DNS so that the DMZ server can see the PWS server via its hostname, but let me know if that makes a difference. Obviously, the two servers are on separate subnets and VLANs. The one error in the event log has an ASP.NET error (Event ID 1309) and alludes to an error in the w3wp.exe processes because it cannot connect to the database. I'm going to start troubleshooting database access next, but any other thoughts?
  15. Hello, Sorry if this has been answered before, but I couldn't find a direct answer. Is there a way to have multiple password types in one password list? I'm a part of a small organization, and it doesn't make sense to create multiple lists for multiple types, particularly when shared. As an example, there's a few passwords for facilities people. We would store a variety of items, such as Lockboxes (Box ID + Code), websites (Login + password), and maybe even a corporate card for them. As I'm working with the system, do I have to create a different password list (from different templates) in order for the data fields to fix correctly? I know I can fudge it somewhat and use the website type with username + password and forego the other requirements, but it seems inelegant. I've used other solutions and they have this capability (one list, but different password types). Is there a trick to accomplish this?