parrishk

Reputation Activity

  1. Like
    parrishk reacted to Sarge in MFA - "Remember Me" Option   
    +1
    This certainly has its uses when you have a busy day with Passwordstate and you keep getting idle timed out every 10 minutes.
  2. Like
    parrishk got a reaction from Sarge in MFA - "Remember Me" Option   
    Good morning,
     
    We would be interested in a feature to allow an option for "Remember Me on This Computer for X Days" in regards to entering in a multi-factor authentication token.
     
    This is common for most services that allow MFA so that the user is not prompted for a token each time they log in. This can be tedious when logging into PasswordState numerous times a day.
     
    As a Security guy I can live with it, but I can see the benefit of it.
     
    Details:
    A new computer/browser will always prompt for MFA.
    Option to specify timeout (Hours, Minutes, Days, etc) before prompted again.
     
     
  3. Like
    parrishk reacted to support in Password Extension: Fill on click instead of auto fill   
    Hey Everyone,
     
    Just a quick message to say we are very close to releasing a beta of our new Chrome extension.  Possibly in the next couple of weeks, and this feature is in the new version:)
     
    We'll be announcing the beta release on Social Media soon, and we'll report back here too, and you are all welcome to test it out.
     
    Thanks again,
    Support.
  4. Like
    parrishk reacted to support in multiple authentications   
    Hi Alan,
     
    Thanks for your enquiry and yes this is possible.

    Navigate to the screen Administration -> System Settings -> Allowed IP Ranges tab, specify your "trusted" internal IP ranges, and then select an alternative authentication option to be used when Passwordstate is accessed from an IP Address which is not trusted.
     
    We hope this helps, and please let us know if you have any further questions about this.

    Regards
    Click Studios
  5. Like
    parrishk reacted to support in HTTP Security Headers   
    Hi Guys,
     
    We've added most of these in for the next release, except for Content-Security-Policy - we'd need to do some more investigation/testing to know whether this would impact anything.

    Regards
    Click Studios
  6. Thanks
    parrishk reacted to support in HTTP Security Headers   
    Hi Guys,
     
    We've added the mentioned security headers in build 8600.
     
    Regards
    Click Studios
  7. Like
    parrishk reacted to support in Remove "HiddenGoogleSecretKey" from HTML Source   
    Hi ParrishK,
     
    We've just updated this in one of the latest builds, and the secret is no longer visible to Security Admins.  Please see screenshot below.  Security Admins can now clear the key, which will generate a new QR code the next time the user logs into Passwordstate.  We've made this change to YubiKey, One Time Password and Google Authenticator authentication types.
     

     
     
    If you can perform an upgrade this issue will be fixed:)
     
    Regards,
    Support
  8. Like
    parrishk got a reaction from Jasper in Title in Google Authenticator   
    Jasper,
     
    I'm not sure if they will want to add an option to do this...but it could be handy for those that want to customize it.
     
    In the meantime, you can create your own barcode via the following format:
    otpauth://totp/Passwordstate?secret=XXXXXXXXXXXXXXXX&issuer=Passwordstate
    Just grab the secret from your authentication options page and run it through a QR generator.
     
    I made a simple PowerShell module to generate custom QR codes... https://github.com/arnydo/qrgenerator/blob/master/invoke-qrgenerator.ps1
  9. Like
    parrishk got a reaction from Jasper in Title in Google Authenticator   
    Hey Jasper. I brought this up quite a bit ago but didn't see any updates yet.
     
    It looks like they are not including the "Issuer" parameter when generating the QR codes. Some authenticator apps use this for the Title. Others just use the Label.
     
    I have been generating my own QR codes for a separate application and this works as expected.
     
    The URI should be similar to:
    otpauth://totp/Passwordstate:SmithJ?secret=JBSWY3DPEHPK3PXP&issuer=PasswordState
    https://github.com/google/google-authenticator/wiki/Key-Uri-Format
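The Key Uri Format that posts 8 and 9 above refer to, worked through as an added example (this is not Passwordstate code, nor code from the linked PowerShell module): it builds a URI that carries the issuer both as the label prefix and as the issuer parameter, so apps that title entries from either one show the same name; parses a URI back, including the case where no issuer is present anywhere; and generates and verifies the TOTP codes the secret produces. The issuer "Passwordstate", account "SmithJ" and secret JBSWY3DPEHPK3PXP are the values used in the posts; the second secret is the public RFC 6238 test vector; the one-step verification window is this example's own choice.

```python
"""otpauth:// TOTP key URIs: build one with issuer and label, parse one back,
and generate/verify the codes an authenticator app would show.

Added example for this thread, not Passwordstate's or Click Studios' code.
Issuer/account names are the ones used in the posts; the RFC 6238 test secret
is the public one from the RFC appendix.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional
from urllib.parse import parse_qs, quote, unquote, urlencode, urlparse

# RFC 6238 Appendix B SHA-1 test secret, ASCII "12345678901234567890", in base32.
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def build_totp_uri(issuer: str, account: str, secret_b32: str,
                   digits: int = 6, period: int = 30) -> str:
    """Key Uri Format: put the issuer both in the label prefix ("Issuer:account")
    and in the issuer= parameter, so apps that title entries from either one
    all show the same name. Reserved characters are percent-encoded (%20, not +)."""
    label = quote(f"{issuer}:{account}", safe=":")
    params = {"secret": secret_b32, "issuer": issuer, "algorithm": "SHA1",
              "digits": str(digits), "period": str(period)}
    return f"otpauth://totp/{label}?{urlencode(params, quote_via=quote)}"


def parse_totp_uri(uri: str) -> Dict[str, object]:
    """Parse a TOTP key URI. Issuer comes from the parameter, else from the label
    prefix, else None (the case where some apps show only the bare account)."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    label = unquote(u.path.lstrip("/"))
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    label_issuer, _, account = label.rpartition(":")
    param_issuer = q.get("issuer")
    if param_issuer and label_issuer and param_issuer != label_issuer:
        raise ValueError("issuer parameter and label prefix disagree")
    return {
        "issuer": param_issuer or label_issuer or None,
        "account": account,
        "secret": q["secret"],
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }


def _b32decode(secret_b32: str) -> bytes:
    """Authenticator secrets are often shown lowercase, grouped, or unpadded."""
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None,
         digits: int = 6, period: int = 30) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    t = int(time.time()) if at is None else int(at)
    return hotp(_b32decode(secret_b32), t // period, digits)


def verify_totp(secret_b32: str, code: str, at: Optional[int] = None,
                window: int = 1, digits: int = 6, period: int = 30) -> bool:
    """Accept the current step and +/- `window` adjacent steps for clock drift
    (window=1 is this example's choice); compare in constant time."""
    t = int(time.time()) if at is None else int(at)
    return any(
        hmac.compare_digest(totp(secret_b32, t + k * period, digits, period), code)
        for k in range(-window, window + 1)
    )


if __name__ == "__main__":
    uri = build_totp_uri("Passwordstate", "SmithJ", "JBSWY3DPEHPK3PXP")
    print(uri)
    print(parse_totp_uri(uri))
    print("current code:", totp("JBSWY3DPEHPK3PXP"))
```

Feed the printed URI to any QR generator to get a code that enrolls with the issuer shown as the title; `parse_totp_uri` on a URI with neither a label prefix nor an issuer parameter returns `issuer: None`, which is exactly the situation where an authenticator app falls back to displaying only the label.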
  10. Like
    parrishk got a reaction from Jasper in Title in Google Authenticator   
    Hey!
     
    I will do some testing but it was either the "issuer" or the "label" that was missing and some authenticator apps did not show "Passwordstate".
     
    I'll see which one it was and report back.
  11. Like
    parrishk reacted to Ulf in Have I been Pwned warning message   
    +1
  12. Like
    parrishk reacted to support in Have I Been Pwned? Integration   
    Thanks Parrishk.
     
    During imports, we do recommend turning off the 'Bad Passwords' option on the Password List, as this will allow you to import without any issues.

    Regards
    Click Studios
  13. Like
    parrishk reacted to iCanHazPassword in Have I Been Pwned? Integration   
    You guys are amazing!  I promote your product as much as I can, keep fighting the good fight :)
  16. Like
    parrishk got a reaction from Sarge in HTTP Security Headers   
    Good afternoon,
     
    I recently implemented OWASP's HTTP Security Headers Best Practices on our Passwordstate install.
     
    This may be something you want to consider implementing out of the box to further increase the overall security of the platform when deployed.
    From what I can see, the following settings would work for most installs. Sure, there will need to be some tweaks for those that have additional requirements/integrations.
     
    Here is a link to OWASP's HTTP Security Header Best Practice: https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Best_Practices
    Scott Helme's SecurityHeaders.com checker: https://securityheaders.com

    Here are the settings I found to work:
    Strict-Transport-Security: max-age=31536000
    X-Frame-Options: SAMEORIGIN
    X-XSS-Protection: 1; mode=block
    X-Content-Type-Options: nosniff
    Referrer-Policy: strict-origin
    Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self'; connect-src 'self'; font-src 'self' fonts.gstatic.com fonts.googleapis.com; form-action 'self'; connect-src api.pwnedpasswords.com
    Feature-Policy: accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'
    The one thing that caused some flags was the "unsafe-inline" and "unsafe-eval" in the CSP policy. This is something that would have to be reworked on your end...
     
    I hope others find this useful as well.
     
    Kyle
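As an added example (not Passwordstate code, nor anything from Click Studios or the post above), the linter below reads a Content-Security-Policy value the way a browser does. Browsers keep only the first occurrence of a directive name and ignore later duplicates, so a policy that lists connect-src twice, as the posted one does, never actually allows the host named in the second copy; the linter reports that, flags the 'unsafe-inline' and 'unsafe-eval' keywords in script-src that the post mentions, and points out directives that do not inherit default-src and so must be stated explicitly. POSTED_CSP is copied from the header list above; HARDENED_CSP and the lint rules are this example's own.

```python
"""Lint a Content-Security-Policy value the way a browser will actually read it.

Added example for this thread, not code from Passwordstate or Click Studios.
POSTED_CSP is copied from the header list in the post above; HARDENED_CSP and
the linter rules are this example's own.
"""
from typing import Dict, List, Tuple

POSTED_CSP = (
    "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
    "style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self'; "
    "connect-src 'self'; font-src 'self' fonts.gstatic.com fonts.googleapis.com; "
    "form-action 'self'; connect-src api.pwnedpasswords.com"
)

# Same allow-list with the two connect-src entries merged and the directives
# that have no default-src fallback added. script-src 'self' alone only works
# once the application stops relying on inline script and eval, as the post notes.
HARDENED_CSP = (
    "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; "
    "frame-ancestors 'self'; form-action 'self'; "
    "style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self'; "
    "font-src 'self' fonts.gstatic.com fonts.googleapis.com; "
    "connect-src 'self' api.pwnedpasswords.com"
)

# Fetch directives inherit default-src when absent. frame-ancestors, form-action,
# base-uri and sandbox do not, so leaving them out leaves them unrestricted.
FETCH_DIRECTIVES = {
    "child-src", "connect-src", "font-src", "frame-src", "img-src", "manifest-src",
    "media-src", "object-src", "script-src", "style-src", "worker-src",
}
UNSAFE_KEYWORDS = {"'unsafe-inline'", "'unsafe-eval'"}


def parse_csp(policy: str) -> Tuple[Dict[str, List[str]], List[str]]:
    """Split on ';' into directives. Per the CSP spec only the first occurrence
    of a directive name is kept; later duplicates are dropped, and reported here."""
    directives: Dict[str, List[str]] = {}
    findings: List[str] = []
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        if name in directives:
            findings.append(
                f"duplicate directive '{name}': browsers ignore it, so "
                f"{' '.join(sources)} is NOT allowed")
            continue
        directives[name] = sources
    return directives, findings


def effective_sources(directives: Dict[str, List[str]], name: str) -> List[str]:
    """What the browser enforces for `name`, including default-src fallback.
    An empty list means the directive is unrestricted."""
    if name in directives:
        return directives[name]
    if name in FETCH_DIRECTIVES:
        return directives.get("default-src", [])
    return []


def lint_csp(policy: str) -> List[str]:
    """Findings for a policy: dropped duplicates, unsafe script keywords,
    and directives that silently default to 'allow everything'."""
    directives, findings = parse_csp(policy)
    script = set(effective_sources(directives, "script-src"))
    for kw in sorted(UNSAFE_KEYWORDS & script):
        findings.append(f"script-src allows {kw}: injected inline script can run despite CSP")
    if not effective_sources(directives, "object-src"):
        findings.append("object-src unrestricted: set object-src 'none'")
    for name in ("frame-ancestors", "base-uri", "form-action"):
        if name not in directives:
            findings.append(f"{name} missing: it has no default-src fallback")
    return findings


if __name__ == "__main__":
    for label, policy in (("posted", POSTED_CSP), ("hardened", HARDENED_CSP)):
        print(f"[{label}]")
        for finding in lint_csp(policy) or ["no findings"]:
            print("  -", finding)
```

Run it against the value your own server sends (copy it from the browser's network tab or a `curl -I` response) before and after a change; a clean result from the linter still has to be confirmed in the browser console, which is where a real policy violation shows up.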
  17. Like
    parrishk reacted to support in Making PasswordState available from WAN?   
    Interesting member name
     
    It doesn't sound like the traffic is getting through to your IIS web server. Do you see any connection attempts in the IIS logs, or errors in the Application Event Log?
     
    Is the external DNS you've created for this URL added as a binding to the site in IIS?

    Regards
    Click Studios
  18. Like
    parrishk reacted to support in New phone when using Google Auth   
    Hi Greg,
     
    If you go to the screen Administration -> User Accounts, you can email the user a copy of their QR Code - basically it will be a link which takes them back to the Passwordstate web site, where they can scan the QR code in. You will find this option on the Authentication tab for the user's account.

    Regards
    Click Studios
  19. Like
    parrishk reacted to GregSmid in New phone when using Google Auth   
    Ahh, there it is... I knew it had to be an option somewhere.  I was looking in the drop-down menu for each user account on the main Users listing page, but I hadn't actually opened the account up.
     
    Thanks!