Everything posted by Ulf

  1. Ok you actually do have to be able to reach haveibeenpwned.com from the server if you want the HaveIbeenPwned report to work....
  2. Ok I solved the problem.... This is a client-side script!!! You need to say this as this is important for all of us not giving internet access to all of our systems.... So opening access to the haveibeenpwned site from the clients made it work... You actually don't even need the Passwordstate server to be able to access haveibeenpwned. Problem solved... Please update your documentation on this so others will not go into the same problem. Best Regards Ulf
  3. Hi some update... and questions... I finally had some time yesterday to do some digging into this in our system. I found that all the haveibeenpwned integration works when logged in locally to the server and running it from a web browser there but not when connecting to the server from a different server. Can you maybe point me in the right direction as to what we have locked down too tight, the GPO is basically the same for the server and the connecting server. Is any of the haveibeenpwned code running in the browser? Could I enable some debug mode? I'll contact you through the support channel as well but just wanted to post it here for the rest to see.
  4. Still no attempt to go to api.pwnedpasswords.com when saving new passwords, it only takes forever to save while it is "trying" to check the password.
  5. For me the report does not work, I don't get the email even when I schedule and run the report. And all I get when I click the export to Excel in the Reports menu is a CSV with the top column definitions. I can see in the firewall that it gets 250 Kb of data from 104.18.206.87 which is Name: api.pwnedpasswords.com Addresses: 2606:4700::6812:ce57 2606:4700::6811:ac66 104.18.206.87 104.17.172.102 so it is doing something... We are not using any load balancer or proxy, reverse or other types. We do have a firewall but it says the traffic is allowed.
  6. I have the same problem on a fresh install 8679 right now. Works on our other Passwordstate install on 8573. No HaveIbeenPwned integration in Passwordstate 8679 is working for me right now. I have checked the firewall for blocks but it is not even trying to connect according to the session data in the firewall.
  7. Hi guys I have been looking to pull out reports for who has had access to what account during what time and their reason for it. On some admin accounts we have the checkout with a reason activated and the password is reset when checked in (so we know that only the user who checked out the password had access to the account during this time). So I would like a report on who has checked out what account and during what time was this checked out and the reason for checking this out. Today I have only found reports where I see who checked out an account and when it is checked in and that is in a list/audit form so I have to piece together events of checkouts and checkins to form the report. I haven't found any way of getting the reason for checkout in any report today, is there a report today that gives me that? Or can I do that from the API? Example headers for the new proposed report: User | account that was checked out | time for checkout | time for checkin | duration of checkout | reason for checkout. This would be really nice for the annual reviews on SOX compliance on who has access to accounts with high privilege rights. Best Regards Ulf
  8. I would like to be able to set the message that is shown to the user when he or she is inputting a bad password. So I can explain the password rules and such.
  9. Ulf

    Have I Been Pwned? Integration

    Hi again, seems like we are not alone with the problem then.... :-) One idea could be to let people put the password in the first time it's created but not to update to a password that is found to be bad. One other thing that would be a nice feature is some way of popping up a small popup guide when you are creating a password so we could give tips on how one should go about when creating a good strong password. For example the "Bad password popup" is a static message, it would be nice if I could set this message to what I want, then I could say something like "this password is actually known to bad guys and therefore you are not permitted to use it" or just give a short lesson in our password policy. I bet all companies would want to say different things so the possibilities are endless. If you made it a different kind of popup even links to intranet resources could be put in. Features that would let us security people easily and when it is needed educate the masses so to speak, this would be best done when they actually are creating a new password that is found to be inadequate, would be greatly appreciated. The only tool given by Passwordstate right now (that I am aware of) for this is the emails and they are not always as effective as I would like. Keep up the awesomeness :-D Ulf
  10. Ulf

    Have I Been Pwned? Integration

    Yes this is a recurring process in a lot of password lists. And as far as I know I don't get notified if the password is bad if I disable the "prevent bad passwords"...
  11. Ulf

    Have I Been Pwned? Integration

    Hi Guys and Good job with the PWN integration. Love it. We now only have one problem, the ongoing struggle of onboarding people to Passwordstate. Because it works so well many passwords that are already set in the environment are seen as bad and therefore can't be added to Passwordstate. So the problem that occurs is when you are adding a password that is already in use somewhere in the environment and you can't go and just change that password because of the different systems that use it and you can't just shut everything down without getting proper authorisation and waiting for a service window. So what we would need in order to get the benefit of this is actually some kind of easy way to get notified of a bad password but still being able to set it. Since not being able to set it makes it not get into Passwordstate so we can get a grasp of what passwords are bad, instead they remain on the Post-its or in the .txt file. So it would be very nice with a popup message which explains that it is a bad password and so forth but where one could say yes save anyway. If you want to go advanced you could do something like a mail notification if someone saves a bad password or something like that. Maybe this is something that is already possible but I only found one setting to block saving of bad passwords, not warn of them. Love what you guys do here at Click Studios, keep up the good work. Best Regards Ulf
  12. Hi just wanted to share my PowerShell script for importing passwords from Passwordmanager XP. We have a lot of passwords so we wanted to create different password lists depending on the folder structure in Passwordmanager XP. Make sure the first line is mapping the values to this line, you can change the Notes to Description if you prefer that.

      Title;Username;Account;URL;Password;Modified;Created;Expire on;Notes;Modified by

      But the only values we import are actually

      Title;UserName;Password;Description;URL;Notes

      they don't need to be in any particular order. Enjoy...

      ```powershell
      # Powershell script to import passwords from Passwordmanager XP
      # Written By Ulf in 2017-11-27
      #
      # I take no responsibility for what you do with this script. Use at your own risk! but it worked for me ;-)

      $FolderID = "xxxx"                                   # FolderID of the folder that we will use for our imported data
      $PasswordlistTemplate = "xxxx"                       # PasswordList ID for a Normal password list we will copy all settings and permissions from
      $APIKey = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"         # your APIKey needs to be the global key.
      $Passwordlisttrigger = "\["                          # Trigger to know if this is a new Section in the list and this will generate a new passwordlist to put passwords in
      $filetoimport = "C:\temp\Old Passwd to import.txt"   # Path to the file that you want to import
      $Logtofile = "c:\temp\passwordstate-importlog.txt"   # Logfile you want to create and log to
      $yourserverURL = "servername.local"                  # The server who is hosting the Passwordstate API

      # NOTE: on a failed request the JSON body is written to $Logtofile. That body contains
      # the plaintext password and the API key, so protect the log and delete it after the import.

      try
      {
          # -ErrorAction Stop makes sure a missing or unreadable file ends up in the catch block
          $Imported = Import-Csv -Delimiter (";") -Path $filetoimport -ErrorAction Stop # <-------------- Modify your Delimiter if this is different
      }
      catch
      {
          "Error Can't find file $filetoimport" > $Logtofile
          Break
      }

      $PasswordListID = $null
      "Starting Bulk import of $($Imported.count) objects" > $Logtofile

      foreach($i in $Imported)
      {
          if($($i.Title) -Match $Passwordlisttrigger ) #This means it should be a new passwordlist
          {
              $PasswordlistName = $i.Title.trim('[]')
              $PasswordlistName = $PasswordlistName.replace('\',' ')
              "Search for Passwordlist $PasswordlistName" >> $Logtofile
              $Testpasswordlist = $null
              try
              {
                  # Escape the name so characters such as & or # do not break the query string
                  $Testpasswordlist = Invoke-Restmethod -Method Get -Uri "https://$yourserverURL/api/searchpasswordlists/?PasswordList=$([uri]::EscapeDataString($PasswordlistName))" -Header @{ "APIKey" = "$APIKey" }
              }
              Catch
              {
                  "Can't find $PasswordlistName in the database" >> $Logtofile
              }
              $PasswordList = $Testpasswordlist | Where-Object -property PasswordList -eq $PasswordlistName #if we found more than one passwordlist choose the right one
              if ( $PasswordList.PasswordList -eq $PasswordlistName ) #If there is a passwordlist already
              {
                  "Searched for Passwordlist $PasswordlistName and found Passwordlist $($PasswordList.PasswordList) with ID $($PasswordList.PasswordListID) " >> $Logtofile
                  $PasswordListID = $PasswordList.PasswordListID
              }
              else
              {
                  "Create Passwordlist $PasswordlistName" >> $Logtofile
                  $PSData = @{
                      PasswordList=$PasswordlistName
                      Description=$PasswordlistName
                      CopySettingsFromPasswordListID=$PasswordlistTemplate
                      CopyPermissionsFromPasswordListID=$PasswordlistTemplate
                      NestUnderFolderID=$FolderID
                      APIKey=$APIKey
                  }
                  $jsonData = $PSData | ConvertTo-Json
                  $PasswordstateUrl = "https://$yourserverURL/api/passwordlists"
                  $result = $null   # do not reuse the response of an earlier request
                  try
                  {
                      $result = Invoke-Restmethod -Method Post -Uri $PasswordstateUrl -ContentType "application/json" -Body ([System.Text.Encoding]::UTF8.GetBytes($jsonData))
                      # Only take the new ID and log success when the POST really succeeded
                      $PasswordListID = $result.PasswordListID
                      "Passwordlist $PasswordlistName Created Successfully with ID $PasswordListID" >> $Logtofile
                  }
                  catch
                  {
                      # Dig into the exception to get the Response details.
                      # Note that value__ is not a typo.
                      "StatusCode: $($_.Exception.Response.StatusCode.value__) " >> $Logtofile
                      "StatusDescription: $($_.Exception.Response.StatusDescription) " >> $Logtofile
                      $jsonData >> $Logtofile
                      $result >> $Logtofile
                      $_ >> $Logtofile
                      # Creation failed: clear the ID so the passwords that follow are not stored in another list
                      $PasswordListID = $null
                  }
              }
          }
          else
          {
              "$($i.Title) is a Password so create new password record" >> $Logtofile
              #JSON data for the object
              $PSData = @{
                  PasswordListID=$PasswordListID
                  Title=$($i.Title)
                  UserName=$($i.UserName)
                  Password=$($i.Password)
                  Description=$($i.Description)
                  URL=$($i.URL)
                  Notes=$($i.Notes)
                  APIKey=$APIKey
              }
              $jsondata = $PSData | ConvertTo-Json
              $PasswordstateUrl = "https://$yourserverURL/api/passwords"
              try
              {
                  $result = Invoke-Restmethod -Method Post -Uri $PasswordstateUrl -ContentType "application/json" -Body ([System.Text.Encoding]::UTF8.GetBytes($jsonData))
              }
              catch
              {
                  # Dig into the exception to get the Response details.
                  # Note that value__ is not a typo.
                  "StatusCode: $($_.Exception.Response.StatusCode.value__) " >> $Logtofile
                  "StatusDescription: $($_.Exception.Response.StatusDescription) " >> $Logtofile
                  $jsonData >> $Logtofile
                  $_ >> $Logtofile
              }
          }
      }
      ```
  13. Hi we have some Red Hat Linux servers in our AD and they have no OS defined in the AD so we can't auto find them. As we have many such test servers we can't manually input them. As I have to define OU it should be no problem to import all computers found in this OU regardless of OS.