Jump to content
GregSmid

Password field - reference to another password

Recommended Posts

Hi there, I couldn't find any forum posts on this so I figured this was a good spot for it.

 

Would it be possible to insert a reference to another password inside the password field for a site?  For example, I have a number of sites that I access using my Active Directory username and password:

 

https://site1.domain.com

https://site2.domain.com

https://servername.local

https://site3.otherdomainname.com

 

When it's time to change my AD password, I have to go through each of those entries in Passwordstate and update it.  What I would rather do is have one master site saved called 'AD Credentials' and have each of those other sites refer to the password there.

 

This would be similar to the Field Reference feature in KeePass.

 

Greg

Share this post


Link to post
Share on other sites

Hi Greg,

We're sorry, but unfortunately we do not have a feature like this. You could configure multiple Generic Fields as additional URL fields, and store them all in the one record, but that certainly doesn't sound as elegant as the KeePass option you mentioned.

 

Another option, and again not elegant, is creating a PowerShell script which is linked to the master record. When you reset the password for this field, your custom PowerShell script could take advantage of our API, and also update the other records as well.

 

Regards

Click Studios

Share this post


Link to post
Share on other sites

Thanks, I hadn't thought of either of those two options, I'll have to try them out.  I think either one could work with a little planning.

Do you think field references might be something that would be implemented in a future version?

 

Greg

Share this post


Link to post
Share on other sites

Hi Greg,

 

We'll need to consider your request in a future release - maybe we could extend the feature where you can copy and link passwords, but allow you to have unique values on certain fields, instead of exact copies.

 

Regards

Click Studios

Share this post


Link to post
Share on other sites

Hi guys,

 

So, the time has come.  I changed my AD password today, and now it's time to update my Password entries for all the sites that use it.

 

I've been going through my Passwords and adding tagging each one in the Notes field with "ADCreds". So, I should be able to use the API to go through each password, check if it has "ADCreds" in the Notes field, and update the Password fields if it does.

 

Do you have any starter scripts that could help with that? Or do I need to start from scratch?

 

Thanks,

 

Greg

Share this post


Link to post
Share on other sites

Hi Greg,

 

We don't really have any pre-made scripts for this request. What sort of scripting language are you comfortable in using? Basically what you need to do is:

  • Use the 'Searching for passwords' method first, and search the Notes field
  • And then with the results, use the 'Updating an Existing Password'

It shouldn't be that difficult to put together. If you are using PowerShell, we might be able to create something quickly for you.

Regards
Click Studios

Share this post


Link to post
Share on other sites

I'm running on Windows so PowerShell would definitely work. Anything you can do to help would be great... I had a look at your API documentation and it looked pretty straightforward but of course I'm a lot less familiar with it than you are. :)

 

Greg

Share this post


Link to post
Share on other sites

Hi Greg,

 

Hope we're not too late with this reply, but we've come up with a script that should help you out going forward:)  This script will search across all Password Records for the term "ADCreds" in the Notes field, and will update the password to what you insert into the "$NewPassword" variable.  The only other 2 things you'll need to change is the $PasswordstateURL and $APIKey to reflect your own environment.  It needs to be the System Wide API key found under Administration -> System Settings -> API Keys.  Please let us know if this suits and if you have any questions about it?

 

 

 

<#
.SYNOPSIS
Search for Specific Password Records and update them to the same password

.NOTES
Requires System Wide API key, name of field to search, and search terms
#>

 

$PasswordstateURL = "https://sandbox.halox.net"
$APIKey = "8536e72c4d38afb98563b4c73ed2af37"
$NewPassword = "TestPassword3"


$FullURL = "$PasswordstateURL/api/searchpasswords/?Notes=ADCreds"
$results = Invoke-Restmethod -Method GET -Uri $FullURL -Header @{ "APIKey" = $APIKey }
$PasswordIDs = $results.PasswordID

Foreach ($PasswordRecord in $PasswordIDs)
{
    
    $jsonString = '
{
   "PasswordID":"' + $PasswordRecord + '",
   "Password":"' + $NewPassword + '"
}
'
    
    Invoke-Restmethod -Method PUT -Uri "$PasswordstateURL/api/passwords" -ContentType "application/json" -Body $jsonString -Header @{ "APIKey" = $APIKey }
    
}

 

 

Share this post


Link to post
Share on other sites

Thanks for that, definitely a very helpful start! I'm having trouble actually getting the API call to return any search results though. Running the script was just returning an error:




[{"errors":[{"message":"Not Found"},{"phrase":"You search for Password records return zero results."}]}]

So, I've been testing in a browser directly, and still get the same error.

 

I've attached a couple screenshots to show the search results working in the web GUI vs. not working in the API call.

 

I've tried a few different things in the API call but so far it always returns zero results:

  • Capital 'N' on 'Notes' vs. lower-case 'n'
  • Capitalized ADCreds vs. lower-case adcreds
  • Quotation marks around "adcreds" vs no quotation marks
  • Using https://passwordstate/api/searchpasswords/?search= with all the above combos to search all fields instead of just Notes

 

I have verified that it's at least connecting to the PasswordState API correctly... if I put the wrong APIKey in, it tells me it's the wrong key.

I feel like we're really close here.  Once I can get some search results back, I'm certain the updating part of the script will work as well.

 

Do you see anything obviously wrong in the screenshot?

 

Thanks!

 

Greg

 

PasswordState - Web GUI Search Results.png

PasswordState - API Search Results.png

Share this post


Link to post
Share on other sites

Hi Greg,

 

I think the issue here is that you have these passwords stored in a Private Password List - we were not aware of this when you're request came through. You cannot use the System Wide API Key to search in Private Password Lists. Instead you will need to specify the PasswordListID and the APIKey from the Private List, like the URL below:

 

https://passwordstateurl/api/searchpasswords/2080?Notes=ADCreds&APIKey=df76a2b58ec393475bc6e2d343f98ac5

 

Regards

Click Studios

Share this post


Link to post
Share on other sites

Ah, ok, that makes sense.  My plan was to get it working with the System level API first and then customize it to just the list level after.  Will test with list level instead and let you know.

 

Thanks again!

 

Greg

Share this post


Link to post
Share on other sites

All working! For any future visitors to this thread, here's what I ended up with:

 


 <#

.SYNOPSIS

Search for Specific Password Records and update them to the same password



.NOTES

Requires Password List API Key, Password List ID, name of field to search, and search terms

#>



##########################################

#User Variables - Fill in your PS URL, the Password List ID and API Key of your Password List, the field your're searching, your search term, and your new password



$PasswordstateURL = "https://password.state.url"



$PasswordListID = "10"

#Password List ID can be found by hovering your mouse over the PW List name in the nav tree.



$APIKey = "11223344556677889900aabbccddeeff"

#Use the API key for your specific Password List. You can set it in the Password List settings on the API Key tab.



$SearchField = "Notes"



$SearchTerm = "ADCreds"



$NewPassword = "FancYNewPasw0rd!"



##########################################





$FullURL = "$PasswordstateURL/api/searchpasswords/" + $PasswordListID + "?" + $SearchField + "=" + $SearchTerm

$results = Invoke-Restmethod -Method GET -Uri $FullURL -Header @{ "APIKey" = $APIKey }

$PasswordIDs = $results.PasswordID





Foreach ($PasswordRecord in $PasswordIDs)

{

    

    $jsonString = '

{

   "PasswordID":"' + $PasswordRecord + '",

   "Password":"' + $NewPassword + '"

}

'

    

    Invoke-Restmethod -Method PUT -Uri "$PasswordstateURL/api/passwords" -ContentType "application/json" -Body $jsonString -Header @{ "APIKey" = $APIKey }

    

} 

 

Thanks again, this would have taken waaaaaay longer to figure out without your help! If you'd like to copy/move some or all of this thread over to the PowerShell Scripts area of the forums, feel free. :)

 

Greg

 

Share this post


Link to post
Share on other sites

Hi guys,

 

It occurred to me that we probably don't want to encourage people to leave scripts laying around on their computers that have their AD creds and their PasswordState API key in them, just waiting for someone to steal.

 

I've changed the lines in the User Variables section to:

 

$APIKey = Read-Host -Prompt 'Enter your API Key'

$NewPassword = Read-Host -Prompt 'Enter your new AD Password'

 

This way the script will prompt them to enter their password and API key instead.

Share this post


Link to post
Share on other sites

Final version of the script!

  • User is prompted for Password List ID, API Key, and their new password
  • New password is verified
  • API Key and Passwords are not displayed on screen
  • Error checking to make sure the API calls worked
  • Information about the number of passwords that got updated and which ones is displayed at the end

<#



.SYNOPSIS



Search for Specific Password Records and update them to the same password



.NOTES



Requires Password List API Key, Password List ID, name of field to search, and search terms



.REFERENCE



This all came from https://www.clickstudios.com.au/community/index.php?/topic/1781-password-field-reference-to-another-password/ if you're interested in the history of the script.



#>



#These are the two 'hard-coded' valuses for the script - the Password List field to search, and the search term. Script could be modified to prompt the user for these instead:



$PasswordstateURL = "https://passwordstate.url"



$SearchField = "Notes"



$SearchTerm = "ADCreds"



#Get the Password List ID:



Write-Host "Enter the ID of your private password list.`nYou can find it by hovering your mouse over top of of the list name.`n"



$PasswordListID = Read-Host -Prompt 'Password List ID'



#Prompt the user for the API key for their specific Password List. They can set/find it in the Password List settings on the API Key tab:



Write-Host "`nEnter the API Key of your private password list.`nYou can set it in the Password List settings, on the API Key tab.`n"



$APIKey = Read-Host -Prompt 'Enter your API Key' -AsSecureString

$APIKey = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($APIKey))



Write-Host ""



#Prompt the user for their new AD password:



$NewPassword = Read-Host -Prompt 'Enter your new AD Password' -AsSecureString

$NewPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($NewPassword))



#Have the user verify their AD password:



$NewPasswordVerify = Read-Host -Prompt 'Confirm your new AD Password' -AsSecureString

$NewPasswordVerify = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($NewPasswordVerify))



#Validate that $NewPassword and $NewPasswordVerify are the same.  If not, exit the script:



If ($NewPassword -ne $NewPasswordVerify) {



   Write-Host "`nSorry, your passwords don't match. Please run the script again.`n"

   

   Exit

   

   }



Write-Host ""



#Combine the variables into the URL to use for the API call:



$FullURL = "$PasswordstateURL/api/searchpasswords/" + $PasswordListID + "?" + $SearchField + "=" + $SearchTerm



#Create an array $SearchResults and fill it with all the password entries:



$SearchResults = Invoke-Restmethod -Method GET -Uri $FullURL -Header @{ "APIKey" = $APIKey }



#Create an array $PasswordIDs and fill it with all the Password IDs:



$PasswordIDs = $SearchResults.PasswordID



$PasswordTitles = $SearchResults.Title



$PasswordURLs = $SearchResults.URL



$PasswordCounter = 0



#Go through all the Password IDs and attempt to update them with the new password:



Foreach ($PasswordRecord in $PasswordIDs){



   #Gather the ID of the password to be updated along with the value for the new password:

   

   $jsonString = '{"PasswordID":"' + $PasswordRecord + '", "Password":"' + $NewPassword + '"}'

   

   #Clear the $Error catcher variable:

   

   $Error.Clear()

   

   #Attempt to send the API the password info gathered above:

   

   Try {

   

      Invoke-Restmethod -Method PUT -Uri "$PasswordstateURL/api/passwords" -ContentType "application/json" -Body $jsonString -Header @{ "APIKey" = $APIKey }

	  

	  }

	  

	#If the password update call throws an error, show it to the user and exit the script:

	

	Catch {

	

	   Write-Host "Uh oh, was at least one error! The API said:`n`n$Error`n`nNumber of passwords updated: $PasswordCounter"

	   

	   Write-Host "`nIf any passwords got updated, you should check your passwords and make sure they are what they should be.`n"

	   

	   Exit

	   

	   }



	#If the password update succeeded, increment the counter and clear the screen so the password isn't visible:   

   

   $PasswordCounter = $PasswordCounter + 1

   

   cls



   }



#Give the user some info about the passwords that got updated:

   

Write-Host "`n$PasswordCounter passswords updated!`n"



$x = 0



While ($x -lt $PasswordCounter)

{

   Write-Host "$($PasswordTitles[$x]) --- $($PasswordURLs[$x])"

   $x++

}



#Goodbye!



Exit

 

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×