Remote Sessions Without Knowing the Password

A key feature of Passwordstate is being able to automatically authenticate to remote hosts, without the need for specifying your authentication credentials manually.  This feature can be extremely useful when utilising contract staff to assist in supporting large fleets of servers and network infrastructure.  It can be used in situations where remote 3rd Party access is required by application vendors to ensure your expensive software is up to date and functioning correctly.  In this scenario, you can configure your system so the contractor doesn’t even know the password they are connecting in with.

Remote sessions are automatically audited enabling you to report on who launched a Remote Session, to which Host, from what IP Address, and using which specific authentication credentials.  This can be taken to the next level by using our browser based launcher and specifying which contractors, vendors or support staff have their Remote Sessions recorded.  This allows you to maintain a record of what actions were undertaken during each remote session.

How do you set up Remote Sessions without the user “needing to know” or having to remember complex credentials?

Setting up the Remote Session Launchers

If you are not familiar with how to set up the Remote Session Launchers, please refer to the following information,

Add an account with permissions to connect to Hosts

First, create a new Password List and give it a meaningful name.   In this example I’ve created a Password List called Remote Session Launcher Accounts under a folder called Remote Access in the root of the Passwords tab.  Next add a new Password Record, specifying an account with permission to connect into machines on your network.  The following example uses an Active Directory account which can connect to any Windows Server or Desktop.  Note, do not grant contractors, vendors or support staff permissions to see or use this Password Record!

Create a Remote Session Credential and grant access to it

Next, you’ll need to create a Remote Session Credential.  To do this navigate to Hosts->Hosts Home->Remote Session Credentials and click Add Credential to create a new Remote Session Credential, ensuring it’s linked to the existing Password Record you’ve created above.

Next, you need to grant your contractors, vendors or support staff access to the Remote Session Credential you have just created by selecting the action icon and clicking on View Permissions.  Then click on Grant New Permissions, add the appropriate account and click Save.

Granting access to a Folder containing the Hosts

Now you can grant access to the Folder containing the machines you want the contractors, vendors or support staff to have access to.  Once done the Folder and the machines will be visible in the Host tab when they log into Passwordstate.

Now those users can simply navigate to the Hosts tab, select the host they need to establish a remote session to and click on the Auto Launch button. 

This will establish the connection for them without their ever needing to know the password credentials!

As always, we welcome your feedback via support@clickstudios.com.au.

Protecting your Passwordstate Website when exposing it to the Internet

One of the great advantages of Passwordstate is being able to securely provide authorized employees with access to your password credentials whilst they’re out of the office.  This requires your Passwordstate instance to have a connection to the internet, which could pose a number of complications as well as potentially increase your organization’s attack surface.

How do you make Passwordstate more accessible without dramatically increasing the risk to your organization?

Prerequisites for accessing Passwordstate from outside your Network

Before you begin there are a number of prerequisites that will need to be in place.

First, you’ll need to ensure you have an external DNS entry which directs all HTTPS traffic to your company IP Address.

Next, you’ll need an open port on your firewall which will be used to direct all incoming HTTPS traffic to your Passwordstate webserver.  This port is the same one you will have configured for Passwordstate in Internet Information Server (IIS).

It is highly recommended that you purchase a signed SSL certificate from an Online Certificate Authority and assign it to your Passwordstate website in IIS.  Whilst Click Studios provides and installs a self-signed SSL certificate with Passwordstate it is not recommended for use over the internet.  There are many online companies that provide CA-signed SSL Certificates.  The key thing to remember is to purchase it from a trusted source and ensure it matches the URL of your Passwordstate website.

Considerations for Securing Passwordstate when exposed to the Internet

A lot of our customers elect to have their Passwordstate instance accessible over the internet.  When planning this you should consider the options listed below.  As always, we’d recommend following your own internal risk assessment process as part of a Change Management Plan, to determine if there is any associated residual risk or compensating controls required, for your environment.

  • If you would prefer your employees not to have to use Two-factor Authentication whilst inside your corporate network you can use our Allowed IP Ranges feature.  This is located under Administration->System Settings->allowed ip ranges and allows you to specify your internal IP ranges;

Once set, along with the Two-factor Authentication, any access from an IP address not matching your allowed IP ranges will be prompted for the Two-factor Authentication option you have set.  Access from the internet is now differentiated from internal corporate access, and additional authentication is required for it.

  • As part of good Systems Administration practice, you should look at removing older protocols on your webserver.  Passwordstate uses the most secure protocol currently supported by Microsoft IIS, TLS (Transport Layer Security) 1.2.   The removal of any older, less secure protocols, will help protect your webserver.  There are many toolsets available to assist with this, just search for “enable or disable windows protocols” and pick one that works for your organization.
  • The backups feature in Passwordstate requires an account on your webserver with permissions to upgrade the install files.  Some customers make this account a member of the Local Administrators group on the Server, but you can give it fewer permissions by following the guide under Help->Security Administrators Manual->Passwordstate Administration->Backups and Upgrades->Non Local Administrator Rights for the Backup Account on the Web Server.
  • Under Administration->System Settings->Authentication Options->Web Authentication Options we have 2 settings that apply to Brute Force attacks:

The first setting relates to the number of failed login attempts before the active session is locked out.  By default, this value is set to 5; however, you can reduce this value in accordance with your IT Security Policy.  Lowering this value will slow down automated attempts at guessing a login for your website.

The second setting relates to the delay in seconds before returning a message of “Incorrect Username or Password”.  If you find that entering a false username takes a shorter amount of time to produce the message, compared to entering a false password, then you can increase this value.  This will delay the message by the stated number of seconds, which makes it harder for an attacker to tell which piece of information they have wrong.

  • Click Studios Best Practice approach for securing your Passwordstate instances involves securing your Web.config file.  There are two parts to this: encrypting your Database Connection string and encrypting your appSettings Section.  Further details on how to do this can be obtained from the following blog entry:  https://www.clickstudios.com.au/blog/securing-your-web-config-file/
  • You could consider using a Managed Service Account to communicate with the Passwordstate database server, instead of a SQL Login.  Managed Service Accounts have the benefit of being locked down: they do not permit interactive logins and are able to automatically negotiate password updates with minimal administration overhead.   You’ll find information on how to configure this under Section 14 of our Installation Instructions here: https://www.clickstudios.com.au/downloads/version8/Installation_Instructions.pdf.
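The two brute-force settings described above (the failed-attempt lockout and the delay before “Incorrect Username or Password”) can be illustrated with a small login handler.  This is an added example, not Passwordstate code: the LoginGate class, the 2-second delay and the sample account are assumptions, and the example pads every failed attempt to the same total duration rather than adding a fixed sleep.

```python
import hashlib
import hmac
import os
import time

MAX_FAILED_ATTEMPTS = 5      # default quoted on the page
FAILURE_DELAY_SECONDS = 2.0  # assumed value for this example
GENERIC_ERROR = "Incorrect Username or Password"


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


class LoginGate:
    """Hypothetical login handler; none of these names come from Passwordstate."""

    def __init__(self, users, max_failed=MAX_FAILED_ATTEMPTS,
                 failure_delay=FAILURE_DELAY_SECONDS,
                 clock=time.monotonic, sleep=time.sleep):
        self.users = {}
        for name, password in users.items():
            salt = os.urandom(16)
            self.users[name] = (salt, hash_password(password, salt))
        # Unknown usernames are checked against this throwaway record so they
        # cost the same hashing work as a real account.
        self.dummy = (os.urandom(16), os.urandom(32))
        self.max_failed = max_failed
        self.failure_delay = failure_delay
        self.clock = clock
        self.sleep = sleep
        self.failures = {}  # session id -> consecutive failed attempts

    def attempt(self, session_id, username, password):
        started = self.clock()
        if self.failures.get(session_id, 0) >= self.max_failed:
            return "locked"
        known = username in self.users
        salt, expected = self.users[username] if known else self.dummy
        matches = hmac.compare_digest(hash_password(password, salt), expected)
        if known and matches:
            self.failures.pop(session_id, None)
            return "ok"
        self.failures[session_id] = self.failures.get(session_id, 0) + 1
        # Pad every failure to the same total time, so a wrong username and a
        # wrong password cannot be told apart by how fast the error arrives.
        remaining = self.failure_delay - (self.clock() - started)
        if remaining > 0:
            self.sleep(remaining)
        return GENERIC_ERROR


def run_demo():
    """Drive the gate with a fake clock so the result is deterministic."""
    now = [0.0]
    waits = []

    def fake_sleep(seconds):
        waits.append(seconds)
        now[0] += seconds

    # Constructed account for the demonstration.
    gate = LoginGate({"alice": "constructed-Passw0rd"},
                     clock=lambda: now[0], sleep=fake_sleep)
    results = {
        "unknown_user": gate.attempt("s1", "nobody", "guess"),
        "wrong_password": gate.attempt("s1", "alice", "guess"),
    }
    results["waits"] = list(waits)
    for _ in range(3):
        gate.attempt("s1", "alice", "guess")  # failures 3, 4 and 5
    # The session is now locked, so even the correct password is refused.
    results["sixth_attempt"] = gate.attempt("s1", "alice", "constructed-Passw0rd")
    results["other_session"] = gate.attempt("s2", "alice", "constructed-Passw0rd")
    return results


if __name__ == "__main__":
    print(run_demo())
```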

As always, we welcome your feedback via support@clickstudios.com.au.

Encryption Keys Explained

Passwordstate utilises a number of techniques to ensure the security of your password credentials. 

One of these is implemented automatically during installation, when two unique encryption keys are created.  These encryption keys use a 256 Bit AES (Advanced Encryption Standard) Encryption, first adopted by the U.S. government and now used worldwide.  The keys provide the encryption of passwords as well as the HMAC-SHA512 hash used to ensure the integrity of the database.

These encryption keys are split into 4 secrets that are independently stored in different locations.  The reason for this is it would require more than one of your Windows Servers to be compromised, to obtain your encryption keys, and access your privileged account credentials.

Whilst not covered in this blog, it is highly recommended that you follow Click Studios best practice approach to securing your Passwordstate instance, by encrypting your Web.config file.  You can find the details on how to do this here.

Split Secrets file locations:

As mentioned above, the two encryption keys are split into 4 secrets, with 2 of the split secrets stored on your Passwordstate Server in the Web.config file.  The other 2 split secrets are stored within the Passwordstate database itself.
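The following added example illustrates why splitting keys across the web server and the database means one compromised location is not enough.  It is not Click Studios’ code: the page does not describe how Passwordstate derives its secrets, so the XOR split, the pairing of Secret1 with Secret3 and Secret2 with Secret4, and the row format are all assumptions, and only the HMAC-SHA512 integrity check is shown (AES encryption is left out).

```python
import hashlib
import hmac
import secrets

KEY_BYTES = 32  # 256-bit keys, as stated on the page


def split_key(key: bytes):
    """XOR-split a key into two shares; either share alone is uniformly random."""
    share_a = secrets.token_bytes(len(key))
    share_b = bytes(k ^ a for k, a in zip(key, share_a))
    return share_a, share_b


def join_key(share_a: bytes, share_b: bytes) -> bytes:
    """Recombine two shares; both storage locations are needed to do this."""
    if len(share_a) != len(share_b):
        raise ValueError("shares must be the same length")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


def provision():
    """Create two keys and split them into four secrets (assumed pairing)."""
    enc_key = secrets.token_bytes(KEY_BYTES)  # would key the AES encryption
    mac_key = secrets.token_bytes(KEY_BYTES)  # keys the HMAC-SHA512 check
    secret1, secret3 = split_key(enc_key)
    secret2, secret4 = split_key(mac_key)
    web_config = {"Secret1": secret1, "Secret2": secret2}  # web server
    database = {"Secret3": secret3, "Secret4": secret4}    # database server
    return web_config, database, enc_key, mac_key


def row_mac(mac_key: bytes, fields) -> bytes:
    """HMAC-SHA512 over length-prefixed fields, so field boundaries are unambiguous."""
    mac = hmac.new(mac_key, digestmod=hashlib.sha512)
    for field in fields:
        data = field.encode("utf-8")
        mac.update(len(data).to_bytes(4, "big"))
        mac.update(data)
    return mac.digest()


def verify_row(mac_key: bytes, fields, tag: bytes) -> bool:
    return hmac.compare_digest(row_mac(mac_key, fields), tag)


if __name__ == "__main__":
    web, db, _, _ = provision()
    key = join_key(web["Secret2"], db["Secret4"])
    row = ("42", "svc_backup", "ciphertext-placeholder")  # constructed row
    tag = row_mac(key, row)
    print("intact row verifies:", verify_row(key, row, tag))
    print("edited row verifies:",
          verify_row(key, ("42", "svc_backup", "tampered"), tag))
```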

The Web.config file is located by default in the root directory of your Passwordstate installation or C:\inetpub\passwordstate.  It contains the first 2 secrets (Secret1 and Secret2) under the <appSettings> section.  An example is shown below;

Your Database for Passwordstate contains the remaining 2 secrets (Secret3 and Secret4) in the Passwordstate table.  To extract these, you’ll need to use Microsoft’s SQL Management Studio tools to connect to your database server and execute the following query;

USE Passwordstate

SELECT EA_Password, Secret3, Secret4 FROM SystemSettings

Note: If you ever lose or forget your Emergency Access Password you can request Click Studios to generate a new one for you.  To do this email us and provide a copy of your Web.config file (so we can access your Secret1 and Secret2) as well as the details from the SQL query above.  We’ll then recreate an Emergency Access Password for you, and suggest that once you have access again you change this and rotate your encryption keys.

Exporting your Encryption Keys:

It is extremely important to export the full set of your Encryption keys and store these safely outside of Passwordstate.  In the event of a disaster, and you are unable to locate a copy of your Web.config file, Click Studios will be unable to help you rebuild your Passwordstate environment.

When you export your encryption keys, they are written to a password protected Zip file.  To do this navigate to Administration->Encryption Keys and click on Export Keys;

You are then presented with an information screen and a button to Export the Keys;

At this stage you’ll need to specify a password for the Zip file that is about to be created and then click on Export Keys;

You will then be presented with a Save As dialog box.  Select the folder you wish to save the Password protected Zip file to.  Note: the file name includes the date and time the export was performed;

You should also note that the exporting of encryption keys is automatically logged as an auditable event.

Restoring your Passwordstate Server:

You MUST have a copy of both your Web.config file and your Passwordstate database to be able to restore your Passwordstate instance in the event of a disaster.  Without these two, Click Studios will not be able to assist you in recovering your password credentials.

In the event you need to build a new Database Server or Web Server then please follow the links below for detailed instructions;

Moving Passwordstate to a new Database Server here

Moving Passwordstate to a new Web Server here

As always, we welcome your feedback via support@clickstudios.com.au.

Diagnose and Fix Passthrough Authentication Issues

Passwordstate has a couple of base authentication methods, Active Directory Integrated and Forms Based Authentication.  When you set up Passwordstate for the first time you can choose which of these authentication options you want to use.  By default, the Active Directory Integrated version of Passwordstate is installed.

With Active Directory Integration you can take advantage of Single Sign-On (SSO).  SSO is an authentication scheme that allows logging in with a single username and password to access multiple computer applications and resources.  It uses your Active Directory credentials to automatically authenticate you to your Passwordstate website, without needing to re-enter your username and password. 

But what if that isn’t working?  How do you stop Passwordstate from prompting for your credentials each time you browse to Passwordstate?  What if you can’t select Passthrough AD Authentication in your System Settings?

Check your Internet Information Server Authentication Settings

Passwordstate requires users to enter their Active Directory username and password to authenticate by default.  During installation we also set the Internet Information Server (IIS) to Anonymous Authentication.  This setting needs to be disabled to allow your Windows clients to use SSO.  To do this you’ll need to open IIS on your webserver, select your Passwordstate website and double click Authentication,

Now right click Anonymous Authentication and select disable.  The results should look like the screen image below,

Now you can make the required changes in your Passwordstate Instance.

Choosing Passthrough AD Authentication

Logon to your Passwordstate instance and navigate to Administration TAB->System Settings->Authentication Options->Web Authentication Options and select Passthrough AD Authentication from the Choose Authentication Options drop down list as per the screenshot below

Once this has been set you can logoff and try browsing back to your Passwordstate instance.  You should now be automatically logged in with SSO from your Windows client.  Unfortunately, Linux and Mac clients will continue to prompt for the username and password credentials.

My Browser Is Still Prompting for Domain Credentials

You’ve now successfully configured your system to allow SSO.  So why could you still be receiving prompts to enter your domain credentials?  There are a number of reasons why you could continue to receive these prompts to enter your domain credentials.

First, check that you are currently logged on using a Domain Account and not a Local Account.  You should also check that you are using DNS for name resolution and not a hosts file.

Next you can confirm if your Passwordstate website is being detected as being in the ‘Local intranet’ Security Zone.  Security Zones are a legacy of Internet Explorer but appear to be still used by modern browsers.  To confirm if Passwordstate is in the correct Security Zone, open Control Panel->Internet Options->Security Tab, select Local intranet and click on Sites (screenshot below);

Next click on Advanced,

And confirm your Passwordstate website is listed under the Websites: listing.  The example below is for Click Studios Passwordstate instances.  If your Passwordstate instance is not shown here you should add the URL of the site to a group policy which forces your browser to detect the site is in the Local Intranet zone.  Alternatively, each user can add the URL in the Add this website to the zone: and click the Add button.

For the Firefox browser, open Firefox and type about:config in the URL bar.  In the Search dialog box type network.automatic and double click the network.automatic-ntlm-auth.trusted-uris result.  You’ll then need to enter your Passwordstate URL (screenshot below as reference),

Now restart your browser and SSO should be working.

Lastly, some customers’ SSO for Passwordstate has been affected by the order of the authentication providers in IIS for Windows Authentication.  You can try moving the NTLM Provider to the top.  To do this open IIS on your web server, select your Passwordstate website and double click Authentication.  Select Windows Authentication, click on Providers…, select NTLM and click on Move Up.

Click on OK and then restart IIS or reboot the Webserver and your SSO for Passwordstate should now be working.

As always, we welcome your feedback via support@clickstudios.com.au.

Securing your Web.config File

Click Studios has always strongly recommended that customers encrypt both their Database Connection String and their appSettings Sections of their Web.config file. 

These are considered part of Click Studios Best Practice approach for securing your Passwordstate instances.  It ensures that should anyone have access to your Web Server’s file system they will be unable to use the details of the Web.config file to access and retrieve your Password Credentials.

The process is straightforward and is outlined below.  If you are unsure as to whether your existing Web.config file is already encrypted or not you can follow the steps in this previous Blog.  As always, we welcome your feedback via support@clickstudios.com.au.

Further details on how to perform this encryption can be found under Sections 10 and 11 in our Passwordstate Installation Instructions.

Encrypting the Database Connection String

On your Passwordstate Web Server open a Command Prompt with administrator privileges and navigate to C:\Windows\Microsoft.NET\Framework64\v4.0.30319

Now type in aspnet_regiis.exe -pef "connectionStrings" "c:\inetpub\passwordstate" and press enter.  Note that if you installed Passwordstate in a different location you’ll need to replace c:\inetpub\passwordstate with the location of your Passwordstate instance.  You should see the following;

Now that you’ve successfully encrypted your Database Connection String, you’ll need to restart your Passwordstate Windows Service.  To do this you can enter the following commands;

net stop "Passwordstate Service"

net start "Passwordstate Service"

You should be presented with the following after running each command.

Your Passwordstate Instance is now running again with the encrypted connection string.  Now you should proceed to encrypt the appSettings section of your Web.config file.

Encrypting the appSettings Section

Assuming you are still in the command prompt with administrator privileges, type in aspnet_regiis.exe -pef "appSettings" "c:\inetpub\passwordstate" and press enter.  Again, if you installed Passwordstate in a different location you’ll need to replace c:\inetpub\passwordstate with the location of your Passwordstate instance.  Once again, you’ll need to restart your Passwordstate Windows Service with net stop "Passwordstate Service" and net start "Passwordstate Service".

Your screen should look similar to the one below;

Now just exit out of command prompt and take a well earned break.  You’ve just made your Passwordstate instance even more secure!
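To confirm that both sections ended up encrypted after running the commands above, a check like the following can be run against a copy of the file.  This is an added example, not part of the Passwordstate tooling: the function names are hypothetical, the sample Web.config is constructed, and the check relies on the standard .NET protected-configuration layout, in which aspnet_regiis -pef adds a configProtectionProvider attribute and replaces the section’s contents with an EncryptedData element.

```python
import xml.etree.ElementTree as ET

SECTIONS = ("connectionStrings", "appSettings")

# Constructed sample: connectionStrings has been encrypted, appSettings has not.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                   xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData>
        <CipherValue>Q09OU1RSVUNURUQ=</CipherValue>
      </CipherData>
    </EncryptedData>
  </connectionStrings>
  <appSettings>
    <add key="Secret1" value="constructed-placeholder-1" />
    <add key="Secret2" value="constructed-placeholder-2" />
  </appSettings>
</configuration>
"""


def local_name(tag: str) -> str:
    """Strip an XML namespace, e.g. '{ns}EncryptedData' -> 'EncryptedData'."""
    return tag.rsplit("}", 1)[-1]


def section_status(root, name: str) -> str:
    """Return 'encrypted', 'plaintext' or 'missing' for one config section."""
    section = root.find(name)
    if section is None:
        return "missing"
    children = [local_name(child.tag) for child in section]
    encrypted = ("configProtectionProvider" in section.attrib
                 and "EncryptedData" in children)
    # Any readable element left beside EncryptedData means settings are exposed.
    readable = [c for c in children if c != "EncryptedData"]
    if encrypted and not readable:
        return "encrypted"
    return "plaintext"


def audit_web_config(xml_content) -> dict:
    """Report the protection status of the two sections the page encrypts."""
    if isinstance(xml_content, str):
        xml_content = xml_content.encode("utf-8")
    root = ET.fromstring(xml_content)
    return {name: section_status(root, name) for name in SECTIONS}


def sections_to_encrypt(report: dict) -> list:
    """Sections that are present but still readable on the file system."""
    return [name for name, status in report.items() if status == "plaintext"]


if __name__ == "__main__":
    report = audit_web_config(SAMPLE_WEB_CONFIG)
    print(report)
    print("still to encrypt:", sections_to_encrypt(report))
```

To check a real file, read a copy of it in binary mode and pass the bytes to audit_web_config.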


Using the New Browser Extensions with Passwordstate

Passwordstate’s Browser Extensions allow for the secure saving and retrieval of your password credentials using the Passwordstate vault.  These credentials can then be used to autofill your website’s user name and password fields, streamlining the login process.

This automated process makes it easier for your end-users to have strong, individual passwords for all websites they visit. This is crucial in minimising potential attack vectors and is considered one of the best practices in protecting your personal and corporate data and systems.

All the details in this blog apply to the new Extensions for Microsoft Edge, Google Chrome and Firefox Browsers. As always, we welcome your feedback via support@clickstudios.com.au.

Enabling the URL Field

First, you’ll need to create a private password list by using the Add Private Password List Wizard.  You can enter any name you wish for the new Private Password List; make sure you select the Web Site Logins template from the Template drop down box.

Click Next and you’ll be presented with a screen to confirm your settings.  Click on Finish to create the Private Password List.

Once completed the URL field is enabled.  This is required for Browser Extensions to be able to save passwords.  You can confirm the URL field is enabled by navigating to the Edit Password List Properties -> Customize fields tab

Adding Browser Extensions

The example used here is with the new Chromium Edge Browser.  Simply go to the Edge Settings on the right hand side of your Browser, click on and select Extensions 

This will take you to the settings page where you’ll need to click on Get extensions from Microsoft Store.  Search for Passwordstate in the search box and click on the Passwordstate result that is returned.

Next, click Get and then the Add extension button.  This will install the extension, which will appear red until you are connected to your Passwordstate instance.

Simply logon to Passwordstate using your normal credentials and the Browser Extension will turn from red to dark grey.  You can now begin saving and using password credentials for your web based logins.

Using Browser Extensions

Searching for Website Credentials, Linking to Records and Passwordstate

You can use the Browser Extension to quickly search for Web Sites that you have logins for.  Simply click on the Passwordstate Browser Extension and enter the Web Site name in the search dialog box.

In this example we’re searching for reddit.  This will search your Private Password List for a matching entry and return the title of the login, your username, the Password List where it is stored and the description of the login.

Clicking on the chain icon that is presented to the right of the text will take you directly to the Password record allowing you to change elements of that record

You can also link directly to your Passwordstate instance by clicking on Passwordstate Web Site button

Generating Passwords and Setting Preferences

You can generate new passwords direct from the Browser Extension.  These can be generated by using any one of a number of different Password Generators available in the Choose Password Generator drop down box.  Simply select a Generator and click New.  Once generated you can copy the new password to the clipboard or apply it to the field for the currently active Web Site.

Under Preferences you’ll find options to enable Auto-Fill of your Web Site logins with your saved credentials, enable the Icon Overlay, specify which Password List to be used by default and also the default Password Generator to be used.

Reporting Site Issues

The Internet has literally millions of different Web Sites that have been developed using different technologies and standards.  In the event that you come across a Web Site that doesn’t work properly with the Browser Extension you can report the issue to Click Studios by selecting the Report Site Issue.

Please supply as much information as possible, including the type of Browser you are using, the Web Site URL, your Email address and a detailed description of what happens.  This will help us to analyse why the Browser Extension doesn’t work with that particular site.  Please understand that because of the way that some sites have been developed it may not be possible to resolve the issue.

To disconnect your Browser Extension from your Passwordstate instance simply click on Logout

Capturing and Selecting Login Credentials

When entering your login credentials for a web site for the first time you’ll be prompted with the following screen.  The example below is based on a login for Facebook.  This will allow you to specify the Password List you wish to save the credentials to, the Username and Password you’ve just entered and the ability to add a description for the credentials.

To save the record to your Passwordstate vault click Save.  Clicking on Ignore will prevent the web site from asking you to save any future logins and clicking on Close will close the dialog box without performing any action.

Once the credentials are saved, they will be automatically populated into the correct fields for you every time you open that web site login page.  All you are required to do is click on the log in button.

If you have 2 or more logins for a particular web site, when browsing to it the Passwordstate Browser Extension will show the number of login credentials you have saved for that site.   In this example we’re using Imgur and have 2 separate logins.

Simply click on Show Matching Logins and then select the correct set of credentials to login to the web site.

Alternatively, you can select the correct credentials to use from the Icon Overlay that is shown in the Login fields.  Simply click on the Icon Overlay and you’ll be presented with the Log in as dialog box

Keyboard Shortcuts

Lastly, there are predefined keyboard shortcuts available under Extensions->Keyboard shortcuts.  All the shortcuts shown below are configurable if you’d prefer to specify your own key combinations.

To watch the full video tutorial for this blog please visit https://www.youtube.com/watch?v=HsnfJvgaRj4

Importing Passwords from LastPass into Passwordstate

Step 1:

To export your data from LastPass, select “Open my Vault”

Go to “More Options” and under Advanced click “Export”

Type in your Master LastPass password and click Continue:

This will open a new tab in your browser and it will have multiple lines of text.  Highlight all of these lines and copy them to your clipboard using Control-A and Control-C

Open Notepad, paste the contents into it, and then save it as a csv file (if you wrap the LastPass.csv title in double quotes, this saves it as a csv file):

Step 2:

Download the “Import-LastPass.zip” file from https://www.clickstudios.com.au/downloads/import-lastpass.zip

Step 3:

Extract this file, which will give you an Import-LastPass.ps1 PowerShell script.  Open this script with PowerShell ISE or a PowerShell scripting tool of your choice.

Step 4:

On lines 5 – 9 you’ll need to enter your appropriate information about your Passwordstate website:

  • $PasswordstateURL is just your standard URL you use to access Passwordstate
  • $Filename is the full path to the CSV file you created in Step 1
  • $SystemWideAPIKey can be generated/found under Administration -> System Settings -> API
  • $TemplateID is the number of the built in “Web Site Logins” Password List template.  This can be found under Administration -> Password List Templates and you’ll need to toggle the ID column visibility to get this value:
  • $UserID is your exact username you enter to access Passwordstate. This can be found under Administration -> User Accounts

Step 5:

If you now run the script, you should get no errors, and a new Folder will be created in your Passwordstate Navigation Tree called “LastPass Import”.  Inside that folder should be a number of different Password Lists, depending on how many Groups you had in LastPass, and in each of those Password Lists should be all of your existing LastPass passwords.

We hope this helps and if you have any queries about this, please contact support@clickstudios.com.au for help.

Regards, Support.

Import Passwords from Thycotic Secret into Passwordstate

With the use of the Passwordstate API, it’s possible to import Secret Server data using the XML export option Thycotic provide.

The following documentation has been tested using Secret Server version 10.5.000003, and it would be unlikely Thycotic’s Password Templates and XML export feature would be different in other builds. We also recommend following this forum article to quickly backup and restore your database, in case you experience any errors during the import process – https://www.clickstudios.com.au/community/index.php?/topic/2480-sql-script-to-quickly-backup-and-restore-passwordstate-database/

Field Mappings

Secret Server handles fields differently to Passwordstate, in that they provide a per password record Template of different types (25 in total). Passwordstate uses Password List Templates instead, and the following instructions will use 5 different Templates for the import. Please be aware, you must be using Passwordstate Build 8652 or above for this process, as it has changes to Password List Templates required for this process.

Below in the instructions where you download the file ‘Import-Secret-Server-XML.zip’, this includes an Excel spreadsheet called ‘SecretServer_Passwordstate_FieldMappings.xlsx’. This spreadsheet documents the field mapping from the various Secret Server Password Templates, to the Passwordstate Password List Templates. The only Secret Server template which will not be imported is ‘Contact’, due to Secret Server exceeding the maximum number of Generic Fields Passwordstate supports.


Exporting from Secret Server:

To export your Secret Server data in XML format, please use the screenshots below for guidance. Please save the XML file locally somewhere on your PC, for access further down in the instructions.

Preparing Passwordstate for the import:

  • In Passwordstate, on the screen Administration -> Password List Templates, you need to edit each of the Templates listed in the dot points below to turn off the option “Prevent saving of Password Record if a ‘Bad’ password is detected” – if this step is missed, your import may fail due to Bad Password detection:
    • Credit Cards
    • Software Licenses
    • SSH Account (Password + Key Storage)
    • Standard Password List
    • Web Site Logins

Import Data

To import the exported XML file above, please follow these instructions:

  • Take note of your System Wide API key in Passwordstate, which can be found under Administration -> System Settings -> API Keys.  If you need to, you can generate a new one, and please click the ‘Save’ button on this screen if you do
  • Download the following file https://www.clickstudios.com.au/downloads/Import-Secret-Server-XML.zip
  • Extract the Zip file to the same path as where you exported your XML file
  • Open PowerShell ISE as ‘Administrator’, and open the file ‘Import-SecretServer-XML.ps1’
  • Update the field variables at the top of the script with appropriate values (see screenshot below) – please specify the UserID here that you use to log in to Passwordstate. Once done, save the changes to the file
  • Now execute the script, and select the exported XML file when prompted
  • Once the script has finished executing, you should see a ‘parent’ folder called ‘Secret Server Import’, with relevant Folders, Password Lists, and Password records, as per the screenshot below.
  • Once complete, please go back to each of the Password List Templates within the Administration area, and turn back on the option “Prevent saving of Password Record if a ‘Bad’ password is detected” for each Password List Template

Import Passwords from KeePass into Passwordstate

Recently, we have been getting more and more requests from new Passwordstate customers asking how to import their data from KeePass.  Because of these requests, we’ve now created a PowerShell script which can be used in conjunction with our API.  Our goal with this is to not only import the passwords from KeePass, but to also replicate the structure of the KeePass Groups in Passwordstate.

For customers not familiar with Passwordstate, the equivalent of a “Group” in KeePass is a “Password List” in Passwordstate.  We also have the concept of “Folders” which allow you to logically group Password Lists together.  If you follow the process below, it will create a Folder called KeePass Import in the root of Passwords Home, which will contain one Password List for every Group you have in KeePass.  It will then import the relevant passwords inside each Password List.

We highly recommend taking a backup of your Passwordstate database prior to performing this import.  You can either use the automatic backup feature within Passwordstate, or possibly use SQL Management Studio Tools instead.

Exporting from KeePass in the Correct Format:

If you would like to migrate your passwords from KeePass to Passwordstate, you will need to export them as a csv file, which Passwordstate reads correctly.  The best version of KeePass to do this in is the Classic version.  The Classic version has better options when exporting, allowing you to select which attributes of your passwords you would like to insert into the csv file.  If you are using KeePass Professional, you will need to transfer all of your passwords to the Classic version.  To do this:

1. Open KeePass Professional and click File -> Export

2. Select KeePass KDB (1.x)

3. Select a place on your local disk to save the export to, and click OK

4. If you get an error saying “This file format does not support root groups” click Close

5. Open KeePass Classic

6. Click File -> Import -> KeePass Database…

7. Open the .kdb file you generated in the export process above

8. Enter in the Master Password for your exported database and click OK

9. Click File -> Export -> CSV File…

10. Save the .csv to somewhere local like D:\KeePass-Import\Passwords.csv

11. Under the fields to export, ensure you also tick “Group” and click OK

**Important** Once you have exported this .csv file, DO NOT modify and save in Excel in any way.  This can make the .csv file unreadable for the purpose of this exercise.
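The export can be sanity-checked from PowerShell instead of opening it in Excel. The following is an added example, not part of the Click Studios import script: the function name Test-KeePassExport is hypothetical, and it assumes the export has a header row whose group column is named Group. The sample rows are constructed.

```powershell
# Added example: pre-import check of a KeePass Classic CSV export.
# Assumption: the file has a header row and the group column is named "Group".
function Test-KeePassExport {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $GroupColumn = 'Group'   # assumed header name
    )

    # Read-only parse; the file on disk is never rewritten.
    $rows = @(Import-Csv -LiteralPath $Path)
    if ($rows.Count -eq 0) { throw "No records found in $Path" }

    $columns = $rows[0].PSObject.Properties.Name
    if ($columns -notcontains $GroupColumn) {
        throw "Column '$GroupColumn' is missing; re-export with Group ticked."
    }

    # Records without a group cannot be mapped to a Password List by name.
    $blank = @($rows | Where-Object { [string]::IsNullOrWhiteSpace($_.$GroupColumn) })
    if ($blank.Count -gt 0) {
        Write-Warning "$($blank.Count) record(s) have an empty '$GroupColumn' value."
    }

    # One Password List is created per Group, so report each group and its
    # record count. Only names and counts are emitted, never password values.
    $rows | Group-Object -Property $GroupColumn | Sort-Object Name |
        Select-Object @{ n = 'Group'; e = { $_.Name } },
                      @{ n = 'Records'; e = { $_.Count } }
}

# Constructed sample data (not real credentials), written to a temp file.
$sample = Join-Path $env:TEMP 'keepass-sample.csv'
@'
"Group","Account","Login Name","Password","Web Site","Comments"
"Servers","web01","svc_web","example-1","https://web01.example.test",""
"Servers","db01","svc_db","example-2","",""
"Network","core-sw1","admin","example-3","",""
'@ | Set-Content -LiteralPath $sample -Encoding UTF8

Test-KeePassExport -Path $sample | Format-Table -AutoSize
Remove-Item -LiteralPath $sample
```

The group names it lists are the Password Lists you should expect to see under the KeePass Import folder after the import.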

Preparing Passwordstate for the import

1. In Passwordstate, under the Passwords menu, create a Password List Template.  This process will be copying the settings and permissions from this template when setting up your data.

2. On the Template, ensure you deselect the option “Prevent saving of Password Record if a ‘Bad’ password is detected”:

3. Also on the same Template, ensure you select the URL field as follows, and save it:

4. Apply appropriate permissions to the template via the Actions Menu.  Any user you give access to on this screen will get access to all passwords you import from KeePass.  If need be, you can easily modify permissions after you’ve completed this import process:

5. Press the Toggle ID Column Visibility and take note of the TemplateID:

6. Download the Import-Keepass.zip file from the Click Studios web site, and extract the contents into the same folder as your exported KeePass .csv file.

7. Take note of your System Wide API key in Passwordstate, which can be found under Administration -> System Settings -> API Keys.  If you need to, you can generate a new one:

8. Open the extracted import-keepass.ps1 file in your favorite PowerShell scripting tool, and modify the top 4 variables to reflect the correct information about your environment. You will need to enter your Passwordstate URL, the exact path to your exported .csv file, your System Wide API key, and your Template ID:

9. If you now run your PowerShell script, you should notice a KeePass Import folder in Passwordstate, along with multiple Password Lists which are named the same as all your groups and sub-groups from KeePass.  They will also contain all the relevant passwords:

10. If you like, you can create some Folders in Passwordstate and begin dragging and dropping your new Password Lists as appropriate.

If you need any help with this at all, you are welcome to contact us on support@clickstudios.com.au.