Important Changes to Browser Extensions

Click Studios is making changes to Passwordstate and our Browser Extensions.  We’ve been maintaining a legacy code base in Passwordstate and the Browser Extensions since Build 8782, released way back in September 2019.  This code base can no longer be supported.  In removing it we remove unnecessary complexity from the ongoing development of Passwordstate and our Browser Extensions, and open up the ability for richer functionality in both.

The first of these changes relates to the authentication method used in our Browser Extensions for Chrome, Edge, Firefox and Brave web browsers.  This will come into effect when first upgrading Passwordstate from Build 9753 (or lower) to Build 9785 (or higher).  Once Passwordstate has been upgraded, all users' Browser Extensions will be in an unauthenticated state and the extension icon will be Red.

To authenticate you’ll need to create a new Browser Extension Master Password and follow the process as outlined in this blog.

Create A Master Password!

From Passwordstate Build 9785, Browser Extensions will first require a Master Password to be entered in order to effectively authenticate against your Passwordstate instance and be unlocked to retrieve credentials.  Each end user needs to do this themselves as this Master Password authenticates their use.

To create the Browser Extension Master Password, navigate to Preferences->Browser Extension->Browser Extension Master Password and create the Master Password by entering it in the field indicated.  Note, your Security Administrator will have specified a Password Strength Policy that this Password must adhere to.  Feedback is provided underneath the input field as the user types, indicating what is still required.

Once you’ve finished, click on the Save & Close button.  Now you’ll need to click on the Red Browser Extension icon.  This will open a dialog asking you to confirm the URL for the source of your credentials.

This will be either your Passwordstate instance URL (the base URL you’ve just logged into) or the URL of the App Server that processes these requests.  If you have any doubt, check with your Passwordstate Security Administrator.  Only if the URL matches should you enter the Browser Extension Master Password previously created, then click on the Login button.

You can then also click on the OK – I understand button if it is still displayed.  While on the Master Password / Login dialog box it’s important that you do not move the focus from this box.  It is deliberately designed so that if you click on anything outside of the dialog box the process will be terminated.  If this happens, log out of Passwordstate and start the process from the beginning (you won’t need to recreate the Browser Extension Master Password).

What Will I See?

You are now authenticated and unlocked, as indicated by the Browser Extension icon having turned Black.  You can now add and retrieve credentials as normal.

Browser Extensions can be in various states.  Each of these is color coded as per the image below.

Red: The Browser Extension is not active. It has either been logged out of your Passwordstate Instance, or is waiting for the initial configuration against your Passwordstate instance’s base URL. To activate the Browser Extension simply browse to your Passwordstate website login URL, login as normal, confirm the URL presented is the same as your Passwordstate instance’s base URL, enter the Master Password and click Login.  Please note your Security Administrator controls the Browser Extension Session Timeout setting.

Blue: Indicates the Browser Extension is active, authenticated, unlocked and the URL on the active tab of your browser is set to be ignored.  Ignored URLs do not automatically form-fill existing, or prompt to save new, credentials for that website.

Black: Your Browser Extension is active, authenticated, unlocked and able to automatically form-fill saved credentials for a website or add new credentials.

Yellow: Your browser extension is in a “locked” state, and you will need to unlock it using your Master Password.  This typically occurs when you have closed your web browser but have not exceeded the Browser Extension Session Timeout setting.  While in a “locked” state you are unable to retrieve or add credentials to Passwordstate.

How To Unlock The Browser Extension?

As outlined in the section above, when the Browser Extension is showing as Yellow it is locked and will not allow you to retrieve or add credentials to Passwordstate.  To unlock the Browser Extension simply click on the icon, enter your Master Password and click on the Unlock button.

Again, do not move the focus from this dialog box.  If you click on anything outside of the dialog box the process will be terminated and you will have to start the process again.  If you click on Logout your Browser Extension icon will turn Red and you’ll be required to login to Passwordstate to reauthenticate and then re-enter the Master Password.

If you’d like to share your feedback please send it through to support@clickstudios.com.au.

Getting More Out Of Passwordstate

Passwordstate commenced development way back in 2004, as a result of witnessing first-hand the number of clients that had adopted poor Password Management practices.  Approaches such as storing simple passwords in unprotected spreadsheets on network file shares and personal computers posed a real risk to these clients.  And we weren’t just talking about small businesses.  Our clientele came from industry verticals including Property Management, Gaming & Entertainment, Hospitality, Health & Fitness, Lotteries and Agriculture.

Passwordstate has come a long way since those early days.  Today we can boast having more than 29,000 Customers and 370,000 Security & IT Professionals globally, spanning industry verticals including Defence, Banking & Finance, Media and Entertainment, Space & Aviation, Education, Utilities, Retail, Mining, Automotive, Service Providers and IT Security Integrators.  Please note, the screenshot below is of V2.0.  We’ve intentionally removed all images of V1.0 as it didn’t look all that flash.

Passwordstate’s Core Functionality Is…

All about the secure storing, management and use of credentials.  The approach taken in Passwordstate is the same regardless of the credentials being Shared or Private.

Access to Shared Password Lists, and the Password Records contained within those Lists are permission based.  The same is true in principle with Private Password Lists and Records, except that with these you’re prevented from sharing or granting access to these Lists and Records at a system level (and there are no workarounds while they remain Private).

But that’s not all that Passwordstate has to offer.  In the Core functionality you can also perform Privileged Account Management: discover local accounts on equipment (such as switches and servers), change the password for those accounts and manage them from that point onwards.  You can also store documents relating to Work Instructions, Change Approvers (or anything at all).

Extend Access to Credentials

Once you’ve got your credentials securely centralized, you can extend access to these using our Android and iOS Mobile Apps.  The Mobile Apps use an independent credential set per user and store password records on the smartphone within an encrypted cache.  This encrypted cache can have a ‘Time to Live’ of up to 30 days, with the value configurable by your Security Administrator.  You can also assign permissions on who is permitted to use the Mobile Apps based on User and Security Groups.

All authentication and access of credentials is audited and synced back automatically with Passwordstate on next connection so there is always an audit trail on credentials that have been accessed.

Once you have the Mobile App installed you can do away with any existing Authenticator Apps.  Access to your One-Time Password codes can be done right in the Passwordstate Mobile App.  This means when you replace your device you can automatically synchronize all applicable Credentials and OTP Codes to the new device.

Self-Destruct Messages

You can also use Self Destruct Messaging, allowing you to send messages containing highly confidential information that can only be viewed for a specified period of time.  The content you share is stored only within the Passwordstate Self Destruct Messaging portal.  You specify who can send Self Destruct Messages and control both the ‘Time to Live’ and the number of times the data or a Password Record can be viewed.

When the recipient views the content of a Self Destruct Message it is presented via the Passwordstate Self Destruct Messaging portal.

Remote Host Connections

Passwordstate has 2 first-in-class Remote Access Solutions, a Browser Based Launcher and a Client Based Launcher.  These are included with the core Passwordstate product at no additional cost.

The key advantage of these built-in launchers is the use of Remote Session Credentials, which enable automatic authentication to your remote hosts.  This feature is especially useful for enabling contractor or vendor accounts to be configured for authenticating to hosts without having access to the password record.  The encrypted credentials are retrieved from Passwordstate, sent to the Remote Session Launcher utility/gateway, decrypted and passed to the remote client.

While the Browser Based Launcher only supports RDP and SSH connections, you also have the ability to record sessions and play back the Session Recordings at a later time.

It’s Not Just About Passwords!

Passwordstate can be used to record many types of information, from Credit Cards, Hardware Maintenance Contracts, Software License Keys to SSL Certificates and many more.  This allows you to record and use many types of business information, that is both associated and unassociated with the credentials you manage.

It allows you to share the information with those that need it and maintain a full audit trail of all access to that information.

You may think that Passwordstate is just an effective and affordable Enterprise Password Management System.  But it can offer so much more, and while it isn’t designed to be a complete document management system or Remote Desktop Solution, it offers some of the functionality of more expensive 3rd party solutions at no additional cost.  You can get more out of Passwordstate, you just need to think about how else you can use it.

If you’d like to share your feedback please send it through to support@clickstudios.com.au.

Importing Hosts In Bulk

The Hosts tab facilitates two main functions.  The first is to allow Hosts to be added into Passwordstate, and in doing so enable local accounts on those hosts to be managed in the form of Account Discoveries, Password Resets and Account Heartbeats.  The second is to access these Hosts using our Remote Session Launcher via RDP, SSH, Telnet, VNC, SQL and TeamViewer.  The types of connections that can be used are dependent on the Remote Session Launcher selected.

When navigating to Hosts Home, located on the Hosts Tab in Passwordstate, you are provided with summary information on all the Hosts added to your Passwordstate instance.  This includes the total number of Hosts, a breakdown by type, and the Remote Session Credentials used to access your Hosts.  As Passwordstate uses Role Based Access Control (RBAC) you will only be able to access the Remote Session Credentials you have been granted permission to.

You also have links to Add Host records, View All Host Records and View Host Discovery Jobs.  While this blog is about Importing Hosts in bulk into Passwordstate, you can of course add individual Host Records.  To do this you would simply click on Add Host.

This will present you with the Add New Host screen (the image below is only part of that screen).  Just fill out all the required details and click on Save, or if adding multiple new records, click on the Save & Add Another button.

Add Hosts Through Discovery Jobs

From Hosts Home you have the option of viewing and adding Host Discovery Jobs.  Host Discovery jobs are essentially the same as Account Discovery jobs, except instead of collecting local account information on devices, you’re collecting information about the devices themselves.  At this stage we need to point out that Passwordstate collects this information from Active Directory (AD).  Our software doesn’t “trawl your network” looking for devices.

To add a discovery job to import your Hosts, navigate to Hosts->Hosts Home and click on View Host Discovery Jobs.  This will take you to the Host Discovery Jobs screen.  Underneath the display grid, showing any existing Discovery Jobs, you’ll find the option to Add Discovery Job.

This will take you to the Add Hosts Discovery Job screen.  From this screen you can enter all the specifics associated with the discovery job.

The information you can enter includes:

  • The Discovery Job Name,
  • A Description for the job,
  • The Site Location, only used if you have multiple Remote Site Locations configured,
  • Which Active Directory Domain to query for this discovery job,
  • Selecting the Simulation Mode allows you to receive an email on the results of the discovery job without processing those results,
  • Only Discover hosts with the following Operating Systems by selecting that OS,
  • Only discover Hosts where the Last Logged on date is greater than or equal to a specific date, i.e., only machines logged into since July 2022
  • If you want to, you can Populate the Host’s Tag field with the Organizational Unit (OU) it belongs to,
  • When a new Host is found, set its Remote Connection Properties to a Specific Port Number and connection type,
  • Choose what to do If an existing Host in Passwordstate is no longer found in any of the OUs specified,
  • Specify the Privileged Account Credential used to query your AD Domain.

To query specific AD OUs, click on the Active Directory OUs tab and specify them there.  Lastly, on the Schedule tab you can specify the time and frequency for running the Host Discovery Job.

Import Hosts via CSV File

From Hosts Home you also have the option of viewing and importing Host Records.  To View All Host Records, navigate to Hosts->Hosts Home and click on View All Host Records.  This will display any existing Host Records in the display grid.

Above the display grid is a Host Filters section which allows you to fine tune the Host Records you are searching for.  Beneath the display grid are options to Add Host, Import and Export Hosts.  To perform a bulk import of Hosts click on Import.

This will take you to the Import Hosts screen.  From here you’ll need to generate a CSV template that includes all the fields for a Host Record.  The template shown specifies which fields are required, and allows you to specify the Host Type and Operating System from the drop down lists.

On clicking the Generate CSV Template button, Passwordstate will generate the CSV template and download it to your PC.  For Windows based systems this will typically be C:\Users\<your username>\Downloads.  You can now populate this template with the Hosts you wish to import.  Once you are ready, simply use the Select button, navigate the file system, select the file and then click Submit.  In the example I’ve named the populated template Click_Studios_hosts_template.csv.

On completion of the import process, you’ll be presented with the Import Successful screen advising the number of records that were imported.  Click on the Continue button to return to the Hosts Home screen.

Import Hosts via Scripting With API

Lastly, you can also use the Passwordstate API to import Hosts.  The example PowerShell script below uses the Standard API (the API Key needs to be provided) to import 3 computers.  Please note the script directly below has some data removed, such as the full server names, Passwordstate URL and API key.

This code can be loaded into PowerShell ISE and run.  Again, data such as the full server names, Passwordstate URL and API key has been redacted.
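The post's own script is a screenshot and is not reproduced here.  The following is an added example, not Click Studios' code, that ties the CSV import section and the API section together: it reads a populated CSV template and creates one Host per row through the Standard API.  It assumes that the Hosts endpoint is `POST <your instance>/api/hosts`, that the key is sent in an `APIKey` request header, and that the JSON property names (HostName, HostType, OperatingSystem, RemoteConnectionType, RemoteConnectionPortNumber, Tag) match the generated template; verify all three against the API documentation for your build before running it.  The URL is a placeholder and the API key is prompted for rather than stored in the script.

```powershell
# Added example (not the script from the Click Studios post): bulk-import Hosts
# from a populated CSV template through the Passwordstate Standard API.
# Assumptions to check against your build's API documentation:
#   - Hosts are created with POST https://<instance>/api/hosts
#   - the API key travels in the 'APIKey' request header
#   - the JSON property names below match the CSV template columns
param(
    [Parameter(Mandatory)] [string] $PasswordstateUrl,   # placeholder, e.g. https://passwordstate.example.internal
    [Parameter(Mandatory)] [string] $CsvPath              # the populated CSV template
)

# Refuse to send an API key anywhere except over HTTPS.
if ($PasswordstateUrl -notmatch '^https://') {
    throw 'Refusing to send an API key over a non-HTTPS URL.'
}

# Never hard-code the key: prompt for it as a SecureString and only unwrap it
# at the moment it is placed in the request header.
$secureKey = Read-Host -Prompt 'Standard API key' -AsSecureString
$apiKey    = [System.Net.NetworkCredential]::new('', $secureKey).Password
$headers   = @{ 'APIKey' = $apiKey; 'Content-Type' = 'application/json' }

$hostRows = Import-Csv -Path $CsvPath

$results = foreach ($row in $hostRows) {
    # Body mirrors the columns of the generated CSV template (assumed names).
    $body = @{
        HostName                   = $row.HostName
        HostType                   = $row.HostType
        OperatingSystem            = $row.OperatingSystem
        RemoteConnectionType       = $row.RemoteConnectionType
        RemoteConnectionPortNumber = [int]$row.RemoteConnectionPortNumber
        Tag                        = $row.Tag
    } | ConvertTo-Json

    try {
        $resp = Invoke-RestMethod -Method Post -Uri "$PasswordstateUrl/api/hosts" -Headers $headers -Body $body
        [pscustomobject]@{ HostName = $row.HostName; Status = 'Imported'; Detail = ($resp | ConvertTo-Json -Compress) }
    }
    catch {
        # Record the failure and carry on so one bad row does not abort the whole import.
        [pscustomobject]@{ HostName = $row.HostName; Status = 'Failed'; Detail = $_.Exception.Message }
    }
}

# Drop the plaintext key as soon as the requests are done.
$apiKey = $null
$headers.Clear()

$results | Format-Table -AutoSize
$imported = @($results | Where-Object Status -eq 'Imported').Count
"$imported of $($hostRows.Count) hosts imported."
```

Run it as `.\Import-Hosts.ps1 -PasswordstateUrl https://<your instance> -CsvPath .\Click_Studios_hosts_template.csv`.  The per-row try/catch means a rejected record (for example an unknown Host Type) is reported by name at the end rather than stopping the loop, which is the behaviour you want when the CSV has hundreds of rows.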

In summary, there are 3 different methods of importing Hosts in Bulk into Passwordstate.  This provides you with the choice of method that best suits you and your environment. If you’d like to share your feedback please send it through to support@clickstudios.com.au.

All About Licensing

Click Studios receives requests, related to explaining Passwordstate licensing, on a regular basis. 

While we have the majority of the details covered here https://www.clickstudios.com.au/pricing-faq.aspx we still have other associated questions posed to us regularly.

This blog post is aimed at offering an end to end view of licensing and applying the keys.

What are Core License Types?

There are 3 different categories of Licensing used for Passwordstate.  These are Core Licensing, Annual Support and Module based licenses.

Core Licensing includes Client Access Licenses, Enterprise Licensing and Global Licensing.  All 3 of these are a once off purchase, have exactly the same Passwordstate functionality, with the only differentiator being the number of users that can access Passwordstate and the number of instances of Passwordstate you can install. 

Client Access Licenses limit the number of users accessing a Passwordstate instance to the number of licenses you have purchased.  The example being you have purchased 52 Client Access Licenses so only 52 named users can access the instance.  Please Note: the first time you purchase Client Access Licenses, with Annual Support and Upgrade Protection, we’ll add an extra 5 Client Access Licenses to the quantity you purchase in lieu of the “Free for 5 Users” license.

Enterprise Licensing is price capped at the cost of 200 Client Access Licenses.  It allows for an unlimited number of users to access the one Passwordstate instance.  The example being you need 500 users to access your Passwordstate instance so you purchase an Enterprise License.  If you request a quote to purchase more than 200 Client Access Licenses, we’ll convert your quote to an Enterprise License.

Global Licensing enables you to have an unlimited number of Enterprise License instances, each allowing for an unlimited number of users accessing each instance.  The example being you need Passwordstate instances deployed, in multiple countries or locations, and each need to potentially cater for up to 200 or more named users.

“Free for 5 Users” Licensing is a version of Client Access Licenses.  We provided it at no cost for small businesses because we believe that password management should be Affordable for Everyone. Because it’s Important!  While this version allows the customer to upgrade Passwordstate to later versions the provision of technical support does require active Annual Support and Upgrade Protection.

What are Annual and Module Based Types?

The Annual and Module Based Licensing covers Annual Support and Upgrade Protection, and the High Availability, Password Reset Portal and Remote Site Locations Modules.

Annual Support and Upgrade Protection is the maintenance for your Passwordstate Core Licensing and the High Availability Module.  The cost is calculated at 20% of the current value of your Licenses, and it allows you to upgrade to the latest version of Passwordstate as well as receive Technical Support.  Greater detail around what is included with Annual Support and Upgrade Protection can be found here https://www.clickstudios.com.au/support-agreement.aspx.

The High Availability Module is a Once Off purchase and allows you to replicate your instance of Passwordstate, for the purpose of Load Balancing, Disaster Recovery and Business Continuity.  Each HA instance requires a license, and you must purchase the High Availability license if you wish to use Virtual Server Replication technologies for disaster recovery or business continuity purposes.  You can implement High Availability in either an Active / Passive or Active / Active configuration.  You can purchase multiple HA instances for Load Balancing or implementing DR and Business Continuity across multiple sites.

Our Password Reset Portal Module is Subscription based, with the subscription option chosen for the required number of users to be covered.  The subscription is sold in blocks starting at 100 Users, and then covering 500, 1,000, 2,000, 5,000, 10,000 and Unlimited Users.  The subscription is tied to your Annual Support and Upgrade Protection Expires Date.  You do not need to match the Subscription size for Password Reset Portal to your core license quantity, just the number of users you want to have the Password Reset Portal available to.

The Remote Site Locations Module is also a Subscription based module, with the subscription option chosen for the required number of sites to be covered.  The subscription is sold in single sites starting at 1 through to 30 Sites with an option for Unlimited Sites also available.  Again, this subscription is tied to your Annual Support and Upgrade Protection Expires Date.

What Modules are Applicable to Each Core License Type?

In terms of “Mixing and Matching” what License types and Modules go together?  The table below summarizes what Core License Types can be used with each of the Module Based Licenses,

As can be seen in the above table, Client Access, Enterprise and Global Licensing can be purchased without Annual Support and Upgrade Protection.  When there is no Annual Support and Upgrade Protection the only Module that can be purchased is the High Availability Module.

Purchasing Annual Support and Upgrade Protection, and keeping this active, is strongly recommended.  It entitles you to all bug fixes, performance improvements, new features and Update/Upgrade releases as well as allowing you to receive Technical Support.

Because the “Free for 5 Users” licensing does not include Technical Support and has no Annual Support and Upgrade Protection Expires Date, neither the Password Reset Portal nor the Remote Site Locations Module can be added to it.  Click Studios policy also prevents “Free for 5 Users” customers from purchasing the High Availability Module.

I’ve Placed My Order – What Happens Now?

To place an order, you’ll either have,

  • Placed the order online via the https://www.clickstudios.com.au/buy-now.aspx.  This is only for customers placing their first order.  If you are an existing customer, you must first email sales@clickstudios.com.au and request a quote.  Without doing this you run the risk of incorrectly ordering your licenses.  Once license keys have been generated we are unable to change them.
  • Placed the order based on a custom Buy-Now link, sent us a Purchase Order based on a self-generated quote, or one we have sent you, or,
  • Placed the order via an Authorized Reseller.

All orders are ultimately processed by Click Studios.  When we complete processing your order, we’ll send your License Keys via email to your Nominated Contacts.  We’ll also send a courtesy copy of the License Keys to the Authorized Reseller if you’ve ordered via them.

Every order, whether it’s renewing your Annual Support and Upgrade Protection, or purchasing additional Licenses or Subscriptions, will require you to apply the License Key details you receive to the fields in your Passwordstate License Information screen.

Our email, with a subject line of Passwordstate License Keys, contains details that are color coded.  This makes it easier for you to identify what needs to be updated.  If the email contains any red bolded text, then these are the only details that need to be updated.  Simply login to your Passwordstate instance, navigate to Administration->License Information screen, select each License Type that corresponds to the block in the email containing the red bolded text, and Cut & Paste the red text into the corresponding field, an example being,

The example above (with redacted details) shows updating the Expires and Registration Key details from an email into the License Type of Annual Support.  If the Passwordstate License Keys email contains no red bolded text then all details in the License Type block will need to be input.  Modern Builds of Passwordstate will automatically remove leading and/or trailing spaces on the input fields when you click Save.

Traps For Young Players

The most common issues we see when customers place an order for Annual Support and Upgrade Protection are,

  1. You’ve placed your order, but are still receiving notifications from us advising to organise your renewal with Click Studios,

This notification isn’t sent by Click Studios, it’s being sent by your Passwordstate instance.  This means that you haven’t applied the updated license keys that you received via email.  These are sent to your Nominated Contacts (up to a maximum of 4 contacts).  The new License Keys need to be applied by navigating to Administration->License Information screen.

  2. Applying the updated Annual Support Registration Key, but not applying the new Expires Date.  Both need to be applied for the updated license key to be successfully applied.
  3. You’ve attempted to update the license keys but are receiving the following error,

This is because you have either mistyped the Registration Name, License Count, Expires date or Registration Key.  Cut & Paste the License Details directly from the email provided whenever possible.  Modern Builds of Passwordstate will automatically remove leading and/or trailing spaces on the input fields when you click Save.

  4. When you installed Passwordstate you chose FIPS Encryption, or you have chosen to re-encrypt using FIPS 140-2 Encryption during the Encryption Key Rotation Process.  To resolve this please contact Click Studios and request that your license keys be generated as FIPS Compliant.  By default, all Passwordstate License Keys are generated for 256 Bit AES Encryption.

Ordering, receiving and applying your Passwordstate licensing is easy-peasy.  Just take your time and follow the instructions.

If you’d like to share your feedback please send it through to support@clickstudios.com.au.

Bypassing SAML Authentication For Selected Users

We often get asked if it’s possible to bypass SAML Authentication and have an alternative fall back method of Authentication enabled for Passwordstate Users.  The requested use case is typically that SAML Authentication is set globally, with an alternative such as Manual AD Authentication being available in case of an outage with the SAML provider.

This use case isn’t possible, but with a few changes you can achieve a similar result.

Why Can’t You Have Both With SAML As Default?

By default, when Passwordstate is installed, your Internet Information Server (IIS) is set to Anonymous Authentication.  This means that IIS does not send through your logged in credentials to Passwordstate, and when SAML Authentication is set globally, you are directing all users that browse to your Passwordstate Login URL to first authenticate with the SAML Provider.

Using a simplistic, high level diagram as an example, let’s say your SAML Identity Provider is based in Azure, and your Passwordstate instance is hosted on premise.  The following is the high-level sequence of events when accessing Passwordstate under this use case,

  1. The user browses to the Passwordstate login URL,
  2. Passwordstate redirects the request to the SAML Identity Provider (IDP) as configured in Passwordstate,
  3. The SAML IDP sends a Login Request to the User,
  4. The User receives a Login Request screen (not a Passwordstate Login Screen),
  5. The User fills out their SAML Response’s Name Identifier (NameID) and Password and hits enter,
  6. The credential set is checked against the IDP’s directory, and,
  7. If authorized, the SAML response is then passed through to Passwordstate.

While this is a very simplistic explanation, it does show that all traffic to the Passwordstate Login URL is redirected to the SAML Identity Provider to obtain User Authorization.  When setting the SAML Authentication globally, and using Anonymous Authentication, Passwordstate is unable to validate and choose an authentication option based on User Account Policies (and that’s part of the trick).

What’s The Alternative?

The alternative involves a number of steps.  You’ll need to disable Anonymous Authentication in IIS, set the global Authentication Option in Passwordstate to SAML (if that is what the majority of your users will be authenticating with), create a User Account Policy (UAP) and assign this to all users you want to be authenticated by your chosen alternative Authentication option (in this case Manual AD Authentication).  This may sound complex so let’s break it down. 

Disable Anonymous Authentication

First, let’s disable Anonymous Authentication in IIS.  In doing this you are passing your domain Username through to IIS, so the UAP can be applied, and then the user fills out the login screen details.

As stated above, the default setup during Passwordstate’s installation is to set IIS to Anonymous Authentication.  To disable this, you’ll need to open IIS on your webserver, select your Passwordstate website and double click Authentication,

Now right click Anonymous Authentication and select Disable.  The result should look like the screen image below.
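The same change made from PowerShell on the web server, with a check before and after, as an added example that is not part of the Click Studios post.  It assumes the Passwordstate website is named `passwordstate` in IIS (use the name shown in IIS Manager; for an application under another site the location is `Site Name/passwordstate`).  The guard that Windows Authentication is already enabled is an addition of this example, not a step from the post: it is the method that passes the domain user name through to Passwordstate, and with Anonymous disabled and nothing else enabled IIS would answer every request with 401 and the login page would never load.

```powershell
# Added example (not from the Click Studios post): disable Anonymous
# Authentication on the Passwordstate IIS site from PowerShell, showing the
# state before and after. Run in an elevated PowerShell on the web server.
Import-Module WebAdministration

$siteName   = 'passwordstate'   # assumption: the site name as shown in IIS Manager
$psPath     = 'MACHINE/WEBROOT/APPHOST'
$anonFilter = '/system.webServer/security/authentication/anonymousAuthentication'
$winFilter  = '/system.webServer/security/authentication/windowsAuthentication'

function Get-PasswordstateAuthState {
    # Reads the 'enabled' attribute of both authentication modules for the site.
    [pscustomobject]@{
        Site                    = $siteName
        AnonymousAuthentication = (Get-WebConfigurationProperty -Filter $anonFilter -Name enabled -PSPath $psPath -Location $siteName).Value
        WindowsAuthentication   = (Get-WebConfigurationProperty -Filter $winFilter  -Name enabled -PSPath $psPath -Location $siteName).Value
    }
}

'Before:'
Get-PasswordstateAuthState | Format-List

# Guard added in this example: with Anonymous off, IIS needs another method
# enabled or every request gets a 401 and nobody can reach the login page.
if (-not (Get-PasswordstateAuthState).WindowsAuthentication) {
    throw "Windows Authentication is not enabled on '$siteName'; enable it before disabling Anonymous Authentication."
}

Set-WebConfigurationProperty -Filter $anonFilter -Name enabled -Value $false -PSPath $psPath -Location $siteName

'After:'
Get-PasswordstateAuthState | Format-List
```

The "After" output should show AnonymousAuthentication as False and WindowsAuthentication as True, matching the Authentication pane in IIS Manager after the manual steps above.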

Now you’re ready to make the required changes in your Passwordstate Instance.

Set Your Global Authentication Option in Passwordstate

Login to your Passwordstate instance and navigate to Administration TAB->System Settings->Authentication Options->Web Authentication Options and select SAML2 Authentication (the global option we’re using for this example) from the Choose Authentication Options drop down list and click Save.

If you need assistance on configuring your SAML2 Authentication settings please refer to our Security Administrators Manual located under Support->Documentation on our Website.

Now Create A User Account Policy For Manual Login Authentication Users

Now we’ll create a User Account Policy for Manual Login Authentication by navigating to Administration->User Account Policies and clicking on Add.  This will take you to the Add User Account Policy screen.  We’ve previously created a policy for this so we’ll edit it instead by clicking on the name Default Manual AD.

Here you can see we’ve selected the A6 Setting ID that controls Authentication Options and selected Manual Login Authentication from the drop down list.

Once this has been saved, you’re ready to apply it to the users that will be using their AD Accounts to authenticate with Passwordstate.

Apply The UAP to the Selected Users

While still on Administration->User Account Policies you’ll need to click on the Action Icon next to the Default Manual AD Policy you’ve created and select Apply Policy to Users.

From here, you need to search for the Users or Groups you want to add to the Policy.  While you can search for, and assign users to the Policy, we’d always recommend making the assignment based on Group Membership.

You now have the majority of your users being authenticated via SAML and a select number of users being authenticated via their AD Accounts.

By using this alternative, you can achieve a similar result to the use case of SAML Authentication set globally with an alternative authentication being used for select users.  The only caveat is this only works for users logging in from Windows based machines.

If you’d like to share your feedback please send it through to support@clickstudios.com.au.

Tagging Data Belonging To Remote Sites

Passwordstate has flexible Privileged Account Management functionality included in the core product.  This means it is available for customers with Client Access Licenses (support for up to 199 users per instance), Enterprise Licenses (unlimited number of users per instance) and Global Licenses (unlimited number of Enterprise Licenses). 

With Privileged Account Management you can perform on-demand or scheduled Password Resets, on-demand or scheduled Heartbeat Validations (check the accuracy of account name and password) in your environments, and discover the account types on your network.  All this is based on networks, their AD infrastructure and devices being accessible to Passwordstate.  This can pose a challenge when you’re dealing with discrete or firewalled networks and remote sites accessible over the internet.

What Are Remote Site Locations?

The Remote Site Locations module is a subscription based offering from Click Studios.  It enables Passwordstate to reach out to those discrete or firewalled networks, and remote sites accessible over the internet, and manage your accounts on those networks.  It does this through the use of an agent, installed on the remote network, which acts as its proxy (authorized to act on behalf of Passwordstate) on that network.

This allows Passwordstate to send each remote agent the tasks that need to be run on the remote network.  The agent runs these tasks and reports the details back to Passwordstate.  All that is required for this to occur is an open port on the firewall of the remote site.  This can be locked down to the IP address of your Passwordstate instance, and the traffic between the remote agent and your Passwordstate instance uses independent In-Transit encryption.

You can obtain more details on how to install the Remote Site agents here https://www.clickstudios.com.au/downloads/version9/Passwordstate_Agent_Manual.pdf.  Once you’ve installed the agents, and are starting to build up a list of the hosts, accounts and passwords used on these remote sites, you’ll want to ensure the information is tagged to each of the Remote Sites.

What Can Be Associated With A Remote Site Location?

There are multiple objects and associated records that can be linked to a Remote Site Location.  This is referred to as “tagging” in our documentation.  The following items can all be tagged with the Remote Site Location name,

  • a Domain,
  • a Privileged Account Credential,
  • a Host record,
  • a Folder (Password and Hosts Tab),
  • a Password List,
  • a Discovery Job (Host and Account),
  • a Scheduled Report (not shown in this blog),
  • a Security Group (not shown in this blog),
  • a User Account (not shown in this blog).

Tagging an Active Directory Domain with a Remote Site Location:  This can be done by navigating to Administration->Active Directory Domains, editing the required entry in your display grid and selecting the proper Site Location from the drop down list.  In the example below we’ve selected the SandDomain Site Location,

Tagging a Privileged Account Credential with a Remote Site Location: This can be done by navigating to Administration->Privileged Account Credentials, editing the required entry in your display grid and selecting the proper Site Location from the drop down list.  In the example below we’ve again selected the SandDomain Site Location,

Tagging a Host Record with a Remote Site Location: This is performed by navigating to Hosts, selecting the appropriate host from the folder hierarchy shown on the left hand side and then clicking on Edit Host Properties on the right hand side.  Again, you can select the correct Site Location from the drop down list,

Tagging a Folder with a Remote Site Location: This is performed by navigating to Passwords or Hosts, selecting the appropriate Folder, right clicking and selecting Edit Properties.  Then you can select the correct Site Location from the drop down list. 

Please be aware that when you tag a Site Location to a Folder,

  • all objects within the Folder will also be tagged with the same Site Location, and
  • you can tag any object that has a Site Location of Internal to another Site Location.  However, once an object carries a named Site Location you cannot tag it with a different Site Location name or back to Internal.

Tagging a Password List with a Remote Site Location:  This happens automatically when you add a Password List to a Folder that has already been tagged with a Remote Site Location Name.

Tagging a Discovery Job with a Remote Site Location:  As an example, this is performed by navigating to Tools->Account Discovery and selecting the Discovery Job you want to tag.  Click on the Job Name to edit the job,

Then select the appropriate Site Location, again SandDomain in our example, from the drop down list,

With all these examples you’ll obviously need to save the settings, where required, by clicking Save on the bottom right of the screen.

It is a straightforward process to tag your objects in Passwordstate and maintain the relationship between the Site Location and the data that applies to that Remote Site.

If you’d like to share your feedback please send it through to support@clickstudios.com.au.

What Is Maintenance Mode?

Have you ever considered if there is an impact associated with performing upgrades to systems?  Or for that matter, how you minimize any potential impact on your internal customers?

Many Operating Systems and Applications use the concept of a “Maintenance Mode”.  This is designed to allow the person performing the change, to perform the actions associated with the change, in a way that doesn’t significantly impact on the users of that system.

So… the next question is does Passwordstate have a “Maintenance Mode” type feature?  Yes, it does.

What is Maintenance Mode?

Located under Administration->Passwordstate Administration->Maintenance and Upgrades you’ll find 3 buttons as shown in the image below, 

  • Enable Maintenance Mode: This button allows you to put your Passwordstate instance in Maintenance Mode
  • Send Outage Notification:  This button is used to send outage notifications
  • Upgrade Information: Is used to obtain upgrade information

The Passwordstate Maintenance Mode feature is designed to place your instance into a restricted login state.  While in this state all new user login requests will be rejected.  Only the user account that has enabled Maintenance Mode can access Passwordstate.  It is highly recommended that you place your instance in Maintenance Mode before performing any upgrades to Passwordstate.

You can also monitor and terminate the sessions of users who are currently logged in.

So… How Do You Enable Maintenance Mode?

This is really simple.  First, navigate to Administration->Passwordstate Administration->Maintenance and Upgrades and click on the Enable Maintenance Mode button,

Specify the number of minutes that you want to wait before terminating any other users that are logged in and click on the Enable Maintenance Mode button as shown below,

In the display grid shown in the green box above, you’ll see all currently logged in users.  Users who are logged into the Passwordstate User Interface will receive a pop-up message advising that their session is about to end and that they should save their work and log off.

Please note, as stated on the screen above, if users’ sessions are not clearing it’s because they have closed their browser without logging out.  You will need to wait, or restart your Passwordstate website in IIS and log back in with the user account used to Enable Maintenance Mode.

How do you exit from Maintenance Mode?

How do you disable Maintenance Mode?  If you’ve enabled it and performed an upgrade, your instance will automatically be taken out of Maintenance Mode, on completion of the upgrade process.

If you need to disable it manually, simply return to Administration->Passwordstate Administration.  The section that was previously shown as Maintenance and Upgrades is now shown in red as Maintenance Mode – Active.  From here you can click on the Disable Maintenance Mode button,

If you’d like to share your feedback please send it through to support@clickstudios.com.au.

OTP Codes And Simplifying Your Life!

Have you ever had the extreme pleasure of using an authenticator app that, for some completely random reason, decides it can no longer access its database?  And to top it off, you think “no problem, I’ll just restore my backup of the app”, only to find that it doesn’t allow backups of its database.

If you’ve ever been in this position you’ll have experienced the absolute “pain in the proverbial” that this causes.  There is nothing more tedious and time consuming than having to run through the process of setting up your One Time Password codes all over again.

Well, there is a better way!

Passwordstate Mobile App

The architecture of the Passwordstate native Mobile Apps is set so that the Master repository of the data is your Passwordstate instance.  The mobile app, on both Android and iOS, contains a synchronized encrypted offline cache of the Password Lists and Password Records that you have been granted access to.

This remains available on the device for up to 30 days without re-authenticating before it is automatically deleted from the device.  Your Passwordstate Security Administrator can globally set the “time to live” for the encrypted cache to 1, 3, 7, 14 or 30 days.  The setting can also be set individually under Administration -> User Accounts -> ”Selected User” -> Mobile Access Options.

Each time you login to the Mobile App it will:

  • try to re-authenticate back to your Passwordstate instance,
  • if successful, reset the “time to live” back to the specified number of days,
  • resynchronize the contents of the offline cache, and
  • transmit the contents of its internal audit database, ensuring all access to offline stored credentials is merged with the Passwordstate Auditing tables in your instance.

The huge advantage here is, if you ever lose or replace your smart device, all you need to do is install the Passwordstate Mobile App on the new device, pair it with your Passwordstate instance, login to the app, and all your OTP codes will be automatically synchronized to the encrypted offline cache (meaning there is no having to rebuild your OTP list from the start – Yay!).

One Time Passwords

So how are the One Time Password records ordered within the App? On the OTP tab, all OTP codes are displayed alphabetically based on Password List name and then all appropriate Password Records within that list.  As stated before, you only have access to the Password Lists and Password Records you’ve been granted access to,

If you look at an individual Password Record, one that is setup for OTP codes, you’ll also see that OTP code shown in the record details,

And within Passwordstate, the same Password Record is shown as below.  Note that the OTP code shown is different as it has automatically rotated,
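To show why the same Password Record displays a different code in the app and in Passwordstate a moment later, here is an added PowerShell example of how a time-based OTP code is derived.  It is not Click Studios’ code and not part of the original post; it assumes the OTP records are standard RFC 6238 TOTP secrets (HMAC-SHA1, 30-second step, 6 digits), and the sample secret is the well-known RFC 6238 test key rather than a real record.

```powershell
# Added example (not Click Studios' code): RFC 6238 TOTP derivation in PowerShell.
# Assumption: the OTP record holds a standard TOTP secret (HMAC-SHA1, 30 s, 6 digits).

function ConvertFrom-Base32 {
    # Decode the Base32 form in which authenticator secrets are usually shown.
    param([Parameter(Mandatory = $true)][string]$Base32)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
    $bits = ''
    foreach ($c in $Base32.ToUpperInvariant().TrimEnd('=').ToCharArray()) {
        $index = $alphabet.IndexOf($c)
        if ($index -lt 0) { throw "Invalid Base32 character '$c'" }
        $bits += [Convert]::ToString($index, 2).PadLeft(5, '0')
    }
    $bytes = New-Object System.Collections.Generic.List[byte]
    for ($i = 0; $i + 8 -le $bits.Length; $i += 8) {
        $bytes.Add([Convert]::ToByte($bits.Substring($i, 8), 2))
    }
    return ,$bytes.ToArray()
}

function Get-TotpCode {
    param(
        [Parameter(Mandatory = $true)][byte[]]$Secret,
        [long]$UnixTime = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds(),
        [int]$Step = 30,
        [int]$Digits = 6
    )
    # The moving factor is the number of whole time steps since the Unix epoch,
    # encoded as an 8-byte big-endian counter (HOTP, RFC 4226, driven by time).
    $counter = [long][math]::Floor($UnixTime / $Step)
    $msg = [BitConverter]::GetBytes($counter)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($msg) }

    $hmac = [System.Security.Cryptography.HMACSHA1]::new($Secret)
    $hash = $hmac.ComputeHash($msg)

    # Dynamic truncation: the low nibble of the last byte selects a 4-byte window,
    # whose top bit is cleared so the result is a positive 31-bit integer.
    $offset = $hash[$hash.Length - 1] -band 0x0F
    $binary = (($hash[$offset] -band 0x7F) -shl 24) -bor
              ([int]$hash[$offset + 1] -shl 16) -bor
              ([int]$hash[$offset + 2] -shl 8) -bor
              [int]$hash[$offset + 3]
    $code = $binary % [int][math]::Pow(10, $Digits)
    return $code.ToString().PadLeft($Digits, '0')
}

# Known-answer check using the RFC 6238 Appendix B test key ("12345678901234567890",
# shown here in its Base32 form). At T = 59 the 8-digit vector is 94287082,
# so the 6-digit code must be its last six digits.
$rfcSecret = ConvertFrom-Base32 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'
if ((Get-TotpCode -Secret $rfcSecret -UnixTime 59) -ne '287082') {
    throw 'TOTP self-check against the RFC 6238 test vector failed'
}

# Rotation: the same secret yields a different code once the 30-second step rolls over,
# which is exactly why the app and the web UI can show different values for one record.
$now     = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
$current = Get-TotpCode -Secret $rfcSecret -UnixTime $now
$next    = Get-TotpCode -Secret $rfcSecret -UnixTime ($now + 30)
Write-Output "Current code $current (valid for $(30 - ($now % 30)) more seconds), next code $next"
```

The practical point for verification is clock accuracy: because the code depends only on the shared secret and the current time step, a device whose clock drifts by more than the validator’s tolerance will show codes that are rejected even though its cached secret is correct.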

Set Your Home Page

You can specify which tab to automatically open within the Mobile App under Settings.  From here you can specify if you want to use your device’s Biometric Unlock capability, the timeout values for App Lock and Clipboard, if you want to use the Autofill Service to form-fill credentials in applications or websites, set the Homepage to either OTP or Password Lists and select the Theme for the appearance of the App,

The Passwordstate Mobile Apps allow you to securely access Password Records and OTP codes.  All data is limited to what you’ve been granted access to, and when you replace the device you can automatically synchronize the data to the new device.  It really is about accessing your OTP Codes and simplifying your life!

If you’d like to share your feedback please send it through to support@clickstudios.com.au.

Password Change Post Processing

Passwordstate includes PAM functionality as part of the core software.  This allows you to perform on-demand or scheduled Password Validations (heartbeats) and Resets across multiple different systems or platforms.  You can also perform on-demand or scheduled Account Discoveries and automatically import accounts into a Password List, with or without first resetting the password for each account.  For a list of supported systems please refer to our webpage here https://www.clickstudios.com.au/about/privileged-account-management.aspx.

In addition to performing Resets on accounts, you can also perform actions after the password has been reset.  What type of activities you can perform is up to you and your ability to write PowerShell scripts.

Example Use Case

As an example, Click Studios maintains a Change Management listing of all Password Resets on Service Accounts.  The way this works in our environment is that once a Password Reset is automatically performed on a Service Account, we run a PowerShell script to send an email to a PC running a program that extracts the details from the email and updates a Change Management register of all resets on Service Accounts.

It’s a rudimentary approach but works well as a sanity check for updates in our QA environment and proof that the post processing functionality is working correctly.  This same script has been replicated in our Demonstration Passwordstate instance for this blog.

Location Of PowerShell Script

In our example use case outlined above, we’ve first created a PowerShell script by navigating to Administration->PowerShell Scripts and clicking on the Password Resets button,

This takes us to the Password Reset Scripts screen.  Here we’ve previously created the script called Update CM_Service_Account_Password_Events,

You can see that the script has been used 4 times by looking at the figure under Usage Counter in the display grid.  By clicking on the name for the script (it’s actually a hyperlink), the editor opens allowing you to create or edit the script,

This PowerShell script creates and sends an email to a specific email address.  What is sent is the details associated with the Password Record that has changed.

To specify that a Password Record uses the PowerShell script post the password being changed, we navigate to the Password List containing the Password Records for our Service Accounts.  In the example use case they are located in the Password List Active Directory Accounts, located under Passwords->Infrastructure.  Then we select the Service Account we want to Add Dependency to, click on the Action icon and choose View Password Reset Dependencies.  You are now on the Password Reset Dependencies screen for the specific Password Record and need to click on Add Dependency,

From here on the Add Dependency screen we select the Post Reset Script Update CM_Service_Account_Password_Events from the drop down list (note the suffix of .PS1 is not shown here),

Now every time the Password is changed on that specific Password Record the Post Reset Script will execute and email the changed details through to our Change Management register.
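As an added illustration of the kind of Post Reset Script described above, here is a PowerShell script that emails a structured reset notification to a register mailbox.  It is not the Update CM_Service_Account_Password_Events script and not Click Studios’ code.  The parameter names ($AccountName, $HostName, $PasswordListName) and the mail addresses are placeholders: the post does not show which values Passwordstate passes to a Post Reset Script, so take the real parameter list from the PowerShell Scripts documentation.  As a deliberate design choice the new password itself is never placed in the email; the register only needs to know which account was reset, where, and when.

```powershell
# Added example (not Click Studios' script): a Post Reset Script that notifies a
# Change Management register by email. Parameter names are placeholders; check the
# Passwordstate PowerShell Scripts documentation for the values actually passed.
param (
    [Parameter(Mandatory = $true)][string]$AccountName,          # placeholder, e.g. svc_backup
    [Parameter(Mandatory = $true)][string]$HostName,             # placeholder, system the account lives on
    [string]$PasswordListName = 'Active Directory Accounts',      # Password List named in the post
    [string]$SmtpServer = 'smtp.example.internal',                # placeholder mail relay
    [string]$From       = 'passwordstate@example.internal',       # placeholder sender
    [string]$To         = 'change-register@example.internal'      # placeholder register mailbox
)

# Build a key=value body so the receiving program can parse fields reliably.
# The new password is deliberately NOT included: email is not a safe channel
# for secrets, and the register only records that a reset happened.
$event = [ordered]@{
    EventType    = 'ServiceAccountPasswordReset'
    AccountName  = $AccountName
    HostName     = $HostName
    PasswordList = $PasswordListName
    ResetTimeUtc = (Get-Date).ToUniversalTime().ToString('o')
    SourceHost   = $env:COMPUTERNAME
}
$body    = ($event.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join "`r`n"
$subject = "Password reset: $AccountName on $HostName"

try {
    # Send-MailMessage is marked obsolete by Microsoft but still ships in Windows
    # PowerShell 5.1; substitute your organisation's mail relay command if needed.
    # -UseSsl keeps the notification encrypted in transit to the relay.
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
        -Subject $subject -Body $body -UseSsl -ErrorAction Stop
    Write-Output "Success: reset notification sent for $AccountName on $HostName"
}
catch {
    # Report the failure so the dependency run records an error rather than silently
    # leaving a gap in the Change Management register.
    Write-Output "Error: unable to send reset notification for ${AccountName}: $($_.Exception.Message)"
}
```

When reviewing a script like this before attaching it as a dependency, check two things: that no secret value ends up in the message body or subject, and that a delivery failure is surfaced in the output rather than swallowed, so a missing register entry can be traced back to the reset that caused it.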

If you’d like to share your feedback please send it through to support@clickstudios.com.au.

Where’s My Password Reset Portal?

Back in June this year we published a blog post that ran through What Passwordstate Options Are Installed And Where?

But guess what… yeah that’s right… the author went and forgot to include the details for where the Password Reset Portal is installed!  So… this mini-blog-post should be read in conjunction with the original here https://blog.clickstudios.com.au/what-passwordstate-options-are-installed-and-where/.

What Is The Password Reset Portal?

The Click Studios Passwordstate Password Reset Portal is a subscription based Self-Service Portal for your users to unlock, or reset the password for their Active Directory Domain account.  It requires Passwordstate to be installed and you must have active Annual Support and Upgrade Protection on your Passwordstate instance.

It uses secure verification policies to identify your users, allows them to unlock or reset their Active Directory password 24/7 and provides tools to assist with diagnosing where lockouts are occurring.  Once you apply your subscription license key you can access the settings under Administration->Password Reset Portal Administration,

Users access the Password Reset Portal by navigating to the designated URL you have supplied.  The appearance of the site can be tailored under Administration->Password Reset Portal Administration->System Settings->branding,

How Do I Find Where It’s Installed?

The URL for your Password Reset Portal is located under Administration->Password Reset Portal Administration->System Settings->miscellaneous as per the image below (note I’ve redacted the URL in the example), 

Now you can locate the IP address for that webserver.  You can do this by looking up the DNS record for that webserver.  I’m on a Windows 11 client, and to do this I can open a Command Prompt with Administrative privileges, and type nslookup followed by the URL minus the https://,

As an example, if your URL for the Password Reset Portal was https://passwordresetportal.mydomain.com then you would type,

nslookup passwordresetportal.mydomain.com

And it will return your IP address for that webserver. And yes, it really is as simple as that. If you’d like to share your feedback please send it through to support@clickstudios.com.au.