Passwordstate and SSL Certificates Explained

A Secure Sockets Layer Certificate, or SSL Certificate is a digital certificate that authenticates a website’s identity and enables an encrypted connection.  It’s a security protocol that creates an encrypted link between a webserver and a web browser.  SSL certificates are used by an organization to ensure secure and private communication between their website and a customer’s or employee’s web browser. 

How do you know if you’re using an SSL connection?  You’ll see a padlock icon next to the URL in the address bar followed by HTTPS (HyperText Transfer Protocol Secure).  Think of it as a means of preventing those nasty little Cyber Criminals from eavesdropping in on your communication, or worse, modifying information that’s being exchanged between the webserver and your web browser.

Those in the know will tell you that TLS (Transport Layer Security) is the current protocol that’s used but the industry still refers to the protocol as SSL (like Hoover is used for vacuum cleaner and Band-Aid for sticky plasters).

Passwordstate uses an SSL Certificate (TLS 1.2) to ensure the communication between your Passwordstate instance and your web browser or native mobile app is secure, encrypted and can’t be eavesdropped.

How do SSL Certificates Work?

SSL Certificates ensure the data transferred between Passwordstate and your web browser is impossible to read. It does this by using encryption to scramble data in transit.  A high-level overview on how the hand-shaking process works looks a little like this;

Any data that is exchanged between the Passwordstate webserver and your web browser is now sent over this encrypted and secure SSL session.

SSL Certificate Best Practices

SSL certificates should only be acquired from a trusted source and should match the URL of your Passwordstate website.  All SSL certificates have an expiry date.  This date can range from one, to many years, and it’s a good idea to track the expiry date so you can renew the certificate before it expires (Hint: you can do this in Passwordstate with the Expiry Date field and What passwords are expiring soon? report).

There are three types of SSL certificates that you can use for your Passwordstate website.  Each of these has its advantages and disadvantages.  There are Self-Signed SSL Certificates, Internal CA (Certificate Authority) SSL Certificates, and Online CA SSL Certificates.  The high-level advantages and disadvantages are shown in the table below;

Certificate TypeAdvantagesDisadvantages
Self-Signed SSL CertificateEasy to create with PowerShell as requiredBrowsers don’t trust them by default
 It’s freeRequires manual effort to for each web browser to trust
  Wild card not available with this type of certificate
Internal CA SSL CertificatesBetter securityRequires a configuration change to your DC
 It’s freeBrowsers will complain when accessing Passwordstate outside of your own network, or from a non domain joined machine
 Browsers will not complain if accessing Passwordstate from a domain joined machine 
 You can use a wildcard certificate to support multiple URLs 
Online CA SSL CertificatesMost secure certificate that all browsers will acceptIs more costly
 Best end user experience for all scenarios 

When to Use Each Type of Certificate

Self-Signed SSL Certificate:

When installing Passwordstate for the first time the default URL chosen by the installer is the name of your server.  While you have the option to change this, the installer process will create a Self-Signed SSL certificate for you that matches this URL.  This SSL certificate is recommended if you’re:

  • A small business and don’t have many users,
  • Don’t intend on accessing Passwordstate outside of your own network,
  • Would prefer not to spend additional money on a certificate,
  • Are okay with installing a certificate for your web browsers as a once off process for each machine.

Certificate Issued from an internal CA:

Internal CA generated SSL Certificates provide for better security and end user experience.  This type of SSL certificate is recommended if you’re:

  • Installing Passwordstate on an Active Directory domain joined server,
  • Already have an internal Certificate Authority setup,
  • Not anticipating the need to access Passwordstate from outside of your own network, or from a non Domain joined machine.

Certificate Issued from an Online CA:

There are multiple Certificate Authorities online that you can purchase your SSL Certificate from.  These certificates come either with a static DNS Name or as a Wildcard certificate.  Click Studios recommends you do your research and purchase from a Certificate Authority that is suitable for you where:

  • You’re are a big or small company, and intend on accessing Passwordstate from anywhere,
  • Want to access Passwordstate from a non domain joined machine,
  • Intend to use the certificate for other Passwordstate features, such as the Browser Based Gateway, the Self Destruct Site and the App Server and these are installed on different web servers,
  • You’re are an MSP, and intend on using the Browser Based Gateway with multiple Remote Sites across the internet.  In this case a wildcard certificate will be required to allow RDP and SSH sessions to remote networks.

Additional Information

Links related to Self-Signed SSL Certificates:

Links related to Internal CA Issued Certificates:

Links related to Online CA Certificates:

We hope this information helps you to understand your options for SSL Certificates and where each of the different types are appropriate.  Have Feedback? We’d love to hear it and you can send it through to

Password Lists Linked to Templates

Passwordstate provides the capability of storing both Shared Password Lists and Private Password Lists.  Shared Password Lists, as implied can be used to share either the entire contents of the list, or just individual Password Records.  Private Password Lists, again as implied, cannot be shared and are private to Owner / Password List Administrator of the list.  This is regardless of whether the Private Password List was created directly by the Owner, or it was created for them as part of the process of adding their account in to Passwordstate.

And just recapping, Passwordstate allows more than just the storing of Passwords.  In fact, the number of different types of Passwords and associated details / meta data is almost limitless.  This provides you with substantial flexibility when it comes to storing information in Passwordstate. 

To get you started Passwordstate provides 15 Password List Templates and a Password List Wizard.  You can also add your own Password List Templates to for specific fields containing data you want to control and audit access to.  You can even link your Password Lists to the Password List Template it’s based on. 

Why Link Password Lists to Templates?

When a Password List is created, you have the option to Link this Password List to the selected Template that it’s based on.  But what advantages does this provide?  Password List Templates are used to apply consistency to settings for your Password Lists.  In large implementations, instead of having to manually modify hundreds or even thousands of Password Lists to incorporate a change, you can instead link them to the Template they’re based on.  When you do this, you manage all settings for all those Password Lists from that Template.

In the example above, the PeopleSoft Password List has been created and linked to the Enabled for Password Resets Template. This means the majority of options for the PeopleSoft Password List will be disabled when you chose to Edit Password List Details as per the image below;

And to be clear, it could be any of the above settings, or fields located under the customize fields tab that need to be changed.  For any Password Lists that are linked to a Template you only need to make the change to that Template.  To do this you’ll need to navigate to Administration->Password List Templates, select the Template and click on its name in the Password List field.

Once you’ve made your changes and clicked Save, the changes are cascaded to all Password Lists that have been linked resulting in enormous savings in time!

Implications on Linking Password Lists to Templates

So you ask, what’s the downside?  You can only make individual changes to a Password Lists that isn’t linked.

To unlink the PeopleSoft Password List, from the Enabled for Password Resets Template in our example, we’ll need to click on the Action icon for that Template and select Linked Password Lists,

From there you’ll be able to select the Password List (PeopleSoft) and click on the << button and then click on Save.

Please be aware, ‘Unlinking’ Password Lists that contain any non-compatible Generic Field Types, will cause those values to be cleared in the database.  The same is true when ‘Linking’ a Password List to a Template.  You’ll be presented with a dialog box presenting you with this warning and requesting confirmation before performing the action.

How do I Find What Password Lists are Linked to Templates?

To identify which Password Lists are linked to which Templates simply look at the Linked Password Lists column in the display grid for Password List Templates.  You can click on the Linked Password Lists column to sort it based on Highest to Lowest or Lowest to Highest.  Then open the Template you’re interested in and it’ll show the names of all the Password Lists linked to that Template.

Have Feedback? We’d love to hear it and you can send it through to

Expert Insights Best-Of Cybersecurity Awards: Click Studios Awarded Again!

Expert Insights is an online publication with editorial and technical teams in the UK and US covering cybersecurity and cloud-based business technologies.

They are the leading cybersecurity resource and review platform, helping users research hundreds of B2B solutions, with editorial buyers’ guides, blog articles, industry analyses, interviews and technical product reviews written by industry experts. 

Over 80,000 business owners, IT admins and users visit Expert Insights each month to make the right cybersecurity decisions with confidence.

Expert Insights Announces Fall Best-Of Cybersecurity Awards: Click Studios Passwordstate Awarded Best-Of Business Password Management!

Expert Insights has announced their fall 2021 Best-Of Cybersecurity Awards. Click Studios, an Agile software development company specialising in the development of the secure Enterprise Password Management solution called Passwordstate, has been awarded Best-Of Business Password Management again!

Expert Insights’ Best-Of Cybersecurity Awards recognize the world’s best cybersecurity companies and products based on research by Expert Insights’ independent technical analysts and editorial team, customer feedback and industry recognition.

Click Studios Passwordstate earned its award thanks its granular admin controls, with policies around when users must reset passwords and how long and complex passwords need to be. This makes Passwordstate a good option for large organizations that need to ensure strong password security across all of their employees efficiently.

Customers continue to praise the reporting and auditing offered by Passwordstate. Admins have access to 49 pre-defined reports, giving teams more visibility over who has had access to which accounts within the organization, and where passwords have been shared.

Passwordstate is accessed via a browser, and mobile app, so employees can access their passwords wherever they need to. Access to Passwordstate and passwords can be configured for multi factor authentication, helping to ensure encrypted passwords are secure.

Click Studios Response

Click Studios General Manager, Customer Engagement and Technology stated “This is great recognition once again, that Click Studios with it’s Enterprise Password Management solution Passwordstate, competes on a feature for feature basis with the industry heavy hitters.  Where we come into our own is the outstanding quality of our Technical Support and we price our solution so that it’s affordable for everyone.  Because it really is important!”.

For more information on Passwordstate, please reach out to

To read the full announcement by Expert Insights please visit

Mobile App Settings

We recently published a blog on Reporting on Mobile Client Usage.  Since then, a number of the Technical Support team members have asked what we’ve published on how to configure the Mobile App.  Looks like there isn’t much outside of the official documentation so we’ve produced this week’s blog.

Control Who Has Access

The native Mobile Apps for iOS and Android Smartphones incorporate Biometrics Support for application access.  They provide an offline mode allowing access to an encrypted cache of credentials the user would normally have access to, all with full auditing of access that is synced back to your Passwordstate instance. 

While the apps are free and available from the Apple App and Google Play Stores you may want to control who has access to that functionality.  This is really no different in principle to the Browser Extensions feature, where you set the permission for the user, or preferably the Security Group, that you want to enable access for.

To set the permission for those users that can access the Mobile App navigate to Administration->Feature Access->mobile and click on the Set Permissions button,

From here, you’ll select the User or Security Group that you want to apply permission for.  In the example below we’re setting the permission for one of our users, Abagail, to be able to access the Mobile Native App feature.  Once you’ve selected all your Security Groups and Users click on the >> button and click Save,

Specify Settings for the App

You can now set the global mobile access options for those users that have been granted access.  To do this navigate to Administration->System Settings->mobile access options.  The first section relates to the Mobile App Settings,

Here you can make settings for;

Brute Force Dictionary Attacks:  Just like protecting your Passwordstate instance, you can specify the maximum number of failed login attempts before the active session for that mobile client is locked out.  In the image above we’ve kept the default at 3.

Enable Mobile Access Permission on Password Lists: You can choose to enable Mobile Access by default when adding permissions to Passwords Lists.

Passwords Masked or Visible:  You can specify if the passwords are masked or visible in the Mobile App.

Password Strength Policy for the Master Password:  Set the Password Strength Policy you want to use when users set their Master Password for the Mobile App authentication.

Cache Life:  Set the number of days the offline cache can live for before the user must re-authenticate.  Re-authentication occurs when entering their email account and Master Password and also when they resync their cache on the device.

The second set of settings relates to the Mobile App URL and Security,

URL for the Passwordstate App Server:  Set the URL for your Passwordstate App Server.

Reset the Pairing Secret for the App Server.

SSL Public Key:  Query and save the Public Key for the SSL Certificate.  This mitigates against Man-in-the-Middle attacks.

Once done save the settings by clicking the Save button.  Please note, if you change the App Server URL or your SSL Certificate you will need to clear then re-query and save the SSL Public Key.

Users Preferences and their Master Password

Lastly each user sets their Master Password for the authentication from the Mobile App to the Passwordstate App Server.  To do this they must navigate to Preferences->mobile access options as per the image below;

Here they will set the Master Password which generates a QR Code.  This QR code needs to be scanned in on the Mobile App that has been installed on that user’s smartphone.  The user can also set their preference for the home page search to be based on a Password List Search or Password Search.

If you’d like to provide feedback, please send it to

Reporting on Mobile Client Usage

The Passwordstate native Mobile Client apps for Android and iOS were introduced in V9 Build 9000.  These replaced the old Mobile Client support providing remote access to managed credentials while away from your normal place of work (desk). 

The native apps are designed to work with the Passwordstate App Server, which brokers the connectivity between the client device and your Passwordstate instance.  It allows for storing password records that a user is authorized to access, locally on the smartphone, within an encrypted cache.  Users have the ability to use the biometric capability of the smartphone when accessing the data within the encrypted cache.  All authentication and access of credentials is audited and synced back automatically with Passwordstate on next connection.

But how do you know when your users are using the offline copy of their passwords.  How do you ensure that they are using them when and where required?

We Have a Report for That!

Passwordstate has over 100 different Audit events, including those relating to usage of the Mobile Apps.  As stated above all access to stored credentials within the encrypted cache, and all synchronizations of credentials between your Passwordstate instance and a Mobile Client, are audited.  These audit records are uploaded automatically each time the Mobile App successfully synchronizes with the App Server. 

This ensures you can report on the activity of your users that have been setup for Mobile Client usage.  To be able to do this Navigate to Administration->Reporting 

And select the Activity Report called Mobile Client Activity,

You can now filter the report based on User Account, Site Location and Duration in terms of the reporting period you select from the drop-down list,

and once you’ve clicked Run Report button the audit records matching the selected filters will be shown within the display grid.   

You can now export the results to Excel for further manipulation as required,

Make the report a Scheduled Report

Don’t forget you can setup the Mobile Client Activity report as a scheduled report and have it emailed through on a regular basis.  Simply navigate to Reports->Scheduled Reports and add a report like in the image below.

If you’d like to provide feedback, please send it to

How to Rotate Your Encryption Keys

Click Studios uses Symmetric Data Encryption within Passwordstate to protect your sensitive data.   It does this using 256bit AES (Advanced Encryption Standard) data encryption to encrypt (cipher) and decrypt (decipher) information. At a high level the process of encryption and decryption looks like this;

AES is the first and only publicly accessible cipher approved by the US National Security Agency (NSA) for protecting top secret information. 256bit AES is practically unbreakable by brute force based on current computing power, making it the strongest encryption standard available.  In short, by using symmetric encryption algorithms, data is converted into a form that cannot be understood by anyone not possessing the secret key to decrypt it.

NIST the National Institute of Standards and Technology, recommends that Symmetric Data Encryption Keys be changed every 2 years, or earlier based on an organization’s risk factors.  Your Passwordstate Encryption Keys shouldn’t be “set and forget”, they should be managed and rotated on a regular basis.

But Before You Start…

Make sure you have a backup of your Passwordstate Database and take a copy of your Web.config file.  The built-in Backup functionality is perfect for taking a backup and you can do this by navigating to Administration->Backups and Upgrades->Backup Now

If you’ve never used the built-in functionality, you’ll need to configure settings first under Administration->Backups and Upgrades->Settings.  Information on how to do this can be found here for both Domain and Workgroup implementations.

Follow the Bouncing Ball…

Now that you’ve taken a backup of your Passwordstate database and have a copy of your Web.config file you’re ready to get started.  And it really is as easy as following the bouncing ball! 

Under Administration->Encryption Keys you’ll find 2 buttons, Export Keys and Key RotationExport Keys allows you to create a password protected Zip file containing your Encryption keys and we’ll cover more on that later.  First, we’re going to focus on Key Rotation.  To get started click on the Key Rotation button,

You’ll now be prompted to ensure you have a backup of your Passwordstate Database and a copy of your Web.config file.  Take the time to read through the information before clicking on the box next to I have read the notification above and understand some action is required of me before and after the key rotation.  If this check box isn’t ticked then you won’t be able to proceed with the Key Rotation.  Once you’re ready, and you’ve ticked the check box, you can click on the Begin Key Rotation button,

As you can see in the image above, The Encryption Key Rotation screen lists all of the tables, the number of records in each table and the Status for each.  To commence the rec-encryption process click on the Re-Encrypt Data button.

The status symbol of a Clock means that table hasn’t been re-encrypted yet.  The status of a Tick means the table has now been re-encrypted and the Flashing Blue Squares identifies the current table being re-encrypted.  A Status message of Please Wait… is shown at the bottom left-hand-side of the display grid listing the tables. 

As the tables are re-encrypted, they will cycle off the first page of the display grid and be replaced by tables awaiting to be re-encrypted.  When there are less tables awaiting to be re-encrypted, than take up the full display grid, you’ll start to see those tables that have been completed (shown by a status of Tick) moving back up the display grid.  Once complete you’ll be taken to the Key Rotation Complete Screen.  Again, take the time to read through the information before clicking the Start Passwordstate button.  This will log you off and you will need to log back into Passwordstate.

Don’t Forget… Take a copy of your New Encryption Keys

Now, cycling back to the Export Keys button.  Once you’ve successfully rotated your encryption keys it’s good practice to take a copy of them.  This can be done by navigating to Administration->Encryption Keys and clicking on the Export Keys button.  You’ll be taken to the Export Encryption Keys screen which tells you that the split secrets that make up your Passwordstate Encryption Keys are exported via a Password Protected ZIP file.  To begin the export process, click on the Export Keys button,

This will pop up the Password Protected Zip File dialog, which will require you to supply a password for the Zip file.  You will also be required to check the box stating that you cannot use the native Windows Compression to extract the contents of the Zip file.  Once that’s done you can click on the Export Keys button to create the Zip file containing the exported encryption keys.

The process of rotating your Passwordstate Encryption Keys is that simple and the effort required to rotate them is minimal.  There really is no reason not to be managing them appropriately.

We’d love to hear your feedback, send it to

Guide to set up Folder Structure and Permissions

You’ve decided that managing your organization’s passwords is essential.  You’ve selected a Password Management System that has the level of security you need, while retaining the flexibility to meet individual stakeholder’s requirements.  You anticipate there’ll be substantial interest and take-up as you roll out the solution.  The only question remains, how do you ensure that the way in which credentials are stored make them easy to locate, ensure they’re accessible to only those that need them, and make management of the solution as straightforward as possible.

Surely the best way to store all the credentials is in one big Password List stored in the root location?  That way you could just assign the permissions on a credential-by-credential basis!  Or maybe you should let everyone create their own Password Lists and store them all together.  If one user needs access to the same credential, they can just enter it in their Password List as well! …..No!  Absolutely Not!  Let’s rethink that approach!

Organizational Structure is Important

An organization’s structure lays out the official functional relationships governing the workflow and day to day operations in the organization. The structure makes it easier to add new positions and provides a flexible method for growth.  Without it, employees find it difficult to know who they officially report to and who has final responsibility over operational elements.  It provides a basis for segregation of duties to ensure appropriate governance.

Organizational structure improves operational efficiency. Departments work better together by focusing their effort on productive tasks without duplication.  The following diagram is a fictional organizational structure for the company An Example and we’ll be using it for this blog.

Using an organization’s structure is a good place to start when organizing your password credentials.  First, we’re going to create folders for all of the Level 1 entities in the diagram below.  These are the top-level functional bodies within this organization.  You’ll note that the CEO folder is grouped at Level 1 also.  There is no value in creating a CEO folder with all other folders nested beneath it so it’s grouped at the same Level as all other top-level folders.  Each of these top-level folders may or may not have additional folders nested beneath depending on the complexity of the organizational unit and the granularity of permissions you wish to set,

Next, we create the nested Level 2 folders for each of the Level 1 folders we’ve created.  The diagram below shows the examples of the two folders that will be nested beneath Operations (Chief Operating Officer), Operational Services and Metallurgical and Chemical laboratories.  Likewise, under Finance (Chief financial officer), we have IT and Legal (Legal matters).

Security Groups and Permissions

Most organizations that use Microsoft’s Active Directory (AD) will have AD Security Groups that closely match their organizational structure.  The group charged with IT Security will likely already have agreed and implemented your AD Security Groups and populated them with the appropriate user accounts aligned with the structure.  That’s the same in this example and it makes assigning permissions to your folders that much easier. 

If you aren’t using Microsoft AD and AD Security Groups you can still create your own Forms based User Accounts and Local Security Groups.  It’ll just mean there’s more initial work to create these and regular maintenance will be required to keep these up to date.

You may from time to time be tempted to use individual users instead of Security Groups to assign permissions.  Whilst this can be done it should always be used as the exception to the rule…the rule being use Security Groups whenever you can!

In the example above we’ve created a Folder under IT called Desktop Support.  We’ve thencreated a Shared Password List called Production Desktops

The permissions for accessing Production Desktops and the Desktop Support Folder is based on the AD Security Group Desktop Support.  Only members of this AD Security Group have been given Admin Access to the Password List.  IT staff not in the Desktop Support AD Security Group have no access.

Permission Model Types

It’s probably worthwhile recapping on the two permission models you can use within Passwordstate, Standard and Advanced

The Standard Permission Model applies the permissions in a bottom-up approach.  When you apply the permissions to the Production Desktops Password List the access is applied to all Folders in that hierarchy i.e. An Example->Finance->IT->Desktop Support.

Using the Advanced Permissions Model applies permission in a top-down approach.  If we were to apply the Desktop Support Security Group at the IT Folder Level it would provide access to IT->Desktop Support-Production Desktops Password List and IT->Legal and any Password Lists or subfolders located under the Legal Folder.  Note the image below is just to show the Advanced Model and doesn’t apply to the Desktop Support example we are using,

Both Permission Models are valid and can be used effectively.  The most appropriate model is the one that best suits the way in which your and/or your Security Administrators prefer to work.

Restrictions that can be Applied

There are a number of restrictions that can be applied to manage the folder structure and where Password Lists are placed.  The first is limiting who has permission to create new Folders in the root of Passwords Home.  This can be found by navigating to Administration->Feature Access->folder options and clicking on the Set Permissions button, 

The second is limiting who has permission to create Password Lists in the root of Passwords Home.  If you’ve gone to the extent of creating an organised folder structure then the last thing you’ll want is for Shared or Private Password Lists to be inadvertently dumped in the root.  This also applies to restricting who is allowed to Drag-N-Drop Password Lists around in the structure you’ve created.  These permissions can be set by navigating to Administration->Feature Access->password list options and againclicking on the Set Permissions button for each of the settings you wish to restrict,

Additional Items for Consideration

As you build your Folder structure and start creating Password Lists there are a couple of other points to consider with links to our blog entries below;

Performance Improvements:

Optimal sizing of your Password Lists:

In Summary

With a bit of thought and alignment you can effectively build a folder hierarchy and manage your Password Lists by using;

  • The Organizational Structure as your basis,
  • Using Security Groups to your advantage,
  • Using the appropriate Permission Model, and
  • Restricting who can apply structural changes

This will ensure your Passwordstate instance accommodates changes and growth while minimizing the on-going management effort.  We’d love to hear your feedback, send it to

Troubleshoot HA Polling Issues

We’ve recently had a few technical support calls querying how to diagnose High Availability issues.  To make things easier, with identifying the health of all Passwordstate Servers, we included the health status under the Authorized Web Servers screen in Passwordstate 9.0 Build 9000.  This uses a traffic light approach of “green is good”, “red needs investigation”.

So, if your HA server shows a status of red what do you do next?

Recap on HA Implementations

To start with let’s recap on Passwordstate’s High Availability offerings.  The following logical diagram shows 2 variations of Passwordstate with High Availability.  The solution, as depicted by the Green Dot 1, is an Active / Passive implementation.  This allows the Passwordstate High Availability instance to be enabled, and will provide read only access to requests in the event of an issue with the Passwordstate Primary Instance.  All access events are audited and synced with the Passwordstate Primary Instance once recovered.

The solution, as depicted by the Blue Dot 2,shows an Active / Active implementation.  This requires a Load Balancer redirecting the End User’s Passwordstate traffic to either the Passwordstate Primary Instance or the Passwordstate Secondary Instance.  This offering allows users to update data in both the Primary and Secondary instances of Passwordstate.  It requires Basic Availability Groups, or Always On Availability Groups to be implemented in Microsoft SQL Server Standard and above.

Your High Availability Server along with your Primary Server will show up on the Authorized Web Servers page.  This page is available at Administration->Authorized Web Servers and details the Polling Health, Last Poll Time, Server Role and HA Mode along with the Install Path.  Our test environment is shown in the screenshot below;  

Note the Host Names must be entered in their NETBIOS name format not FQDN (Fully Qualified Domain Name).

High Availability: Active-Passive Implementation

When running your Passwordstate High Availability model in Active / Passive mode your HA Server will initiate the polling.  It does this through the Passwordstate Windows Service attempting to contact the Primary instance’s API.  When it successfully connects to the API it will complete the poll and your Primary instance will record the Polling Health status as green for your HA Server.

If your Polling Health status isn’t showing as “green is good” you’ll need to investigate the cause.  The first thing you can check is if the API is functional.  To do this try creating a password using the password generator icon in the top right-hand side of your Passwordstate User Interface;

When clicking on the password generator a password should be generated in the dialog box as shown above.  If this works successfully then the API is functioning correctly.

You can also check if the connection to your API is functioning correctly by opening a web browser and typing in the URL for your Passwordstate instance with the following appended to the URL /api/highavailability/primarypoll/polltest.  If the connection is successful, you’ll see the following result;

If the connection fails, in this example because the Application Pool wasn’t running, you’ll see an error message like;

It does this via a GET request to the specified Uri (URL) as an asynchronous operation.  For more information on the GET request please see .

Connection issues are always caused by issues with an incorrectly configured Load Balancer, Reverse Proxy or Firewall issues between the two Passwordstate instances.  You can also check the Authorized Webserver Host Names are the Netbios names and not the FQDN.

High Availability: Active-Active Implementation

When running your Passwordstate High Availability model in Active / Active mode your High Availability Server (secondary instance) writes its Polling Health status directly into the Passwordstate Database.  As with Active / Passive implementations this will then show the Polling Health status as green for your HA Server. 

Again, the biggest issue we find with a Passwordstate instance not correctly participating in an Active / Active HA implementation is incorrectly configured Firewalls or your Passwordstate Windows Service isn’t started. Again, check the Authorized Webserver Host Names are the Netbios names and not the FQDN.

Knowing where to look when you experience HA Polling Issues is straightforward.  Unfortunately Click Studios can’t tell you how to resolve your Load Balancer, Reverse Proxy or Firewall issues as the number of suppliers for these is huge and growing. You will need to log a call with the vendor responsible for the equipment if you are unable to identify and resolve the issue.

Got feedback?  We’d love to hear it!  Send it through to

Where Can You Upload Documents in Passwordstate?

One of the key remits, or areas for active consideration for our development team, is the flexibility of use of Passwordstate. Since its first release, way back in August 2004, our developers have continually looked at how they can add flexibility and value to the core concept of secure password management.

Back in August 2020 we published a blog entry that gave suggestions on what else can be recorded in Passwordstate.  From Credit Card details, to Software Licenses and SSL Certificates.  If you haven’t read that blog entry the link is here

But what if you need to add documents, such as Operating Procedures, Process Documentation, Contract details etc.  Where can you add those, so that the documentation is located logically right alongside the information or credentials, that you’ve chosen to protect with Passwordstate?

Password Lists and Records

The first areas that documents can be added to is both at the Password List and Password Record levels. 

We have customers that add policy or ownership documentation to each Shared Password List, outlining who the business or IT owner is for the Password List, the functional roles allowed access to the list and who to contact when requesting changes be made.  Don’t forget, the Password List may not hold traditional Password Records.  As an example, it may function as a “light” contract management database, holding all software contracts for a particular business unit.  

Likewise, we have customers that add documents to individual Password Records, this can be a process or guideline document that states what a particular credential can be used for.  Alternatively, using the “light” contracts management database angle above, it may hold the contract details such as period of coverage, service level agreements and contact numbers for a single contract.

To add a document to a Password List simply click on the Password List then Documents then Add Document;

and when adding documents to a Password Record, click on the action icon next to the record, select View Documents and Add Document;

In both examples you’re then prompted with the Add New Document dialog.  Just fill in the File Name and Description and the use the Select button to open File Explorer, select the file you want to add and click Open, and the Save;

Your document is now added against either the Password List or Password Record depending on where you’ve decided to upload it. 


The next area you can add documents to is Hosts.  This is especially useful for Process and Work Instructions that are specific for certain servers. 

For instance, you may have an application server with temperamental services that requires special attention every time a Microsoft update is applied (we’ve all experienced this haven’t we).  While it would be nice for those application vendors to improve the resiliency of their software it sometimes takes them years.  In the mean time you could add a document reminding your System Admins to restart the badly behaving service or restart a series of them in a particular order.

To add a document to a Host, simply select the Host in question and click on the Add Document as per the screen shot below;

This will bring up the same Add Document dialog previously shown.  Again, simply fill in the File Name and Description and the use the Select button to open File Explorer, select the file you want to add and click Open and then Save.

What Do Lots of Password Lists and Hosts Need?

If you read the heading above then you’ll know where this is headed – that’s right, Folders. If you’ve got lots and lots of Password Lists or Hosts then you really should be making your life easier by organising them.  This is where Folders are essential, they allow you to logically organise Password Lists and Hosts into meaningful collections.

And you’ll have guessed what you can do with Folders as well.  That’s right, you can add documents to Folders.  But why would you want to do this?  Let’s use the example that you’ve got your High Availability systems distributed across geographically dispersed Data Centres.  When it comes to patching you may have procedures to only patch certain servers in each data centre on specific days.  This can be summarized in a document at the Folder Level.  Or you may have a process instruction that states system reboots for particular systems requires coordination with a key business stakeholder.

Again, the process is the same for adding the documents as it is with Hosts, Password Lists and Password Records.

How Do You Restrict This?

Firstly, only those users that have been granted access to those specific Password Lists, Password Records, Hosts and Folders have access to add Documents to those objects.  Secondly you can enable or disable documents being uploaded, limit the size of the documents being uploaded and restrict uploaded documents to specific extensions by navigating to Administration->System Settings->miscellaneous as per the screenshot below;

Note: you can also link off to external systems containing documentation by using the External Links feature on Folders and Hosts.  This may be a useful method of linking to documentation stored with SharePoint or a Wiki based system;

Adding documents to Passwordstate can be extremely beneficial, you really just need to think how can I make this work for me.  As always, if you’ve got any feedback you’d like to share please send it to

Self Destruct Messaging Implementations

Passwordstate includes a Self Destruct Messaging portal as part of the core software.  Self Destruct Messaging typically allows you to send emails or messages within an application, containing content considered to be highly confidential, to be viewed for a specified period of time.

In the case of Passwordstate’s Self Destruct Messages, the content that you share is stored only within the Self Destruct Messaging portal.  Access to be able to send Self Destruct Messages relating to a Password Record is permissions based and you can control both the ‘Time to Live’ and number of times the data or Password Record can be viewed.

How are Self Destruct Messages Sent

In this example we’ll use a scenario where we want to temporarily share a password record with a contractor that doesn’t normally have access to Passwordstate.  The Self Destruct Messaging portal we are using is the embedded implementation, meaning it is automatically included as part of your Passwordstate website and can be access by appending /selfdestruct to your Passwordstate URL.  The version of Passwordstate used in this example is V9 Build 9300.

To share the Password Record with the contractor we simply, click on the Action Menu next to the record and select Send Self Destruct Message;

This brings up the Self Destruct Message Screen where we can compose our message.  We specify the period of time the message is alive for and the number of times it can be viewed.  Both these fields are drop down lists where you can select from predefined options.  Once complete click Next;

Next, we enter the contractor’s email address, change the subject line as appropriate and click Next,

In this case we’re using Passphrase Protection, so we’ll need to set the Passphrase and advise the contractor what that is (in a separate email) and then click Send Message,

The contractor now receives the following email,

To access the details of the Password Record, the contractor will need to click on the URL, noting the ‘Time to Live’ for the Self Destruct Message is 30 min from the email being sent.  This will bring up the Self Destruct Message portal screen requiring authentication using the Passphrase separately emailed to them and then clicking Next,

The Self Destruct Message is then displayed (I’ve redacted the details in the image below),

The person that sent the Self Destruct Message will receive an email confirming when the message has been viewed by the recipient.

Self Destruct Messaging Implementations

The example used above is based on the embedded implementation, which is part of your existing Passwordstate instance.  The Self Destruct Messages under this model can only be used where you can also access your Passwordstate website.  This means that if your Passwordstate instance isn’t internet facing then you’ll also not be able to share Self Destruct Messages over the internet.

You can however implement the Self Destruct Message portal a couple of other ways.

  • The first, using a Push\Pull implementation.  This works by sending messages from your core Passwordstate website to a Microsoft SQLite database.  When the customer accesses the Self Destruct website, it reads the Self Destruct Message directly from that SQLite database and the message is deleted when they are finished with it.  This implementation doesn’t require any open ports to your Passwordstate website, or your Passwordstate database and requires no management of the SQLite database.  It enables the hosting of your Self Destruct Messaging website in a DMZ.  To configure this option, you’ll need to specify the URL for the site and generate an Encryption Key.  Instructions are located under the Administration Tab->System Settings->self destruct messages->Push\Pull Deployment Self Destruct Install Guide button.
  • The Second, is via your AppServer hosted within your DMZ.  This implementation requires you to connect to the AppServer to read the Self Destruct Messages.  This method doesn’t use the SQLite DB. Instead, it uses connectivity back to the Passwordstate database, hosted on your internal network. A port, typically the SQL port 1433 needs to be open.  If you are already using the AppServer as internet facing, in order to sync with your Mobile Apps on Smartphones, it makes sense to use this.  However, you should perform an internal risk assessment to ensure the solution meets your requirements.

There are multiple implementations available for the Self Destruct Messaging Portal and you are encouraged to select the model that best suits your organizational requirements. 

As always, if you’ve got any feedback you’d like to share please send it to