Linking Multiple Websites to One Password Credential

Our Technical Support Team recently assisted a customer with an issue related to form-filling credentials for a website where the website redirects to a secondary page.  This can happen when the primary URL for the website redirects the user to another URL for part of the login process. 

Example: Microsoft Advertising

The example we’re using for this is Microsoft’s Advertising login.  The primary URL we’re using takes us to the username webpage of https://ads.microsoft.com/and automatically form-fills the email address as our username;

However, the password webpage is located at https://login.live.com/ and because of this the Browser Extension doesn’t correctly form-fill the password;

Linking Multiple Website URLs

To fix this we need to add in the additional URL for the credentials in Passwordstate.  To do this, login to Passwordstate, select the Password Record and using the Action icon select Link Account to Multiple Web Site URLs;

From there you’ll need to add in the additional URL, in this case https://ads.microsoft.com/ as the URL above is https://login.live.com/ ;

Once this is saved, you’ll either need to logout and then back into you Browser Extension, or alternatively wait at least a minute before retrying.  Once you’ve done that credentials in our example now correctly form-fill on both screens.  The Enter Password Screen is shown now form-filling below;

As always, if you’ve got any feedback you’d like to share please send it to support@clickstudios.com.au.

Dipping the Big Toe in the Water – Trialling Scheduled Password Resets

We were having this discussion the other day about “dipping your toe into the water” and one of the new hires in our Technical Support Team had never heard the saying before.  So… the hunt was on during lunch to find the history of the saying.  According to idiomorigins.org it’s a metaphor that means “to try something new or start a new project cautiously without over-commitment or too much risk.  It dates from the late 20th century and derives from the obvious allusion of dipping a toe into water to test the temperature”.

Or another way to look at it, is to “start doing something slowly and carefully, because you’re not sure whether it will be successful or whether you will like it”.  That sounds like a great angle for trialling scheduled password resets in your organization.

What are Scheduled Password Resets

Scheduled Passwords Resets are part of the Privileged Account Management (PAM) functionality provided in the core Passwordstate product.  It enables customers to perform on-demand or scheduled password resets across multiple different systems and platforms. It uses a flexible and extensible design, through the use of PowerShell scripts, to allow password resets across your IT Infrastructure and Business Systems.

But why is this so desirable?  As an example, let’s work on the basis that you’ve got a couple of hundred PCs in your business.  Each of these has a Local Account.  As part of a best practice approach, the credentials for each of these Local Accounts should be unique and reset periodically, in accordance with your organization’s password management policy. 

That’s a lot of effort when you have to manually logon to each PC, reset the password and record the details in your password management system.  Passwordstate allows you to record the accounts for all these hosts, perform an initial reset on the account to allow it to be managed and then schedule regular password resets for the Local Account.

What you need before you get started

The only real prerequisites for performing automated password resets on local accounts, is to enable PowerShell Remoting and have a Shared Password List that has been setup with the Enable Password Resets setting selected.

PowerShell Remoting is enabled by default for Windows Server 2016 and above but not for Windows 10 Clients.  You can enable it via group policy as per the following article by TechRepublic (as an example) https://www.techrepublic.com/article/how-to-enable-powershell-remoting-via-group-policy/

To enable PowerShell remoting on some test machines, login to each of them and start PowerShell, choosing to Run as administrator, and execute enable-psremoting -force as per the screenshot below;

Next, you’ll need import the required PCs or Servers into Passwordstate.  To do this you’ll need to setup a Host Discovery job to scan Active Directory and import the hosts on into Passwordstate automatically.  The example below shows a Host Discovery job for Windows 10, 8 and 7.  To setup a Host Discovery Job navigate to Hosts->Host Discovery Jobs->Add Discovery Job and Add a new Discovery Job like the screenshot below;

Note you’ll need to have a Privileged Account Credential which should be a member of the Domain Users Security Group so it can read Active Directory for the information relating to the hosts you are discovering.  We have a comprehensive video, showing how to set up a Host Discovery job, available from our YouTube Channel here https://www.youtube.com/watch?v=UifVi2rH8x0

Discover your Local Accounts

Now that you’ve discovered all of the target PCs, Passwordstate can begin scanning them for you and adding in any Local Accounts, as individual Password Records into a specific Password List.  This can also set them up for automatic resets when it adds the account into Passwordstate if you choose, or you can do this at a later date. 

In our example we’ll setup a Windows Local Admin Accounts discovery job by navigating to Tools->Account Discovery and Add a new Discovery Job by clicking on the Select Discovery Job Type to Add… and select Windows Local Admin Accounts as per the screenshot below;

The discovery job in the example above is creating Password Records for all Local Accounts in the shared Password List Workstation Accounts.  However, the discovery job is set for Enabled for Heartbeats only at this stage as per the screenshot below;

There is also a video on how to setup your Account Discoveries here https://www.youtube.com/watch?v=YKH0ev6MrI8&t=313s

Note, with all discovery jobs, you can choose to run them in Simulation Mode, which performs the scan and reports back what it finds via email without adding any of the results into your Passwordstate instance.  That’s how the 2 jobs in the examples for this blog have been setup.  It’s a great way of initially building confidence in the process before making changes to production machines.

Setup a Trial Password Reset Job

Now you’re ready to dip that proverbial big toe in the water.  To do this you’ll run your Host Discovery job as normal, not in simulation mode, to import all the hosts that you’re interrogating for Local Accounts. 

Next you need to run the Windows Local Admin Accounts discovery job. Again, not in simulation mode and making sure you haven’t selected the Enabled for Resets tick box.  This will discover all the Windows Local Accounts against the target hosts you’ve imported and add them into the specified Password List, in this example Workstation Accounts.

At this stage no passwords are reset, as Enabled for Resets hasn’t been ticked.  Now simply edit the Password Records, for a select number of hosts, and tick the Enabled for Resets box and save the record.  Passwordstate will now reach out to those hosts and reset the password with the newly generated password recorded in Passwordstate.

You can now logon using the Local Account on each of those hosts, using the password that’s recorded in Passwordstate, to confirm the process has worked as expected.  Once you are comfortable that the process worked as expected you can perform the Bulk Update Password Reset Options from the List Administrator Actions dialog beneath the Password Record Display Grid.  You can now search for the password records to update, choose the fields to update tab, select the Managed Account, tick the box to Enable Password Resets Option for all these accounts and select Save.

Additional Information

Documentation on both the Host Discovery and Account Discovery jobs can be located in your Passwordstate instance here;

Help->User Manual->Hosts->Hosts Home Screen->View Host Discovery Jobs, and,

Help->User Manual->Passwords->Tools Menu->Accounts Discovery

As always, if you’ve got any feedback you’d like to share please send it to support@clickstudios.com.au.

Configuring the Brute Force IP Lockout Feature

Brute Force Attacks use a process of trial-and-error to guess the right credentials.  The attack works by using repeated sequential attempts to try and guess your username and password combination and force their way into your private accounts.  While considered an old attack method it’s still effective and popular with Cyber Criminals as it can result in relatively quick results depending on the length and complexity of your passwords.

Brute Force Attacks come in many unsavoury flavours and include;

Simple Brute Force Attacks: Where the attempt is to logically guess your credentials without the use of software tools or other means.

Dictionary Attacks: Where targeted accounts are subjected to repeated attempts of gaining access based on dictionaries containing known passwords.  Dictionary attacks are considered one of the most basic tools used in brute force attacks.

Reverse Brute Force Attacks: This style of attack starts with a password and then millions of usernames are searched through until a match is found. The starting point is usually by referencing leaked passwords available as a result of data breaches.

Credential Stuffing:  Is where Username and Password combinations that have worked for one website are retried against other websites the targeted individual may use.

Does Passwordstate Protect Against Brute Force Attacks

Yes, Passwordstate has a number of options for Blocking Brute Force Attacks to your Passwordstate webserver.  The first is located under Administration->System Settings->authentication options->Web Authentication Options.  Here you can specify the number of permitted failed login attempts before Passwordstate locks out the IP Address for the active session as per the screenshot below;  

You can also delay the returned error message by the specified number of seconds.  This makes it harder for Cyber Criminals to identify if the account actually exists (so they can harvest valid account details), or if the password supplied is simply incorrect.

The next option is to configure X-Forwarded-For support.  X-Forwarded-For is a standard header for identifying the originating IP address of a client connecting to a web server through a Firewall, HTTP proxy or load balancer.  When configured, in Passwordstate and your upstream devices, it enables you to lock-out the IP address of the computer the user is logged into and not the upstream device such as the Firewall.  Note your upstream device also needs to be configured for X-Forwarded-For support.

To tell Passwordstate you have configured your device for X-Forwarded-For support, navigate to Administration->System Settings->proxy & syslog servers-> X-Forwarded-For Support and enter the IP Addresses of trusted devices as per the screenshot below;

Note as of Passwordstate V9 Build 9117, we have added in an additional feature that takes the username into consideration when locking out an IP Address.  In these examples, it means that 3 unsuccessful login attempts, from the same user/IP address will lock their IP Address out if they were accessing your site from behind a device that isn’t configured for X-Forwarded-For Support.

Some users have been incorrectly Locked Out

This can happen if you set too aggressive a target for failed logins.  It’s a fine balancing act between not penalizing users when they incorrectly enter their details and preventing Brute Force attacks.  Every organization should consider the risk and impact and set the number of failed logins accordingly.

However, if a user’s IP address has been incorrectly blocked you can remove the blocked IP address by navigating to Administration->Brute Force Blocked IPs and select the Action icon next to the incorrectly blocked IP and click on Remove Blocked IP Address as per the screenshot below;

Make Brute Force Attacks Harder

Even though you can apply the settings outlined above there are still some prudent steps you can take to make it harder for a Brute Force Attacks. 

The first of these is to always use strong passwords.  Remember dictionary attacks using a list of common passwords, or a hybrid brute force attack that performs small changes to words by adding numbers or changing the letter case, are likely to succeed in some cases.  You need strong passwords to make their life harder.  Secondly, use 2FA where it makes sense.  Two-factor authentication can prevent Cyber Criminals from gaining access to your accounts.  It makes it nearly impossible for them to gain access to an account via a Brute Force Attack.

Have feedback, then we’d love to hear it via support@clickstudios.com.au.

Base Passwordstate Installation in Azure and AWS

­­­­­­Passwordstate is marketed as an on-premise web based solution for Enterprise Password Management.  However, “on-premise” doesn’t really mean it has to be based out of a physical bricks and mortar location.  On premise really means from a “location” where you’re in control of network access to the product, can configure the physical or virtual resources that service the product, and are responsible for granting permissions to known individuals and groups to be able to access the data stored within Passwordstate.

Based on this you can, if you choose to, host Passwordstate within a Cloud Service where that Cloud Service provides an extension to your own network, account directory and credentials.  Click Studios has tested and supports hosting of Passwordstate within both Azure and AWS.

The installation for Passwordstate is pretty much the same regardless of where you install it.  The majority of the changes relate to the configuration of the cloud platform.  This Blog will show you the key setup areas required to host Passwordstate on these platforms.

Hosting Passwordstate on Microsoft Azure

The specifics of your Passwordstate server will be dependent on your workload and the number of Users and Credentials stored within Passwordstate.  The System Requirements can be located here https://www.clickstudios.com.au/passwordstate-system-requirements.aspx and apply to both on-premise and virtual implementations.  As an indication our own Azure based instance has the following characteristics.

You have a number of options when it comes to SQL Server for your Azure hosted Passwordstate instance.  If you’ve simply provisioned an Azure Windows Server, and want to host your web and database server on the same machine, you can follow the standard installation instructions, located on the Documentation page on our website here https://www.clickstudios.com.au/downloads/version9/Installation_Instructions.pdf.  Alternatively, you may want to take advantage of the other services available within Azure such as the Azure SQL.  Azure SQL is Microsoft’s fully managed cloud relational database service that shares the same code base as their traditional SQL Server offerings.

One key point with setting up Passwordstate in Azure is that our installer is unable to create the blank database, used during setup of Passwordstate, if you have elected to use Azure SQL.  You are also unable to use the SQL Management Studio Tools as per our installation instructions.  Instead, you’ll need to login to Azure and create the blank database in Azure SQL by navigating to SQL Databases:

Now create a new database by clicking on Create and then Create SQL database,

This will take you to the Create SQL Database.  Set the Database name to passwordstate and choose an existing Azure SQL Server to host this database.  If you do not have an existing SQL Server in Azure you’ll need to create one and assign a Server Admin.  Take note of the Server Admin details as you’ll need these credentials to connect with SQL Management Studio Tools in one of the following steps.

Next, you’ll need to create a local SQL account called Passwordstate_user.  To do this right Click Master Database and select New Query.  Then copy and paste the following into the window and click Execute:

CREATE LOGIN passwordstate_user WITH password='<choose a password>’

GO

Now, you’ll need to assign db_owner rights for the passwordstate_user account to the Passwordstate database you’ve previously created.  To do this right click on the Passwordstate database, select New Query and run the following;

CREATE USER passwordstate_user FOR LOGIN passwordstate_user WITH DEFAULT_SCHEMA=[dbo]

GO

EXEC sp_addrolemember ‘db_owner’, ‘passwordstate_user’;

GO

Now when you install Passwordstate, for the Database Setting make sure to select the second tab connect to blank database and choose Microsoft Azure, entering your Azure SQL Database Server Name, SQL Server Instance Name, Database Name, and the passwordstate_user account and password you created.  Passwordstate will then proceed to populate the created database and the install will then finish as normal.

Hosting Passwordstate on AWS

When it comes to the database requirements for Passwordstate hosted in AWS you can select the database engine to be SQL Server Express, SE (Standard Edition) or EE (Enterprise Edition) depending on your requirements.  You’ll need to create a Database Instance in AWS  when logged in to the AWS console, and select Services and click on RDS as per the image below;

This allows you to create the RDS based on your choice of either SQL Server Express, SE or EE.  Click on Get Started Now, and then select the Database Engine that best suits your requirements.  In the example below I’ve selected the SQLExpress 2019 version;

Next, create a DB instance identifier name of anything you like.  In the example we’ve called it passwordstate.  Then create a Master username that you will use to administer this instance.  By default, the username is admin.  Take note of the password you are setting for this account:

Next on the Connectivity screen ensure you select ‘Yes’ for Public Access – This will allow you to connect to your RDS database instance from anywhere,

You should now be able to create your database.  Once it’s created, you can now connect to it using SQL Management Studio Tools.  This official Amazon guide shows how to find your connection details, and establish a connection: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ConnectToMicrosoftSQLServerInstance.html

Once you are connected, you will be able to use the SMSS tools to create the empty database, and a SQL account used to connection between the Passwordstate website and the AWS RDS database.  To do this right click on Databases and select New Database,

Call the database “passwordstate” and click OK,

Next, expand Security, right click on Logins and select New Login,

Select the account type as SQL Server authentication, and set the Login name to be passwordstate_user.  Now choose a strong password and click OK,

Now select the User Mapping menu, and assign the db_owner rights to the passwordstate database.  Click OK to save this,

Now when you install Passwordstate, for the Database Setting make sure to select the second tab connect to blank database and choose Amazon RDS, entering your Amazon instance in the Database Server Name field, Database Name, and the passwordstate_user account and password you created. 

Passwordstate will then proceed to populate the created database and the install will then finish as normal.

Migrating Existing Passwordstate Instances to the Cloud

The above details can also be used when migrating from an on-premise instance to the cloud.  Just remember to follow the documentation, located under Passwordstate General Administration here https://www.clickstudios.com.au/documentation/, the documents you want are Moving Passwordstate To A New Database Server and Moving Passwordstate To A New Web Server and theinstructions need to be performed in that order.  Finally, please remember to migrate them before decommissioning your existing instance.

Have feedback, then we’d love to hear it via support@clickstudios.com.au.

Performance Improvements – How to Troubleshoot and Resolve Issues

From time to time we receive support requests from customers having performance issues with Passwordstate.  In a significant number of cases the issues contributing to, or even the direct cause of the performance issues, are related to configuration or environmental considerations within a customer’s network.

To begin with, let’s recap on a set of very simplified installations.  The following image outlines 2 different Passwordstate installations that are typically encountered by our Technical Support Team;

The top of the image above shows a simple Passwordstate instance, with the webserver and database installed on the same Windows Server.  This could be either a physical or virtual server.  In this example the customers client PCs are connected via Wi-Fi to a simple Switch with in-built Wi-Fi.   

The bottom of the image shows a larger setup, with a dedicated Passwordstate webserver, deployed in High Availability mode and stack of virtual servers.  In this example the webserver and database servers are installed on separate Windows Servers and all members in the example are connected over a traditional ethernet network.  The Passwordstate webservers site behind a load balancer. 

In all instances, when a user has been authenticated and navigates to a screen in Passwordstate, their web browser is rendered based on the HTML for the screen they are accessing on the webserver, validated by the permissions they have been assigned as recorded in the SQL database, and the results of the SQL query for the data they are requesting.  This by necessity requires multiple interactions (queries and responses) between the webserver and SQL database before the results are rendered in the user’s web browser.    

Common Performance Issue Symptoms

Using the 2 typical implementations above, we are on occasion advised that users are experiencing performance issues.  These can typically be broken down into the following types of performance issues;

  • Overall responsiveness in Passwordstate
  • Slowness in navigating through Folders and Password Lists
  • Passwordstate sessions abruptly terminated
  • Features not working correctly or at all

There is some duplication between the underlying causes for the above and a number of these can, when aggregated, result in a significant impact to performance of your Passwordstate implementation.     

Examples of Approach to Issue Identification and Resolution

The following are examples of approaches toward identifying the underlying cause of the performance issues and resolving these. 

Overall Responsiveness:  The overall responsiveness in Passwordstate can depend on a number of factors.  This includes;

  • network connectivity between the client PC, Passwordstate webserver and SQL database
  • it can be affected by the number of Folders and Password Lists on the Passwords Tab and Folders and Nodes on the Hosts Tab
  • misconfiguration of any Load Balancers and Reverse Proxies
  • excessive number of entries in the auditing table

To test and resolve these, it’s recommended to;

  • confirm the issue with responsiveness is widespread or confined to only some users
  • verify there are no inherent network connectivity issues between the clients PC, the Passwordstate webserver and SQL database
  • test local authentication as opposed to Cloud based SAML authentication
  • develop and test a User Account Policy that applies Load on Demand and Node Capping
  • review and remove unnecessary Folders and empty Password Lists
  • reduce the size of your auditing table to less than 500,000 entries by archiving
  • bypass the Load Balancers and/or Reverse Proxies.  If this resolves the issue please liaise with the vendor supporting these

Slow Navigation with Passwordstate:  This is usually affected by the number of Folders and Password Lists on the Passwords Tab and Folders and Nodes on the Hosts Tab.  As an example, on the Passwords Tab you have a folder hierarchy with 1000 Folders and underneath each of these a number of Password Lists.  By default, when you navigate to the Passwords Tab the underlying query will validate your access to view and then retrieve the details of the 1000 folders, along with the Password Lists contained within these folders.  This produces a substantial amount of data that will then need to be rendered within your web browser.  It can also be affected by;

  • setting the password records display grid to a very large number of records
  • poorly behaved Anti-Virus software

To test and resolve these, it’s recommended to;

  • again, confirm if the issue is widespread or confined to some users
  • set your Password Records display grid to no more than 10 records
  • use the Search capability to locate the Password Record rather than browsing through Folders, Password Lists and long display grids
  • use a User Account Policy that applies Load on Demand and Node Capping
  • review and remove unnecessary Folders and empty Password Lists
  • test if your Anti-Virus software is the cause by temporarily setting exclusions on the Passwordstate folder structure on your webserver.  You can also temporarily disable the AV software to test this.  Please note if this resolves the issue you should enable your AV software and remove any exclusions before contacting the vendor for a permanent fix.

Passwordstate sessions abruptly terminated:  This is usually caused by either badly behaved Anti-Virus software or Windows Patching having installed patches that require a subsequent reboot.  Windows patching has in some cases caused Passwordstate sessions to intermittently fail.    Some Anti-Virus Software products are known to kill sessions in IIS with the following types of error being reported in Passwordstate Error Console screen;

  • It appears the user’s session in IIS has been prematurely ended, causing the following error
  • Object variable or With block variable not set
  • Error Code = Incorrect syntax near the keyword ‘DEFAULT’
  • Error Code = Thread was being aborted
  • ApplyScreenCustomisations
  • There was an issue validating both the AuthToken session variable and cookie
  • The parameterized query
  • Specified argument was out of the range of valid values in conjunction with ApplyScreenCustomisations()

Some Reverse Proxies and Load Balancers can also cause these errors.  In order to rule these out please bypass them and monitor the Error Console.

Features not working correctly:  The single biggest cause of Passwordstate features, such as Self-Destruct Messages, Password Reset Portal, API issues, SAML Authentication and HA polling not working correctly is misconfigured Load Balancers and Reverse Proxies.  To determine if these are negatively impacting on the functioning of Passwordstate please bypass them and retest.

By working through some basic troubleshooting steps you can usually find what is causing the underlying performance issues with your instance.  If you are still experiencing issues after having worked through the above, or there are other errors being reported in the Error Console then please send these through to support@clickstudios.com.au for assistance.

Once again if you have feedback, we’d love to hear it via support@clickstudios.com.au.

Mitigating The Need for Internet Access

Mobile Client support, introduced back in Passwordstate 6.2 (2013), enabled access to your password credentials from iOS, Android, Windows Phones and Blackberry devices.  Its primary focus was providing remote access to managed credentials while away from your normal place of work, be it your day-to-day PC or LAN, or while out of the physical office. 

The architecture required a Mobile Gateway, installed on either your main Passwordstate webserver, or optionally, on a separate webserver hosted in your DMZ (Demilitarized Zone) talking back to your main Passwordstate instance. Once configured within Passwordstate, all that was required was a supported mobile device, capable of HTML5 rendering via its web browser.  Users would effectively login to Passwordstate, via the Mobile Gateway using their UserName and the preconfigured PIN. 

Under this architecture a user would access credentials live against their Passwordstate instance.  The implications being that network coverage using either, a WiFi connection for access inside your network, or cellular connection for access outside of your network, was required.  If there wasn’t an active network connection, you couldn’t talk to the Passwordstate instance, and you couldn’t access your credentials.    

Replacement under Version 9

The approach to mobile device access under V9 has been completely redesigned and the original Mobile Client support, as it existed under Version 6.0 through 8.9, has been deprecated. 

The new architecture requires the installation of a Passwordstate App Server.  This replaces the previous Mobile Gateway and is an extensible platform for future requirements.  Under the new architecture the App Server brokers the connectivity between the client device and the Passwordstate instance.  The App Server can again be installed on your main Passwordstate instance, or on a webserver within your DMZ.

The smartphone clients are now purpose-built iOS and Android apps, that authenticate using an independent credential set.  The smartphone apps allow for storing password records that a user is authorized to access, locally on the smartphone, within an encrypted cache.  Security has been increased, and also allows the option for using the biometric capability of the smartphone, when accessing the data within the encrypted cache.  All authentication and access of credentials is audited and synced back automatically with Passwordstate on next connection.    

Advantages of the new Architecture

From a usability perspective the primary benefit of the new architecture is that all the password credentials, and only those that the user has been authorized access to, can now be stored in an offline encrypted cache on their device.  This effectively provides the user with access to the credentials anywhere, anytime and regardless of the need for an active network connection. 

This cache is valid for the number of days set at Specify the number of days the user can access their offline cache before they need to re-authenticate again to the Passwordstate App Server.  This is set globally under Administration->System Settings->mobile access options->Mobile App Settings or individually under Administration->User Accounts-> “select a user” ->Edit User Details->Mobile Access Options.  The latter option overriding the global setting for that user. 

Please note that every time the user performs a sync within the Mobile App the time to live for the offline cache will be reset back to the specified number of days for that user.

From a security perspective the biggest benefit is that you potentially no longer need to have your Passwordstate Server running the “mobile gateway” internet facing.  As long as your staff have internal network access to the Passwordstate App Server, and can resync their offline encrypted cache before it is due to be wiped, then you potentially no longer need Passwordstate to be internet facing. 

Note that this currently only applies to the use of the Mobile App.

Levels of Security on the Mobile App

There are a number of levels of security associated with the use of the Mobile App, ranging from the length of time an offline cache can remain valid, the password strength for each user’s Master Password, protection against brute force dictionary and Man-in-the middle attacks,

Add to this the previously mentioned biometric capability of most current smartphones and access to the offline cache is kept secure.

How to Source and Install the App Server

To source and install the App Server you need to be on Passwordstate Version 9.  Simply navigate to Administration->System Settings->mobile access options and click on the Download App Server Installer.  Both the installer file and install guide are sourced from your existing Passwordstate Installation and the file is located under \inetpub\Passwordstate\downloads,

If you don’t have V9 installed then you’ll first need to perform a Manual Upgrade to Version 9.  Instruction for this can be found at https://www.clickstudios.com.au/documentation/ and is located under Upgrade Instructions on the page.

The use of the Passwordstate App Server and native iOS and Android apps can mitigate the risk of having your Passwordstate instance internet facing in some use cases.  Each organization should look at their usage requirements and perform internal risk assessments to ensure their design, risks and associated mitigating factors are appropriate for their business.

Once again if you have feedback, we’d love to hear it via support@clickstudios.com.au.

One Time Passwords and The Browser Extension

This week’s blog almost sounds like a modern take on one of Aesop’s fables, except instead of featuring animals with human attributes we’re using a modern “technology take” on the story.  There’s no moral taught in this story (blog), just another nifty feature to make your life easier.

Most Users of Passwordstate that have created Password Lists would know that there are a number of templates that can be used when creating them.  You don’t have to use these, however for those of us that don’t regularly create Password Lists, the Add Shared Password List Wizard can streamline the creation and permissions processes.

Add Shared Password List Wizard

So, let’s set the scene first.  Your organization has recently signed up for a new Cybersecurity defense solution and enrolled a pilot group of users.  This has proven to be very successful and you’ve been tasked with extending the enrolment, via the web-based Administration Console, to all users within your organization.

The problem is, the administration console requires multi-factor authentication, in this case a Username, Password and OTP (One-Time Password) to enable login.  This is a pain as you’re using two sources for the information.  You’re using Passwordstate for the Username and Password and a Mobile App for the One-Time Passwords.  But you don’t have to.  Instead, you can create a Password List based on the One-Time Password Authenticator template.

First navigate to the Passwords tab and right click on Passwords Home and select Add Shared Password List.   This will bring up the Add Shared Password List Wizard.  Enter the details for the Password List and choose the One-Time Password Authenticator template as per the image below; 

Enter all the details you require and click Next.  This will take you to the Permissions section where you’ll then be able to specify the Security Groups or Users you want to assign permissions for (for this Password List).  Once you’ve entered all your details click Next.  This will take you to the Confirmation section allowing you to review your details before clicking Finish to create the Password List.  The details for the Password List I’ve created are as follows;

Please note you can modify an existing Password List and simply select the Enable One-Time Password Generation to add the OTP section to all Password Records in that list.  However, in the scenario above I’ve elected to keep all Password Records requiring the additional One-Time Password authentication together in the one purpose designed Password List.

Add a Password Record for MFA

Now that we have the Password List, enabled for OTP setup, I’m going to add-in the credentials for our Cybersecurity defense solution.  To do this navigate to the Password List and click on Add underneath the Password Record grid.  Enter all the details for the Password Record and importantly, scan the QR code that was supplied by the issuer. 

If you don’t have a QR code you can enter the Issuer, Secret and algorithm specified by the issuer and click Save.  The image below shows the completed Password Record;

Access all Details via Browser Extensions

Now when you browse to the web-based Administration Console the Browser Extension will automatically form fil the Username and Password Fields.  But where’s the OTP details?    When the Browser Extension identifies the Password Record it will, in the Browser Extension menu, provide a right arrow-head next to that record.  Clicking on this will bring up the details for the Password Record including the Username, Password and One-Time Password as per the image below;

You’ll note the OTP shows the time to live for the current OTP code.  This allows you to ensure you have sufficient time to copy and paste that OTP code before it regenerates.

It really is as simple as that.  Now you can use a consolidated approach to storing the Password Credentials for sites requiring multifactor authentication with One-Time Passwords.

If you have feedback, we’d love to hear it via support@clickstudios.com.au.

Searching in System Settings and Feature Access

There’s no denying that Passwordstate has a significant number of options for configuration and customization.  That can sometimes make it hard to remember exactly where a configuration option lives (or is hiding).  That’s why in V9 we introduced a search facility, to find exactly where you need to go, so that you can configure that option.

Search Settings Locations

The Search Settings exists for 2 different areas in Passwordstate, System Settings and Feature Access.  To locate either of these simply navigate to Administration->System Settings or Administration->Feature Access as per the screenshots below; 

In both areas you’ll find the Search Settings dialog at the top of the screen, located just under the page title.  So how does the Search function in these areas operate?

Practical Example of Search Settings

Let’s use a practical example of the Search Settings.  In this scenario you’ve been working as part of the Business Integration Team, looking at what’s required to integrate your Passwordstate Instance into a new organization that’s been formed through the merger / acquisition of another business.

The two original Business Names are to be replaced with a new Entity Name.  The integration Team have suggested renaming the Passwordstate instance to reflect the new Entity Name.  You remember that once you’ve changed the existing Passwordstate instance URL you’ll need to also change this so it appears correctly in all emails, permalinks, etc.  But where to look?

What you could do is search for URL, which instantly drops down a list of the Tab’s and Settings that match the search criteria you’ve entered, as per the screenshot below;

On selecting the first result in the list you are taken to that Tab and the relevant area is highlighted in yellow showing you where you need to make that setting, again as per the screenshot below;

Note the Search Settings criteria is “sticky” until you use the eraser to clear it.  This means that if you remembered you also needed to make changes to the Mobile Access URL for your App Server you can simply select that result (3rd in the list of the search results) and navigate to that tab and make your changes there too. 

It also means that you don’t have to re-enter your search criteria if you selected an option from the results drop down that didn’t match exactly the area you were looking for. We think the Settings Search is a nifty little improvement.  As always, we welcome your feedback via support@clickstudios.com.au.

Real World Example – Importance of Password Management

Let’s start of this week’s blog with a confession.  Here at Click Studios we want businesses to buy and use Passwordstate!  When you buy licenses for our products, and take-out Annual Support and Upgrade Protection, you help us to maintain and grow our business.  We don’t deny that. 

However, take a look at our pricing structure and the catch-line on our website which summarizes our philosophy.   Password Management Should Be Affordable For Everyone.  Because It’s Important. 

We genuinely believe that all businesses should have the opportunity to access a secure, flexible and affordable Enterprise Password Management System.  One that your IT and Security staff can use to access and share sensitive password credentials.  Without a solution like Passwordstate,

  • How do you centralise control of, and allow secure access to, these sensitive credentials?
  • Do you know who is accessing your privileged credentials and when are they doing it?
  • Can you provide access to them based on an employee’s role?
  • Can you quickly change them when an employee leaves?
  • How do you ensure these critical passwords aren’t being copied, changed or exported for other uses?
  • How can you manage password resources on discreet networks?
  • Is your password store secure?
  • Can you rely on access to your passwords when you really need them?

If your business uses Information Technology, in any fashion, then the above points are important and relevant.  Your accounts, especially those with higher privileges can be used to exploit your most sensitive information and critical systems.  Privileged access gives individuals the power to alter your data, change the configuration of applications and infrastructure and have the potential to cause you irreparable reputational and financial damage.  If this were to happen would your business survive?

Credential Breaches Are Real!

On 2nd February 2021, Cybernews reported the Largest compilation of emails and passwords leaked for free on public forum, with more than 3.2 billion unique pairs of cleartext emails and passwords leaked on a popular hacking forum.  This is known to be an aggregation of past leaks from Netflix, LinkedIn, Exploit.in, Bitcoin and other sources.  This is referenced as a Compilation of Many Breaches or COMB.

A subset of entries contained in a previous COMB in 2017 were tested by Constella.  They found that “most of the tested passwords worked” and “Given the fact that people reuse passwords across their email, social media, e-commerce, banking and work accounts, hackers can automate account hijacking or account takeover”.

What’s more the breach isn’t just a list of stolen credentials, but rather an interactive database that allows quick searching of credentials.  In other words, it allows the lookup of specific credential sets to make selective targeting of individuals and businesses easier!

You can find the full report on Cybernews website: https://cybernews.com/news/largest-compilation-of-emails-and-passwords-leaked-free/ and reference their data leak checker: https://cybernews.com/personal-data-leak-check/

Implications and Impacts

The implications of this breach may be far reaching (I would have said unprecedented – but that word was done to death in 2020!).  The majority of people still reuse their passwords and usernames across multiple accounts. 

This gives our unfriendly Cyber Criminals a head start with rich information for credential stuffing attacks.  The unfortunate fact is that if a user has the same passwords for their LinkedIn or Netflix accounts and an email account, then attackers can and will target other more important business accounts. 

These users typically become recipients of targeted Spear Phishing attacks, receive high levels of spam emails and imposter attacks via social media platforms.

Use Passwordstate to Protect Your Assets

First, get Passwordstate up and running within your business!  If you already use it then look at how you can improve it’s use within your business.  If you don’t have it installed then download the 30 Day Free Enterprise Trial here.  You can see how affordable our software is here.

Second, stop reusing passwords and usernames across multiple accounts.  If you do, and your account details are compromised in a breach, it’s just a matter of time before your other accounts are targeted.  And it’s not just Celebrities and Millionaires that are targeted with Spear Phishing attacks.  It’s also Help Desk Staff, Accounts Payable Clerks, Middle Management and those IT workers with increased privileges (yes, I’m talking about you System and Network Admins).  Setup Password Strength Policies and Generators in Passwordstate that create unique, strong passwords every time.

Third, regularly reset your passwords automatically.  Don’t keep the same passwords for ever.  It’s not that hard to change a password every 90 days (just an example, your IT policies may require shorter timeframes).  It you’ve got lots of accounts then stagger the resets to make it manageable.  Use our tools like Browser Extensions, to automatically generate and save an updated password back to Passwordstate, when changing it online.  Automate wherever you can to make your life easier!

Then look at implementing 2 Factor Authentication where it makes sense.  You can still do this if you use Single Sign-On and you can selectively target accounts.  View your accounts as assets and manage them based on risk and impact.  As an example, Banking Accounts and System Administrators Privileged Accounts should always have 2FA enabled.  Even if your credentials are compromised hackers can’t access the account if you use 2FA.

Be informed, take control of your assets and as always, we welcome your feedback via support@clickstudios.com.au.

Cyber Criminals Tools & Techniques

Building on last week’s blog Cyber Criminals Exploit the Human Factor, this week we’ll explore a little more detail around the tools and techniques used by Cyber Criminals to convince selected and targeted individuals to take action.

To be effective in obtaining credentials and/or sensitive information through phishing attacks Cyber Criminals rely on an arsenal of tools and techniques. These are focused on building rapport with selected individuals, creating situations that appear to be authentic, and help to establish credibility and typically a sense of urgency.

Social Engineering

Social engineering principles form the core of the majority of attacks. These range from simple lures designed to appeal to our curiosity, for example a fake invoice sent to the Accounts Payable Department, or a Job Description for an attractive role/vacancy to an IT Department Systems Administrator. 

More sophisticated approaches can include union action over a fabricated unresolved Health and Safety incident or media exposure of non-conformance to government procurement guidelines.  Themes can vary based on Cyber Criminal groups, industry type and selected individuals.  Typical themes spanning most industry types include Love, Money, Food and Real Estate.

The Carbanak Campaign

A well known example is the Carbanak campaign, predominately targeting financial institutions for the purpose of monetary theft.  A Windows based malware payload was introduced via phishing emails and has been reported to have resulted in over $900 Million USD from Banks and selected individuals.  The email attack used authentic looking lures with professional documentation in the form of attachments that distributed multiple strains of malware.  The email author claimed to have been double-charged and demanded an urgent resolution. It used stolen vendor branding and claimed to be protected by that vendor’s technology.  Instructions provided for unencrypting the document were actually the steps required to enable macros and allow the installation of the malware.

Real Estate Lures

Real estate transactions typically involve multiple parties, a degree of urgency, and the opening and exchanging of both personal information and digital signatures.  This is why they represent a frequent target for Cyber Criminals using phishing and malware attacks. DocuSign, a trusted source for electronic signatures, is routinely abused using Brand Impersonation along with Real Estate and Bank Portals that look legitimate. The processes of buying a home and/or applying for a rental property create readily exploitable opportunities, especially when the selected individuals are not familiar with the many steps involved.

Fake Jobs

An increasingly effective tactic, especially as economies commence rebuilding post COVID-19, is the fake job add.  These typically use multiple points of contact to establish a relationship with the selected individual.  Popular career platforms such as LinkedIn are used to send invitations from a legitimate account to the selected individual.  These are then followed up with personalised emails without any malicious content.  At some stage in the ongoing exchange, once a rapport has been built, Cyber Criminals sends the malware bearing email.  Selected individuals, typically with access to corporate accounts or sensitive information, are targeted with the ultimate aim of initiating fraudulent money transfers or providing sensitive personal and/or business information.  In most cases the Cyber Criminals impersonate a known business leader in a position of authority.

Brand Theft

Believable (but fake) domains and web presences tangibly support social engineering efforts. Fraudulent Websites using stolen branding and registered domains resembling real brands are all part of the Cyber Criminals arsenal.  Look-alike domains are becoming increasingly sophisticated and are close enough to the original that they are infrequently questioned.  Legitimate sounding variations of known brands provide Cyber Criminals with the ability to execute account fraud, also known as angler phishing, impostor email attacks and more.

Legitimate Platform Abuse

Cyber Criminals are increasingly taking advantage of file-sharing and collaboration tools as businesses move to Software as a Service platforms.  This is made easier due to business familiarity and whitelisting allowing easy distribution of malware and phishing templates.  Frequently abused platforms include;

  • Google Drive and Microsoft Office 365
  • Box and Dropbox
  • MailChimp and SendGrid
  • Payment services allowing outbound mailing of invoices
  • Social Media Platforms

These services readily leverage the human factor as we work from a position of trust, opening links received via email without considering the potential for malware or reconnaissance leading to credential theft.  Targeted infiltration of a SaaS platform enables secondary attacks that are hard to detect and be identified by users. It allows for internal phishing and can result in credential dumps that are used for credential stuffing or brute-force attacks.

Imposter Attacks

Impostor attacks utilize a range of techniques to convince targeted individuals they are communicating with a trusted entity. These include display-name spoofing, where the email appears to be coming from a known trusted source, domain spoofing, where an attacker appears to use a company’s domain to impersonate a company or employee, and look-alike domains.  The basis of these attacks is Identity Deception, as opposed to more common attacks simply using throwaway attacker-owned addresses and domains, and they are proving to be highly effective.

How can Click Studios Help?

Another element of the human factor is the reuse of passwords.  Recent research suggests that greater than 40% of businesses have at least one compromised account and 6% of businesses have at least one VIP account that is compromised.  This makes internal phishing and Business Email Compromise easy for Cyber Criminals.

Click Studios Passwordstate, an on-premise web based solution for Enterprise Password Management, facilitates unique combinations of account and passwords for all systems.  Passwords can automatically be reset on a scheduled basis, only be accessed by authorised users via Role Based Access Control, and full end-to-end auditing keeps track of who has accessed the credentials and when.

As always, we welcome your feedback via support@clickstudios.com.au.