Important Changes to Browser Extensions

Click Studios is making changes to Passwordstate and our Browser Extensions.  We’ve been maintaining a legacy code base in Passwordstate and the Browser Extensions since Build 8782, released way back in September 2019.  This code base can no longer be supported.  In removing it we remove unnecessary complexity from the ongoing development of Passwordstate and our Browser Extensions, and open up the ability for richer functionality in both.

The first of these changes relates to the authentication method used in our Browser Extensions for Chrome, Edge, Firefox and Brave web browsers.  This will come into effect when first upgrading Passwordstate from Build 9753 (or lower) to Build 9785 (or higher).  Once Passwordstate has been upgraded, all users' Browser Extensions will be in an unauthenticated state and the extension icon will be Red.

To authenticate you’ll need to create a new Browser Extension Master Password and follow the process as outlined in this blog.

Create A Master Password!

From Passwordstate Build 9785, Browser Extensions will first require a Master Password to be entered in order to effectively authenticate against your Passwordstate instance and be unlocked to retrieve credentials.  Each end user needs to do this themselves as this Master Password authenticates their use.

To create the Browser Extension Master Password, navigate to Preferences->Browser Extension->Browser Extension Master Password and create the Master Password by entering it in the field indicated.  Note that your Security Administrator will have specified a Password Strength Policy that this Password must adhere to.  Feedback is provided underneath the input field as you type, giving guidance on what is required.

Once you’ve finished, click on the Save & Close button.  Now you’ll need to click on the Red Browser Extension icon.  This will open a dialog asking you to confirm the URL for the source of your credentials.

This will be either your Passwordstate instance URL (the base URL you’ve just logged into) or the URL of the App Server that processes these requests.  If you have any doubt, check with your Passwordstate Security Administrator.  Only if the URL matches should you enter the Browser Extension Master Password previously created, then click on the Login button.

You can then also click on the OK – I understand button if it is still displayed.  While on the Master Password / Login dialog box it’s important that you do not move the focus from this box.  It is deliberately designed so that if you click on anything outside of the dialog box the process will be terminated.  If this happens, logout of Passwordstate and start the process from the beginning (you won’t need to recreate the Browser Extension Master Password).

What Will I See?

You are now authenticated and unlocked, as indicated by the Browser Extension icon having turned Black.  You can now add and retrieve credentials as normal.

Browser Extensions can be in various states.  Each of these is color coded as per the image below,

Red: The Browser Extension is not active. It has either been logged out of your Passwordstate Instance, or is waiting for the initial configuration against your Passwordstate instance’s base URL. To activate the Browser Extension simply browse to your Passwordstate website login URL, login as normal, confirm the URL presented is the same as your Passwordstate instance’s base URL, enter the Master Password and click Login.  Please note your Security Administrator controls the Browser Extension Session Timeout setting.

Blue: Indicates the Browser Extension is active, authenticated, unlocked and the URL on the active tab of your browser is set to be ignored.  Ignored URLs do not automatically form-fill existing, or prompt to save new, credentials for that website.

Black: Your Browser Extension is active, authenticated, unlocked and able to automatically form-fill saved credentials for a website or add new credentials.

Yellow: Your browser extension is in a “locked” state, and you will need to unlock it using your Master Password.  This typically occurs when you have closed your web browser but have not exceeded the Browser Extension Session Timeout setting.  While in a “locked” state you are unable to retrieve or add credentials to Passwordstate.

How To Unlock The Browser Extension?

As outlined in the section above, when the Browser Extension is showing as Yellow it is locked and will not allow you to retrieve or add credentials to Passwordstate.  To unlock the Browser Extension, simply click on the icon, enter your Master Password and click on the Unlock button.

Again, do not move the focus from this dialog box.  If you click on anything outside of the dialog box the process will be terminated and you will have to start the process again.  If you click on Logout your Browser Extension icon will turn Red and you’ll be required to login to Passwordstate to reauthenticate and then re-enter the Master Password.

If you’d like to share your feedback please send it through to support@clickstudios.com.au.

Getting More Out Of Passwordstate

Passwordstate commenced development way back in 2004, as a result of witnessing first hand the number of clients that had adopted poor Password Management practices.  Approaches such as storing simple passwords in unprotected spreadsheets, kept on network file shares and personal computers, posed a real risk to these clients.  And we weren’t just talking about small businesses.  Our clientele came from industry verticals including Property Management, Gaming & Entertainment, Hospitality, Health & Fitness, Lotteries and Agriculture.

Passwordstate has come a long way since those early days.  Today we can boast having more than 29,000 Customers and 370,000 Security & IT Professionals globally, spanning industry verticals including Defence, Banking & Finance, Media and Entertainment, Space & Aviation, Education, Utilities, Retail, Mining, Automotive, Service Providers and IT Security Integrators.  Please note, the screenshot below is of V2.0.  We’ve intentionally removed all images of V1.0 as it didn’t look all that flash.

Passwordstate’s Core Functionality Is…

All about the secure storing, management and use of credentials.  The approach taken in Passwordstate is the same regardless of whether the credentials are Shared or Private.

Access to Shared Password Lists, and the Password Records contained within those Lists are permission based.  The same is true in principle with Private Password Lists and Records, except that with these you’re prevented from sharing or granting access to these Lists and Records at a system level (and there are no workarounds while they remain Private).

But that’s not all that Passwordstate has to offer.  Within the Core functionality you can also perform Privileged Account Management: discover local accounts on equipment (such as switches and servers), change the password for those accounts and manage them from that point onwards.  You can also store documents relating to Work Instructions, Change Approvers (or anything at all).

Extend Access to Credentials

Once you’ve got your credentials securely centralized, you can extend access to these using our Android and iOS Mobile Apps.  The Mobile Apps use an independent credential set per user and store password records on the smartphone within an encrypted cache.  This encrypted cache can have a ‘Time to Live’ of up to 30 days, with the value configurable by your Security Administrator.  You can also assign permissions on who is permitted to use the Mobile Apps based on User and Security Groups.

All authentication and access of credentials is audited and synced back automatically with Passwordstate on next connection so there is always an audit trail on credentials that have been accessed.

Once you have the Mobile App installed you can do away with any existing Authenticator Apps.  Access to your One-Time Password codes can be done right in the Passwordstate Mobile App.  This means when you replace your device you can automatically synchronize all applicable Credentials and OTP Codes to the new device.

Self-Destruct Messages

You can also use Self Destruct Messaging, allowing you to send messages containing highly confidential information that can only be viewed for a specified period of time.  The content you share is stored only within the Passwordstate Self Destruct Messaging portal.  You specify who can send Self Destruct Messages and control both the ‘Time to Live’ and the number of times the data or a Password Record can be viewed.

When the recipient views the content of a Self Destruct Message it is presented via the Passwordstate Self Destruct Messaging portal.

Remote Host Connections

Passwordstate has 2 first-in-class Remote Access Solutions, a Browser Based Launcher and a Client Based Launcher.  These are included with the core Passwordstate product at no additional cost.

The key advantage for these built-in launchers is the use of Remote Session Credentials which enable automatic authentication to your remote hosts.  This feature is especially useful for enabling contractors or vendors accounts to be configured for authenticating to hosts without having to have access to the password record.  The encrypted credentials are retrieved from Passwordstate, sent to the Remote Session Launcher utility/gateway, decrypted and passed to the remote client. 

While the Browser Based Launcher only supports RDP and SSH connections, it also lets you record sessions and play back the Session Recordings at a later time.

It’s Not Just About Passwords!

Passwordstate can be used to record many types of information, from Credit Cards, Hardware Maintenance Contracts, Software License Keys to SSL Certificates and many more.  This allows you to record and use many types of business information, that is both associated and unassociated with the credentials you manage.

It allows you to share the information with those that need it and maintain a full audit trail of all access to that information.

You may think that Passwordstate is just an effective and affordable Enterprise Password Management System.  But it can offer so much more, and while it isn’t designed to be a complete document management system or Remote Desktop Solution, it offers some of the functionality of more expensive 3rd party solutions at no additional cost.  You can get more out of Passwordstate, you just need to think about how else you can use it.


Importing Hosts In Bulk

The Hosts tab facilitates two main functions.  First, it allows Hosts to be added into Passwordstate, and in doing so enables local accounts on those hosts to be managed in the form of Account Discoveries, Password Resets and Account Heartbeats.  Second, it allows these Hosts to be accessed using our Remote Session Launcher via RDP, SSH, Telnet, VNC, SQL and TeamViewer.  The types of connections that can be used are dependent on the Remote Session Launcher selected.

When navigating to Hosts Home, located on the Hosts Tab in Passwordstate, you are provided with summary information on all the Hosts added to your Passwordstate instance.  This includes the total number of Hosts, a breakdown by type, and the Remote Session Credentials used to access your Hosts.  As Passwordstate uses Role Based Access Control (RBAC) you will only be able to access the Remote Session Credentials you have been granted permission to.

You also have links to Add Host records, View All Host Records and View Host Discovery Jobs.  While this blog is about Importing Hosts in bulk into Passwordstate, you can of course add individual Host Records.  To do this you would simply click on Add Host.

This will present you with the Add New Host screen (the image below is only part of that screen).  Just fill out all the required details and click on Save, or if adding multiple new records, click on the Save & Add Another button.

Add Hosts Through Discovery Jobs

From Hosts Home you have the option of viewing and adding Host Discovery Jobs.  Host Discovery jobs are essentially the same as Account Discovery jobs, except instead of collecting local account information on devices, you’re collecting information about the devices themselves.  At this stage we need to point out that Passwordstate collects this information from Active Directory (AD).  Our software doesn’t “trawl your network” looking for devices.

To add a discovery job to import your Hosts, navigate to Hosts->Hosts Home and click on View Host Discovery Jobs.  This will take you to the Host Discovery Jobs screen.  Underneath the display grid, showing any existing Discovery Jobs, you’ll find the option to Add Discovery Job.

This will take you to the Add Hosts Discovery Job screen.  From this screen you can enter all the specifics associated with the discovery job.

The information you can enter includes,

  • The Discovery Job Name,
  • A Description for the job,
  • The Site Location, only used if you have multiple Remote Site Locations configured,
  • Which Active Directory Domain to query for this discovery job,
  • Selecting the Simulation Mode allows you to receive an email on the results of the discovery job without processing those results,
  • Only Discover hosts with the following Operating Systems by selecting that OS,
  • Only discover Hosts where the Last Logged on date is greater than or equal to a specific date, i.e., only machines logged into since July 2022
  • If you want to, you can Populate the Host’s Tag field with the Organizational Unit (OU) it belongs to,
  • When a new Host is found, set its Remote Connection Properties to a Specific Port Number and connection type,
  • Choose what to do If an existing Host in Passwordstate is no longer found in any of the OUs specified,
  • Specify the Privileged Account Credential used to query your AD Domain.

To query specific AD OUs, click on the Active Directory OUs tab and specify them there.  Lastly, on the Schedule tab you can specify the time and frequency for running the Host Discovery Job.

Import Hosts via CSV File

From Hosts Home you also have the option of viewing and importing Host Records.  To View All Host Records, navigate to Hosts->Hosts Home and click on View All Host Records.  This will display any existing Host Records in the display grid.

Above the display grid is a Host Filters section which allows you to fine-tune the Host Records you are searching for.  Beneath the display grid are options to Add Host, Import and Export Hosts.  To perform a bulk import of Hosts, click on Import.

This will take you to the Import Hosts screen.  From here you’ll need to generate a CSV template that includes all the fields for a Host Record.  The template shown specifies which fields are required, and allows you to specify the Host Type and Operating System from the drop-down lists.

On clicking the Generate CSV Template button, Passwordstate will generate the CSV template and download it to your PC.  For Windows based systems this will typically be C:\Users\<your username>\Downloads.  You can now populate this template with the Hosts you wish to import.  Once you are ready, simply use the Select button, navigate the file system, select the file and then click Submit.  In the example I’ve named the populated template Click_Studios_hosts_template.csv.

On completion of the import process, you’ll be presented with the Import Successful screen advising the number of records that were imported.  Click on the Continue button to return to the Hosts Home screen.

Import Hosts via Scripting With API

Lastly, you can also use the Passwordstate API to import Hosts.  The example PowerShell script below uses the Standard API (the API Key needs to be provided) to import 3 computers.  Please note the script directly below has some data removed, such as the full server names, Passwordstate URL and API key,

This code can be loaded into PowerShell ISE and run.  Again, data such as the full server names, Passwordstate URL and API key has been redacted,
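The script itself is not reproduced on this page, so the following is an added example, not Click Studios' script, showing one way to feed the CSV template described above into the Standard API.  It assumes the Standard API accepts a POST to /api/hosts with a JSON body whose fields (HostName, HostType, OperatingSystem, RemoteConnectionType, RemoteConnectionPortNumber) mirror the CSV template's columns, authenticated with an APIKey header, and that the response carries a HostID; the instance URL and file name are placeholders.  Verify the endpoint and field names against the API documentation served by your own instance before relying on them.

```powershell
# Added example, not Click Studios' script.  Endpoint, header and field names are
# assumptions based on the Passwordstate Standard API; check them against your
# instance's API documentation before use.
param(
    [string]$PasswordstateUrl = 'https://passwordstate.example.internal',  # placeholder
    [string]$CsvPath          = '.\Click_Studios_hosts_template.csv'       # populated template
)

# Keep the API key out of the script file and out of ISE history: read it from an
# environment variable set for this session only.
$ApiKey = $env:PASSWORDSTATE_HOSTS_APIKEY
if (-not $ApiKey) { throw 'Set PASSWORDSTATE_HOSTS_APIKEY in this session before running.' }

# Older Windows PowerShell hosts default to TLS 1.0; insist on TLS 1.2 for the API call.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$hostRows = Import-Csv -Path $CsvPath
$results = foreach ($row in $hostRows) {
    # Minimal body; add Tag, SiteID etc. if your template contains those columns.
    $body = @{
        HostName                   = $row.HostName
        HostType                   = $row.HostType
        OperatingSystem            = $row.OperatingSystem
        RemoteConnectionType       = $row.RemoteConnectionType
        RemoteConnectionPortNumber = [int]$row.RemoteConnectionPortNumber
    } | ConvertTo-Json

    try {
        $resp = Invoke-RestMethod -Method Post -Uri "$PasswordstateUrl/api/hosts" `
                    -Headers @{ 'APIKey' = $ApiKey } `
                    -ContentType 'application/json' -Body $body
        [pscustomobject]@{ HostName = $row.HostName; Status = 'Imported'; HostID = $resp.HostID }
    }
    catch {
        # A bad row (duplicate name, unknown Host Type) should not abort the whole batch;
        # record the failure so it can be fixed in the CSV and re-run.
        [pscustomobject]@{ HostName = $row.HostName; Status = "Failed: $($_.Exception.Message)"; HostID = $null }
    }
}

# One line per host so the import can be reviewed and, if needed, re-run for failures only.
$results | Format-Table -AutoSize
```

Running it from a PowerShell prompt with the API key exported for the session (for example `$env:PASSWORDSTATE_HOSTS_APIKEY = '<key>'`) produces a per-host table; the same CSV you would upload through the Import screen is reused unchanged, so the two methods stay interchangeable.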

In summary, there are 3 different methods of importing Hosts in Bulk into Passwordstate.  This provides you with the choice of method that best suits you and your environment.

All About Licensing

Click Studios regularly receives requests to explain Passwordstate licensing.

While we have the majority of the details covered here https://www.clickstudios.com.au/pricing-faq.aspx we still have other associated questions posed to us regularly.

This blog post is aimed at offering an end-to-end view of licensing and applying the keys.

What are Core License Types?

There are 3 different categories of Licensing used for Passwordstate.  These are Core Licensing, Annual Support and Module based licenses.

Core Licensing includes Client Access Licenses, Enterprise Licensing and Global Licensing.  All 3 of these are a once-off purchase and have exactly the same Passwordstate functionality, with the only differentiator being the number of users that can access Passwordstate and the number of instances of Passwordstate you can install.

Client Access Licenses limit the number of users accessing a Passwordstate instance to the number of licenses you have purchased.  The example being you have purchased 52 Client Access Licenses so only 52 named users can access the instance.  Please Note: the first time you purchase Client Access Licenses, with Annual Support and Upgrade Protection, we’ll add an extra 5 Client Access Licenses to the quantity you purchase in lieu of the “Free for 5 Users” license.

Enterprise Licensing is price capped at the cost of 200 Client Access Licenses.  It allows for an unlimited number of users to access the one Passwordstate instance.  The example being you need 500 users to access your Passwordstate instance so you purchase an Enterprise License.  If you request a quote to purchase more than 200 Client Access Licenses, we’ll convert your quote to an Enterprise License.

Global Licensing enables you to have an unlimited number of Enterprise License instances, each allowing for an unlimited number of users accessing each instance.  The example being you need Passwordstate instances deployed, in multiple countries or locations, and each need to potentially cater for up to 200 or more named users.

“Free for 5 Users” Licensing is a version of Client Access Licenses.  We provided it at no cost for small businesses because we believe that password management should be Affordable for Everyone. Because it’s Important!  While this version allows the customer to upgrade Passwordstate to later versions the provision of technical support does require active Annual Support and Upgrade Protection.

What are Annual and Module Based Types?

The Annual and Module Based Licensing covers Annual Support and Upgrade Protection, the High Availability, Password Reset Portal and Remote Sites Locations Modules.

Annual Support and Upgrade Protection is the maintenance for your Passwordstate Core Licensing and the High Availability Module.  The cost is calculated at 20% of the current value of your Licenses, and it allows you to upgrade to the latest version of Passwordstate as well as receive Technical Support.  Greater detail around what is included with Annual Support and Upgrade Protection can be found here https://www.clickstudios.com.au/support-agreement.aspx.

The High Availability Module is a once-off purchase and allows you to replicate your instance of Passwordstate for the purpose of Load Balancing, Disaster Recovery and Business Continuity.  Each HA instance requires a license, and you must purchase the High Availability license if you wish to use Virtual Server Replication technologies for disaster recovery or business continuity purposes.  You can implement High Availability in either an Active / Passive or Active / Active configuration.  You can purchase multiple HA instances for Load Balancing or for implementing DR and Business Continuity across multiple sites.

Our Password Reset Portal Module is Subscription based, with the subscription option chosen for the required number of users to be covered.  The subscription is sold in blocks starting at 100 Users, and then covering 500, 1,000, 2,000, 5,000, 10,000 and Unlimited Users.  The subscription is tied to your Annual Support and Upgrade Protection Expires Date.  You do not need to match the Subscription size for Password Reset Portal to your core license quantity, just the number of users you want to have the Password Reset Portal available to.

The Remote Site Locations Module is also a Subscription based module, with the subscription option chosen for the required number of sites to be covered.  The subscription is sold in single sites starting at 1 through to 30 Sites with an option for Unlimited Sites also available.  Again, this subscription is tied to your Annual Support and Upgrade Protection Expires Date.

What Modules are Applicable to Each Core License Type?

In terms of “Mixing and Matching” what License types and Modules go together?  The table below summarizes what Core License Types can be used with each of the Module Based Licenses,

As can be seen in the above table, Client Access, Enterprise and Global Licensing can be purchased without Annual Support and Upgrade Protection.  When there is no Annual Support and Upgrade Protection, the only Module that can be purchased is the High Availability Module.

Purchasing Annual Support and Upgrade Protection, and keeping this active, is strongly recommended.  It entitles you to all bug fixes, performance improvements, new features and Update/Upgrade releases as well as allowing you to receive Technical Support.

As the “Free for 5 Users” licensing does not include Technical Support and has no Annual Support and Upgrade Protection Expires Date, neither the Password Reset Portal nor the Remote Site Locations Module can be added to it.  Click Studios policy also prevents “Free for 5 Users” from purchasing the High Availability Module.

I’ve Placed My Order – What Happens Now?

To place an order, you’ll either have,

  • Placed the order online via https://www.clickstudios.com.au/buy-now.aspx.  This is only for customers placing their first order.  If you are an existing customer, you must first email sales@clickstudios.com.au and request a quote.  Without doing this you run the risk of incorrectly ordering your licenses.  Once license keys have been generated we are unable to change them.
  • Placed the order based on a custom Buy-Now link, sent us a Purchase Order based on a self-generated quote, or one we have sent you, or,
  • Placed the order via an Authorized Reseller.

All orders are ultimately processed by Click Studios.  When we complete processing your order, we’ll send your License Keys via email to your Nominated Contacts.  We’ll also send a courtesy copy of the License Keys to the Authorized Reseller if you’ve ordered via them.

Every order, whether it’s renewing your Annual Support and Upgrade Protection, or purchasing additional Licenses or Subscriptions, will require you to apply the License Key details you receive to the fields in your Passwordstate License Information screen.

Our email, with a subject line of Passwordstate License Keys, contains details that are color coded.  This makes it easier for you to identify what needs to be updated.  If the email contains any red bolded text, then these are the only details that need to be updated.  Simply login to your Passwordstate instance, navigate to the Administration->License Information screen, select each License Type that corresponds to the block in the email containing the red bolded text, and Cut & Paste the red text into the corresponding field, an example being,

The example above (with redacted details) shows updating the Expires and Registration Key details from an email into the License Type of Annual Support.  If the Passwordstate License Keys email contains no red bolded text then all details in the License Type block will need to be input.  Modern Builds of Passwordstate will automatically remove leading and/or trailing spaces on the input fields when you click Save.

Traps For Young Players

The most common issues we see when customers place an order for Annual Support and Upgrade Protection are,

  1. You’ve placed your order, but are still receiving notifications from us advising to organise your renewal with Click Studios,

This notification isn’t sent by Click Studios, it’s being sent by your Passwordstate instance.  This means that you haven’t applied the updated license keys that you received via email.  These are sent to your Nominated Contacts (up to a maximum of 4 contacts).  The new License Keys need to be applied by navigating to Administration->License Information screen.

  2. Applying the updated Annual Support Registration Key, but not applying the new Expires Date.  Both need to be applied for the updated license key to be successfully applied.
  3. You’ve attempted to update the license keys but are receiving the following error,

This is because you have either mistyped the Registration Name, License Count, Expires date or Registration Key.  Cut & Paste the License Details directly from the email provided whenever possible.  Modern Builds of Passwordstate will automatically remove leading and/or trailing spaces on the input fields when you click Save.

  4. When you have installed Passwordstate you have chosen FIPS Encryption, or you have chosen to re-encrypt using FIPS 140-2 Encryption during the Encryption Key Rotation Process.  To resolve this please contact Click Studios and request that your license keys be generated as FIPS Compliant.  By default, all Passwordstate License Keys are generated for 256 Bit AES Encryption.

Ordering, receiving and applying your Passwordstate licensing is easy-peasy.  Just take your time and follow the instructions.


OTP Codes And Simplifying Your Life!

Have you ever had the extreme pleasure of using an authenticator app that, for some completely random reason, decides it can no longer access its database?  And to top it off, you think “no problem, I’ll just restore my backup of the app”, only to find that it doesn’t allow backups of its database.

If you’ve ever been in this position you’ll have experienced the absolute “pain in the proverbial” that this causes.  There is nothing more tedious and time consuming than having to run through the process of setting up your One Time Password codes all over again.

Well, there is a better way!

Passwordstate Mobile App

The architecture of the Passwordstate native Mobile Apps is set so that the Master repository of the data is your Passwordstate instance.  The mobile app, on both Android and iOS, contains a synchronized encrypted offline cache of the Password Lists and Password Records that you have been granted access to.

This remains available on the device for up to 30 days without re-authenticating before it is automatically deleted from the device.  Your Passwordstate Security Administrator can globally set the “time to live” for the encrypted cache to 1, 3, 7, 14 or 30 days.  The setting can also be set per user under Administration -> User Accounts -> Selected User -> Mobile Access Options.

Each time you login to the Mobile App it will:

  • try to re-authenticate back to your Passwordstate instance,
  • if successful, reset the “time to live” back to the specified number of days,
  • resynchronize the contents of the offline cache, and,
  • transmit the contents of its internal audit database, ensuring all access to offline stored credentials is merged with the Passwordstate Auditing tables in your instance.

The huge advantage here is, if you ever lose or replace your smart device, all you need to do is install the Passwordstate Mobile App on the new device, pair it with your Passwordstate instance, login to the app, and all your OTP codes will be automatically synchronized to the encrypted offline cache (meaning there is no having to rebuild your OTP list from the start – Yay!).

One Time Passwords

So how are the One Time Password records ordered within the App?  On the OTP tab, all OTP codes are displayed alphabetically based on Password List name and then by the Password Records within that list.  As stated before, you only have access to the Password Lists and Password Records you’ve been granted access to.

If you look at an individual Password Record, one that is set up for OTP codes, you’ll also see that OTP code shown in the record details.

And within Passwordstate, the same Password Record is shown as below.  Note that the OTP code shown is different as it has automatically rotated.

Set Your Home Page

You can specify which tab to automatically open within the Mobile App under Settings.  From here you can specify whether you want to use your device’s Biometric Unlock capability, the timeout values for App Lock and Clipboard, whether you want to use the Autofill Service to form-fill credentials in applications or websites, set the Homepage to either OTP or Password Lists, and select the Theme for the appearance of the App.

The Passwordstate Mobile Apps allow you to securely access Password Records and OTP codes.  All data is limited to what you’ve been granted access to, and when you replace the device you can automatically synchronize the data to the new device.  It really is about accessing your OTP Codes and simplifying your life!


Password Change Post Processing

Passwordstate includes PAM functionality as part of the core software.  This allows you to perform on-demand or scheduled Password Validations (heartbeats) and Resets across multiple different systems or platforms.  You can also perform on-demand or scheduled Account Discoveries and automatically import accounts into a Password List, with or without first resetting the password for each account.  For a list of supported systems please refer to our webpage here https://www.clickstudios.com.au/about/privileged-account-management.aspx

In addition to performing Resets on accounts, you can also perform actions after the password has been reset.  What type of activities you can perform is up to you and your ability to write PowerShell scripts.

Example Use Case

As an example, Click Studios maintains a Change Management listing of all Password Resets on Service Accounts.  The way this works in our environment is that once a Password Reset is automatically performed on a Service Account, we run a PowerShell script to send an email to a PC running a program that extracts the details from the email and updates a Change Management register of all resets on Service Accounts.

It’s a rudimentary approach but works well as a sanity check for updates in our QA environment and proof that the post processing functionality is working correctly.  This same script has been replicated in our Demonstration Passwordstate instance for this blog.

Location Of PowerShell Script

In our example use case outlined above, we’ve first created a PowerShell script by navigating to Administration->PowerShell Scripts and clicking on the Password Resets button.

This takes us to the Password Reset Scripts screen.  Here we’ve previously created the script called Update CM_Service_Account_Password_Events.

You can see that the script has been used 4 times by looking at the figure under Usage Counter in the display grid.  By clicking on the name of the script (it’s actually a hyperlink), the editor opens allowing you to create or edit the script.

This PowerShell script creates and sends an email to a specific email address.  What is sent is the details associated with the Password Record that has changed.

To specify that a Password Record uses the PowerShell script after its password has been changed, we navigate to the Password List containing the Password Records for our Service Accounts.  In the example use case they are located in the Password List Active Directory Accounts, located under Passwords->Infrastructure.  Then we select the Service Account we want to add a dependency to, click on the Action icon and choose View Password Reset Dependencies.  You are now on the Password Reset Dependencies screen for the specific Password Record and need to click on Add Dependency.

From here, on the Add Dependency screen, we select the Post Reset Script Update CM_Service_Account_Password_Events from the drop down list (note the suffix of .PS1 is not shown here).

Now every time the Password is changed on that specific Password Record the Post Reset Script will execute and email the changed details through to our Change Management register.
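As an added example (this is not Click Studios’ own Update CM_Service_Account_Password_Events script, which the post does not reproduce), here is what such a Post Reset Script can look like in PowerShell.  The parameter names, the SMTP host and the mailbox addresses are placeholders, not values from the post; substitute whatever your Passwordstate build actually passes to Post Reset Scripts.  The design point worth copying is that the new password is never written into the email: a change register needs to know that a reset happened, not the secret itself.

```powershell
<#
    Added example, not Click Studios' script.  Assumptions (not from the blog):
    the parameter names are placeholders for whatever your Passwordstate build
    passes to Post Reset Scripts; SMTP host and mailboxes are fictitious.
#>
param(
    [Parameter(Mandatory = $true)][string]$PasswordListName,
    [Parameter(Mandatory = $true)][string]$Title,
    [Parameter(Mandatory = $true)][string]$UserName,
    [string]$HostName = '(none)',
    # Declared so a caller can pass it, but deliberately never placed in the email.
    [string]$NewPassword = ''
)

$SmtpServer = 'smtp.example.internal'           # placeholder
$From       = 'passwordstate@example.internal'  # placeholder
$To         = 'cm-register@example.internal'    # placeholder mailbox polled by the CM program

function New-ResetNotificationBody {
    param([string]$ListName, [string]$RecordTitle, [string]$Account, [string]$Target)
    $whenUtc = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    # One "Key: Value" line per field so the program reading the mailbox can parse it reliably.
    $lines = @(
        'Event: ServiceAccountPasswordReset',
        "ResetTimeUtc: $whenUtc",
        "PasswordList: $ListName",
        "Title: $RecordTitle",
        "UserName: $Account",
        "Host: $Target"
    )
    return ($lines -join "`r`n")
}

function Test-BodyContainsSecret {
    param([string]$Body, [string]$Secret)
    # True if the new password somehow ended up in the notification text.
    return ((-not [string]::IsNullOrEmpty($Secret)) -and $Body.Contains($Secret))
}

$body = New-ResetNotificationBody -ListName $PasswordListName -RecordTitle $Title `
    -Account $UserName -Target $HostName

if (Test-BodyContainsSecret -Body $body -Secret $NewPassword) {
    throw 'Refusing to send: the new password is present in the notification body.'
}

# Send-MailMessage is marked obsolete by Microsoft but still ships with Windows PowerShell 5.1.
# -UseSsl keeps the record details off the wire in clear text; 587 is the usual submission port.
Send-MailMessage -SmtpServer $SmtpServer -Port 587 -UseSsl -From $From -To $To `
    -Subject "Password reset: $Title ($UserName)" -Body $body

# Manual test from a console (placeholder values):
#   .\Update-CMRegister.ps1 -PasswordListName 'Active Directory Accounts' -Title 'svc-backup' -UserName 'svc-backup'
```

The check before sending is cheap insurance: if someone later edits the body template and interpolates the wrong variable, the script fails closed instead of mailing a service account password to a mailbox.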

If you’d like to share your feedback please send it through to support@clickstudios.com.au.

Can you setup a Test Instance with Production Data

Did you know that Click Studios allows you to use your Passwordstate Production License Keys for One (1) non-production instance for Development, Staging or Quality Assurance (QA) purposes?  This information is included under section 3.5 Number of Instances in our EULA (End User License Agreement).  You can obtain the most up-to-date version of the EULA from our website.

The relevant section is reproduced below.

Unless otherwise specified you may install one (1) Passwordstate Instance on systems owned or operated by you or one of your Authorized Users. We allow you to deploy (1) non-production instance for development, staging or QA purposes. No other Passwordstate Instances are permitted, unless Multiple License Sets, the Global License, or the High Availability license options are purchased.

But you may be wondering, how exactly do I get a copy of my production data into a development instance?  Well, let’s read on.

Creating your Test Instance

First, you’ll need to decide on what you’re hoping to achieve with this second non-production instance.  For the purpose of this blog, we’re setting up a QA Server that matches our production instance.  This means it is identical except for its NetBIOS name, access URL, IP address and DNS entry.

Once we’ve set up our server(s) at the physical / operating system level we’re ready to migrate a copy of our existing Passwordstate instance to our new QA server.  Note: if your Production instance has the webserver and database on different servers then ideally you would replicate this setup for your QA Server.

The steps you need to follow can be obtained from our website.

It is important to follow the instructions in the order shown above by the Red Circles 1 and 2, i.e., perform the instructions from Red Circle 1 first and then those from Red Circle 2.  You should also ensure you have a backup before beginning the process (just good practice).

Once we’ve followed the instructions, we now have a copy of our production data on our new QA instance.

Important Things to Change

As we’ve now got a replica of our Production Passwordstate instance, with its associated Password Records and Reset jobs, it’s a good idea to prevent the QA instance performing unattended updates on your production data.  To do this,

open the Services console (services.msc) on your Passwordstate webserver, select the Passwordstate Service, right-click it and select Stop.

You should also open its Properties, set the Startup type to Disabled as per below and click OK.

This will prevent the Passwordstate Service from starting when you reboot or start the webserver.  The Passwordstate Service is responsible for the following;

  • Scheduled Password Resets, Discoveries and Heartbeats
  • Scheduled Backups
  • Sending Email Notifications
  • Checking for new Builds
  • Sending Audit Log data to Syslog Server
  • Synchronizing AD Security Groups
  • Sending Scheduled Reports
  • Archiving Auditing data
  • Removing Time Based Permissions
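As an added example (not from the blog), the same stop-and-disable can be done from an elevated PowerShell console on the QA webserver, with a check that it actually took, so it can be re-run after every refresh of the QA copy.  It assumes the Windows service is registered under the name Passwordstate Service; confirm the name with Get-Service on your own server.  The StartType property used in the check requires Windows PowerShell 5.1 or later.

```powershell
# Added example, not from the blog.  Assumption: the service name is 'Passwordstate Service'.
$ServiceName = 'Passwordstate Service'

function Disable-PasswordstateService {
    param([string]$Name = $ServiceName)
    $svc = Get-Service -Name $Name -ErrorAction Stop
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $Name -Force
        # Stop-Service can return before the process has fully exited; wait up to a minute.
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
    }
    # Disabled (not Manual) so neither a reboot nor a well-meaning admin can start it.
    Set-Service -Name $Name -StartupType Disabled
}

function Test-PasswordstateServiceQuarantined {
    param([string]$Name = $ServiceName)
    # Re-query rather than trusting the object we changed, so the check reflects the SCM state.
    $svc = Get-Service -Name $Name -ErrorAction Stop
    return ($svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled')
}

Disable-PasswordstateService
if (-not (Test-PasswordstateServiceQuarantined)) {
    throw "The '$ServiceName' service can still run; this QA copy would execute production reset jobs."
}
```

Run it once after each copy of production data is restored into QA, before the first reboot of the QA server, since a single missed scheduled reset from QA will change a real production account password.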

You should also review the Users and Security Administrators that have access to the QA Instance and adjust these as necessary.  Longer term it would probably pay to remove critical Password Records from this instance as well, since the QA copy holds the same secrets as production but is rarely protected to the same standard.

As you can see, the process of populating a test Passwordstate instance with production data is straightforward and permitted under our EULA.

If you’d like to share your feedback please send it through to support@clickstudios.com.au.

Passwordstate User Preferences

Passwordstate provides individual users the ability to customize some aspects of the UI (User Interface) and how the software operates.  This is offered so that frequent users can tailor the use, look and feel to better match their own preferences.

This week’s blog runs you through what can be set, and whether these settings are overridden by global settings that your Security Administrator may have put in place in accordance with organizational policies.

To access your Preferences, go to the Main Navigation Menu on the Left Hand side of the screen, click on the Person icon and then select Preferences.

Passwords Tab

The first tab under Preferences is the Passwords Tab.  From here you can set individual preferences for;

  1. How the Passwords Navigation Tree is handled.  This includes showing it collapsed, or remembering which Nodes (Password Lists and Folders) were expanded, and whether all Password Lists / Folders are shown or hidden,
  2. Limiting the number of Nodes shown, or showing all of them,
  3. If you want to show the Permission Model icons next to the Nodes in the Passwords Navigation Tree,
  4. Preferences for the type of Remote Session Launcher, if used from any Hosts in the Passwords Tab.
  5. If you wish to use the Load On Demand feature for faster loading of Nodes in the Passwords Navigation Tree.

It also notes some of the impacts associated with the Load On Demand feature that users need to be aware of.

Hosts Tab

The next tab is the Hosts Tab and, you guessed it, on this tab you can set your individual preferences for;

  1. Limiting the number of displayed Nodes, this time Folders and Host Records, in the Hosts Navigation Tree,
  2. If you wish to use the Load On Demand feature for faster loading of Nodes in the Hosts Navigation Tree, and,
  3. Settings associated with using the Browser Based Remote Session launcher.

With the Browser Based Remote Session launcher, you can select a number of session-based performance settings, as well as specify a different Keyboard layout for RDP sessions.  For SSH Sessions, you can specify the font size as well as the Background Color and Font Color.

Miscellaneous Tab

The Miscellaneous Tab handles all preferences that are not aligned to specific groups of functionality.

This includes,

  1. Whether the password field on the Add, View and Edit pages is visible or masked by default,
  2. Auto Generating New Passwords when adding a new Password Record,
  3. Setting Search Criteria Stickiness across Password Screens,
  4. The Position of the Actions Toolbar,
  5. Sorting order on all Password List screens,
  6. Sorting order for Search Results and Favorite Passwords from the Passwords Home screen,
  7. Base settings from selected Template for new Shared Password Lists,
  8. Base permissions from selected Template for new Shared Password Lists, and,
  9. The Date Format you prefer.

Color Theme

The Color Theme tab simply allows you the option of either using the System Wide color theme or you can choose to set your own by clicking on Choose My Own,

If selecting Choose My Own you can then select the Base Color you wish to use throughout Passwordstate.

Authentication Options

The Authentication Tab provides the largest selection of options, all related to you authenticating with Passwordstate.  The options can be used for accessing the Passwordstate website, and as secondary authentication when accessing a Password List.

Once you have selected the type of Web Authentication Option you wish to use you will need to ensure you’ve configured the corresponding authentication type.  Note I’ve selected Manual Login and Google Authenticator as my preference.

This first image shows the sections for ScramblePad Pin Number and One-Time Password Settings,

This second image shows the sections for YubiKey Authentication Settings and RADIUS Username, SecurID User ID, and Duo Security Username,

This third image shows the sections for Email Temporary Pin Code and Google Authenticator.  Here you can see I’ve gone through the process of enrolling, have scanned the generated QR code into my App (I’m actually using our Passwordstate Mobile App for this) and have saved the corresponding Secret Key,

Mobile Access Options

Next is the Mobile Access Options Tab.  Here you create the Master Password for your native iOS or Android Mobile App and generate the required QR code.  This is needed when setting up your Mobile App to sync with your Passwordstate Instance,

Browser Extension

The Browser Extension Tab controls the preferences for Automatic logout from the extension and any personal Ignored URLs.

Automatic logout of the Browser Extension can be set for;

  • When you close the browser, and,
  • When your computer has been idle for the specified number of minutes.

You can also clear the clipboard after a specified number of seconds, when performing the Copy to Clipboard from within the UI or from the Browser Extension.   

API

If you wish to use a One-Time Password code when using the Windows Integrated API (Application Programming Interface), you can set this on the API Tab.

Preferences Overridden by Global Settings

Your Passwordstate Security Administrator can use a feature called User Account Policies, which may override the majority of the settings you can specify under your Preferences.  If this has been done then those settings on an individual’s Preferences screen will be disabled.

Browser Extension settings, including logging out on browser closure, ignored URLs and permission to use the Extension, can be set by your Security Administrator.  So can permission to use the native iOS and Android Mobile Apps.  If you don’t have permission to use them you will not be able to fill out the details for your QR Code and enrolment.

If you believe you should be able to set your own Preferences, or have issues with enabling the Browser Extension or native Mobile Apps, please speak with your Security Administrator in the first instance.  Further details on how to configure each of the preferences can be found on our website’s documentation page.

If you’d like to share your feedback please send it through to support@clickstudios.com.au.

Adding Corporate Bad Passwords

Passwordstate uses a number of approaches to prevent users from selecting easy-to-guess words for their Password.  It does this by referencing a list of words that you want to prohibit from being used.  The options for where that list of blocked words is referenced from are located under Administration->Bad Passwords.

From here you can,

  1. Select the approach for referencing a Bad Passwords Database.  This can be based on either a Custom Database, where you populate the Bad Passwords, or by referencing a list of known bad passwords by using the Have I Been Pwned API.  You can even select an option for using Both if you are running Passwordstate V9 Build 9000 or above.
  2. You can Add, Import and Export your Custom Database containing both the default Bad Passwords that ship from Click Studios as well as any words that you have added to it.

Before we get into the main body of this blog article, we must mention the https://haveibeenpwned.com/ website, and the API that Click Studios references, is courtesy of Troy Hunt and the excellent work he’s done in providing details on credentials caught up in data breaches.  He provides this information as a free resource for everybody.

Include Words from Your Corporate Dictionary

A corporate dictionary, sometimes referred to as a corporate glossary, contains words, terms and their meanings.  They are typically used to assist employees in being able to speak the same business language.  For example, the Oil and Gas industry uses certain words to name and describe geology, products, processes, outputs etc. that relates to that industry.  The Corporate Dictionary is available as a resource that can be referenced to ensure that employees, colleagues and even industry partners can accurately understand what is being discussed.

Unfortunately, these resources are sometimes referenced as a source of passwords.  As an example, people outside of the Oil and Gas or Legal industries may rarely come across a word such as sequestration.  Excellent, I should use that as my password! Nuh-uh! Those cybercriminals that are targeting your organization will already have done some easy preparation and likely downloaded a list of Oil and Gas terms for use in a dictionary attack.  You could send out an email and ask all employees not to use the words in the corporate dictionary – but you and I both know that doesn’t work!

So… let’s stop those words from being used as passwords by adding them into the Bad Passwords Custom Database.  You could add each word individually by clicking on Add, located underneath the Custom Database display grid.  This will open the Add New Bad Password screen allowing you to add a word and then click Save.

Alternatively, you can click on Import, again located beneath the Custom Database display grid.  This will open the Import Bad Passwords screen,

From here simply click on Generate CSV Template.  This will create and download a simple template to your computer.  As shown in the image above, the CSV File Format includes one Field with a heading of BadPassword, and the size of the field is a maximum of 255 characters.

I’ve opened the template in Microsoft Excel, populated it with a selection of words from an Oil and Gas company’s corporate dictionary (using a sample found via a Google Search), and I now have a selection of words I want to prevent being used as Passwords.  I’ve then saved this file as badpasswords_OAG.csv.

Now, all I need to do is click on the Select button, pick the file using File Explorer and then click on Submit as per the image below,

This will import the contents of the CSV file and add those records to the Custom Bad Passwords database.  The Import Process will, as a confirmation, show the Import Successful screen and the number of records that were imported.  Click Continue to return to the Bad Passwords Screen,

Confirmation

Now, back on the Bad Passwords screen you can see confirmation in the image below that the required words have been loaded and will be prohibited from being used as passwords.

And…One Last Fine Tune

You can also prevent the words in the Custom Database from being used as part of a Password, rather than only as the whole Password.  To do this you’ll need to navigate to Administration->System Settings->Miscellaneous and select Yes for Use regular expressions when matching 'Bad Passwords'.  As an example, this will ensure that users can’t fool the system by taking a known bad password and appending '01' to it.
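As an added example (not code from the blog), the following PowerShell builds the import file in the same one-column BadPassword format from a plain-text glossary, applying the 255-character field limit and de-duplicating, and then models the difference between exact and substring matching that the regular-expression setting makes.  The glossary words are constructed sample data; the file name badpasswords_OAG.csv mirrors the one used in the import walk-through above, and the matching functions are an illustration, not Passwordstate’s server-side implementation.

```powershell
# Added example, not from the blog.  The dictionary words are constructed sample data.
$dictionaryWords = @(
    'Sequestration', 'Wellhead', 'Downhole', 'Flowback',
    '  wellhead  ',        # duplicate once trimmed (case-insensitively)
    ('x' * 300)            # longer than the 255-character BadPassword field; dropped
)

function ConvertTo-BadPasswordCsv {
    param([string[]]$Words, [string]$Path)
    $clean = $Words |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_.Length -gt 0 -and $_.Length -le 255 } |
        Sort-Object -Unique        # Sort-Object is case-insensitive by default
    # Same layout as the template Passwordstate generates: a single column headed BadPassword.
    $clean | ForEach-Object { [pscustomobject]@{ BadPassword = $_ } } |
        Export-Csv -Path $Path -NoTypeInformation
    return ,$clean
}

function Test-BadPassword {
    param([string]$Candidate, [string[]]$BadPasswords, [switch]$Substring)
    foreach ($bad in $BadPasswords) {
        if ($Substring) {
            # Models 'Use regular expressions when matching Bad Passwords': the banned word is
            # rejected anywhere inside the candidate, not only when it is the whole password.
            if ($Candidate -imatch [regex]::Escape($bad)) { return $true }
        } elseif ($Candidate -ieq $bad) {
            return $true
        }
    }
    return $false
}

$banned = ConvertTo-BadPasswordCsv -Words $dictionaryWords -Path (Join-Path $PWD 'badpasswords_OAG.csv')

# Compare the two matching modes on a banned word with digits appended.
$exact     = Test-BadPassword -Candidate 'Sequestration01' -BadPasswords $banned
$substring = Test-BadPassword -Candidate 'Sequestration01' -BadPasswords $banned -Substring
"Blocked by exact match: $exact; blocked by substring match: $substring"
```

With exact matching Sequestration01 is accepted, because it is not identical to any banned word; with substring matching it is rejected.  That is the whole effect of the setting, and it is worth previewing the list this way before enabling it, since a very short glossary word turned into a substring rule will reject every password that happens to contain it.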

By adding in words from your organization’s Corporate Dictionary you strengthen your Password policies and remove yet another potential attack vector: dictionary attacks built from easy-to-guess ‘bad passwords’.

If you’d like to share your feedback please send it through to support@clickstudios.com.au.

How to Access Passwordstate During A DR Event

You get the phone call you’ve been dreading, “We’ve lost our network and Active Directory.  We’re unsure of the status of most systems but do have successful backups that we can recover from if required.  When can you get in to the office as we’re calling a DR Event.”. 

Great!  You’ve been asking for the budget to establish High Availability for critical systems for a while but nobody’s interested.  And having good backups is all well and good but not much use if you don’t have access to your privileged accounts!  And you can’t access your Passwordstate instance as the network is down.  Looks like you’re out of luck… or are you?

Is Passwordstate Self Contained on the One Server?

The scenario we’re using in this blog (based on there being no network, high availability for critical systems or AD), will only work for those systems that have their Passwordstate database and website (Microsoft Internet Information Services) installed on the same server.  If your instance is split between 2 servers, one for the webserver and a separate server for your database you’re out of luck (…because you don’t have a network).

Create a HTTPS Binding

The first thing you’re going to need to do is add a second HTTPS binding to your production server’s Passwordstate site, so the site answers on localhost as well as on its production name.  To do this you’re going to need to be able to login via the console on your Passwordstate Server (again… no network).  Hopefully you have a Local Login and access to the password for this.  If you haven’t, then the first thing you’re doing once you’re out of the DR event is to download our native iOS and Android Apps and sync these to your Passwordstate instance.  This’ll give you a secure encrypted cache containing all of the credentials you’ve been granted access to.

Next, you need to perform the following steps;

  1. Start Microsoft IIS,
  2. Select the passwordstate website,
  3. On the left hand side of the IIS console, under Edit Site click on Bindings…,
  4. Click on the Add button,
  5. In the Add Site Binding dialog select the Type as HTTPS, set the Port as 443, type a Host name of localhost, and tick Require Server Name Indication if other sites on this server already use the same port (this lets the new binding coexist with the production one),
  6. Select your SSL certificate from the drop down box,
  7. Then click the OK button.

And finally click on the Close button.
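As an added example (not from the blog), the same binding can be created from an elevated PowerShell console with the WebAdministration module, which is sometimes quicker than clicking through IIS Manager at a console.  It assumes the IIS site is named passwordstate and reuses the certificate already attached to the production HTTPS binding; both are assumptions to check on your server.

```powershell
# Added example, not from the blog.  Assumptions: the IIS site is named 'passwordstate'
# and its existing HTTPS binding carries the certificate to reuse.
Import-Module WebAdministration

$SiteName   = 'passwordstate'   # assumed IIS site name
$HostHeader = 'localhost'

function Get-ProductionCertificateHash {
    param([string]$Site)
    $prod = Get-WebBinding -Name $Site -Protocol https |
        Where-Object { $_.certificateHash } |
        Select-Object -First 1
    if (-not $prod) { throw "No HTTPS binding with a certificate found on site '$Site'." }
    return $prod.certificateHash
}

function Add-LocalhostHttpsBinding {
    param([string]$Site, [string]$HostName, [string]$Thumbprint)
    if (-not (Get-WebBinding -Name $Site -Protocol https -HostHeader $HostName)) {
        # SslFlags 1 = Require Server Name Indication, so this binding can share port 443
        # with the production binding instead of conflicting with it.
        New-WebBinding -Name $Site -Protocol https -Port 443 -HostHeader $HostName -SslFlags 1
    }
    $binding = Get-WebBinding -Name $Site -Protocol https -HostHeader $HostName
    # Attach the certificate from the LocalMachine\My store to the new binding.
    $binding.AddSslCertificate($Thumbprint, 'My')
}

Add-LocalhostHttpsBinding -Site $SiteName -HostName $HostHeader `
    -Thumbprint (Get-ProductionCertificateHash -Site $SiteName)

# Once the DR event is over, take the emergency binding away again:
#   Remove-WebBinding -Name $SiteName -Protocol https -HostHeader $HostHeader
```

Because the production certificate is not issued for the name localhost, the browser will show a certificate name-mismatch warning on https://localhost; that is expected here and is the only situation in which you should click through it.  Remove the binding again when the event is over, as the commented Remove-WebBinding line shows, so the extra entry point does not outlive the emergency.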

Browse to your Passwordstate URL

Now you potentially have 2 options available to you.  If you have a Local Login with appropriate Security Administrator roles and permissions to the required Password Lists etc. you can logon with that account.  You can then access all the required credentials as appropriate.  Simply browse to https://localhost and click on the indicated buttons and links.

However, if you don’t have a Local Login then you’ll need to login via the Emergency Access Account.  This can be accessed via browsing to https://localhost/emergency.

In the example above we have 2FA enabled for the Emergency Access Account.  The limitation with using the Emergency Access Account is that you won’t have easy access to the credentials you’ll need.  Instead, you’ll need to Export All Passwords to a password protected .ZIP file and then copy this to a USB drive if required.  Treat that file and the USB drive as holding every shared credential in the instance: keep them offline and destroy them once the DR event is over.

Note this will only export Shared Password Lists; you have no access to users’ Private Password Lists.  To export all passwords, navigate to Administration->Export All Passwords, select the Export Option you want and click on Export.

As long as you have console access to your Passwordstate server, and have the webserver and database installed on the same server, you can access your credentials via one of the 2 options outlined above.

If you’d like to share your feedback please send it through to support@clickstudios.com.au.