One Time Passwords and The Browser Extension

This week’s blog almost sounds like a modern take on one of Aesop’s fables, except instead of featuring animals with human attributes we’re using a modern “technology take” on the story.  There’s no moral taught in this story (blog), just another nifty feature to make your life easier.

Most users of Passwordstate who have created Password Lists will know that there are a number of templates that can be used when creating them.  You don’t have to use these; however, for those of us who don’t regularly create Password Lists, the Add Shared Password List Wizard can streamline the creation and permissions processes.

Add Shared Password List Wizard

So, let’s set the scene first.  Your organization has recently signed up for a new Cybersecurity defense solution and enrolled a pilot group of users.  This has proven to be very successful and you’ve been tasked with extending the enrolment, via the web-based Administration Console, to all users within your organization.

The problem is, the administration console requires multi-factor authentication, in this case a Username, Password and OTP (One-Time Password) to enable login.  This is a pain as you’re using two sources for the information.  You’re using Passwordstate for the Username and Password and a Mobile App for the One-Time Passwords.  But you don’t have to.  Instead, you can create a Password List based on the One-Time Password Authenticator template.

First navigate to the Passwords tab, right-click on Passwords Home and select Add Shared Password List.  This will bring up the Add Shared Password List Wizard.  Enter the details for the Password List and choose the One-Time Password Authenticator template as per the image below;

Enter all the details you require and click Next.  This will take you to the Permissions section, where you can specify the Security Groups or Users you want to assign permissions to for this Password List.  Once you’ve entered all your details click Next.  This will take you to the Confirmation section, allowing you to review your details before clicking Finish to create the Password List.  The details for the Password List I’ve created are as follows;

Please note you can modify an existing Password List and simply select the Enable One-Time Password Generation option to add the OTP section to all Password Records in that list.  However, in the scenario above I’ve elected to keep all Password Records requiring the additional One-Time Password authentication together in one purpose-designed Password List.

Add a Password Record for MFA

Now that we have the Password List, enabled for OTP setup, I’m going to add the credentials for our Cybersecurity defense solution.  To do this navigate to the Password List and click on Add underneath the Password Record grid.  Enter all the details for the Password Record and, importantly, scan the QR code that was supplied by the issuer.

If you don’t have a QR code you can enter the Issuer, Secret and algorithm specified by the issuer and click Save.  The image below shows the completed Password Record;

Access all Details via Browser Extensions

Now when you browse to the web-based Administration Console the Browser Extension will automatically form-fill the Username and Password fields.  But where are the OTP details?  When the Browser Extension identifies the Password Record it will, in the Browser Extension menu, provide a right arrow-head next to that record.  Clicking on this will bring up the details for the Password Record including the Username, Password and One-Time Password as per the image below;

You’ll note the OTP shows the time to live for the current OTP code.  This allows you to ensure you have sufficient time to copy and paste that OTP code before it regenerates.
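To make concrete what the Password Record stores (Issuer, Secret and algorithm from the QR code) and what the Browser Extension displays (the current code and its time to live), here is an added example that is not Passwordstate’s own code: it parses an otpauth:// QR-code URI and computes the TOTP code and remaining seconds per RFC 6238. The URI, the Contoso issuer and the base32 secret (the RFC 6238 test secret) are constructed sample values.

```python
import base64
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import parse_qs, unquote, urlparse

# Hash algorithms an issuer may specify in the QR code (RFC 6238 allows these three).
_HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


@dataclass
class OtpParams:
    """The fields a Password Record needs: Issuer, Secret, algorithm, digits, period."""
    issuer: str
    account: str
    secret: bytes
    algorithm: str = "SHA1"
    digits: int = 6
    period: int = 30


def decode_base32(text: str) -> bytes:
    """Issuers often print the secret in lower case with spaces; normalise and pad it."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def parse_otpauth(uri: str) -> OtpParams:
    """Parse an otpauth://totp/Issuer:account?secret=...&algorithm=... URI (QR code content)."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc.lower() != "totp":
        raise ValueError("only otpauth://totp URIs are supported")
    label = unquote(parsed.path.lstrip("/"))
    label_issuer, _, account = label.rpartition(":")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if "secret" not in params:
        raise ValueError("secret parameter is required")
    algorithm = params.get("algorithm", "SHA1").upper()
    if algorithm not in _HASHES:
        raise ValueError(f"unsupported algorithm {algorithm}")
    return OtpParams(
        issuer=params.get("issuer", label_issuer),  # query parameter wins over the label
        account=account,
        secret=decode_base32(params["secret"]),
        algorithm=algorithm,
        digits=int(params.get("digits", 6)),
        period=int(params.get("period", 30)),
    )


def hotp(secret: bytes, counter: int, algorithm: str = "SHA1", digits: int = 6) -> str:
    """RFC 4226: HMAC over the big-endian counter, dynamic truncation, then mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), _HASHES[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(params: OtpParams, at: Optional[int] = None) -> Tuple[str, int]:
    """RFC 6238: counter = floor(unix_time / period). Returns (code, seconds until it rolls over)."""
    now = int(time.time()) if at is None else at
    counter = now // params.period
    remaining = params.period - (now % params.period)
    return hotp(params.secret, counter, params.algorithm, params.digits), remaining


# Constructed sample: the RFC 6238 test secret "12345678901234567890" encoded in base32.
SAMPLE_URI = ("otpauth://totp/Contoso:admin%40contoso.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Contoso"
              "&algorithm=SHA1&digits=8&period=30")

if __name__ == "__main__":
    record = parse_otpauth(SAMPLE_URI)
    code, ttl = totp(record)
    print(f"{record.issuer} / {record.account}: {code} (valid for {ttl}s)")
```

The remaining-seconds value is the same figure the extension shows as time to live; a code obtained with only a second or two left should be discarded rather than pasted.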

It really is as simple as that.  Now you can use a consolidated approach to storing the Password Credentials for sites requiring multifactor authentication with One-Time Passwords.

If you have feedback, we’d love to hear it via support@clickstudios.com.au.

Searching in System Settings and Feature Access

There’s no denying that Passwordstate has a significant number of options for configuration and customization.  That can sometimes make it hard to remember exactly where a configuration option lives (or is hiding).  That’s why in V9 we introduced a search facility, to find exactly where you need to go, so that you can configure that option.

Search Settings Locations

Search Settings exists in two different areas of Passwordstate: System Settings and Feature Access.  To locate either of these simply navigate to Administration->System Settings or Administration->Feature Access as per the screenshots below;

In both areas you’ll find the Search Settings dialog at the top of the screen, located just under the page title.  So how does the Search function in these areas operate?

Practical Example of Search Settings

Let’s use a practical example of the Search Settings.  In this scenario you’ve been working as part of the Business Integration Team, looking at what’s required to integrate your Passwordstate Instance into a new organization that’s been formed through the merger / acquisition of another business.

The two original Business Names are to be replaced with a new Entity Name.  The integration Team have suggested renaming the Passwordstate instance to reflect the new Entity Name.  You remember that once you’ve changed the existing Passwordstate instance URL you’ll need to also change this so it appears correctly in all emails, permalinks, etc.  But where to look?

What you could do is search for URL, which instantly drops down a list of the Tabs and Settings that match the search criteria you’ve entered, as per the screenshot below;

On selecting the first result in the list you are taken to that Tab and the relevant area is highlighted in yellow showing you where you need to make that setting, again as per the screenshot below;

Note the Search Settings criteria is “sticky” until you use the eraser to clear it.  This means that if you remembered you also needed to make changes to the Mobile Access URL for your App Server you can simply select that result (3rd in the list of the search results) and navigate to that tab and make your changes there too. 

It also means that you don’t have to re-enter your search criteria if you selected an option from the results drop-down that didn’t match exactly the area you were looking for.  We think the Settings Search is a nifty little improvement.  As always, we welcome your feedback via support@clickstudios.com.au.

Real World Example – Importance of Password Management

Let’s start off this week’s blog with a confession.  Here at Click Studios we want businesses to buy and use Passwordstate!  When you buy licenses for our products, and take out Annual Support and Upgrade Protection, you help us to maintain and grow our business.  We don’t deny that.

However, take a look at our pricing structure and the catch-line on our website which summarizes our philosophy.   Password Management Should Be Affordable For Everyone.  Because It’s Important. 

We genuinely believe that all businesses should have the opportunity to access a secure, flexible and affordable Enterprise Password Management System.  One that your IT and Security staff can use to access and share sensitive password credentials.  Without a solution like Passwordstate,

  • How do you centralise control of, and allow secure access to, these sensitive credentials?
  • Do you know who is accessing your privileged credentials and when are they doing it?
  • Can you provide access to them based on an employee’s role?
  • Can you quickly change them when an employee leaves?
  • How do you ensure these critical passwords aren’t being copied, changed or exported for other uses?
  • How can you manage password resources on discrete networks?
  • Is your password store secure?
  • Can you rely on access to your passwords when you really need them?

If your business uses Information Technology, in any fashion, then the above points are important and relevant.  Your accounts, especially those with higher privileges, can be used to exploit your most sensitive information and critical systems.  Privileged access gives individuals the power to alter your data, change the configuration of applications and infrastructure, and has the potential to cause you irreparable reputational and financial damage.  If this were to happen would your business survive?

Credential Breaches Are Real!

On 2nd February 2021, Cybernews reported “Largest compilation of emails and passwords leaked for free on public forum”, with more than 3.2 billion unique pairs of cleartext emails and passwords leaked on a popular hacking forum.  This is known to be an aggregation of past leaks from Netflix, LinkedIn, Exploit.in, Bitcoin and other sources.  It is referred to as a Compilation of Many Breaches, or COMB.

A subset of entries contained in a previous COMB in 2017 were tested by Constella.  They found that “most of the tested passwords worked” and “Given the fact that people reuse passwords across their email, social media, e-commerce, banking and work accounts, hackers can automate account hijacking or account takeover”.

What’s more the breach isn’t just a list of stolen credentials, but rather an interactive database that allows quick searching of credentials.  In other words, it allows the lookup of specific credential sets to make selective targeting of individuals and businesses easier!

You can find the full report on Cybernews website: https://cybernews.com/news/largest-compilation-of-emails-and-passwords-leaked-free/ and reference their data leak checker: https://cybernews.com/personal-data-leak-check/

Implications and Impacts

The implications of this breach may be far reaching (I would have said unprecedented – but that word was done to death in 2020!).  The majority of people still reuse their passwords and usernames across multiple accounts. 

This gives our unfriendly Cyber Criminals a head start with rich information for credential stuffing attacks.  The unfortunate fact is that if a user has the same passwords for their LinkedIn or Netflix accounts and an email account, then attackers can and will target other more important business accounts. 

These users typically become recipients of targeted Spear Phishing attacks, receive high levels of spam emails and imposter attacks via social media platforms.

Use Passwordstate to Protect Your Assets

First, get Passwordstate up and running within your business!  If you already use it then look at how you can improve its use within your business.  If you don’t have it installed then download the 30 Day Free Enterprise Trial here.  You can see how affordable our software is here.

Second, stop reusing passwords and usernames across multiple accounts.  If you do, and your account details are compromised in a breach, it’s just a matter of time before your other accounts are targeted.  And it’s not just Celebrities and Millionaires that are targeted with Spear Phishing attacks.  It’s also Help Desk Staff, Accounts Payable Clerks, Middle Management and those IT workers with increased privileges (yes, I’m talking about you, System and Network Admins).  Set up Password Strength Policies and Generators in Passwordstate that create unique, strong passwords every time.

Third, regularly reset your passwords automatically.  Don’t keep the same passwords forever.  It’s not that hard to change a password every 90 days (just an example, your IT policies may require shorter timeframes).  If you’ve got lots of accounts then stagger the resets to make it manageable.  Use our tools, like the Browser Extensions, to automatically generate and save an updated password back to Passwordstate when changing it online.  Automate wherever you can to make your life easier!

Then look at implementing 2-Factor Authentication where it makes sense.  You can still do this if you use Single Sign-On, and you can selectively target accounts.  View your accounts as assets and manage them based on risk and impact.  As an example, Banking Accounts and System Administrators’ Privileged Accounts should always have 2FA enabled.  Even if your credentials are compromised, hackers can’t access the account if you use 2FA.

Be informed, take control of your assets and as always, we welcome your feedback via support@clickstudios.com.au.

Cyber Criminals Tools & Techniques

Building on last week’s blog Cyber Criminals Exploit the Human Factor, this week we’ll explore a little more detail around the tools and techniques used by Cyber Criminals to convince selected and targeted individuals to take action.

To be effective in obtaining credentials and/or sensitive information through phishing attacks Cyber Criminals rely on an arsenal of tools and techniques. These are focused on building rapport with selected individuals, creating situations that appear to be authentic, and help to establish credibility and typically a sense of urgency.

Social Engineering

Social engineering principles form the core of the majority of attacks. These range from simple lures designed to appeal to our curiosity, for example a fake invoice sent to the Accounts Payable Department, or a Job Description for an attractive role/vacancy to an IT Department Systems Administrator. 

More sophisticated approaches can include union action over a fabricated unresolved Health and Safety incident or media exposure of non-conformance to government procurement guidelines.  Themes can vary based on Cyber Criminal groups, industry type and selected individuals.  Typical themes spanning most industry types include Love, Money, Food and Real Estate.

The Carbanak Campaign

A well-known example is the Carbanak campaign, predominantly targeting financial institutions for the purpose of monetary theft.  A Windows-based malware payload was introduced via phishing emails and has been reported to have resulted in the theft of over $900 Million USD from Banks and selected individuals.  The email attack used authentic-looking lures with professional documentation in the form of attachments that distributed multiple strains of malware.  The email author claimed to have been double-charged and demanded an urgent resolution.  It used stolen vendor branding and claimed to be protected by that vendor’s technology.  The instructions provided for decrypting the document were actually the steps required to enable macros and allow the installation of the malware.

Real Estate Lures

Real estate transactions typically involve multiple parties, a degree of urgency, and the opening and exchanging of both personal information and digital signatures.  This is why they represent a frequent target for Cyber Criminals using phishing and malware attacks. DocuSign, a trusted source for electronic signatures, is routinely abused using Brand Impersonation along with Real Estate and Bank Portals that look legitimate. The processes of buying a home and/or applying for a rental property create readily exploitable opportunities, especially when the selected individuals are not familiar with the many steps involved.

Fake Jobs

An increasingly effective tactic, especially as economies commence rebuilding post COVID-19, is the fake job ad.  These typically use multiple points of contact to establish a relationship with the selected individual.  Popular career platforms such as LinkedIn are used to send invitations from a legitimate account to the selected individual.  These are then followed up with personalised emails without any malicious content.  At some stage in the ongoing exchange, once a rapport has been built, the Cyber Criminals send the malware-bearing email.  Selected individuals, typically with access to corporate accounts or sensitive information, are targeted with the ultimate aim of initiating fraudulent money transfers or obtaining sensitive personal and/or business information.  In most cases the Cyber Criminals impersonate a known business leader in a position of authority.

Brand Theft

Believable (but fake) domains and web presences tangibly support social engineering efforts.  Fraudulent Websites using stolen branding and registered domains resembling real brands are all part of the Cyber Criminals’ arsenal.  Look-alike domains are becoming increasingly sophisticated and are close enough to the original that they are infrequently questioned.  Legitimate-sounding variations of known brands provide Cyber Criminals with the ability to execute account fraud, also known as angler phishing, impostor email attacks and more.

Legitimate Platform Abuse

Cyber Criminals are increasingly taking advantage of file-sharing and collaboration tools as businesses move to Software as a Service platforms.  This is made easier due to business familiarity and whitelisting allowing easy distribution of malware and phishing templates.  Frequently abused platforms include;

  • Google Drive and Microsoft Office 365
  • Box and Dropbox
  • MailChimp and SendGrid
  • Payment services allowing outbound mailing of invoices
  • Social Media Platforms

These services readily leverage the human factor as we work from a position of trust, opening links received via email without considering the potential for malware or reconnaissance leading to credential theft.  Targeted infiltration of a SaaS platform enables secondary attacks that are hard for users to detect and identify.  It allows for internal phishing and can result in credential dumps that are used for credential stuffing or brute-force attacks.

Imposter Attacks

Impostor attacks utilize a range of techniques to convince targeted individuals they are communicating with a trusted entity. These include display-name spoofing, where the email appears to be coming from a known trusted source, domain spoofing, where an attacker appears to use a company’s domain to impersonate a company or employee, and look-alike domains.  The basis of these attacks is Identity Deception, as opposed to more common attacks simply using throwaway attacker-owned addresses and domains, and they are proving to be highly effective.
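As an added illustration (not code from the original post), the following triage function applies the three impostor techniques just described to a message’s From header: display-name spoofing, domain spoofing and look-alike domains. It assumes the mail gateway supplies a DMARC pass/fail verdict for each message, uses the fictitious Contoso as the protected organisation with constructed sample headers, and the confusable-character table and edit-distance threshold of 2 are assumptions tuned for the sample.

```python
from email.utils import parseaddr
from typing import Dict, List

# Characters commonly substituted in look-alike domains (assumed table, extend as needed).
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalise_domain(domain: str) -> str:
    """Fold digit-for-letter and two-letter substitutions so c0ntoso / rn-for-m compare equal."""
    return domain.lower().translate(_CONFUSABLES).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, trusted_domain: str,
                    known_people: Dict[str, str], dmarc_pass: bool) -> List[str]:
    """Return the impostor indicators raised by a From header.

    known_people maps a display name (lower case) to that person's legitimate address.
    dmarc_pass is the gateway's verdict for the message (assumed to be available).
    """
    display, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    trusted_domain = trusted_domain.lower()
    flags: List[str] = []

    if domain == trusted_domain:
        # Our own domain on a message that failed authentication: domain spoofing.
        if not dmarc_pass:
            flags.append("domain-spoofing")
    elif (normalise_domain(domain) == normalise_domain(trusted_domain)
          or levenshtein(domain, trusted_domain) <= 2):
        flags.append("look-alike-domain")

    # A known person's name over an address that is not theirs: display-name spoofing.
    legit = known_people.get(display.strip().lower())
    if legit is not None and legit.lower() != address.lower():
        flags.append("display-name-spoofing")
    return flags


# Constructed sample data for the fictitious Contoso organisation.
TRUSTED_DOMAIN = "contoso.com"
KNOWN_PEOPLE = {"jane smith": "jane.smith@contoso.com"}
SAMPLE_MESSAGES = [
    ("Jane Smith <jane.smith@contoso.com>", True),    # genuine
    ("Jane Smith <jane.smith@contoso.com>", False),   # our domain, failed DMARC
    ("Jane Smith <ceo.janesmith@gmail.com>", True),   # known name, outside address
    ("IT Helpdesk <helpdesk@c0ntoso.com>", True),     # digit-for-letter look-alike
    ("Jane Smith <jane.smith@contoso.co>", True),     # truncated TLD plus known name
    ("Bob Jones <bob@example.org>", True),            # unrelated external sender
]


def triage(messages=SAMPLE_MESSAGES) -> List[List[str]]:
    """Classify each (From header, dmarc_pass) pair against the Contoso sample data."""
    return [classify_sender(hdr, TRUSTED_DOMAIN, KNOWN_PEOPLE, ok) for hdr, ok in messages]


if __name__ == "__main__":
    for (hdr, ok), flags in zip(SAMPLE_MESSAGES, triage()):
        print(f"{hdr!r:45} dmarc={'pass' if ok else 'fail'} -> {flags or ['clean']}")
```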

How can Click Studios Help?

Another element of the human factor is the reuse of passwords.  Recent research suggests that greater than 40% of businesses have at least one compromised account and 6% of businesses have at least one VIP account that is compromised.  This makes internal phishing and Business Email Compromise easy for Cyber Criminals.

Click Studios Passwordstate, an on-premise web based solution for Enterprise Password Management, facilitates unique account and password combinations for all systems.  Passwords can automatically be reset on a scheduled basis, can only be accessed by authorised users via Role Based Access Control, and full end-to-end auditing keeps track of who has accessed the credentials and when.

As always, we welcome your feedback via support@clickstudios.com.au.

Cyber Criminals Exploit the Human Factor

Cyber criminals use social engineering approaches to install malware, steal information, perform fake transactions and even shut down businesses.  Greater than 97% of reported attacks target “the human factor” as opposed to making use of known system vulnerabilities.

Social engineering approaches used by Cyber Criminals focus on people, their role in the business, the data they have access to and the likelihood they can be enticed to perform an action. The human factor, our ability to be curious, the biases we have and their effect on our decision-making processes, our emotional state of mind, the way in which we monitor and evaluate situations on the basis of risk or reward, and the level of boredom in our roles all contribute to people being the most effective attack vectors in infiltrating businesses to facilitate fraud, theft and potentially worse.

Over the last 3 years there has been a marked shift towards information-stealing malware, with “the human factor” becoming ever more effective at preying on people.  From impostor messages, where an email appears to come from a person the target knows, to malware that silently profiles individuals and steals data and credentials for future attacks, Cyber Criminals have their eyes firmly set on your business’s most valuable assets and the monetary value they hold.  This ultimately fuels their revenue streams and funds future attacks.

Who is the Focus?

The Social Engineering approach, focused on “the human factor”, is all about exploiting select individuals and identities in targeted industries, not infrastructure and systems.  Conversely, most businesses focus their IT Security budgets on infrastructure and systems.

The largest attack vector is still email, with 93% of all breaches targeting select individuals via approaches ranging from spam to imposter attacks.  These select individuals are targeted on the basis of obtaining credentials to,

  • Feed further attacks against the targeted business,
  • Improve the effectiveness of the Social Engineering techniques with which they can obtain credentials and information,
  • Commit fraud

The people representing the greatest source of risk in business are,

  • Very Attacked Persons or VAPs.  These are easily discovered identities and shared accounts.  More than 35% of identified VAPs details are found online via corporate Websites, social media platforms, newsletters and annual reports
  • VIPs and C-Level executives.  Again, these are readily discovered via social media platforms and more than 20% of the email addresses can be discovered via simple Google Searches
  • VAPs, VIPs and shared accounts in Education, Finance and Banking, Automotive & Manufacturing, IT, Media & Advertising (including Marketing) and Retail are frequently the most targeted

What are the Attacks?

As shown in the diagram, email is still the biggest initial attack vector for businesses.  In 2018-19 generic email harvesting accounted for almost 25% of all phishing schemes.  These were in the main focused toward credential harvesting.  Over 99% of emails distributing malware require human intervention to be effective; this includes following links, opening attached documents, enabling macros, accepting security warnings and saving and unzipping executables.

Malware-free Imposter Message attacks, including Business Email Compromise (BEC), are on the rise.  Imposter Messages and BEC are used by Cyber Criminals to build rapport with attacked individuals, obtain multiple points of contact and create a sense of urgency around the activities they require the targeted individuals to perform.  These activities include approving payments for fake invoices, or releasing business data.

Phishing lures typically simulate well-known brands such as Banks, Retailers and Webmail, offering login portals that seek to capture specific service credentials or simply obtain email logins that are used in future credential stuffing attacks.

Domain fraud continues to increase, with attackers using techniques from look-alike domains to legitimate certificates to make malicious Websites appear trustworthy.

How are Select Individuals Identified?

Cyber Criminals are increasingly focused on attacking select individuals in a business instead of every user and reviewing which attacks are successful. These select individuals are either targets of opportunity or identified users with sufficient access and privilege.  These people make up the group of VAPs in a business.

VIPs, C-level Executives and Members of the Board are often not VAPs.  VAPs are typically more easily identified online, presenting a simpler and more direct means for Cyber Criminals to discover their role and contact details, then targeting them with multiple attacks.  On average, across all industries, more than 35% of VAPs’ details can be found online.  The following graph shows the average % of VAPs identified by Web based source,

as opposed to the common source of VIP identities,

However, one area of significant risk for businesses is VIPs who are also VAPs.  In these cases, the average, across all industries, is greater than 20% of their email identities could be discovered online via a Google search.

How can Click Studios Help?

Click Studios specialises in the development of Passwordstate, an on-premise web based solution for Enterprise Password Management, allowing teams of people to access and share sensitive password resources.  Our solution uses role based access control, with end-to-end event auditing, to provide a secure platform for password storage, management and collaboration. 

For more information on how we can help please contact sales@clickstudios.com.au and as always, we welcome your feedback via support@clickstudios.com.au.

Click Studios Support

Click Studios has built its well-earned reputation on three Pillars.  The First Pillar: Continuous development of an Enterprise grade Password Management Solution that is feature rich and scales from the smallest not-for-profit to the largest multinationals. The Second Pillar: Our solution must remain affordable for all businesses ensuring that everyone has the opportunity to protect their privileged accounts and access to data.  The Third Pillar: Provide excellence in the technical support of our solution by hiring inquisitive, technically savvy, customer focused team players that are truly passionate about helping others.  

Click Studios Support

The Passwordstate product suite, including the core product covered by Client Access Licenses (CALs), Enterprise and Global Licensing along with the High Availability Module, can all be placed under maintenance.  The Click Studios term for maintenance is Annual Support and Upgrade Protection.  Active Annual Support and Upgrade Protection entitles customers to all minor and major releases of Passwordstate, Priority Email and Phone support covering technical questions, how-to questions, general enquiries and Remote Desktop assistance if deemed necessary by our Technical Support Team.

Our subscriptions for the Password Reset Portal and Remote Site Locations are only available if you have Active Annual Support and Upgrade Protection and the duration of the subscription is bound to your support expiry date.

What is covered (in detail)?

By purchasing Annual Support and Upgrade Protection you are covered by the terms and conditions as outlined here.  When you navigate to the support page on our Website, you’ll see the following displayed;

It’s important to read through the details on this page to understand what is covered and what is excluded.  The following is a brief outline of what is supported and when;

  • Only the current Major version and one previous Major version and their associated add-ons are supported.  This will mean that 90 days after the release of Passwordstate V9 we will only be able to support Passwordstate Version 9 and Passwordstate Version 8 (back to June 2017).
  • Email support is available from Mon-Fri, 6:00am-6:00pm UTC +09:30 (Adelaide, Australia)
  • Phone support is available from Mon-Fri, 8:30am-5:00pm UTC +09:30 (Adelaide, Australia)
  • Emails and Support Tickets generated during the support hours described above will receive a response within 2 hours.  Outside of standard support hours we guarantee a 24 hour response (generally within 12 hours)
  • We are unable to cover third party applications, hardware or the use of Click Studios software in unsupported environments.  This includes assistance with Load Balancers, Network configuration and assistance in maintaining your Microsoft SQL Databases.

Please note, if you have accidentally allowed your Annual Support and Upgrade Protection to lapse we’ll be unable to provide you with any assistance (even though the Technical Support Team will want to).  The Technical Support Team will advise you of this and will CC in sales@Clickstudios.com.au to assist with a quote to reimplement your Annual Support and Upgrade Protection.

How to log a Support Call

When needing to log a support call you have 3 options.  The easiest of these is to Generate A Support Ticket, followed by directly emailing our Technical Support Team, and lastly by calling support.

To Generate a Support Ticket simply browse to the Click Studios Website Support Page https://www.clickstudios.com.au/support.aspx and you’ll be presented with the following screen,

This page details the support hours for Email Support (including Support Tickets), the current date and time for Adelaide Australia and the international phone number if needing to call for support.  It also provides the email address support@clickstudios.com.au if you need to email us directly.  As indicated, you’ll need to provide us with;

  • The Passwordstate Build Number, e.g. 8973
  • The Web Server Operating System selected from the drop down list, e.g. Windows Server 2019

Once you’ve entered these and clicked on Generate Support Ticket you’ll be presented with an email as per below;

You’ll notice that the above email has prepopulated the Build Number and Server OS fields and generated a Support Ticket ID for this request.  Now comes the important part, we need as much information as possible relating to your issue.  This includes,

  • The Web Browsers you are using to connect to the Passwordstate web site e.g. Edge Version 85.0.564.51
  • Screenshots of any errors
  • Description of what you were doing in Passwordstate at the time
  • Instructions on how to reproduce the error

Call Support

While we prefer to accept Support Requests via Generating A Support Ticket or direct email we will of course accept phone calls. 

The reality is that more than 99% of our Support Requests are in the form of Support Tickets and direct Emails, and as this medium supports the supply of diagnostic rich information, it is far more effective for both parties.

What about Trial Implementations and “Free for 5 Users”?

Click Studios understands that Support Requests may be submitted by organisations that are trialling Passwordstate and by small businesses that have taken up the offer of “Free for 5 Users” licensing.  In these instances, Click Studios will use reasonable efforts to provide technical support on the following basis,

  • Customers with active Annual Support and Upgrade Protection will be prioritised highest in the queue for support
  • Potential Customers with active Trial licenses who are still trialing Passwordstate are prioritised next
  • Small businesses with “Free for 5 Users” licensing are prioritised last

Extended Support

Click Studios offers Extended 24 x 7 Support which is in addition to the standard support coverage.  The Extended Support is for critical events where the Passwordstate Website is not accessible for all users.  Customers must have attempted to restore their Passwordstate Instance system from the last known good backup before contacting Click Studios.

The Support Request process is initiated via calling the Extended Support phone number, issued after Extended Support has been purchased.  Your call will then be routed to the on-call Technical Support Engineer.  Please note the Technical Support Engineer does not monitor the Click Studios Ticketing system for incoming Support Requests.  In these cases you should only email through information for the on-call Technical Support Engineer when requested by them.

The limitations associated with Extended Support are,

  • Any minor events or issues logged as part of the Extended Support will incur additional charges
  • Email requests received outside of standard support hours will not be processed until the next business day
  • It is not available for Trial or “Free for 5 Users” licenses
  • Click Studios reserves the right to determine which customers qualify for the Extended Support prior to accepting the order
  • Additional charges may apply in instances where upgrades have been attempted and backups have not been performed and/or instructions have not been followed

If you have any queries, or want to provide feedback, please email it through to support@clickstudios.com.au

Buy Now – Options and Information Required

You may be a new customer, having trialed Passwordstate, and are about to jump in and make your first purchase.  There are a number of different ways in which you can purchase Passwordstate, so which do you choose?  This week’s blog entry is a quick overview of using the BUY NOW menu option available from our Website.

Locating the BUY NOW Options

When you browse to the Click Studios Website https://www.clickstudios.com.au/ you’ll notice the third menu item, from the left at the top of the screen, is BUY NOW.  This menu provides a range of different options and information to ensure you have everything you need to complete your purchase.

Buy Now

When you select the Buy Now option you will be taken through to our Purchase Passwordstate page https://www.clickstudios.com.au/buy-now.aspx.  This allows you to enter the quantities and types of licenses you require.  In all the examples for this week’s blog entry we are using a fictitious company called Contoso,

In our examples Contoso are about to purchase 60 x Client Access Licenses (CALs) with Annual Support and Upgrade Protection and a Password Reset Portal Subscription for up to 100 Users.  The cost for the purchase is presented to the customer and they can fine tune the quantities up and down as required before selecting Buy Now.  It is important to note that outside of Australia the purchaser is responsible for any applicable sales and value-added taxes in their jurisdiction.  These taxes are not factored into the prices presented on the Purchase Passwordstate screen.  Our Australian customers will be presented with the GST component on this screen and it is factored into the Total Price. 

On clicking Buy Now you will be directed to our Webpage that links through to our global eCommerce partner BlueSnap,

When entering your payment details you should note;

  • If you don’t see the Order Information as per above, click on the + symbol in the circle.  That will expand the Order Information summary.  To see the full description, hover your mouse cursor over the description.
  • You’ll note that BlueSnap have automatically added the Tax for your Jurisdiction.  This is controlled by BlueSnap and is legally required of them.  European customers with a tax exemption will have the option to input their exemption code, and BlueSnap will then not apply this Tax component.

Once you’ve completed filling out your details click on submit.  You will receive an email with the order details and your license keys will be emailed through within a maximum of 48 hrs (typically 12 hrs).

Get a Quote

When you select the Get A Quote option you will be taken through to our Create Passwordstate Quote page https://www.clickstudios.com.au/create-quote.aspx.  This allows you to create a formal quote and have that emailed through to a nominated email account.  Simply supply the Company Details and enter the quantities and types of licenses you require as per the image below,

On clicking Submit the nominated email account will receive a copy of the Quote as per below,

You’ll also note that at the bottom of the quote you are presented with a number of options to proceed with the order,

  • If you click on the Click to order Online link at Option 1 you’ll be taken through to our Webpage that links through to our global eCommerce partner BlueSnap.
  • If you click on the Click for Purchase Orders Instructions link at Option 2 you’ll be directed to https://www.clickstudios.com.au/purchase-orders.aspx and be presented with the details to be included on your Purchase Order, 
  • If you elect to take Option 3 and provide a Direct Bank Deposit / Wire Transfer, please note that IBAN (International Bank Account Number) is not used in Australia.  We have followed the recommendations issued by the Commonwealth Bank of Australia on how to represent an IBAN.  You can reference their information here.  Please ensure you email us with the License Registration Name, typically your Company or Business Name, your contact details including First Name, Surname and email addresses of up to 4 contacts, and the details of the transaction.  Don’t forget to reference the quote or invoice number in the deposit / transfer description so that we can trace the payment.  Once we have received payment we will generate the license keys and email them through.
  • Lastly, if you decide to pay by Check and are based outside of Australia it can take between 8 to 12 weeks for the Check to arrive.

We hope this helps in better understanding your purchasing options.  If you have any queries or would like to provide feedback please email it through to support@clickstudios.com.au

Final Sneak Peek of Passwordstate 9

This is the final Sneak Peek at Passwordstate Version 9.  Our Managing Director and Chief Executive Officer has kindly requested all Click Studios employees to stop finding new functionality to incorporate into the release (but we can’t help it 😊).   The last of the code is currently being run through Systems Testing and will soon progress to our internal UAT (User Acceptance Testing) Team.

So, on to this week’s blog and your final tease of the new features that form part of Passwordstate V9.

Automatically update passwords in Passwordstate when updated on a Website

Up until Version 9 of Passwordstate, when you needed to change a password for an existing password record linked to a Website login, you were required to change it on the Website, then login to Passwordstate and update the password for that record manually.

With Passwordstate 9 and using our Browser Extensions you can automatically update the password for that password record when you change it on the Website.  Once you’ve changed the password on the Website the Browser Extension will automatically identify the record to be changed and prompt you with the following screen,

As indicated above, you have the option of selecting Later and manually updating as per version 8, or selecting Update to write the new password back to the password record in Passwordstate.  The Password List is automatically selected as per the existing password record details.  We’ve also enabled a visual indication of Ignored URLs by turning the Browser Extension icon blue when you browse to a website that has been previously recorded as ignored.

New Mobile App autofill of credentials for Smartphone Browsers

Our new Passwordstate Smartphone app is being released to coincide with Version 9.  This is a true native app for Android and iOS devices and is offered alongside our existing Mobile Client.  In addition to the offline mode allowing access to an encrypted cache of credentials the Passwordstate app is capable of autofilling your Website credentials – just like our Browser Extensions!

Folder Permission Model

The old Folder Permission Model has been enhanced and now incorporates additional permission settings as per the image below;

The Standard Permissions Model is the old Passwordstate permissions model.  This in effect rolls up the permissions applied to Password Lists to the Folder level.  In the image above the Permissions applied to all the Password Lists within Business Systems are applied to the Business Systems Folder.  This is a bottom-up approach to applying Permissions,

With the Advanced Permissions Model the Permissions are specified at a Parent Folder and are propagated down to all child folders and Password Lists.  This is similar to the approach for applying NTFS Permissions on a Windows Folder Structure.  The example below is for the Contoso Folder,

You’ll also note that the Folders with the Advanced Permission Model have a blue downward arrow shown next to the folder icon, indicating they have the Advanced Permission Model applied to them.  If you see a red X next to a Password List, such as the Web Sites Password List (Passwords example above), it means that inheritance from above is being blocked.
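To make the difference between the two models concrete, the following is an added illustration written for this page; it is not Click Studios’ code and does not claim to match how Passwordstate stores or evaluates permissions.  It models only the behaviour described above on a constructed tree (Contoso > Business Systems > ERP and Web Sites): the Standard model rolls list permissions up to the folder, the Advanced model propagates folder permissions down, and a list can block inheritance (the red X).  The permission names View/Modify/Admin, their ordering, and the principal names are assumptions made for the example.

```python
"""Toy model of the Standard and Advanced Folder Permission Models.

Added illustration, not Click Studios' code. It models only the behaviour
described in the blog text; the permission names, their ordering and the
tree contents are assumptions for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field

RANK = {"View": 1, "Modify": 2, "Admin": 3}   # assumed ordering: higher wins when merged


@dataclass
class Node:
    name: str
    is_list: bool = False                          # Password List (True) or Folder (False)
    explicit: dict = field(default_factory=dict)   # principal -> permission set directly here
    block_inheritance: bool = False                # Advanced model: stop propagation from above
    children: list = field(default_factory=list)


def merge(a: str, b: str) -> str:
    """Combine two permissions held by the same principal; the higher-ranked one wins."""
    return a if RANK[a] >= RANK[b] else b


def standard_model(node: Node) -> dict:
    """Standard (bottom-up) model: a Folder shows the union of the permissions
    on the Password Lists beneath it. Permissions set on the folder itself
    play no part, which is why the Contoso folder's own entry is not returned."""
    if node.is_list:
        return dict(node.explicit)
    rolled: dict = {}
    for child in node.children:
        for who, perm in standard_model(child).items():
            rolled[who] = merge(rolled[who], perm) if who in rolled else perm
    return rolled


def advanced_model(node: Node, inherited: dict | None = None, out: dict | None = None) -> dict:
    """Advanced (top-down) model: permissions set on a parent propagate to every
    child folder and list unless the child blocks inheritance.
    Returns {node name: effective permissions} for the whole subtree."""
    out = {} if out is None else out
    effective = {} if node.block_inheritance else dict(inherited or {})
    for who, perm in node.explicit.items():
        effective[who] = merge(effective[who], perm) if who in effective else perm
    out[node.name] = effective
    for child in node.children:
        advanced_model(child, effective, out)
    return out


def build_example_tree() -> Node:
    """Constructed tree for the illustration:
    Contoso -> Business Systems -> {ERP list, Web Sites list (inheritance blocked)}."""
    erp = Node("ERP", is_list=True, explicit={"Finance": "Modify"})
    web = Node("Web Sites", is_list=True, explicit={"WebTeam": "View"}, block_inheritance=True)
    business = Node("Business Systems", children=[erp, web])
    return Node("Contoso", explicit={"IT-Admins": "Admin"}, children=[business])


if __name__ == "__main__":
    tree = build_example_tree()
    print("standard:", standard_model(tree))   # folder view is the roll-up of its lists
    for name, perms in advanced_model(tree).items():
        print("advanced:", name, perms)        # Web Sites keeps only its own entry
```

Run it and compare the two outputs: under the Standard model the Contoso folder shows Finance and WebTeam only, because folder permissions are derived from the lists below; under the Advanced model IT-Admins flows down to Business Systems and ERP but stops at Web Sites, where inheritance is blocked.  That is the practical point of the red X: an audit of who can reach a list has to check for blocked inheritance, not just the parent folder.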

Improved built-in Backup Feature

We’ve listened to feedback on how to improve our built-in Backup solution and have incorporated a number of new features under Administration->Backups and Upgrades.  The image below outlines the new features,

The section Backups Settings has been renamed to Backup Schedule and Settings and now incorporates the following;

  • You can specify different backup paths for Web Files and Database backups,
  • There is now an option to backup your Split Secrets in a separate zip file.  This is backed up to the same path as your Web Files backups.
  • An option to password protect your backup files can now be enabled.  Once enabled you’ll need to specify the password and record it somewhere safe, and not only inside Passwordstate itself, as you will need it at exactly the point where Passwordstate is unavailable and you are recovering from a backup.

There is also a section called Backup File Naming Convention where you can specify the naming convention for each of the types of backups (Web Files, Database and Split Secrets).  When backups are performed the naming conventions you have provided are appended with the Date and Time that the backup was performed.  The format used for appending the Date and Time is the same as for Version 8, using the format YYYYMMDDHHMMSS, where YYYY is Year, MM is Month, DD is Day, HH is Hour, MM is Minute and SS is Seconds (month and minute both use MM and are distinguished by their position in the stamp).
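Because the stamp is zero padded and ordered most-significant-first, backup files of one type sort chronologically by name, which is what makes “last known good backup” easy to locate.  The following is an added example written for this page, not Click Studios’ code: it builds a name from a naming convention and a timestamp, parses names back into timestamps, and picks the newest file while skipping anything that does not follow the convention.  The naming conventions, the directory listing and the .zip extension are constructed for the example.

```python
"""Worked example of the Backup File Naming Convention described above.

Added illustration, not Click Studios' code. It assumes each backup is
written as <naming convention><YYYYMMDDHHMMSS><extension>; the naming
conventions, file names and .zip extension are constructed for the example.
"""
import re
from datetime import datetime

STAMP_FORMAT = "%Y%m%d%H%M%S"          # YYYYMMDDHHMMSS, as appended by the backup job
NAME_PATTERN = r"(\d{14})\.\w+"        # 14-digit stamp followed by an extension


def backup_name(convention: str, when: datetime, ext: str = ".zip") -> str:
    """Build the file name the convention produces for a backup taken at `when`."""
    return f"{convention}{when.strftime(STAMP_FORMAT)}{ext}"


def parse_backup_name(name: str, convention: str):
    """Return the datetime encoded in `name`, or None if the name does not follow
    the convention (wrong prefix, wrong stamp length, or a 14-digit stamp that
    is not a real date/time such as day 99)."""
    m = re.fullmatch(re.escape(convention) + NAME_PATTERN, name)
    if not m:
        return None
    try:
        return datetime.strptime(m.group(1), STAMP_FORMAT)
    except ValueError:
        return None


def latest_backup(names, convention: str):
    """Pick the most recent file of one backup type. Parsing instead of sorting
    the raw strings means malformed names are skipped rather than chosen just
    because they happen to sort high."""
    stamped = []
    for n in names:
        ts = parse_backup_name(n, convention)
        if ts is not None:
            stamped.append((ts, n))
    return max(stamped)[1] if stamped else None


# Constructed directory listing: two backup types, one malformed stamp and one
# file that predates the convention.
SAMPLE_LISTING = [
    "Contoso_WebFiles_20200301020000.zip",
    "Contoso_WebFiles_20200302020000.zip",
    "Contoso_Database_20200302020000.zip",
    "Contoso_WebFiles_20200399020000.zip",   # day 99: not a valid stamp, skipped
    "Contoso_WebFiles_old.zip",              # no stamp at all, skipped
]

if __name__ == "__main__":
    print(backup_name("Contoso_WebFiles_", datetime(2020, 3, 2, 2, 0, 0)))
    print(latest_backup(SAMPLE_LISTING, "Contoso_WebFiles_"))
    print(latest_backup(SAMPLE_LISTING, "Contoso_SplitSecrets_"))   # None: no such backups
```

Keep the three conventions (Web Files, Database, Split Secrets) distinct so that a restore script can select each type by prefix; a prefix that is a substring of another (for example Backup_ and Backup_DB_) would match both types under this scheme.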

Tweaked UI

Lastly, with Passwordstate V9 we’ve tweaked the UI (User Interface) in a number of areas.  The image below is a composite image showing a number of changes,

The first of these is represented by the numbered green dots 1, 2 & 3.  In previous versions of Passwordstate, hovering over the Menu item caused that menu to pop out to the right.  In V9 you can toggle the Menu item by clicking on the ^ to collapse the menu or V to expand it.  When expanding the Menu item, it now appears below the Menu Heading.  In the left-hand side of the image you can see Passwords (1) is expanded while Tools (2) and Preferences (3) are collapsed.  In the right-hand side of the image Passwords (1) has been collapsed while Tools (2) and Preferences (3) are expanded.

The second of the tweaks relates to the new icons for folders and password lists as shown in the right-hand side of the image in the golden rectangle.  These are brand new icons, have been optimized for performance when loading screens and are consistent with the icons used in the new Mobile App for iOS and Android.

We hope you like this final sneak peek and can’t wait to get your hands on V9 (just like us 😊).

All suggestions and feedback are welcome via support@clickstudios.com.au.

Creating New Private Password Lists for New Users

Passwordstate allows teams of people to access and share sensitive password credentials through the concept of Shared Password Lists. This enables your organization to implement granular control over who has access to your privileged account credentials through Role Based Access Control.  This in turn enables built-in auditing and compliance capabilities to track who has accessed credentials and when.

Equally important is the concept of Private Password Lists, where individuals can securely record and manage credentials that are used for private use.  The ability to create and use Private Password Lists is free and provided as part of the named User Licensing Model that Passwordstate uses.  But what does this mean?  It means that if a user has access to login to Passwordstate, they are enabled and have a Named User License automatically applied to their account, license count permitting.

Organizations that don’t allow the use of Private Password Lists for their users typically struggle with enforcing the use of Shared Password Lists.  This is understandable as you are in effect stating that credential management is only important for business use and not personal use.  On the other hand, organizations that adopt and promote the use of Private Password Lists typically build a healthy cybersecurity awareness in their workforce with employees embracing credential management for both personal and organizational use.

So how do you minimize the impact on Security Administrators of having to set up Private Password Lists for all your employees?

Automatically create Private Password Lists for New Users

To reduce the workload on your Passwordstate Security Administrators, and make life easier for your users, you can automatically create Private Password Lists for all new user accounts as they are added to Passwordstate.  This is done by enabling the option to automatically create a Private Password List for new users.  To do this navigate to Administration->System Settings->password list options and click the Yes radio button underneath When a new User Account is added to Passwordstate, automatically create a Private Password List for the user option.  You can also specify the name of the Private Password List using the variables FirstName and Surname shown below,

In doing this all new users that are added will have a Private Password List created in the root of the Passwords Tab.  If you decide not to use the variables in the name then all Private Password Lists will appear to have the same name, however they will each have a unique PasswordListID that is used to identify them at a system level.  And of course, each Private Password List will only have Administrator permissions assigned to the appropriate user.

Customize Private Password List Fields with User Account Policies

It is possible to create all Private Password Lists with additional fields that the user may want to use.  For example, these could be fields for a support email, PIN for 2FA, a phone number, or an address.  By default, automatically created Private Password Lists include the URL field, however they aren’t based on any of the templates located under Administration->Password List Templates.

In order to add specific additional fields, you’ll need to create a User Account Policy for all users, that references a custom Password List Template.  First, you’ll need to create a template that contains the fields that you want to provision for new users.  To do this navigate to Administration->Password List Templates and click on Add New Template,

Give the template a Name, Description, choose an image and define the required Password Strength Policy, Password Generator Policy and any Additional Authentication you require.  Then select the customize fields tab and specify the additional fields you want to provision.  In the example below I’ve created the following text fields email, PIN, Phone Number and Address,

Now create a User Account Policy that will use the new Password List Template.  In my example I’ve named it “Private Password Lists”.  Navigate to Administration->User Account Policies and click on Add to create a new User Account Policy,

Supply a Policy Name, Description and on the password list options tab, for Setting ID E4, select the name of the Password Lists Template you wish to reference,

Then click Save.  Now click on the Actions icon and select Apply Policy to Users, selecting All Users and Security Groups,

Now every time a New User is added to Passwordstate they will have an automatically created Private Password List with all the Fields that you’ve selected.  Each individual user will be the Administrator of their Private Password List and will be able to edit it as desired.

Don’t forget, we welcome your feedback via support@clickstudios.com.au.