
Passwordstate – Enterprise Password Management Review

Written by William Roush on May 30, 2014 at 4:40 pm

An end-user review of Passwordstate, shared, web-based password-list software that gives you the additional management features you wanted over KeePass and its equivalents.

Before we start… Sorry about the large gap in posts, a mix of writer’s block and working on reviews of a handful of things (Zultys PBX, ScreenConnect, etc.); there will be MUCH more to come soon!

I’d also love to write about more IT subjects in Chattanooga (locally developed software, startups, IT community, or businesses), if you have any suggestions feel free to throw them my way!

What is Passwordstate?

Passwordstate is a web-based password management tool written by Clickstudios. Think of it as KeePass on the web, but deployed inside your own private network.

Why Use it Over KeePass?

I personally love KeePass, I can’t talk about it enough, and I wrote a post a while ago all about it. However, as much as I like it, it falls short on some management features that I feel I need when working in a team with diverse responsibilities and access levels. While we can create a lot of process and hoop jumping to resolve this, I’d rather not if it can be avoided (plus, we’re IT, we want software to do the hoop jumping and process for us! That is what it is there for).

Prerequisites For Install

The requirements for installation are pretty straightforward: IIS7+ and MSSQL 2005+. Once these are met, the install for Passwordstate is easy. I’m deploying it on IIS8 and MSSQL 2012 Express on top of Windows 2012 R2 for this review.

Organization

Passwordstate makes everything pretty easy to get to. Unlike KeePass, passwords are kept in “password lists”; imagine these lists as folders in KeePass. These lists can have a long list of permissions and customizations added to them (see later in this review for those options). On top of password lists you can create folders to store groups of password lists.

Navigating password lists is pretty simple.

In the example above we have a folder for development environment passwords: we could grant our storage admin access to “Storage Arrays”, our DBA access to “Database”, and so on, giving fine-grained control over each list. Additionally I have a personal password list named “William’s Password List”; more on personal password lists later.

Password Management

Creating and editing passwords is pretty straightforward: a handful of fields you’re already familiar with if you use a password vault. Nothing really special here other than a very nice UX design.

Auditing

By far the biggest benefit over a system like KeePass is the ability to audit access to passwords. Want to know who last updated the password on a service account? Whether a system admin scanned all the passwords before leaving? KeePass won’t tell me any of that.

Simple UI, easy to grab a password or check recent audit events.

Audit reports can be sent at regular intervals to your e-mail so you can stay on top of what is going on.

Further details on the state of your password lists.
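
The two audit questions raised above (who last updated a service-account password, and whether someone bulk-read the vault before leaving) are easy to answer once the audit trail is exportable. The following is an added example, not Passwordstate’s own code or export format: it runs over a constructed list of audit events (timestamp, user, action, list, entry; all sample values are made up) and flags any user who viewed more than a set number of distinct entries inside a short sliding window.

```python
"""Added example (not Passwordstate's code): answering two audit questions
over a constructed password-vault audit trail.

Assumed event shape (constructed for this example, not Passwordstate's real export):
    ts (ISO 8601), user, action ("view" | "update"), list, entry
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail, for illustration only.
AUDIT_EVENTS = [
    {"ts": "2014-05-01T09:00:00", "user": "alice", "action": "update", "list": "Database", "entry": "svc_backup"},
    {"ts": "2014-05-03T14:20:00", "user": "bob", "action": "view", "list": "Database", "entry": "svc_backup"},
    {"ts": "2014-05-10T11:05:00", "user": "bob", "action": "update", "list": "Database", "entry": "svc_backup"},
    {"ts": "2014-05-20T16:00:00", "user": "carol", "action": "view", "list": "Storage Arrays", "entry": "san01-admin"},
    # A burst of reads across several lists in two minutes: the "scanned everything" pattern.
    {"ts": "2014-05-29T17:01:00", "user": "bob", "action": "view", "list": "Database", "entry": "svc_backup"},
    {"ts": "2014-05-29T17:01:30", "user": "bob", "action": "view", "list": "Database", "entry": "sql-sa"},
    {"ts": "2014-05-29T17:02:00", "user": "bob", "action": "view", "list": "Storage Arrays", "entry": "san01-admin"},
    {"ts": "2014-05-29T17:02:20", "user": "bob", "action": "view", "list": "Storage Arrays", "entry": "san02-admin"},
    {"ts": "2014-05-29T17:03:00", "user": "bob", "action": "view", "list": "Network", "entry": "core-switch"},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def last_updater(events, entry):
    """Who last changed `entry`, and when. Returns (user, timestamp) or None."""
    updates = [e for e in events if e["entry"] == entry and e["action"] == "update"]
    if not updates:
        return None
    latest = max(updates, key=lambda e: _parse(e["ts"]))
    return latest["user"], latest["ts"]


def bulk_read_users(events, max_entries=3, window=timedelta(minutes=10)):
    """Users who viewed more than `max_entries` distinct entries within any
    `window`-long sliding window. Returns {user: distinct entries seen in the
    first window that crossed the threshold}."""
    views = defaultdict(list)
    for e in events:
        if e["action"] == "view":
            views[e["user"]].append((_parse(e["ts"]), e["entry"]))
    flagged = {}
    for user, items in views.items():
        items.sort()  # chronological; tuples sort by timestamp first
        for i, (start, _) in enumerate(items):
            seen = {entry for ts, entry in items[i:] if ts - start <= window}
            if len(seen) > max_entries:
                flagged[user] = len(seen)
                break
    return flagged


if __name__ == "__main__":
    print("svc_backup last updated by:", last_updater(AUDIT_EVENTS, "svc_backup"))
    print("bulk readers:", bulk_read_users(AUDIT_EVENTS))
```

The threshold and window are deliberately parameters: a DBA legitimately opening three database entries in a morning should not trip the same rule as someone paging through every list in a couple of minutes, so tune them per team and feed the result into whatever scheduled report you already e-mail yourself.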

Personal Password Lists

Passwordstate has a different kind of password list for personal use: you can make a list for yourself that has additional security features (while you can put a password on a regular password list, I can usually justify additional passwords on personal lists a lot more easily). In this case I’ve put a separate password on it from my account, requiring another step of authentication. These lists cannot be seen by administrators and stick with you.

Keeping personal passwords centralized has many benefits too.

The ability to keep your passwords in Passwordstate allows you to easily hand over all account passwords for various pieces of software (for example, if you hold a lot of licensing portal credentials on your personal e-mail account).

Password List Options

Another very powerful addition over KeePass is the customization available for your password lists.

A long list of configurable options to help make each list customized to its purpose.

You can have some lists sync with Active Directory, others have very strict password complexity requirements, some lists only available during work hours, and other lists have expiration dates.

Problems With Passwordstate

There are a handful of issues with Passwordstate; first and foremost is that everything has to be done via the web UI. While Passwordstate is configured for SSL up front, I can understand the argument that browsers are one of the most exposed pieces of software we use on a daily basis, and putting our passwords in that basket may not be the best idea.

Additionally, if you lose your Passwordstate server, your passwords are unavailable. Passwordstate does provide high-availability options (at additional cost), but I’d throw an export of your password lists together with a DB backup into a fire safe and offsite every once in a while, just in case things get really bad. Update: version 7 includes the ability to export to a KeePass database, which will help if your network is down.

A small annoyance is that I can’t do upgrades unless I set up a backup path. When I’m backing up the entire machine with Veeam and I do an upgrade after a snapshot, I really don’t care if I have to roll the entire VM back, but I don’t have the option. A really minor gripe though; I know why they’ve done it (for those that don’t have good backups in place). Update: version 7 doesn’t enforce this, allowing you to upgrade and rely on your own backups.

Overall

With it being free for up to 5 users, I don’t see why not for small businesses! Even beyond that I’d say the additional safety and auditing is worth the relatively low price of $37/user (which lowers as you add more users), topping out at $4272 for an unlimited-user install. This is by far not an exhaustive list of what Passwordstate can do (we’ve just skimmed the surface), so go grab a 5 user license and try it out today!

Password Security Using KeePass Password Safe (And A Small List Of Similar Software)

Written by William Roush on November 11, 2013 at 6:45 pm

As we use more and more applications online, it becomes more important to be able to stay secure after a data breach at any one of them. The last thing we want is to find out that one of the sites you subscribe to has had a data breach and used weak encryption, and a hacker has used the password you reused there to gain access to other accounts of yours!

Why Use A Password Generator?

One of the main security recommendations is to use a unique password for every application we have. In my case I’d have to remember over 100 passwords! There are some methods out there to memorize that many passwords, including PasswordCard, but even remembering 100+ combinations of colors and symbols can be difficult. Even when I had rotations of passwords it was hard to remember which sites used which passwords.

Until we move on to something like public-key authentication (Linux has an option to use this), it is best for us to find a software suite that will assist us in following this very important security guideline.

What Is Keepass?

KeePass is a desktop application (mobile versions for Android and iPhone are available) that lets you manage your passwords in a heavily encrypted file. This file can be encrypted using a master password, a key file, your Windows account, or any combination of the three. Because your KeePass file is encrypted, you can share it using really simple methods such as storing it on a web server; however, I’ve found it best to drop it on something like Dropbox or your own cloud using SharePlan or OwnCloud.


Creating a new KeePass database file.

Managing passwords is a snap. It also comes with an auto-type feature: put your cursor in the box on the website, go to KeePass, and click “Perform Auto-Type”.


Right click menu, showing auto-type, editing keys, etc.

Additionally, KeePass will generate very long and complex passwords, and you can tweak the password generation options depending on your needs (some sites limit you to a maximum length, which is very annoying when you have a more secure password you’d like to use).
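
To show what a generator like this does under the hood, here is an added example (not KeePass’s or Passwordstate’s code): it draws from a cryptographically secure source, guarantees at least one character from each required class, clamps the length to a site’s maximum when one is imposed, and exposes a `meets_policy` check of the kind the per-list complexity requirements in the Passwordstate review above would enforce. The character classes, defaults and function names are this example’s own choices.

```python
"""Added example (not KeePass's or Passwordstate's code): a policy-aware
password generator built on the standard library's `secrets` CSPRNG.
Class names, defaults and the symbol set are assumptions of this example."""
import secrets
import string

# Character classes a policy may require. The symbol set is a constructed
# choice; trim it for sites that reject particular characters.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?",
}

DEFAULT_REQUIRED = ("lower", "upper", "digit", "symbol")


def meets_policy(password, min_length=20, max_length=None, required=DEFAULT_REQUIRED):
    """True if `password` satisfies the length bounds and contains at least
    one character from every class named in `required`."""
    if len(password) < min_length:
        return False
    if max_length is not None and len(password) > max_length:
        return False
    return all(any(c in CLASSES[name] for c in password) for name in required)


def generate_password(length=32, max_length=None, required=DEFAULT_REQUIRED):
    """Generate a random password of `length` characters (clamped to
    `max_length` when a site caps it), guaranteeing one character from
    each required class. Raises ValueError if the length can't hold them."""
    if max_length is not None:
        length = min(length, max_length)
    if length < len(required):
        raise ValueError("length too short to include every required class")
    alphabet = "".join(CLASSES[name] for name in required)
    # One guaranteed character per class, then fill the rest from the union.
    chars = [secrets.choice(CLASSES[name]) for name in required]
    chars += [secrets.choice(alphabet) for _ in range(length - len(required))]
    # Shuffle with the CSPRNG so the guaranteed characters aren't always first.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, meets_policy(pw))
    # A site that caps passwords at 16 characters still gets a compliant one.
    capped = generate_password(length=64, max_length=16)
    print(capped, meets_policy(capped, min_length=16, max_length=16))
```

Generating one password per site with a call like this is what makes the “unique password everywhere” rule practical: the generator, not your memory, carries the burden, and `meets_policy` lets you confirm a stored or imported password still satisfies a list’s rules before you rely on it.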


A long range of options for password generation.

You can store a lot of relevant data with your KeePass passwords; never forget a username again (for those pesky sites that don’t use your e-mail address)!


New password screen, showing a very complex password of a length you couldn’t memorize.

Other Options

LastPass / RoboForm / 1Password / Dashlane

All of the above applications follow the same general idea: store your passwords in the public cloud. They typically have better browser integration for auto-filling form fields (KeePass can get “confused” at times due to form layout and not fill it out properly). Additionally, you don’t run the risk of losing your passwords because you lost your KDBX file, and sharing your passwords between your multiple devices is simplified.

Software like LastPass offers local-only decryption, which I find is a requirement before I even consider a cloud offering. However, LastPass has had a data breach before that resulted in all master passwords needing to be reset, so it’s hard to gauge how secure the system can be when everything hinges on the master password that you regularly communicate to LastPass with.

Passwordstate

Passwordstate is a web-based application that provides similar features to the above systems, but for a corporate environment on a private cloud, where password lists may need to be shared or transferred in the event of a staff member leaving. On top of that you’d want a full audit log of users looking up passwords, and Passwordstate provides all of this in a slick interface. It doesn’t seem to have the nice mobile accessibility tools that some of the offerings above have, but the price is cheap (free for up to 5 users, and ~$400USD will cover 10 users for a year, with support being ~$70USD), and for things like corporate passwords I strongly recommend private cloud solutions, especially where sharing passwords between multiple accounts makes it easier for outsiders to crack into them.