Encryption and Obfuscation
To protect the privacy of sensitive data, all passwords are stored within the database using industry standard .NET Framework 256 Bit AES Encryption, and sensitive code is protected by the use of precompiled ASP.NET pages and obfuscated .NET Assemblies. Web or database administrators are unable to gain access to data they are not authorised to view.
This encryption and obfuscation provides the following protection:
- All passwords are encrypted in the database, and no two identical passwords within Passwordstate would look the same when viewing the raw data in the database
- Many sensitive encrypted fields are also salted and hashed, consisting of random and known bits, which prevents moving or copying encrypted fields between database tables
- Database Administrators cannot change records in the database and grant themselves, or others, access to passwords they are not meant to have access to. They are also unable to grant or modify their roles within Passwordstate
- Web and System Administrators cannot write their own ASP.NET pages to try and retrieve data from the database
- Many of the .NET assemblies for the web site, Mobile Client and API are obfuscated, so even with a disassembler users are unable to view critical areas of the methods/functions/classes used for retrieving data.
Digitally Signed Executables, DLLs and Installers
Click Studios always digitally signs DLLs, Executables and Installers to confirm the software is from us and to guarantee the code has not been altered or corrupted since it was signed. The process uses a cryptographic hash to validate authenticity and integrity.
TLS 1.2 Support
Passwordstate is fully functional with only the TLS 1.2 protocol enabled on your web server. It is recommended you disable the following protocols when hardening your web servers: Multi-Protocol Unified Hello, PCT 1.0, SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1.
Authorized Web Servers
You must specify which web server host names are authorized to host the Passwordstate web site. This is further protection to mitigate against theft of the Passwordstate database, and hosting it in an untrusted environment.
Unique Initialization Vectors
Every encrypted field, and every encrypted record, uses its own unique Initialization Vector for the encryption and decryption of data.
Secret Splitting
Two unique encryption keys are used for every Passwordstate installation, with the encryption keys being split into 4 secrets, which are independently stored on your web and database servers. Having the encryption keys split into secrets, and stored in different locations, means more than one Windows Server would need to be compromised in order to obtain your encryption keys.
Encryption Key Rotation
Generate new encryption keys on whatever schedule your organization requires, and re-encrypt all your data with these new keys. Key Rotation also logs auditing data, for complete traceability over who performed the key rotation, and when.
Encryption Key Disaster Recovery
To assist with recovering your Passwordstate installation in the event of a disaster, it is possible to export your encryption keys (in split secret format) to a password protected zip file for safe external storage if required. This is not required if you back up your Passwordstate folder and database. Exporting the encryption keys also adds relevant auditing data.
Data Integrity using HMAC-SHA512 Hashing Algorithm
To ensure no data is intentionally manipulated directly in the database, the HMAC-SHA512 hashing algorithm and data salting are used to protect your sensitive data. If a DBA were to manipulate data directly, for example to grant themselves access to passwords, a data integrity error will be displayed in Passwordstate, preventing the user from accessing Passwordstate.
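The following is an added illustration, not Passwordstate's own code or storage format, of the idea behind the two integrity claims above: salting and hashing encrypted fields so that a tag is bound to one table, row and column (preventing copying fields between rows or tables), and HMAC-SHA512 so that any direct edit of the stored bytes is detected. The key, table names and ciphertext bytes are constructed stand-ins.

```python
import hashlib
import hmac
import os
import struct

# Constructed scheme for illustration only. Each encrypted cell is stored with a random
# salt and an HMAC-SHA512 tag over its location (table, row id, column), the salt and the
# ciphertext, so the tag is valid for exactly that one cell.

def _canonical(*parts: bytes) -> bytes:
    # Length-prefix every part so different field splits cannot produce the same message.
    return b"".join(struct.pack(">I", len(p)) + p for p in parts)

def tag_field(key: bytes, table: str, row_id: int, column: str, salt: bytes, ciphertext: bytes) -> bytes:
    msg = _canonical(table.encode(), str(row_id).encode(), column.encode(), salt, ciphertext)
    return hmac.new(key, msg, hashlib.sha512).digest()

def store_field(key: bytes, table: str, row_id: int, column: str, ciphertext: bytes) -> dict:
    salt = os.urandom(16)  # per-cell random salt, stored alongside the ciphertext
    return {"table": table, "id": row_id, "column": column, "salt": salt,
            "ciphertext": ciphertext, "tag": tag_field(key, table, row_id, column, salt, ciphertext)}

def verify_field(key: bytes, rec: dict) -> bool:
    expected = tag_field(key, rec["table"], rec["id"], rec["column"], rec["salt"], rec["ciphertext"])
    return hmac.compare_digest(expected, rec["tag"])  # constant-time comparison

def demo() -> tuple:
    key = b"constructed-demo-integrity-key"      # constructed; a real key would derive from the split secrets
    ct_admin = b"\xa1\x9c\x3e\x07\x44\xd2\x8f\x10"  # constructed stand-in for an AES ciphertext
    ct_user = b"\x5b\x21\xee\x93\x0a\x77\xc4\x6d"   # constructed stand-in for a second ciphertext
    admin_row = store_field(key, "Passwords", 1, "Password", ct_admin)
    user_row = store_field(key, "Passwords", 2, "Password", ct_user)
    ok_untouched = verify_field(key, admin_row)

    # Direct edit of the stored ciphertext bytes: the tag no longer matches.
    tampered = dict(admin_row, ciphertext=ct_admin[:-1] + b"\x00")
    ok_tampered = verify_field(key, tampered)

    # Copying the admin row's ciphertext, salt and tag into the user's row: the tag was
    # computed for row 1, so it fails verification in row 2 even though the bytes are intact.
    moved = dict(user_row, ciphertext=admin_row["ciphertext"], salt=admin_row["salt"], tag=admin_row["tag"])
    ok_moved = verify_field(key, moved)
    return ok_untouched, ok_tampered, ok_moved

if __name__ == "__main__":
    print(demo())  # (True, False, False)
```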
PowerShell Scripts are Encrypted and Securely Stored
All PowerShell scripts used by Passwordstate are encrypted and securely stored within the database. This applies to both built-in PowerShell Scripts as well as any custom scripts that are added by a customer. This ensures the integrity of all PowerShell scripts used for Discoveries, Backups, Password Resets and Validations.
OWASP Development Methodology
Click Studios follows the Open Web Application Security Project (OWASP) methodology of software development, to mitigate against Cross Site Scripting (XSS) attacks, SQL Injections, and various other vulnerabilities.
Application Penetration Testing
Click Studios performs Penetration testing of our networks, systems and own Production Passwordstate instance bi-annually. We do not provide copies of internal or customer Penetration Testing results to other organizations, instead we actively encourage customers to pen test the software within their own environment.
FIPS Support
If you are required by the United States Government to configure your Microsoft Windows environment in FIPS compliance mode, then Passwordstate can also be configured in FIPS mode during the initial installation.
Encrypt settings in the Web.config file
To further secure access to the database and encryption keys, we provide instructions with our installer for encrypting the database connection string, and split secrets, in the web.config file for the Passwordstate web site.
Integrated Windows Authentication
Integrated Windows Authentication provides a greater level of secure access to Passwordstate. Multiple options can be set for allowing passthrough authentication to the Passwordstate web site, or users can be forced to manually enter their domain credentials.
Brute Force Dictionary Attack Detection and Blocking
Both the web interface and the mobile client have a configurable option to lock out repeated failed login attempts, blocking brute force dictionary attacks and further securing your Passwordstate environment.
Password Hiding & Clipboard Clearing
Options can be set to automatically hide viewed passwords, or clear the clipboard from copied passwords, after a specified amount of time.
Automatic Logout Period
An Automatic Logout Period can be specified for inactive sessions, i.e. if a user leaves Passwordstate open on the screen, the session will be automatically logged out once the logout period is reached. Different time-out periods can be configured for when you are in or out of the office.