Forum / Devolutions Password Server - Support

Questions regarding PasswordSafe Features


Hello dear Support-Team,

We want to implement a new password management tool in our company, scanplus GmbH, and found out about the password server you are offering. We've already had a look at the features, but there are still some questions that were left unanswered. Those questions are the following:

  • How does the login page handle brute-force attacks? We want our users to log into the service fast, and in the past we had the problem that when users were typing their password too fast, they were blocked for a long time. Is the handling of such cases configurable?
  • Can the UI warn the user if another program is monitoring the clipboard?
  • Can permissions be inherited? And if so is it easily understandable and usable?
  • Can we implement rules to log out inactive users?
  • How does the system handle credentials that are currently being edited by another user?
  • Can we migrate our data from PasswordSafe 7 to your service?
  • Can the API/SDK generate passwords following password policies?
  • Can we use RBAC to implement two different levels of administrators, one of them with the right to access private vaults?
  • Can we use 2FA to protect specific entries?
  • Can we use 2FA and 4-eyes principle to limit the access of the highest level administrator?

I hope you can answer our questions soon.

Best wishes,

Niklas Heine

11 months ago

Hello,

First I need to apologize, I had typed a lengthy response, and I guess I didn't submit it.

Please see my answers within your questions

  • How does the login page handle brute-force attacks? We want our users to log into the service fast, and in the past we had the problem that when users were typing their password too fast, they were blocked for a long time. Is the handling of such cases configurable?

> Our front-end is a Single Page Application (SPA); it's not plain HTML. We haven't received reports of the scenario you describe.


  • Can the UI warn the user if another program is monitoring the clipboard?

> I suspect that it is not possible with the SPA. It is achievable with our thick client, Remote Desktop Manager (RDM). To my knowledge, it is not implemented at this time.

  • Can permissions be inherited? And if so is it easily understandable and usable?

> We do have a rich Role Based Access Control. 80% of our community meet with 20% of the complexity. If you delve into the deeper scenarios, the learning curve can be quite steep.

  • Can we implement rules to log out inactive users?

> This is controlled by the lifetime setting of the security token. It's configurable.

  • How does the system handle credentials that are currently being edited by another user?

> Last man wins, but we do have a mandatory refresh upon starting the edit mode. We also have full versioning info, so no data can ever be lost.

  • Can we migrate our data from PasswordSafe 7 to your service?

> We support their CSV, as well as the psafe3 format.

  • Can the API/SDK generate passwords following password policies?

> This is a feature of our front-ends. On the other hand, we've just started on a Command Line Interface (CLI); I could imagine adding this feature.

  • Can we use RBAC to implement two different levels of administrators, one of them with the right to access private vaults?

> We've elected to make private vaults really private: no other admins can see any private vault. It's a differentiating factor with our competitors. If you want a vault that is "mostly" private, you can disable private vaults at the system level and create vaults for each individual.

  • Can we use 2FA to protect specific entries?

> Not at this time, but it's coming in a few sprints.

  • Can we use 2FA and 4-eyes principle to limit the access of the highest level administrator?

> We do have a checkout process and an extensive notification system. We do want to add a formal "interactive" approval workflow in the near future.

We can have a call if you need further info.

Again, sorry about the delay.



Maurice Côté


10 months ago

Hello,

Thank you for your extensive answer.
We still have a few further questions that came up since this post was made.

  • We want to analyse the quality of existing passwords; can that be achieved? If so, which of the following criteria are involved in analyzing password quality:
    • Complexity
    • Distance from dictionary entries
    • Distance from other user-accessible passwords
    • Distance from previous passwords
    • Distance from usernames and other resources
    • Distance from alphabet and keyboard patterns
    • Distance from entries of a blacklist
    • Age
    • On automatically generated passwords: true entropy
  • Does the client react to shortcuts when it's run in the background? We had the problem that the PasswordSafe 7 client reacts to shortcuts even when it was minimized.
  • Can users of the SDK/API or UI be warned if they try to access sensitive data?
  • Is there an expiry-date field for passwords, and is it mandatory?

We also need some more information on the handling of brute-force attacks, especially when it comes to customization of the handling.

I hope you can answer those questions as well.

Best wishes,
Niklas Heine

10 months ago

Hello,

I must ask, why aren't you imposing the use of the password generator? Many of your questions on the "distance" point to personal passwords rather than managed/service accounts.

I hate to use the tag line of a competitor, but the last password you should ever learn by heart is the one that gives you access to your password vault.

That editorial part being said, we have reports on complexity and age, an optional number of passwords kept in history that are forbidden to use, a list of forbidden passwords, but nothing in the category of "distance".

  • Does the client react to shortcuts when it's run in the background? We had the problem that the PasswordSafe 7 client reacts to shortcuts even when it was minimized.

> We have a setting, and a quick access button in the status bar, to prevent that.

  • Can users of the SDK/API or UI be warned if they try to access sensitive data?

> I would need more details. Is a mandatory checkout sufficient for you? In our clients we have statuses, but that is not exposed in our SDK.

  • Is there an expiry-date field for passwords, and is it mandatory?

> Available, but not mandatory.

Best regards,



Maurice Côté


10 months ago
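The exchange above settles on which password-quality criteria matter to the asker and which the vendor reports on (complexity, age, a history of forbidden previous passwords, a forbidden list). The following is an added example, not code from Devolutions or from either participant: a stand-alone audit that runs those checks over vault entries and, going one step beyond the vendor's list, adds the "contains the username" check from the asker's longer wish list. The `Policy` and `Entry` classes, the policy thresholds, the forbidden list and the sample vault entries are all constructed for the demo.

```python
"""Audit stored credentials against a password ruleset.

Added example, not Devolutions code. Checks complexity, age, a forbidden
list, reuse of recent history, and a username-in-password test. Policy
values, the forbidden list and the sample entries are constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
import hashlib
import string


@dataclass(frozen=True)
class Policy:
    min_length: int = 12
    min_classes: int = 3          # out of: lower, upper, digit, symbol
    max_age_days: int = 365
    history_depth: int = 5        # most recent previous passwords that may not be reused
    forbidden: frozenset = frozenset({"password", "welcome1", "scanplus2019"})  # constructed


@dataclass
class Entry:
    name: str
    username: str
    password: str
    last_changed: date
    history: list = field(default_factory=list)  # sha256 of previous passwords, newest first


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def character_classes(pw: str) -> int:
    """Count how many of the four character classes the password uses."""
    checks = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    return sum(checks)


def audit_entry(entry: Entry, policy: Policy, today: date) -> list:
    """Return the list of policy violations for one entry (empty = compliant)."""
    findings = []
    pw = entry.password
    if len(pw) < policy.min_length:
        findings.append(f"too short ({len(pw)} < {policy.min_length})")
    classes = character_classes(pw)
    if classes < policy.min_classes:
        findings.append(f"too few character classes ({classes} < {policy.min_classes})")
    if pw.lower() in policy.forbidden:
        findings.append("on forbidden list")
    if entry.username and entry.username.lower() in pw.lower():
        findings.append("contains username")
    # History is kept as hashes so old secrets are never stored in clear.
    if sha256_hex(pw) in entry.history[: policy.history_depth]:
        findings.append("reuses a recent password")
    age_days = (today - entry.last_changed).days
    if age_days > policy.max_age_days:
        findings.append(f"older than policy ({age_days} > {policy.max_age_days} days)")
    return findings


def audit_vault(entries, policy: Policy, today: date) -> dict:
    """Map every entry name to its findings."""
    return {e.name: audit_entry(e, policy, today) for e in entries}


SAMPLE_TODAY = date(2024, 6, 1)  # fixed date so the demo is repeatable


def sample_entries() -> list:
    """Constructed vault contents; none of these are real credentials."""
    def days_ago(days: int) -> date:
        return SAMPLE_TODAY - timedelta(days=days)

    return [
        Entry("db-prod", "svc_db", "Tz7!kq#Lm2pW9vRx", days_ago(30)),
        Entry("legacy-ftp", "ftpadmin", "ftpadmin1", days_ago(800)),
        Entry("wiki", "editor", "Welcome1", days_ago(10)),
        Entry("vpn", "nheine", "Spring2024!Rotate", days_ago(100),
              history=[sha256_hex("Spring2024!Rotate"), sha256_hex("Winter2023!Rotate")]),
    ]


def run_audit() -> dict:
    return audit_vault(sample_entries(), Policy(), SAMPLE_TODAY)


if __name__ == "__main__":
    for name, findings in run_audit().items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Run as a script it prints one line per entry; only `legacy-ftp`, `wiki` and `vpn` produce findings. The audit needs the clear-text passwords, so in practice it belongs server-side where the vault is already decrypted, and its output should be a report of entry names and finding types, never the passwords themselves.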

Hello,

Secure passwords are a high priority to us, but some old passwords do not follow our password policies, and instead of going through every single one of them we want to see if a password doesn't comply with our ruleset.
I agree that "distance" is off in terms of wording, but what you are offering in regards to password quality seems like it meets our goals.

About the warning of users accessing sensitive data: it would be an optional feature to have our users notified through a pop-up that tells them they are about to access sensitive data. Another option would be that when a user wants to access sensitive data, he needs to give a reason for that.

And another question: can we customize the handling of brute-force attacks?

Best regards,
Niklas Heine

10 months ago

Hello,

When are we supposed to get an answer to the remaining questions?

Best regards,
Niklas Heine

10 months ago

Hello,

"Password quality meets our goals"

> Good.

Warning/notification

> As stated above, we have a checkout feature in which you must document a reason. Isn't that sufficient?

Customize handling of brute force attacks

> Sadly, no.


Best regards,



Maurice Côté


10 months ago
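The brute-force question runs through the whole thread: the asker wants users who mistype a password a few times not to be blocked for a long time, and wants the handling to be configurable, which the vendor says it is not. As an added example that is not code from Devolutions or from this thread, here is what a configurable throttle policy looks like in isolation: failures are tolerated up to a small free allowance, then each further failure doubles a short delay up to a cap, and the failure history expires after a window. The `ThrottlePolicy` and `LoginThrottle` names, the default thresholds and the scripted sequence of attempts are assumptions constructed for the demo.

```python
"""Configurable login throttling with progressive delays.

Added example, not Devolutions code. A few mistypes cost seconds, sustained
guessing is slowed to uselessness, and nothing ever blocks an account for
longer than the configured cap. Names and thresholds are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class ThrottlePolicy:
    free_attempts: int = 3      # failures tolerated before any delay is imposed
    base_delay_s: float = 2.0   # delay after the first throttled failure
    max_delay_s: float = 120.0  # cap: a typo-prone user is never blocked longer than this
    window_s: float = 900.0     # failures older than this are forgotten


@dataclass
class AccountState:
    failures: list = field(default_factory=list)  # timestamps of recent failures
    blocked_until: float = 0.0


class LoginThrottle:
    """Per-account throttle; `clock` is injectable so the demo is deterministic."""

    def __init__(self, policy: ThrottlePolicy, clock):
        self.policy = policy
        self.clock = clock
        self.accounts: dict = {}

    def _state(self, username: str) -> AccountState:
        """Fetch the account state and drop failures outside the window."""
        st = self.accounts.setdefault(username, AccountState())
        now = self.clock()
        st.failures = [t for t in st.failures if now - t < self.policy.window_s]
        return st

    def wait_seconds(self, username: str) -> float:
        """Seconds the caller must still wait before a login attempt (0 = allowed)."""
        st = self._state(username)
        return max(0.0, st.blocked_until - self.clock())

    def record_failure(self, username: str) -> float:
        """Register a failed attempt; return the delay imposed (0 within the free allowance)."""
        st = self._state(username)
        now = self.clock()
        st.failures.append(now)
        excess = len(st.failures) - self.policy.free_attempts
        if excess <= 0:
            return 0.0
        delay = min(self.policy.base_delay_s * 2 ** (excess - 1), self.policy.max_delay_s)
        st.blocked_until = now + delay
        return delay

    def record_success(self, username: str) -> None:
        """A correct password clears the failure history for that account."""
        self.accounts.pop(username, None)


class FakeClock:
    """Manually advanced clock so the scenario below runs instantly and repeatably."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def simulate_fast_typist() -> dict:
    """Six consecutive mistypes, then the user waits out the delay and logs in."""
    clock = FakeClock()
    throttle = LoginThrottle(ThrottlePolicy(), clock)
    delays = [throttle.record_failure("nheine") for _ in range(6)]
    wait_after_six = throttle.wait_seconds("nheine")
    clock.advance(wait_after_six)          # user waits out the delay
    allowed_after_wait = throttle.wait_seconds("nheine") == 0.0
    throttle.record_success("nheine")
    return {
        "delays": delays,                   # [0, 0, 0, 2, 4, 8]
        "wait_after_six": wait_after_six,   # 8.0
        "allowed_after_wait": allowed_after_wait,
        "cleared_after_success": "nheine" not in throttle.accounts,
    }


if __name__ == "__main__":
    print(simulate_fast_typist())
```

Keying the throttle on the account alone means anyone who knows a username can keep that user delayed; in a deployment the same counter is usually kept per source address as well, and every throttled failure is logged so that a guessing campaign is visible to monitoring rather than silently absorbed.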

Hello,

Thank you for your answers; we have everything we need for now. If we need further information, we will contact you.
We will get in contact if our choice falls on your product.

Best regards,
Niklas Heine

10 months ago

Hello,

We recently stumbled upon another crucial feature we would need if we decide to go for your product.
That feature is a way to change access permissions through the SDK/API. It would make a huge difference if you offered such a feature.
If you don't offer this, is there another way to automate the migration of access permissions?

Best regards,
Niklas Heine

10 months ago

Hello,

We do have a Python SDK that would allow for this, but support is provided solely by the engineer in charge at this time. We have started on a Command Line Interface, but security management features are planned far in the future.

Best regards,



Maurice Côté


10 months ago

Hello again,

Your product made it into the next round of evaluation. For that reason, I need some information about

  • Availability
  • Security

How can we achieve high availability? Can we make redundant systems? Does it work in a master-slave configuration? How do we back up our data? What happens when we need to recover it?

What type of encryption do you use? How can the communication between client and server be kept safe?

Best Wishes,
Niklas Heine

10 months ago

Hello,

As per https://helpserver.devolutions.net/gettingstarted_topologies.htm, you have multiple choices.

Those in our community that need an HA setup typically have two web servers (maybe a load balancer in front; there are good free solutions) and rely on a good DB backup strategy, or use SQL Azure in a geo-redundant setup.

The questions are simple:

  • What type of data loss can you suffer (5 mins, 1 hour, 4 hours)?
  • How long can you tolerate the system being down?

Those two questions drive all of your decisions. A "six nines" (99.9999%) uptime system is orders of magnitude more expensive to maintain than a "four nines" (99.99%) system.

At this time, you cannot have an active-active system, mostly because of our logging layer (we will improve that in the coming year).

And for encryption, the DB content is protected at rest by a unique encryption key generated on the server. You have to deploy an SSL certificate to ensure protection during transport, both on IIS and SQL Server.

Best regards,



Maurice Côté


10 months ago