Monday, June 13, 2011

WebPasswordSafe v1.1 Released!

And what is new in this version you ask?  Here are some highlights and release notes:
  • Created new Authenticator plugins that will disable a user and/or block an IP address after a configurable number of consecutive failed authentication attempts, to prevent brute force or denial of service attacks
  • New admin user menu option to unblock an IP address
  • Add menu options to open password and view current password data as an alternative to double-clicking in the password search results grid (read: iPad/mobile support)
  • Updated all 3rd party dependencies to latest stable versions - GWT, Ext GWT, Hibernate, Spring Framework, GWT-SL, Gilead, Jasypt, ESAPI, etc
  • Namespace and package names changed from com.joshdrummond.webpasswordsafe.* to net.webpasswordsafe.*
  • Bug fixes and other cleanup
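As an added illustration of the first bullet (this is not code from the WebPasswordSafe project), here is a minimal Python model of a failed-authentication tracker that disables a user and blocks a source IP after a configurable number of consecutive failures, together with the administrator's unblock operation. The class, policy and method names are my own assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    # Hypothetical thresholds; both are "consecutive failures before action".
    user_max_failures: int = 5    # disable the user account at this count
    ip_max_failures: int = 20     # block the source IP at this count


class FailedAuthTracker:
    """Tracks consecutive failed logins per user and per source IP (constructed example)."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.user_failures = defaultdict(int)
        self.ip_failures = defaultdict(int)
        self.disabled_users = set()
        self.blocked_ips = set()

    def is_permitted(self, username: str, ip: str) -> bool:
        return username not in self.disabled_users and ip not in self.blocked_ips

    def record(self, username: str, ip: str, success: bool) -> bool:
        """Record one authentication attempt; return True only if login is accepted."""
        if not self.is_permitted(username, ip):
            return False  # disabled user or blocked IP: reject, leave counters untouched
        if success:
            # A successful login ends the consecutive-failure run for both keys.
            self.user_failures.pop(username, None)
            self.ip_failures.pop(ip, None)
            return True
        self.user_failures[username] += 1
        self.ip_failures[ip] += 1
        if self.user_failures[username] >= self.policy.user_max_failures:
            self.disabled_users.add(username)
        if self.ip_failures[ip] >= self.policy.ip_max_failures:
            self.blocked_ips.add(ip)
        return False

    def unblock_ip(self, ip: str) -> None:
        """Administrator action corresponding to the 'unblock an IP address' menu option."""
        self.blocked_ips.discard(ip)
        self.ip_failures.pop(ip, None)
```

Note that the user counter is keyed on the claimed username, so a disabled account stays disabled even when the correct password is later supplied; only an administrator re-enables it.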

New to WebPasswordSafe?

Thursday, March 31, 2011

WebPasswordSafe vs . . .

So how does WebPasswordSafe compare with other similar solutions?

If you are looking for a single-user solution to safely store the various personal passwords you have, you'd probably be better off using Password Safe, KeePass, or LastPass.  These are desktop applications or browser plugins that typically use a single password to unlock access to multiple encrypted password entries you store in it.  They only offer all-or-nothing single-user access.

If you are looking for a complete "privileged identity management" system to take over your enterprise accounts and passwords, you may want to pull out your checkbook and take a look at BeyondTrust, Cyber-Ark, or e-DMZ/Quest TPAM PPM.

Between those two extremes are centralized multi-user password safe products that may include some extra features of the heavy-weight management solutions, such as remote password changing.  These solutions target the set of passwords that are shared between groups of people within the organization, most often privileged or service accounts, where you need to securely store them in a central location with auditing for disaster recovery purposes, but need delegated access controls because all-or-nothing access for everyone in the organization is inappropriate.  This is the product space where WebPasswordSafe most closely fits, and examples include Password Manager Pro and Thycotic Secret Server.  Using these examples, especially the latter, as the comparison, here are some of the key differences and why WebPasswordSafe may be the best fit for you:

  • Free
  • Open source, with transparent security
  • Multi-platform (doesn't require Windows and MSSQL)
  • Simple and easy to use user interface
  • Plugin modules for audit logging, authentication, authorization, data encryption, and password generation allowing the choice between customizable integration with your organization's existing technology or using the default out-of-the-box implementations
  • Useful and customizable reports
  • Better categorization of passwords based on free-form tags rather than hierarchical folders
  • Permission templates that allow more reusability and flexibility of applying common permission combinations on passwords than forced hierarchical folders
  • More fine-grained audit events, such as the difference between viewing a password's properties and the password's actual decrypted value
  • Basic SOAP web services interface
  • Built with security in mind from the ground up, with features that IT security professionals demand

These differences are all in addition to many other features that it shares with the other products, which you can read about on the main project page and documentation pages on the wiki.

Sunday, March 20, 2011

Meet WebPasswordSafe

WebPasswordSafe v1.0 was quietly released two months ago, and the feedback has been great so far.  Time now to publicize to a wider audience.  For first time users or administrators considering adoption, although there is ample documentation to read (AdminGuide and UserGuide), oftentimes screenshots can give a quicker and clearer picture.  So please join me while we take a quick visual walkthrough of the basic features of WebPasswordSafe!

First is the login screen.  Simple but the strength is in a multitude of authentication plugins on the backend to integrate into your existing environment or use the default.

The first task of an administrator is often to create users and groups for those who will use WebPasswordSafe in the organization.

Setting up new users and updating existing ones is a breeze.  An administrator can also change users' passwords if local authentication is in use.

Creating and updating groups is similarly easy to model after your organization.

From the user-friendly interface, you can add/remove users from the groups screen...

...or add/remove groups from the user screen.  User accounts can also be disabled (rather than deleted, for audit reasons) so they can no longer access WebPasswordSafe.

For a regular (non-administrator role) user, the user interface changes slightly, and you will spend most of your time adding, searching for, and viewing password entries.

Adding/updating a password entry is a powerful screen.  Give each entry a unique title, username/password credentials (or invoke the generate password plugin to create a new random one based on complexity policy you set), friendly one word tags for categorization, other notes, and how many historical iterations of the password to keep.

Beyond a password entry's basic attributes, you'll also want to change the default permissions (GRANT to the logged-in user) to share the entry in read, write, or grant mode with other users or groups in your organization.  Fine-grained access control on each password entry, shared with members of your organization, is a key feature of WebPasswordSafe.

Searching for existing passwords you have access to is easy using the simple main search screen.  Search based on text in the password title, username, notes and/or by tags, choosing whether to include inactive (deleted) ones or not.

Once you find the password entry you want, you can quickly access the current password value by double-clicking the row's password column to produce a pop-up screen containing the decrypted value to conveniently view or copy/paste.  Alternatively you can double-click any other column of the selected row to bring up the view/edit password screen.

View Password History is an option from the password screen.  It displays all past password values for a particular entry, up to the max history value you've set, along with when they were created and by whom, with copy/paste ability.

View Access Audit Log is another option from the password screen.  It displays a complete audit log of each time users have viewed the password entry's decrypted value.

Oftentimes you will find yourself applying the same set of permissions to multiple password entries.  If the set of permissions is large, you may find yourself clicking a lot.  To make this faster, you can create a permission template once and easily apply it to multiple passwords: fewer clicks!

Create your permission template using a similar easy-to-use interface as when applying permissions to password entries.

Now when editing password permissions, you can Add Template to apply a whole set of permissions at once, rather than one by one!

Depending on your role (user or administrator) you will have different reports available to you, in both PDF and CSV format.

Users Report (PDF format)

Groups Report (PDF format)

Password Access Audit Report (PDF format)

Password Permissions Report (PDF format)

Current Password Export Report (CSV format)
Good for offline export and keeping in a locked safe for disaster recovery purposes.

Finishing up with the last few features: easy access to Help documentation...

...the About screen...

...change password and logout.

Change password screen, if you are using the default local authentication plugin.

And that wraps up the client-side features of WebPasswordSafe v1.0.  The simple user-friendly front-end, combined with a secure, flexible, multi-platform, and highly configurable back-end makes WebPasswordSafe the ideal multi-user enterprise password safe/manager for your organization.