Monday, May 25, 2015

Move to GitHub

No, we aren't dead!  In fact, due to requests from people wanting to help contribute more easily and Google Code shutting down, the project has moved to GitHub.  A new release is being worked on but feel free to fork it and your pull requests are very welcome!

Sunday, July 7, 2013

WebPasswordSafe v1.3 Released!

Okay, so the next version took a little longer than expected, but it was worth the wait.  Many new features and user requests are included, as well as a pre-built sample .war file in the download area by popular request.  Here are highlights of the changes:

  • Major changes to extensible reports architecture
    • Reports can take optional input parameters
    • New Password Expiration Report
    • New System Audit Log Report
  • Tag name autocomplete input on password edit screen
  • Groups and Templates can be permanently deleted
  • Bypassing of password permissions for "admin" role is now a configurable option to turn on or off
  • Better support for root context and reverse-proxy deployments
  • New RESTful Web Service API
  • CSP implemented for additional layer of security
  • Password Title no longer required to be unique
  • Various Username and Password fields standardized on 100 character max length
  • Tags on password search screen customized for logged-in user
  • Help documentation now links to locally deployed site

Sunday, May 27, 2012

WebPasswordSafe v1.2 Released!

Yes finally, an update!  With this upgrade comes many enhancements requested by you and the next version won't be as far away.  Release notes you ask?
  • Internationalization (i18n) support
  • Strong CSRF/XSRF protection completely rewritten for better compatibility and standardization
  • Password Search enhancements including: quick search of tagged passwords by double-clicking on tag in list; support for both 'OR' and 'AND' searches when filtering multiple tags; case-insensitive search
  • Password title and username now both updatable with augmented audit logging
  • Can specify characters to exclude when generating password, for optionally excluding "look-a-like" characters
  • Update 3rd party dependencies to latest patched versions

Monday, June 13, 2011

WebPasswordSafe v1.1 Released!

And what is new in this version you ask?  Here are some highlights and release notes:
  • Created new Authenticator plugins that will disable a user and/or block an IP address after configurable number of consecutive failed authentication attempts to prevent brute force or denial of service attacks
  • New admin user menu option to unblock an IP address
  • Add menu options to open password and view current password data as an alternative to double-clicking in the password search results grid (read: iPad/mobile support)
  • Updated all 3rd party dependencies to latest stable versions - GWT, Ext GWT, Hibernate, Spring Framework, GWT-SL, Gilead, Jasypt, ESAPI, etc
  • Namespace and package names changed from com.joshdrummond.webpasswordsafe.* to net.webpasswordsafe.*
  • Bug fixes and other cleanup

New to WebPasswordSafe?

Thursday, March 31, 2011

WebPasswordSafe vs . . .

So how does WebPasswordSafe compare with other similar solutions?

If you are looking for a single-user solution to safely store the various personal passwords you have, you'd probably be better off using Password Safe, KeePass, or LastPass.  These are desktop applications or browser plugins that typically use a single password to unlock access to multiple encrypted password entries you store in it.  They only offer all-or-nothing single-user access.

If you are looking for a complete "privileged identity management" system to take over your enterprise accounts and passwords, you may want to pull out your checkbook and take a look at BeyondTrust, Cyber-Ark, or e-DMZ/Quest TPAM PPM.

Between those two extremes are centralized multi-user password safe products that may include some extra features of the heavy-weight management solutions such as remote password changing.  These solutions target the set of passwords that are shared between groups of people within the organization, most often privileged or service accounts, where you need to securely store them for disaster recovery purposes in a central location with auditing, but need delegated access controls because all-or-nothing access for everyone in the organization is inappropriate.  This is the product space where WebPasswordSafe most closely fits, and examples include Password Manager Pro and Thycotic Secret Server.  These examples, especially the latter, are from which I point out some of the key differences and why WebPasswordSafe may be the best fit for you:

  • Free
  • Open source, with transparent security
  • Multi-platform (doesn't require Windows and MSSQL)
  • Simple and easy to use user interface
  • Plugin modules for audit logging, authentication, authorization, data encryption, and password generation allowing the choice between customizable integration with your organization's existing technology or using the default out-of-the-box implementations
  • Useful and customizable reports
  • Better categorization of passwords based on free-form tags rather than hierarchical folders
  • Permission templates that allow more reusability and flexibility of applying common permission combinations on passwords than forced hierarchical folders
  • More fine-grained audit events, such as the difference between viewing a password's properties and the password's actual decrypted value
  • Basic SOAP web services interface
  • Built with security in mind from the ground up, with features that IT security professionals demand

These differences are all in addition to many other features that it shares with the other products, which you can read about on the main project page and documentation pages on the wiki.

Sunday, March 20, 2011

Meet WebPasswordSafe

WebPasswordSafe v1.0 was quietly released two months ago, and the feedback has been great so far.  Time now to publicize to a wider audience.  For first time users or administrators considering adoption, although there is ample documentation to read (AdminGuide and UserGuide), oftentimes screenshots can give a quicker and clearer picture.  So please join me while we take a quick visual walkthrough of the basic features of WebPasswordSafe!

First is the login screen.  Simple but the strength is in a multitude of authentication plugins on the backend to integrate into your existing environment or use the default.

The first task of an administrator is often to create users and groups for those who will use WebPasswordSafe in the organization.

Setting up new users and updating existing ones are a breeze.  Administrator role can also change user's passwords if using local authentication.

Creating and updating groups is similarly easy to model after your organization.

From the user-friendly interface, you can add/remove users from the groups screen...

...or add/remove groups from the user screen.  Also disable (rather than delete for audit reasons) user accounts from being able to access WebPasswordSafe.

As a regular (non-administrator role) user, the user interface will change slightly and you will spend most of your time adding, searching for, and viewing password entries.

Adding/updating a password entry is a powerful screen.  Give each entry a unique title, username/password credentials (or invoke the generate password plugin to create a new random one based on complexity policy you set), friendly one word tags for categorization, other notes, and how many historical iterations of the password to keep.

Beyond a password entry's basic attributes, you'll want to also change the default permissions (GRANT to logged in user) to share in either read/write/grant mode to other users or groups in your organization.  Fine-grained access controls on each password entry to share with members of your organization is a key feature of WebPasswordSafe.

Searching for existing passwords you have access to is easy using the simple main search screen.  Search based on text in the password title, username, notes and/or by tags, choosing whether to include inactive (deleted) ones or not.

Once you find the password entry you want, you can quickly access the current password value by double-clicking the row's password column to produce a pop-up screen containing the decrypted value to conveniently view or copy/paste.  Alternatively you can double-click any other column of the selected row to bring up the view/edit password screen.

View Password History is an option from the password screen. It displays all past password values for a particular entry based on the max history value you've set, when they were created and by whom, and copy/paste ability.

View Access Audit Log is another option from the password screen.  It displays a complete audit log of each time users have viewed the password entry's decrypted value.

Oftentimes you will find yourself applying the same set of permissions to multiple password entries.  If the set of permissions is large, you may find yourself clicking a lot.  To make this faster, you can create a permission template once, and easily apply it to multiple passwords- less clicks!

Create your permission template using a similar easy-to-use interface as when applying permissions to password entries.

Now when editing password permissions, you can Add Template to apply a whole set of permissions at once, rather than one by one!

Depending on your role (user or administrator) you will have different reports available to you, in both PDF and CSV format.

Users Report (PDF format)

Groups Report (PDF format)

Password Access Audit Report (PDF format)

Password Permissions Report (PDF format)

Current Password Export Report (CSV format)
Good for offline export and keeping in a locked safe for disaster recovery purposes.

Finishing up the few last features- easy access to Help documentation...

...the About screen...

...change password and logout.

Change password screen, if you are using the default local authentication plugin.

And that wraps up the client-side features of WebPasswordSafe v1.0.  The simple user-friendly front-end, combined with a secure, flexible, multi-platform, and highly configurable back-end makes WebPasswordSafe the ideal multi-user enterprise password safe/manager for your organization.

Wednesday, December 15, 2010


Welcome to the WebPasswordSafe blog!  Here you'll find important news, updates, and articles regarding WebPasswordSafe and related technology and trends.  You can also keep up-to-date and participate in the WebPasswordSafe community using Twitter, Facebook, and/or Google Groups.