fecton.ernst.meinhart

fecton.ernst.meinhart's Achievements

  1. We would like to see native authentication options within the browser extension, as on the Passwordstate Web Portal. To be more specific, the browser extension should perform the exact same authentication flow as when trying to log in to the web portal. Users within an organization should generally not handle any kind of "Master Passwords", with some very rare exceptions. Instead, most (and probably all larger) companies try to create a unified authentication experience with some IDPs like AzureAD. In our case we integrate using SAML2 with AzureAD, where authentication, SSO, MFA, device compliance checks and so on are performed. We do this for all internal applications in our organization, and it's the most suitable and manageable way, with great user acceptance. Handling master passwords would be a security concern because users could simply store those passwords in a text file on the desktop, for example, which is practically impossible to control or audit. As we are humans, something like this will happen. It is also a security concern as this eliminates the MFA / device compliance process in our case. Also, this is not a comfortable way, and user acceptance of the browser extension is very limited. In our organization users prefer to log in to the Passwordstate web portal and copy the credentials instead of managing a master password. I understand that changing this behaviour is a lot of work because of the existing API architecture and so on, but at least in my opinion this is the most needed feature of all.
  2. Currently there is an option to schedule the "Have I been pwned" report to be sent automatically. Sadly, there are no options to filter for specific password lists / folders (multiselect) for this report. So the feature request is to be able to filter for specific password lists / folders within the reporting settings. We would like to filter on a subset of the password lists of the Passwordstate instance only. The reason for this is that we use Passwordstate to store credentials from customer systems, and we don't want that information to be sent to third-party services like Have I Been Pwned. But we would like to use this service for our organization's internal credentials. The only workaround I see for the moment is to go to each password list and fetch the result using the Passwordlist Administrator actions. Doing it that way means more time spent on fetching and consolidating in comparison to a scheduled report. Also, this is manual work which needs to be tracked accordingly to confirm it has been done, which is generally more error-prone and could be a security concern.
  3. As a Passwordstate admin, I want to configure "Bad Passwords" configurations within each Password Strength Policy on its own. Depending on which policy is set on a password list, the linked bad passwords configuration should take effect. Our use case: we are storing some passwords which won't meet the requirements to pass the Bad Passwords check, but we have to store them in Passwordstate. I have this situation on special password lists only, so it's just a small subset of the system where this should be allowed. Right now I have to change this setting for the whole Passwordstate instance. This allows unsafe passwords on password lists where I don't want to allow them. On update, the default Bad Passwords configuration should get copied to all existing password strength policies.