Jump to content

How to unlock a user account in Passwordstate!?


Lennart

Recommended Posts

Hi there,

 

Right now I got a user that is blocked from accessing Passwordstate and Im unable to find any options to unlock it (Im a Security Administrator).

 

Please provide information about this, the sooner the better as I suspect this will happen with more frequency in the coming future.

 

Thanks.

//Lennart

Link to comment
Share on other sites

Is there a way to disable this feature? We're getting too many accounts locked out. We don't allow public access to Password State and I guess users are typing their password wrong enough to cause lockouts. 

Link to comment
Share on other sites

Hi abj,

 

For security reasons, we have no way of disabling this feature.

Is it the IP Addresses of your user's workstations that you are seeing being blocked, or is it some sort of network device? If it's a network device, we do have x-forwarded support, which can be configured on the screen Administration -> System Settings -> Proxy & Syslog Server tab.

 

Your network devices also need to be configured for x-forwarded support, and then the correct IP Address of your workstations will be detected.

Regards

Click Studios

Link to comment
Share on other sites

I'm not sure what makes this security feature so special that it can't be disabled, but all the other security features can be configured. Is this how you will be doing product development in the future, where you just add security features as you see fit and not provide any options to configure them?

 

100% of the IPs blocked so far by this feature have been false positives. At least provide a threshold so that users are not getting blocked so quickly / add an auto-unblock option. We do not have any network devices in front of Password State, all the IPs blocked were individual workstation IPs. 

Link to comment
Share on other sites

Hi abj,

 

Most customers appreciate us implementing new security features like this, and in this case it's to prevent brute force login attempts into your Passwordstate environment - is that not of a concern to you?

 

What IP Addresses are being reported, if you have no network devices in between your Passwordstate web server and your clients?

 

If you go to the System Settings screen, you can configure the blocked threshold, so we do provide features that can be configured.

Regards

Click Studios

Link to comment
Share on other sites

Our Passwordstate instance is not exposed to the Internet and we use 2FA authentication as well, so brute force is not a concern for us. 

The IP address of end user workstations is being reported. 


Thanks for the pointer to the threshold, I have set it high enough that this should not be an issue for us anymore. 

Link to comment
Share on other sites

Hi Abj,

 

It's also applicable for internal - i.e. malware, account compromises, etc.

 

Ad that's good it's reporting the IP Address of your workstations' What was the false/positives you were referring to?

Regards

Click Studios

Link to comment
Share on other sites

  • 3 weeks later...

I'm going to second report this feature being an issue. after upgrades last night, have had 2 users report issues with accounts being blocked after an error relating to 2fa. Will be opening a ticket, but wanted to throw this here to be visible. 

What I've discovered: removing them from the blocklist does not work- the users immediatly get re-added to the blocklist the next time they try to sign in. However, using a browser on the same PC in incognito mode does let them log in from the PC on the blocklist. This.. doesn't make a lot of sense from a blocklist perspective, but it has given us a workaround. Will have to test if increasing the number of failures allows them to log in normally. 

I will second that this feature is not really something that we want. We also have passwordstate only accessible from on our network, and 2fa /should/ be adequate protection against malware or compromised PCs. If an attacker is already able to bypass or deal with 2fa, being blocked on a single IP doesn't seem to be much of a hinderance. And if the ability to use browsers in private/incognito mode is not something specific to a glitch we are encountering, it seems that this isn't much of a hinderance, more an annoyance. 

Link to comment
Share on other sites

Hello All,

 

Please upgrade to build 9112, and you will now have options to disable this feature (not recommended), and the feature will also now track per UserID - so one user will not be able to lock out another user.

Regards

Click Studios

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...