Jump to content

Browser Extension Master Password Requirement


Recommended Posts

In 2023 Click Studios updated our Browser Extensions to use a Master password.  Below is some information about why we introduced this new security feature, and some hints on how you can adjust the settings to suit your environment:


Reason for the Change

  • We've been maintaining legacy code in the browser extension since 11th September 2019. This legacy code base can no longer be supported from both development and functionality perspectives
  • Access and Refresh tokens are now used to more securely facilitate communication between the browser extensions and Passwordstate (the API in Passwordstate)
  • Security Administrators can now also revoke Access Tokens for users if required
  • The per user Master Password, forms the basis of encryption for the tokens


**EDIT** Updated March 2024 - As of build 9823, the requirement for the Master Password can be disabled if required.  Please read FAQ below which explains how it works, and then make an assessment if you want to disable the Master Password.


Frequently Asked Questions

Question: Why is a Master Password required?

Answer: With the encryption of the tokens mentioned above, a static known value is required for perform this end-to-end encryption. The user authenticates with their Master Password, and this is validated against what's stored in the database


Question: What options are available for Browser Extension timeout settings, and locking/unlocking of the extensions?

Answer: In the following Security Administrator's manual https://www.clickstudios.com.au/downloads/version9/Passwordstate_Security_Administrators_Manual.pdf, please refer to Section "2.8 Browser Extension Settings" - Page 27 to Page 30.


Question: Can we disable the use of the Master Password?

Answer: No, you cannot, because of the encryption requirement mentioned above. You can however assess whether you want to use the "Auto Unlock" feature, which will significantly reduce the number of times users will need to enter their Master Password. Again, refer to Security Administrators manual above


**EDIT** As of build 9823, due to feedback from our community, we have introduced an option to disable the Master Password.  Please consider the risk in disabling the Master password before making the decision to turn it off, and this this Restricted Feature can be found on the screen Administration -> Feature Access -> Restricted Features tab.  Please submit an unlock code to Click Studios Support as a once off process to remove the Master Password requirement.


Question: Can we set a common Master Password for all users?

Answer: No, you cannot. This goes against best practice of sharing passwords, and each user must set their own on the screen Preferences -> Browser Extension tab


Question: What if our users forgets their Master Password?

Answer: They can log back into Passwordstate and reset it under their own personal preferences.


Question: I'm running build 9786 of Passwordstate and the maximum timeout session settings for the browser extension is 3 days.  Can we set this to a larger value?

Answer: Build 9795 includes more options to set for this value, 7, 14 and 30 days.


Question: I'm required to enter my Master Password for the browser extension every time I open a new browser.  Can I prevent this?

Answer: You can set the Auto-Unlock feature under Administration -> Browser Extension Settings page.  The user will not be required to enter their Master Password again unless their session expires.


Question: What is the Sliding Token for this Master Password and how does it affect how I authenticate to the extension?  I have the Auto Unlock feature enabled with the Session Timeout set to 30 days and want to make this as simple as possible for me end users to use the extension.

Answer:   1.    The user enters their Master Password into the extension and this creates a session token on for 30 days.
                 2.    This session token is known as a “sliding token” which means every time the browser extension connects back to your Passwordstate website for any reason, the token time gets reset back to 30 days.  This means the Auto                                    Unlock feature is valid for another 30 days and the Master password will not be required for that time frame. 


Question: What conditions does the Browser Extension connect back to your Passwordstate website? 
Answer:   1.    If the user opens their browser. It will immediately connect back and sync any data.  Sliding Token is refreshed and reset back to default session timeout.
                 2.    Whilst the browser is open, it will automatically sync on a 60 minute schedule to check if there is any new data.  Sliding Token is refreshed and reset back to default session timeout.
                 3.    If your user visits a third party website such as Facebook for example, and they either save, autofill or update credentials for that page, it sends data back to your Passwordstate website, refreshing the Sliding Token to the default                          timeout.

                 4.    You can manually trigger an immediate data sync within the Browser Extension which refreshed the Sliding Token.


Question: Have you got any guides I can forward onto my end users on how to use this new extension?

Answer: We have produced a blog article which outlines the changes in functionality, how to create the Master Password and unlock the Browser Extension https://blog.clickstudios.com.au/important-changes-to-browser-extensions.


Question: When is the cut off date to upgrade Passwordstate

Answer: Effective week commencing Monday 31st October, Click Studios will be releasing updated versions of our Browser Extensions for Chrome, Edge, Firefox and Brave web browsers.  Click Studios has no control over the timing of deployment to customers systems once the updated Browser Extensions have been released to the relevant application stores.


Question: Can any of the two factor logins into Passwordstate work in place of the Master Password?

Answer: No, logging into Passwordstate with a 2FA such as SAML or DUO does not replace the need for the Master password.  A Master password must be set as the unique value of that password forms the encryption on the user device.


Question: Do users still need to set an initial master password if we use the Auto Unlock feature?

Answer: Yes, the Master Password must still be set and used to log in the first time. 


Question: Can I test this out ahead of time, so I can see how this works and document any changes I need for my environment?

Answer: Your license agreement with Click Studios states that you can use your production license keys on a dev\test instance, so we encourage you to set on up, possibly with production data so you can test upgrades and new feature in Passwordstate. Please see this blog post for more information o how to do this:  https://blog.clickstudios.com.au/can-you-setup-a-test-instance-with-production-data/




Link to comment
Share on other sites

  • 2 months later...

Thanks.  To be clear, October 31 the new browser extension is released.  All browser extensions currently installed will automatically update to this new extension release without user intervention.  If our Passwordstate instance is not upgraded to at least build 9785 the newly released and automatically upgraded extensions will not work.

Link to comment
Share on other sites

Thank you so much for this post. I came to the forums to find out if anyone else was unhappy with this new Master Password requirement and discovered how to properly manage the system instead. This makes things much better. As always, I still love and recommend this product over any other out there.

Link to comment
Share on other sites

  • 1 month later...

I have been having some major issues with the new extension, even with the settings above. I am constantly having to enter my master password to the extension. By constantly, I mean daily, even though I had it set to 30 days in the Administration->Browser Extensions.  I know there's only so much I can do, is anyone else reporting that it's not working regularly?  I rely on this extension so much that I might need to find a new solution until it's fixed.

Link to comment
Share on other sites

Hi Ehanderson,


This sounds like maybe you aren't preserving cookies maybe with the browser closes, or something that is clearing the session.  Maybe upgrade to the latest build and there is a feature you can use to completely disable the Master password if you like. You'll need to log a support call with Click Studios to unlock this feature, and you can do this through this page:  https://www.clickstudios.com.au/support.aspx


Please provide an unlock code in your support call, and please note Click Studios support will reply with an unlock code, and will CC in any contact we have for your company.  This is just to make at least two users aware at your company that this change is going to take place



While we have most users using the new master password and whilst we here at Click Studios will always recommend the most secure options, we do have some that are disabling the Master Password, as they have done their own risk assessment and are happy to bypass that layer of security.




Link to comment
Share on other sites

  • 5 months later...

Thank you for the clear guide.


I have a question about the actual risk of using the 'unlock browser extension upon browser startup' feature.


For user convenience I would like to make sure that users don't have to re-enter their master password for at least one full working day. The manual says that we need to do a risk assessment for this.


So my question is: what is the actual risk of keeping the extension session with the Passwordstate API alive? Does this mean that a stolen browser session enables an attacker to use this API token to retrieve passwords from our Passwordstate instance?






Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...