
Passwork 7.0.6 update is available in the Customer portal.
- Fixed incorrect background task name for LDAP synchronization in test mode
- Fixed an issue where changes in role settings could not be saved after setting the minimum refresh token lifetime
- Improved overall system stability and performance



Passwork 7.0.6 release

In the new version, we’ve improved sorting algorithms for vaults, passwords, and shortcuts, extended settings for authorization password policies, and made numerous improvements to the UI and localization.
Improvements
- Added new settings Restrict password reuse and Password history length to the authorization password complexity policies
- Added an option to navigate to the initial password directory from the Recents and Favorites
- Added tooltips for long group, folder, password, and shortcut names
- Prevented creation of additional fields with duplicate names or names already used in system fields — identical names with different cases are allowed
- Improved filters in User management and Activity log
- Improved the UI, dark theme, and localization
Bug fixes
- Fixed sorting of vaults, folders, passwords, and shortcuts in Favorites, Inbox, Search, and Bin
- Fixed an issue where the SMTP password field sometimes displayed Empty even though a password was set
- Fixed an issue where trying to open a password with a lot of characters in the Password field prevented cards from opening and users were redirected to the Recents
- Fixed an issue where a prompt to change the local password sometimes appeared after logging in via LDAP
- Fixed an issue where the Master password complexity policy settings appeared in role settings when the client-side encryption was disabled
- Fixed an issue where some system notifications were not sent to administrators and users with permission to view them
- Fixed an issue where manually imported data was reset when returning to data mapping
- Fixed incorrect display of access levels in the System settings changed event
- Fixed sorting by date in the Bin



Passwork 7.0.5 release

Introduction
Companies spend millions on cybersecurity policies — but often overlook the human side of enforcement. Why do employees ignore security rules, even when they’re clearly defined and regularly updated? And how can organizations shift from checkbox compliance to genuine behavioral change?
These were the big questions tackled in our latest Passwork cybersecurity webinar, featuring ISO 27001 consultant and ISMS Copilot founder, Tristan Roth. Together, we explored how companies can strengthen security culture, align leadership and compliance teams, and ultimately get employees to care about cybersecurity policies.
This article highlights the key insights from that discussion, offering a practical roadmap for businesses aiming to turn policy fatigue into proactive security awareness.
The compliance trap: Why policies fall flat
According to a 2024 ISACA survey, just 38% of organizations believe their compliance efforts have improved their actual security posture. The rest? Going through the motions.
They want to be ISO-certified in three weeks. They write 50 documents, sign them, and think the job is done. But there’s no substance. And without substance, there’s nothing to embed into company culture.
— Tristan Roth
Tristan noted that many companies pursue ISO 27001 purely for external reasons — sales pressure, vendor demands, regulatory requirements. But this "checkbox compliance" mindset often leads to rushed implementations, shallow training, and policies that nobody reads.
That’s precisely why meaningful certifications stand out. As a case in point, Passwork itself recently achieved ISO/IEC 27001:2022 certification — a milestone that underscores our commitment not just to technical excellence, but to real, operational security practices. You can view the certification details here. For us, it’s not about the certificate on the wall — it’s about living the standard in our day-to-day approach to product design, customer trust, and internal controls.
The real reason employees tune out
It's easy to blame employees for ignoring security policies. But in many cases, they’re not wrong to do so.
Tristan described how companies often copy-paste policy templates from the internet without adapting them to their specific context. A policy meant for a university might get handed to a startup team. A remote work rule might ignore hybrid realities.
If a policy obviously doesn’t reflect your real work environment, of course employees will skip it. They know when no effort was made.
This disconnect between policy and reality creates distrust. Employees learn to view documentation as bureaucracy, not guidance.
Training vs. transformation
Security training is everywhere — but it’s often treated like background noise.
Tristan emphasized that truly effective awareness programs require empathy, relevance, and context. Instead of one-size-fits-all e-learning modules, what works best is direct, human conversation. Sitting down with small groups. Tailoring sessions to different roles. Explaining why a policy exists, not just what it says.
Sometimes, the most effective approach is doing things that don’t scale. A 10-person training session can do more than a 2-hour video everyone skips.
This type of pedagogy isn’t flashy — but it changes behavior. It creates a feedback loop between employees and security teams that policy documents alone can’t.
Third-party risk: The unseen threat
In 2024, over 60% of data breaches were linked to third parties. Yet many organizations still conduct vendor assessments as a one-time task during onboarding — and never revisit them.
The companies I work closest with — I know the people. And if something changes, I can ask for proof, or pivot fast. That’s the mindset companies need to adopt.
Tristan warned against over-relying on surface-level due diligence. He stressed the importance of designating a responsible person (even in small companies) to build real relationships with vendors, revisit risk exposure over time, and keep alternative solutions in mind for business continuity.
Password mismanagement: Still the weakest link
According to Verizon’s Data Breach Investigations Report (DBIR), over 80% of hacking-related breaches still involve stolen or reused credentials.
Despite having password policies in place, many companies don’t monitor whether employees actually follow them. Shared passwords in messaging apps, weak variations of old passwords, or resistance to using MFA — these are all symptoms of convenience overriding policy.
A good password policy isn’t enough. You need to design systems assuming passwords will be compromised — and build defenses like MFA around that assumption.
Passwork and similar tools offer self-hosted or cloud-based solutions, but Tristan’s advice was clear: tools help, but they don’t replace responsibility. Compliance teams need to combine tech with empathy, audits, and clear communication.
Automating GRC without alienation
Automation can cut Governance, Risk management and Compliance (GRC) workloads by up to 60%, but it’s not a silver bullet. Poorly implemented tools can actually increase policy fatigue.
Some platforms take ten times longer than Excel. People go back to Excel — not because they don’t believe in compliance, but because the tool wasn’t built with their workflow in mind.
Instead of aiming for “full automation,” companies should focus on effective automation — solutions that reduce friction, not increase it. This means assigning a project owner, setting realistic expectations, and piloting changes before rolling them out at scale.
Leadership role in building security-first culture
Cybersecurity is often seen as an IT issue, but real change starts with leadership.
A recent PWC survey found that 80% of executives say they prioritize security — yet only 30% of CISOs feel supported. Tristan argued that this misalignment often stems from poor communication.
Security leaders need to speak the language of business. Not vulnerability management. Risk in financial terms. Loss potential. Mitigation cost. Impact.
CISOs must become translators — connecting security risks to business outcomes. When leadership understands the stakes in terms they care about, support and budget follow.
Final thoughts
Employees ignore cybersecurity policies not because they’re lazy — but because the policies feel irrelevant, the training feels generic, and the tools feel like obstacles.
Shifting that mindset requires a cultural transformation: from compliance to care, from documentation to dialogue. As Tristan put it, be the captain of your own security ship. Know your context. Use the tools wisely. But lead with empathy and clarity.



Why do employees ignore cybersecurity policies?
Employees often ignore cybersecurity rules not out of laziness, but because they feel generic, irrelevant, or disconnected from real work. True change starts with empathy, leadership, and context-driven policies. Read the full article to learn how to make security stick.

In Passwork 7, we improved everything: completely rewrote the code using the latest technologies, implemented a full-fledged API, updated the interface, redesigned groups and roles, abandoned the automatic addition of system administrators to vaults, and made access rights management even more flexible. This will significantly enhance the convenience of administration and password management, as well as greatly accelerate the development of new features.
Updated interface
We redesigned the Passwork interface and updated all key sections, taking many requests into account and fixing logical and functional errors while preserving the familiar convenience of working with passwords. We also added the ability to customize column widths and move interface elements, so each user can adapt the interface to their needs.

Expanded API functionality
We significantly expanded the API functionality — now it allows full interaction with all Passwork features: from copying passwords to managing users and security settings.
To simplify working with the API, we prepared an official Python connector — a developer library that allows integrating Passwork with applications and scripts in Python, and the Passwork-CLI utility, which enables working with the API from the command line.
Instead of API keys, tokens are now used — a more modern and reliable way to access the system. In addition, API access settings have been moved to the role page.
New backend and frontend
We completely updated the code using more modern methods — this will improve performance and simplify the initial installation of Passwork. Moreover, the new code will become the basis for developing desktop applications and will significantly speed up the introduction of new features.
User roles
We updated the status system by combining administrative rights and user settings, and renamed them to Roles — now, instead of two standard statuses Administrator and Employee, you can create an unlimited number of roles with individual rights and settings.

User groups
What was called Roles in previous versions has been renamed to Groups, making the user management process more intuitive and closer to common standards, such as those used in Active Directory. Groups allow restricting user access to vaults based on certain privileges.

Updated vault structure
We simplified the vault structure — instead of organization vaults and personal vaults, users will be able to create private vaults. A private vault becomes shared when other users are added to it. At the same time, administrators are no longer automatically added to new vaults.
The updated vault structure ensures reliable encryption and offers new possibilities for password management, making the process more convenient and secure.

Vault access confirmation
When adding users to groups, they will no longer automatically receive access to other users' vaults — access will require confirmation from the vault administrator. Users who gained access to a vault during LDAP synchronization also need to be confirmed. This provides additional control and prevents unauthorized access to vault contents.

Changing access levels
We’ve reworked the access level system and introduced a number of changes to some of them:
- Navigation level has been replaced by an ability to view all parent directories of the folder the access level is applied to
- Users with the Full access level now can view access levels of other users, manage additional access, view the history of changes within the directory and analyze passwords available to them via Security dashboard
- Added the ability to assign administrative rights to users in folders. The Administration access level is inherited by child folders without the ability to change it

History of actions and notifications
We’ve expanded the list of actions that are logged, updated their descriptions and completely reworked the notification system. Soon after the release we are going to introduce notification settings, which will add flexibility to keeping track of important changes and user actions.

Using shortcuts
In order to enhance security, we’ve made some changes to the way shortcuts work:
- It is now impossible to copy shortcuts for passwords which don’t allow shortcut creation
- Folders which include shortcuts unavailable to a user will now be copied without them
Adding tags to passwords
Now when you create or edit a password, you will be able to pick a tag from a list of already created ones. This has an added benefit of preventing creation of tags with the same name (sales ↔ Sales, etc.). When selecting tags, only those available in the user's vaults will be displayed.

Changes to 2FA reset flow
When you reset your authorization password, two-factor authentication now won’t be reset along with it. Users won’t be able to reset 2FA without a successful login, which increases security.
Account locking option
We’ve introduced an account locking feature. You will be able to set a limit on failed login attempts, timeframe for tracking the failed attempts and lockout duration.
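
How the three settings interact can be shown with a small sliding-window tracker. This is an added illustration, not Passwork's own code; the names `LockoutPolicy`, `max_attempts`, `window_seconds` and `lockout_seconds` are hypothetical, and the timeline in `simulate()` is constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    """Hypothetical names for the three settings described in the text."""
    max_attempts: int = 5        # limit on failed login attempts
    window_seconds: int = 300    # timeframe for tracking failed attempts
    lockout_seconds: int = 900   # lockout duration


class LockoutTracker:
    def __init__(self, policy):
        self.policy = policy
        self._failures = defaultdict(deque)  # account -> failure timestamps
        self._locked_until = {}              # account -> unlock timestamp

    def is_locked(self, account, now):
        """Check this before verifying credentials, so locked accounts
        never reach the password comparison."""
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            # Lockout expired: clear state so the account starts fresh.
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account, now):
        """Record a failed login; return True if the account is now locked."""
        if self.is_locked(account, now):
            return True
        window = self._failures[account]
        window.append(now)
        # Drop failures that have aged out of the tracking timeframe.
        while window and now - window[0] > self.policy.window_seconds:
            window.popleft()
        if len(window) >= self.policy.max_attempts:
            self._locked_until[account] = now + self.policy.lockout_seconds
            return True
        return False

    def record_success(self, account, now):
        """A successful login resets the counter; ignored while locked."""
        if self.is_locked(account, now):
            return False
        self._failures.pop(account, None)
        return True


def simulate():
    """Constructed timeline in seconds: 3 attempts / 60 s window / 120 s lock."""
    tracker = LockoutTracker(LockoutPolicy(3, 60, 120))
    return [
        tracker.record_failure("alice", 0),    # 1 failure in window
        tracker.record_failure("alice", 50),   # 2 failures in window
        tracker.record_failure("alice", 100),  # failure at t=0 aged out: still 2
        tracker.record_failure("alice", 105),  # 3 within 60 s: locked until 225
        tracker.is_locked("alice", 200),       # still inside the lockout
        tracker.is_locked("alice", 225),       # lockout duration elapsed
    ]


if __name__ == "__main__":
    print(simulate())
```

The third attempt at t=100 does not trigger the lock because the first failure has already left the tracking window, which is the behaviour the timeframe setting controls.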

Other changes
- Tidied settings up by making their structure more clear
- Added automatic retrieval of email and name from single sign-on systems (SSO)
- Added settings for automatic clearing of sessions, notifications and background tasks
- Added the ability to enable a system banner that will be visible to all Passwork users. You can use it for important notifications, alerts or instructions
- Added an ability to choose a time zone and date & time format
- Updated filters in key sections for faster and simpler search
Upgrading to Passwork 7
To upgrade to version 7.0, you’ll need to update your Passwork to version 6.5, migrate your data, and confirm this in the customer portal. Upgrade instructions can be found here.



Passwork 7 release

Kindernothilfe (KNH) is a German non-profit organization dedicated to supporting vulnerable children in impoverished and underprivileged regions worldwide. Founded in 1959, it has made significant contributions as one of Europe’s largest charities dedicated to child aid. Operating in over 30 countries, Kindernothilfe emphasizes the importance of ensuring children’s rights and providing access to education, healthcare, child protection, and community development initiatives, all aimed at enhancing children’s living conditions and eradicating poverty.

Location: Duisburg, Germany
Industry: Nonprofit organization
Company size: Over 300 employees in more than 30 countries
Passwork license type: 500 users
The challenge: Finding a secure and user-friendly solution for global teams
Before choosing Passwork, Kindernothilfe relied on KeePass, a solution that limited scalability and lacked user-friendly features essential for a globally operating organization. With over 300 employees across more than 30 countries, the organization required a secure, scalable, and intuitive password management solution.

Doing so was crucial to meet the growing demands of its international team, especially for enhancing password sharing and access management capabilities for remote employees.
The solution: Switching to Passwork for improved security and simplified user access
Kindernothilfe opted for Passwork for its robust self-hosting capabilities, ensuring optimal data control and security. The seamless integration with SAML2 for Single Sign-On (SSO) streamlined access management across multiple platforms.
Furthermore, Passwork’s intuitive interface, along with its mobile app and browser extension, made it possible to manage passwords effortlessly from any device. The secure password-sharing features enhanced team collaboration, significantly reducing human error and improving overall security protocols.
The implementation: Gradual rollout and building a secure infrastructure
The implementation process took approximately two months. It was primarily focused on establishing and thoroughly testing the infrastructure to ensure Passwork met Kindernothilfe’s security requirements. The integration of SAML2 for Single Sign-On (SSO) was smooth and completed within a short timeframe.
To facilitate the successful implementation of Passwork, Kindernothilfe opted for a phased rollout rather than deploying the password management solution organization-wide all at once. They began with a smaller group of employees to showcase the benefits of the system and gradually promoted its use.

While organizing various promotional and educational activities, such as “Lunch and Learn” events, the organization encouraged employees to engage with Passwork. The goal was to achieve the point where at least 50% of the staff actively used Passwork before expanding the system to the entire organization.
The results: Increasing operational efficiency for cross-border teams
Currently, approximately 50% of the staff are actively using Passwork—a centralized, secure, and user-friendly solution for password sharing. This incremental approach not only ensured higher user engagement but also significantly strengthened security protocols across the organization.

By improving password management processes, Kindernothilfe increased its overall operational efficiency, especially for cross-border teams. Educational initiatives, such as “Lunch and Learn” sessions, were instrumental in raising awareness about Passwork and facilitating its successful adoption throughout the organization.



Kindernothilfe: Simplifying global employee collaboration with Passwork

Cybersecurity — as complex as it sounds — is an essential concept that we all need to be aware of in this day and age. Computers, phones, and smart devices have become an extension of our bodies at this point, which makes their security paramount. From your family photos to your bank details and social media handles, everything lives inside these devices. That’s why a security breach could have potentially life-changing consequences. With viruses and malware getting more advanced than ever, it’s no longer just a programmer’s job to care about cybersecurity. Every user should have at least a basic understanding of it to be able to apply it to their devices.
But, most of us aren’t too tech-savvy, so we can’t even understand the most basic computer terms. That’s why the first step is to get familiar with cybersecurity jargon so that you can easily grasp and follow tutorials online. In this article, we’re covering some of the most common cybersecurity terms and phrases. We’ve handpicked the most important ones, so read till the end and don’t miss any. Let’s get into it!
Phishing
Phishing is a malicious way to get unsuspecting users to click on shady links or attachments, or get them to reveal sensitive information by posing as a legitimate organization or business. Some attempts can be spotted more easily than others, depending on how sophisticated the setup is and on the user’s level of awareness.
Trojan
Sometimes, harmful code can be disguised as a legitimate program, application, or file, which is called a Trojan.
Keylogger
A keylogger is a software tool that can monitor and record all keystrokes entered by a user. Through the data gathered by a keylogger, hackers can easily steal sensitive information like login details, credentials, OTPs (one-time passwords), private texts, and much more.
Account hijacking
Account hijacking is where a hacker takes control of a user’s account with malicious intent like stealing sensitive information or sharing problematic content through their platform. You could see it as a form of online identity theft, making it one of the biggest cybersecurity threats faced by celebrities and influential personalities.
DevSecOps
DevSecOps may seem like gibberish at first glance, but it’s a combination of the words “development,” “security,” and “operations.”
The combined term refers to a software development approach that integrates security solutions into the development process right from the get-go. It’s ideal because, with cybersecurity threats, prevention really is better than cure.
Digital footprint
As an online user, anything you do online creates a “footprint” consisting of your activities on the internet. For instance, what you post, what you like, the purchases you make, or simply the web pages you browse through. That’s your digital footprint.
Cyber insurance
It’s a type of insurance that helps large organizations cover the risk of financial losses that may occur as a result of data breaches or cyberattacks.
Threat vector
Hackers or cyber attackers use a certain method or path to get into their target device, network, or system, referred to as the “threat vector.”
IP address
An Internet Protocol (IP) address consists of a series of numbers associated with WiFi routers, servers, computers, and just about anything that’s connected to the Internet. Just like your standard home address, an IP address specifies the location of a system or device, letting users find it anywhere on the global network.
Malware
Malware is one of the most common words used within the cybersecurity space. It’s short for “malicious software,” and can be any code that’s meant to cause harm to systems or computers. Depending on how dangerous it is, it can steal, delete, and spy on information, or even destroy a system altogether.
Virus
A computer virus is a specific type of malware that’s designed to corrupt, change, or delete information from a system. Like viral diseases, a computer virus also passes on to other systems through built-in replication mechanisms, such as sending out emails with the malware attached.
Antivirus software
Antivirus software, as the name suggests, is a computer program that’s responsible for preventing, detecting, and getting rid of malware. Getting a strong antivirus service for your Mac or Windows PC is the most important step you can take to reinforce your cybersecurity defenses as an average user.
VPN
Most of us already know or use VPNs without ever knowing what the term stands for. It’s an acronym for “Virtual Private Network,” whereby the user’s actual IP address gets replaced by the VPN’s — granting them digital anonymity and making a cyber attacker’s life much harder.
Cryptojacking
Cryptojacking is another modern threat for unsuspecting users where hackers can start using your computer’s processing power to mine cryptocurrency in an unauthorized manner. This slows down performance and starts jacking up your utility bills while the user has no clue.
Data encryption
Data encryption is the process of encoding data such that no third party can access it unless they have a decryption key.
Data protection
Data protection is an umbrella term that consists of many different practices designed to prevent private info from getting exposed to the wrong eyes. Data encryption, for instance, is one of the examples of data protection.
DDoS attacks
Distributed Denial of Service (DDoS) is a method used by attackers to render a server or site unusable. It involves overwhelming it with bots or malicious traffic in volumes that are way over the capacity it’s meant to handle.
Worm
A worm is a particularly nasty type of malware that can reproduce itself just to spread to other networks and computers. They can either slow down the computer by compromising its resources or steal data.
Conclusion
Now that you know some of the most commonly used cybersecurity jargon, you can hopefully start to educate yourself on this crucial topic. This vocabulary should allow you to comprehend basic cybersecurity tutorials to perform regular tasks like installing an antivirus program, performing a scan, and quarantining or removing threats from your computer. All the best!



Comprehensive guide: Cybersecurity vocabulary – terms and phrases you need to know

When employees find the standard security measures of their organization frustrating and annoying, the risk of internal threats increases. For example, a recent Gartner report said 69% of employees ignore cybersecurity recommendations within their organization. This doesn’t mean they do it on purpose to spite management. More often, it means they just want to get on with their job without distractions, and see security as a hassle and a waste of time.
Can security be pleasant?
Passwords are a classic example of the clash between cybersecurity and user experience. The average office worker has up to 190 different login and password combinations. Naturally, remembering that many and matching them to the services is impossible.
61% of employees admit to reusing passwords as a way to cope with this. At the same time, most are aware that this is a security risk for the company. So, how can IT departments improve password security in their organizations, when users are already burdened with these digital security measures and have chosen convenience and speed over security?
While many tech giants are promoting passwordless access technologies, unfortunately for most organizations eliminating passwords is not an option. That's why it's super important to choose the best security methods that can provide a pleasant user experience. Below, we'll look at four ways to engage end-users in more responsible password habits in a way they might even enjoy.
Key phrases for strong and memorable passwords
Hackers use brute force to quickly try many different options in a row to crack a specific account's password. They often combine these methods with dictionaries of known vulnerable passwords, including sequential passwords like "qwerty" or "123456," which users often use. Shorter and less complex passwords are much more vulnerable to this method of attack, so the advice is to create longer and more complex passwords.
Of course, this is a pain for users, who now have to remember many long and complex passwords, ideally 15 characters and above. One way to simplify this task is to suggest using key phrases instead of traditional passwords.
A key phrase is 3 or more random words strung together, for example, "Pig-Lion-Window-Night." At first glance, this password looks simple and insecure, but it has 19 characters, special characters and capital letters. That’s enough to make brute force attempts take a long time. If a few more special characters or numbers are added, one can confidently say hackers have no chance of success. The main thing is to use words that are not related to the company activities or the personal data of a specific user.
Overall, key phrases are a great way for endpoint users to create longer and more complex passwords without increasing their cognitive load.
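
The strength of a key phrase comes from how the words are chosen, which the following added example (not code from the original article) makes measurable: it draws words with a cryptographic random source and computes the resulting entropy. The 32-word `SAMPLE_WORDS` list is constructed for illustration only, and the function names are hypothetical.

```python
import math
import secrets

# Constructed 32-word sample list, for illustration only. A real deployment
# would draw from a large list such as EFF's 7,776-word diceware list.
SAMPLE_WORDS = [
    "pig", "lion", "window", "night", "river", "candle", "marble", "orbit",
    "tunnel", "garden", "copper", "island", "velvet", "anchor", "meadow",
    "pepper", "lantern", "harbor", "saddle", "thunder", "cactus", "ribbon",
    "falcon", "pillow", "glacier", "hammer", "walnut", "bridge", "comet",
    "puzzle", "timber", "violin",
]


def generate_passphrase(n_words=4, words=SAMPLE_WORDS, sep="-"):
    """Join n_words uniformly random words, capitalised, with a separator."""
    if n_words < 3:
        raise ValueError("use at least 3 words")
    # secrets.choice uses the OS CSPRNG; random.choice is not suitable here.
    return sep.join(secrets.choice(words).capitalize() for _ in range(n_words))


def passphrase_entropy_bits(n_words, wordlist_size):
    """Entropy when every word is drawn independently and uniformly.

    Capitalisation and separators add nothing if they follow a fixed
    pattern, so only the word count and list size matter.
    """
    return n_words * math.log2(wordlist_size)


def words_needed(target_bits, wordlist_size):
    """Smallest word count that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


if __name__ == "__main__":
    print(generate_passphrase())
    # Same word count, very different strength depending on list size:
    print(passphrase_entropy_bits(4, len(SAMPLE_WORDS)))  # tiny sample list
    print(passphrase_entropy_bits(4, 7776))                # diceware-sized list
    print(words_needed(64, 7776))
```

Words picked by a person rather than at random do not reach these figures, which is why the generator, not the user, should choose them.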
Recommendations and feedback
Asking an employee to create a new password makes them feel like all the knowledge has left their head and they will go into a long thought process that can take hours. "What password should I create that is both easy and secure?" the user will think.
It's very important to be in touch with colleagues during this difficult moment: to give clear recommendations and answer questions. No one should feel like they are left to their own devices when taking steps that directly affect the security of the whole organization. Ideally, of course, an exhaustive memo with all recommendations and examples should be created so the password creation process is quick and painless. But even such memos often don't cover all the needs and questions of users.
Providing dynamic feedback during password creation is not only a learning opportunity for the user but also an instant check to see if the password meets the security policy. By consulting with an IT specialist, employees can see in real time if their new password complies with the company policy and if not, why, and quickly correct it.
Password expiration based on length
No one likes it when work is stalled because of the need to change a password. Sometimes this comes too soon and even bothers the most diligent employees who take security very seriously. But using passwords with an infinite validity period is simply not acceptable in today's reality, as such passwords open many doors for clever hackers. That's why the regular changing of passwords is so widely used by many organizations.
But why not turn the potentially negative user experience of forced password change into an opportunity?
Password expiration based on its length gives end-users a choice. They can create a simple and easy password that only partially meets the organization's requirements, but they will have to change it again, for example, in 90 days. Or they can extend the length of the password and not touch this issue for as long as possible, for example, the next 180 days.
Instead of all employees facing a forced password reset every 90 days, a flexible validity period based on its length rewards users who create longer and safer passwords. This is the best balance between security and usability.
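
One way to combine the dynamic feedback and the length-based expiration described above is sketched below as an added example, not any product's implementation. The length tiers, the small constructed denylist and the `context_words` parameter are assumptions chosen to match the 90-day and 180-day figures and the advice in the text.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed tiers: (minimum length, validity in days), longest first.
EXPIRY_TIERS = [(15, 180), (10, 90)]
MIN_LENGTH = EXPIRY_TIERS[-1][0]

# Constructed denylist sample; the text names "qwerty" and "123456".
COMMON_PASSWORDS = {"qwerty", "123456", "password", "letmein"}

# Alphabet, digits and keyboard rows used to spot sequential passwords.
SEQUENCES = ["abcdefghijklmnopqrstuvwxyz", "0123456789",
             "qwertyuiop", "asdfghjkl", "zxcvbnm"]


@dataclass
class Verdict:
    accepted: bool
    expires_in_days: Optional[int]
    feedback: list = field(default_factory=list)


def has_sequence(password, run=4):
    """True if any `run` consecutive characters repeat or follow a sequence."""
    lowered = password.lower()
    for i in range(len(lowered) - run + 1):
        chunk = lowered[i:i + run]
        if len(set(chunk)) == 1:
            return True
        if any(chunk in seq or chunk in seq[::-1] for seq in SEQUENCES):
            return True
    return False


def evaluate(password, context_words=()):
    """Return every reason for rejection at once, or the validity period."""
    feedback = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        feedback.append(
            f"Too short: {len(password)} characters, minimum is {MIN_LENGTH}.")
    if lowered in COMMON_PASSWORDS:
        feedback.append("This is on the list of commonly used passwords.")
    if has_sequence(password):
        feedback.append("Avoid keyboard or numeric sequences and repeats.")
    # context_words: company name, user name and similar (assumed input).
    for word in context_words:
        if len(word) >= 3 and word.lower() in lowered:
            feedback.append(f"Do not include '{word}': it relates to you "
                            "or the company.")
    if feedback:
        return Verdict(False, None, feedback)

    days = next(d for min_len, d in EXPIRY_TIERS if len(password) >= min_len)
    top_len, top_days = EXPIRY_TIERS[0]
    if days < top_days:
        feedback.append(
            f"Accepted for {days} days. Add {top_len - len(password)} more "
            f"characters to extend this to {top_days} days.")
    else:
        feedback.append(f"Accepted for {days} days.")
    return Verdict(True, days, feedback)


if __name__ == "__main__":
    for candidate in ["qwerty", "Tunnel-Comet7", "Pig-Lion-Window-Night"]:
        print(candidate, evaluate(candidate))
```

Returning all reasons in one pass, together with the number of characters needed for the longer validity period, is what turns the check into feedback the user can act on while typing.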
Continuous monitoring of compromised passwords
The methods discussed above are quite effective in helping end-users create more reliable passwords and provide them with more transparency and understanding of their organization's security policies. But even reliable passwords can be compromised. And it's impossible to be 100% sure that company employees aren't using the same passwords to log in to several services at once. That's why it's necessary to have a way to detect compromised passwords and block potential attack routes.
Many security solutions can periodically check user passwords against leaked lists of compromised credentials, but these solutions are not perfect, as monitoring is not real-time. The optimal solution would be to choose a security solution that continuously scans passwords for leaks and notifies the administrator, or even automatically resets the password to not give hackers a second for potential compromise. The market is full of information security solutions, so finding a product with such a feature should not be difficult.
Conclusion
Passwords don’t have to be frustrating. As we have seen above, by choosing the right approach between IT and users this problem will disappear on its own.
With Passwork this problem disappears. It helps to organize and store your passwords, making the process more manageable and secure. Key password phrases, feedback during password reset, length-based expiration and continuous scanning for compromised passwords are great solutions that can boost any organization’s security.



Four ways to make users love password security

In Passwork 6.4, we have introduced a number of changes which enhance our browser extension security, make user permissions settings more flexible, and improve the logging of settings-related changes:
- Mandatory extension PIN code
- Logging of all changes related to settings
- User access to history of actions with passwords
- Automatic updating of LDAP group lists
Mandatory extension PIN code
With the new setting ‘Mandatory PIN code in extension’, administrators can set a mandatory browser extension PIN code for all users, minimizing potential unauthorized access. Once enabled, users who have not yet set a PIN code will be prompted to do so upon their next login to the extension. Users will be able to configure their auto-lock timeout and change the PIN code, but they cannot disable these functions.

Logging of all changes related to settings
Now all changes in the Account settings, User management, LDAP settings, SSO settings, License info, and Background tasks are displayed in the Activity log.

History of actions with passwords
The new setting ‘Who can view the history of actions with passwords’ makes it possible for vault administrators to let other users view password history, password editions, and receive notifications related to their changes. Previously, these features were available only to vault administrators.

Automatic updating of LDAP group lists
Automatic updating of LDAP group lists can now be configured on the Groups tab in the LDAP settings. The update is performed through background tasks with a selected time interval.

Other improvements
- Added pop-up notifications when exporting data or moving data to the Bin
- Improved display of dropdown lists on the Activity log page
- Changed time display format of the ‘Automatic logout when inactive’ and ‘Maximum lifetime of the session when inactive’ settings
- Replaced the Enabled / Disabled dropdown lists on the System settings and LDAP settings pages with toggles
- Increased minimum length of generated passwords to six characters
Bug fixes
- Fixed an issue in the Password generator where selected characters were sometimes missing in the generated password
- Fixed an issue where local users could not independently recover their account password when an LDAP server was enabled
- Fixed an issue where local users could not register in Passwork when an LDAP server was enabled
- Fixed an issue where shortcuts were not displayed in the new vault after a folder with shortcuts was moved to another vault
- Fixed an issue that occurred when trying to move a shortcut found in search results without opening any vaults right after logging into Passwork
- Fixed an issue that occurred when trying to copy a password found in search results without opening any vaults right after logging into Passwork
- Fixed an issue that occurred when a password was sent to another user and remained on the recipient's Recents and Starred pages after the initial password was moved to the Bin
- Fixed the value in the time field for the ‘API key rotation period (in hours)’ setting which was reset to zero after disabling it
- Fixed incorrect event logging in the Activity log after changing folder permissions
- Fixed incorrect text notification about assigning access rights to a user through a role
- Fixed incorrect tooltip text when hovering over the username of a recently created user
- Fixed incorrect display of long invitation titles
- Removed the local registration page when the LDAP server is enabled



Passwork 6.4

In Passwork 6.3, we have implemented numerous changes that significantly improve organization management efficiency, provide more flexible user permission settings, and increase security:
- Administrative rights
- Hidden vaults
- Improved private vaults
- Improved settings interface
Administrative rights
Available with the Advanced license
Now there is no need to make users administrators in order to grant them specific administrative rights. This option is a response to one of the most frequent requests from our customers.
Administrators can grant only those rights or permissions that are necessary for users to fulfill their duties and flexibly customize access to settings sections and manage Passwork. For instance, you can grant employees the right to create and edit new users, view the history of user activity, track settings changes, while restricting access to organization vaults and System settings.
You can configure additional rights on the Administrative rights tab in User management. There are four settings sections to flexibly customize Passwork for your business:
General
In this section, you can grant users access rights to manage all existing and new organization vaults, view the history of actions with settings and users, access license info and upload license keys, view and modify the parameters of SSO settings and Background tasks.

User management
In this section, you can grant users access rights to view and modify User management parameters. This includes performing any necessary actions with users and roles, such as creating, deleting, and editing users, changing their authorization type and sending invitations.

System settings
In this section of settings, you can grant users the right to view and modify specific groups of System settings.

LDAP settings
In this section, you can grant users the right to view and modify LDAP parameters which include adding and deleting servers, registering new users, managing group lists, viewing and configuring synchronization settings.

Activity log
The event of changing user administrative rights has been added to the Activity log. All changes are now recorded in the Activity log, including the users who initiated them and each modified setting with its previous and current values.

Interface improvements
Users with additional administrative rights are marked with a special icon next to their user status.

Some items remain unavailable until the necessary settings have been activated. When hovering your cursor over such items, a tooltip with information regarding dependent settings will be displayed.

Hidden vaults
In the previous versions of Passwork only organization administrators were able to hide vaults. Also, only organization vaults could be hidden. In this new version, all users can hide any vaults. Hiding makes vaults invisible only to the users who choose to do it and does not affect others.

Hidden vault management is now carried out in a new window, which is available directly from the list of vaults. You can view the list of all available vaults and customize their visibility there.

Private vault improvements
Displaying private vaults in User management
Besides hiding private vaults, employees with User management access can now see all vaults which they administer (including private vaults). The new feature which makes it possible to add users to private vaults has also been added to User management.

Logging of events in private vaults
Private vault administrators can view all events related to their vaults in the Activity log.
Other changes
- Fixed an issue which prevented users from changing their temporary master password
- Fixed an issue which prevented users from setting the minimum length for authorization and master passwords
- Fixed an issue in User management which made administrator self-deletion possible
- Minor improvements to the settings interface



Introducing Passwork 6.3

In Passwork 6.2 we have introduced a range of features aimed at enhancing your security and convenience:
- Bin
- Protection against accidental removal of vault
- Protection against 2FA brute force
- Accelerated synchronization with LDAP
- Improved API settings
- Bug fixes in role management
Bin
Now, when deleting folders and passwords, they will be moved to the Bin. If needed, they can be restored while preserving previously set access permissions. Vaults are deleted without being moved to the Bin — they can only be restored from a backup.
Who can view deleted passwords and folders in the Bin?
Inside the Bin, users can see the deleted items from those vaults in which they are administrators. For instance, an employee who is not an administrator of organization vaults will only see the deleted passwords and folders from his personal vaults when opening the Bin.
In addition to object names, the Bin also displays the usernames of people who deleted data. You can also see the initial directory name and the deletion date.

Object restoration
Objects from the Bin can be restored to their initial directory if it has not been deleted or moved. Alternatively, you can choose any other directory where you have edit and higher access levels.
When restoring deleted folders to their initial directories, user and role access levels will also be restored exactly as they were previously manually set in these folders. Other access permissions will be set based on the current permissions in the initial directory.
When restoring folders to a directory different from the initial, access levels will always depend on the current permissions in the selected directory.

Additional access to deleted passwords
If passwords have been shared with users, moving them to the Bin will remove them from the “Inbox” section, and any shortcuts or links to these passwords will become nonfunctional.

Restoring additional access
When restoring from the Bin, it is possible to regain additional access levels to passwords. Passwords that were shared with users will reappear in their “Inbox” section, access to passwords through shortcuts will be restored, and links that have not expired will become functional again.

Bin cleanup
You can delete selected items from the Bin or use the "Empty Bin" button to remove all items contained inside.
It's important to note that in the Bin you only see the items which were deleted from the vaults where you are an administrator. Objects from other vaults are not visible, and clearing the Bin will not affect them.
In future, the option to configure automatic Bin cleanup will be added.

Protection against accidental removal of vault
To confirm the deletion of a vault, you now need to enter its name. It will be permanently deleted along with all the data inside. Additionally, if there are passwords or folders from this vault in the Bin, they will also be removed.

Protection against 2FA brute force
Protection against 2FA brute-force attacks has been added. After several incorrect attempts to enter the 2FA code, the user will be temporarily locked. The number of attempts, input intervals, and the lockout time are set in the config.ini file.
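The lockout behaviour described above, as an added example that is not Passwork's code: a per-user guard driven by the three values the text names (number of attempts, input interval, lockout time). The class and parameter names are hypothetical and are not the keys used in config.ini; the attempt timeline is constructed.

```python
import hmac
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    # Hypothetical parameter names; not Passwork's config.ini keys.
    max_attempts: int = 5       # failed codes tolerated inside the window
    window_seconds: int = 300   # interval over which failures are counted
    lockout_seconds: int = 900  # length of the temporary lock


@dataclass
class TwoFactorGuard:
    policy: LockoutPolicy
    failures: dict = field(default_factory=dict)      # user -> failure timestamps
    locked_until: dict = field(default_factory=dict)  # user -> unlock timestamp

    def verify(self, user: str, submitted: str, expected: str, now: float) -> str:
        """Return 'ok', 'denied' or 'locked' for one attempt made at time `now`."""
        if now < self.locked_until.get(user, 0):
            return "locked"  # codes are not even compared while the lock holds
        if hmac.compare_digest(submitted, expected):
            self.failures.pop(user, None)
            return "ok"
        recent = [t for t in self.failures.get(user, [])
                  if now - t < self.policy.window_seconds]
        recent.append(now)
        if len(recent) >= self.policy.max_attempts:
            self.locked_until[user] = now + self.policy.lockout_seconds
            self.failures.pop(user, None)
            return "locked"
        self.failures[user] = recent
        return "denied"


def replay(policy, expected, attempts):
    """Run constructed (time, code) attempts for one user and collect outcomes."""
    guard = TwoFactorGuard(policy)
    return [guard.verify("alice", code, expected, t) for t, code in attempts]


# Constructed timeline: three wrong codes, then the right one during and after the lock.
CONSTRUCTED_ATTEMPTS = [(0, "000000"), (10, "000001"), (20, "000002"),
                        (30, "123456"), (620, "123456")]

if __name__ == "__main__":
    print(replay(LockoutPolicy(3, 60, 600), "123456", CONSTRUCTED_ATTEMPTS))
```

The fourth attempt carries the correct code and is still refused: a lock that accepted valid codes would not slow a guesser down at all.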
Other changes
- LDAP synchronization has been accelerated
- Descriptions of parameters and minimum allowable values for API token expiration time and API refresh token expiration time have been added to the API settings section
- Automatic assignment of "Navigation" to parent folders in role management has been fixed
- The issue where a vault administrator could not add roles to a vault and manage its permissions has been fixed
- The issue with showing additional access rights to passwords when moved to another vault has been fixed
































