- Added logging of System settings changes
- Removed external links from email notifications
- Added tooltip in Email service settings indicating that the password has already been saved in the database
- Added tooltip in the hidden vault header indicating that the vault is hidden
- Updated icons in the vault menu
- Fixed issue when nested folders were still visible in the vault list after hiding their parent vault
- Fixed issue when deleted passwords from the hidden vaults did not appear in the Bin
- Fixed issue when hidden vault couldn’t be made visible through the vault menu
- Fixed issue when open password was not closed while being moved to another directory
- Released security patches
In this new version, we have added a feature which makes it possible to grant ordinary users some administrative rights without making them administrators. This option is a response to one of the most frequent requests from our customers. Additionally, we have revamped the hiding of vaults and expanded the features of private vaults.
Administrative rights (Available with the Advanced license)
In this new version, there is no need to make users administrators in order to provide access to specific settings or User management. Now, you can grant users only certain administrative rights and flexibly customize the sections which they can access and modify.
For example, you can allow employees to create new users, view the history of user actions, and track settings changes, while restricting their access to organization vaults and System settings.
In previous versions of Passwork, only organization administrators were able to hide vaults, and only organization vaults could be hidden. In this new version, all users can hide any vault. Hiding makes a vault invisible only to the user who chooses to hide it and does not affect others.
Private vault improvements
Besides hiding private vaults, employees with User management access can now see all vaults which they administer (including private vaults). Private vault administrators can view all events related to their vaults in the Activity log.
- Added logging of changes in the Administrative rights section
- Fixed an issue which prevented users from changing their temporary master password
- Fixed an issue which prevented users from setting the minimum length for authorization and master passwords
- Fixed an issue in User management which made user self-deletion possible
- Minor improvements to the settings interface
- Added the option which makes it possible to select a type of authorization for new users from LDAP / AD in the synchronization settings
- Added the event of password import to Syslog
- Fixed incorrect display of the LDAP user list on the Users tab when mapping a role to a group and performing synchronization in the test mode
- Fixed an issue with the Angular Tooltip directive
- Fixed an issue where some special characters were not accepted when changing the authorization password
- Improved overall system performance
This new version introduces the Bin – deleted folders and passwords can now be easily restored. Additional protection from accidental vault deletion and brute force attacks on 2FA has been added, LDAP synchronization has been accelerated, API settings have been improved, and role management errors have been fixed.
- In the Bin, users can view only deleted items from those vaults where they are administrators
- When restoring deleted folders to their initial directories, user access rights and roles from those folders will also be restored
- If passwords have been sent to users, they will disappear from their “Inbox” when moved to the Bin, and the associated links and shortcuts to these passwords will become invalid
- When restored from the Bin, additional access rights to passwords can be restored as well – they will reappear in the “Inbox” section, and all associated links and shortcuts will become valid again
- Vaults are deleted without being moved to the Bin
Protection against accidental removal of vault
Now, to confirm the deletion of a vault, its name must be entered. The vault will be permanently deleted along with all the data contained in it.
Protection against 2FA brute force
Protection against 2FA brute force has been added – after several attempts of entering incorrect 2FA codes, the user will be temporarily blocked. The number of attempts, input interval, and block time are set in the config.ini file.
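How the three parameters named above interact, as an added example that is not Passwork's own code. The class, its parameter names and the values are hypothetical and do not correspond to actual config.ini keys.

```python
import time
from collections import defaultdict, deque


class TwoFactorLockout:
    """Per-user limiter for failed 2FA codes (hypothetical names, not Passwork's)."""

    def __init__(self, max_attempts=5, interval=300, block_time=900,
                 clock=time.monotonic):
        self.max_attempts = max_attempts  # failures tolerated inside the interval
        self.interval = interval          # seconds over which failures are counted
        self.block_time = block_time      # seconds the user stays blocked
        self.clock = clock                # injectable so the logic can be tested
        self._failures = defaultdict(deque)  # user -> timestamps of recent failures
        self._blocked_until = {}             # user -> time at which the block ends

    def is_blocked(self, user):
        until = self._blocked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:
            del self._blocked_until[user]  # block has expired
            return False
        return True

    def verify(self, user, code_is_valid):
        """Return 'ok', 'invalid' or 'blocked' for one 2FA attempt."""
        if self.is_blocked(user):
            # Even a correct code is refused during a block; otherwise the
            # block would not slow down guessing at all.
            return "blocked"
        if code_is_valid:
            self._failures.pop(user, None)  # success clears the failure history
            return "ok"
        now = self.clock()
        recent = self._failures[user]
        recent.append(now)
        while recent and now - recent[0] > self.interval:
            recent.popleft()  # forget failures older than the interval
        if len(recent) >= self.max_attempts:
            self._blocked_until[user] = now + self.block_time
            recent.clear()
            return "blocked"
        return "invalid"
```

Counters are kept per user, so one account being blocked does not affect logins for others.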
- LDAP synchronization has been accelerated
- Descriptions of parameters and minimum allowed values for API token expiration time and API refresh token expiration time have been added to the API settings section
- Automatic assignment of “Navigation” to parent folders in role management has been fixed
- The issue when a vault administrator could not add roles to a vault and manage their permissions has been fixed
- The issue with showing additional access rights to passwords when moved to another vault has been fixed
The new version includes several important changes in system settings, user management, LDAP, and SSO.
- Added setting "Who can create and manage administrators". Now an owner can prohibit organization administrators from managing other administrators. When restricted, administrators cannot create new ones, deactivate, edit, or reset other administrators' passwords
- Added setting "Allow saving master password in browser". It allows configuring the requirement to enter the master password every time a Passwork tab in the browser is refreshed (if the master password mode is enabled)
- Added policies for authorization and master passwords. Now administrators can configure requirements for authorization and master passwords set by users. Configurable options include minimum length, mandatory use of uppercase letters, numbers, and special characters. The password requirements are displayed on registration and password change pages
- Added the choice of authorization type. Administrators can now configure authorization types for each user in the "User Management" section: local password, domain password, and SSO
- Added the ability to exclude users from LDAP synchronization — roles and deactivation won't apply to them
- When an administrator resets the authorization or master password, a temporary password will be generated — users will need to change it upon login
- Increased complexity of temporary passwords
- Added the ability to reset 2FA separately from resetting an authorization password
- When resetting the master password, active user sessions will also be reset
- Changing the status can now only be done from a specific user's page
- Added the ability to mass change authorization type and LDAP synchronization
- Added filters for authorization types and LDAP synchronization
- Added icons for authorization types
- Changed the order of user settings
SSO, LDAP, licensing, and more
- Added support for 2FA during SSO authorization
- Added setting "Log out from IdP when user logs out from Passwork" on the SSO settings page
- Removed global enabling/disabling of LDAP — now it's enough to activate the necessary AD server
- Added an icon indicating LDAP synchronization for servers
- Added Passwork lock to protect data when changing the server master key
- Added automatic cleaning of session collection in the database to limit its size
- Unverified users are no longer counted in the total number of users
Read more about the update — https://docs.passwork.pro/update-passwork-6-1
- TOTP codes now function in password links
- Versions of used client libraries have been updated
- Localization of meta tags has been implemented
- Modified error message when incorrect authorization occurs
- Outdated events have been removed from the “Action” filter in the activity history
- Added “User master password reset” event to the activity history
- The “Password deletion” event now correctly displays the password name in the recent user activity
- Redundant element removed from the “Authorization and 2FA” page for domain users
- Increased the length of authorization and master passwords to 15 characters when creating a new user
- Successful registration notifications are now sent when an administrator adds a new user
- Improved the interface of the import window and hid unnecessary items when there are no vaults in an organization
- Fixed an issue when creating a link through the mobile application added an empty “attached files” field
- Fixed an issue with passwords created via API with an empty cryptedKey field that couldn’t be opened in the web version
In this new version, we have added the ability to create shortcuts to passwords, improved integration with LDAP, expanded the list of administrator settings, and added support for additional fields when importing and exporting data, together with many other useful things.
Shortcuts are a new way to share passwords. No longer do you need to create copies of passwords in different directories. Instead, you can create shortcuts. When your original password is changed, all shortcuts associated with that password are automatically modified as well.
Depending on access rights, users can view or edit passwords via their shortcuts. Moreover, all that can be done without having access to the directory of the original password.
Sending passwords without granting "Partial Access" to vaults
"Partial Access" to vaults used to be automatically granted when sending passwords via "Inbox". Now, this access is directly linked to the sent password alone and no "Partial Access" to vaults is provided.
Administrators can clearly see which employees have access to certain vaults and which staff members have access only to specific passwords.
Redesigned LDAP settings interface and new features
- Enhanced addition of new users
- Independent setting of the master password by users upon their first login to the system
- Background update of user data from LDAP
- Special tags for deleted groups and role-associated groups
- Now it’s possible to configure permissions for specific access levels for creating links, shortcuts, and sending passwords
- Users can independently set auto-logout time
- You can set the maximum session lifetime for users during inactivity
- Users can select their preferred interface language
- We unified the visual style for all settings sections and improved the functionality of various parameters
- "Save" and "Cancel Changes" buttons in the system settings will prevent accidental actions
- Added support for additional fields during password import and export operations
- Enhanced drag and drop functionality - Passwork now offers the options to move, copy, or create a shortcut when dragging passwords and folders
- Notification for administrators about new unconfirmed users
Read more — passwork.pro/v6-release
To upgrade to version 6.0, you must first upgrade to version 5.4, complete the data migration process and confirm it on the Passwork customer portal. Upgrade instructions — passwork.pro/migration-v6-help
Improvements to security and bug fixes:
- increased the number of iterations of the PBKDF algorithm to 300,000
- increased the length of generated master keys for vaults
- implemented Content Security Policies (CSP) in HTML pages for better data protection
- added the feature to use an API refresh token to extend the main API session token
- added the use of an API refresh token in the browser extension and mobile app
- fixed the error related to the changing of the master password in the security panel
- increased overall performance and stability
These changes will be especially relevant if your Passwork uses the client-side encryption mode.
Before updating to Passwork 5.3.0, create a backup of your database to avoid possible data loss.
You can now easily install and update Passwork on Windows Server using our installer.
The installer contains all necessary components for Passwork to work properly, making it suitable for servers without any internet access.
Detailed instructions for using the installer can be found in the “Installation and Updates” section on your portal.
Single-use code login
You can now log in to your portal using a single-use code. You provide your email address → receive a code → enter it → access the portal.
The old method of authorization via magic links is no longer available.
Help center contact
You can now contact our help center directly from the portal.
We have made a number of interface adjustments and added the email display feature for each authorized user.