Our feedback on implementing passbolt

I am the security engineer at a medium-size hosting company. While looking for a password manager we came across passbolt. I fell in love with it: open source, built on PGP, and it’s secure even when the server gets hacked.

While implementing passbolt we came across a few hurdles and I thought I would share them with you.

Medium
• Ability to add people to a group while they have not yet created a private key. Notify the group admin to share the passwords when they actually create their key pair.
• Resend activation mail button

Low prio
• Compliance would really like it if we could change the requirements for the password strength on the cert.
• Allow a single password to be used in multiple URIs
• Ability to share multiple private passwords with a group in one action.
• Ability to copy the username/email in the main overview.
• The ability to hide/delete shared passwords from personal view

Now I understand that some of these are design choices and might never get implemented but I did want to share them with the passbolt team.

Hi @eddie4,

Thanks for your feedback, it’s really helpful for us to understand where the pain points are. Here are some thoughts below.

It’s secure even when the server gets hacked.

This is not exactly correct. If an attacker can modify the user/group data, they can trick somebody into sharing a password. They won’t have access to all passwords in clear right away, but if the attack is sustained for a long period of time potentially they could. We’ll do more to mitigate these types of risk scenarios this year (for example by introducing signatures to verify users and group members).

Ability to add people to a group while they have not yet created a private key. Notify the group admin to share the passwords when they actually create their key pair.

This is something we want to do and that has been requested by multiple users.

Resend activation mail button

In v2 we fixed this: you can resend an activation email by going to /recover, and you can receive the email even if you didn’t complete the setup.

Compliance would really like it if we could change the requirements for the password strength on the cert.

Could you explain how this would work a little bit more? Like you’d like to see the strength summary of each password? You would like to have a minimum password strength based on groups?

Allow a single password to be used in multiple URIs

This one I’m not understanding; can you explain a bit more?

Ability to share multiple private passwords with a group in one action.

This is something we want to do. As a user I want to select multiple records and perform a bulk action on these entries.

Ability to copy the username/email in the main overview.

This is possible using right click. You mean you want it to be one click?

The ability to hide/delete shared passwords from personal view

We were discussing this with @kevin the other day, we’ll update the filters at some point to allow this.

I would like to configure the minimum strength of the password used to secure the private key. The password you also enter each time you open passbolt or open a password.

So let’s say you have

All these websites are coupled via Active Directory and therefore have the same username and password. However, now when you update your password because you are required to by your admin, you need to update this record 3 times in passbolt. However, if you would only add your username and password once and add just the different URLs to it, you would only have to update it once.

We found that users don’t find out about the right click and want to select the username and copy paste it.

Also a big thanks to the passbolt team you guys are doing awesome work!

Thanks for the feedback it’s clear now!

@eddie4 those features you’re mentioning are exactly some of the features I also need and came across testing passbolt. Right now we only have some IT admins using it, but I have plans to let the other users in my organisation use it very soon.

One feature you didn’t mention, but could cause some problems in the organisation, is the amount of email notifications everyone gets when passwords are shared with them. Maybe this could be bundled in 1 notification mail or have the option to turn off notifications.

We decided to turn off notifications for password shares.

@eddie4 How did you do that, I haven’t found that option yet.

@remy I checked my app.php, but there is nothing in the config file about Email notification. Will this be possible if I add it myself?

Hi @maartenlubbers1 it depends on which version you are using. If you are using v2.0.0-RC you can redefine the email settings in config/passbolt.php, which is the go-to file to use when you want to override the default configuration.

Configuration names have changed with v2 but you can see the defaults in config/default.php

'passbolt' => [

        // Authentication & Authorisation.
        'auth' => [
            'tokenExpiry' => env('PASSBOLT_AUTH_TOKEN_EXPIRY', '3 days')
        ],

        // Email notification settings.
        // Email delivery settings such as credentials are in app.php.
        'email' => [
            // Allow to disable displaying the armored secret in the email.
            // WARNING: make sure you have backups in place if you disable these.
            // See. https://www.passbolt.com/help/tech/backup
            'show' => [
                'comment' => filter_var(env('PASSBOLT_EMAIL_SHOW_COMMENT', true), FILTER_VALIDATE_BOOLEAN),
                'description' => filter_var(env('PASSBOLT_EMAIL_SHOW_DESCRIPTION', true), FILTER_VALIDATE_BOOLEAN),
                'secret' => filter_var(env('PASSBOLT_EMAIL_SHOW_SECRET', true), FILTER_VALIDATE_BOOLEAN),
                'uri' => filter_var(env('PASSBOLT_EMAIL_SHOW_URI', true), FILTER_VALIDATE_BOOLEAN),
                'username' => filter_var(env('PASSBOLT_EMAIL_SHOW_USERNAME', true), FILTER_VALIDATE_BOOLEAN),
            ],
            // Choose which emails are sent system wide.
            'send' => [
                'comment' => [
                    'add' => filter_var(env('PASSBOLT_EMAIL_SEND_COMMENT_ADD', true), FILTER_VALIDATE_BOOLEAN)
                ],
                // ... further 'send' entries omitted from this excerpt
            ],
        ],
        // ... remaining passbolt settings omitted from this excerpt
    ],

As you can see you can also use environment variables to set these settings.
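As an added illustration (not code from the thread or from the passbolt project), here is what a config/passbolt.php override for v2.0.0-RC could look like, assuming, as described above, that this file is merged over config/default.php so only the keys being changed need to appear. The 'password' => ['share' => ...] key is an assumption based on the PASSBOLT_EMAIL_SEND_<RESOURCE>_<ACTION> naming pattern; it is not visible in the excerpt above.

```php
<?php
// Added example, not part of the passbolt project: config/passbolt.php override
// for v2.0.0-RC. Only keys that differ from config/default.php are listed here.
return [
    'passbolt' => [
        'email' => [
            // By default the armored secret, comment, description, URI and
            // username are all embedded in notification emails. Keeping the
            // secret out of mail servers and mailbox backups is the setting a
            // security team usually wants changed first; make sure server-side
            // backups exist before relying on it (see the warning in default.php).
            'show' => [
                'secret' => false,
            ],
            // By default every notification is sent. Switch off the ones that
            // flood users; the share notification is what this thread asks about.
            'send' => [
                'comment' => [
                    'add' => false,
                ],
                // ASSUMED key name (follows the naming pattern of the keys shown
                // in default.php). Check it against your own config/default.php
                // before depending on it.
                'password' => [
                    'share' => false,
                ],
            ],
        ],
    ],
];
```

The same two settings can instead be set as environment variables (PASSBOLT_EMAIL_SHOW_SECRET=false and PASSBOLT_EMAIL_SEND_COMMENT_ADD=false); note that in default.php the string "false" from the environment only becomes a real boolean because of the filter_var(..., FILTER_VALIDATE_BOOLEAN) wrapper, so keep that wrapper if you copy those lines into an override rather than writing plain true/false literals as above.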

I am still using V1.6.9, because I prefer the stable version for my active passbolt, so I will update that machine when V2.0.0 releases. I think I will create a testing passbolt machine with V2.0.0-RC to test this out.

+1 for the ability to have one username/password for multiple URIs. We have multiple applications that use LDAP so the username and password would be the same for these. I end up just having it once and just calling it “LDAP” since it’s what all would use. I haven’t yet really found any other password manager that would be able to do this.

We just imported our password database and we ran into performance issues like a brick wall.

We currently are on 2100 passwords and when the whole import is done we will likely be around 4000 passwords. Currently it takes 13 seconds for Chrome to load the password overview and 62 seconds for Firefox (gives warnings). The server is chilling and not doing much but the clients are on 70% CPU load.

I’m thinking that the plugin should perhaps get 50 passwords sorted on favorites and place the others on other pages.

info:
Passbolt version: 1.6.5
Client hardware: i5 7360U 16GB mem 1GBit connection to server
Server hardware: 2 xeon processing cores 4GB mem (600MB in use)

@eddie4 can you open a new issue for this? Also please specify the passbolt version you are using.