Pleasant Password Server
Pleasant Password Server™ is a simple and easy-to-use password management system compatible with KeePass and Password Safe. It provides for secure storage and retrieval of multi-user passwords from a central server database, and administrative control over user access to passwords and other secrets stored.
For more information about Password Server see our website: Pleasant Password Server
Have Questions? Contact Us!
A. Install or Upgrade
B. Server Configuration
C. Backup, Export, and Import Passwords
D. User Access Basics
E. Access Levels
F. Best Practices
H. SSO Server (Formerly Proxy Server)
I. LDAP & AD
J. User Administration
K. Language settings
L. Advanced Features
M. Programmatic Access
N. New Features in Version 7
X. Common Issues
W. Purchasing Password Server
Y. End User License Agreement
Z. Release Notes
Where do I download the latest version of Pleasant Password Server?
Download Pleasant Password Server
How do I update to the latest version?
Follow the upgrade instructions.
Do I need to back up any settings between versions?
All application settings are retained between versions, however changes made manually to the installation or configuration files should be saved where noted, for example, Upgrade steps.
Be sure to back up your Database, Connection string, and Encryption keys in case you need to return to an earlier version.
There are multiple ways:
- View the bottom-left corner of the web client (if this default option is enabled), or
- View the Version page in the web client (default location: https://localhost:10001/Version)
- View the version number reported whenever the Password Server service is started in the WebLogs.txt file.
Go to Help > About KeePass > View the Plugin Version for Pleasant Password Server. This version number can be compared in the version compatibility chart.
- The number near the top of this window is the "vanilla" KeePass version on which the KeePass Client is based.
Are there Video Tutorials?
Our website has videos with step-by-step tutorials for some of the major features of PPASS. These use previous versions of the application than the versions available for download now.
With the default installation, your data is encrypted using Advanced Encryption Standard (AES-256) as provided by the SQLite Encryption Extension.
Where is the encryption key stored?
The encryption key is stored with the Connection String in an encrypted Registry key. The actual key can be found at:
- HKLM\SOFTWARE\Pleasant Solutions\PasswordManager\ConnectionString
Since the encryption key is stored in an encrypted registry key, it can only be viewed using the Service Configuration utility.
Where are my passwords stored?
Your passwords are stored in a database. By default, an AES-256 encrypted SQLite database file is used. Additionally, passwords and other secure fields are obfuscated in the database.
Administrators can also configure Password Server to use another database type:
- Microsoft SQL Server 2008+
- PostgreSQL 9+
- Microsoft Azure SQL DB
Where is the database stored?
See the location here.
What is the password lifecycle?
There is no assumed password life cycle, as Pleasant Password Server (PPASS) simply stores your passwords. An expiry date for passwords can be set, but this serves only as documentation - PPASS cannot actually expire passwords for external services because it doesn't control those services.
The Password Expiry Report will show all passwords due to expire as of a specified date, and users with Enterprise or higher licenses can receive email notifications about pending expiries.
When and where are passwords decrypted?
When a password is requested by a client, the server retrieves it from the encrypted database, deobfuscates, and passes it back to the client via secure TLS connection. Passwords are retrieved when requested, they are not actually stored on the end workstation.
What are the active security measures of Password Server?
Any active security measures are implemented at the discretion of the organisation or sysadmin. To start, we recommend hosting on a VM. See Best Practices.
Can private user password lists be kept private from admin?
Yes, using block inheritance users can have private folders.
However, any admin that can access the database could theoretically decrypt the database and extract data. We recommend creating a super admin with full access and somewhat limited sub admin accounts that have less privileges and cannot surpass block inheritance set by users.
When creating a strong and secure password, it is important to choose a longer password or passphrase that will be unique. We recommend generating longer passwords or passphrases of 15 characters or more when possible.
For example, a personal passphrase login password can incorporate the first letters of a memorable sentence, or can include 4 or more unique words.
Just because a password contains multiple character sets (such as uppercase and lowercase alphabet, numbers, and symbol characters) does not make it sufficiently secure. Password hackers are aware of current password trends.
So complexity is of less importance than length, as a password of sufficient length can defeat a password cracker. Whereas complexity adds significant value only when the complexity is random or near-random.
Review this article for some good tips on creating secure passwords:
Can I access my passwords from an external program or a command line script?
Yes, this is possible using our RESTful API. With our API, you can have the same access to your credentials that you would have using either our web client or the KeePass client.
We also have the capability to export audit logs to an external application.
How can I hide the tabs in the web client?
To hide the SSO proxy server tab from users who are not yet logged in, check the "Hide the Proxy Server tab for users who are not logged in" checkbox in the Settings tab.
- To hide the SSO proxy server tab for users who are logged in, ensure that the roles to which the users belong are not granted the "Use Proxy Server" permission. The permissions for each role can be viewed and edited in the Users & Roles > Roles tab.
- You will then need to set the necessary checkboxes from TRUE to FALSE on ALL Access Levels:
To hide the Download Client tab from users who are not yet logged in, check the "Hide the Client Download tab for users who are not logged in" checkbox in the Settings tab.
- To hide the Download Client tab for users who are logged in, ensure that the roles to which the users belong are not granted the "View KeePass Download Instructions" permission. The permissions for each role can be viewed and edited in the Users & Roles > Roles tab.
Does KeePass for Pleasant Password Server use SSL?
Yes, in actuality it uses TLS. Communication is securely encrypted to and from Password Server using the most secure TLS protocols: see Use the Strongest Encryption in your environment.
Can I disable the export feature?
Yes, with the enforced config file feature. Read about Server Enforced Client Settings.
I can't connect using the iOS mobile client
In order to connect using the iOS client, you must install a third-party certificate.
Refer to the guide on Installing a 3rd Party Certificate.
The iOS version of the Password Server mobile client will not accept self-signed SSL certificates, which includes the default SSL certificate packaged with Password Server. This is due to iOS security restrictions.
How do I change the application timeout / session expiry?
The settings can be adjusted in the policy or in KeePass for Pleasant options. Read more details regarding Timeouts.
Have more questions? Contact Us!