Product Ideas Portal



36 Vote

Create web plugin to allow credential injection into web sites like LastPass

Needing to create more sessions from an already recorded session seems redundant.

  • Guest
  • May 9 2019
  • Future consideration
  • Guest commented
    6 May 08:13am

    The security concern regarding browser session cookie would not be different from what we do today - our users copy\paste passwords from PasswordSafe into the browser on their workstation.

  • Guest commented
    10 Nov, 2020 01:48pm

    Brian, those risks already exist. The user has to log into PBPS, copy the password to their local clipboard (in cleartext) and then paste it into the web form. This opens the password up to interception in many more places. With a browser extension, the user never actually has the password to paste into other places, nor is it accessible in the system clipboard or on the webpage for screen grabbers to intercept.

    The extension would be calling the PBPS APIs, which are all over HTTPS. It might mean that your current model for API access would need tweaks to accommodate the extension, but this could make it easier for a customer to disable the extension if they don't want their users to be able to use it.

    I would consider this closer to the RDP/SSH model, where the user never actually has the ability to see the password.

    Use of something like AutoIT is significantly riskier, to me. We don't use it internally because it has been leveraged in malware and it's impossible to differentiate benign from malicious use. Also, it is limited to working on Windows where a browser extension would be cross platform. And if you develop for the Chrome engine, it will also be usable in Edge (Chromium edition). To me, that's an all-around win for BT and your customers.

  • Guest commented
    10 Nov, 2020 01:03pm

    +1 for this feature. PasswordSafe would be more widely adopted in our organization if there was a browser extension which is able to autofill credentials, similar to how retail products like 1Password or LastPass work as the OP mentioned. The security concern regarding browser session cookie would not be different from what we do today - our users copy\paste passwords from PasswordSafe into the browser on their workstation. We currently leverage PSRUN and AUTOIT to automate this process but it is not ideal with Chrome.

  • Admin
    Brian Chappell commented
    10 Nov, 2020 12:47pm

    Thanks for that response.

    That does mean the credential would be transmitted to the user's workstation and from there to the target system opening up opportunities for interception. There would also likely be a session cookie provided to the user giving them access for the duration of the target system's session timeout - regardless of password changes.

    Are these considered acceptable risks?

  • Guest commented
    9 Nov, 2020 02:19pm

    User's browser. Similar to the way that 1Password and other password solutions have browser extensions that enable direct injection of the password into the login form. Then the solution would apply to any situation (RDS, VDI, local browser). The user would authenticate to the PBPS solution (including any requirements for MFA) and the extension would cache that connection the same way that the web page login works (same timing).

  • Admin
    Brian Chappell commented
    9 Nov, 2020 02:14pm

    Is the intent that the plug-in would run on the user's browser or on a browser hosted within an RDS infrastructure?

  • Guest commented
    23 Oct, 2019 01:10pm

    The use of AutoIT to automate injection of passwords into a web form creates an extra layer of complexity, reducing use of the solution. While we can allow users to copy the password and paste it into the form, that puts the password onto the local user's clipboard.

    Use of a browser plugin/extension would enable a direct API integration with PBPS, keeping the password secure and not exposed to the user or any malware/keystroke/clipboard loggers on the local machine. We will require extra approval to expose the actual password vs. direct login use of an account, so it would also simplify our user experience without compromising security.