Kindernothilfe (KNH) is a German non-profit organization dedicated to supporting vulnerable children in impoverished and underprivileged regions worldwide. Founded in 1959, it has made significant contributions as one of Europe’s largest charities dedicated to child aid. Operating in over 30 countries, Kindernothilfe emphasizes the importance of ensuring children’s rights and providing access to education, healthcare, child protection, and community development initiatives, all aimed at enhancing children’s living conditions and eradicating poverty.

The challenge: Finding a secure and user-friendly solution for global teams

Before choosing Passwork, Kindernothilfe relied on KeePass, a solution that limited scalability and lacked user-friendly features essential for a globally operating organization. With over 300 employees across more than 30 countries, the organization required a secure, scalable, and intuitive password management solution.

Doing so was crucial to meet the growing demands of its international team, especially for enhancing password sharing and access management capabilities for remote employees.

The solution: Switching to Passwork for improved security and simplified user access

Kindernothilfe opted for Passwork for its robust self-hosting capabilities, ensuring optimal data control and security. The seamless integration with SAML2 for Single Sign-On (SSO) streamlined access management across multiple platforms.

Furthermore, Passwork’s intuitive interface, along with its mobile app and browser extension, made it possible to manage passwords effortlessly from any device. The secure password-sharing features enhanced team collaboration, significantly reducing human error and improving overall security protocols.

The implementation: Gradual rollout and building a secure infrastructure

The implementation process took approximately two months. It was primarily focused on establishing and thoroughly testing the infrastructure to ensure Passwork met Kindernothilfe’s security requirements. The integration of SAML2 for Single Sign-On (SSO) was smooth and completed within a short timeframe.

To facilitate the successful implementation of Passwork, Kindernothilfe opted for a phased rollout rather than deploying the password management solution organization-wide all at once. They began with a smaller group of employees to showcase the benefits of the system and gradually promoted its use.

While organizing various promotional and educational activities, such as “Lunch and Learn” events, the organization encouraged employees to engage with Passwork. The goal was to achieve the point where at least 50% of the staff actively used Passwork before expanding the system to the entire organization.

The results: Increasing operational efficiency for cross-border teams

Currently, approximately 50% of the staff are actively using Passwork—a centralized, secure, and user-friendly solution for password sharing. This incremental approach not only ensured higher user engagement but also significantly strengthened security protocols across the organization.

By improving password management processes, Kindernothilfe increased its overall operational efficiency, especially for cross-border teams. Educational initiatives, such as “Lunch and Learn” sessions, were instrumental in raising awareness about Passwork and facilitating its successful adoption throughout the organization.

Passwork 6.4, we have introduced a number of changes which enhance our browser extension security, make user permissions settings more flexible, and improve the logging of settings related changes:

• Mandatory extension PIN code
• Logging of all changes related to settings
• User access to history of actions with passwords
• Automatic updating of LDAP group lists

Mandatory extension PIN code

With the new setting ‘Mandatory PIN code in extension’, administrators can set a mandatory browser extension PIN code for all users, minimizing potential unauthorized access. Once enabled, users who have not yet set a PIN code will be prompted to do so upon their next login to the extension. Users will be able to configure their auto-lock timeout and change the PIN code, but they cannot disable these functions.

Logging of all changes related to settings

Now all changes in the Account settings, User management, LDAP settings, SSO settings, License info, and Background tasks are displayed in the Activity log.

History of actions with passwords

The new setting ‘Who can view the history of actions with passwords’ makes it possible for vault administrators to let other users view password history, password editions, and receive notifications related to their changes. Previously, these features were available only to vault administrators.

Automatic updating of LDAP group lists

Automatic updating of LDAP group lists can now be configured on the Groups tab in the LDAP settings. The update is performed through background tasks with a selected time interval.

Other improvements

• Added pop-up notifications when exporting data or moving data to the Bin
• Improved display of dropdown lists on the Activity log page
• Changed time display format of the ‘Automatic logout when inactive’ and ‘Maximum lifetime of the session when inactive’ settings
• Changed the Enabled / Disabled dropdown lists on the System settings and LDAP settings pages with toggles
• Increased minimum length of generated passwords to six characters

Bug fixes

• Fixed an issue in the Password generator where selected characters were sometimes missing in the generated password
• Fixed an issue where local users could not independently recover their account password when an LDAP server was enabled
• Fixed an issue where local users could not register in Passwork when an LDAP server was enabled
• Fixed an issue which occurred after moving a folder with shortcuts to another vault and shortcuts not being displayed in the new vault
• Fixed an issue that occurred when trying to move a shortcut found in search results without opening any vaults right after logging into Passwork
• Fixed an issue that occurred when trying to copy a password found in search results without opening any vaults right after logging into Passwork
• Fixed an issue that occurred when a password was sent to another user and remained on the recipient's Recents and Starred pages after the initial password was moved to the Bin
• Fixed the value in the time field for the ‘API key rotation period (in hours)’ setting which was reset to zero after disabling it
• Fixed incorrect event logging in the Activity log after changing folder permissions
• Fixed incorrect text notification about assigning access rights to a user through a role
• Fixed incorrect tooltip text when hovering over the username of a recently created user
• Fixed incorrect display of long invitation titles
• Removed the local registration page when the LDAP server is enabled

In Passwork 6.3, we have implemented numerous changes that significantly improve organization management efficiency, provide more flexible user permission settings, and increase security:

• Administrative rights
• Hidden vaults
• Improved private vaults
• Improved settings interface

Administrative rights

Available with the Advanced license

Now there is no need to make users administrators in order to grant them specific administrative rights. This option is a response to one of the most frequent requests from our customers.

Administrators can grant only those rights or permissions that are necessary for users to fulfill their duties and flexibly customize access to settings sections and manage Passwork. For instance, you can grant employees the right to create and edit new users, view the history of user activity, track settings changes, while restricting access to organization vaults and System settings.

You can configure additional rights on the Administrative rights tab in User management. There are four settings sections to flexibly customize Passwork for your business:

General

In this section, you can grant users access rights to manage all existing and new organization vaults, view the history of actions with settings and users, access license info and upload license keys, view and modify the parameters of SSO settings and Background tasks.

User management

In this section, you can grant users access rights to view and modify User management parameters. This includes performing any necessary actions with users and roles, such as creating, deleting, and editing users, changing their authorization type and sending invitations.

System settings

In this section of settings, you can grant users the right to view and modify specific groups of System settings.

LDAP settings

In this section, you can grant users the right to view and modify LDAP parameters which include adding and deleting servers, registering new users, managing group lists, viewing and configuring synchronization settings.

Activity log

The event of changing user administrative rights has been added to the Activity log. All changes are now recorded in the Activity log, that includes the users who initiated such changes as well as each setting that was modified with its previous and current values.

Interface improvements

Users with additional administrative rights are marked with a special icon next to their user status.

Some items remain unavailable until the necessary settings have been activated. When hovering your cursor over such items, a tooltip with information regarding dependent settings will be displayed.

Hidden vaults

In the previous versions of Passwork only organization administrators were able to hide vaults. Also, only organization vaults could be hidden. In this new version, all users can hide any vaults. Hiding makes vaults invisible only to the users who choose to do it and does not affect others.

Hidden vault management is now carried out in a new window, which is available directly from the list of vaults. You can view the list of all available vaults and customize their visibility there.

Private vault improvements

Displaying private vaults in User management

Besides hiding private vaults, employees with User management access can now see all vaults which they administer (including private vaults). The new feature which makes it possible to add users to private vaults has also been added to User management.

Logging of events in private vaults

Private vault administrators can view all events related to their vaults in the Activity log.

Other changes

• Fixed an issue which prevented users from changing their temporary master password
• Fixed an issue which prevented users from setting the minimum length for authorization and master passwords
• Fixed an issue in User management which made administrator self-deletion possible
• Minor improvements to the settings interface

In Passwork 6.2 we have introduced a range of features aimed at enhancing your security and convenience:

• Bin
• Protection against accidental removal of vault
• Protection against 2FA brute force
• Accelerated synchronization with LDAP
• Improved API settings
• Bug fixes in role management

Bin

Now, when deleting folders and passwords, they will be moved to the Bin. If needed, they can be restored while preserving previously set access permissions. Vaults are deleted without being moved to the Bin — they can only be restored from a backup.

Who can view deleted passwords and folders in the Bin?

Inside the bin users can see the deleted items from those vaults in which they are administrators. For instance, an employee who is not an administrator of organization vaults will only see the deleted passwords and folders from his personal vaults when opening the Bin.

In addition to object names, the Bin also displays the usernames of people who deleted data. You can also see the initial directory name and the deletion date.

Object restoration

Objects from the Bin can be restored to their initial directory if it has not been deleted or moved. Alternatively, you can choose any other directory where you have edit and higher access levels.

When restoring deleted folders to their initial directories, user and role access levels will also be restored exactly as they were previously manually set in these folders. Other access permissions will be set based on the current permissions in the initial directory.

When restoring folders to a directory different from the initial, access levels will always depend on the current permissions in the selected directory.

Additional access to deleted passwords

If passwords have been shared with users, moving them to the Bin will remove them from the “Inbox” section, and any shortcuts or links to these passwords will become nonfunctional.

Restoring additional access

When restoring from the Bin, it is possible to regain additional access levels to passwords. Passwords that were shared with users will reappear in their “Inbox” section, access to passwords through shortcuts will be restored, and links that have not expired will become functional again.

Bin cleanup

You can delete selected items from the Bin or use the "Empty Bin" button to remove all items contained inside.

It's important to note that in the Bin you only see the items which were deleted from the vaults where you are an administrator. Objects from other vaults are not visible, and clearing the Bin will not affect them.

In future, the option to configure automatic Bin cleanup will be added.

Protection against accidental removal of vault

To confirm the deletion of a vault, you now need to enter its name. It will be permanently deleted along with all the data inside. Additionally, if there are passwords or folders from this vault in the Bin, they will also be removed.

Protection against 2FA brute force

Protection against 2FA brute-force attacks has been added. After several incorrect attempts to enter the 2FA code, the user will be temporarily locked. The number of attempts, input intervals, and the lockout time are set in the config.ini file.

Other changes

• LDAP synchronization has been accelerated
• Descriptions of parameters and minimum allowable values for API token expiration time and API refresh token expiration time have been added to the API settings section
• Automatic assignment of "Navigation" to parent folders in role management has been fixed
• The issue when a vault administrator could not add roles to a vault and manage its permissions has been fixed
• The issue with showing additional access rights to passwords when moved to another vault has been fixed

Upgrade Instructions — How to update Passwork
More information about features and prices — on the Passwork website

This latest update demonstrates our focus on refining user experience and enhancing collaborative password management.

No longer will you need to create password copies in various vaults — we've introduced shortcuts. With these handy labels, you can easily organize access to passwords from different directories.

The new enhanced settings provide administrators with more control over configurations and user rights, and all changes require approvals, preventing any unintentional actions.

LDAP user management has now become simpler with its cleaner interface and background data updates.

In addition to that, Passwork 6.0 brings new notifications and interface improvements. All these enhancements contribute to a more comfortable user experience while ensuring the security of passwords and sensitive data.

Shortcuts

Shortcuts are a new way to share passwords, enhancing collaboration flexibility. There's no need for creating password duplicates in different vaults — instead, create multiple shortcuts in required directories. All changes to original passwords are reflected in shortcuts, keeping your team up to date. Users can view or edit data via shortcuts according to their access rights.

Sending passwords without granting partial access to vaults

Previous versions of Passwork encrypt passwords at the vault level. This type of encryption gives users partial access to vaults even when a single password is shared with them. Now, when users access passwords via their "Inbox" or a shortcut, they receive keys to specific passwords, but not their vaults.

Administrators can clearly see who has vault access rights, and who can only work with specific passwords.

LDAP

The LDAP interface is now cleaner and more intuitive, with a reimagined user management logic. Adding new LDAP users is simpler and safer, especially with the client-side encryption enabled.

Previously, admins had to add an employee and provide a master password. Now, users set their master passwords upon the first login, and admins confirm them afterwards.

The "Users" tab shows registered users, and there is a separate window for adding new ones. LDAP user data updates take place in the background, allowing admins to navigate elsewhere without waiting for data refresh.

Passwork now provides more detailed security group information. The groups that are linked to roles are marked with special tags, and the groups which were not loaded from LDAP during the last update are marked as "Deleted", alerting admins to adjust the search settings or remove such groups. Also, you can now see the members of each security group.

Improved settings

We've redesigned all settings sections for a unified visual style and enhanced functionality, reimagined the logics of some settings.

Rights for links, tags, and password sharing. Previously, these settings were applied individually to each user. Now, they are applied to everyone with a certain level of vault access. For example, anyone with the “Edit” access rights or higher can create hyperlinks to passwords. These parameters are located in the system settings under the “Global” tab.

Change confirmation. We've added “Save” and “Cancel changes” buttons in system settings. Now, any changes to settings must be confirmed — this helps to prevent accidental actions.

Custom auto-logout time. Users can now set these parameters individually, and admins specify the maximum inactivity time period before automatic logout.

Language selection. In the new version of Passwork, admins can allow employees to choose their interface language.

Interface enhancements

Improved drag and drop. Now, when dragging and dropping passwords and folders into desired directories, Passwork displays selectable actions — move, copy, or create a shortcut.

Other improvements

Separate windows for access to the safe and additional access. Vault access info is now split into two easy-to-read windows. One window shows users who has access to a specific vault, and the other displays alternative ways passwords from this vault can be accessed — shortcuts, hyperlinks, or shared passwords.

Redesigned password action buttons. On the password panel, we've added the "Edit" button and grouped together all actions for additional password access via shortcuts, links, or direct user sharing.

Additional fields for password import and export. Passwork 6.0 supports the use of custom fields, that means you can transfer not only login and password but also additional information stored within password cards.

New notifications. Administrators will receive notifications about new unconfirmed users, and employees will be notified of new passwords in the "Incoming" section.

In the new version of Passwork, we have completely redesigned the System settings. They are now divided into three sections:

1. Global — organization settings that determine the operations of most of the Passwork functions
2. Default — the values of the settings that will be used if no other custom settings are specified
3. Custom — settings that can be set for individual users and roles

Now you can set up different interface languages, configure authorization methods, and enable mandatory two-factor authentication for individual users and roles.

To do this, click "Create a new settings group" in Сustom settings, add users or roles and select your desired settings. The newly created group will be added to the top of the list and will get the highest priority.

The following settings are now available:

• Ability to create organization vaults and private vaults
• Ability to create links to passwords
• Mandatory 2FA
• Time of automatic logout when inactive
• Authorization method (by local password, LDAP password or SSO)
• API usage
• Interface language

We're already working to add new settings.

If you are already using Passwork — update your Passwork
Or request a free demo at passwork.pro

Running tasks in the background

A new mechanism for handling tasks allows you to run them in the background. For example, you can run an LDAP synchronization task and still work in Passwork. Your synchronization task will run in the background.

You can see scheduled and completed tasks on the “Tasks” page. Here you can also find the configuration instructions for your operating system.

Display a favicon in the password list

The Passwork interface has become even more user friendly and convenient. If a password has a URL, a website icon will be displayed next to its name.

Automatic favicon loading can be set up by administrators on the “Company settings” page. In this case background tasks should be set up.

Other changes:

• Automatic session termination in the mobile app and Passwork extension when API key is changed
• Removed white background in the dark theme when loading pages
• Fixed bug displaying the results of an outdated search query
• Improved validation of TOTP keys
• Fixed empty messages in Syslog
• Added login validation with UTF-8 encoding
• Added automatic LDAP host swap :\\ → ://
• Fixed errors in LDAP code related to the migration to PHP 8
• Redesigned login and registration forms

If you are already using Passwork, update your version — How to update Passwork
Or request a free demo at passwork.pro

Migration to PHP 8

The new version of Passwork now runs on PHP 8. Previous versions of PHP are no longer supported.

New access rights window

The window with access settings for vaults and folders has been completely redesigned. All users and roles having access to a vault or folder are now collected here as well as links and sent passwords.

The rights can now be edited on each tab by selecting multiple objects at once. All modified and deleted objects are marked by an indicator until you save changes. Search filters allow you to display all objects with a certain access right.

Ability to quickly view who accessed vaults and folders

When hovering over an icon next to the name of a vault or folder you can see some brief information about the number of users, roles, links and sent passwords.

Clicking on a list opens up the window for access rights management inside a given vault or folder.

Granting access to individual passwords without adding users to a vault

In previous versions of Passwork, it was possible to send a password copy to users. In the new version, users will see the original password in the Inbox, which will be updated when the original vault changes.

That means you can now give access directly to a password without adding users to a vault or folder.

You can send a password and enable users to edit it, then when a user changes this password, it will be updated for you as well.

Ability to add TOTP keys and then generate 2FA codes

When adding and editing a password, you can add a TOTP field and enter a secret code to generate 2FA codes. The generated code is updated every 30 seconds.

The "Password" field is now optional, so you can keep 2FA codes separate from main passwords.

Adding TOTP keys and generating 2FA codes is available in the web version, browser extension, and mobile app.

Failed login attempts are now displayed in the action history

The action history displays all failed user authorization attempts. This allows you to better track unauthorized access attempts and the actions of blocked users.

You can see all failed login attempts on the Activity Log page by enabling a filter in the Action column.

Ability to enable priority authorization using SSO

The new version of Passwork now allows you to enable SSO priority authorization for all users. You can enable it in the "SSO settings" section.

With this option enabled, only the "Sign in via SSO" button is displayed on the authorization page, the login and password fields appear only when switching to the standard authorization.

Optimized work with a large number of users

Passwork has been tested and optimized for 20,000+ users.

Improved LDAP integration

• Test mode for LDAP roles and groups linking
• Saving LDAP logs to a CSV file
• Updating user attributes during synchronization with LDAP directory

Mobile app update

• Passwork 5 support
• Ability to copy passwords on long press
• New home screen view with separating by type of vault
• Inbox passwords
• Improved search mechanism
• Debug mode

If you are already using Passwork, update your version
How to upgrade Passwork 4→5 version.

Or request a free demo at passwork.pro.