Team Password Manager Change log

Current Team Password Manager version: 7.73.146

7.73.146 - 20170120

  • Added multilanguage support to the help and eula screens, and other missing strings.
  • Corrected a couple of bugs to make it production ready.

7.72.144 (Beta v7/3) - 20161228

  • Multilanguage support.
  • PHP 7 support.
  • Date and time format parameter.
  • Integrate the two latest patches from the previous version (6.68.138.181 and 6.68.138.182).
  • Increment wmm_options.value length to 1000.
  • Corrected bug with strange characters in titles of passwords and projects.
  • Corrected bug with LDAP import where existing users were not detected.

Patch 6.68.138.182 - 20161103

This patch makes error/exception dumps shorter so that no internal information is exposed.

* IMPORTANT: this patch is only valid for Team Password Manager version 6.68.138. If you have an older version you're encouraged to upgrade to 6.68.138 and apply this patch.

To install this patch, unzip it and copy config/config.php to wmm/config/, replacing the current config.php file. Do not confuse this config.php file with the main configuration file in the root of the software: the one in this patch goes to wmm/config.

Download patch 6.68.138.182 (MD5 Hash: 05cd8993b246c5887671efb723341b1d)


Patch 6.68.138.181 - 20161102

This patch solves a vulnerability found in import (normal and my passwords) in which an attacker could create a remote code execution exploit. We'd like to thank James Ogden from Sky Betting and Gaming for reporting the vulnerability and Daniel Adams from the same company for helping coordinate the testing of the patch.

* IMPORTANT: this patch is only valid for Team Password Manager version 6.68.138. If you have an older version you're encouraged to upgrade to 6.68.138 and apply this patch.

Specifically, this patch:

• Only allows files with .csv extension and validates the mime type.
• Checks the import process and doesn't allow the process to continue if there are format errors (deleting the import file).
• Integrates the import log with the log of the software (before a log file was created). The import log can also be downloaded.
• Deletes the import file afterwards.
• Allows the import folder to be configured in config.php, so that it can be placed outside of webroot. Copy the following code to config.php and uncomment and set the define to your desired path (you don't need to do anything if you want to use the default path):

// Import folder (where imported files are uploaded). You can set it in two ways:
// 1. With an absolute path. Example: /var/www/domain/import/
// 2. With a relative path (relative to index.php). Example: ./import/
// Must be accessible and writable by the web server
// Define with or without trailing slash
// Defaults to ./import/, uncomment the following line to change this default value:
			
// define('IMPORT_FOLDER' , './import/');

How to install the patch: unzip the patch file and upload the files it contains to the wmm folder on the server, replacing the current ones:

wmm/config/mimes.php
wmm/controllers/settings.php
wmm/controllers/mysettings
wmm/models/m_pwd.php
wmm/models/m_mypwd.php
wmm/views/settings/v_import_upload.php
wmm/views/settings/v_import_result.php
wmm/views/mysettings/v_import_upload.php
wmm/views/mysettings/v_import_result.php

Download patch 6.68.138.181 (MD5 Hash: bf9cb8d3e31d831696048b17f1719612)


6.68.138 - 20160226

  • Multiple LDAP servers.
  • LDAP timeout.
  • Proxy settings for the version checker.
  • Inactive users do not take up a license.
  • Modal screen to select the manager in project and password security.
  • Integrate patch 6.63.136.81 (security issue).

Patch 6.63.136.81 - 20160111

This patch corrects a privilege escalation vulnerability when editing the user or user information. Thanks to Holly Grace from Sec-1 Ltd (@HollyGraceful) for reporting this vulnerability.

* IMPORTANT: It's only valid for Team Password Manager v. 6.63.136. Users with lower versions are encouraged to upgrade to v. 6.63.136 before applying the patch.

To install: copy user_info.php and users.php to wmm/controllers, replacing the existing ones.

Download patch 6.63.136.81 (MD5 Hash: 64d20ce1b43b63b3b861056a7364ac3d)


6.63.136 - 20151217

  • New subproject: "Inherit from parent" by default (grant all users).
  • API only user.
  • Edit notes only button in passwords.
  • LDAP import: option to save configuration data to the database.
  • LDAP import: debug mode.
  • Copy to clipboard: also in access, username, email, notes and all data of the password.
  • Copy to clipboard: default JS/HTML5.
  • Copy to clipboard: new COPY_TO_CLIPBOARD option to set technology or disable.
  • Disable personal passwords (option in config.php: ALLOW_PERSONAL_PASSWORDS).
  • Do not close editing modals by clicking outside of them.
  • Search includes tags by default.
  • Search matches words in string regardless of position.
  • Auto select Root for new projects.
  • Bug in editing my account, user account and group: if the username or group was incorrect, the error message could allow XSS and iframe injection.
  • Project selector (new pwd/new prj): placeholder text in "Filter tree" input box so that the input box is not confused with the name of the new password or project.
  • Form autocomplete off in login, 2fa and reset pwd forms.
  • Edit file notes larger area.
  • Link to LDAP auth doc in website from settings.
  • Help text in protocol version in LDAP settings.
  • Note for FreeBSD in install.txt.
  • Location of config.php in settings overview.
  • Visual bug: remove the "encrypted" icon in access, username and email in Edit My Password.
  • Note in export that locked passwords are not exported.
  • Bug: corrected custom fields notes beginning with url (not shown correctly).
  • Bug: API projects.edit_security and passwords.edit_security maintained current permissions on users/groups not specified (patch 6.56.118.20150922).

Patch 6.56.118.20150922 - 20150922

This patch corrects API v4 permission assignment in projects (PUT /projects/ID/security.json) and passwords (PUT /passwords/ID/security.json) where users/groups kept their previous permission if they weren't assigned any permission, instead of deleting their permissions (thus setting them to "Not set").

* IMPORTANT: It's only valid for Team Password Manager v. 6.56.118.

To install copy api_prj.php and api_pwd.php to wmm/controllers/api_v4, replacing the current ones.

Download patch 6.56.118.20150922


6.56.118 - 20150828

  • Subprojects (or project hierarchy).
  • New permissions system.
  • External sharing of passwords.
  • Full screen, Passwords+Projects section merged into one (Home), tree instead of tabs, ajax.
  • Moved the locked icon to the right, next to the favorite icon.
  • Linkify files notes.
  • New event: "View file".
  • Bug: corrected a bug that caused some characters to be replaced by an equals sign (=) in notification emails.
  • LDAP: allow to import more than 1000 users in one batch.
  • LDAP: set DN field length to 255 in entry fields (test, user, etc.). Check that users with long DNs can be imported and that they can sign in. Internally there is no limit.
  • Bug: API: show a password for users with role "Read only" returned an internal error (Patch 4.50.100.20150625).
  • Bug: API: when an LDAP user listed projects, only the first 5 were listed (Patch 4.50.100.20150701).
  • API: new API v4, v3 deprecated and v1/v2 disabled. See the API changelog.
  • New parameter in config: SUBPROJECT_NAME_SINGULAR/SUBPROJECT_NAME_PLURAL.
  • Location of the config.php file is shown in Settings | Encrypt DB Config screen.
  • Automatic blocking notification email appeared with strange characters (corrected); it is now also sent as HTML.
  • In install/upgrade, if PHP >= 5.6, checks that always_populate_raw_post_data=-1.
  • Log creation of imported projects and passwords (individually for each project and password).
  • Log export of passwords (individually for each password).
  • Export: for locked passwords, only the name and project name are exported.
  • Import: select a parent project.
  • New parameter in config: ALLOW_EXPORT/ALLOW_IMPORT.

Patch 4.50.100.20150701 - 20150701

This patch fixes:

  • API (v2/v3): Internal Server Error when users with role "Read only" show a password.
  • API (general): listing projects by LDAP users returns only the first 5.

* IMPORTANT: this patch is only valid for version 4.50.100. If you have a lower version, first upgrade to 4.50.100 and then apply this patch.

How to apply:

  1. Unzip the patch file (4.50.100.20150701.zip).
  2. Copy controllers/api_v2/api_pwd.php from the unzipped file to wmm/controllers/api_v2 in your installation (replacing the file).
  3. Copy controllers/api_v3/api_pwd.php from the unzipped file to wmm/controllers/api_v3 in your installation (replacing the file).
  4. Copy models/m_ldap.php from the unzipped file to wmm/models in your installation (replacing the file).
Download patch 4.50.100.20150701


4.50.100 - 20150315

  • Search also done on access, username and e-mail fields of passwords and "my passwords".
  • Advanced search operators for passwords and "my passwords" and advanced search form. Advanced search help.
  • Additional logs: to syslog or file.
  • API v3:
    • GET /version.json => get version, release date and api version.
    • GET /version/check_latest.json => get version, release date and api version and checks latest version, returning it (returns 200 if ok). If the version can't be checked, '' is returned. This request can only be made by IT or admin users.
    • GET /users/me.json => get information about the user making the call.
    • GET /passwords/ID.json => additional returned field that indicates which permission the current user has on the password: "user_permission" can be read/manage.
    • GET /projects/ID.json => additional returned field that indicates which permission the current user has on the project: "user_permission" can be read/manage.
    • GET /projects/ID.json => additional returned field that indicates if the user can create passwords on the project: "user_can_create_passwords" (true/false).
    • API access to My Passwords.
  • Export/import My Passwords, with help.
  • Delete all my passwords.
  • Export didn't show custom3 title and didn't export \ correctly (as \\).
  • When showing a password, set font to Courier. This is done to better differentiate characters, especially i/1/l, if copying to the clipboard isn't possible (because the place where the password is to be entered won't admit pasting, or because it is being entered on a different computer).
  • Applied patches 4.47.94.20141215 and 4.47.94.20150206.
  • If the session has finished and the user clicks on show or copy to clipboard, the sign in screen appears ok, not overlaid on the current page.
  • Lots of minor improvements.

Patch 4.47.94.20150206 - 20150206

This patch fixes incorrect encoding of numeric strings as numbers in API responses.
* IMPORTANT: this patch is only valid for version 4.47.94. If you have a lower version, first upgrade to 4.47.94 and then apply this patch.
How to apply: Replace the MY_Controller.php file in the following folder: wmm/core.

Download patch 4.47.94.20150206


Patch 4.47.94.20141215 - 20141215

This patch corrects incorrect removal of some control characters when entering data.
* IMPORTANT: this patch is only valid for version 4.47.94. If you have a lower version, first upgrade to 4.47.94 and then apply this patch.
How to apply: Replace the Input.php file in the following folder: system/core.

Download patch 4.47.94.20141215


4.47.94 - 20141203

  • PHP 5.6 compatibility.
  • Search passwords inside project.
  • Setting in config.php to control the number of items in lists: NUM_ITEMS_LISTS.
  • The sorting field in lists is maintained between sessions (for each user).
  • 2FA verification now has a 1-minute margin by default.
  • Parameter in config.php to set the number of 30 second windows of margin for 2FA verification: NUM_2FA_WINDOWS.
  • Handle https connections from load balancers/proxies automatically if using SSL Termination (if detecting header "X-Forwarded-Proto: https" or header "Front-End-Https: on").
  • Parameter in config.php to set a base url: TPM_BASE_URL.
  • Allow one user with role Admin/IT to be exempt from 2FA enforcement.
  • Bug: if the QR code cannot be generated (due to GD not installed), show a message instead of a broken image (or nothing).
  • Bugs (visual) in group / user management when the user is an IT user.
  • Bug in import: in some cases the project name and password name were imported blank.
  • Other minor bugs and changes.

4.41.83 - 20141030

  • Global custom field templates. Global default template.
  • Project custom field templates.
  • New option in config.php to be able to replace the words "project/projects" with other terms on all the screens. Example: "category/categories".
  • Password expiration, with email notifications.
  • Password locking (enter reason to unlock), with email notifications.
  • API v2 to support password expiration and locking.
  • Automatically add a link in http/https URLs in notes fields (in passwords and projects).
  • Support (validate) email addresses with new TLDs (Example: user@domain.services).
  • When creating new passwords with the new password button, show intermediate screen to select project. This screen is not shown when creating passwords from a project.
  • Add "New password after saving" checkbox next to the Save button when adding a password.
  • Copy/move my password to a project.
  • JS code to prevent double form submissions.
  • Bug: without JS enabled: error with tags when creating a project.
  • Avoid "open_basedir restriction in effect. File(/dev/urandom) is not within the allowed path(s)" error when installing/upgrading or creating users.
  • Bug: in My Account | 2FA tab, the QR code was incorrect.
  • Show Account Name when enabling 2FA and in the 2FA tab in "My Account".
  • Favicon with higher resolution.
  • Bug: in tags filter inside project (didn't show passwords when a password tag being filtered was deleted).
  • Workaround so that Chrome in windows doesn't automatically (and incorrectly) fill in the password fields when editing passwords, when its option to save passwords is enabled.
  • Bug in API v1 (also corrected in API v2): did not check email custom fields for a valid email address.
  • Bug in file uploads: if no file was provided and in some cases where the file size was greater than the maximum, the upload button remained hidden.
  • Small square bullet icon in filter labels in password and project lists.

4.32.68 - 20140724

  • New: API V1.
  • Username: removed 6 chars minimum limitation.
  • When deleting a password offer to return to the project of the password (in addition to the passwords list).
  • Remove autocomplete=off from username/password in login screens so that some browsers can store the password.
  • Bug: could assign a read only user as password manager (although this user could do nothing).
  • Bug: update password updated_by/on when editing password security.
  • Check if mysqli extension is installed (at login, install and upgrade).
  • Upgrade: username or email label depending on which version is upgrading (< 3.32.60 => email, >= 3.32.60 username).
  • New obfuscation option to remove some warnings in the PHP log.
  • Other minor bugs and changes.

3.32.60 - 20140604

  • Responsive.
  • Users now have a username and sign in with the username instead of email. Also, this field is case insensitive (before, the email was case sensitive). Usernames are also imported when doing an LDAP import. Note: LDAP import now does NOT convert email addresses to lowercase (because email is not used to log in and the username (if email is used) is case insensitive).
  • Users now have tabs that list the passwords and projects that they have access to.
  • Ask for the user's password for editing "My account".
  • Automatic IP Blocking notifications: allow also IT users (before only admin users were allowed to receive notifications).
  • Email settings: hide password, new setting "Use SMTP User as the email sender".
  • A new setting in config.php that labels the "Copy to clipboard" icon so that screen readers can read it: define('ZEROCLIPBOARD', TRUE);
  • Users with IT role can only "Edit/Delete" and "Add/Delete users to/from a Group" for groups that they belong to. When creating groups they're automatically assigned to them. IT users cannot delete themselves from groups.
  • In config.php: configuration for non-standard ports. Ex: define('CONFIG_PORT', 3307);
  • Bug: in security lists (pwd, prj) if two users had the same name, only one would appear.
  • Bug in My Account log pagination: it didn't show the correct page.
  • Other minor bugs and changes.

2.25.45 - 20140408

  • Duplicate passwords.
  • Encrypt DB configuration in config.php.
  • Quick access to "My Passwords" from the menu, moved help to the footer, "My Account" is now accessed clicking on the user name.
  • Custom CSS for the sign in screen. See the define CUSTOM_SIGNIN_CSS in config.php.
  • Custom fields in passwords (up to 10).
  • Labels when editing a password (Basic data, custom fields, notes) and bigger notes field.
  • Notes icon instead of "Notes:" in the passwords/mypasswords list, also a direct link to the notes tab.
  • Password history.
  • Short timeout for the version checker.
  • The access and custom text fields are made clickable if a URI scheme is detected (and not only http:// or https://).
  • Copy password also copies files now.
  • Now can run on PHP 5.5.

Patch 2.18.35.1 - 20140210

This patch corrects a bug that didn't allow LDAP admin users to upgrade the software.
Do not apply it if you're not using LDAP or if you've already upgraded to 2.18.35.
It's only valid for version 2.18.35.
How to apply: copy m_install.php to wmm/models overwriting the current m_install.php file.

Download patch 2.18.35.1 Download a current version of the software


2.18.35 - 20140203

  • Timeout and autologout (if js is active).
  • Tags search (passwords and projects) - only if js is active.
  • Project managers can now assign their own projects to other managers, or can create projects for other managers (Managed by field when editing).
  • The password manager (or owner) can be changed.
  • Changed default security to "Grant access to this project to the following users and/or groups." when creating a new project.
  • Grant access to users/groups (that don't have access to a project) to passwords directly.
  • Version checker.
  • New role: IT: project manager with access to users/groups (except admins), log and settings.
  • New log action: "Password shown" (Show password or Copy password to clipboard): unified action for filtering the log to see who's viewed passwords.
  • Personal passwords.
  • Settings screens: tabs at the left to allow for more options.
  • Bug: Email send test: correct message display when error.

2.12.30 - 20140115

  • Changes in password reset:
    • Made it more secure.
    • Bug: do not allow password reset for inactive users.
    • Bug: do not allow password reset if LDAP user (should be done in the LDAP server).
    • If the user has 2FA enabled, ask for the code and do not disable 2FA.
  • Changes in the licenses screen.
  • Trial licenses.

2.11.25 - 20131224

  • Query optimization.
  • Minor cosmetic bug: when viewing security in passwords/projects (the granted via column sometimes repeated values).

2.11.24 - 20131216

  • New feature: LDAP authentication. See Doc: LDAP / AD Authentication.
  • Changes when adding/editing a password:
    • Enhancement: when adding/editing a password: show/hide password (hidden by default), generate not required to delete when new, repeat password.
    • Bug: Show password event is logged when editing a password.
    • Enhancement: in the log, "View password" action changed to "View password data".
  • Bug: use mbstring functions in some cases where accents/special chars were not displayed correctly.
  • Bug: when importing, do not allow import of passwords into archived projects.
  • Bug: without Javascript activated, clicking "Show" didn't log "Show password".
  • Enhancement: without Javascript activated "Hide" button after clicking "Show".
  • Many minor bugs corrected.
  • Better error handling.

2.9.18 - 20131123

  • New feature: files in passwords and projects.
  • New feature: password tags in project for filtering inside the project.
  • Enhancement: add a link to the user screen in the log (if the logged in user is admin).
  • Bug: if a user is deactivated, his/her session is now disabled if he/she is logged in.
  • Security bug: could copy passwords even after the session expired.
  • Bug: sometimes the clipboard icon didn't show and also produced an annoying flickering.
  • Bug: include password to the last 5 passwords viewed when copying it to the clipboard.

2.7.13 - 20131104

Minor bug: database error when creating projects with MySQL 5.6+.


2.7.12 - 20130924

Bugs release (in user passwords, password generator incorrectly showed some symbols, minor spelling).


2.7.11 - 20130916

  • New feature: IP detection if behind a reverse proxy (download and see the config.php file).
  • New feature: IP address blocking at the "Sign In" screen. Manual and Automatic.
  • New feature: optionally enforce Two-Factor authentication on all users.
  • New feature: email field in password.
  • New feature: strong passwords generator.
  • New feature: hide password (after clicking "Show"), and changed the color of the "Show" link.
  • New feature: copy password to clipboard (you need to have Flash installed to be able to use this feature).
  • New feature: namespaces in sessions, which allow accessing different instances of TPM on the same server with the same browser.
  • Bug: strings with special characters didn't display correctly in some cases.
  • Bug: some events were not logged: setting/unsetting favorite, email test sent, email configuration changed.
  • Bug: error when filtering by tags that contained a slash (in passwords and projects).
  • Bug: in label (password instead of project): when deleting a password it said that the "project has been deleted".
  • Bug: in help (export/import) documentation: "Projects created by the import process will have 'Grant access to this project to the following users and/or groups.' as their security setting (and no user or group checked)." INSTEAD OF "Projects created by the import process will have 'All users have access to this project' as their security setting."
  • Internal change: do not use persistent db connections and use mysqli instead of mysql.
  • Change: force edge versions in IE because compatibility view generated problems.

2.0.1 - 20130601

Major upgrade:

  • New UI.
  • Tags for passwords and projects.
  • Favorite passwords and projects.
  • Groups of users (and give access to them in projects).
  • Two-factor authentication with Google Authenticator.
  • Bcrypt hashing of users' passwords.
  • Logging (of every action).

1.7.0 - 20121231

  • Export/import password entries.
  • Create password entries editing policy.
  • Copy/move password entries between projects.
  • Last accessed label on projects and passwords (on the sidebar).
  • Bigger search box.
  • Sort projects (and archived projects) by name, creation date or manager.
  • Show the number of projects in projects lists.
  • Small boxes in pagination links.
  • Show the number of password entries in password entries lists.
  • Enter key when creating users.
  • Improved encryption and sessions.

1.2.0 - 20110905

  • 2 users for the FREE VERSION.
  • Upgrade system.

1.1.1 - 20110829

  • Minor modifications (logo on Sign in screen, some labels).
  • Project security for only 1 user (everyone has access to the project, or only its manager and admins).

1.1.0 - 20110807

Name change: from WebmasterMGR to Team Password Manager.


1.0.8 - 20110630

First version available to public.