On the "Sending anyonymous statistics page", most options are clearly anonymous, such as "number of ...", or whether an option is enabled or not.

However, there are several items which could seem to be very sensitive and revealing, and not at all anonymous. These are:

• Users
• All items
• All shared items (not including personal ones)
• All folders
• All shared folders (not including personal ones)

There are some examples given of usage, producing anonymous statistics, but it is not clear that the original data sent is anonymised or not containing sensitive data. If data is anonymised and not sensitive when being sent, the text should clarify what data fields exactly are being sent.

I want to support the project with anonymous statistics, but I want to feel safe doing so.

Currently whenever you create a new user, you have to define a password for this user.

This is an issue, as the administrator knows the initial password of the user.

A much better solution would be, require the user to reset the password (that initial password in the background gets set by Teampass itself, something randomly generated in the code, with no administrator intervention) before enabling first login.

The API does not appear to allow attached files to be uploaded or downloaded; nor can you access or update custom fields.  This is a big problem when it comes to storing things like Certificate files when you want to have them automatically downloaded and installed by configuration management software.

In some situations it may be useful to have an option to allow any file extensions. I have tried to set the config field "Other extensions allowed" to "*" or to ".*", but in all cases I was unable to upload a file.

Have an API call where you pass the item number and it gives a OTV link

Currently api may be accessed only with generated API key.

I have a program that has to get list of passwords from TP.
Passwords have to be retrieved according to LDAP users.

That is: LDAP user "andrey" has access to "Item1" and "Item2", and NOT to "Item3".

1) I can't create new api key for each user

2) I can't give user the master key to all passwords

The feature request: allow api to authenticate with users+users from LDAP

Currently, by design, the 2FA login (if enabled) does not apply to the Admin account(s).  These authenticate with a local password and no 2FA.

However, this is less secure, particularly since this is an admin account.

I would like to be able to (optionally) enable 2FA for admin accounts as well as for the normal local or LDAP users, so that we can have optimum security.  Thus, once we have 2FA working, I can flip a configuration switch and view the QR code for admin, and then need to use the 2FA for admin logins from that point forwards.

I would like to be able to use Teampass offline only as I do not want my password folders to touch then internet.

Sometimes the session runs out before the time I've set in the login window (GH-Issue #2007), I get a JS-alert "Hacking attempt".

It would be nice if such errors would just throw me back to the login-window and not leave me inside TP since most session-related errors just need a relog.

At this time, when you click delete on a file it is instantly removed. Could it be possible to introduce a confirmation? New users will try out any button and the result is a deleted file.

Also because the file is removed there is no chance to restore it. Could this also be introduced?

We plan to use Teampass as a store for certificates so it must be failsafe.