Highly Secure Online Password Keeper

Thanks for checking out the Online Password Keeper.  The application was created to offer the convenience of storing passwords online for easy access while at the same time keeping them secure.  It is web based (PHP + flat file) for easy retrieval. All stored passwords are encrypted and the master (key) password is never saved. Even the user-ids (for both master and individual access) are encrypted.

Install

  1. Extract the files to a web directory
  2. Edit wprop.php to change any settings. It is recommended you change the file names.
  3. Although not required, take steps to restrict access to the password files

Usage (interface)

  1. Point web browser to install directory
  2. Register --> Login --> Add/Search/Edit/Delete --> Logout

Usage (how to)

The application works by first letting you create a registration. Each user has his/her own registration to manage the password list, so the first step for every new user (or group of users sharing one) is to register with a user-id and password. This user-id and password should be as secure as possible, since they are the master user-id and password. Choose a long password and avoid dictionary words. The good thing here is that, strictly speaking, the user-id and password combination together is the real password and is what makes a registrant unique. You can actually have two users share the same user-id as long as they (of course) have different passwords!

Once registered you can log in and add individual user-ids and passwords. Add as many as you please, but remember only the URL and description are unencrypted. Everything else, including the individual username, is encrypted.

Security

The goal of this application is to provide the utmost security for the user. Today most of us use some form of shared hosting service, which we would like to take advantage of. Also, you can never be sure whether your very own server has been compromised. Worse yet, you could be bleeding all your passwords without even realizing it. Considering all of this (and that there was nothing similar out there), this project was undertaken. Here is how your data is secured.

  1. When you register, your user-id itself is stored encrypted WITH the master password you supply as the "key". The master password is never saved. This ensures that anyone looking at the data file will be able to get neither the user-id nor the password!
  2. When you add individual user-ids and passwords, these are again saved encrypted, using another key. The key for the individual user-ids and passwords is the combination of the master user-id, the master password and a random sequence (pre)associated with the master user-id.

The scheme ensures that the passwords are extremely secure. The data files can reside in a publicly accessible location without issues, although this is not recommended.
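The scheme described above (together with the shared-user-id point from the how-to section), as an added example written for this README and not the project's own PHP code: a flat-file store in which the master credentials are never written, login scans every record because no user-id is stored in clear, and each entry's username and password are sealed under a key from master user-id + master password + a per-registrant random salt, leaving only URL and description readable. It swaps the page's encrypt-the-user-id login check for a salted PBKDF2 verifier (same property: neither user-id nor password is recoverable from the file) and uses an HMAC-SHA256 keystream with an HMAC tag in place of the project's hash-based encryption class; the iteration count, record layout and sample credentials are assumptions.

```python
import hashlib, hmac, os
ITER = 100_000  # PBKDF2 work factor (assumed; the README names no KDF)

def _kdf(user_id, password, salt, purpose):
    # One key per purpose from master user-id + master password + the registrant's random salt.
    return hashlib.pbkdf2_hmac("sha256", f"{user_id}\x00{password}\x00{purpose}".encode(), salt, ITER, 32)

def _keystream_xor(ek, nonce, data):
    out = bytearray()
    for i, start in enumerate(range(0, len(data), 32)):
        ks = hmac.digest(ek, nonce + i.to_bytes(4, "big"), "sha256")
        out += bytes(a ^ b for a, b in zip(data[start:start + 32], ks))
    return bytes(out)

def seal(key, plaintext):
    # Hash-based encrypt-then-MAC: HMAC-SHA256 counter-mode keystream, then an HMAC tag.
    ek, mk = hmac.digest(key, b"enc", "sha256"), hmac.digest(key, b"mac", "sha256")
    nonce = os.urandom(16)
    ct = _keystream_xor(ek, nonce, plaintext)
    return nonce + ct + hmac.digest(mk, nonce + ct, "sha256")

def unseal(key, blob):
    ek, mk = hmac.digest(key, b"enc", "sha256"), hmac.digest(key, b"mac", "sha256")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.digest(mk, nonce + ct, "sha256")):
        return None  # wrong key or tampered record
    return _keystream_xor(ek, nonce, ct)

def login(db, user_id, password):
    # No user-id is stored, so every record is tried: the (user-id, password) pair is the identity.
    return next((r for r in db if hmac.compare_digest(bytes.fromhex(r["verifier"]),
                _kdf(user_id, password, bytes.fromhex(r["salt"]), "verify"))), None)

def register(db, user_id, password):
    if login(db, user_id, password):  # full scan, hence slower as registrants grow
        raise ValueError("user-id/password combination already registered")
    salt = os.urandom(16)
    db.append({"salt": salt.hex(), "entries": [],
               "verifier": _kdf(user_id, password, salt, "verify").hex()})
    return db[-1]

def add_entry(rec, user_id, password, url, desc, username, secret):
    key = _kdf(user_id, password, bytes.fromhex(rec["salt"]), "entries")
    rec["entries"].append({"url": url, "desc": desc, "user": seal(key, username.encode()).hex(),
                           "pw": seal(key, secret.encode()).hex()})

def read_entries(rec, user_id, password):
    key = _kdf(user_id, password, bytes.fromhex(rec["salt"]), "entries")
    return [(e["url"], e["desc"], unseal(key, bytes.fromhex(e["user"])).decode(),
             unseal(key, bytes.fromhex(e["pw"])).decode()) for e in rec["entries"]]
```

In production an authenticated cipher from a vetted library (AES-GCM, for instance) and a tuned work factor would replace the hand-rolled HMAC construction; the record scan is kept deliberately because it is what makes the user-id/password pair, not the user-id, the identity.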

Settings (wprop.php)

Modify the file to:
  1. Change the directory and location of:
    1. Master user-id & password file
    2. Individual user-id & password file
    3. Log file
  2. Turn logging on or off
  3. Define a key for the salt

Considerations

  1. Once registered there is no way (at least no easy way) to unregister!
  2. Multiple users can have the same user-id (knowingly or unknowingly), since really the combination of user-id and password is what makes a user unique
  3. As the number of registrants increases the registration page slows down. This is not much of an issue since you register once and never have to register again. The application was load tested with 300 registered users, which made new registrations take 15 seconds on a Sun Ultra 5 400 MHz single processor with IDE disks (a very humble system!!!). The same was tested with 1000 individual total passwords and the webpage add/search/edit had sub-second responses. The slowness in registration comes at the cost of encrypting the master user-id as well.
  4. If you forget the master user-id and password (combination) there is no recovery! Security comes at the price of processing and human memory!

Errors

If you get the following error on running the app:

Warning: fopen(protected/resu.txt.lock): failed to open stream: Permission denied in /<somewebpath>/onlinepasswords/flatfile.php on line 186
Warning: flock(): supplied argument is not a valid stream resource in /<somewebpath>/onlinepasswords/flatfile.php on line 187
Warning: fwrite(): supplied argument is not a valid stream resource in /<somewebpath>/onlinepasswords/flatfile.php on line 376
Warning: fclose(): supplied argument is not a valid stream resource in /<somewebpath>/onlinepasswords/flatfile.php on line 377
Warning: flock(): supplied argument is not a valid stream resource in /<somewebpath>/onlinepasswords/flatfile.php on line 199

This means that the "protected" directory inside the application's main directory does NOT have the privileges required for the web server to access it.  Change the permissions on this directory and also add an .htaccess file to prevent unauthorized access.  Check the wprop.php settings file to change the path or file names.

Credits

The application uses two open source PHP (class) APIs:

  1. PHP Flatfile package (flat file DB class) by Luke Plant
     http://lukeplant.me.uk/resources/flatfile/
     License: MIT
  2. Class: Secure hash based encryption
     Base name: class_hash_crypt by Marc Wöhlken
     License: GNU General Public License (GPL)