##########################
# Online Password Keeper #
##########################

Thanks for checking out the Online Password Keeper.  The application was
created to offer the convenience of storing passwords online for easy access
while keeping them secure.  It is web based (PHP + flat file) for easy
retrieval. All stored passwords are encrypted and the master (key) password is
never saved. Even the user-ids (for both master and individual access) are
encrypted.  Go to http://onlinepasswords.sourceforge.net/demo/login.php for
a demo.

## Install
  1. Extract the files to a web directory
  2. Edit wprop.php to change any settings. It is recommended you change the
     file names.
  3. Although not required, take steps to restrict access to the password files

## Usage (interface)
  1. Point web browser to install directory
  2. Register --> Login --> Add/Search/Edit/Delete --> Logout

## Usage (how to)
The application works by first letting you create a registration. Each user
will have his/her own registration to manage the password list. So the first
step for every new user (or group of users sharing this) is to register with
a user-id and password. This user-id and password should be as secure as
possible since this is the master user-id and password. Choose a long password
and avoid dictionary words. The good thing here is that, strictly speaking,
the user-id and password combination together is the real password and
identifies the unique registrant. You can actually have two users share the
same user-id as long as they (of course) have different passwords!

Once registered, you can then log in and add individual user-ids and passwords.
Add as many as you please, but remember that only the URL and description are
unencrypted. Everything else, including the individual username, is encrypted.

## Security
The goal of this application is to provide the utmost security for the user.
Today most of us use some form of shared hosting service which we would like
to take advantage of. Also, you can never be sure whether your very own server
has been compromised. Worse yet, you could be bleeding all your passwords
without even realizing it. Considering all of this (and considering that there
was nothing similar out there), this project was undertaken. Here is how your
data is secured:
  1. When you register, your user-id itself is stored encrypted WITH the
     master password you supply as the "key". The master password is never
     saved. This ensures that anyone looking at the data file will be able to
     get neither the user-id nor the password!
  2. When you add individual user-ids and passwords, these are again saved
     encrypted using another key. The key for individual user-ids and
     passwords is the combination of the master user-id, the master password
     and a random sequence (pre)associated with the master user-id.

The scheme ensures that the passwords are extremely secure. The data files can
reside in a publicly accessible location without issues, although this is not
recommended.
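
The key hierarchy described above, as an added example that is not the
application's own code. PBKDF2 and AES-256-GCM (PHP's hash and openssl
extensions) stand in for the project's hash-based cipher class, and the
function names, record layout, per-record salt and iteration count are
assumptions.

```php
<?php
// Added illustration, NOT the application's code. PBKDF2 and AES-256-GCM stand
// in for the project's hash-based cipher class; all names are hypothetical.
const KDF_ROUNDS = 200000; // assumed work factor
function derive_key(string $secret, string $salt): string {
    return hash_pbkdf2('sha256', $secret, $salt, KDF_ROUNDS, 32, true);
}
function seal(string $key, string $plain): string {
    $iv = random_bytes(12);
    $ct = openssl_encrypt($plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $iv . $tag . $ct; // 12-byte IV, 16-byte tag, ciphertext
}

function unseal(string $key, string $blob): ?string {
    if (strlen($blob) < 28) return null;
    $pt = openssl_decrypt(substr($blob, 28), 'aes-256-gcm', $key,
                          OPENSSL_RAW_DATA, substr($blob, 0, 12), substr($blob, 12, 16));
    return $pt === false ? null : $pt; // false means wrong key or tampered data
}

// Registration stores only a salt, the random sequence and the encrypted
// user-id; the master password and the plain user-id never reach the file.
function register(string $userId, string $masterPw): array {
    $salt = random_bytes(16); // per-record salt (assumption)
    return ['salt' => $salt, 'seq' => random_bytes(32),
            'uid'  => seal(derive_key($masterPw, $salt), $userId)];
}

// Login trial-decrypts each record, so its cost grows with the registrant count.
// On a match it returns the key for that registrant's individual entries.
function login(array $masterFile, string $userId, string $masterPw): ?string {
    foreach ($masterFile as $rec) {
        $pt = unseal(derive_key($masterPw, $rec['salt']), $rec['uid']);
        if ($pt !== null && hash_equals($userId, $pt)) {
            // entry key = master user-id + master password + random sequence
            return derive_key($userId . "\0" . $masterPw, $rec['seq']);
        }
    }
    return null;
}

// Constructed sample data: two registrants sharing one user-id.
$masterFile = [register('alice', 'first long passphrase'),
               register('alice', 'second long passphrase')];
$k1 = login($masterFile, 'alice', 'first long passphrase');
$k2 = login($masterFile, 'alice', 'second long passphrase');
$entry = seal($k1, 'mail-user:mail-password'); // stored in the entries file
var_dump($k1 !== $k2, unseal($k1, $entry), unseal($k2, $entry),
         login($masterFile, 'alice', 'wrong passphrase'));
```

The two registrants that share the user-id alice end up with different entry
keys, so an entry sealed under one cannot be opened with the other.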

## Settings (wprop.php)
Modify the file to:
  1. Change directory and location of:
    1. Master user-id & password file
    2. Individual user-id & password file
    3. Log file
  2. Turn logging on or off
  3. Define a key for salt

## Considerations
  1. Once registered there is no way (at least no easy way) to unregister!
  2. Multiple users can have the same user-id (knowingly or unknowingly) since
     really the combination of user-id and password is what makes a user unique
  3. As the number of registrants increases, the registration page slows down.
     This is not much of an issue since you register once and never have to
     register again. The application was load tested with 300 registered users
     which made new registrations take 15 seconds on a Sun Ultra 5 400 MHz single
     processor with IDE disks (a very humble system!!!) The same was tested with
     1000 individual total passwords and the webpage add/search/edit had sub-second
     responses. The slowness in registration comes at the cost of encrypting the
     master user-id as well.
  4. If you forget the master user-id and password (combination) there is no
     recovery! Security comes at the price of processing and human memory!

## Errors
If you get the following error on running the app:
Warning: fopen(protected/resu.txt.lock): failed to open stream: Permission denied in /<somewebpath>/onlinepasswords/flatfile.php on line 186
Warning: flock(): supplied argument is not a valid stream resource in /<somewebpath>/onlinepasswords/flatfile.php on line 187
Warning: fwrite(): supplied argument is not a valid stream resource in /<somewebpath>/onlinepasswords/flatfile.php on line 376
Warning: fclose(): supplied argument is not a valid stream resource in /<somewebpath>/onlinepasswords/flatfile.php on line 377
Warning: flock(): supplied argument is not a valid stream resource in /<somewebpath>/onlinepasswords/flatfile.php on line 199

This means that the web server does NOT have the required privileges on the
"protected" directory inside the application's main directory. Change the
permissions on this directory and also add an .htaccess file to prevent
unauthorized access.  Check the wprop.php settings file to change the path or
file names.


## Credits

The application uses two open source PHP (class) APIs:

  1. PHP Flatfile package (flat file DB class) by Luke Plant
     http://lukeplant.me.uk/resources/flatfile/
     License: MIT
  2. Class: Secure hash based encryption
     Base name: class_hash_crypt by Marc Wöhlken
     License: GNU General Public License (GPL)

