Web based password safe with multi-language, multi-user and file upload support. Usernames, passwords and files are stored encrypted in a MySQL/MariaDB database.
- © 2017-2021 Georg Sieber, GPLv2 (see LICENSE.txt)
- using Slim Framework & Twig Template Engine
- https://github.com/schorschii/webpw
Store and view your passwords platform-independent with this PHP web application. Passwords are saved AES-encrypted in a MySQL database. You can create multiple vaults with different master passwords, e.g. for different departments in your company. Inside of vaults you can group password entries and search them.
- There is no database file that you need to share, for example with your co-workers. This means that nobody (except the administrator) has access to the encrypted passwords, and attackers can't copy such a file and run brute-force attacks against it.
- You can safely store files with WebPW.
- It is not necessary to install or deploy any client software.
- You can create multiple vaults for different purposes or persons within one WebPW installation and MySQL database.
To set up this web app you need a database server (MySQL or MariaDB) and a Linux-based Apache web server running PHP 7.
- Set the application's `public` directory as your web server's root directory (if necessary, create a virtual host for this application on your web server).
- Run `composer install` inside the application root directory to install the dependencies.
- Create an empty database on your MySQL server. Then, edit `config/database.php` and enter your MySQL connection credentials.
- Ensure that `AllowOverride All` is set for your application directory in your Apache configuration.
- Open a web browser and navigate to your WebPW installation. You will be redirected to `/setup`. Follow the instructions on the page to create the database structure.
- That's it. You can now log in on the "Manage Vaults" page with the management password you have chosen in the previous step and create a vault. After that, you can open this newly created vault and store your passwords.
- (optional) You can set your preferred language as the default language in the `config/general.php` file.
- It is highly recommended to use HTTPS instead of HTTP (unless you are accessing the site only via localhost). Redirect all HTTP requests to HTTPS.
- Transfer the ownership of the application files to the web server user (www-data) and deny access for all other users.
- Use strong passwords for the Linux root user (and other users too) and the MySQL accounts.
- Ensure that the database server only listens for requests from localhost (and not from other computers inside your network).
- Install `fail2ban` to limit brute-force attacks.
- Do not install tools like `phpmyadmin`.
- Disable or uninstall the SSH server.
- Always keep your server up to date.
- Use additional Apache authentication for the application directory. If you use WebPW inside a company, you can use Apache's LDAP authentication.
- Limit access to the IP addresses that really need it.
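
A small audit for two items on the list above (application file ownership and permissions, and the database listener), added here as an example and not part of WebPW. The install path, the `www-data` user and port 3306 are assumptions; adjust them to your installation.

```bash
#!/usr/bin/env bash
# Added example, not WebPW code. Paths, user and port are assumptions.

# Print every file under directory $1 that is not owned by user $2 or that
# grants any permission bit to "other". No output means the item is satisfied.
loose_files() {
    find "$1" ! -type l \( ! -user "$2" \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Read `ss -ltn` output on stdin and print the local addresses listening on
# TCP port $1 that are not loopback. No output means localhost-only.
# IPv4-mapped or wildcard addresses are reported on purpose (conservative).
exposed_listeners() {
    awk -v port="$1" '
        $1 != "LISTEN" { next }                    # skips the header line too
        {
            addr = $4
            p = addr;    sub(/.*:/, "", p)         # port: text after last colon
            host = addr; sub(/:[^:]*$/, "", host)  # host: text before it
            if (p != port) next
            if (host ~ /^127\./ || host == "[::1]") next
            print addr
        }'
}

# On the server (hypothetical install path, Debian-style web server user):
#   loose_files /var/www/webpw www-data
#   ss -ltn | exposed_listeners 3306

# Constructed sample of `ss -ltn` output, not captured from a real host.
# The second MySQL listener is bound to all interfaces and gets reported.
exposed_listeners 3306 <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*
LISTEN 0      80     0.0.0.0:3306       0.0.0.0:*
LISTEN 0      511    *:443              *:*
EOF
```

Both functions print only findings, so an empty result can be used directly as a pass condition in a cron job or deployment check.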
- Chrome/Chromium, Firefox, Opera (both desktop and mobile)
- IE/Edge not tested yet
- works without JavaScript, but then some features are disabled (search)
WebPW now also encrypts the username, description and file name of a password record. Therefore, v0.1.1 databases are not compatible with v0.2. Please export your passwords, create a new WebPW v0.2 installation and then re-import your passwords.
GNU General Public License - see LICENSE.txt
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; if not, write to: Free Software Foundation, Inc. 59 Temple Place - Suite 330 Boston, MA 02111-1307, USA.
This web application uses:
- parseCSV library, © 2014 Jim Myhrberg (MIT license)
- Slim framework, © 2011-2017 Josh Lockhart (MIT license)
- Twig template engine, © 2009-2017 the Twig Team (BSD 3-clause)
- illuminate/database toolkit, © Taylor Otwell (MIT license)
Found a bug? Great! Please report it (preferably with a ready-to-use fix for it ;-) ) on GitHub. Questions, ideas and feature requests are also welcome.
Please visit the GitHub page for more information.