Web based password safe with multi-language, multi-user and file upload support. Usernames, passwords and files are stored encrypted in a MySQL/MariaDB database.
- © 2017-2021 Georg Sieber, GPLv2 (see LICENSE.txt)
- using Slim Framework & Twig Template Engine
Store and view your passwords platform-independent with this PHP web application. Passwords are saved AES-encrypted in a MySQL database. You can create multiple vaults with different master passwords, e.g. for different departments in your company. Inside of vaults you can group password entries and search them.
Advantages over conventional password safe applications
- There is no database file which you need to share -for example- with your co-workers - this means that nobody (except the administrator) has access to the encrypted passwords. Attackers can't copy this file and run brute force attacks against it.
- You can safely store files with WebPW.
- It is not necessary to install or deploy any client software.
- You can create multiple vaults for different purposes or persons within one WebPW installation and MySQL database.
To set up this web app you need a database (MySQL, MariaDB) server and a Linux-based apache webserver running PHP 7.
- Set the applications
publicdirectory as your webservers root directory (if necessary, create a virtual host for this application on your webserver).
composer installinside the application root directory to install the dependencies.
- Create an empty database on your MySQL server. Then, edit
config/database.phpand enter your MySQL connection credentials.
- Ensure that
AllowOverride Allis set for your application directory in your apache configuration.
- Open a webbrowser and navigate to your WebPW installation. You will be redirected to
/setup. Follow the instructions on the page to create the database structure.
- Thats it. You can now log in on the "Manage Vaults" page with the management password you haven chosen in the previous step and create a vault. After that, you can open this newly created vault and store your passwords.
- (optional) You can set your preferred language as default language in
Recommendations for hardening your server
- It is highly recommended to use HTTPS instead of HTTP (except you are accessing the site only via localhost). Redirect all HTTP requests to HTTPS.
- Transfer the ownership of the application files to the web server user (www-data) and deny access for all other users.
- Use strong passwords for the linux root user (other users too) and mysql accounts.
- Ensure, that the database server only listens for requests from localhost (and not from other computers inside your network).
fail2banto limit brute force attacks.
- Do not install tools like
- Disable or uninstall the SSH server.
- Keep your server always up to date.
- Use an additional apache authentication for the application directory. If you use WebPW inside a company you can use apache's ldap authentication.
- Limit the access to the IP addresses that really need it.
- Chrome/Chromium, Firefox, Opera (both desktop and mobile)
- IE/Edge not tested yet
Update notes for v0.1.1 users
WebPW now also encrypts username, description and file name of a password record. Therefore, v0.1.1 databases are not compatible to v0.2. Please export your passwords, create a new WebPW v0.2 installation and then re-import your passwords.
GNU General Public License - see LICENSE.txt
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; if not, write to: Free Software Foundation, Inc. 59 Temple Place - Suite 330 Boston, MA 02111-1307, USA.
This web application uses:
© 2014 Jim Myhrberg (MIT license)
© 2011-2017 Josh Lockhart (MIT license)
Twig template engine
© 2009-2017 the Twig Team (BSD 3-clause)
© Taylor Otwell (MIT license)
Found a bug? Great! Please report it (preferably with a ready-to-use fix for it ;-) ) on GitHub. Questions, ideas and feature requests are also welcome.
ToDo and planned features
Please visit the GitHub page for more information.