I have been searching for a decent password manager for ages. Ideally I’d love to be able to use Network password manager as from using that in work I know that it’s a really small and fast application that integrates with Active Directory easily and provides some really nice search functionality. I was looking for something that would accept authentication from multiple users and would also store license files. Network password manager is really the best option. The problem is, it’s far too expensive to justify the cost.
When I couldn’t find a decent installable application that I could access from any Windows PC that will access passwords from a central location I started to look for web-based applications. There are some great applications out there but none of them were secure enough or provided the right level of encryption. Passwords, even if they’re just for websites, are probably your most important asset when you’re online a lot.
After a bit of digging I found PHPPasswordManager and USB password manager. I was almost willing to consider having to bring a pen drive everywhere with the USB password manager on it but knew that at some stage I wouldn’t have it with me when I needed it most. PHPPasswordManager seemed to be the best bet. It didn’t have everything I wanted but it was simple, lightweight and fast and it wouldn’t take all that long to get running.
In the end, I decided to go with PHP Password Manager as it encrypts passwords before sending them to or from the server and the user interface is very clean. It required a bit of work though.
I have customized this web application extensively in a very short time so that the interface provides the information I want at the top, the help information at the end of every page is hidden and only shown if or when I want it and I’ve replaced some of the buttons such as configure and add with links to make it easier to jump to them very quickly.
Most importantly, after installing the PHPPasswordManager, I found that its authentication wasn’t as good as I thought it was going to be. When a user visited the URL they could see all of the accounts that had passwords associated with them. This isn’t all that bad. With some cryptic names it could be hard to determine what systems the passwords were for and of course, the passwords can only be unlocked with the master password; however, this was still a concern. So, I have password protected the directory that this site is in and I only accept logins from one account. These details are sent using Digest authentication to add more security.
The following summarises the steps I used to install PHPPasswordManager:
- Download the .gz archive to your Linux box by visiting the URL:
- Extract the archive using
tar xzvf phppassmanager*
when in the directory containing the downloaded file.
- Navigate to the install directory:
- Create the database:
echo "create database passwordmanagement" | mysql -u username --password=password
Replace the username and password with those of an account that has the required privileges to add databases.
- Add the tables into the database:
mysql -u username --password=password passwordmanagement < tables.sql
Again, replace the username and password.
- Using phpMyAdmin, create a new account and give it access to the database we have just created.
- Edit config.php and change the username, password and database to provide the information you have just added.
Create a new virtual directory for this. You can most likely paste the following into /etc/apache2/sites-available/default
Alias /passwords "/home/web/phppassmanager/"
<Directory "/home/web/phppassmanager/">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride AuthConfig
    Order allow,deny
    Allow from all
</Directory>
Obviously, it goes without saying that you will need to change the paths etc. in this to reflect the structure of your file system.
Now reload your Apache2 config.
Navigate to yourdomain/passwords in your browser.
The password manager should be shown.
Now, let’s harden the configuration a little bit.
- Within /home/web/phppassmanager, or wherever you have left this directory, you will see a directory called install. Rename this to TMPinstall. This can be deleted at a later date. Leave it there for the moment in case you need it in the upcoming days.
- Now, let’s password protect the directory.
htdigest -c /etc/apache-passwords "Restricted Files" YourUsername
Replace YourUsername with whatever name you want to log in with. Digest authentication needs a password file created with htdigest (not htpasswd), and the realm given here must match the AuthName used in the .htaccess file.
You will be asked to enter your password twice.
- Enable the Auth_digest module:
- Restart Apache2.
- Use nano or your favourite text editor to create a .htaccess file:
Remember to change the path to reflect your own setup.
- Paste the following lines. Take care to change the path to the password file and change the username as well.
AuthType Digest
AuthName "Restricted Files"
AuthUserFile /etc/apache-passwords
Require user YourUsername
That’s all there is to it.
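As an added example (not part of PHPPasswordManager or the original post), the shell function below audits the result of the hardening steps: the installer directory is gone, .htaccess asks for Digest authentication, and the password file sits outside the web directory, is not world-readable and holds htdigest entries for the realm named in AuthName. The function name audit_passmanager is hypothetical, and it assumes the .htaccess and password file layout described above.

```shell
#!/bin/sh
# Added example: audit a PHPPasswordManager directory after the hardening steps.
# Usage: audit_passmanager WEBDIR PWFILE   (prints findings, returns 1 if any)
audit_passmanager() {
    webdir=${1%/}; pwfile=$2; findings=0; realm=""
    note() { echo "FINDING: $1"; findings=$((findings + 1)); }

    # The installer should no longer be reachable under its original name.
    if [ -d "$webdir/install" ]; then note "install/ directory still present"; fi

    ht="$webdir/.htaccess"
    if [ -f "$ht" ]; then
        grep -Eq '^[[:space:]]*AuthType[[:space:]]+Digest' "$ht" ||
            note "AuthType is not Digest"
        grep -Eq '^[[:space:]]*Require[[:space:]]+user[[:space:]]' "$ht" ||
            note "no 'Require user' line"
        # Realm = AuthName value with optional surrounding quotes removed.
        realm=$(sed -n 's/^[[:space:]]*AuthName[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$ht" | head -n 1)
    else
        note "no .htaccess in $webdir"
    fi

    if [ ! -f "$pwfile" ]; then
        note "password file $pwfile not found"
    else
        # A password file served by Apache could be downloaded and cracked offline.
        case "$pwfile" in "$webdir"/*) note "password file is inside the web directory" ;; esac
        if [ -n "$(find "$pwfile" -perm -004)" ]; then note "password file is world-readable"; fi
        # mod_auth_digest expects user:realm:md5hex; htpasswd writes user:hash.
        bad=$(awk -F: -v r="$realm" \
            'NF != 3 || $2 != r || $3 !~ /^[0-9a-f]+$/ || length($3) != 32 { n++ } END { print n + 0 }' "$pwfile")
        if [ "$bad" -gt 0 ]; then note "$bad entries are not htdigest entries for realm '$realm'"; fi
    fi

    [ "$findings" -eq 0 ]
}

# Run directly: sh audit.sh /home/web/phppassmanager /etc/apache-passwords
if [ "$#" -eq 2 ]; then audit_passmanager "$1" "$2"; fi
```

A clean run prints nothing and exits 0, so the check can be repeated after any later change to the Apache configuration.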
Go to the configure button and start making groups.
It’s all very easy after that.
This setup has a major limitation. It doesn’t allow for multi-user environments but for what I need right now, it will do… Just about.