webpwman
webpwman is an online password manager that reads security questions and passwords from JSON files. It comes with an import script which can parse KDE pwmanager files. It's released under the Affero GPL v3.
Download using svn: svn co https://www.maniacmartin.com/svn/webpwman
Alternatively, you can browse the repository and get an up-to-date tarball.
I made webpwman as I wanted to retrieve my passwords whilst on public terminals. If the terminal has snooping proxy servers or malware, the bad guys should only be able to get those passwords I retrieved during that session.
It is built on CherryPy and uses json for storage, so no database is needed.
Similar to many online banking sites, webpwman asks 3 security questions, and rotates these questions on successful login. It is designed to run behind Apache or another HTTP daemon that utilises SSL.
webpwman will ask for a master password on login. This is the key it uses to decrypt the actual passwords in its json files.
webpwman is a single-user application only, as I don't believe it is a good idea to let third parties know all of your passwords.
Disclaimer
By using webpwman, you do so at your own risk. If there is a chance that your server might be compromised, then it is not my problem. Nor do I guarantee that my application has no security holes.
To the fullest extent permitted by law, I take no responsibility for data compromises.
That said, passwords are AES encrypted, and questions' answers SHA hashed in the json files. If you do discover a security hole, I would really appreciate it if you emailed martin@maniacmartin.com so I can fix it in later versions.
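An added sketch (not webpwman's own code) of the question check described above: three questions per login, rotated on success, with answers stored hashed in JSON. The store layout, the function names and the use of salted PBKDF2-HMAC-SHA256 in place of a plain SHA hash are assumptions made for this example.

```python
import hashlib
import hmac
import json
import secrets

ITERATIONS = 100_000  # assumed work factor, not a webpwman setting

# Constructed sample data, not real questions or answers.
SAMPLE_QA = [("First pet?", "Rex"), ("Birth town?", "Leeds"),
             ("Favourite colour?", "Blue"), ("First school?", "Hill Road"),
             ("Mother's middle name?", "Ann"), ("First car?", "Mini")]

def hash_answer(answer, salt):
    # Fold case and whitespace so typing differences do not lock the owner out.
    text = " ".join(answer.lower().split()).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", text, salt, ITERATIONS).hex()

def make_store(qa_pairs):
    """Build the JSON-serialisable question store (hypothetical layout)."""
    questions = []
    for question, answer in qa_pairs:
        salt = secrets.token_bytes(16)  # per-answer salt defeats precomputed tables
        questions.append({"q": question, "salt": salt.hex(),
                          "hash": hash_answer(answer, salt)})
    return {"next": 0, "questions": questions}

def current_questions(store, count=3):
    """Indexes of the questions to ask at this login."""
    total = len(store["questions"])
    return [(store["next"] + i) % total for i in range(count)]

def check_login(store, answers, count=3):
    """answers maps question index -> typed answer; rotates only on success."""
    ok = True
    for idx in current_questions(store, count):
        entry = store["questions"][idx]
        candidate = hash_answer(answers.get(idx, ""), bytes.fromhex(entry["salt"]))
        # Compare every answer in constant time so a failed login does not
        # reveal which of the answers was wrong.
        ok &= hmac.compare_digest(candidate, entry["hash"])
    if ok:
        # Move on so answers captured in this session are not asked next time.
        store["next"] = (store["next"] + count) % len(store["questions"])
    return ok

if __name__ == "__main__":
    store = json.loads(json.dumps(make_store(SAMPLE_QA)))  # JSON round trip
    print(check_login(store, {0: "rex", 1: " LEEDS ", 2: "blue"}), current_questions(store))
```

Security answers are usually low-entropy, so the salt and iteration count matter more here than they would for a random master password.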
Installation
1. Install dependencies
webpwman depends on CherryPy, python-json and python-crypto. Debian's repos have CherryPy 2.2.1, which is too old, so do:
    sudo aptitude install python-setuptools python-json python-crypto
    sudo easy_install cherrypy
Ubuntu is fine though:
    sudo aptitude install python-cherrypy python-json python-crypto
I'm afraid I can't help with other distros.

2. Check out the latest version of webpwman
Then cd to a folder outside of your www root folder, and:
    svn co https://www.maniacmartin.com/svn/webpwman webpwman

3. Generate security questions
    cd webpwman
    python importer.py --questions
Note that you will need to reload Apache/restart webpwman if you regenerate questions later, as the application caches them.

4. Copy KDE pwmanager passwords
Since you might do this often, webpwman does not cache this file. In KDE pwmanager, File > Export > as csv. Then copy the csv to your server, e.g.
    scp passwords.csv user@server:/home/user/webpwman/
Then import to json:
    webpwman passwords.csv
The CSV is NOT encrypted, so wipe it!
    rm passwords.csv
You might also consider doing the conversion to encrypted json on your local machine for security reasons.

5. Edit your httpd conf
Accessing directly via http://hostname:8051/ is a bad idea, as there's no SSL. The various ways to run it behind an httpd are described at http://tools.cherrypy.org/wiki/BehindApache
When I wrote this documentation, I used fastcgi with lighttpd, and found the instructions a bit unclear, so I'll post an extract from my /etc/lighttpd/conf-enabled/webpwman.conf:
    $HTTP["host"] =~ "passwords\.maniacmartin\.com" {
        fastcgi.server = (
            "/" => (
                "script.fcgi" => (
                    "bin-path" => "/home/martin/webpwman/webpwman.py --fastcgi",
                    "socket" => "/tmp/webpwman.sock",
                    "check-local" => "disable",
                    "disable-time" => 1,
                    "min-procs" => 1,
                    "max-procs" => 1, # adjust as needed
                ),
            ),
        )
    }

6. Reload your httpd (and start webpwman if you're using mod_rewrite on Apache)
If using lighttpd with fastcgi on Debian/Ubuntu, type:
    sudo /etc/init.d/lighttpd restart
Lighttpd will start webpwman as a subprocess automatically, and kill it when you stop lighttpd.

7. If necessary, make DNS entries



