zeruniverse / password-manager Goto Github PK

I make a backup, do the restore routine and save the file raw_pass.txt - all in version 8.01.
When I reimport this file into the new version I get

aes.js:10 Uncaught Error: Malformed UTF-8
 dataw.Utf8.stringify @ aes.js:10
 decryptchar @ password.js:93
 process @ password.php:344

if I try again in the same window I additionally get

one of account or password empty! will continue to process other accounts, check back after this finished

and afterwards the same error.

In document.ready we set it up so that on every resize the DataTable gets reinitiated:

$( window ).resize(function() {
  if(datatablestatus!=null){
      datatablestatus.destroy();
      datatablestatus=$("#pwdlist").DataTable({ordering:false, info:true, "lengthMenu": [ [10, 25, 50, 100, 200, -1], [10, 25, 50, 100, 200, "All"] ] });
  }
});

Is this necessary? I just deleted it on my test installation and everything worked fine when resizing, even hiding the tags when there isn't enough space works.
If there is a reason maybe datatablestatus.draw() is enough?

Displays like this...

1. Implement PBKDF2.
2. Confused algorithm -> do not totally rely on AES.
3. Split user password into 2 parts.
4. Part1 + AES +username -> encrypted username.
5. Part2 + PBKDF2 + username signiture + PBKDF2 -> confusion alphabet
6. account password + confusion alphabet -> temp password
7. temp password + Part1 + AES -> encrypted password

This method ensures that even AES private key leaks, the attacker still can't get the correspondence of the letters (Alphabet needs part2 which has information not in part1).

It would be great if ...

1. Tag cloud filter and search field would be combining each other with and
2. if we could enter more than one word in the search box which are then used also with and when filtering.

May be for login, add security verifying. Pass a random timestamp and ask for sha512(pass,timestamp)

Looing at the password.js the
getpwd function is shown hsers like this:

function getpwd(charlist,plength) {
　　var maxPos = charlist.length;
　　var pwd = '';
var i;
　　for (i = 0; i < parseInt(plength); i++) {
　　　　pwd += charlist.charAt(Math.floor(Math.random() * maxPos));
　　}
　　return pwd;
}

strange....

I think there is need of a upgrade routine(when possible).
If there is more than one user it's not feasible to ask everyone to backup and then reimport their data. Someone would be left behind and loose his data.

What do you think about being able to switch (in the config.php) to an administrative mode.
Then jumpto into the signup process right away if no user is present and give him some sort of admin flag.

Then you could provide some ability to delete or lock users.
Also I think the administrator should be able to forbid the self sign-up and just create accounts manually.

Is there an option to disable all the saved and updated javascript message boxes?
I have to go through 400 account records now and I'd find it much nicer to have a simple
bootstrap message banner below the menu for this kind of messages.

How about moving the export to csv function to recover.php to discourage users from having plain-text backups?

If you want to keep the csv export in the main interface I'd suggest merging it into the backup dialog. Semantically that's the place it should be.

I can see the "Show Tags" button but there's no function behind it.

Maybe it would be better to just leave it always visible (left of the menu button with the mobile view).

For current master branch, sometimes after importing or adding entries, the datatable does not work. Either nothing shows up or a table in bootstrap style shows up (no datatable addons). This happens frequently after importing accounts into password-manager.

I've deployed the current master branch on test website. And I can simply reproduce this bug in Chromium in Linux.

I suspect this bug might be related to datatable operations after importing/adding accounts. An easy fix might be just reverting back to my implementation of datatable on those events (i.e. destroy and reconstruct datatable each time it changes).

See above picture. When window size is slightly larger than (kind of) device size for a phone, the navbar dropdown becomes weird.

Therefore I suggest to add a way to group items by the first tag defined (which would be easy and convenient)

btw. the tag cloud seems to have vanished completely. why is that?

<thead>
    <tr role="row"><th class="sorting_disabled" rowspan="1" colspan="1" style="width: 0px;">Account</th><th class="usercell hidden-xs field">Username</th><th class="sorting_disabled" rowspan="1" colspan="1" style="width: 0px;">Password</th><th class="urlcell hidden field">URL</th><iframe id="tmp_downloadhelper_iframe" style="display: none;"></iframe></tr>
    </thead>

Above is the HTML code from firefox. The 0px width causes problems. Table only took a very small part of space on the left side. I tried it on Chrome, the code is the same. But Chrome is somehow smart enough to recognize it's an error. We definitely need to fix this.

BTW, I didn't see this bug when I first implement DataTables.

I suggest just packing a config_template.php and telling the users to copy/setup a config.php when running for the first time and no config.php is found. This would make updates more easy to handle.

I think this function should be hidden if the device is not trusted.

I created one user and successfully logged in.
Then I created a pin.
Logout
Then I tried to login, but failed (with the password) and there was no obvious way to enter the pin.
After creating several new users there was still no way of logging in.

Implementations of tags and urls,... is sufficiently far to talk about layout.
At the moment it looks like this

Empty columns are being hidden. So if you don't need one type of field you just ignore it.
All Columns but account, username and password are hidden when in mobile mode.

I want to add a button for editing an account and a button for opening the url associated with an account.

What do you think is the most intuitive position for them?
My idea is to open the url when clicking on the account name. Add a little settings button after the account name. But maybe those two "clickables" are to near together for mobile.

I'd further move the regeneration of passwords and the removal of accounts into the editing dialog.

Disable direct push to master branch.

CI-pass required before merging into master

I think to check if the json data is valid it shouldn't be
if(json.status!="RAW_OK")
but
if(json.status!="OK")
at least that's what chrome is showing.

@BenjaminHae

As thanks to your significant contribution to this project, I'll list you as a co-owner of the copyright.

If you insert a linebreak when customizing fields the javascript code can't be executed because there will be a linebreak in a string literal.

I mean for for number of entries shown

After adding one account (entry), the input fields such as account (Item) are not cleared. Since we use ajax instead of reloading, the account name we just inputed will show up if we click add entry again. Don't know if it should be a bug or not.

can be reproduced here. http://phppasswordmanager.sourceforge.net/

Hi @BenjaminHae

I took a look at your new commits and it seems you try to add pagination support (LN 545 in password.php) but there's no pagination yet.

From the first look, I think it's not hard to add pagination but it seems the search / cloud filter features will be undermined if we do this. I think cloud filter and search should be global, and therefore my first thought is to make a big table where you put everything and maintain a attribute (let's say visible-id) for each <tr>. Normally, visible-id will be same as id (1,2,3...). But when a filter / search is enabled, every entry filtered out will have visible-id as -1 and then you sort other entries by their original id, small to big. So you can then show entry with visible-id 1 to N if user wants page 1 or N to 2N if user wants page 2...

Please let me know what you think about this implementation.

... and to close together

Mail adresses may change. So I think It's necessary to let the user change his adress and maybe even his username.

-> Why don't you just use the mailadress for login? Mail adresses are unique - but user names are not. And it would simplify things.

I played around with the info view - I think it's better readable this way.
Hope you like it:

I changed the field type from textbox to 'label' for this:

function showdetail(index){
    var i=parseInt(index);
    var x,s;
    s='<b>'+accountarray[i]["name"]+'</b><br><br>\n';
    s=s+'<table style="width: 100%" font color="#ff0000">';
    s=s+'<col width="90"><col width="auto">';
    for (x in accountarray[i]["other"]) s=s+'<tr><td><font color="#afafaf"><style="font-weight: normal;">'+x+'</td><td><font color="#6d6d6d"><b>'+accountarray[i]["other"][x]+'<b></td></tr>';
    s=s+'</table>';
    $('#details').html(s);
    $("#showdetails").modal("show");
}

Just a tiny visual tweak:

function echofooter()
{
echo '<footer class="footer navbar-fixed-bottom">

I really suggest that the password generation button is only visible if the password field is empty.
It's too easy to accidentially press the button.

I just stumbled upon your little project. Nice !

I'd like to make some suggestions though which seem rather important to me.

1. Every account needs a text field for write down a description.
2. Also I would suggest another text field with a possible http link
3. The password field itself should be multiline. Mostly I have to remember more than just a
   password: like 'loginname', 'customer ID', 'a passwort', 'a pin' and so on.
   So I think a simple multiline text field should be enough to make all that possible.
4. Last but not least I think there should be a switch per account to enable/disable the 'Generate new passwort' option. Accounts can have predefined passwords. Ex: Provider passwords which cannot be changed by the user. You would prevent dire mistakes this way.

What can I change without destroying anything.
I mean wouldn't it be advisable not to let the user play with the taq field.

Being able to add a some custom fields is exactly what I need.
But I don't want to mess things up in an existing database.

We're on a server with limited Mysql databases.

Also it would be great to be able to run the site with just php -S which seems to work perfectly except the current need for mysql. Is it difficult to use Sqlite instead.

I suggest for such a database with only a few tables and few - one tiny sqlite database
per registered user would be very handy solution.

Run in Chrome but fail in IE edge.

SCRIPT1006: Expected ')'

UTF8 encoded CSV file can't open correctly in Microsoft office. It supports ANSI by default. Similarly, ANSI encoded CSV might cause problem in password manager. (Though for English, they are same)

See whether it works correctly. Seems it does not play any role in current version, which is weird

This tool might be useful: https://blog.zhengxianjun.com/online-tool/crypto/aes/

• PIN in trusted computer implementation in README TODO
• search
• fix the new fields feature
  implement recovery
  Implement import function so that it's compatible with previous version. (I.e allow no fields column in JSON)

The button disabled is not re-enabled.

It seems that the login takes considerable more time after we entered 150 accounts.
Is this because the passwords are decrypted when loading?

If so, then I suggest decryption should happen when I need to view a certain password and press the button.

I know I suggested this before, but I'd like to do it anyway :)

My suggestion is to get rid of the mysql database and work purely on flat files. One file for each password entry. At least as an alternative to the current way.

Three advantages:

1. Completely portable even when carrying around on a usb stick. We could even run the whole thing with the simplest PHP internal server. (PHP -S)
2. Moving the whole system and backing up will be extremely easy since we'd only have to zip the complete folder.
3. Many users have a limited amount of mysql databases. It'll give them a chance to use password manager anyway.

Since a typical password database does probably not contain more than few hundred entries speed will be of no concern either.

It seems we've finished pretty much what's planned. It's time to have a long-term stable release and slow down development pace. But we do need to have a system test before such a release

@BenjaminHae could you help with the test? I think you're currently running the HEAD of master branch.

Since the removal of the pin I can't log in anymore.

Steps to reproduce

1. Sign up
2. Try to login

=> Wrong Password Error

What about if there was an option to upload an image additionally to a password entry.
On mobiles this could trigger the 'select photo/make picture' function. (This happens by default for image uploads on newer phones as far as I know.)

Typical usage would be a very quick way to add simple entries for cards with lots of stuff written on it like certain 'membership cards' or even an id card.