Homework Web Programming: Store secure Passwords

Subject

The students will carry out a small PHP project for the Web Programming course. This project will be done in groups of two students. If a class contains an odd number of students, one student can find a colleague in another class or do the project alone.
We want to provide a platform for generating and storing passwords in an online tool. The idea is that users need a safe to store all their passwords. They only need to remember one single password and can then access all of them.
Your system will provide a way for a user to log in to the system. The password for the system should be stored hashed and salted inside the database. You will then use this secret password (stored inside the session, but not in the database) to encrypt all other passwords, so that the database administrator has no possibility of seeing any of the passwords.

What you have to do

TO DO

You have to write a PHP-program for a user
  • A person can register inside the system as a new user (giving just a username and a password)
  • The system must allow a user to log-in and change his or her password (for your application).
  • A user can see a list of all the accounts he / she has
  • An account can be opened, and its password is then displayed
  • One can create a new account having at least the following properties: title, web site, username, password. At least the password must be encrypted with the user's password or another secret key.
  • One can edit or remove an existing account
    You have to provide a "password generator" that produces randomly generated passwords.

NOT TO DO

You do not need to reinvent the wheel; moreover, cryptography is quite complicated. So you will use a library for cryptography.
The OpenSSL library is already included in XAMPP: PHP Manual OpenSSL library
Simple example of use (source)
In the previous example, we use the password to encrypt the secret. You can use the user's password (for your own application) to encrypt all the other passwords. Be careful to update all the stored passwords when the user changes his or her own password for your application.
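A sketch of the whole scheme, added here and not the course's original example: the login password is stored as a salted hash, an encryption key is derived from it and kept only in the session, and every stored secret is re-encrypted when the login password changes. It assumes PHP 7.1+ with the OpenSSL extension; the function names, the iteration count and the sample values are assumptions.

```php
<?php
// Added example: names, iteration count and sample values are assumptions.
const KDF_ITERATIONS = 200000; // assumed work factor, tune for your server

// Derive a 256-bit encryption key from the login password (PBKDF2-HMAC-SHA256).
function deriveKey(string $password, string $salt): string {
    return hash_pbkdf2('sha256', $password, $salt, KDF_ITERATIONS, 32, true);
}

// Encrypt one account password with AES-256-GCM; output is base64(iv | tag | ciphertext).
function encryptSecret(string $plaintext, string $key): string {
    $iv = random_bytes(12); // fresh nonce for every encryption
    $ciphertext = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return base64_encode($iv . $tag . $ciphertext);
}

// Returns the plaintext, or false if the key is wrong or the stored data was modified.
function decryptSecret(string $stored, string $key) {
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < 28) { // 12-byte iv + 16-byte tag
        return false;
    }
    return openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $key, OPENSSL_RAW_DATA, substr($raw, 0, 12), substr($raw, 12, 16));
}

// Password change: decrypt every stored secret with the old key, encrypt it with the new one.
function reencryptAll(array $storedSecrets, string $oldKey, string $newKey): array {
    $result = [];
    foreach ($storedSecrets as $id => $stored) {
        $plain = decryptSecret($stored, $oldKey);
        if ($plain === false) {
            throw new RuntimeException("Cannot decrypt account $id, aborting password change");
        }
        $result[$id] = encryptSecret($plain, $newKey);
    }
    return $result; // write back to the database in one transaction
}

// --- Constructed demo data ---
$loginHash = password_hash('old master password', PASSWORD_DEFAULT); // stored in DB (salted hash)
$kdfSalt = random_bytes(16);                                         // stored in DB, not secret
$oldKey = deriveKey('old master password', $kdfSalt);                // kept in the session only
$vault = [1 => encryptSecret('mail-P@ss', $oldKey), 2 => encryptSecret('bank-P@ss', $oldKey)];

// The user changes the login password: new hash, new key, re-encrypted vault.
$newKey = deriveKey('new master password', $kdfSalt);
$vault = reencryptAll($vault, $oldKey, $newKey);
$loginHash = password_hash('new master password', PASSWORD_DEFAULT);
var_dump(decryptSecret($vault[1], $newKey), decryptSecret($vault[1], $oldKey));
```

The database only ever holds `$loginHash`, `$kdfSalt` and the base64 blobs in `$vault`, none of which lets the administrator recover an account password without the user's login password.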

Question Session

The professor will be available for a question session on Tuesday the 29th of April 2014.

Report

You have to give:
  • a small report (max 5 pages) explaining your architecture. You will present the structure of your program (a class diagram if needed) and the interesting points in your work. This report will start from a very general presentation and then give more detail; it does not need to go deep into details. You have to "sell" your project to the reader.
  • Source code of your project. This code MUST contain comments. The names of variables, classes and methods have to be readable (no $l1, $l2, $a3).
  • I pay particular attention to a good separation of the layers: HTML/PHP/SQL.
  • Online access to the project for testing. For those who do not have such a server: on the day of the deadline (Tuesday June 3, 2014), the students can bring their laptops and the professor will test all the projects. Students will start the servers on their laptops, open the firewalls, and the professor will connect to the servers using his machine.
  • You must fill out the information at the top of the following document (your names, the site URL address plus the usernames and passwords of two users) and hand it to me together with the report by the day of the deadline. Both documents must be delivered in paper form.
    Evaluation Form
  • Deadline: Tuesday 3rd June 2014