PwManager README
================

copyright (C) 2003, 2004 by
	Michael Buesch <mbuesch@freenet.de>
http://passwordmanager.sourceforge.net/
http://www.tuxsoft.de.vu


Did you ever forget a password? I did. :)
Then I started to search for a good password manager,
but I didn't find one that fit my needs.
So I decided to write a new one from scratch.
So here it is.
Have fun with it.


Requirements:
-------------

You need at least
o  kdelibs 3.1
o  Qt 3.1
o  libbzip2
o  libz
to compile and run PwManager.


Features: (incomplete list)
---------------------------

o  Manage passwords the convenient way with the
   support of password categories, five information
   columns and an additional comment field.
o  Locking mechanism to prevent strangers from looking
   at your passwords while you are away and not
   using PwManager.
o  Deep-Locking mechanism to encrypt all
   security-critical data, write it to disk and delete
   it in memory. This enables you to enjoy maximum
   security with almost no loss of usability.
o  KWallet emulation
o  A fairly good searching and sorting mechanism to
   find entries very fast.
o  Chipcard (smartcard) interface. With the chipcard
   you can replace the "master-password" to easily
   access all your passwords with a "key-card".
o  Printing support to easily print out a complete
   list of all your passwords
o  System-Tray (kicker) icon to enable the user to
   access PwManager very fast.
o  GPasman and KPasman interface to import and export
   your data to and from these file formats.
o  PwG (Password Generator) interface to generate new
   secure passwords.

Security note:
--------------
The encryption algorithms PwManager uses are said
to be unbreakable these days. So if you select a
good master-password, nobody should be able to decrypt
the password list without the password.

But there is another side that I want to note, too.
A problem of _every_ password-managing and
password-handling software is information leakage.
Let me explain that.

Once you have loaded a password list, this list
has to be stored unencrypted somewhere in memory.
This is the first information-leakage point.

A second point is the swapping behaviour of your
operating system. If the operating system pages out
exactly the memory page the decrypted list is stored
in, it is written unencrypted to the harddisk and
might survive there for some time.

The third point is the printing feature of PwManager.
While printing, the passwords are sent unencrypted to
the printing system on your computer. The critical
point here is how the printing system handles this
information. It may or may not write it temporarily
somewhere to the harddisk or somewhere in memory,
accessible by every user.

Someone might argue that using DCOP with a password
manager is braindead. Yea, it might be. :) But for
this reason the DCOP interface is disabled by
default and you must explicitly enable it to use it
(in the configure menu).

These security notes are not here to make you
think PwManager is unsafe. Just the opposite is true,
because these are all very theoretical
information-leakage points.
On normal systems, these points are mostly
not relevant and can be ignored.
