E-ZeePass: A web based username and password hash

Cadrian Chan, cadrianchan@gmail.com, and Liwen Zhang, lz6@cec.wustl.edu
(A project report written under the guidance of Prof. Raj Jain)
http://www.cse.wustl.edu/~jain/cse571-09/ftp/ezpass/index.html

Abstract

Internet users use different login passwords to protect against the vulnerability of having one password for all existing accounts. Managing multiple passwords is often troublesome and even insecure for users who do not handle their passwords well. E-ZeePass is a web based username and password hash service. It helps users by requiring them to remember a single master password, which generates different secure passwords for different login accounts by secure hashing algorithms. Passwords generated for different web addresses will be unique, while the ones generated within the same domain will be identical for each login site. The goal of this project is to provide a convenient password management system for users, even when they are communicating across public networks. Users can be assured of the security of our website by the Secure Sockets Layer (SSL) cryptographic protocol.

Keywords: Password management, hash, encryption, security, MD5, SHA, web application, tools

Description: A web based password management system facilitating users by requiring them to remember a single master password which generates different secure passwords for different login accounts by secure hashing algorithms.

Table of Contents

1 Introduction
  1.1 Theory
  1.2 Hash Algorithm
  1.3 Project Features
  1.4 Password Concepts
2 Project Organization
  2.1 Software Process Model
  2.2 Environment and Tools
3 Project Management Plan
  3.1 Tasks
  3.2 Milestone
  3.3 Resource Needed
  3.4 Users Concerns and Solutions
  3.5 Timeline
4 User Manual
  4.1 User Requirements
  4.2 Procedures
5 Summary and Future Improvements
  5.1 Summary
  5.2 Future Improvements
  5.3 Related Products
References
User Manual and Source Code
Acronyms

1 Introduction

Internet users often have different login passwords to protect against the vulnerability of having one password for all existing accounts. This is recommended because when a user's password from a less secured site is compromised, other accounts will be in danger of being compromised as well if all the login passwords are the same. However, writing down your passwords, let alone different usernames, or encrypting them in some secure files is not very secure, and people try to recite the passwords in their minds and forget about them later. Some open new accounts every time they revisit the site, thus wasting resources. Putting a file of passwords in a computer is also inconvenient when you are using public computers away from your own machine.

As a solution, we provide you with E-ZeePass, a web based username and password hash. A user only needs to remember one single password and paste the address of the login page into our program. We provide a hashed password from the two inputs, and the hashed value is different every time with different login addresses. Passwords generated for the same domain will be identical for each login site. In addition, users have the capability to choose the length of the passwords they desire. The goal of this project is to provide a convenient password management system for users, even when they are using public computers.

Figure 1: Logging in user account using E-ZeePass

1.1 Theory

The main propellant of our project is the secure hash algorithms that are used to generate our hashed passwords and user names. We have implemented 7 hash algorithms, including 2 which are our own and 5 which are modified from industry standards:

- Message Digest algorithm 5 (MD5)
- Secure Hash Algorithm (SHA)-1
- SHA-256
- SHA-384
- SHA-512

In this class project, we have decided to use four of these algorithms, two for both the hashed passwords and hashed usernames. They are MD5, SHA-1, SHA-384 and SHA-512. The four chosen algorithms are all industry standards, so users can rest assured the provided hashed outputs are safe and non-reversible.

There are two inputs to each hash algorithm: the desired login address and the master password. We concatenate these two inputs and feed the result into the chosen algorithm. The output is a non-reversible hashed value. From this value, we extract the output hash for the user according to their desired length of password characters. As we mentioned above, the user can choose their desired hash algorithm, and the hashed password will be available to the user with an extra option of a hashed user name.

Figure 2: Flow diagram of hashed password generation

In addition, for the user's convenience, we have a function which lets a user navigate to his desired login website within our iframe. This is made possible because the domain name of the web address input is recorded while the user enters his desired login address.

1.2 Hash Algorithms

A hash algorithm is a function that takes inputs and converts them into a fixed-size bit string, which is called the cryptographic hash value or message digest. There are several properties of hash algorithms which make them ideal to use with our service [Kaufmann02]:

1. It is easy to compute the hash value from any given inputs.
2. It is a one-way function, for which it is not practical to figure out what input corresponds to a given output.
3. It is computationally infeasible to find a message that has a given pre-specified message digest.
4. It is computationally infeasible to find two messages that have the same message digest.

The four hash algorithms chosen for implementation in our website are all industry standards and are cryptographically secure. In addition, through the use of hash algorithms, the output hash passwords generated are random enough for security concerns.

1.3 Project Features

The project will be implemented using Microsoft Active Server Pages .NET (ASP.NET) technology with the Visual Basic .NET (VB.NET) language.

- Basic Functionalities: User remembers one master password for logging into different websites using different hashed passwords. The per-website password is the output of a secure hash algorithm using the master password and the web address as inputs. Passwords generated for the same domain will be identical for each login site.
- Portability: web based service allows users to access our service on the go.
- Variable password length
- Security
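
The derivation described in sections 1.1 and 1.3, written out as added Python example code; it is not the project's VB.NET source. The concatenation order, the base64 output encoding, the handling of a leading "www." and the PBKDF2 variant are assumptions made here, since the report does not specify them.

```python
import base64
import hashlib
from urllib.parse import urlsplit

# The four algorithms the report selects for its service.
ALGORITHMS = {"MD5": "md5", "SHA-1": "sha1", "SHA-384": "sha384", "SHA-512": "sha512"}


def site_key(login_address: str) -> str:
    """Reduce a login URL to its host so all pages of one site share a password."""
    if "//" not in login_address:          # accept "example.com/login" as well
        login_address = "//" + login_address
    host = urlsplit(login_address).hostname   # lower-cased, port removed
    if not host:
        raise ValueError("no host in login address")
    # Assumption: drop a leading "www." so both spellings map to one key.
    return host[4:] if host.startswith("www.") else host


def _to_password(digest: bytes, length: int) -> str:
    # Assumption: base64 text of the digest, cut to the requested length.
    text = base64.b64encode(digest).decode("ascii").rstrip("=")
    if not 1 <= length <= len(text):
        raise ValueError(f"length must be between 1 and {len(text)}")
    return text[:length]


def derive_password(login_address, master, algorithm="SHA-512", length=16):
    """Scheme from section 1.1: hash(address + master), then truncate."""
    data = (site_key(login_address) + master).encode("utf-8")
    return _to_password(hashlib.new(ALGORITHMS[algorithm], data).digest(), length)


def derive_password_stretched(login_address, master, length=16, rounds=200_000):
    """Addition to the report's design: PBKDF2-HMAC-SHA512, site key as salt."""
    salt = site_key(login_address).encode("utf-8")
    digest = hashlib.pbkdf2_hmac("sha512", master.encode("utf-8"), salt, rounds)
    return _to_password(digest, length)


if __name__ == "__main__":
    master = "constructed master phrase"   # constructed sample input
    for url in ("https://www.example.com/login", "example.com/account",
                "https://example.org/"):
        print(url, derive_password(url, master), derive_password_stretched(url, master))
```

The stretched variant is included because a single MD5 or SHA pass is cheap to compute, so the strength of every derived password rests on the entropy of the master password alone; an iterated key derivation function raises the cost of each guess.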