E-ZeePass: A web-based username and password hashCadrian Chan, [email protected] and Liwen Zhang, [email protected] (A project report writtenunder the guidance of Prof. Raj Jain)DownloadAbstractInternet users use different login passwords to prevent against the vulnerability of having one password for all existing accounts. Managing multiplepasswords is often troublesome and even insecure for users who do not handle their passwords well. E-ZeePass is a web based username and password hashservice. It facilitates users by requiring them to remember a single master password, which generates different secure passwords for different login accountsby secure hashing algorithms. Passwords generated for different web addresses will be unique, while the ones generated within same domain will beidentical for each login site. The goal of this project is to provide a convenient password management system for users even when they are communicatingacross public networks. Users can be assured of the security of our website by the Secure Sockets Layer (SSL) cryptographic protocol.KeywordsPassword management, hash, encryption, security, MD5, SHA, web application, toolsDescription A web based password management system facilitating users by requiring them to remember a single master password, which generates different securepasswords for different login accounts by secure hashing algorithms.Table of Contents1 Introduction1.1 Theory1.2 Hash Algorithm1.3 Project Features1.4 Password Concepts2 Project Organization2.1 Software Process Model2.2 Environment and Tools3 Project Management Plan3.1 Tasks3.2 Milestone3.3 Resource Needed3.4 Users' Concerns and Solutions3.5 Timeline4 User Manual4.1 User Requirements4.2 Procedures5 Summary and Future Improvements5.1 Summary5.2 Future Improvements5.3 Related ProductsReferencesUser Manual and Source CodeAcronyms1 IntroductionInternet users often have different login passwords to prevent against the vulnerability of having one password for all existing accounts. This isrecommended because when a user's password from a less secured site is compromised, other accounts will be in danger of being compromised as well if allthe login passwords are the same. However, writing down your passwords (let alone different usernames) or encrypting them in some "secure" files is notvery secure, and people try to recite the passwords in their minds and forget about them later. Some open new accounts every time they revisit the site thuswasting resources. Putting a file of passwords in a computer is also inconvenient when you are using public computers away from your own machine. As asolution, we provide you with E-ZeePass, a web based username and password hash. A user only needs to remember one single password, and paste theaddress of the login page to our program. We provide a hashed password from the two inputs, and the hashed value is different every time with differentlogin addresses. Passwords generated for the same domain will be identical for each login site. In addition, users have the capability to choose the length ofE-ZeePass: A web-based username and password hashhttp://www.cse.wustl.edu/~jain/cse571-09/ftp/ezpass/index.html 1 of 11the passwords they desire. The goal of this project is to provide a convenient password management system for users even when they are using publiccomputers.Figure 1 Logging in user account using E-ZeePass1.1 TheoryThe main propellant of our project is the secure hash algorithms that are used to generate our hashed passwords and user names. We have implemented 7hash algorithms, including 2 which are our own, and 5 which are modified from industry standards: Message-Digest algorithm 5 (MD5), Secure HashAlgorithm (SHA-1, SHA-256, SHA-384, SHA-512). In this class project, we have decided to use four of these algorithms, two for both the hashedpasswords and hashed usernames. They are MD5, SHA-1, SHA-384 and SHA-512. The four chosen algorithms are all industry standards, so users can restassured the provided hashed outputs are safe and non-reversible.There are two inputs to each hash algorithm: the desired login address and the master password. We concatenate these two inputs, which gets fed into thechosen algorithm. The output is a non-reversible hashed value. From this value, we extract the output hash for the user according to their desired length ofpassword characters. As we mentioned above, the user can choose their desired hash algorithm, and the hashed password will be available to the user withan extra option of a hashed user name.E-ZeePass: A web-based username and password hashhttp://www.cse.wustl.edu/~jain/cse571-09/ftp/ezpass/index.html 2 of 11Figure 2 Flow diagram of hashed password generationIn addition, for the user's convenience, we have a function which lets a user navigate to his desired login website within our iframe. This is made possiblebecause the domain name of the web address input is recorded while the user enters his desired login address.1.2 Hash AlgorithmsA hash algorithm is a function that takes inputs and converts them into a fix sized bit string, which is called the cryptographic hash value or message digest.There are several properties of hash algorithms which make it ideal to use with our service [Kaufmann02]:1) It is easy to compute the hash value from any given inputs.2) It is a one-way function which is not practical to figure out what input corresponds to a given output.3) It is computationally infeasible to find a message that has a given pre-specified message digest.4) It is computationally infeasible to find two messages that have the same message digest.The four hash algorithms chosen for implementation in our website are all industry standards, and are cryptographically secure. In addition, through the useof hash algorithms, the output hash passwords generated are random enough for security concerns.1.3 Project FeaturesThe project will be implemented using Microsoft Active Server Pages .NET (ASP.NET) technology with the Visual Basic .NET (VB.NET) language.Basic Functionalities- User remembers one master password for logging into different websites using different hashed passwords.- The per-website password is the output of a secure hash algorithm, using the master password and the web address as inputs.- Passwords generated for the same domain will be identical for each login site.- Portability: web based service allows users to access our service on-the-go.-