Databaseless Web Password System

Description

A databaseless web password system is a password system that does not require storing any user name/password pairs on the server. This is possible because the password is derived from the user's user name (which must therefore be unique, such as an email address) and a secret key. A password can hence be verified against a user name by computing it at verification time. Secrecy is provided by a secret key that is visible only on the server side. The MD5 digest algorithm is employed.

For example, a game web page can implement a multi-level game. The user has to have succeeded at one level before proceeding to the next level. Initially the user is prompted for his/her email address, and an initial password (derived from the level one secret key) is mailed to him/her. Then, when the user has passed level one of the game, the game computes the level two password (based on the user's email address and the level two secret key) and gives it to the user. This way, users cannot exchange passwords to skip game levels (at least, it is highly unlikely to work).

The password is computed by appending the secret key to the username and running the result through the MD5 digest mechanism. Password verification is done by appending the secret key to the username, running the result through the MD5 digest mechanism, and comparing the output with the password the user typed in.
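
The computation and verification described above, as an added example (not code from this distribution). The key values, the function names, the input normalization and the HMAC-SHA256 variant shown beside the page's MD5 scheme are assumptions introduced for illustration.

```python
import hashlib
import hmac

# Constructed sample keys, one per game level. Assumption: the page does not
# say how keys are stored; they must exist only on the server.
LEVEL_KEYS = {1: b"constructed-level-1-key", 2: b"constructed-level-2-key"}


def derive_password(username: str, level: int) -> str:
    """The page's scheme: MD5 over the username with the secret key appended."""
    data = username.encode("utf-8") + LEVEL_KEYS[level]
    return hashlib.md5(data).hexdigest()


def derive_password_hmac(username: str, level: int) -> str:
    """Same idea using HMAC-SHA256, the standard keyed-hash construction."""
    key = LEVEL_KEYS[level]
    return hmac.new(key, username.encode("utf-8"), hashlib.sha256).hexdigest()


def verify(username: str, level: int, typed: str, derive=derive_password) -> bool:
    """Recompute the password at verification time; nothing is looked up."""
    if level not in LEVEL_KEYS:
        return False
    expected = derive(username, level)
    # Hex digests are lowercase; tolerate pasted whitespace or upper case.
    candidate = typed.strip().lower()
    # compare_digest does not reveal where the first mismatch occurred.
    return hmac.compare_digest(expected.encode(), candidate.encode("utf-8"))


if __name__ == "__main__":
    alice, bob = "alice@example.com", "bob@example.com"  # constructed users
    pw1 = derive_password(alice, 1)        # would be mailed to alice
    print("level 1 ok:", verify(alice, 1, pw1))
    print("reused at level 2:", verify(alice, 2, pw1))
    print("shared with bob:", verify(bob, 1, pw1))
    pw2 = derive_password_hmac(alice, 2)
    print("hmac variant ok:", verify(alice, 2, pw2, derive=derive_password_hmac))
```

Because every password is a function of the level key, replacing a key invalidates all passwords for that level at once; there is no per-user revocation without adding stored state.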

Feature

This distribution includes:

Where To Get

Click here to get.




Click here to return to Mark Ng's home page.