The present invention relates to password security systems, and more particularly to a non-disclosing password entry method for an authorized user that reduces the possibility of access by an imposter.
It has long been known that the best way to identify an authorized user at a secure access point, while minimizing the chances of an imposter gaining access, is to base the identification on three basic items: something the authorized user has, something the authorized user is, and something the authorized user knows. The first one, something the authorized user has, is often accomplished by an ID card with an electronically readable magnetic strip or, more recently, a Radio Frequency Identification (RFID) chip. The second, something the authorized user is, may be a fingerprint, retinal scan or some other unique biologic trait of the authorized user. However, biologic ID is still new and not shown to be fully robust in allowing the authorized user access in all conditions. Therefore, these methods are used only where security is paramount. The last, something the authorized user knows, is quite often a password or Personal Identification Number (PIN). This password method is used by virtually everyone and remains the most common method of authentication of identity. The password, or PIN, is something only the authorized user knows and, with today's strong encryption, the password may be transmitted over a network to authenticate the authorized user with little fear of the password being compromised by imposters.
However, although the password may be securely transmitted in the presence of imposters by the use of encryption, the password may still be disclosed to an imposter before or during the password entry process. For example, many ATM keypads are visible to people waiting in line where an imposter may observe the keypad selections and obtain the authorized user's PIN simply by looking over the authorized user's shoulder (called “shoulder-surfing”). Alternatively, a secluded imposter may obtain the password by watching with binoculars from a nearby car or building.
With the ubiquitous use of video surveillance, the password or PIN entry process may be easily video recorded. Therefore, even methods that obscure the PIN or password entry may disclose the PIN or password when the video tape is played back in slow motion. For example, a paper by Volker Roth and Kai Richter called “How to Fend off Shoulder Surfing”, published in the Journal of Banking & Finance, June 2006, Vol. 30 Issue 6, pgs. 1727-1751, discloses a method of obscuring the PIN from imposters or “shoulder-surfers”. However, by playing back a video tape of the entry process by the “prover” it is quite easy to isolate each number of the PIN in the same way as the ATM terminal or “verifier” isolates the PIN characters to authenticate the authorized user. The paper itself states this as follows: “it holds that, if the observer can perfectly record or memorize all input and output then he or she will be able to deduce the prover's PIN in the same fashion as the verifier does it.”
Another limitation of this method is that it requires 4 key-presses for each number of the PIN. For example, 16 key-presses would be required for a simple 4-digit PIN. A further limitation of the method in this paper is its restriction to numeric keypads. It is not obvious how to extend this to alpha-numeric password entry without requiring a very large number of selections for each element of the password, making it very tedious to use. For example, a 6-digit password selected from a character set of 36 alphanumeric characters would require at least 6 key-presses per character or 36 key-presses in total.
Passwords are also the dominant means of user authentication via the keyboard or mouse of a computer. It may be more difficult for someone to see and memorize the password by watching the authorized user's fingers at the keyboard, or mouse icon position on the screen, than watching an ATM keypad, but it does happen. Also small cameras may be placed and removed to allow all keyboard strokes and mouse display clicks to be recorded for later playback.
Also, the disclosure of passwords is a serious issue with computer keyboard or mouse selection entry of passwords when using a device connected to the internet. For example, a common method of password theft now relies on a simple spyware program that logs keystrokes and/or mouse screen position clicks and sends that log back over the internet without the user's knowledge. This log can then be filtered to find account numbers and passwords.
Also, there is a growing problem with password theft by the method of presenting a fake or duplicate log-in screen called a “Trojan Horse”. This duplicate looks just like the one normally seen by the authorized user when entering an account number and password, but is a fake to capture the authorized user's vital information. Any method where the characters of the password are indicated, either by key presses or mouse clicks, discloses the password to the Trojan log-in or fake authentication page.
U.S. Pat. No. 5,428,349, entitled “Non-disclosing Password Entry”, issued to Daniel G. Baker on Jun. 27, 1995, teaches a method of securely entering a password to authenticate an authorized user log-in to a secure data service. The method disclosed in the '349 patent is that of selecting the row or column of a randomized (shuffled) matrix of alpha-numeric characters that contains each, in succession, of the characters of the user password. The individual characters of the password are not specifically selected or typed, since only rows or columns of the character matrix are selected. Therefore, the method taught by the '349 patent is resistant to all the aforementioned problems, since it does not explicitly disclose the password by the key press or mouse click entry process. However, the '349 patent requires the authorized user to visually scan through the randomized matrix for each character of the password to identify the row or column. This may take some time, and some authorized users may consider this too tedious.
What is desired is a method that is resistant to all the aforementioned problems, easier to learn, and less tedious to use by reducing the key-presses to no more than one per password character, and that eliminates the need to scan a random arrangement of characters for each character of the password.
Accordingly, the present invention provides a non-disclosing password entry method that is achieved by displaying an ordered arrangement or matrix of characters such that an authorized user's password is predetermined from a subset of these characters. The characters in the display are associated with a randomly ordered set of patterns or colors as, for example, the character background in the display. Additionally there is provided a means for selecting each type of pattern or color. Rather than entering the password directly, the authorized user is authenticated by noting the background pattern or color associated with the first character of the password and then selecting that pattern or color. The process is repeated with each password character in sequence until all the characters have been selected. The authorized user is authenticated by verifying that the selected backgrounds are correct for each of the characters of the password.
The objects, advantages and other novel features of the present invention are apparent from the following detailed description when read in conjunction with the appended claim and attached drawing.
a-2f are plan views of successive screen views illustrating the non-disclosing password entry according to the present invention.
Referring now to
The user uses the entry keys 14 to select the color of the character corresponding to the first character of the PIN—in this case the numeral “1” has a blue background, so the user activates the blue entry key 14b. A new set of background colors is then generated randomly, as shown in
The method is illustrated in more detail by the flowchart view 20 of
Although the characters in the preferred embodiment are associated with background patterns, any color, picture or pattern or other characteristic set may be randomly arranged in the shuffling process and associated with each character in the password matrix 12. Further, the shuffled patterns need not be the background of the character, but may be associated by adjacent special alignment or other possible associations of each pattern to the displayed ordered character matrix 12 (not shown).
The memorization or recording by an imposter of every detail of a correct password entry process, including the entire character matrix with associated background at each step, does not disclose the password. For example, for a 40 character set with five backgrounds, assume the authorized user has a relatively short 6-character password. The imposter sees 8 possible characters for each of the selected 6 background button entries (one for each character of the password). After full observation of the entire display 10 and all button presses for the entire process, this creates a possible set of $8^6 = 2^{18}$, which is 262,144 possible passwords. A longer password, such as an 8 character password, increases the set to over 16 million possible passwords, even after recording every detail of the password entry process.
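The entry procedure and the observer count described above can be reproduced with the following added example, which is not the demo program referred to in this document. The four symbols in the character set, the background names other than blue, and all function names are assumptions chosen for illustration.

```javascript
const { randomInt } = require("node:crypto");

// Assumed layout: 36 alphanumerics plus 4 symbols (the symbols are constructed).
const CHARSET = [..."ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$"];
// Assumed background names: 5 backgrounds, so each covers 40 / 5 = 8 characters.
const BACKGROUNDS = ["red", "green", "blue", "yellow", "white"];

// One round: every background is used equally often, then the assignment is
// shuffled (Fisher-Yates with a CSPRNG) over the fixed, ordered character set.
function newRound(charset = CHARSET, backgrounds = BACKGROUNDS) {
  if (charset.length % backgrounds.length !== 0) {
    throw new Error("character count must be a multiple of the background count");
  }
  const repeats = charset.length / backgrounds.length;
  const pool = backgrounds.flatMap((b) => Array(repeats).fill(b));
  for (let i = pool.length - 1; i > 0; i--) {
    const j = randomInt(i + 1);
    [pool[i], pool[j]] = [pool[j], pool[i]];
  }
  return new Map(charset.map((c, i) => [c, pool[i]]));
}

// Authorized user: press the key matching the background of the next character.
const respond = (round, ch) => round.get(ch);

// Verifier: one fresh round per password character, one press per round.
function verify(password, rounds, presses) {
  if (presses.length !== password.length || rounds.length !== password.length) return false;
  return [...password].every((ch, i) => rounds[i].get(ch) === presses[i]);
}

// Observer with a perfect recording: per round, every character that shared
// the pressed background is still a possible password character.
function observerCandidates(rounds, presses) {
  return rounds.map((r, i) => [...r.keys()].filter((c) => r.get(c) === presses[i]));
}

// Run one full entry and report what the verifier and the observer end up with.
function demo(password = "MHALL!") {
  const rounds = [...password].map(() => newRound());
  const presses = [...password].map((ch, i) => respond(rounds[i], ch));
  const perRound = observerCandidates(rounds, presses).map((c) => c.length);
  return { accepted: verify(password, rounds, presses), perRound,
           total: perRound.reduce((n, k) => n * k, 1) };
}
```

Because the expected presses depend on each round's random assignment, the verifier in this sketch compares against the password itself rather than a stored hash.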
Further, using passwords that are themselves acronyms makes sorting through this large set of possible passwords for common words even more difficult. For example, using an alpha-numeric set of characters, an authorized user may use the password MHALL! by recalling the simple phrase “Mary Had A Little Lamb!”. Another example is MDN2GL for “My Dog's Not Too Good Looking”.
If an imposter attempts access by randomly pushing buttons, it is possible, with a low probability, to gain access. However, if the imposter does not know the number of characters in the authorized user's password, the chances are zero for any sequence of button pushes that does not equal the number of password characters. As previously described, the password is not disclosed, even if all the button presses are seen by the imposter. But since the imposter may determine the length of the password, the imposter may use this knowledge to attempt access by randomly choosing each button press. For the 5-button example shown in
Alternative configurations that trade off the probability of guessing the password against authentication by random button pressing are evident to one of ordinary skill in the art. For example,
In general, any set of characters of length J that may be factored into the product P×Q has P different types of background patterns and pattern selection buttons with each pattern repeated Q times in the character set. In the example of
The following source-code is from a Javascript demo program that displays the 36 alpha-numeric characters plus 4 additional symbols for a total of 40 characters. Rather than background patterns, as shown in
Thus the present invention provides a non-disclosing password entry method that uses a standard character matrix with variable backgrounds for each character, each character of the password being entered according to the corresponding background, with the background being shuffled between each password character entry so there is only one keystroke/mouse click per password character. After each password character is identified and the authorized user indicates completion (or the fixed length of a non-variable length password is reached), the authorization algorithm indicates success or failure of login.
This application is a non-provisional application which derives its filing date from provisional application Ser. No. 60/962,016 filed Jul. 24, 2007, which provisional application is expressly abandoned upon the filing of the present application.
Number | Date | Country
---|---|---
60962016 | Jul 2007 | US