Patent Application
20190057210
The present disclosure relates to dynamic password policy changes based on the sensitivity of user information.
In general, most accounts, from online bank accounts to Amazon accounts, are protected by password. Typically, a policy is provided to the user who creates the account with requirements that the password must meet, e.g., the password should have at least 8 characters or the password should have at least 1 number. These policies are static and do not consider the sensitivity of the information stored in the account. A user has to follow a strict policy even when there is less or no sensitive data within the account.
According to an aspect of the present disclosure, a method may include the steps of receiving a first set of information from a user; in response to receiving the first set of information, determining a first sensitivity score; determining whether the first sensitivity score is greater than a baseline sensitivity score, wherein the baseline sensitivity score is based on historic account information from the user and wherein requirements for an historic account password are based on the baseline sensitivity score; and in response to determining that the first sensitivity score is greater than the baseline sensitivity score, prompting the user to modify the historic account password to create a first password, wherein requirements for the first password are based on the first sensitivity score and require increased strength of the first password relative to the historic account password.
According to another aspect of the present disclosure, a non-transitory computer-readable storage medium may have instructions stored thereon that may be executable by a computing system to: receive a first set of information from a user; determine a first sensitivity score; prompt the user to create a first password, wherein requirements for the first password are based on the first sensitivity score; receive a second set of information from the user; in response to receiving the second set of information, determine a second sensitivity score; determine whether the second sensitivity score is greater than the first sensitivity score; and in response to determining that the second sensitivity score is greater than the first sensitivity score, prompt the user to modify the first password to create a second password, wherein requirements for the second password are based on the second sensitivity score and require increased strength of the second password relative to the first password.
According to another aspect of the present disclosure, a computer system may include a server configured to: receive a first set of information from a user; determine a first sensitivity score; prompt the user to create a first password, wherein requirements for the first password are based on the determined first sensitivity score; receive a second set of information from the user; in response to receiving the second set of information, determine a second sensitivity score; determine whether the second sensitivity score is greater than the first sensitivity score; and in response to determining that the second sensitivity score is greater than the first sensitivity score, prompt the user to modify the first password to create a second password, wherein requirements for the second password are based on the second sensitivity score and require increased strength of the second password relative to the first password
Other objects, features, and advantages will be apparent to persons of ordinary skill in the art from the following detailed description and the accompanying drawings.
Aspects of the present disclosure are illustrated by way of example and are not limited by the accompanying figures with like references indicating like elements.
As will be appreciated by one skilled in the art, aspects of the present disclosure may be illustrated and described herein in any of a number of patentable classes or context including any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof. Accordingly, aspects of the present disclosure may be implemented entirely in hardware, entirely in software (including firmware, resident software, micro-code, etc.) or in a combined software and hardware implementation that may all generally be referred to herein as a “circuit,” “module,” “component,” or “system.” Furthermore, aspects of the present disclosure may take the form of a computer program product embodied in one or more computer readable media having computer readable program code embodied thereon.
Any combination of one or more computer readable media may be utilized. The computer readable media may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would comprise the following: a portable computer diskette, a hard disk, a random access memory (“RAM”), a read-only memory (“ROM”), an erasable programmable read-only memory (“EPROM” or Flash memory), an appropriate optical fiber with a repeater, a portable compact disc read-only memory (“CD-ROM”), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium able to contain or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated signal may take a variety of forms comprising, but not limited to, electro-magnetic, optical, or a suitable combination thereof. A computer readable signal medium may be a computer readable medium that is not a computer readable storage medium and that is able to communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable signal medium may be transmitted using an appropriate medium, comprising but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present disclosure may be written in a combination of one or more programming languages, comprising an object oriented programming language such as JAVA®, SCALA®, SMALLTALK®, EIFFEL®, JADE®, EMERALD®, C++, C#, VB.NET, PYTHON® or the like, conventional procedural programming languages, such as the “C” programming language, VISUAL BASIC®, FORTRAN® 2003, Perl, COBOL 2002, PHP, ABAP®, dynamic programming languages such as PYTHON®, RUBY® and Groovy, or other programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (“LAN”) or a wide area network (“WAN”), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider) or in a cloud computing environment or offered as a service such as a Software as a Service (“SaaS”).
Aspects of the present disclosure are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatuses (e.g., systems), and computer program products according to embodiments of the disclosure. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, may be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable instruction execution apparatus, create a mechanism for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer readable medium that, when executed, may direct a computer, other programmable data processing apparatus, or other devices to function in a particular manner, such that the instructions, when stored in the computer readable medium, produce an article of manufacture comprising instructions which, when executed, cause a computer to implement the function/act specified in the flowchart and/or block diagram block or blocks. The computer program instructions may also be loaded onto a computer, other programmable instruction execution apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatuses, or other devices to produce a computer implemented process, such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
While certain example systems and methods disclosed herein may be described with reference to infrastructure management, systems and methods disclosed herein may be related to other areas beyond network infrastructure. Systems and methods disclosed herein may be related to, and used by, any predictive system that utilizes expert learning or other predictive methods. Systems and methods disclosed herein may be applicable to a broad range of applications that, such as, for example, research activities (e.g., research and design, development, collaboration), commercial activities (e.g., sales, advertising, financial evaluation and modeling, inventory control, asset logistics and scheduling), IT systems (e.g., computing systems, cloud computing, network access, security, service provisioning), medicine (e.g., diagnosis or prediction within a particular specialty or sub-specialty), and other activities of importance to a user or organization.
Although static password policies exist for creating strong account passwords, they may not have the capability to detect the sensitivity of the information stored in the account. The failure to detect the sensitivity of the information stored in the account may lead to strict password requirements to protect little to no sensitive information.
In view of the foregoing, a need has arisen for ways to make dynamic policy changes based on user information to provide frictionless logging for users with less sensitive data, but also adding enough friction for users with more sensitive data.
A user may have many accounts, such as an online account to access their bank and an account with Amazon or other online store. Each account may allow a user to store different types of information. Upon registering for or enrolling in an account, a user is generally required to input at least some minimal amount of information. According to the present invention, at an initial stage, when there is less sensitive information stored in the account, users will be allowed to create and keep a very simple password. When the user adds more sensitive data to his account, the user will be asked to increase password strength. Each time the user adds more information or removes information, a sensitivity test may be performed. Based on a sensitivity score, the user may be asked to increase or decrease password strength according to the sensitivity score. Every time when user adds more data or removes data, the password policy will then be checked, and password strength will be increased or decreased, according to the level of sensitivity of the information stored in the account.
An example embodiment of the present invention may include a dynamic flow of password policies for an account, where the policies are dependent upon the level or score of sensitivity of user information. For example, as depicted in
In the case of a dynamic flow password policy, the numerical sensitivity score may not be the only deciding factor because the data elements may also be divided into levels of sensitivity. For example, as depicted in
In another example embodiment, a current or baseline user sensitivity score may be 10. This current or baseline sensitivity score may be based on historic account information input by the user when initially setting up the account. The user may then add credit card details to the account. The credit card details may be assigned a score of 15, bringing the total account score to 25. In the case of a password policy based on numerical value of the sensitivity score, the password policy would still only require a low strength password because the numerical sensitivity score falls within the range of scores for the low password strength band. However, in the example case of a dynamic flow password policy, the password policy requirements may be upgraded to next band or to the band that corresponds to the band or level of the highest sensitive data information present in that account (in the example, the band of the credit card number). Since credit card information may be assigned to the highly sensitive level, as in the above example, the password policy may prompt the user to create a password with high strength requirements. This decision may be left up to the implementer. A dynamic flow may consider score, types of data elements, etc. rather than just one factor in determining the appropriate password policy strength requirements. Adding credit cards details is an example of information that may be added to an account but a user may add any suitable information to the account.
Password strength may be categorized into bands, as depicted in the example of
In an example embodiment, a user may be asked for only bare minimum or baseline data during enrollment or registration for an account. For example, minimum or baseline data may be name, e-mail id, or location. These types of information are generally not very sensitive, and as such the sensitivity score may be lower and initially the password strength may be automatically set to low/weak. In this example, as depicted in
Referring now to
At step 312, the initial and updated sensitivity scores or levels are compared. If the updated sensitivity score or level is greater than the initial sensitivity score, at step 314, the user may be prompted to update the password and may be provided with a password policy which will have more stringent requirements for the password, resulting in increased password strength. A user may also delete or remove information from the account. If the user removes sensitive information from the account, then the updated sensitivity score may be lower than the initial sensitivity score. If the updated sensitivity score is lower than the initial sensitivity score, at step 316, the user may be prompted to update the password and may be provided with a password policy which will have less stringent requirements for the password, resulting in decreased password strength. The addition and removal of information, and subsequent determining and comparing of sensitivity scores, may be repeated multiple times, whenever a user may add or remove information from an account.
Referring now to
At step 412, the first sensitivity score is compared to the second sensitivity score and it may be determined that the second sensitivity score is greater than the first sensitivity score, and brings the sensitivity score into a higher band of sensitivity. For example, the second sensitivity score may bring the score into the highest level of sensitivity which requires strong password strength. At step 414, the user is provided with a second password policy with more strict requirements than the initial password policy and the requirements are based on which band the second sensitivity score falls within. A third user input is then received which removes a third set of information from the user's account details at step 416. The third set of information may involve removing one or multiple pieces of information from the user's account. At step 418, a third sensitivity score is determined based on the information remaining in the user's account after the third set of information was removed. At step 420, the second and third sensitivity scores are compared and it may be determined that the third sensitivity score is lower than the second sensitivity score. The third sensitivity score may be enough lower than the second sensitivity score to bring the score down into a lower band. For example, removing the third set of information may result in the score moving from the highest sensitivity band into the medium/moderate sensitivity band. The user is provided with a third, less strict password policy where the requirements are based on the password strength band which the third sensitivity score falls within, at step 422.
Referring now to
At step 506, the user may be prompted to create a password and the requirements for that password would correspond to the maximum sensitivity level of the first set of information. For example, if the maximum sensitivity level is low, then the password policy would require a weak strength password. At step 508, a second set of information is received from the user. The second set of information may include one or multiple pieces of information. At step 510, a maximum sensitivity level of information within the second set of information may be determined. The maximum sensitivity level of the first set of information and the maximum sensitivity level of the second set of information may be compared at step 512. At step 514, it may be determined that the second set of information has a higher maximum sensitivity level than the first set of information. The user may be prompted to create an updated password with requirements that correspond to the maximum sensitivity level of the second set of information at step 516. For example, if the first set of information had a maximum sensitivity level of low and the second set of information had a maximum sensitivity level of medium, the user would be provided with password requirements in accordance with a password strength of moderate which corresponds to the medium sensitivity level. This type of maximum sensitivity level determination may trump numerical sensitivity score depending on the settings/preferences of the account.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various aspects of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The terminology used herein is for the purpose of describing particular aspects only and is not intended to be limiting of the disclosure. As used herein, the singular forms “a”, “an” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms “comprises” and/or “comprising,” when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
The corresponding structures, materials, acts, and equivalents of any means or step plus function elements in the claims below are intended to include any disclosed structure, material, or act for performing the function in combination with other claimed elements as specifically claimed. The description of the present disclosure has been presented for purposes of illustration and description, but is not intended to be exhaustive or limited to the disclosure in the form disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the disclosure. The aspects of the disclosure herein were chosen and described in order to best explain the principles of the disclosure and the practical application, and to enable others of ordinary skill in the art to understand the disclosure with various modifications as are suited to the particular use contemplated.
