WO2006107201A1 - Method and system for generating passwords - Google Patents
- Publication number
- WO2006107201A1 (PCT/NL2006/000185)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- password
- generator
- code
- obtaining
- encoding algorithm
- Legal status
- Ceased
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        - H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
          - H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
        - H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
          - H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
            - H04L9/0863—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
Definitions
- a particular embodiment of the invention can comprise a software program, for instance for a personal computer. Such a program can be started as a separate program when there is a need to do so, i.e. when a user wants to log onto a secure website or application. It is emphasized that the present invention can be applied online as well as offline. The present invention can preferably also be integrated into or is integrated into an application, such as a web browser or an application program. An embodiment of the present invention can also regulate access by a user to a part of the operating system, for instance that part with which computer or network settings can be changed, this preferably being reserved for a network administrator, wherein a user can only obtain access to that part of the operating system or network via an (access) code obtainable with the invention. The access to such components can optionally also be regulated by a network administrator via a program as embodiment of the present invention.
- a software program as possible embodiment of the present invention preferably has priority over all programs running on a computer in the sense that when a program as embodiment of the method according to the invention is started, an input screen is opened over (all) already opened screens. This situation can then preferably only be undone by a user, for instance so as to be able to continue working in an underlying screen, by closing the program or by having the program generate at least one (access) code.
- the program preferably automatically places a cursor in the box where the first password must be entered.
- the user types his/her first password using the keyboard, followed by pressing the "Enter" or "Tab" key or clicking in the (next) input field, for instance for the second password. In both cases the user can immediately enter the second password (possibly related to the application or website etc.).
- the input is now ended once again by pressing the "Enter" key or clicking on the button "Generate Password".
- Each character or element of the string from which the first password is formed is subsequently analysed.
- The relation between each element and a numeric value can be predetermined, for instance in a table corresponding with the ASCII code. All digits of these numeric values can be placed successively in a sequence corresponding with the string of elements, or in any other chosen sequence. In this example the first password "123aA" thus results in the following row of digits: 123123342.
- This series of digits determines with which encryption method(s) or encoding algorithm(s), or with which parameters in a fixed algorithm, the second password is encrypted in order to generate the secure code.
- A simple example of this method comprises 10 encryption routines (A1 to A10), wherein each encryption routine performs a different so-called monoalphabetic substitution.
- each character is substituted by another fixed character, e.g.: a becomes z, b becomes y, c becomes b and so on.
- Because the substitutions differ, an encryption sequence with parameter 1 followed by one with parameter 2 produces an end result other than when parameter 2 is followed by parameter 1.
- the second password can now be encrypted by using from left to right the digits in the series extracted from the string of elements of the first password as parameters of a fixed encoding algorithm or as a designation of a selection of one of a number of possible encoding algorithms or a combination of such possibilities.
- the thus generated (access) code can finally be sent by means of program keystrokes to the application/website to which access is desired and for which the (access) code is required.
- Program keystrokes are understood to mean: input into the computer not done physically by the user. Other terms for this can be: "software keystrokes" and/or "virtual keystrokes".
- The control software of a computer interprets these signals as physical keystrokes; a so-called "SendKeys" command or routine can be used for this purpose.
- the user does not then have to enter the generated code with physical keystrokes in an input field of the website or application etc., but a program forming an embodiment of the present invention can provide for the transfer of the generated code to this input field.
- an "Enter" keystroke can also be sent after the (access) code.
- the program can be closed automatically, preferably without placing or leaving behind confidential data on the hard disk or in the working memory.
- a program for implementing the invention can further be embodied with extra security options.
- the input fields of both the first password and the second password can be provided with so-called "password characters". Whatever character is typed in, the same character then always appears on the screen (typically a "*" or a "@").
- As a countermeasure against a so-called keylog program, an algorithm regularly producing "virtual" keystrokes can be activated. While the keylog program then captures the input of the passwords or a generated (access) code, it also captures a jumble of other characters without distinction (for instance 20 characters per second) which do not form a part of either of the passwords or of the (access) code. In a log file of such a keylog program it is no longer possible to identify the manually typed characters. If the (access) code is not sent automatically to the receiving application/website, it may be possible for the generated secure (access) code shown on the screen to be copied to the clipboard.
- the program as embodiment of the invention can then comprise a routine which empties the clipboard after a period of time (for instance after 20 to 30 seconds) so as to prevent third parties with malicious intent being able to acquire the generated (access) code during a (short) absence of the user.
- a method and/or device according to the invention could also be used in situations wherein two users have to be in agreement in order to log into an application and/or website. This can be implemented in a manner comparable to that customary in the case of a bank vault. Two keys are required here to open the vault. According to the present invention two passwords are then required, for instance if purchases are being considered on an account on a website, wherein for instance a child and a parent together enter their own specific password. The parent and the child can hereby log in jointly, each with their own password, but neither of them individually.
- Fig. 1 shows a device for implementing the method, both according to the present invention
- Fig. 2 shows an input screen such as can be shown to a user on a display or any other means for realizing the present invention.
- Fig. 1 shows a device 12 as possible embodiment of a method, wherein both the method and the device 12 are embodiments of the present invention.
- Device 12 comprises a generator 1. This latter is supplied via an input device 2 with two passwords, i.e. a first password 4 and a second password 5.
- one of the first and second passwords 4, 5 can be stored in a memory module 7 which forms part of generator 1, or is at least connected thereto.
- A number of encoding algorithms A1, A2, ... A10 can be stored in generator 1 for invoking thereof. This can take place with a method corresponding to a subroutine or any algorithm. Parameters can herein be inputted into the separate encoding algorithms A1, A2, ... A10 in order to influence the manner of functioning of these encoding algorithms, wherein these parameters ensue from first password 4.
- A choice can also be made for one of the encoding algorithms A1, A2, ... A10 present in generator 1 on the basis of a single parameter which can ensue from first password 4.
- Various permutations of the foregoing are possible in respect of the choice of a specific encoding algorithm, or the setting of parameters to be used specifically in such an encoding algorithm.
- the second password 5 entered via input device 2 is subjected to the encoding algorithms thus set or selected in generator 1.
- The outcome obtained from subjecting second password 5 to one or more than one of the encoding algorithms A1, A2, ... A10 on the basis of the setting using parameters obtained from first password 4 is the code 6, which can be sent from generator 1 to an intended application or website 3 to which access is desired.
- Sending first and second passwords 4, 5 and code 6 can take place wirelessly or via cables. The whole process can also take place in a computer or on a network.
- The method of inputting the various required components for implementing the present invention is shown in fig. 2.
- a cursor 8 appears automatically in one of the two input fields.
- the two input fields for code 1 and code 2 relate respectively to first password 4 and second password 5.
- first password 4 has already been entered and cursor 8 is at the second position of second password 5.
- the user can then press the "Enter" button (10). If the user changes his/her mind before then, or even after finishing input of the two passwords 4, 5, the whole process can be aborted by pressing the "Stop" button.
- the code generated with generator 1 is displayed in the field "code" (6).
- This can be a readable display or a masked one which shows only for instance "#", "@" or something similar.
- the code can be sent with a cut-and-paste operation to the application or website, etc. 3 to which access is desired. It is also possible in a specific embodiment of the present invention for the generated code 6 to be sent directly to the application or website 3 for which it is intended.
- the first password comprises a string of at least one element and that a numeric value can be assigned to each element of the string, wherein each number comprises at least one digit.
- digits can be placed in predetermined manner in a series, for instance a series of which the sequence corresponds with that of the original string of elements which have each been converted into a digit value.
- Each number can herein be a designation of an iteration or parameter.
- the series of digits of the numbers can be added together to produce a single parameter, which can also be an indication of one of a number of possible encoding algorithms, wherein the extracted parameter is therefore a designation for the encoding algorithm to be selected. Many other permutations are also possible.
- conditions can be set down for the passwords for entering, for instance that a password must have a minimum length. If this requirement is not met, an embodiment of the present invention in the form of a program can however comprise the programmed measure that a password which is too short in respect of the requirements is doubled at least once, for instance by repeating the string of elements of the entered password.
- An alternative or additional requirement can be that the or each password comprises at least one letter and at least one digit.
- a further measure can be considered in which a supplement is automatically added to at least one of the first and second passwords.
- This supplement can be a serial number to be assigned by the inventors or a distributor or a producer to an embodiment of the invention in the form of for instance a program, particularly if the user who wants to be able to work with the invention on a plurality of computers can carry the invention with him/her (for instance on an information carrier such as a diskette, USB stick, etc.).
- the supplement can contain all kinds of information related to the computer or terminal, such as the serial number of a hard disk, a fixed number in a memory chip and so on.
- Such a supplement can of course also wholly replace at least one of the first and second password.
- the generator can be fully implemented in software, firmware or as hardware.
- the generator can be connected to means for obtaining biometric features of a user as one of the first and second passwords, such as means for reading an iris scan etc.
- A user then only needs to remember a password related to the intended access. From his/her iris scan or other biometric feature, or from the password entered manually by the user, the parameters or the algorithm selection can be extracted that the generator needs in order to process the other input (the password or the biometric feature) on that basis.
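A worked model of the generator as described in the input-and-encryption steps above (analysing the first password into a digit series, selecting one of ten substitution routines per digit, running the second password through them) and restated in the digit-series and minimum-length items. This is an added example, not the patent's own code; it assumes each character's ASCII code as the numeric-value table (the patent's own table, which maps "123aA" to 123123342, is not given), ten constructed affine substitution tables standing in for A1 to A10, digit 0 selecting A10, and a minimum length of 6. It also shows that the whole chain collapses into a single substitution table.

```python
from typing import Dict

# Printable ASCII (space through '~'): the 95 characters the substitution
# routines permute. Characters outside this set pass through unchanged.
ALPHABET = "".join(chr(c) for c in range(32, 127))
N = len(ALPHABET)

# Ten "encryption routines" A1..A10, each a different fixed monoalphabetic
# substitution. Constructed here (assumption: the patent gives no tables) as
# affine permutations i -> (a*i + b) mod 95; every a is coprime to 95 = 5*19,
# so each routine is one-to-one and therefore invertible.
_MULTIPLIERS = [2, 3, 4, 6, 7, 8, 9, 11, 12, 13]
ROUTINES: Dict[int, Dict[str, str]] = {
    k: {ALPHABET[i]: ALPHABET[(a * i + (11 * k + 5) % N) % N] for i in range(N)}
    for k, a in enumerate(_MULTIPLIERS, start=1)
}


def substitute(text: str, k: int) -> str:
    """Run routine A<k> (k in 1..10): replace every character by its fixed partner."""
    table = ROUTINES[k]
    return "".join(table.get(ch, ch) for ch in text)


def meet_minimum_length(password: str, min_len: int = 6) -> str:
    """Programmed measure from the patent: a password shorter than the minimum
    is doubled (at least once) by repeating its string of elements."""
    if not password:
        raise ValueError("password must not be empty")
    while len(password) < min_len:
        password += password
    return password


def digit_series(first_password: str) -> str:
    """Assign each element of the first password a numeric value and place all
    digits successively in string order. Assumed table: the character's
    ASCII/Unicode code, e.g. "123aA" -> "4950519765"."""
    return "".join(str(ord(ch)) for ch in first_password)


def generate_code(first_password: str, second_password: str,
                  min_len: int = 6) -> str:
    """Set the generator with the first password (one routine per digit, read
    left to right; digit 0 selects A10 by assumption), then run the second
    password through the routines in that order to obtain the code."""
    first = meet_minimum_length(first_password, min_len)
    code = meet_minimum_length(second_password, min_len)
    for d in digit_series(first):
        code = substitute(code, int(d) or 10)
    return code


def composite_table(first_password: str, min_len: int = 6) -> Dict[str, str]:
    """The single substitution the whole chain amounts to for a given first
    password: composing monoalphabetic substitutions yields one monoalphabetic
    substitution, which bounds what the scheme can achieve."""
    first = meet_minimum_length(first_password, min_len)
    table = {ch: ch for ch in ALPHABET}
    for d in digit_series(first):
        step = ROUTINES[int(d) or 10]
        table = {src: step[dst] for src, dst in table.items()}
    return table


if __name__ == "__main__":
    # Constructed sample inputs: a user-related first password and a
    # site-related second password, as the patent suggests.
    code = generate_code("pin1234", "shop")
    print("code for shop:", code)
    print("reproducible:", code == generate_code("pin1234", "shop"))
    print("other site:", generate_code("pin1234", "bank"))
    print("same second, other first:", generate_code("pin1235", "shop"))
```

Because a chain of monoalphabetic substitutions is itself one monoalphabetic substitution, the code keeps the length and repetition pattern of the (possibly doubled) second password, so the scheme gives reproducibility and per-site separation but no key stretching.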
Abstract
The invention relates to a method for reproducibly generating a code with a generator based on at least one adjustable encoding algorithm. The method comprises of obtaining a first password; setting the encoding algorithm, the operation and/or functioning of the generator on the basis of the first password; obtaining a second password; and coding the second password on the basis of the first password and thus obtaining the code using the generator after adjustment thereof.
Description
METHOD AND SYSTEM FOR GENERATING PASSWORDS
The invention relates to a method for reproducibly generating passwords or (access) codes, in particular secure or protected passwords or (access) codes. In the context of the present invention "secure" passwords and (access) codes are also understood to mean electronic certificates and similar utilities.
People naturally opt for passwords or (access) codes that are easy to remember, usually based on data that can easily be discovered by third parties such as name, date of birth, make of car, name of spouse and children. Due to the large number of places where a password or (access) code has to be used, people also tend to choose the same password or the same (access) code more often or even all the time. Consequently, the danger of improper use by third parties with malicious intent is great.
Secure passwords and (access) codes are an important prerequisite for the safe operation of electronic transactions and serve, often in combination with a so-called login name, for identification. Secure passwords and (access) codes consist of a combination, having as little logic as possible, of numbers and letters and optionally other characters, such as punctuation marks, currency symbols and so on. In addition, secure passwords and (access) codes are preferably sufficiently long. Various software programs are available in the relevant technical field for the purpose of generating secure passwords and (access) codes or certificates. These generate a random combination of characters. A drawback hereof however is that the generated passwords are difficult to remember and, because the combination is random, nor are they usually reproducible. This results in the passwords or (access) codes being written down. This implies a security dilemma, since the written password or the (access) code is visible to anyone who has physical access thereto. Storage in for instance a safe would on the other hand not be practical, because in that case the password or (access) code would have to be retrieved every time it is required.
In order to deal with the problem of safe storage of passwords once they have been generated software programs are available which function as a digital data safe. The passwords or (access) codes or certificates are usually stored in encrypted form and then become available by entering a main password. A drawback hereof however is that this data safe can be hacked by third parties, via for instance a medium such as internet or otherwise. In this case all passwords for all secure applications, websites and so on at once become useless. Another drawback is that the data safe is not always available to the user if he/she works on diverse computers.
The method according to the invention makes use of a generator, preferably but not exclusively in combination with an input device and an output device, wherein the input device can be used to enter a first and a second password to the generator, and wherein the generated secure code, such as an (access) code or a password, is displayed on the output device or the generated electronic certificate is stored, for instance in a memory. The operation of the generator is herein defined and/or set using and on the basis of the first password. The second password is encrypted, coded or otherwise processed by the generator thus set with the first password in order to obtain the desired code, preferably in reproducible manner.
The method and the system according to the invention do not display the above described drawbacks of the prior art, or do so at least to a greatly reduced extent. The method consists of first entering a first password via the input device. This can be an expression or word related to the person of the user, as previously used as an (access) code applied universally by the user, such as a name, make of car, PIN code of a bank card, combinations of such components and so on. The generator can thereby be set to an operation based on the first password. A second password is then entered which is preferably simple. Simple here means short, easy to remember and possibly related to the application, service, facility or website and so on to which access is desired and for which the code is required. A preferred embodiment of the method and device according to the invention is therefore that a user can choose the name, or a word or expression related thereto, of for instance the website, optionally supplemented with initials, as simple second password. Another way is to use the login name as simple second password in each case. This modus operandi can easily be remembered and consistently applied by the user as long as he or she also remembers the self-devised designation for the secure application software, web-site etc., and consistently applies it as the second password when later generating the (access) code. As a result of this method the user has a unique and secure (access) code for every application, website and so on. The danger of theft of the (access) code and subsequent attempts at improper use in other applications, websites and so on is hereby effectively prevented. It is noted that the first and second password can obviously exchange function (the second password for setting the generator and the first for encryption). The first password can also be given a meaning related to the secure application etc., and the second password can be assigned a meaning related to the user.
The first password determines the manner and/or sequence of encryption according to the at least one encoding algorithm with which the second password is encrypted by the generator into a secure (access) code. In a preferred embodiment the secure (access) code can finally be shown to the user via the output device. Because the first word determines the manner of encryption, the process for generating the (access) code is reproducible. The same simple second password yields a completely different secure (access) code if the same first password is not used.
The PIN code of a bank card can for instance serve as first password, optionally supplemented with other letters or numbers, such as for instance name or initials, as already used by many users as universally applied (access) code. The advantage of using the PIN code of a bank card is that this is generally accepted as being secret information and almost everyone knows it by heart. The second password can hereby be a text and/or number combination that is easy to remember (a so-called "string" also having for instance punctuation marks or other random elements of choice), possibly with a special significance for the user, which can be related to the secure application, website and so on to which access is desired.
Preferably no information (at all) is stored in the generator itself. Digital break-in by hackers and/or espionage is hereby impossible.
If the invention is implemented in an embodiment based on computer software, it is then possible for the user to use the same or a similar generator at multiple locations, i.e. on multiple computers. The generator can be used worldwide by means of an external medium (such as an electronic memory).
In accordance with the present state of the art, this could for instance be a diskette, CD-ROM, a DVD-ROM or a so-called USB memory stick. It is also possible for an embodiment of the invention implemented as software program to "run" remotely from the user and for instance to be accessed, via a preferably secure internet connection, in order to be executed remotely, or downloaded and installed on the computer of the user and executed on demand.
The input device can consist of a keyboard, optionally integrated into the generator, which in one embodiment of the invention can comprise an entire computer. Typical examples of output devices are computer monitors or LCD displays. A mobile telephone is an example of a device in which input device, output device and generator can be integrated. External sources can also serve as input device and/or output device. Examples hereof are for instance devices which make use of radio waves (for instance so-called 'Bluetooth'), infrared or specific network protocols (such as for instance in use on the internet and intra-networks) , or even a computer memory connected to for instance the generator.
If the generated secure code is transmitted to an external source by electronic means, this is in fact an electronic certificate. Digital signatures can also be realized in a secure and simple manner using this method. Different generators can be used for the various possible applications of this invention. These encryption units can make use of diverse encryption methods or encoding algorithms, both classical (plain text encryption by shifting or displacing letters) and modern (encryption at file level such as RSA, DES and triple DES).
In a particular embodiment of the invention the first or second password comprises a biometric feature of the user, or such a biometric feature is an addition to the first and second passwords. An iris scan, fingerprint and/or speech recognition and so on can be envisaged here. An added advantage of using a biometric feature is that it does not have to be remembered by the user, who always has the feature on his or her person. Only the first and/or second password need be remembered. This can then, as set forth above, be a password with a meaning related to the secure utilization, application or website to which access is desired, or a password related to the user. In addition to the advantages for the actual user, a great public security advantage is realized for the providers of electronic services in electronic (internet) communication. Improper use of their services, such as for instance ordering goods via the internet in the name of someone else, becomes much more difficult, in that a 'stolen' code only provides opportunities at the secure application or website where it was stolen.
A particular embodiment of the invention can comprise a software program, for instance for a personal computer. Such a program can be started as a separate program when there is a need to do so, i.e. when a user wants to log onto a secure website or application. It is emphasized that the present invention can be applied online as well as offline. The present invention can preferably also be integrated into an application, such as a web browser or an application program. An embodiment of the present invention can also regulate access by a user to a part of the operating system, for instance the part with which computer or network settings can be changed, this preferably being reserved for a network administrator, wherein a user can only obtain access to that part of the operating system or network via an (access) code obtainable with the invention. The access to such components can optionally also be regulated by a network administrator via a program as embodiment of the present invention.
A software program as possible embodiment of the present invention preferably has priority over all programs running on a computer in the sense that when a program as embodiment of the method according to the invention is started, an input screen is opened over (all) already opened screens. This situation can then preferably only be undone by a user, for instance so as to be able to continue working in an underlying screen, by closing the program or by having the program generate at least one (access) code. The program preferably automatically places a cursor in the box where the first password must be entered. The user types his/her first password using the keyboard, followed by pressing the "Enter" or "Tab" key or clicking in the (next) input field, for instance for the second password. In both cases the user can immediately enter the second password (possibly related to the application or website etc.). The input is now ended once again by pressing the "Enter" key or clicking on the button "Generate Password".
Each character or element of the string from which the first password is formed is subsequently analysed. Each character or element has an associated numeric value, for instance 1 = 1, 2 = 2 etc., a = 123, b = 234, c = 456 etc., A = 342, # = 865 etc. The relations can be predetermined, for instance in a table corresponding with the ASCII code. All digits of these numeric values can be placed successively in a sequence corresponding with the string of elements, or in any other sequence. In this example the first password "123aA" thus results in the following row of digits: 123123342. This series of digits determines with which encryption method(s) or encoding algorithm(s), or with which parameters in a fixed algorithm, the second password is encrypted in order to generate the secure code. A simple example of this method is one in which there are 10 encryption routines (A1 to A10), wherein each encryption routine performs a different so-called monoalphabetic substitution. In a monoalphabetic substitution each character is replaced by another fixed character, e.g.: a becomes z, b becomes y, c becomes b and so on. Because the routines differ, applying the substitution with parameter 1 followed by the one with parameter 2 produces an end result other than when parameter 2 is followed by 1. The second password can now be encrypted by using, from left to right, the digits in the series extracted from the string of elements of the first password as parameters of a fixed encoding algorithm, or as a designation of a selection of one of a number of possible encoding algorithms, or a combination of such possibilities.
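As an added worked example (not code from the patent or from any product based on it), the following Python sketch implements the scheme just described: the character table reuses the values the text gives and falls back to the ASCII code for any other character, and the ten substitution routines A1 to A10 are constructed here as affine maps over a-z, since the text does not fix them beyond "a becomes z, b becomes y".

```python
"""Two-password code generator: the first password selects the substitutions
applied to the second password. Character table and routines are constructed
assumptions that follow the patent text's examples."""

from string import ascii_lowercase

# Values the text gives for letters and '#'; digits map to themselves (1 = 1,
# 2 = 2 etc.) and every other character falls back to its ASCII code, which
# the text mentions as one possible basis for the table (assumed here).
CHAR_TABLE = {"a": "123", "b": "234", "c": "456", "A": "342", "#": "865"}

# Ten monoalphabetic substitutions A1..A10, constructed as affine maps
# i -> (mult * i + shift) mod 26 over a-z. Every mult is coprime to 26, so
# each map is a bijection, i.e. a proper substitution. A1 is chosen so that
# a -> z and b -> y, matching the text's example.
ROUTINES = [
    (25, 25),  # A1  (selected by digit 1)
    (1, 3),    # A2
    (3, 0),    # A3
    (5, 8),    # A4
    (7, 2),    # A5
    (9, 21),   # A6
    (11, 4),   # A7
    (15, 17),  # A8
    (17, 6),   # A9
    (19, 1),   # A10 (selected by digit 0)
]


def char_value(ch: str) -> str:
    """Numeric value of one element of the first password, as a digit string."""
    if ch.isdigit():
        return ch
    return CHAR_TABLE.get(ch, str(ord(ch)))


def digit_series(first_password: str) -> str:
    """Concatenate the digits of each element's value, in the order of the string."""
    return "".join(char_value(ch) for ch in first_password)


def substitute(text: str, routine_index: int) -> str:
    """Apply routine A(routine_index + 1); characters outside a-z pass through."""
    mult, shift = ROUTINES[routine_index]
    out = []
    for ch in text:
        if ch in ascii_lowercase:
            i = ascii_lowercase.index(ch)
            out.append(ascii_lowercase[(mult * i + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def generate_code(first_password: str, second_password: str) -> str:
    """Encrypt the second password with the routines the first password selects.

    Digits are consumed left to right: digit d selects routine Ad, and the
    digit 0 selects A10. The result is reproducible for the same two inputs.
    """
    code = second_password
    for d in digit_series(first_password):
        code = substitute(code, (int(d) - 1) % 10)
    return code


if __name__ == "__main__":
    print(digit_series("123aA"))           # 123123342, the series given in the text
    print(generate_code("123aA", "shop"))  # zwfk
```

Note that composing monoalphabetic substitutions yields another monoalphabetic substitution, so for a fixed first password the code is a letter-for-letter permutation of the second password, whatever the number of digits consumed; this bounds the strength of the "simple example" and is worth keeping in mind when reading the text's encryption claims.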
The thus generated (access) code can finally be sent by means of program keystrokes to the application/website to which access is desired and for which the (access) code is required. Program keystrokes are understood to mean: input into the computer not done physically by the user. Other terms for this are "software keystrokes" and/or "virtual keystrokes". The computer's input handling interprets these signals as physical keystrokes, and a so-called "SendKeys" command or routine can be used for this purpose. The user does not then have to enter the generated code with physical keystrokes in an input field of the website or application etc.; instead a program forming an embodiment of the present invention can provide for the transfer of the generated code to this input field. In order to further facilitate logging onto the application/website, an "Enter" keystroke can also be sent after the (access) code. After sending the (access) code the program can be closed automatically, preferably without placing or leaving behind confidential data on the hard disk or in the working memory. A program for implementing the invention can further be embodied with extra security options. In order to prevent "keylogging", the input fields of both the first password and the second password can be provided with so-called "password characters": whatever character is typed in, the same character then always appears on the screen (typically a "*" or a "@"). In order to prevent recording or storage (capture) of the first password and/or the second password and/or the generated (access) code by for instance a malicious keylog program, an algorithm regularly producing "virtual" keystrokes can be activated. While the keylog program then captures the input of the passwords or a generated (access) code, it also captures, without distinction, a jumble of other characters (for instance 20 characters per second) which do not form a part of either of the passwords or of the (access) code. In a log file of such a keylog program it is no longer possible to identify the manually typed characters. If the (access) code is not sent automatically to the receiving application/website, it may be possible for the generated secure (access) code shown on the screen to be copied to the clipboard. The program as embodiment of the invention can then comprise a routine which empties the clipboard after a period of time (for instance after 20 to 30 seconds) so as to prevent third parties with malicious intent from acquiring the generated (access) code during a (short) absence of the user.
A method and/or device according to the invention could also be used in situations wherein two users have to be in agreement in order to log into an application and/or website. This can be implemented in a manner comparable to that customary in the case of a bank vault, where two keys are required to open the vault. According to the present invention two passwords are then required, for instance if purchases are being considered on an account on a website, wherein for instance a child and a parent together enter their own specific password. The parent and the child can hereby log in jointly, each with their own password, but neither of them individually.
The present invention will be described hereinbelow on the basis of an embodiment thereof shown in the accompanying drawings, to which the present invention is not however limited and in which similar or the same reference numerals are used for similar or the same components and elements, and in which:
Fig. 1 shows a device for implementing the method, both according to the present invention; and
Fig. 2 shows an input screen such as can be shown to a user on a display or any other means for realizing the present invention.
Fig. 1 shows a device 12 as possible embodiment of a method, wherein both the method and the device 12 are embodiments of the present invention.
Device 12 comprises a generator 1. This latter is supplied via an input device 2 with two passwords, i.e. a first password 4 and a second password 5.
It is noted that one of the first and second passwords 4, 5 can be stored in a memory module 7 which forms part of generator 1, or is at least connected thereto. A number of encoding algorithms A1, A2, ... A10 can be stored in generator 1 for invoking thereof. This can take place with a method corresponding to a subroutine or an arbitrary algorithm. Parameters can herein be input into the separate encoding algorithms A1, A2, ... A10 in order to influence the manner of functioning of these encoding algorithms, wherein these parameters ensue from first password 4. A choice can also be made for one of the encoding algorithms A1, A2, ... A10 present in generator 1 on the basis of a single parameter which can ensue from first password 4. Various permutations of the foregoing are possible in respect of the choice of a specific encoding algorithm, or the setting of parameters to be used specifically in such an encoding algorithm.
The second password 5 entered via input device 2 is subjected to the encoding algorithms thus set or selected in generator 1. The outcome obtained from subjecting second password 5 to one or more than one of the encoding algorithms A1, A2, ... A10, on the basis of the setting using parameters obtained from first password 4, is the code 6, which can be sent from generator 1 to an intended application or website 3 to which access is desired. Sending the first and second passwords 4, 5 and code 6 can take place wirelessly or via cables. The whole process can also take place in a computer or on a network.
The method of inputting the various required components for implementing the present invention is shown in fig. 2. Here it is shown that when the program is invoked, a cursor 8 appears automatically in one of the two input fields. The two input fields for code 1 and code 2 relate respectively to first password 4 and second password 5. In the view of fig. 2 the first password 4 has already been entered and cursor 8 is at the second position of second password 5. When the user has also finished inputting second password 5 in the field designated with "code 2", the user can then press the "Enter" button (10). If the user changes his/her mind before then, or even after finishing input of the two passwords 4, 5, the whole process can be aborted by pressing the "Stop" button (9).
If however the user presses the "Enter" button (10), the code generated with generator 1 is displayed in the field "code" (6). This can be a readable display or a masked one which shows only for instance "#", "@" or something similar. In an embodiment with a free, open display of the generated code in field 6, the code can be sent with a cut-and-paste operation to the application or website, etc. 3 to which access is desired. It is also possible in a specific embodiment of the present invention for the generated code 6 to be sent directly to the application or website 3 for which it is intended. There are various security options for ensuring that keystrokes are not recorded, or are masked in an unrecognizable manner, in what is for instance known as a "keylog" program, which can track keystrokes. By generating dummy data for the keylog program, the entered first and second passwords 4, 5 can be made unrecognizable in a file in which the keystrokes are tracked, because they are "contaminated" by the dummy data.
The present invention is not limited to that described above with direct reference to the figures. There are in fact diverse other possibilities within the scope of the present invention as according to the appended claims, in particular the main claims, and additional or alternative possibilities are then not embodiments of the present invention only when they depart from the letter or spirit of the present invention according to the appended claims, in particular the independent claims 1 and 12. It is thus possible that diverse parameters can be extracted from first password 4 in order to set a single encoding algorithm with one or more than one parameter extracted from first password 4, and diverse iterative processes can be developed, the sequence or parameter settings of which are defined by data which can be extracted from first password 4. It is also possible that the first password comprises a string of at least one element and that a numeric value can be assigned to each element of the string, wherein each number comprises at least one digit. These digits can be placed in a predetermined manner in a series, for instance a series of which the sequence corresponds with that of the original string of elements which have each been converted into a digit value. Each number can herein be a designation of an iteration or parameter. In addition, the digits of the numbers in the series can be added together to produce a single parameter, which can also be an indication of one of a number of possible encoding algorithms, wherein the extracted parameter is therefore a designation for the encoding algorithm to be selected. Many other permutations are also possible.
Within the scope of the present invention, conditions can be set down for the passwords to be entered, for instance that a password must have a minimum length. If this requirement is not met, an embodiment of the present invention in the form of a program can however comprise the programmed measure that a password which is too short in respect of the requirements is doubled at least once, for instance by repeating the string of elements of the entered password. An alternative or additional requirement can be that the or each password comprises at least one letter and at least one digit.
For a further improvement of the effectiveness of the invention, a further measure can be considered in which a supplement is automatically added to at least one of the first and second passwords. This supplement can be a serial number assigned by the inventors, a distributor or a producer to an embodiment of the invention in the form of for instance a program, particularly if the user who wants to be able to work with the invention on a plurality of computers carries the invention with him/her (for instance on an information carrier such as a diskette, USB stick, etc.). For more stationary users, who work for instance on only one terminal, the supplement can contain all kinds of information related to the computer or terminal, such as the serial number of a hard disk, a fixed number in a memory chip and so on. Such a supplement can of course also wholly replace at least one of the first and second passwords.
The generator can be fully implemented in software, in firmware or as hardware. The generator can be connected to means for obtaining biometric features of a user as one of the first and second passwords, such as means for reading an iris scan etc. A user then need only remember a password related to the intended access, wherein the parameters or algorithm selection needed for the generator to process the biometric feature or the other password can be extracted from his/her iris scan or other biometric feature, or from the password entered manually by the user.
Claims
1. Method for reproducibly generating a code (6) with a generator (1) based on at least one adjustable encoding algorithm, comprising of:
- obtaining a first password (4);
- setting the encoding algorithm, the operation and/or functioning of the generator on the basis of the first password;
- obtaining a second password (5); and
- coding the second password on the basis of the first password and thus obtaining the code (6) using the generator after adjustment thereof.
2. Method as claimed in claim 1, wherein the generator (1) co-acts with a memory, which method further comprises of storing one of the first and the second password in the memory.
3. Method as claimed in claim 1 or 2, further comprising of obtaining at least one of the first and the second password via an input device (2).
4. Method as claimed in claim 1, 2 or 3, further comprising of making the code available to a user.
5. Method as claimed in claim 4, further comprising of releasing the code for a cut-and-paste operation to be carried out with a computer.
6. Method as claimed in at least one of the foregoing claims, further comprising of obtaining a set of instructions or parameters from the first password and adjusting the encoding algorithm, the operation and/or functioning of the generator therewith.
7. Method as claimed in claim 6, wherein the first password comprises a string of at least one element, and the method further comprises of: assigning a number of at least one digit to each element of the string on the basis of a predetermined relation, for instance in a table.
8. Method as claimed in claim 7, further comprising of placing in a series the digits of the numbers in a predetermined sequence, for instance a sequence corresponding with or related to the string, or another sequence.
9. Method as claimed in claim 8, further comprising of extracting from the series at least one parameter for adjusting the encoding algorithm, the operation and/or functioning of the generator, for instance by adding the digits.
10. Method as claimed in claim 8 or 9, further comprising of iterative adjustment of at least one parameter of the encoding algorithm, the operation and/or functioning of the generator in the sequence of the series.
11. Method as claimed in at least one of the foregoing claims, further comprising of generating dummy data for a setting such as a keylog program in order to mask the actual data.
12. Method as claimed in at least one of the claims 1-11, comprising of obtaining a supplement password as addition or alternative to at least one of the first and second passwords.
13. Method as claimed in claim 12, wherein the supplement is related to at least one of the pieces of information from the group comprising: a serial number of an embodiment of the method; a serial number of a component of a computer or terminal; and so on.
14. Device for reproducibly generating a code (6), comprising a generator (1) based on at least one adjustable encoding algorithm, comprising:
- means for obtaining a first password (4);
- means for adjusting the encoding algorithm, the operation and/or functioning of the generator on the basis of the first password;
- means for obtaining a second password (5); and
- means for coding the second password on the basis of the first password and thus obtaining the code (6) using the generator after adjustment thereof.
15. Device as claimed in claim 14, wherein the generator, the input device and the output device are integrated into at least one physical apparatus, possibly as software or in program form.
16. Device as claimed in claim 14 or 15, further comprising an external source which is or can be connected to the generator, wherein the first or the second password can be read automatically from the external source into the generator.
17. Device as claimed in claim 16, wherein the external source of the first password is connected to the generator via a wireless communication technique.
18. Device as claimed in at least one of the foregoing claims 14-17, further comprising means for entering a biometric feature of a relevant user into the generator.
19. Device as claimed in at least one of the foregoing claims 14-18, further comprising means for sending the generated secure code, preferably automatically, to an external source or destination, such as a secure website or application.
20. Device as claimed in at least one of the foregoing claims 14-19, further comprising means for sending the generated code by means of a wireless communication technique to the receiving external source or destination, such as a secure website or application.
Applications Claiming Priority (4)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| NL1028721 | 2005-04-08 | ||
| NL1028721A NL1028721C2 (en) | 2005-04-08 | 2005-04-08 | Code generating method for computer password, involves adjusting encoding algorithm and operation and functioning of generator, obtaining and coding password based on another password for obtaining code using generator |
| NL1029679 | 2005-08-04 | ||
| NL1029679A NL1029679C2 (en) | 2005-04-08 | 2005-08-04 | Method and system for generating passwords. |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2006107201A1 true WO2006107201A1 (en) | 2006-10-12 |
Family ID: 36600712
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/NL2006/000185 Ceased WO2006107201A1 (en) | 2005-04-08 | 2006-04-10 | Method and system for generating passwords |
Country Status (1)
| Country | Link |
|---|---|
| WO (1) | WO2006107201A1 (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20210064737A1 (en) * | 2019-08-28 | 2021-03-04 | Gary William Streuter | Hybrid password formed by an online website which programmatically creates a base password and combines said base password with a secondary password or personal identification number (PIN) entered by the account owner, and together said base password and said user entered password or PIN forms said hybrid password, whose total identity is not known to either said online website nor said account owner |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US5719941A (en) * | 1996-01-12 | 1998-02-17 | Microsoft Corporation | Method for changing passwords on a remote computer |
| US20010000045A1 (en) * | 1998-12-09 | 2001-03-15 | Yuan-Pin Yu | Web-based, biometric authentication system and method |
| WO2003088558A1 (en) * | 2002-04-05 | 2003-10-23 | Ipass, Inc. | Method and system for changing security information in a computer network |
| WO2004081766A2 (en) * | 2003-03-13 | 2004-09-23 | Quard Technology Aps | A computer system and an apparatus for use in a computer system |
Events
- 2006-04-10: WO PCT/NL2006/000185 (WO2006107201A1), not active (Ceased)
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | NENP | Non-entry into the national phase | Ref country code: RU |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 06732992; Country of ref document: EP; Kind code of ref document: A1 |