Organization-level password management employing user-device password vault

US 10,146,931 B1
Filed: 03/13/2015
Issued: 12/04/2018
Est. Priority Date: 03/13/2015
Status: Active Grant

First Claim

Patent Images

1. A method of operating a management computer to automatically change a password used by a user to authenticate to a service application executing in a service computer system communicatively coupled to the management computer, the service computer system including a service application server and an active directory server, the user having a computerized user device including a vault in which active passwords are stored, the vault being managed by a password management application executing either on the user device or on a password management server coupled to the user device, the method comprising:

monitoring for occurrence of an event signifying that the password is to be changed, the event being a single use of the password for authenticating the user to the service application, andin response to occurrence of the event;

assigning a new password;

generating a first message and sending it to the service computer system, the first message including the new password and an indication that the service application is to begin using the new password to authenticate the user to the service application, the first message being sent via a first interface of the management computer, the first interface coupling the management computer to a first network and the service computer system, the first message being sent to the active directory server to update a user authentication record used by the active directory server in authenticating the user to the service application; and

generating a second message and sending it to the password management application, the second message including the new password and an indication that the new password is to replace a current password in the vault for use in authenticating the user to the service application, the second message being sent via a second interface of the management computer, the second interface coupling the management computer to a second network and the user device used by the user,wherein generating the second message and sending it to the password management application includes communicating with the user device using a vault application programming interface (API) that (i) enables external management of contents of the password vault and of the operation of the password management application, and (ii) causes the new password to be stored in the vault in association with an identification of the service application for use in the authenticating of the user thereto.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer system includes a management computer for automatically changing a password used to authenticate a user to a service application. A user device includes a password vault managed by a password management application. The management computer monitors for an event signifying that the password is to be changed, e.g., a predetermined number of uses, etc. A new password is assigned, and a first message is generated and sent to the service application including the new password and an indication that it is to be used for subsequent user authentication. A second message is also generated and sent to the password management application, also including the new password and an indication that it replaces a current password in the vault for user authentication. The new password is automatically used by both the service application and the user device during subsequent authentications until expiration.

46 Citations

View as Search Results

18 Claims

1. A method of operating a management computer to automatically change a password used by a user to authenticate to a service application executing in a service computer system communicatively coupled to the management computer, the service computer system including a service application server and an active directory server, the user having a computerized user device including a vault in which active passwords are stored, the vault being managed by a password management application executing either on the user device or on a password management server coupled to the user device, the method comprising:
- monitoring for occurrence of an event signifying that the password is to be changed, the event being a single use of the password for authenticating the user to the service application, andin response to occurrence of the event;
  
  assigning a new password;
  
  generating a first message and sending it to the service computer system, the first message including the new password and an indication that the service application is to begin using the new password to authenticate the user to the service application, the first message being sent via a first interface of the management computer, the first interface coupling the management computer to a first network and the service computer system, the first message being sent to the active directory server to update a user authentication record used by the active directory server in authenticating the user to the service application; and
  
  generating a second message and sending it to the password management application, the second message including the new password and an indication that the new password is to replace a current password in the vault for use in authenticating the user to the service application, the second message being sent via a second interface of the management computer, the second interface coupling the management computer to a second network and the user device used by the user,wherein generating the second message and sending it to the password management application includes communicating with the user device using a vault application programming interface (API) that (i) enables external management of contents of the password vault and of the operation of the password management application, and (ii) causes the new password to be stored in the vault in association with an identification of the service application for use in the authenticating of the user thereto.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein assigning the new password includes auto-generating the new password at the management computer.
  - 3. The method of claim 2, wherein the auto-generating is according to an organization policy.
  - 4. The method of claim 3, wherein the policy specifies the event signifying that the password is to be changed.
  - 5. The method of claim 3, wherein the policy specifies a construction of the password including minimum length and required usage of types of characters.
  - 6. The method of claim 1, wherein the event signifying that the password is to be changed is specified in an explicit organization policy regarding password usage.
  - 7. The method of claim 1, wherein monitoring for the event includes receiving a notification from either the user device or the service application that a current password was used for an authentication.

8. A management computer, comprising:
- one or more processors;
  
  memory coupled to the processors by a high-speed data bus; and
  
  input/output interface circuitry coupled to the memory and the processors by the high-speed data bus, the input/output interface circuitry coupling the management computer to a service computer system and a computerized user device used by a user, the user device including a vault in which active passwords are stored, the vault being managed by a password management application executing either on the user device or on a password management server coupled to the user device,the memory storing instructions which, when executed by the processors, cause the management computer to operate to automatically change a password used by the user to authenticate to a service application executing in the service computer system, by;
  
  (1) monitoring for occurrence of an event signifying that the password is to be changed, the event being a single use of the password for authenticating the user to the service application, and(2) in response to occurrence of the event;
  
  (a) assigning a new password;
  
  (b) generating a first message and sending it to the service computer system, the first message including the new password and an indication that the service application is to begin using the new password to authenticate the user to the service application; and
  
  (c) generating a second message and sending it to the password management application, the second message including the new password and an indication that the new password is to replace a current password in the vault for use in authenticating the user to the service application,wherein the instructions, when executed by the processors to cause the management computer to generate the second message and send it to the password management application, cause the management computer to communicate with either the user device or password management server via a vault application programming interface (API) that (i) enables external management of contents of the password vault and of the operation of the password management application, and (ii) causes the new password to be stored in the vault in association with an identification of the service application for use in authenticating the user thereto,wherein the input/output interface circuitry includes a first interface to a first network for coupling the management computer to the service computer system, and includes a second interface to a second network for coupling the management computer to the computerized user device used by the user, and wherein (i) the first message is sent to the service computer system via the first interface, and (ii) the second message is sent to the password management application via the second interface,and wherein the service computer system includes a service application server and an active directory server, and the first message is sent to the active directory server to update a user authentication record used by the active directory server in the authenticating of the user to the service application.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The management computer of claim 8, wherein assigning the new password includes auto-generating the new password at the management computer.
  - 10. The management computer of claim 9, wherein the auto-generating is according to an organization policy.
  - 11. The management computer of claim 10, wherein the policy specifies the event signifying that the password is to be changed.
  - 12. The management computer of claim 10, wherein the policy specifies a construction of the password including minimum length and required usage of types of characters.
  - 13. The management computer of claim 8, wherein the event signifying that the password is to be changed is specified in an explicit organization policy regarding password usage.
  - 14. The management computer of claim 8, wherein monitoring for the event includes receiving a notification from either the user device or the service application that a current password was used for an authentication.
  - 15. The management computer of claim 8, wherein:
    - the computerized user device is one of a plurality of computerized user devices used by respective users, each user device including a respective vault managed by a respective password management application executing either on the respective user device or on the password management server, and the input/output interface circuitry couples the management computer to the plurality of computerized user devices; and
      
      the instructions are executed by the processors to cause the management computer to operate to automatically change respective passwords used by respective users by performing steps (1) and (2) for each password change, including;
      
      at step (2)(a), assigning a respective new password for the respective user;
      
      at step (2)(b), generating a respective first message including the respective new password and including an indication that the service application is to begin using the respective new password to authenticate the respective user to the service application; and
      
      at step (2)(c), generating a respective second message and sending it to the respective password management application, the respective second message including the respective new password and an indication that the respective new password is to replace a respective current password in the vault of the respective user device for use in authenticating the respective user to the service application.

16. A computer system, comprising:
- a service computer system executing a service application;
  
  a computerized user device including a vault in which active passwords are stored, the passwords including a password used by a user to authenticate to the service application, the vault being managed by a password management application executing either on the user device or on a password management server coupled to the user device; and
  
  a management computer used to automatically change the password used by the user to authenticate to the service application, the management computer being configured and operative to monitor for occurrence of an event signifying that the password is to be changed, the event being a single use of the password for authenticating the user to the service application, and in response to occurrence of the event (1) assign a new password, (2) generate a first message and send it to the service computer system, the first message including the new password and an indication that the service application is to begin using the new password to authenticate the user to the service application, and (3) generate a second message and send it to the password management application using a vault application programming interface (API), the second message including the new password and an indication that the new password is to replace a current password in the vault for use in authenticating the user to the service application,the password management application being configured and operative, in response to communications from the management server using the vault API, to (i) enable the management server to manage contents of the password vault and operation of the password management application, and (ii) in response to the second message using the vault API, to store the new password in the vault in association with an identification of the service application for subsequent use by the user device in authenticating the user to the service application,wherein the management computer includes a first interface to a first network for coupling the management computer to the service computer system, and includes a second interface to a second network for coupling the management computer to the computerized user device used by the user, and wherein (i) the first message is sent to the service computer system via the first interface, and (ii) the second message is sent to the password management application via the second interface,and wherein the service computer system includes a service application server and an active directory server, and the first message is sent to the active directory server to update a user authentication record used by the active directory server in the authenticating of the user to the service application.
- View Dependent Claims (17, 18)
- - 17. The computer system of claim 16, wherein assigning the new password includes auto-generating the new password at the management computer.
  - 18. The computer system of claim 16, wherein the event signifying that the password is to be changed is specified in an explicit organization policy regarding password usage.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Inventors
Kronrod, Boris, Friedman, Lawrence N.
Primary Examiner(s)
Pham, Luu T
Assistant Examiner(s)
Wilcox, James J

Application Number

US14/657,286
Time in Patent Office

1,362 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/41   where a single sign-on prov...

G06F 21/45   Structures or tools for the...

G06F 21/46   by designing passwords or c...

H04L 63/083   using passwords cryptograph...

H04L 63/0846   using time-dependent-passwo...

Organization-level password management employing user-device password vault

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

46 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Organization-level password management employing user-device password vault

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

46 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others