Compromised password detection based on abuse and attempted abuse

US 10,270,801 B2
Filed: 01/25/2016
Issued: 04/23/2019
Est. Priority Date: 01/25/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

obtaining, by a computing device, a list that includes a record generated for each of a plurality of detected failed login attempts, each record including a corresponding account identifier, a corresponding piece of password data, a corresponding location reference, and a corresponding temporal reference associated with one of the plurality of detected failed login attempts;

determining, by the computing device, that a first piece of password data in the list is identical to a second piece of password data in the list, and that a first location reference in the list is different than a second location reference in the list, wherein the first location reference and the second location reference are included in a pair of records in the list and are sequentially-ordered based on two or more temporal references in the list;

based on the determination, accessing, by the computing device, a publicly-available travel resource to identify an average travel time between two physical locations determined based on the first location reference and the second location reference;

modifying, by the computing device, a password blacklist to include the first piece of password data based on a determination that the average travel time exceeds a calculated duration between the two or more temporal references; and

employing, by the computing device, the password blacklist to prevent an association of the first piece of password data with at least one account identifier associated with the password blacklist.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are disclosed for analyzing a plurality of failed login records that correspond to failed login attempts detected by a computing system, to identify suspicious patterns of activity that can facilitate the supplementation of password blacklists for improving account security. To accomplish the foregoing, failed login records that include information associated with failed login attempts are obtained for analysis. The failed login records are analyzed to identify a set of failed login records that show initial characteristics of a suspicious pattern of activity. The information included in the set of failed login records are further analyzed to determine whether a suspicious pattern of activity is actually present. When a suspicious pattern of activity is identified in the set of failed login records, the passwords used in the failed login attempts are stored in password blacklists associated with the account identifier(s) with which the passwords were used.

23 Citations

20 Claims

1. A computer-implemented method, comprising:
- obtaining, by a computing device, a list that includes a record generated for each of a plurality of detected failed login attempts, each record including a corresponding account identifier, a corresponding piece of password data, a corresponding location reference, and a corresponding temporal reference associated with one of the plurality of detected failed login attempts;
  
  determining, by the computing device, that a first piece of password data in the list is identical to a second piece of password data in the list, and that a first location reference in the list is different than a second location reference in the list, wherein the first location reference and the second location reference are included in a pair of records in the list and are sequentially-ordered based on two or more temporal references in the list;
  
  based on the determination, accessing, by the computing device, a publicly-available travel resource to identify an average travel time between two physical locations determined based on the first location reference and the second location reference;
  
  modifying, by the computing device, a password blacklist to include the first piece of password data based on a determination that the average travel time exceeds a calculated duration between the two or more temporal references; and
  
  employing, by the computing device, the password blacklist to prevent an association of the first piece of password data with at least one account identifier associated with the password blacklist.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented method of claim 1, comprising selecting the password blacklist from a plurality of password blacklists based on the determination that the average travel time exceeds the calculated duration between the two or more temporal references.
  - 3. The computer-implemented method of claim 1, comprising selecting the password blacklist from a plurality of password blacklists based on a determination that two or more account identifiers in the list are identical.
  - 4. The computer-implemented method of claim 1, comprising:
    - selecting the password blacklist from a plurality of password blacklists based on a defined suspicious pattern of activity type; and
      
      modifying the password blacklist to include a reference to the defined suspicious pattern of activity type.
  - 5. The computer-implemented method of claim 1, wherein each corresponding location reference in the list includes a network address associated with one of the plurality of detected failed login attempts.
  - 6. The computer-implemented method of claim 1, wherein each corresponding temporal reference in the list includes a timestamp associated with one of the plurality of detected failed login attempts.
  - 7. The computer-implemented method of claim 1, wherein each corresponding piece of password data in the list includes a password hash associated with one of the plurality of detected failed login attempts.

8. A non-transitory computer-readable medium storing instructions that, when executed, cause performance of operations comprising:
- obtaining a list that includes a record generated for each of a plurality of detected failed login attempts, each record including a corresponding account identifier, a corresponding piece of password data, a corresponding location reference, and a corresponding temporal reference associated with one of the plurality of detected failed login attempts;
  
  determining that a first piece of password data in the list is identical to a second piece of password data in the list, and that a first location reference in the list is different than a second location reference in the list, wherein the first location reference and the second location reference are included in a pair of records in the list and are sequentially-ordered based on two or more temporal references in the list;
  
  based on the determination, accessing a publicly-available travel resource to identify an average travel time between two physical locations determined based on the first location reference and the second location reference;
  
  modifying a password blacklist to include the first piece of password data based on a determination that the average travel time exceeds a calculated duration between the two or more temporal references; and
  
  employing the password blacklist to prevent an association of the first piece of password data with at least one account identifier associated with the password blacklist.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory computer-readable medium of claim 8, the operations comprising selecting the password blacklist from a plurality of password blacklists based on the determination that the average travel time exceeds the calculated duration between the two or more temporal references.
  - 10. The non-transitory computer-readable medium of claim 8, the operations comprising selecting the password blacklist from a plurality of password blacklists based on a determination that two or more account identifiers in the list are identical.
  - 11. The non-transitory computer-readable medium of claim 8, the operations comprising:
    - selecting the password blacklist from a plurality of password blacklists based on a defined suspicious pattern of activity type; and
      
      modifying the password blacklist to include a reference to the defined suspicious pattern of activity type.
  - 12. The non-transitory computer-readable medium of claim 8, wherein each corresponding location reference in the list includes a network address associated with one of the plurality of detected failed login attempts.
  - 13. The non-transitory computer-readable medium of claim 8, wherein each corresponding temporal reference in the list includes a timestamp associated with one of the plurality of detected failed login attempts.
  - 14. The non-transitory computer-readable medium of claim 8, wherein each corresponding piece of password data in the list includes a password hash associated with one of the plurality of detected failed login attempts.

15. A system comprising:
- a processor; and
  
  a computer-readable medium storing instructions that, when executed by the processor, cause the processor to;
  
  obtain a list that includes a record generated for each of a plurality of detected failed login attempts, each record including a corresponding account identifier, a corresponding piece of password data, a corresponding location reference, and a corresponding temporal reference associated with one of the plurality of detected failed login attempts;
  
  determine that a first piece of password data in the list is identical to a second piece of password data in the list, and that a first location reference in the list is different than a second location reference in the list, wherein the first location reference and the second location reference are included in a pair of records in the list and are sequentially-ordered based on two or more temporal references in the list;
  
  based on the determination, access a publicly-available travel resource to identify an average travel time between two physical locations determined based on the first location reference and the second location reference;
  
  modify a password blacklist to include the first piece of password data based on a determination that the average travel time exceeds a calculated duration between the two or more temporal references; and
  
  employ the password blacklist to prevent an association of the first piece of password data with at least one account identifier associated with the password blacklist.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, the computer-readable medium storing instructions that, when executed by the processor, cause the processor to select the password blacklist from a plurality of password blacklists based on the determination that the average travel time exceeds the calculated duration between the two or more temporal references.
  - 17. The system of claim 15, the computer-readable medium storing instructions that, when executed by the processor, cause the processor to select the password blacklist from a plurality of password blacklists based on a determination that two or more account identifiers in the list are identical.
  - 18. The system of claim 15, the computer-readable medium storing instructions that, when executed by the processor, cause the processor to:
    - select the password blacklist from a plurality of password blacklists based on a defined suspicious pattern of activity type; and
      
      modify the password blacklist to include a reference to the defined suspicious pattern of activity type.
  - 19. The system of claim 15, wherein each corresponding location reference in the list includes a network address associated with one of the plurality of detected failed login attempts.
  - 20. The system of claim 15, wherein each corresponding piece of password data in the list includes a password hash associated with one of the plurality of detected failed login attempts.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
Oath Inc. (Verizon Communications Inc.)
Inventors
Maxwell, Lachlan A., McQueen, Donald J., Wakefield, III, William C.
Primary Examiner(s)
Pham, Luu T
Assistant Examiner(s)
Jackson, Jenise E

Application Number

US15/005,319
Publication Number

US 20170214712A1
Time in Patent Office

1,184 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 21/46   by designing passwords or c...

H04L 63/083   using passwords cryptograph...

H04L 63/107   wherein the security polici...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

Compromised password detection based on abuse and attempted abuse

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

23 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Compromised password detection based on abuse and attempted abuse

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links