Systems and methods evaluating password complexity and strength
Abstract
A password evaluation engine used to evaluate a user's password that redefines the concepts of password complexity and password strength is discussed. Password complexity may be calculated by the evaluation engine so as to take into account the amount of knowledge possessed by a potential attacker, seeking to crack the password, of the rules corresponding to a rule set used for generating the password. A determination of password strength by the evaluation engine may consider a potential attacker's computational resources, the protection function used to protect/store a password and the amount of time available to the attacker to crack the password with respect to an identified search space based on the attacker's knowledge. Embodiments also enable a password strength estimator to be evaluated and policy recommendations to be generated for an entity's password policy requirements.
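The quantities named in the abstract can be worked through in Python. This is an added example, not code from the patent or from any implementation of it. The character-class sizes, the log-space interpolation used for the attacker's "amount of knowledge", and the work-factor model of the protection function are all assumptions made for illustration.

```python
import math
from itertools import combinations

# Constructed sample alphabet: character classes and their sizes (assumption).
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

def full_space(length, classes=CLASSES):
    """Every string of `length` over the whole alphabet (rules unknown)."""
    return sum(classes.values()) ** length

def min_search_space(length, required, classes=CLASSES):
    """Count strings of `length` that contain at least one character from each
    class in `required`, using inclusion-exclusion over the missing classes."""
    total = sum(classes.values())
    count = 0
    for r in range(len(required) + 1):
        for missing in combinations(required, r):
            remaining = total - sum(classes[c] for c in missing)
            count += (-1) ** r * remaining ** length
    return count

def adjusted_space(length, required, knowledge, classes=CLASSES):
    """Assumed model: knowledge in [0, 1] interpolates in log space between
    the full space (0, rules unknown) and the rule-compliant space (1)."""
    if not 0.0 <= knowledge <= 1.0:
        raise ValueError("knowledge must be between 0 and 1")
    hi = math.log2(full_space(length, classes))
    lo = math.log2(min_search_space(length, required, classes))
    return 2 ** (hi - knowledge * (hi - lo))

def seconds_to_exhaust(space, hashes_per_second, work_factor=1):
    """Worst-case exhaustive search time. `work_factor` is an assumed cost
    multiplier for the protection function (e.g. iteration count)."""
    return space * work_factor / hashes_per_second

def is_strong(space, hashes_per_second, work_factor, seconds_available):
    """Strong here means the space cannot be exhausted in the time available."""
    return seconds_to_exhaust(space, hashes_per_second, work_factor) > seconds_available

if __name__ == "__main__":
    required = ("lower", "upper", "digit", "symbol")
    for k in (0.0, 0.5, 1.0):
        space = adjusted_space(8, required, k)
        days = seconds_to_exhaust(space, 1e10, work_factor=10_000) / 86_400
        print(f"knowledge={k}: {math.log2(space):.2f} bits, {days:,.0f} days worst case")
```
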
27 Claims
1. A computing device-implemented method for evaluating a password, comprising:
receiving a rule set used to create a password for a user, the password consisting of a plurality of characters from an alphabet, the rule set required by an entity requiring the password creation and including one or more rules applicable to creating the password;
identifying a size of a minimum search space equal to the smallest subset of passwords that can be created from the alphabet based on the rule set;
calculating a complexity of the password by determining a size of an adjusted minimum search space based at least in part on an assigned amount of knowledge of the one or more rules in the rule set possessed by a potential attacker attempting to crack the password;
determining a strength of the password based on at least an attacker's resources, a protection function used to store the password and a time available to crack the password with respect to the adjusted minimum search space;
generating an evaluation of the password based on the calculated complexity and determined strength; and
providing the evaluation to a designated individual.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9

10. A computing device-implemented method for evaluating a password policy, comprising:
receiving an existing rule set used to create passwords for an entity, the passwords consisting of a plurality of characters from an alphabet, the rule set required by the entity and including one or more rules applicable to creating the passwords;
identifying a size of a minimum search space equal to the smallest subset of passwords that can be created from the alphabet based on the rule set;
calculating a complexity of a password by determining a size of an adjusted minimum search space based at least in part on an assigned amount of knowledge of the one or more rules in the rule set possessed by a potential attacker attempting to crack the passwords;
determining a first strength of the password, the determining of the first strength based on at least an attacker's resources, a protection function used to store the password and a time available to crack the password with respect to the adjusted minimum search space;
generating a recommendation for the password policy based on the determined first strength; and
providing the recommendation to a designated individual associated with the entity.
Dependent claims: 11, 12

13. A non-transitory medium holding computing device-executable instructions for evaluating a password, the instructions when executed causing at least one computing device to:
receive a rule set used to create a password for a user, the password consisting of a plurality of characters from an alphabet, the rule set required by an entity requiring the password creation and including one or more rules applicable to creating the password;
identify a size of a minimum search space equal to the smallest subset of passwords that can be created from the alphabet based on the rule set;
calculate a complexity of the password by determining a size of an adjusted minimum search space based at least in part on an assigned amount of knowledge of the one or more rules in the rule set possessed by a potential attacker attempting to crack the password;
determine a strength of the password based on at least an attacker's resources, a protection function used to store the password and a time available to crack the password with respect to the adjusted minimum search space;
generate an evaluation of the password based on the calculated complexity and determined strength; and
provide the evaluation to a designated individual.
Dependent claims: 14, 15, 16, 17, 18, 19, 20, 21

22. A non-transitory medium holding computing device-executable instructions for evaluating a password policy, the instructions when executed causing at least one computing device to:
receive an existing rule set used to create passwords for an entity, the passwords consisting of a plurality of characters from an alphabet, the rule set required by the entity and including one or more rules applicable to creating the passwords;
identify a size of a minimum search space equal to the smallest subset of passwords that can be created from the alphabet based on the rule set;
calculate a complexity of a password by determining a size of an adjusted minimum search space based at least in part on an assigned amount of knowledge of the one or more rules in the rule set possessed by a potential attacker attempting to crack the passwords;
determine a first strength of the password, the determining of the first strength based on at least an attacker's resources, a protection function used to store the password and a time available to crack the password with respect to the adjusted minimum search space;
generating a recommendation for the password policy based on the determined first strength; and
provide the recommendation to a designated individual associated with the entity.
Dependent claims: 23, 24

25. A system for evaluating a password, comprising:
a computing device equipped with a processor and a network interface and configured to execute an evaluation engine, the evaluation engine when executed;
receiving a rule set used to create a password for a user, the password consisting of a plurality of characters from an alphabet, the rule set required by an entity requiring the password creation and including one or more rules applicable to creating the password;
identifying a size of a minimum search space equal to the smallest subset of passwords that can be created from the alphabet based on the rule set;
calculating a complexity of the password by determining a size of an adjusted minimum search space based at least in part on an assigned amount of knowledge of the one or more rules in the rule set possessed by a potential attacker attempting to crack the password;
determining a strength of the password based on at least an attacker's resources, a protection function used to store the password and a time available to crack the password with respect to the adjusted minimum search space;
generating an evaluation of the password based on the calculated complexity and determined strength, and provide the evaluation to a designated individual; and
a display device communicatively coupled to the computing device and configured to display a user interface generated by the evaluation engine.
Dependent claims: 26, 27

Specification