Systems and methods evaluating password complexity and strength

US 10,546,116 B2
Filed: 12/16/2016
Issued: 01/28/2020
Est. Priority Date: 12/17/2015
Status: Active Grant

First Claim

Patent Images

1. A computing device-implemented method for evaluating a password, comprising:

receiving a rule set used to create a password for a user, the password consisting of a plurality of characters from an alphabet, the rule set required by an entity requiring the password creation and including one or more rules applicable to creating the password;

identifying a size of a minimum search space equal to the smallest subset of passwords that can be created from the alphabet based on the rule set;

calculating a complexity of the password by determining a size of an adjusted minimum search space based at least in part on an assigned amount of knowledge of the one or more rules in the rule set possessed by a potential attacker attempting to crack the password;

determining a strength of the password based on at least an attacker'"'"'s resources, a protection function used to store the password and a time available to crack the password with respect to the adjusted minimum search space;

generating an evaluation of the password based on the calculated complexity and determined strength; and

providing the evaluation to a designated individual.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A password evaluation engine used to evaluate a user'"'"'s password that redefines the concepts of password complexity and password strength is discussed. Password complexity may be calculated by the evaluation engine so as to take into account the amount of knowledge possessed by a potential attacker, seeking to crack the password, of the rules corresponding to a rule set used for generating the password. A determination of password strength by the evaluation engine may consider a potential attacker'"'"'s computational resources, the protection function used to protect/store a password and the amount of time available to the attacker to crack the password with respect to an identified search space based on the attacker'"'"'s knowledge. Embodiments also enable a password strength estimator to be evaluated and policy recommendations to be generated for an entity'"'"'s password policy requirements.

31 Citations

View as Search Results

27 Claims

1. A computing device-implemented method for evaluating a password, comprising:
- receiving a rule set used to create a password for a user, the password consisting of a plurality of characters from an alphabet, the rule set required by an entity requiring the password creation and including one or more rules applicable to creating the password;
  
  identifying a size of a minimum search space equal to the smallest subset of passwords that can be created from the alphabet based on the rule set;
  
  calculating a complexity of the password by determining a size of an adjusted minimum search space based at least in part on an assigned amount of knowledge of the one or more rules in the rule set possessed by a potential attacker attempting to crack the password;
  
  determining a strength of the password based on at least an attacker'"'"'s resources, a protection function used to store the password and a time available to crack the password with respect to the adjusted minimum search space;
  
  generating an evaluation of the password based on the calculated complexity and determined strength; and
  
  providing the evaluation to a designated individual.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising:
    - receiving a specified order of a search space exploration for a plurality of different types of attacks employed by an attacker; and
      
      performing at least one of calculating the complexity of the password and determining the strength of the password based at least in part on the specified order of search space exploration with respect to the adjusted minimum search space.
  - 3. The method of claim 1, further comprising:
    - parsing the password to extract a plurality of patterns;
      
      comparing the extracted patterns with at least one of the rules used to create the password; and
      
      identifying the minimum search space based at least in part on the comparing.
  - 4. The method of claim 1 wherein the attacker'"'"'s resources include at least one of a computational power of an attacker and an amount of parallel processing being used by an attacker.
  - 5. The method of claim 1 wherein the determining of the strength of the password is based at least in part on knowledge of the attacker of the protection function.
  - 6. The method of claim 1 wherein the determined strength of the password is expressed in terms of a length of time needed by an attacker to crack the password.
  - 7. The method of claim 1, further comprising:
    - monitoring one or more social media platforms on which the user has a presence;
      
      extracting data related to the user from the one or more social media platforms; and
      
      adjusting the amount of assigned knowledge possessed by the potential attacker based on the extracted data.
  - 8. The method of claim 7, further comprising:
    - providing a programmatically generated alert based on the adjusting of the amount of assigned knowledge, the programmatically generated alert provided to at least one of a user and an entity associated with the password.
  - 9. The method of claim 1, further comprising:
    - receiving a password strength estimate for the password from an entity using a password strength estimator;
      
      comparing the determined strength to the password strength estimate received from the password strength estimator; and
      
      generating an evaluation of the accuracy of the password strength estimator based on the comparing.

10. A computing device-implemented method for evaluating a password policy, comprising:
- receiving an existing rule set used to create passwords for an entity, the passwords consisting of a plurality of characters from an alphabet, the rule set required by the entity and including one or more rules applicable to creating the passwords;
  
  identifying a size of a minimum search space equal to the smallest subset of passwords that can be created from the alphabet based on the rule set;
  
  calculating a complexity of a password by determining a size of an adjusted minimum search space based at least in part on an assigned amount of knowledge of the one or more rules in the rule set possessed by a potential attacker attempting to crack the passwords;
  
  determining a first strength of the password, the determining of the first strength based on at least an attacker'"'"'s resources, a protection function used to store the password and a time available to crack the password with respect to the adjusted minimum search space;
  
  generating a recommendation for the password policy based on the determined first strength; and
  
  providing the recommendation to a designated individual associated with the entity.
- View Dependent Claims (11, 12)
- - 11. The method of claim 10, further comprising:
    - adjusting at least one of the rules in the rule set;
      
      identifying a size of a second minimum search space equal to the smallest subset of passwords that can be created from the alphabet based on the rule set with the adjusted at least one rule;
      
      determining a size of a second adjusted minimum search space based on an assigned amount of knowledge of the one or more rules containing the adjusted at least one rule that is possessed by a potential attacker attempting to crack the passwords;
      
      determining a second strength of the password, the determining of the second strength based on at least an attacker'"'"'s resources, a protection function used to store the password and a time available to crack the password with respect to the second adjusted minimum search space; and
      
      providing a password policy recommendation to the entity with respect to the rule set based on a difference between the determined second strength and the determined first strength.
  - 12. The method of claim 10, further comprising:
    - adjusting the assigned amount of knowledge of the potential attacker;
      
      determining a size of a second adjusted minimum search space based on the adjusted assigned amount of knowledge of the one or more rules possessed by the potential attacker;
      
      determining a second strength of the password, the determining of the second strength based on at least an attacker'"'"'s resources, a protection function used to store the password and a time available to crack the password with respect to the second adjusted minimum search space; and
      
      providing a password policy recommendation to the entity based on a difference between the determined second strength and the determined first strength.

13. A non-transitory medium holding computing device-executable instructions for evaluating a password, the instructions when executed causing at least one computing device to:
- receive a rule set used to create a password for a user, the password consisting of a plurality of characters from an alphabet, the rule set required by an entity requiring the password creation and including one or more rules applicable to creating the password;
  
  identify a size of a minimum search space equal to the smallest subset of passwords that can be created from the alphabet based on the rule set;
  
  calculate a complexity of the password by determining a size of an adjusted minimum search space based at least in part on an assigned amount of knowledge of the one or more rules in the rule set possessed by a potential attacker attempting to crack the password;
  
  determine a strength of the password based on at least an attacker'"'"'s resources, a protection function used to store the password and a time available to crack the password with respect to the adjusted minimum search space;
  
  generate an evaluation of the password based on the calculated complexity and determined strength; and
  
  provide the evaluation to a designated individual.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21)
- - 14. The medium of claim 13 wherein the instructions when executed further cause the at least one computing device to:
    - receive a specified order of a search space exploration for a plurality of different types of attacks employed by an attacker; and
      
      perform at least one of calculating the complexity of the password and determining the strength of the password based at least in part on the specified order of search space exploration with respect to the adjusted minimum search space.
  - 15. The medium of claim 13 wherein the instructions when executed further cause the at least one computing device to:
    - parse the password to extract a plurality of patterns;
      
      compare the extracted patterns with at least one of the rules used to create the password; and
      
      identify the minimum search space based at least in part on the comparing.
  - 16. The medium of claim 13 wherein the attacker'"'"'s resources include at least one of a computational power of an attacker and an amount of parallel processing being used by an attacker.
  - 17. The medium of claim 13 wherein the determining of the strength of the password is based at least in part on knowledge of the attacker of the protection function.
  - 18. The medium of claim 13 wherein the determined strength of the password is expressed in terms of a length of time needed by an attacker to crack the password.
  - 19. The medium of claim 13 wherein the instructions when executed further cause the at least one computing device to:
    - monitor one or more social media platforms on which the user has a presence;
      
      extract data related to the user from the one or more social media platforms; and
      
      adjust the amount of assigned knowledge possessed by the potential attacker based on the extracted data.
  - 20. The medium of claim 19 wherein the instructions when executed further cause the at least one computing device to:
    - provide a programmatically generated alert based on the adjusting of the amount of assigned knowledge, the programmatically generated alert provided to at least one of a user and an entity associated with the password.
  - 21. The medium of claim 13 wherein the instructions when executed further cause the at least one computing device to:
    - receive a password strength estimate for the password from an entity using a password strength estimator;
      
      compare the determined strength to the password strength estimate received from the password strength estimator; and
      
      generate an evaluation of the accuracy of the password strength estimator based on the comparing.

22. A non-transitory medium holding computing device-executable instructions for evaluating a password policy, the instructions when executed causing at least one computing device to:
- receive an existing rule set used to create passwords for an entity, the passwords consisting of a plurality of characters from an alphabet, the rule set required by the entity and including one or more rules applicable to creating the passwords;
  
  identify a size of a minimum search space equal to the smallest subset of passwords that can be created from the alphabet based on the rule set;
  
  calculate a complexity of a password by determining a size of an adjusted minimum search space based at least in part on an assigned amount of knowledge of the one or more rules in the rule set possessed by a potential attacker attempting to crack the passwords;
  
  determine a first strength of the password, the determining of the first strength based on at least an attacker'"'"'s resources, a protection function used to store the password and a time available to crack the password with respect to the adjusted minimum search space;
  
  generating a recommendation for the password policy based on the determined first strength; and
  
  provide the recommendation to a designated individual associated with the entity.
- View Dependent Claims (23, 24)
- - 23. The medium of claim 22 wherein the instructions when executed further cause the at least one computing device to:
    - adjust at least one of the rules in the rule set;
      
      identify a size of a second minimum search space equal to the smallest subset of passwords that can be created from the alphabet based on the rule set with the adjusted at least one rule;
      
      determine a size of a second adjusted minimum search space based on an assigned amount of knowledge of the one or more rules containing the adjusted at least one rule that is possessed by a potential attacker attempting to crack the passwords;
      
      determine a second strength of the password, the determining of the second strength based on at least an attacker'"'"'s resources, a protection function used to store the password and a time available to crack the password with respect to the second adjusted minimum search space; and
      
      provide a password policy recommendation to the entity with respect to the rule set based on a difference between the determined second strength and the determined first strength.
  - 24. The medium of claim 22 wherein the instructions when executed further cause the at least one computing device to:
    - adjust the assigned amount of knowledge of the potential attacker;
      
      determine a size of a second adjusted minimum search space based on the adjusted assigned amount of knowledge of the one or more rules possessed by the potential attacker;
      
      determine a second strength of the password, the determining of the second strength based on at least an attacker'"'"'s resources, a protection function used to store the password and a time available to crack the password with respect to the second adjusted minimum search space; and
      
      provide a password policy recommendation to the entity based on a difference between the determined second strength and the determined first strength.

25. A system for evaluating a password, comprising:
- a computing device equipped with a processor and a network interface and configured to execute an evaluation engine, the evaluation engine when executed;
  
  receiving a rule set used to create a password for a user, the password consisting of a plurality of characters from an alphabet, the rule set required by an entity requiring the password creation and including one or more rules applicable to creating the password;
  
  identifying a size of a minimum search space equal to the smallest subset of passwords that can be created from the alphabet based on the rule set;
  
  calculating a complexity of the password by determining a size of an adjusted minimum search space based at least in part on an assigned amount of knowledge of the one or more rules in the rule set possessed by a potential attacker attempting to crack the password;
  
  determining a strength of the password based on at least an attacker'"'"'s resources, a protection function used to store the password and a time available to crack the password with respect to the adjusted minimum search space;
  
  generating an evaluation of the password based on the calculated complexity and determined strength, andprovide the evaluation to a designated individual; and
  
  a display device communicatively coupled to the computing device and configured to display a user interface generated by the evaluation engine.
- View Dependent Claims (26, 27)
- - 26. The system of claim 25 wherein the computing device is further configured to execute a monitoring module that when executed:
    - monitors one or more social media platforms on which the user has a presence;
      
      extracts data related to the user from the one or more social media platforms; and
      
      provides the extracted data to the evaluation engine in order to adjust the amount of assigned knowledge possessed by the potential attacker based on the extracted data.
  - 27. The system of claim 26, wherein the evaluation engine when executed:
    - provides a programmatically generated alert based on the adjusting of the amount of assigned knowledge, the programmatically generated alert provided to at least one of the user and an entity associated with the password.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Massachusetts Institute of Technology
Original Assignee
Massachusetts Institute of Technology
Inventors
Sahin, Cem S, Lychev, Robert D., Wagner, Neal
Primary Examiner(s)
Parsons, Theodore C
Assistant Examiner(s)
Louie, Howard H.

Application Number

US15/381,493
Publication Number

US 20180012014A1
Time in Patent Office

1,138 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/31   User authentication

G06F 21/46   by designing passwords or c...

G06F 21/55   Detecting local intrusion o...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/604   Tools and structures for ma...

G06F 2221/00   Indexing scheme relating to...

H04L 9/0863   involving passwords or one-...

Systems and methods evaluating password complexity and strength

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

31 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods evaluating password complexity and strength

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

31 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links