Filtering Passwords Based on a Plurality of Criteria

US 20200137038A1
Filed: 10/29/2019
Published: 04/30/2020
Est. Priority Date: 10/31/2018
Status: Active Grant

First Claim

Patent Images

1. A tangible, non-transitory, machine-readable medium storing instructions that when executed by one or more processors effectuate operations comprising:

obtaining, with one or more processors, with a domain controller of a private computer network, a first password, the first password being associated with a first username and serving to afford access to the private computer network;

determining, with one or more processors, with a credential-monitoring application within the private computer network, whether the first password satisfies one or more criteria from among a plurality of criteria, wherein determining whether the first password satisfies a first criterion among the plurality of criteria includes;

comparing, with the credential-monitoring application within the private computer network, the first password to a set of compromised credentials within a database within the private computer network; and

determining whether the first password matches one or more passwords within the database; and

in response to the determination that the first password satisfies the one or more criteria from among the plurality of criteria, causing, with one or more processors, a use of the first password to access the private computer network to be rejected and causing, with one or more processors, a first user associated with the first password to be notified to change the first password.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided is a process, including: obtaining a first password to a private computer network; determining, with a credential-monitoring application within the private computer network, whether the first password satisfies one or more criteria by: comparing the first password to a set of compromised credentials within a database within the private computer network; and determining whether the first password matches one or more passwords within the database; and in response to the determination that the first password satisfies the one or more criteria from among the plurality of criteria, causing a use of the first password to access the private computer network to be rejected and causing a first user associated with the first password to be notified to change the first password.

24 Citations

20 Claims

1. A tangible, non-transitory, machine-readable medium storing instructions that when executed by one or more processors effectuate operations comprising:
- obtaining, with one or more processors, with a domain controller of a private computer network, a first password, the first password being associated with a first username and serving to afford access to the private computer network;
  
  determining, with one or more processors, with a credential-monitoring application within the private computer network, whether the first password satisfies one or more criteria from among a plurality of criteria, wherein determining whether the first password satisfies a first criterion among the plurality of criteria includes;
  
  comparing, with the credential-monitoring application within the private computer network, the first password to a set of compromised credentials within a database within the private computer network; and
  
  determining whether the first password matches one or more passwords within the database; and
  
  in response to the determination that the first password satisfies the one or more criteria from among the plurality of criteria, causing, with one or more processors, a use of the first password to access the private computer network to be rejected and causing, with one or more processors, a first user associated with the first password to be notified to change the first password.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The medium of claim 1, wherein the first criterion is satisfied in response to the one or more passwords matching the first password.
  - 3. The medium of claim 1, wherein determining whether the first password satisfies the first criterion further includes determining whether a number of the one or more passwords that match the first password exceeds a threshold and wherein the first criterion is satisfied in response to the determination that the number of the one or more passwords that match the first password exceeds the threshold, wherein the threshold is one or more.
  - 4. The medium of claim 1, wherein the plurality of criteria includes a second criterion, wherein determining whether the first password satisfies the second criterion includes determining whether the first password includes sequential characters, and wherein the second criterion is satisfied in response to the determination that the first password includes sequential characters.
  - 5. The medium of claim 1, wherein the plurality of criteria includes a second criterion, wherein determining whether the first password satisfies the second criterion includes determining whether the first password includes repetitive characters, and wherein the second criterion is satisfied in response to the determination that the first password includes repetitive characters.
  - 6. The medium of claim 1, wherein the plurality of criteria includes a second criterion, wherein determining whether the first password satisfies the second criterion includes determining whether the first password includes one or more dictionary words included in another database, and wherein the second criterion is satisfied in response to the determination that the first password includes one or more dictionary words.
  - 7. The medium of claim 1, wherein the plurality of criteria includes a second criterion, wherein determining whether the first password satisfies the second criterion includes determining whether the first password includes one or more context-specific words, and wherein the second criterion is satisfied in response to the determination that the first password includes one or more context-specific words.
  - 8. The medium of claim 1, wherein:
    - determining whether the first password satisfies a second criterion among the plurality of criteria includes determining whether the first password includes sequential characters,determining whether the first password satisfies a third criterion among the plurality of criteria includes determining whether the first password includes repetitive characters,determining whether the first password satisfies a fourth criterion among the plurality of criteria includes determining whether the first password includes one or more dictionary words included in another database,determining whether the first password satisfies a fifth criterion among the plurality of criteria includes determining whether the first password includes one or more context-specific words, andthe operations comprise;
      
      in response to the determination that the first password satisfies two or more criteria from among the plurality of criteria, rejecting, with one or more processors, the use of the first password to access the private computer network and causing, with one or more processors, the first user associated with the first password to be notified to change the first password wherein the predetermined number of criteria is at least 1.
  - 9. The medium of claim 1, wherein:
    - determining whether the first password satisfies a second criterion among the plurality of criteria includes determining whether the first password includes sequential characters,determining whether the first password satisfies a third criterion among the plurality of criteria includes determining whether the first password includes repetitive characters,determining whether the first password satisfies a fourth criterion among the plurality of criteria includes determining whether the first password includes one or more dictionary words included in another database,determining whether the first password satisfies a fifth criterion among the plurality of criteria includes determining whether the first password includes one or more context-specific words, andthe operations comprise;
      
      in response to the determination that the first password satisfies three or more criteria from among the plurality of criteria, rejecting, with one or more processors, the use of the first password to access the private computer network and causing, with one or more processors, the first user associated with the first password to be notified to change the first password
  - 10. The medium of claim 1, wherein obtaining, with the domain controller of the private computer network, the first password comprises:
    - obtaining the first password in response to the first user attempting to create the first password associated with the first username or the first user attempting to change a previous password associated with the first username to the first password.
  - 11. The medium of claim 1, wherein the operations comprise:
    - receiving, via a network, a differential update from a remote credential-monitoring system of credentials determined to have been compromised since a previous update of the database; and
      
      writing the differential update to the database resident on the private computer network, wherein determining whether the first password matches one or more passwords within the database includes comparing the first password to updated credentials in the database.
  - 12. The medium of claim 11, wherein the operations comprise:
    - obtaining, with one or more processors, a set of 1,000 or more passwords from another database within the private computer network;
      
      comparing, with one or more processors, the set of 1,000 or more passwords to the updated credentials in the database;
      
      determining, with one or more processors, with the credential-monitoring application with the private computer network, whether one or more passwords of the set of 1,000 or more passwords satisfy the one or more criteria; and
      
      in response to the determination that the one or more passwords of the set of 1,000 or more passwords satisfy the one or more criteria, causing, with one or more processors, a user of the one or more passwords of the set of 1,000 or more passwords to access the private computer network to be rejected and causing, with one or more processors, one or more users associated with the one or more passwords of the set of 1,000 or more passwords to be notified to change the one or more passwords of the set of 1,000 or more passwords.
  - 13. The medium of claim 1, wherein:
    - the match is determined based on a cryptographic hash collision.
  - 14. The medium of claim 1, wherein causing the first user to be notified to change the first password comprises:
    - causing the first user to be notified via a same screen via which the first user is attempting to create the first password associated with the first username or the first user is attempting to change a previous password associated with the first username to the first password.
  - 15. The medium of claim 1, wherein:
    - the set of compromised credentials comprise more than 100 million compromised credentials; and
      
      determining that a second password does not appear in the set of compromised credentials is performed within 5 seconds of obtaining the second password.
  - 16. The medium of claim 15, wherein:
    - the second password is determined to not appear in the set of compromised credentials based on a probabilistic data structure or a content-addressable data structure to which data describing the set of compromised credentials is written.
  - 17. The medium of claim 1, wherein the operations comprise:
    - in response to the determination that the first password does not satisfy the one or more criteria, causing, with one or more processors, a first user account on the private computer network to be accessed using the first username and the first password.
  - 18. The medium of claim 1, wherein the database is continuously updated with additional compromised credentials, and the operations comprise:
    - generating a criterion for the comparison, the criterion for the comparison being generated at least based on whether another comparison identifying the first password has been previously made; and
      
      receiving, from the database, the one or more passwords that matches the first password based on the comparison and the criterion for the comparison.
  - 19. The medium of claim 18, wherein receiving the one or more passwords that matches the first password based on the comparison and the criterion for the comparison comprises:
    - receiving, from a subset of the database, the one or more passwords that matches the first password in response to determining that the other comparison identifying the first password has been previously made.

20. A method, comprising:
- obtaining, with one or more processors, with a domain controller of a private computer network, a first password, the first password being associated with a first username and serving to afford access to the private computer network;
  
  determining, with one or more processors, with a credential-monitoring application within the private computer network, whether the first password satisfies one or more criteria from among a plurality of criteria, wherein determining whether the first password satisfies a first criterion among the plurality of criteria includes;
  
  comparing, with the credential-monitoring application within the private computer network, the first password to a set of compromised credentials within a database within the private computer network; and
  
  determining whether the first password matches one or more passwords within the database; and
  
  in response to the determination that the first password satisfies the one or more criteria from among the plurality of criteria, causing, with one or more processors, a use of the first password to access the private computer network to be rejected and causing, with one or more processors, a first user associated with the first password to be notified to change the first password.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Spycloud, Inc.
Original Assignee
Spycloud, Inc.
Inventors
Endler, David

Granted Patent

US 11,399,021 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/46   by designing passwords or c...

H04L 63/083   using passwords cryptograph...

H04L 63/102   Entity profiles

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1466   Active attacks involving in...

H04L 63/20   for managing network securi...

Filtering Passwords Based on a Plurality of Criteria

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

24 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Filtering Passwords Based on a Plurality of Criteria

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

24 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links