Method for changing passwords on a remote computer

US 5,719,941 A
Filed: 01/12/1996
Issued: 02/17/1998
Est. Priority Date: 01/12/1996
Status: Expired due to Term

First Claim

Patent Images

1. A method for registering a new password for an account with a server via a client coupled to the server in a network, the server maintaining an accounts database including account identifications and corresponding passwords, the method comprising the steps of:

computing, by the client, a first message by encrypting a first data sequence including at least a new clear text password using an authenticating value as an encryption key, a form of the authenticating value being previously stored at the server for verifying the authenticity of a source of the new clear text password;

computing, by the client, a second message by encrypting a second data sequence including at least the authenticating value using a one-way hash of the new clear text password as an encryption key;

transmitting the first message to the server;

transmitting the second message to the server;

computing, by the server, the new clear text password from the first message, including at least the sub-step of decrypting the first message using the authenticating value, a form of which is maintained by the server, as a decryption key;

computing, by the server, the authenticating value from the second message, including at least the sub-step of decrypting the second message using a one-way hash of the new clear text password obtained from the first message as a decryption key;

verifying, by the server, the new password, the verifying step including at least the sub-step of determining that the authenticating value from the second message is the same as a server provided authenticating value that is based upon the form of the authenticating value previously stored at the server; and

conditionally registering a form of the new clear text password in the accounts database based upon the results of the verifying step.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for changing an account password stored at a physically remote location is provided. After initiating a password change sequence, a user submits both an old and a new password to its client machine. Thereafter, the client computes two message values to be transmitted to the server. The first message is computed by encrypting at least the new password using a one-way hash of the old password as an encryption key. The second message is computed by encrypting the one-way hash of the old password using a one-way hash of the new clear text password as the encryption key. The server receives both messages and computes a first decrypted value by decrypting the first message using the one-way hash of the old password, previously stored at the server, as the decryption key. The server computes a second decrypted value by decrypting the second message using a one-way hash of the first decrypted value as the decryption key. The server compares the decrypted one-way hashed value, transmitted in encrypted form in the second message, to the pre-stored hashed old password. If the two values are equal, then the server replaces the old password by the new password.

Citations

18 Claims

1. A method for registering a new password for an account with a server via a client coupled to the server in a network, the server maintaining an accounts database including account identifications and corresponding passwords, the method comprising the steps of:
- computing, by the client, a first message by encrypting a first data sequence including at least a new clear text password using an authenticating value as an encryption key, a form of the authenticating value being previously stored at the server for verifying the authenticity of a source of the new clear text password;
  
  computing, by the client, a second message by encrypting a second data sequence including at least the authenticating value using a one-way hash of the new clear text password as an encryption key;
  
  transmitting the first message to the server;
  
  transmitting the second message to the server;
  
  computing, by the server, the new clear text password from the first message, including at least the sub-step of decrypting the first message using the authenticating value, a form of which is maintained by the server, as a decryption key;
  
  computing, by the server, the authenticating value from the second message, including at least the sub-step of decrypting the second message using a one-way hash of the new clear text password obtained from the first message as a decryption key;
  
  verifying, by the server, the new password, the verifying step including at least the sub-step of determining that the authenticating value from the second message is the same as a server provided authenticating value that is based upon the form of the authenticating value previously stored at the server; and
  
  conditionally registering a form of the new clear text password in the accounts database based upon the results of the verifying step.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein the authenticating value is a form of an old clear text password for the account.
  - 3. The method of claim 2 wherein the authenticating value is a one-way hash of the old clear text password for the account.
  - 4. The method of claim 1 wherein the authenticating value is based upon a password submitted by a network administrator, thereby providing access to a password set function for setting the account password.
  - 5. The method of claim 1 wherein the first data sequence comprises a password buffer including, in addition to the new clear text password, a set of random filler data, and a length field enabling a receiver of the first message to identify a portion of the password buffer occupied by the new clear text password.
  - 6. The method of claim 5 wherein the random filler data occupies a lead portion of the password buffer.
  - 7. The method of claim 5 wherein the computing the new clear text password from the first message further comprises the sub-step of extracting the new clear text password from the first data sequence obtained from the sub-step of decrypting the first message.
  - 8. The method of claim 1 wherein the verifying step further comprises applying, by the server, at least one password selection protocol in order to ensure that the new clear text password for the account does not correspond to any prohibited password.
  - 9. The method of claim 1 further comprising the step of registering the new password for the account with at least an additional independent provider, the account using a same password to logon to both the server and the additional provider, the registering step comprising the sub-steps of:
    - identifying the additional independent provider;
      
      calling a subroutine associated with the additional provider, and passing the new clear text password and an account identification as operands; and
      
      communicating the new password to the independent provider via the subroutine.

10. In a network system having at least one client and at least one server disposed for bi-directional communication, the server having a resource and the client having password-protected access to the resource, a method for changing an old password to a new password for an account comprising the steps of:
- establishing a communication link between the client and the server;
  
  computing a first value by encrypting a first message containing the new password with a one-way hash of the old password as an encryption key;
  
  computing a second value by encrypting a second message containing a one-way hash of the old password with a one-way hash of the new password as an encryption key;
  
  transmitting the first value and the second value from the client to the server;
  
  retrieving at the server a copy of the one-way hash of the old password;
  
  computing a third value by decrypting the first value with the copy of the one-way hash of the old password;
  
  computing a fourth value by decrypting the second value with a one-way hash of the third value; and
  
  verifying that the copy of the one-way hash of the old password is the same as the computed fourth value.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The method according to claim 10, wherein the new password contained within the first message is in clear text form.
  - 12. The method according to claim 10, further including the step of encrypting the new password before encrypting the entire first message.
  - 13. The method according to claim 10, further including the step of including random data adjacent the new password within the first message.
  - 14. The method according to claim 13, wherein the first message includes a portion indicative of the character length of the new password.

15. In a network system having a plurality of nodes including at least one client node, a server node and at least one provider node, the nodes being interconnected for bi-directional communication, the server and provider nodes each having a resource, and a first account having password-protected access to the resources of the server and provider nodes, a method for synchronizing a changed account password of the first account at the server node with a provider node comprising the steps of:
- identifying a provider node at which the first account has password-protected access;
  
  transmitting an identification for the first account and a new value for the changed account password in clear text form to a function residing on the server node; and
  
  transmitting to the provider node, via the function, a message for updating a password entry, on the provider node corresponding to the first account, to correspond to the new value for the changed account password.

16. In a network system having at least one client and at least one server disposed for bi-directional communication, the server maintaining an accounts database including account identifications and corresponding passwords, a method for changing an old account password to a new account password comprising the steps of:
- receiving an encryption of the new account password with a one-way hash of the old account password as an encryption key;
  
  receiving an encryption of a one-way hash of the old account password with a one-way hash of the new account password as an encryption key;
  
  decrypting the received, encrypted new account password;
  
  decrypting the received, encrypted one-way hash of the old account password;
  
  verifying the validity of the new account password;
  
  determining that the decrypted, encrypted one-way hash of the old account password is the same as a one-way hash of a previously stored old account password, and in response, replacing a value corresponding to the old account password by a new value corresponding to the new account password in the accounts database.

17. A method for transmitting a new password within an encrypted message to an accounts server via a client coupled to the accounts server such that the network accounts server may retrieve a clear text password from the encrypted message, the accounts server maintaining an accounts database including account identifications and corresponding passwords, the method comprising the steps of:
- computing, by the client, a first message by encrypting a first data sequence including at least a new clear text password using an authenticating value as an encryption key, a form of the authenticating value being previously stored at the accounts server for verifying the authenticity of the source of the new clear text password;
  
  computing, by the client, a second message by encrypting a second data sequence including at least the authenticating value using a one-way hash of the new clear text password as an encryption key;
  
  transmitting the first message to the accounts server; and
  
  transmitting the second message to the accounts server.

18. A method for obtaining by an accounts server, a new password for an account from an encrypted password message containing a new clear text password, the server maintaining an accounts database including account identifications and corresponding passwords, the method comprising the steps of:
- receiving a first message, the first message having been computed by encrypting a first data sequence including at least the new clear text password using an authenticating value as an encryption key, a form of the authenticating value having been previously stored at the accounts server for verifying the authenticity of a source of the new clear text password;
  
  receiving a second message, the second message having been computed by encrypting a second data sequence including at least the authenticating value using a one-way hash of the new clear text password as an encryption key;
  
  first computing the new clear text password from the first message, the first computing step including at least the sub-step of decrypting the first message using the authenticating value, a form of which is maintained by the accounts server, as a decryption key;
  
  second computing the authenticating value from the second message, the second computing step including at least the sub-step of decrypting the second message using a one-way hash of the new clear text password, obtained from the first message during the first computing step, as a decryption key;
  
  verifying the new password, the verifying step including at least the sub-step of determining that the authenticating value from the second message is the same as a server provided authenticating value that is based upon the form of the authenticating value previously stored at the server; and
  
  conditionally registering a form of the new clear text password in the accounts database based upon the results of the verifying step.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Misra, Pradyumna Kumar, Van Dyke, Clifford P., Swift, Michael M.
Primary Examiner(s)
Gregory, Bernarr E.

Application Number

US08/587,886
Time in Patent Office

767 Days
Field of Search

380/4, 380/9, 380/23, 380/25, 380/28, 380/29, 380/49, 380/50, 380/21, 380/44, 380/46, 340/825.31, 340/825.34, 395/188.01, 395/491
US Class Current

713/155
CPC Class Codes

G06F 21/31   User authentication

G06F 2211/007   Encryption, En-/decode, En-...

G06Q 20/4012   Verifying personal identifi...

H04L 63/0428   wherein the data content is...

H04L 63/083   using passwords cryptograph...

Method for changing passwords on a remote computer

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Method for changing passwords on a remote computer

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links