Techniques for real-time adaptive password policies
Abstract
Techniques for real-time adaptive password policies are presented. Patterns for passwords are regularly analyzed, along with other factors associated with the patterns, to dynamically determine password strength values. The strength values can change over time based on usage statistics. When a strength value falls below an acceptable threshold, passwords associated with that particular pattern can be downgraded or rejected in real-time, and the existing policy can be adapted to reflect the undesirability of that pattern.
Claims (24 in total; the independent claims are reproduced below)
1. A machine-implemented method residing and implemented in a non-transitory machine-readable medium for executing on a machine, comprising:
integrating, by the machine, processing of the method as a supplemental service to an enterprise authentication service that is just invoked by the authentication service when newly presented passwords are being established by the authentication service;
enforcing, by the machine, a first password policy against users of a network service;
dynamically evaluating, by the machine, password patterns being used by the users; and
adapting, by the machine, in real-time to a second password policy in response to evaluation of the password patterns and enforcing the second password policy in place of the first password policy against the users, the first password policy is dynamically altered to adapt to the second password policy and the second password policy evolves based on changing patterns for used passwords, the used passwords stored as regular expressions that define the password patterns without retaining the used passwords, and the first password policy counts a total number of decorations or modifications made to each base pattern identified in the regular expressions and when a predefined threshold of iterative modifications on that base pattern is detected, the second password policy is dynamically enforced without administrative intervention or analysis.
(Dependent claims 2, 3, 4, 5, 6 and 7 are not reproduced here.)
8. A machine-implemented method residing and implemented in a non-transitory machine-readable medium for executing on a machine, comprising:
integrating, by the machine, processing of the method as a supplemental service to an enterprise authentication service that is just invoked by the authentication service when newly presented passwords are being established by the authentication service;
prompting, by the machine, a user to change an existing password;
receiving, by the machine, a new password from the user;
analyzing, by the machine, past password patterns used by the user in view of a new pattern associated with the new password by at least detecting a total number of modifications made to each unique previous pattern and detecting when a predefined threshold of iterative modifications is reached, the past password patterns and the previous patterns retained as regular expressions and the existing password not retained;
dynamically adjusting, by the machine, password strength attributes for the past password patterns and the new pattern in response to a frequency of use for each past password pattern and the new pattern in view of the predefined threshold and without administrative intervention or analysis; and
determining, by the machine, in real time whether the new password is to be accepted or denied in response to comparing the strength attribute associated with the new pattern against a threshold strength value.
(Dependent claims 9, 10, 11, 12, 13 and 14 are not reproduced here.)
15. A system comprising:
a processing device configured for accessing a password pattern store residing in a non-transitory machine-accessible and computer-readable medium and accessible to a password service that executes on the processing device;
the processing device further configured with the password service implemented in a non-transitory machine-accessible and computer-readable medium and the password service executes on the processing device;
wherein the password service stores password patterns as regular expressions received from users in the password pattern store without storing particular passwords and the password service mines the password patterns to dynamically alter password strength attribute values associated with each particular password pattern, and wherein the password service dynamically and in real time alters, evolves, and adapts a password policy in response to changing password strength attribute values for the password patterns being used without administrative intervention or analysis based on counting a total number of modifications made to each base pattern identified in the regular expressions and detecting when a predefined threshold of iterative modifications on that base pattern is reached;
the password service integrated as a supplemental service to an enterprise authentication service that is just invoked by the authentication service when newly presented passwords are being established by the authentication service.
(Dependent claims 16, 17, 18, 19 and 20 are not reproduced here.)
21. A system, comprising:
a processing device configured with a password management service implemented in a non-transitory machine-accessible and computer-readable medium and the password management service executes on the processing device; and
the processing device or a different processing device from the processing device further configured with an adaptive password policy service implemented in a non-transitory machine-accessible and computer-readable medium and the adaptive password policy service executes on the processing device or the different processing device;
wherein the password management service interacts with a user to receive a new password from the user when the user is newly registered or when the user is changing from an existing password to the new password, and wherein the password management service interacts with the adaptive password policy service to receive an indication as to whether the new password is permissible, and wherein the adaptive password policy service dynamically alters an existing policy in response to mining a history of passwords for the user and the new password and informs the password management service to reject the new password in response to the dynamically altered and modified existing policy and the dynamically altered and modified existing policy is evolved by the adaptive password policy based on changing patterns for used passwords without administrative intervention or analysis by counting a total number of modifications made to each base pattern identified in the history of passwords that are stored as regular expressions and by detecting when a predefined threshold of iterative modifications on that base pattern is reached, history passwords in the history of passwords are not retained, rather, the regular expressions are retained in the history of passwords, and wherein the adaptive password management service is integrated as a supplemental service to an enterprise authentication service that is just invoked by the authentication service when newly presented passwords are being established by the authentication service.
(Dependent claims 22, 23 and 24 are not reproduced here.)
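The abstract and the four independent claims above describe one mechanism: collapse each newly presented password to a regular expression of its shape, keep only that pattern, count how often each pattern occurs across the population and how many times a user re-decorates the same base pattern with new digits and symbols, and let the policy downgrade or reject a pattern when its strength falls below a threshold, with no administrator in the loop. The Python below is an added illustration written for this page; it is not code from the patent or its assignee. The patent does not say how a pattern is derived from a password or how a strength value is computed, so the character-class run encoding, the base/decoration split, the strength formula and every numeric setting in `Policy` are assumptions made here for the example.

```python
"""Added example (not from the patent): adaptive password policy driven by
mined password patterns.  A password is collapsed to a regular expression of
character-class runs and then discarded; the policy evolves from pattern
frequency and from iterative decoration of the same base pattern."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Regex fragment per character class: U=upper, l=lower, d=digit, s=anything else.
CLASS_RE = {"U": "[A-Z]", "l": "[a-z]", "d": "[0-9]", "s": "[^A-Za-z0-9]"}


def _runs(password):
    """Run-length encode character classes: 'Summer24!' -> [('U',1),('l',5),('d',2),('s',1)]."""
    runs = []
    for ch in password:
        if "A" <= ch <= "Z":
            c = "U"
        elif "a" <= ch <= "z":
            c = "l"
        elif "0" <= ch <= "9":
            c = "d"
        else:
            c = "s"                      # symbols and non-ASCII all land in one class
        if runs and runs[-1][0] == c:
            runs[-1] = (c, runs[-1][1] + 1)
        else:
            runs.append((c, 1))
    return runs


def _fragment(runs):
    return "".join(CLASS_RE[c] + (f"{{{n}}}" if n > 1 else "") for c, n in runs)


def to_pattern(password):
    """Anchored regex describing the password's shape; this, not the password, is stored."""
    return "^" + _fragment(_runs(password)) + "$"


def split_pattern(password):
    """(base, (prefix, suffix)): base is the alphabetic core, prefix/suffix the digit and
    symbol 'decorations' around it.  'Summer24!' -> ('[A-Z][a-z]{5}', ('', '[0-9]{2}[^A-Za-z0-9]'))."""
    runs = _runs(password)
    i, j = 0, len(runs)
    while i < j and runs[i][0] in "ds":
        i += 1
    while j > i and runs[j - 1][0] in "ds":
        j -= 1
    return _fragment(runs[i:j]), (_fragment(runs[:i]), _fragment(runs[j:]))


@dataclass
class Policy:
    """All values are illustrative assumptions, not figures from the patent."""
    min_length: int = 8               # static rule carried over from the first policy
    min_strength: float = 0.7         # pattern strength required for acceptance
    modification_threshold: int = 3   # re-decorations of one base before it is downgraded
    downgrade_penalty: float = 0.5    # strength deducted once a base is downgraded
    population_floor: int = 10        # keeps a tiny population from rejecting everything
    downgraded_bases: set = field(default_factory=set)  # grows at run time: the 'second policy'


@dataclass
class PatternRecord:
    pattern: str
    base: str
    decoration: tuple


class AdaptivePasswordService:
    """Supplemental service the authentication service calls with each newly presented password."""

    def __init__(self, policy=None):
        self.policy = policy or Policy()
        self.pattern_uses = Counter()               # population-wide frequency per full pattern
        self.decorations = defaultdict(set)         # base -> distinct decorations seen on it
        self.history = defaultdict(list)            # user -> [PatternRecord]; no passwords kept
        self.modifications = defaultdict(Counter)   # user -> base -> iterative modification count

    def strength(self, pattern, base):
        """1.0 for an unseen pattern, falling with its population share; penalised if the base is downgraded."""
        total = max(sum(self.pattern_uses.values()), self.policy.population_floor)
        s = 1.0 - self.pattern_uses[pattern] / total
        if base in self.policy.downgraded_bases:
            s -= self.policy.downgrade_penalty
        return round(max(s, 0.0), 3)

    def submit(self, user, password):
        """Return (accepted, strength, reason) for a new password and let the policy evolve."""
        if len(password) < self.policy.min_length:
            return False, 0.0, "shorter than %d characters" % self.policy.min_length
        pattern = to_pattern(password)
        base, decoration = split_pattern(password)
        assert re.fullmatch(pattern, password)       # the mined regex really describes the password
        del password                                 # from here on only the pattern exists
        if not base:
            return False, 0.0, "no alphabetic base pattern"

        prev = self.history[user][-1] if self.history[user] else None
        if prev and prev.base == base:               # same word shape, new digits/symbols around it
            self.modifications[user][base] += 1
            if self.modifications[user][base] >= self.policy.modification_threshold:
                self.policy.downgraded_bases.add(base)   # policy changes without an admin step
        self.decorations[base].add(decoration)

        s = self.strength(pattern, base)
        if s < self.policy.min_strength:
            return False, s, "pattern strength %.3f below %.3f" % (s, self.policy.min_strength)
        self.pattern_uses[pattern] += 1
        self.history[user].append(PatternRecord(pattern, base, decoration))
        return True, s, "ok"
```

With the defaults above, a user who keeps the base `[A-Z][a-z]{5}` and only cycles the trailing digits and symbols (for example from a shape like `Summer24!` to `Summer2025`) trips the modification threshold on the third re-decoration, after which that base is penalised for every user until the policy is reset; separately, a full pattern shared by too large a share of the population is rejected for new registrants even though no single user iterated on it. Two caveats a practitioner would want before deploying such a service: the pattern store is itself sensitive, since a regex like `^[A-Z][a-z]{5}[0-9]{2}[^A-Za-z0-9]$` shrinks the search space for that user's password considerably and must be protected like a hash store; and the `re.fullmatch` check in `submit` is the only point where the cleartext password and its pattern coexist, so pattern derivation has to run inside the same trust boundary as the authentication service that receives the password.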