Secure transformable password generation

US 9,223,949 B1
Filed: 09/24/2012
Issued: 12/29/2015
Est. Priority Date: 12/18/2008
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for invalidating transformed passwords to protect a user'"'"'s original password, the method comprising:

associating, by one or more server computing devices, a first encryption key having a first value with a third party for use in accessing a user'"'"'s account;

creating, by the one or more server computing devices, a first transformed password by encrypting a user'"'"'s original password using the first value of the associated first encryption key;

providing, by the one or more server computing devices, the first transformed password to the third party for accessing the user'"'"'s account, wherein the third party cannot obtain the user'"'"'s original password;

recognizing, by the one or more server computing devices, a breach associated with the third party or the associated first encryption key;

changing, by the one or more server computing devices, the first value of the associated first encryption key to a new value based upon the breach;

receiving, by the one or more server computing devices from the third party, a request for access including the first transformed password;

using, by the one or more server computing devices, the new value of the first encryption key and the user'"'"'s original password to create a second transformed password;

comparing, by the one or more server computing devices, the received first transformed password to the second transformed password; and

when the comparison indicates that the first transformed password and the second transformed password are different, denying, by the one or more server computing devices, the request for access.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention relates to generating and using secure transformable passwords. In one example, a user grants a third party access to an online account at a host server, and the user requests a transformed password from the host server. The host server associates an encryption key with the third party and generates a transformed password using the user'"'"'s online account password and the encryption key. The user transmits the transformed password to the third party which may use the transformed password to access the online account. The host server generates a second transformed password and compares it to the password information received from the third party. If the received password information and the second transformed password are identical, access is granted. The invention also includes methods for invalidating the transformed passwords by changing the encryption keys to an invalid state.

11 Citations

View as Search Results

20 Claims

1. A computer implemented method for invalidating transformed passwords to protect a user'"'"'s original password, the method comprising:
- associating, by one or more server computing devices, a first encryption key having a first value with a third party for use in accessing a user'"'"'s account;
  
  creating, by the one or more server computing devices, a first transformed password by encrypting a user'"'"'s original password using the first value of the associated first encryption key;
  
  providing, by the one or more server computing devices, the first transformed password to the third party for accessing the user'"'"'s account, wherein the third party cannot obtain the user'"'"'s original password;
  
  recognizing, by the one or more server computing devices, a breach associated with the third party or the associated first encryption key;
  
  changing, by the one or more server computing devices, the first value of the associated first encryption key to a new value based upon the breach;
  
  receiving, by the one or more server computing devices from the third party, a request for access including the first transformed password;
  
  using, by the one or more server computing devices, the new value of the first encryption key and the user'"'"'s original password to create a second transformed password;
  
  comparing, by the one or more server computing devices, the received first transformed password to the second transformed password; and
  
  when the comparison indicates that the first transformed password and the second transformed password are different, denying, by the one or more server computing devices, the request for access.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - generating a third transformed password using the first value of the associated first encryption key and the user'"'"'s original password;
      
      storing the third transformed password at the host server;
      
      upon recognizing the breach,deleting the stored third transformed password; and
      
      storing the second transformed password at the host server, wherein creating the second transformed password is performed upon recognizing the breach.
  - 3. The method of claim 2, further comprising;
    - receive password information from the third party;
      
      comparing the received password information and the third transformed password; and
      
      permitting access to the host server when the received password information and the second transformed password are identical.
  - 4. The method of claim 1, wherein the associated first encryption key is a private encryption key stored only at one of the one or more server computing devices.
  - 5. The method of claim 1, further comprising:
    - in response to receiving the request, identifying the third party based on a network address of the third party; and
      
      based on the identification, retrieving the associated first encryption key associated with the third party and the user'"'"'s original password in order to create the second transformed password.
  - 6. The method of claim 1, wherein the second transformed password is created in response to receiving the request for access.
  - 7. The method of claim 1, further comprising:
    - before recognizing the breach, receive a request to access particular information, the request to access the particular information including the first transformed password;
      
      use the first value of the first encryption key and the user'"'"'s original password to create a third transformed password;
      
      comparing the received first transformed password to the third transformed password; and
      
      when the first transformed password and the second transformed password are identical, provide access to the particular information.

8. A system for invalidating transformed passwords to protect a user'"'"'s original password, the system comprising one or more server computing devices having one or more processors configured to:
- associate a first encryption key having a first value with a third party for use in accessing a user'"'"'s account;
  
  create a first transformed password by encrypting a user'"'"'s original password using the first value of the associated first encryption key;
  
  provide the first transformed password to the third party for accessing the user'"'"'s account, wherein the third party cannot obtain the user'"'"'s original password;
  
  recognize a breach associated with the third party or the associated first encryption key;
  
  change the first value of the associated first encryption key to a new value based upon the breach;
  
  receive, from the third party, a request for access including the first transformed password;
  
  use the new value of the first encryption key and the user'"'"'s original password to create a second transformed password;
  
  compare the received first transformed password to the second transformed password; and
  
  when the comparison indicates that the first transformed password and the second transformed password are different, deny the request for access.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the one or more processors are further configured to:
    - generate a third transformed password using the first value of the associated first encryption key and the user'"'"'s original password;
      
      store the third transformed password at the host server;
      
      upon recognizing the breach, delete the stored third transformed password; and
      
      store the second transformed password at the host server, wherein creating the second transformed password is performed upon recognizing the breach.
  - 10. The system of claim 9, wherein the one or more processors are further configured to:
    - receive password information from the third party;
      
      compare the received password information and the third transformed password; and
      
      permit access to the host server when the received password information and the second transformed password are identical.
  - 11. The system of claim 8, wherein the associated first encryption key is a private encryption key stored only at one of the one or more server computing devices.
  - 12. The system of claim 8, wherein the one or more processors are further configured to:
    - in response to receiving the request, identifying the third party based on a network address of the third party; and
      
      based on the identification, retrieving the associated first encryption key associated with the third party and the user'"'"'s original password in order to create the second transformed password.
  - 13. The system of claim 8, wherein the second transformed password is created in response to receiving the request for access.
  - 14. The system of claim 8, wherein the one or more processors are further configured to:
    - before recognizing the breach, receive a request to access particular information, the request to access the particular information including the first transformed password;
      
      use the first value of the first encryption key and the user'"'"'s original password to create a third transformed password;
      
      compare the received first transformed password to the third transformed password; and
      
      when the first transformed password and the second transformed password are identical, provide access to the particular information.

15. A non-transitory, computer readable storage medium on which instructions are stored, the instructions when executed by one or more processors cause the one or more processors to perform a method of invalidating transformed passwords to protect a user'"'"'s original password, the method comprising:
- associating a first encryption key having a first value with a third party for use in accessing a user'"'"'s account;
  
  creating a first transformed password by encrypting a user'"'"'s original password using the first value of the associated first encryption key;
  
  providing the first transformed password to the third party for accessing the user'"'"'s account, wherein the third party cannot obtain the user'"'"'s original password;
  
  recognizing a breach associated with the third party or the associated first encryption key;
  
  changing the first value of the associated first encryption key to a new value based upon the breach;
  
  receiving, from the third party, a request for access including the first transformed password;
  
  using the new value of the first encryption key and the user'"'"'s original password to create a second transformed password;
  
  comparing the received first transformed password to the second transformed password; and
  
  when the comparison indicates that the first transformed password and the second transformed password are different, denying the request for access.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The medium of claim 15, wherein the method further comprises:
    - generating a third transformed password using the first value of the associated first encryption key and the user'"'"'s original password;
      
      storing the third transformed password at the host server;
      
      upon recognizing the breach, deleting the stored third transformed password; and
      
      storing the second transformed password at the host server, wherein creating the second transformed password is performed upon recognizing the breach.
  - 17. The medium of claim 16, wherein the method further comprises:
    - receiving password information from the third party;
      
      comparing the received password information and the third transformed password; and
      
      permitting access to the host server when the received password information and the second transformed password are identical.
  - 18. The medium of claim 15, wherein the associated first encryption key is a private encryption key stored only at one of the one or more server computing devices.
  - 19. The medium of claim 15, wherein the method further comprises:
    - in response to receiving the request, identifying the third party based on a network address of the third party; and
      
      based on the identification, retrieving the associated first encryption key associated with the third party and the user'"'"'s original password in order to create the second transformed password.
  - 20. The medium of claim 15, wherein the method further comprises:
    - before recognizing the breach, receiving a request to access particular information, the request to access the particular information including the first transformed password;
      
      using the first value of the first encryption key and the user'"'"'s original password to create a third transformed password;
      
      comparing the received first transformed password to the third transformed password; and
      
      when the first transformed password and the second transformed password are identical, providing access to the particular information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Google Inc. (Alphabet Inc.)
Inventors
Juang, Philo
Primary Examiner(s)
Tran, Ellen

Application Number

US13/625,531
Time in Patent Office

1,191 Days
Field of Search

713/184, 726/2, 726/3, 726/4, 726/5
US Class Current

1/1
CPC Class Codes

G06F 21/31   User authentication

G06F 21/46   by designing passwords or c...

H04L 9/3226   using a predetermined code,...

Secure transformable password generation

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

11 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Secure transformable password generation

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

11 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links