Managing password expiry

US 8,959,618 B2
Filed: 02/05/2008
Issued: 02/17/2015
Est. Priority Date: 02/05/2008
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving one or more attempts to log in from a client device into an account;

monitoring, by a processing device, activities associated with the account in view of a password expiry policy that comprises a plurality of behavior deviations that deviate from a behavior norm associated with the account, wherein the plurality of behavior deviations comprise an attempt to log in from the client device that does not have a client certificate to secure a connection from the client device to the processing device;

in response to determining that a number of occurrences of the plurality of behavior deviations exceeds a determined threshold, expiring a stored password associated with the account;

receiving a next login request to the account from the client device, the login request comprising an input password;

determining whether the client device has the client certificate;

in response to determining that the client device does not have the client certificate, tagging the login request with a flag;

validating the input password with the stored password associated with the account;

in response to determining that the input password matches the stored password,determining whether the stored password is an expired password;

in response to determining that the stored password is expired, causing replacing the expired stored password with a new password so that the new password becomes the stored password associated with the account;

granting access to the account; and

in response to identifying the flag being associated with the login request, expiring the stored password subsequent to granting the access to the account;

each time receiving a subsequent attempt to log in from the client device that does not have the client certificate, the method further comprising;

validating a new input password;

expiring the stored password of the account subsequent to successfully validating the new input password with the stored password associated with the account; and

causing replacing the expired stored password with another new password so that the other new password becomes the stored password associated with the account.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for managing the expiration of a password. In one embodiment, the method comprises determining whether a behavior anomaly associated with an account has occurred. In response to a determination that the behavior anomaly has occurred, the method expires a password associated with the account and forces the password be changed the next time the password is presented for accessing the account.

25 Citations

View as Search Results

17 Claims

1. A method comprising:
- receiving one or more attempts to log in from a client device into an account;
  
  monitoring, by a processing device, activities associated with the account in view of a password expiry policy that comprises a plurality of behavior deviations that deviate from a behavior norm associated with the account, wherein the plurality of behavior deviations comprise an attempt to log in from the client device that does not have a client certificate to secure a connection from the client device to the processing device;
  
  in response to determining that a number of occurrences of the plurality of behavior deviations exceeds a determined threshold, expiring a stored password associated with the account;
  
  receiving a next login request to the account from the client device, the login request comprising an input password;
  
  determining whether the client device has the client certificate;
  
  in response to determining that the client device does not have the client certificate, tagging the login request with a flag;
  
  validating the input password with the stored password associated with the account;
  
  in response to determining that the input password matches the stored password,determining whether the stored password is an expired password;
  
  in response to determining that the stored password is expired, causing replacing the expired stored password with a new password so that the new password becomes the stored password associated with the account;
  
  granting access to the account; and
  
  in response to identifying the flag being associated with the login request, expiring the stored password subsequent to granting the access to the account;
  
  each time receiving a subsequent attempt to log in from the client device that does not have the client certificate, the method further comprising;
  
  validating a new input password;
  
  expiring the stored password of the account subsequent to successfully validating the new input password with the stored password associated with the account; and
  
  causing replacing the expired stored password with another new password so that the other new password becomes the stored password associated with the account.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising:
    - receiving a login request that specifies the input password of the account associated; and
      
      detecting the plurality of behavior deviations in view of historical behaviors associated with the account.
  - 3. The method of claim 1, wherein the plurality of behavior deviations comprise a behavior deviation associated with a login request.
  - 4. The method of claim 1, wherein the plurality of behavior deviations comprise an attempt to gain unauthorized access using the input password.
  - 5. The method of claim 1, wherein the plurality of behavior deviations comprise a request sent from an unauthorized system.
  - 6. The method of claim 2, wherein the detecting is in view of the historical behavior of a set of users.

7. A system comprising:
- a memory to store information pertaining to an account; and
  
  a processing device, coupled to the memory, to;
  
  receive one or more attempts to log in from a client device into an account;
  
  monitor activities associated with the account in view of a password expiry policy that comprises a plurality of behavior deviations that deviate from a behavior norm associated with the account, wherein the plurality of behavior deviations comprise an attempt to log in from the client device that does not have a client certificate to secure a connection from the client device to the processing device,in response to determining that a number of occurrences of the plurality of behavior deviations exceeds a determined threshold, expire a stored password associated with the account,receive a next login request to the account from the client device, the login request comprising an input password,determine whether the client device has the client certificate,in response to determining that the client device does not have the client certificate, tag the login request with a flag,validate the input password with the stored password associated with the account,in response to determining that the input password matches the stored password,determine whether the stored password is an expired password,in response to determining that the stored password is expired, cause replacing the expired stored password with a new password so that the new password becomes the stored password associated with the account,grant access to the account, andin response to identifying the flag being associated with the login request, expire the stored password subsequent to granting the access to the account; and
  
  each time receiving a subsequent attempt to log in from the client device that does not have the client certificate, the processing device further to;
  
  validate a new input password,expire the stored password of the account subsequent to successfully validating the new input password with the stored password associated with the account, andcause replacing the expired stored password with another new password so that the other new password becomes the stored password associated with the account.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The system of claim 7 wherein the processing device is to receive a login request that specifies the input password to access the account and detect the plurality of behavior deviations in view of historical behaviors associated with the account.
  - 9. The system of claim 7, wherein the plurality of behavior deviations comprise a behavior deviation associated with a login request.
  - 10. The system of claim 7, wherein the plurality of behavior deviations comprise using the input password to access an unauthorized system.
  - 11. The system of claim 8, wherein the historical behaviors are in view of the historical behaviors of a set of users.

12. A non-transitory computer readable storage medium comprising instructions that, when executed by a processing device, cause the processing device to perform operations comprising:
- receiving one or more attempts to log in from a client device into an account;
  
  monitoring activities associated with the account in view of a password expiry policy that comprises a plurality of behavior deviations that deviate from a behavior norm associated with the account, wherein the plurality of behavior deviations comprise an attempt to log in from the client device that does not have a client certificate to secure a connection from the client device to the processing device;
  
  in response to determining that a number of occurrences of the plurality of behavior deviations exceeds a determined threshold, expiring a stored password associated with the account;
  
  receiving a next login request to the account from the client device, the login request comprising an input password;
  
  determining whether the client device has the client certificate;
  
  in response to determining that the client device does not have the client certificate, tagging the login request with a flag;
  
  validating the input password with the stored password associated with the account;
  
  in response to determining that the input password matches the stored password,determining whether the stored password is an expired password;
  
  in response to determining that the stored password is expired, causing replacing the expired stored password with a new password so that the new password becomes the stored password associated with the account;
  
  granting access to the account; and
  
  in response to identifying the flag being associated with the login request, expiring the stored password subsequent to granting the access to the account;
  
  each time receiving a subsequent attempt to log in from the client device that does not have the client certificate, the operations further comprising;
  
  validating a new input password;
  
  expiring the stored password of the account subsequent to successfully validating the new input password with the stored password associated with the account; and
  
  causing replacing the expired stored password with another new password so that the other new password becomes the stored password associated with the account.
- View Dependent Claims (13, 14, 15, 17)
- - 13. The non-transitory computer readable storage medium of claim 12, wherein the operations comprise:
    - receiving a login request that specifies the input password of the account;
      
      and detecting the plurality of behavior deviations associated with the account,wherein the plurality of behavior deviations comprise a behavior deviation associated with the login request.
  - 14. The non-transitory computer readable storage medium of claim 13, wherein the operations further comprise detecting the behavior deviations associated with the account in view of historical behaviors associated with the account, and wherein the detecting is in view of the historical behaviors of a set of users.
  - 15. The non-transitory computer readable storage medium of claim 12, wherein the plurality of behavior deviations comprise an attempt to gain unauthorized access.
  - 17. The non-transitory computer readable storage medium of claim 13, wherein the detecting comprises:
    - scanning a log file to identify one or more events indicating that the password has been or is likely to be compromised.

16. The non-transitory computer readable storage medium of 12, wherein the plurality of behavior deviations comprise a request sent from an unauthorized system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
Schneider, James P.
Primary Examiner(s)
Patel, Nirav B

Application Number

US12/025,954
Publication Number

US 20090199294A1
Time in Patent Office

2,569 Days
Field of Search

726/2, 726 5- 7, 726 17- 20, 726/26, 726/27, 726 22- 25, 713/182
US Class Current

726/18
CPC Class Codes

G06F 21/31   User authentication

G06F 21/316   by observing the pattern of...

G06F 21/33   using certificates

G06F 21/577   Assessing vulnerabilities a...

Managing password expiry

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

25 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Managing password expiry

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

25 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links