
Recalling a [new] password under a trusted, controlled and forgiving environment

IP.com Disclosure Number: IPCOM000186396D
Original Publication Date: 2009-Aug-18
Included in the Prior Art Database: 2009-Aug-18
Document File: 3 page(s) / 31K

Publishing Venue

IBM

Abstract

Recalling a [new] password under a trusted, controlled and forgiving environment



Recalling a [new] password under a trusted, controlled and forgiving environment

Rigorous password rules and good security policies require the user to change their password at frequent intervals. This policy, however, is responsible for many help desk calls, especially at the time immediately following the changing of a password. The resetting of a password is time consuming, expensive and creates an opportunity to hack the account using social engineering.

Too often people tend to forget their new passwords, especially with systems that require one immediately. Most systems are relatively conservative, for fear of a brute-force attack, and tend to disable/lock the user's account after a small number of failed log-on attempts. This requires expensive password renewal/resetting. It is very possible that the user can recall the new password out of the assortment of passwords she has, if given enough trials. But the user has only a few attempts before the account is locked.

This disclosure caters to the user's need without exposing the system to brute-force attacks, and yet does not require the user to solicit any help from the system administrator's support force.

Our disclosure doesn't change the existing behavior of the systems. Instead it provides an auxiliary means through a new method and system to help one cope with the difficulties facing the majority of the users when they have to recall their passwords from an assortment of passwords they normally use.

(For brevity, the invention described herein will be referred to as the recallMyPassword program.)

The idea is to employ a good-neighbor policy. This can be analogous to giving the next door neighbor a spare key, in case the user loses theirs. The trusted neighbor hosts a copy of the hash-values of the user's passwords (in case of a single user/application environment). The user can try to recall their password under a friendly environment where she can try a number of possible passwords before actually trying to log into her actual account.

Potential intruders may of course access the same program. However, damage may be limited by placing a configurable limit on the number of allowed trials, or by sending a notification note to one or more people that their password is being guessed.
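The following is an added illustration, not code from the disclosure or from IBM, of the mechanism described above: the neighbor hosts only hash values of the user's passwords, the recall program checks candidates against those hashes, and a configurable trial limit plus a notification hook bounds the damage if someone else runs the same program. The sample passwords, the PBKDF2 parameters, the trial budget and the `RecallSession` class are all assumptions made for the example. A slow, salted key derivation (PBKDF2 here) is used deliberately: the hosted copy is exposed to whoever controls the neighbor account, so it must resist offline guessing better than a plain hash would.

```python
import hashlib
import hmac
import secrets

# Constructed sample: the user's "assortment" of passwords. In the disclosure only
# their hash values are hosted by the neighbor; plaintexts appear here solely to
# build the demo vault.
SAMPLE_PASSWORDS = ["Tr0ub4dor&3", "correct horse battery staple", "Winter2009!"]

# Assumption: a slow KDF so the hosted copy resists offline guessing.
PBKDF2_ITERATIONS = 200_000


def make_vault(passwords, iterations=PBKDF2_ITERATIONS):
    """Return the hash-only records the neighbor would host.

    Each record is (salt, iteration count, digest); no plaintext is kept.
    """
    vault = []
    for pw in passwords:
        salt = secrets.token_bytes(16)  # per-entry salt defeats precomputed tables
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, iterations)
        vault.append({"salt": salt, "iterations": iterations, "digest": digest})
    return vault


class RecallSession:
    """The 'forgiving environment': checks candidates against the hosted hashes,
    enforces a configurable trial budget and notifies when it is exhausted.

    try_password returns the index of the matching vault entry, -1 when nothing
    matched, or None once the session is locked.
    """

    def __init__(self, vault, max_trials=10, notify=None):
        self.vault = vault
        self.max_trials = max_trials
        self.trials = 0
        self.locked = False
        # notify: callable receiving a message; stands in for the "notification
        # note" the disclosure sends when a password is being guessed.
        self.notify = notify if notify is not None else (lambda msg: None)

    def try_password(self, candidate):
        if self.locked:
            return None
        self.trials += 1
        for idx, rec in enumerate(self.vault):
            digest = hashlib.pbkdf2_hmac(
                "sha256", candidate.encode("utf-8"), rec["salt"], rec["iterations"]
            )
            # Constant-time comparison so timing does not leak partial matches.
            if hmac.compare_digest(digest, rec["digest"]):
                return idx
        if self.trials >= self.max_trials:
            self.locked = True
            self.notify(f"recallMyPassword: {self.trials} failed trials, session locked")
        return -1


if __name__ == "__main__":
    notes = []
    vault = make_vault(SAMPLE_PASSWORDS, iterations=20_000)
    session = RecallSession(vault, max_trials=3, notify=notes.append)
    for guess in ["Summer2009!", "Winter2009!", "Spring2009!", "Tr0ub4dor&3"]:
        print(guess, "->", session.try_password(guess))
    print("notifications:", notes)
```

The session exposes only whether a candidate matched some hosted hash; once the user has recalled the right password she logs into the real account through its unchanged policy, and the recall session itself should be discarded. Keeping the iteration count high and the trial budget small is what keeps the hosted copy from becoming a cheaper target than the account it protects.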

Saving the password 'hash' under a neighbor account and "running" the recallMyPassword program under the neighbor account and supervision guarantees that access to the account is secured through the existing security policy, and as such it doesn't pose a higher threat than before. Once the guest-user is allowed onto the system through the neighbor account, she can try an assortment of passwords against the respective HASH, till she finds the right one. The friendly environment could enable one to recall the password without resorting to the existing reset procedure. That environment doesn't enforce a time limit on logging attempts an...