
A benevolent "man in the middle" to ensure strong passwords

IP.com Disclosure Number: IPCOM000201553D
Publication Date: 2010-Nov-15
Document File: 2 page(s) / 82K

Publishing Venue: The IP.com Prior Art Database

Abstract

The use of various web-based services requires us to maintain an ever-increasing number of "identities". For each web service we use, we typically create an "account" with a username and password for authentication. Given the large number of such accounts, it is unreasonable to expect users to have a different "strong" password for each service. Typical user behaviour is to use the same password (or a very small number of passwords) on multiple sites. This means that when one password is compromised, identity theft can happen on many different web services. An alternative solution that is not very popular is to use different passwords but store them locally in a password utility of some sort. Whenever a user has to enter a password online, she must first open the utility (using its own "master" password), find the password for the specific web service, and enter it. This is cumbersome, although it is mitigated to some extent by embedding such a utility in the web browser itself. Automated form-filling utilities also exist, where the user enters the master password only once and the utility auto-fills passwords in specific web login screens (forms). Again, the implications of losing or compromising the master password are huge. OpenID is yet another proposed solution that has not taken off, because of a lack of "relying parties". In all these cases, users typically end up using the weakest passwords that the service will allow, because they are easier to remember. This article describes a different solution to this problem, which is significantly easier on the end-user while maintaining the security of having different, strong passwords for different web services/sites.

This is the abbreviated version, containing approximately 54% of the total text.


This solution could be implemented as a browser plugin. Browsers like Firefox, for example, allow the creation of plugins (using the Netscape Plugin API) that can intercept and modify practically any user interaction with the browser. The plugin lives within the browser itself.

By inspecting a web page loaded into the browser (http://a.b.com/register, in the example below), our plugin can determine that this is a page where the user registers for a new account and creates a username-password based set of credentials.

[Figure: Account Creation. The browser, at URL http://a.b.com/register, shows a "Create account" form with Username: neeran, Password: simple, Confirm password: simple, and Submit / Cancel buttons. The browser plugin inserts the tuple (URL, simple, sdj@#DSF3) into its local DB; the web server at a.b.com inserts (neeran, sdj@#DSF3) into its Accounts store.]

The user interacts with the web page as usual, entering a new username and password for this specific site (a.b.com).

Our plugin intercepts the form as it is submitted.

It generates a random password (sdj@#DSF3 in the figure above), for example from some combination of letters, numbers and symbols.

It inserts into a local database a tuple consisting of the URL of the site, the username, the user's chosen password ("simple") and the randomly generated password.

It passes the form on to the web site, but with the password field changed to the new, strong password.

The web site stores the username and the strong password in its own accounts database for subsequent authentication.

Subsequently, when the user tries to log into a.b.com, the plugin detects that there is a login form...