System, method and process to provide multiple role, access and privilege-based passwords
Publication Date: 2012-Feb-28
The IP.com Prior Art Database
AbstractAccess to computer systems occurs under a variety of circumstances, for a variety of purposes or services, and from various locations. This creates opportunities for a computer to be accessed in an unauthorized manner. Disclosed is a system and method allowing the different forms of access to be associated with a variety of passwords, each having their own access rights, roles and restrictions.
Page 01 of 3
System, method and process to provide multiple role , access and privilege-based passwords
Executive Summary: Access to computer systems occurs under a variety of circumstances, for a variety of purposes or services, and from various locations. This creates opportunities for a computer to be accessed in an unauthorized manner. Disclosed is a system and method allowing the different forms of access to be associated with a variety of passwords, each having their own access rights, roles and restrictions.
It is widely understood that system attacks happen at times and in manners that are advantageous to the attacker. For example, many computer systems are attacked remotely, using network interfaces, where the user has no awareness of the attacker. Additionally, the exposure of the authentication method over a network connection, and for a variety of differing services, provides opportunities for attackers to either "sniff" the password, or attempt a brute force or dictionary based attack against one subsystem (e-mail, remote file transfer), then use that information gained to compromise the system security.
The disclosed system, method and process breaks the authentication method down into a finer grained collection of rules such that individual passwords may be defined such that each individual password has associated with it specific access rights. This differs from existing fields of art, such as the UNIX* and Windows** operating systems where different user identities have differing rights, or the Kerberos*** authentication method where some additional attribute is added to the user's name and that name/service pair is then associated with a potentially different password.
There are many systems which recognize irregular working-hours and add additional questions and extra authentication procedures to fight off the hackers. Yet, they don't use exclusive access passwords, nor do they permit passwords to be associated with specific services, such as network ports. Thus a password stolen during normal working hours still allows a hacker access to the system, though one has to pass more hurdles before they are authenticated. This approach denies the hacker the very initial entry to the system if they try to use a normal-hours key/password at the off-work hours, or if they use the stolen "telnet" (an insecure network login protocol) or "IMAP" (a potentially secure mail server protocol) passwords to attempt a different login methodology.
(keywords: user authentication network port)
US #6,892,309: This patent addresses user access after the point in time when the user has been authenticated. The disclosed invention associates, amongst other things, a specific password which must be used when the user requests access to the service. That is, for a specific network service, such as electronic mail, the referenced patent would have accepted the user's password, then performed the access check. With the disclosed inv...