
Method to impede password stealing

IP.com Disclosure Number: IPCOM000237202D
Publication Date: 2014-Jun-08
Document File: 4 page(s) / 37K

Publishing Venue

The IP.com Prior Art Database

Abstract

A method to impede password stealing is disclosed.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 40% of the total text.


Method to impede password stealing

Disclosed is a method to impede password stealing.

The term "password" is used in a broad sense: in addition to a secret word or secret string of characters, a password can also be a secret visible pattern that a user draws on a touch-screen device in order to authenticate and unlock it.

The following are example methods that may be used to steal passwords:

Reading the visible pattern from the smudge trail that the user's fingertip leaves on the surface of the touch screen or keyboard.

Placing imitation overlays or thin foils on top of keyboards and screens.

Using key-logging software.

Eavesdropping on the authentication exchange to record the encrypted password, then cracking the recording offline.

Someone glancing over the user's shoulder ("behind the back") may memorize the secret string or visible pattern while the user is authenticating.

A "smudge attack" relies on detecting, with a simple camera and image-processing software, the oily smudges the user's fingers leave behind when operating the device. Under proper lighting and camera settings the finger smudges are easily detected, and the heaviest smudges reveal the most frequent input pattern, i.e. the password.

The smudge attack may be countered by asking the user, at authentication time, to enter certain additional information before and/or after and/or between the elements of his password or visible pattern. This may take the form of highlighted dots which the user has to connect before and/or after drawing his pattern. Alternatively, the user is asked to press certain keys before and/or after and/or between the characters of the password.

These countermeasures impede the password-stealing threats listed above. Their advantage is that the end user does not need to memorize longer or more complicated passwords/visible patterns. In addition, no additional security device (e.g. for password encryption) is needed.

Variations allow for prefixes, postfixes, and infixes. The approach does not need to force a minimum length. The way the user is informed which actions to take may also vary: the request could take the form of highlighting certain dots of a visible pattern, or it could be made in textual form. The request could vary for each new password or for each new authentication.

Implementation choices depend on the authentication method, the input device, and the application's security demands: certain kinds of attacks are more likely in a given setting, and certain variants are better suited to impede them.
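As an added worked example (not part of the disclosure), the following Python sketch implements the keyboard variant: the verifier issues a per-authentication challenge naming filler characters to type before, between and after the static password, then strips the fillers at the positions it chose and checks the remainder against a stored salted hash. The names `Challenge`, `Record`, `enroll`, `issue_challenge`, `compose`, `verify`, the digit filler alphabet and the PBKDF2 parameters are assumptions made for illustration.

```python
"""Per-authentication prefix/infix/postfix fillers around a static password.

Hypothetical example code. The verifier knows the filler positions it asked
for, removes them from the typed string and checks the rest against a salted
hash, so a transcript captured during one authentication does not verify
against the next challenge.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

FILLERS = "0123456789"      # characters the verifier may ask for (assumed)
ITERATIONS = 100_000        # PBKDF2 work factor (assumed)


@dataclass(frozen=True)
class Challenge:
    # (position, filler) pairs in ascending position order: insert `filler`
    # just before index `position` of the secret. 0 is a prefix, len(secret)
    # a postfix, anything in between an infix. Equal positions are allowed.
    inserts: tuple


@dataclass
class Record:
    salt: bytes
    digest: bytes
    secret_len: int   # needed to place fillers; note this leaks the length


def _digest(salt: bytes, secret: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)


def enroll(secret: str) -> Record:
    salt = secrets.token_bytes(16)
    return Record(salt, _digest(salt, secret), len(secret))


def issue_challenge(rec: Record, n_fillers: int = 3, rng=None) -> Challenge:
    """Fresh random fillers for one authentication attempt."""
    rng = rng or secrets.SystemRandom()
    positions = sorted(rng.choices(range(rec.secret_len + 1), k=n_fillers))
    return Challenge(tuple((p, rng.choice(FILLERS)) for p in positions))


def describe(ch: Challenge, secret_len: int) -> str:
    """Textual form of the request, as the user would see it."""
    parts = []
    for p, f in ch.inserts:
        if p == 0:
            where = "before your password"
        elif p == secret_len:
            where = "after the end of your password"
        else:
            where = f"after character {p} of your password"
        parts.append(f"type '{f}' {where}")
    return "; ".join(parts)


def compose(ch: Challenge, secret: str) -> str:
    """What a user who knows the secret types in response to `ch`."""
    out = list(secret)
    # insert back to front so earlier indices stay valid; equal positions
    # keep their challenge order
    for p, f in reversed(ch.inserts):
        out.insert(p, f)
    return "".join(out)


def verify(rec: Record, ch: Challenge, typed: str) -> bool:
    n = len(ch.inserts)
    if len(typed) != rec.secret_len + n:
        return False
    # the i-th filler (ascending positions) sits at index position + i
    filler_idx = {p + i for i, (p, _) in enumerate(ch.inserts)}
    got = "".join(typed[p + i] for i, (p, _) in enumerate(ch.inserts))
    expected = "".join(f for _, f in ch.inserts)
    secret = "".join(c for j, c in enumerate(typed) if j not in filler_idx)
    # evaluate both checks before combining so timing does not reveal which failed
    fillers_ok = hmac.compare_digest(expected.encode(), got.encode())
    secret_ok = hmac.compare_digest(rec.digest, _digest(rec.salt, secret))
    return fillers_ok and secret_ok


if __name__ == "__main__":
    rec = enroll("secret")
    ch = issue_challenge(rec)
    print(describe(ch, rec.secret_len))
    typed = compose(ch, "secret")
    print("typed:", typed, "->", verify(rec, ch, typed))
    print("replayed against a new challenge ->",
          verify(rec, issue_challenge(rec), typed))
```

Because the fillers change on every attempt, a keystroke transcript captured by a key logger or a glance at the keyboard is only valid for the challenge it was typed against. The limits are worth stating: the verifier must store the secret's length, a transcript still contains the secret in the clear at offsets fixed by the challenge, and an observer who sees both the textual request and the typed string can strip the fillers themselves. The gain against shoulder surfing is therefore that seeing the keys alone no longer yields a reusable password; the gain against smudging depends on how the fillers are chosen, as the disclosure goes on to discuss.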


As examples:
Using arbitrary prefixes/postfixes/infixes per authentication makes attacks like "glancing behind the back" and cracking harder, but it does not impact smudge attacks. To counteract smudge attacks it is advisable to generate prefixes/postfixes/infixes in a way that they create similar smudges each time the correct password/visible patter...
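The trade-off stated above (per-authentication random fillers defeat replay but not smudging, while pattern-aware fillers are needed for uniform smudges) can be made concrete with a small simulation, added here as an example and not taken from the disclosure. It models a 3x3 unlock grid, accumulates which dots are touched over many unlocks, and lets an attacker take the heaviest smudges as the pattern. The grid numbering, the three decoy policies (`no_decoys`, `random_decoys`, `complement_decoys`) and the attacker's top-k heuristic are assumptions.

```python
"""Smudge-attack model on a 3x3 unlock grid and the decoy-dot countermeasure.

Hypothetical example. Each unlock touches the pattern's dots plus whatever
decoy dots the device highlighted as prefix/postfix; the attacker only sees
the accumulated smudge per dot.
"""
from collections import Counter
import random

GRID = range(9)   # dots 0..8 in row-major order (assumed layout)


def no_decoys(pattern, rng):
    return ()


def random_decoys(pattern, rng, k=3):
    # per-unlock random highlighted dots chosen without knowledge of the
    # pattern: defeats replay of an observed sequence, not smudging
    return tuple(rng.sample(GRID, k))


def complement_decoys(pattern, rng):
    # every dot NOT in the pattern is highlighted (in random order) before or
    # after the pattern, so all 9 dots are touched at every unlock and the
    # smudge image is the same regardless of the pattern
    decoys = [d for d in GRID if d not in pattern]
    rng.shuffle(decoys)
    return tuple(decoys)


def heat_profile(pattern, decoy_fn, sessions=200, seed=0):
    """Smudge weight per dot after `sessions` unlocks (constructed data)."""
    rng = random.Random(seed)
    heat = Counter({d: 0 for d in GRID})
    for _ in range(sessions):
        touched = set(pattern) | set(decoy_fn(pattern, rng))
        heat.update(touched)
    return dict(heat)


def smudge_attack(heat, pattern_len):
    """Attacker heuristic: the pattern_len heaviest smudges are the pattern.

    Also reports whether the cut is ambiguous, i.e. the last dot taken is no
    heavier than the first dot left out.
    """
    ranked = sorted(GRID, key=lambda d: (-heat[d], d))
    top = frozenset(ranked[:pattern_len])
    ambiguous = (pattern_len < len(ranked)
                 and heat[ranked[pattern_len - 1]] == heat[ranked[pattern_len]])
    return top, ambiguous


def recovers_pattern(pattern, decoy_fn, sessions=200, seed=0):
    """True if the attacker's guess is exactly the pattern's dot set."""
    heat = heat_profile(pattern, decoy_fn, sessions, seed)
    guess, ambiguous = smudge_attack(heat, len(pattern))
    return guess == frozenset(pattern) and not ambiguous


if __name__ == "__main__":
    pattern = (0, 1, 2, 5)   # an L-shaped pattern, constructed
    for name, fn in [("no decoys", no_decoys),
                     ("random decoys", random_decoys),
                     ("complement decoys", complement_decoys)]:
        heat = heat_profile(pattern, fn)
        print(f"{name:18} heat={[heat[d] for d in GRID]} "
              f"recovered={recovers_pattern(pattern, fn)}")
```

Random decoys leave the pattern dots strictly heavier than the rest, so the smudge attack still recovers the dot set; only the complement policy flattens the image. The complement policy has its own cost, which a practitioner should weigh: the device must know which dots are in the pattern (so it cannot store only a hash of the gesture), and the highlighted dots at unlock time are exactly the non-pattern dots, so anyone who sees the screen learns the pattern's dot set even if not its order.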