A system for preventing accidental password disclosure

IP.com Disclosure Number: IPCOM000237466D
Publication Date: 2014-Jun-18
Document File: 2 page(s) / 76K

Publishing Venue

The IP.com Prior Art Database

Abstract

This disclosure proposes a method of detecting when a user has inadvertently disclosed their password, for example during a login sequence, and taking appropriate action so that the password is not stored in the web cache.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 54% of the total text.

Disclosed is a method of preventing accidental disclosure of user passwords during a browser login sequence. The user may accidentally enter their password in a plain text field (e.g. user name) and this will be stored in the cached data for that page. This disclosure proposes two solutions to this problem:

1. Detecting that the user has entered text that is not a user name into a user id field, and not storing the details in the web cache

2. Alternating the normal data entry sequence by swapping the password and user name fields.

Problem description:

A simple scenario (may happen to a touch typist who may be monitoring multiple screens):

1. A user is prompted for a login

2. They begin to enter their login details but are not looking at the screen while doing so

3. The user forgets to hit (or mistypes) the tab key between the user name and password fields (or the tab order may not be defined)

4. User continues to enter their credentials but is now adding their password in plain text

5. User hits the enter key. This text is then cached by the browser as the browser assumes it is just a normal text field. The login will fail and the user looks up at the screen, assumes the password has been entered incorrectly and repeats the sequence.

6. Now, when the user enters their user name their password is visible in plain text as shown in the figure below

7. User must manually clear out their internet history to remove this text from display

Known Solutions:

The known solutions would be to:


- Turn off all browsing history (equivalent to Chrome Incognito mode)

- The application/browser never caches anything entered by the user

Both these have negative side effects as it can be quite useful to store some session history (URL, usernames etc.).

Solution #1

This solution proposes to keep track of the normal text entered in each field in a form. For example, in the screen shot above, 99% of the time the user enters the text "joe@somecompany.com". However, on this occasion the user has entered some additional text alongside the usual text.

The system detects that expected text has not been entered, warns the user

...
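The per-field tracking that Solution #1 describes can be sketched as follows. This is an added example, not code from the disclosure: the class name `FieldEntryTracker`, the `minSamples` and `dominance` thresholds, and the rule that flags the usual text with extra characters run on after it (the missed-tab case) are all assumptions.

```javascript
// Added example; names, thresholds and the matching rule are assumptions.
class FieldEntryTracker {
  constructor({ minSamples = 5, dominance = 0.9 } = {}) {
    this.minSamples = minSamples; // entries needed before a "usual" value exists
    this.dominance = dominance;   // share of entries the usual value must hold
    this.counts = new Map();      // fieldId -> Map(value -> times accepted)
  }

  // Most frequent accepted value for the field, or null if none dominates yet.
  usualValue(fieldId) {
    const seen = this.counts.get(fieldId);
    if (!seen) return null;
    let total = 0, best = null, bestCount = 0;
    for (const [value, n] of seen) {
      total += n;
      if (n > bestCount) { best = value; bestCount = n; }
    }
    if (total < this.minSamples || bestCount / total < this.dominance) return null;
    return best;
  }

  // Called at submit time. cache=false: keep the entry out of form history.
  // warn=true: tell the user the field held more than the expected text.
  check(fieldId, entered) {
    const value = entered.trim();
    const usual = this.usualValue(fieldId);
    // Usual text followed by extra characters: user name and password run together.
    const suspicious = usual !== null && value !== usual && value.startsWith(usual);
    if (suspicious) return { cache: false, warn: true };
    // Only accepted values are recorded, so a suspect entry never lands
    // in the tracker's own history either.
    if (value !== '') this.record(fieldId, value);
    return { cache: value !== '', warn: false };
  }

  record(fieldId, value) {
    if (!this.counts.has(fieldId)) this.counts.set(fieldId, new Map());
    const seen = this.counts.get(fieldId);
    seen.set(value, (seen.get(value) || 0) + 1);
  }
}
```

Until a field has a dominant value the check cannot fire, so the first few entries on a new form are cached as usual.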