Browse Prior Art Database

Method of protection from password disclosure during interrupted/mistaken authentication operation (i.e. by pop up window)

IP.com Disclosure Number: IPCOM000240725D
Publication Date: 2015-Feb-23
Document File: 4 page(s) / 144K

Publishing Venue

The IP.com Prior Art Database

Abstract

The solution described in the article relates to situation when end user of application/web page is requested to authenticate by providing password and as a result of popup-ing windows, changing widows focus or any other instant action which causing the cursor placement change, user is typing-in password in wrong place.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 52% of the total text.

Page 01 of 4

Method of protection from password disclosure during interrupted / authentication operation (

The solution described in the article relates to situation when end user of application/web page is requested to authenticate by providing password. Said authentication can be requested in order to be able to certify given action or login into particular application/web service profile. The problem which below method is solving, is situation when password is type-in by user in wrong place, and in a result disclosed. The situation when user by mistake is typing in password in wrong place may be caused by popup-ing windows (i.e. text communicator like an Instant Messaging application), changing widows focus or any other instant action which causing the cursor placement change. Submitting the password in wrong place (i.e. by clicking 'Enter' button) can cause that password will be disclosed to other people (i.e. sent to others via text communicator), stored on the disk in not encrypted form (i.e. in the application log) or stored publicly (i.e. in the cloud within browser history, or sent with the URL request via network). The similar problem was discussed here: http://security.stackexchange.com/questions/32003/passwords-being-sent-in-clear-text- due-to-users-mistake-in-typing-it-in-the-use Problem is quite common, and there is no simple approach which address all possible situation which can interrupt the typing-in operation.: One of possible solution which address only subset of the problematic scenarios is to encrypt all messages send via browser to avoid sending password via network in clear text. But the password is still disclosed to web server which is able to decrypt browser messages. Another solution is to turn-off all pop-up windows when password is provided. Main disadvantage is that this will not address human errors like entering pwd in wrong text field.

The method solve the problem by comparing the bitmap neighborhood of the text field

where the password is typed in. Bitmap neighborhood can be relatively small, because usually the location where the password is disclosed is much different then the original password text field. In order to preserve security, password itself and the bitmap neighborhood is encrypted (hashed) before stored in the knowledge base.

The method contains two sub methods:
one which is used to build the knowledge base consumed by the second method second, which is used to prevent password disclosure during typing in password by user

The first sub-method building the k...