1. Statement of the Technical Field
The present invention relates to applications level security and more particularly to password processing in a computing application.
2. Description of the Related Art
Applications level security has been of paramount concern for applications administrators for decades. While access to an application, its features and data can be of no consequence for the most simple of computing tools such as a word processor or spreadsheet, for many applications, access must be restricted. For example, in financial applications and other such applications processing sensitive data, as well as in computing administration type applications, protecting both confidentiality and access to important and powerful computing functions can be so important so as to require access control.
Generally, applications level security incorporates authentication logic for retrieving or otherwise obtaining unique data such as a pass-phrase, key, PIN, code, biometric data, or other such personally identifying information (collectively referred to as a “password”). Once retrieved, the password along with a user identifier can be compared to a known password for the user. If the comparison can be performed favorably, the password can be validated and access can be granted to the user as requested. In contrast, if the comparison cannot be performed favorably, access to the user can be denied. Moreover, protective measures such as invalid attempt logging can be activated.
Conventional password processing involves the one-way hashing of the known password and the storage of the hash in a data structure. When a user provides a password as part of an attempt to access an application, an application function, or application data, the password can be compared to the hash through a call to logic managing the data structure to determine whether access ought to be granted. Though the encrypted content of the hash can remain safely hidden from prying eyes, one able to access the hash can randomly compare a large number of possible passwords against the hash in what is known as a “dictionary attack”.
To circumvent the possibility of a dictionary attack, several password authentication techniques have been proposed. For instance, some have attempted to secure the password hash itself through a common technique known as “salting”. Salting ultimately results in dictionary attacks becoming substantially more time and computing intensive. Salting, however, does not secure a single password against brute force guessing. Other techniques include introducing real time delays within the authentication logic in reporting failed attempts. Alternatively, the requestor can be locked out of the authentication logic after a predetermined number of failed password guessing attempts.
Finally, some have suggested replacing local authentication logic with a remote procedure call to a trusted server providing the password. In this way, the hash can become inaccessible to an attacker as the actual authentication can be performed remotely based upon a communicated request. Of course, to implement the latter would require all authentication logic within the application itself to be located and rewritten. Accordingly, implementing a remote authentication procedure can disrupt the structure of existing applications and can result in the undesirable breaking of the source code of the application.