With the increasing concern over the security of sensitive data contained in their network systems, large corporations and the United States military have sought numerous techniques to combat the proliferation of network "hacking" and "cracking" which has plagued the networking community. Occasionally, hacking has caused damage to these entities through the theft of highly confidential information, as well as the theft of money. While certain software and hardware "firewalls" may be employed to prevent hackers from obtaining access to computer networks from the outside, it is estimated that approximately 85% of such unauthorized tampering is performed by individuals on the corporate side of the "firewall," i.e., individuals with insider privileges, against whom a firewall offers no protection.
Conventionally, passwords have been employed as the primary and often only defense against such unauthorized intrusion into a computer network. A password is a string of any combination of alphanumeric characters, with the maximum length of such password string being determined by the particular network system. Common network standards generally provide for passwords being at least eight characters in length and containing a mixture of lower and upper case letters and numbers. An authorized user of a given computer network system will not obtain access to such system until the user confirms his or her identity by entering a password that corresponds to that user's account identification (user ID), which is generally based on the name of the individual.
Although passwords generally provide adequate protection against breaches of network security, such protection may be compromised in several circumstances. First, if a hacker or an insider knows or steals an authorized user's account ID and password, no easily attainable level of network security could prevent access to the network in such a situation. This might occur when, for example, an authorized user, who has difficulty in remembering a complex, lengthy or otherwise random password (i.e., secure password), writes the password down somewhere, which is then intercepted or observed by an individual. This individual can then gain unauthorized access to the system.
Another example is when an authorized user selects a familiar or memorable password (e.g., a father's first name or a significant word) which the user can easily remember. The problem with choosing such memorable passwords ("insecure passwords"), however, is that a hacker can easily obtain access to a system network by performing a standard "dictionary attack" on the system network. A "dictionary attack" involves utilizing a computer program to attempt to log on to the system with every word, phrase or name found in a dictionary, typically together with simple variants (capitalization, appended digits), until the proper password is found; the same attack may be run offline, at much higher speed, against a copy of the system's password file if the hacker has obtained one. These computer programs are easy to write and are readily available from the Internet.
Such "dictionary attacks," however, can be effectively thwarted by choosing secure passwords (e.g., alphanumeric strings not present in any dictionary), which makes it very difficult, if not virtually impossible, for hackers to discover the password by guessing. An example of a secure password is one that is randomly generated, i.e., each individual character of the password is chosen, e.g., uniformly from among 62 possibilities (the 52 upper and lower case letters of the alphabet plus the 10 decimal digits), so that an eight-character password is one of 62^8 equally likely strings. Such secure passwords (i.e., randomly generated), however, are harder to remember, which ultimately results in a user choosing a memorable password that is readily ascertainable by an unscrupulous hacker. Further, notwithstanding that most security-conscious networks perform their own dictionary lookup before validating a new password and reject memorable passwords, users that are required to use secure passwords are inclined to write them down, which ultimately results in a potentially less secure network system than merely allowing users to utilize memorable passwords. The difficulty is compounded on systems that require passwords to be changed periodically, which results in a user having to frequently memorize a new secure password.
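The following is an added, self-contained illustration of the two preceding paragraphs; it is not part of the original text. It runs a dictionary attack of the kind described (a wordlist plus simple variants) against a stored password hash, shows a server-side dictionary check of the kind the text says security-conscious networks perform, and generates a password from the 62-symbol alphabet while computing the size of the guess space an attacker would have to search. The wordlist, the stored passwords and the guessing rate are constructed for the example; the use of an unsalted SHA-256 hash is a simplification chosen to keep the code short, not a recommendation.

```python
import hashlib
import math
import secrets
import string
from typing import Iterable, Optional

# Constructed wordlist of the kind of "memorable" choices the text describes.
# A real attack uses a wordlist of hundreds of thousands of entries.
DICTIONARY = ["password", "robert", "summer", "letmein", "dragon", "michael", "welcome"]

# The 62-symbol alphabet from the text: 52 letters plus 10 decimal digits.
ALPHABET = string.ascii_letters + string.digits


def store_password(password: str) -> str:
    """What the server keeps for a user: here an unsalted SHA-256 hex digest.

    Simplification for the example only. A real system must use a salted,
    deliberately slow password hash (bcrypt, scrypt or Argon2) so that the
    offline attack below is far more expensive per guess.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def candidates(word: str) -> Iterable[str]:
    """The cheap variants a dictionary-attack program tries for each word."""
    for suffix in ("", "1", "123"):
        yield word + suffix
        yield word.capitalize() + suffix


def dictionary_attack(stored_hash: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: hash every candidate and compare with the stored
    digest. Returns the recovered password, or None if the wordlist is exhausted."""
    for word in wordlist:
        for guess in candidates(word):
            if store_password(guess) == stored_hash:
                return guess
    return None


def reject_memorable(new_password: str, wordlist: Iterable[str]) -> bool:
    """Server-side check run before accepting a new password: True if the password
    is a dictionary word or one of the trivial variants above."""
    known = {w.lower() for w in wordlist}
    stripped = new_password.lower().rstrip(string.digits)
    return stripped in known


def random_password(length: int = 8) -> str:
    """Secure password per the text: each character drawn uniformly from the
    62-symbol alphabet, using the OS CSPRNG rather than the random module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def guess_space(length: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Number of equally likely passwords of the given length."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly chosen password, in bits."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(length: int, guesses_per_second: float) -> float:
    """Worst-case time for an attacker to try every password of this length
    at a constructed guessing rate."""
    return guess_space(length) / guesses_per_second


if __name__ == "__main__":
    memorable = store_password("Robert1")
    print("dictionary attack recovered:", dictionary_attack(memorable, DICTIONARY))
    print("would the server have rejected it?", reject_memorable("Robert1", DICTIONARY))
    secure = random_password(8)
    print("random 8-char password:", secure,
          "-> attack result:", dictionary_attack(store_password(secure), DICTIONARY))
    print("guess space 62^8 =", guess_space(8), "entropy %.1f bits" % entropy_bits(8))
    print("days to exhaust at 1e9 fast hashes/s: %.1f" % (seconds_to_exhaust(8, 1e9) / 86400))
```

The memorable password falls to the wordlist in a fraction of a second, and the dictionary check would have rejected it at the time it was chosen, while the random eight-character string is simply not in the attacker's list. The last line is the caveat a practitioner should keep in mind: 62^8 is about 2.2 x 10^14 strings, so against a fast unsalted hash an attacker at a billion guesses per second exhausts the whole space in a few days, which is why the password hash, not only the password, must be chosen carefully.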
Accordingly, there is a strong need in the networking industry to provide a method and system that enables access to a computer network by utilizing a memorable password, but which method and system also provides the level of protection against unauthorized access to such networks afforded by secure passwords (e.g., random and complex).