This section is intended to introduce the reader to various aspects of art, which may be related to various aspects of the present invention that are described and/or claimed below. This discussion is believed to be helpful in providing the reader with background information to facilitate a better understanding of the various aspects of the present invention. Accordingly, it should be understood that these statements are to be read in this light, and not as admissions of prior art.
Passwords are ubiquitous in today's computer systems, for example to authenticate a user at log-on. In its generic definition, a password consists of a sequence of symbols drawn from a predefined alphabet (for example, 4 digits for a PIN code).
In order to create ‘strong’ passwords, it is common to require that a chosen password complies with a predefined policy. Such a policy may for example require that the password be at least eight characters long and that it comprise at least one upper-case letter and at least one special character such as &, ( and =. US 2004/250139 and US 2009/158406 present solutions for selecting such passwords.
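The two preceding paragraphs describe a password as a sequence of symbols from a predefined alphabet and a policy as a set of rules the sequence must satisfy. The following Python is an added illustration of such a check and is not code from the patent or the cited applications; the alphabet, the set of special characters and the minimum length are assumptions chosen to match the example policy in the text.

```python
"""Policy compliance check for a password (added example, not the patent's code).

Assumed policy, modelled on the example in the text:
  - every symbol must belong to the predefined alphabet;
  - at least 8 symbols;
  - at least one upper-case letter;
  - at least one special character.
"""
import string

# Assumed alphabet and special-character set for this example.
SPECIAL_CHARS = frozenset("&()=!@#$%^*-_+[]{};:,.?/\\|~")
ALPHABET = frozenset(string.ascii_letters + string.digits) | SPECIAL_CHARS
MIN_LENGTH = 8


def policy_violations(password: str) -> list[str]:
    """Return the rules the candidate password breaks (empty list if it complies).

    Reporting every broken rule, rather than stopping at the first one, lets the
    enrolment user interface tell the user exactly what to fix.
    """
    violations: list[str] = []
    if any(symbol not in ALPHABET for symbol in password):
        violations.append("contains a symbol outside the allowed alphabet")
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not any(symbol in string.ascii_uppercase for symbol in password):
        violations.append("no upper-case letter")
    if not any(symbol in SPECIAL_CHARS for symbol in password):
        violations.append("no special character")
    return violations


def complies_with_policy(password: str) -> bool:
    """True when the password satisfies every rule of the assumed policy."""
    return not policy_violations(password)


if __name__ == "__main__":
    # Constructed sample candidates, not real passwords.
    for candidate in ("Abcdefg&", "abc", "Abcdefgh", "Abcdefg\u20ac"):
        print(repr(candidate), policy_violations(candidate) or "complies")
```

The check only establishes that a password is well formed under the policy; as the following paragraphs explain, it says nothing about whether the party presenting it is a user or an automated tool.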
However, even password-protected systems using strong passwords can be attacked, either by brute-force attacks (iteratively trying every possible value) or by dictionary attacks (trying a subset of likely values). Hereinafter, these attacks will be called “automated attacks”. To simplify their implementation, these attacks operate against low-level layers rather than through the authentication system's user interface. Some of these tools are even available on the Internet, for example the John the Ripper password cracker.
Current authentication systems are incapable of differentiating between automated attacks and user mistakes. By default, some authentication systems implement mechanisms to minimize the risk of automated attacks, either by inserting delays between two successive requests, by limiting the number of unsuccessful tries, or by a combination of the two. In the example of PIN codes, the number of unsuccessful tries is very often fixed to three.
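The paragraph above names two countermeasures, a delay between successive requests and a cap on unsuccessful tries, and notes that PIN systems commonly allow three. The Python below is an added example of an authenticator that combines both; it is not the patent's own code. The account store, the plain-text secret comparison and the injectable clock are assumptions made so that the example runs stand-alone and can be exercised without real waiting.

```python
"""Log-on throttling combining a minimum inter-request delay with a try limit.

Added example, not the patent's code. Assumptions: an in-memory account table,
secrets stored in clear for brevity (a real system stores a salted hash), and a
clock that can be injected so the behaviour can be checked without sleeping.
"""
from __future__ import annotations

import hmac
import time
from dataclasses import dataclass, field
from typing import Callable

MAX_FAILURES = 3      # unsuccessful tries before lock-out (the usual PIN-code value)
MIN_INTERVAL = 1.0    # seconds that must separate two successive requests


@dataclass
class AccountState:
    secret: str                          # stored PIN/password (assumed clear text)
    failures: int = 0                    # consecutive unsuccessful tries
    last_attempt: float = -float("inf")  # clock value of the previous request
    locked: bool = False


@dataclass
class Authenticator:
    accounts: dict[str, AccountState]
    clock: Callable[[], float] = field(default=time.monotonic)

    def attempt(self, user: str, candidate: str) -> str:
        """Evaluate one log-on request.

        Returns 'ok', 'bad_password', 'too_fast', 'locked' or 'unknown_user'.
        A request arriving sooner than MIN_INTERVAL after the previous one is
        refused without looking at the secret and is counted as a failure.
        """
        acct = self.accounts.get(user)
        if acct is None:
            return "unknown_user"
        if acct.locked:
            return "locked"
        now = self.clock()
        too_fast = now - acct.last_attempt < MIN_INTERVAL
        acct.last_attempt = now
        if too_fast:
            return self._record_failure(acct, "too_fast")
        # Constant-time comparison so timing does not leak how much matched.
        if hmac.compare_digest(candidate.encode(), acct.secret.encode()):
            acct.failures = 0
            return "ok"
        return self._record_failure(acct, "bad_password")

    @staticmethod
    def _record_failure(acct: AccountState, reason: str) -> str:
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked = True
            return "locked"
        return reason


class FakeClock:
    """Manually advanced clock so the throttle can be exercised offline."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def rapid_requests(auth: Authenticator, clock: FakeClock, user: str,
                   candidates: list[str], spacing: float) -> list[str]:
    """Submit candidates `spacing` seconds apart and return each outcome."""
    outcomes = []
    for candidate in candidates:
        clock.advance(spacing)
        outcomes.append(auth.attempt(user, candidate))
    return outcomes


if __name__ == "__main__":
    clock = FakeClock()
    auth = Authenticator({"alice": AccountState(secret="1234")}, clock=clock)
    # Constructed burst of guesses far faster than a person would type.
    print(rapid_requests(auth, clock, "alice", ["0000", "0001", "1234", "0002"], 0.01))
```

Note what the example does and does not achieve: the burst is stopped after three requests, but the authenticator never learns whether the requests came from a tool or from a person typing badly; a legitimate user who fumbles three times is locked out in exactly the same way, which is the limitation the paragraph above describes.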
It can therefore be appreciated that there is a need for a solution that can allow an authentication system to detect an automated attack, thereby allowing the system to react to such attacks according to appropriate policies. The present invention provides such a solution.