Today, most web services use an ID/password scheme to identify and authenticate users. Where a high level of security is required, such as Internet banking, user authentication may instead rely on a certificate stored on a hard disk or USB drive, but the dominant scheme remains one in which the user types a password from memory on a keyboard.
Because the ID/password scheme is easy for service providers to implement, and because third parties cannot discover a user's password unless a stored copy is exposed or the user discloses it, the scheme has been regarded as a convenient and safe authentication method. Furthermore, most devices that can access web pages, such as personal computers and smartphones, have a keyboard, so users can enter letters and digits without difficulty. Owing to these advantages, nearly all web services currently authenticate users with the ID/password scheme.
However, the threat of brute force attack grows with increasing computing power, and the dictionaries accumulated by attackers (sets of words that are likely to be used as passwords) become more elaborate over time, so attackers can discover simple or frequently used passwords within a short period. Service providers using the ID/password scheme therefore try to prevent users from setting overly simple passwords, either recommending rules to users or enforcing them. The main rules are as follows.
① Combine letters with digits. In some cases, also include special characters (characters other than letters and digits, such as !, @ and #).
② Make the password long.
③ Change the password periodically.
Requiring users to combine letters and digits is intended to stop them from using ordinary words as passwords. A password must satisfy conflicting conditions: the combination of words or digits should be hard for others to guess, yet always easy for the user to remember. Users therefore have to generate combinations of words or digits that they can easily remember in order to create a password. However, when creating a password from English text, users frequently choose a single English word. According to older research, the most frequently used password in the world is 'password'. Little has changed today: the most frequently used password is 'password1'. Digits alone fare no better. When using only digits, users often set their birthday or an anniversary as the password, so others are very likely to guess it. These problems are solved to some extent by combining letters with digits.
The length of a password is meant to resist brute force attack. By entering every number from 0000 to 9999, a four digit PIN can eventually be exposed. When letters and digits are combined and upper and lower case are distinguished, there are 62 candidates per character. This scheme is therefore more secure than a digits-only PIN, but if the length is too short it is still vulnerable to brute force attack. In the past, more than six characters were generally used, but the number of characters has tended to increase gradually; today, more services require passwords of more than 8 characters.
Some services demand that a password be changed periodically, typically every three or six months. However, creating a new, safe password is a significant burden on users. To meet the policy, most users rotate among two or three passwords, so the desired effect is hard to obtain.
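As an added example (not part of the original text), the following Python applies the three rules above as a policy check and carries through the keyspace arithmetic of a four-digit PIN versus 62 candidates per character; the common-password dictionary, the eight-character minimum, the 90-day age limit and the guess rate are assumed sample values.

```python
"""Policy check and brute-force keyspace estimate for the ID/password scheme."""
import string
from datetime import date, timedelta

# Constructed sample dictionary; the two entries are the ones the text names.
COMMON_PASSWORDS = {"password", "password1"}


def charset_size(pw: str) -> int:
    """Size of the smallest standard alphabet containing every character of pw."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable special characters
    return size


def keyspace(pw: str) -> int:
    """Worst-case guesses for exhaustive search: 10**4 for a 4-digit PIN,
    62**8 for eight mixed-case alphanumerics."""
    return charset_size(pw) ** len(pw)


def seconds_to_exhaust(pw: str, guesses_per_second: float) -> float:
    """Time to enumerate the whole keyspace at an assumed guess rate."""
    return keyspace(pw) / guesses_per_second


def check_policy(pw: str, last_changed: date, today: date,
                 min_len: int = 8, max_age_days: int = 90) -> list:
    """Apply the three rules from the text plus a dictionary check.
    min_len / max_age_days are assumed thresholds (8 chars, three months)."""
    problems = []
    if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
        problems.append("must combine letters and digits")
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    # The composition rule alone accepts 'password1'; a dictionary catches it.
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password dictionary")
    if today - last_changed > timedelta(days=max_age_days):
        problems.append(f"older than {max_age_days} days")
    return problems
```

Note that 'password1' passes the letters-plus-digits rule and the length rule; only the dictionary check rejects it, which is the weakness the text describes.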
For this reason, current web services force users to set passwords with considerably difficult combinations, and the usability that is the greatest merit of the ID/password scheme is reduced accordingly. As the ID grows long, the user has difficulty typing it and receives no visual feedback, which is suppressed to prevent peeking. In general, a user cannot tell what characters he or she has entered because they are displayed as * or ●, which makes input inconvenient.
Creating and memorizing passwords with difficult combinations is fairly inconvenient for users, so they often reuse the same password on other web sites. Consequently, when one service exposes passwords through careless server management, an attacker can easily log in to other services under the user's name using the obtained information.
Users usually enter passwords directly through a keyboard, and this gives rise to a further threat: attackers secretly install malicious code on users' devices to intercept and observe keyboard input. Even if a user creates a password that satisfies a high level of security, memorizes it accurately, and enters it accurately without visual feedback, all of that effort is invalidated once the password is exposed during the authentication process.
In short, the ID/password scheme has been widely used because its convenience leaves users with no complaints and because service providers can implement it easily. However, security requirements are continuously tightened to cope with the security incidents that occur frequently nowadays, so service providers demand stronger passwords of users. Yet human memory is limited, and therefore the passwords chosen do not satisfy the security requirements.