The security of computer systems, computer networks, individual computing devices, and data is an important concern for businesses and individuals. Computing systems and networks are often used to transfer confidential and valuable data between corporations, between corporations and individual users, and between individual users (or groups of users). Such data may be generated by system components and individuals as part of economic transactions, transfers of funds, research and development of innovations and new products, registration for benefits, or the collection of information vital to national security. Such data may likewise be created and stored using individual computing devices or remote devices (such as servers), and stored in local or remote databases or data storage elements. Because of the potential harm that could be caused by unauthorized access to a device, network, system, or to the data itself, many types of security and access control protocols have been developed for individual devices, systems, and networks.
One of the most common forms of security or access control is a password: a string of characters that a user is asked to create in response to a prompt and must later supply in order to gain access to a computer, a computing system, a computer network, or other device. A password may also be used to control access to a software application, data storage element, account data, file, folder, or other form of data or device. A password is typically neither the only form of access control nor the strongest, but it is often the initial challenge presented to a user who wishes to gain access to a protected element.
A common feature of password-based access control is that a password is associated with an expiration event, that is, a date, a time, a number of access attempts, or a similar limit beyond which the password no longer grants access. This is typically termed the password's time-to-live (TTL). A system administrator may set a password TTL to a number of hours, days, or weeks, or to almost any other suitable time measure or number of events. The TTL selected usually represents a balance between security and user burden. A relatively short TTL causes passwords to change more frequently, which narrows the window in which a guessed or compromised password remains usable; a relatively long TTL reduces the burden on users, who must create and remember each new password, but presumably reduces security, because each password remains exposed to guessing for a longer period. For example, a typical TTL for a system or network password might be 90 days, so that each user must submit a new password every 90 days in order to retain access to the system.
A further complication arising from these competing concerns is that the TTL may affect the complexity of the passwords users choose. If the TTL is relatively short, a user may become frustrated at having to create and remember a new password so frequently, and may respond by choosing passwords that are easier to remember and hence easier to guess. This problem may arise regardless of the particular TTL value: whenever users must create and remember new passwords more often than they find acceptable, the passwords they create may be weaker than the system administrator intends. Composition rules (a minimum length, a mix of character types, and so on) do not eliminate the problem, because a user may keep a base password and add a small variation to it at each change, or may choose a password similar to one used previously or in another context. Thus, the very existence of a password TTL, and particularly a short TTL, may create a disincentive for users to select more complex (and presumably more secure) passwords, and in this way may frustrate the purpose of having a password at all.
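The following Python example is added here for illustration and is not part of the original text or of the invention it describes. It models the two mechanisms discussed in the preceding paragraphs: a TTL that expires a password by elapsed time or by number of uses, and a check at change time that the replacement password is not merely the previous one with a small variation (changed case, a bumped trailing number, or a one-character edit). The class and function names, the 90-day default, the reference time, the sample passwords, and the edit-distance threshold are all assumptions chosen for illustration, not references to any real product or standard.

```python
"""Added example, not from the original text: a small password-policy
checker that models a password TTL (expiry by elapsed time or by number
of uses) and a similarity check that rejects a replacement password that
is only a small variation on the one it replaces. All names, defaults and
sample values below are assumptions chosen for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Characters users typically bump or append when "rotating" a password.
DIGITS_AND_SYMBOLS = "0123456789!@#$%^&*.?_-"

# Constructed reference time so the example runs deterministically offline.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


@dataclass
class PasswordRecord:
    """What the system remembers about the current password for TTL purposes."""
    set_at: datetime
    uses: int = 0


@dataclass
class PasswordPolicy:
    max_age: timedelta = timedelta(days=90)   # time-based TTL (assumed default)
    max_uses: Optional[int] = None            # event-based TTL; None disables it
    min_edit_distance: int = 4                # required distance from the old password

    def is_expired(self, record: PasswordRecord, now: datetime) -> bool:
        """True once either the age budget or the use-count budget is exhausted."""
        if now - record.set_at >= self.max_age:
            return True
        return self.max_uses is not None and record.uses >= self.max_uses


def record_set_days_ago(days: int, uses: int = 0) -> PasswordRecord:
    """Constructed record for a password set `days` days before NOW."""
    return PasswordRecord(set_at=NOW - timedelta(days=days), uses=uses)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute (free if equal)
        prev = cur
    return prev[-1]


def base_form(password: str) -> str:
    """Lower-case and strip the trailing digits/symbols users typically bump,
    so 'Summer2023!' and 'summer2024!' collapse to the same base 'summer'."""
    return password.lower().rstrip(DIGITS_AND_SYMBOLS)


def check_rotation(old: str, new: str, policy: PasswordPolicy) -> Tuple[bool, str]:
    """Decide whether `new` is an acceptable replacement for `old`.
    Both are plaintext: this check can only run at change time, when the user
    has just supplied the old password; exact reuse against older history
    would be done against stored hashes instead."""
    if new == old:
        return False, "reuse of current password"
    if base_form(new) and base_form(new) == base_form(old):
        return False, "same base password with different case/suffix"
    if levenshtein(old.lower(), new.lower()) < policy.min_edit_distance:
        return False, "too few edits from current password"
    return True, "ok"


if __name__ == "__main__":
    policy = PasswordPolicy(max_uses=500)
    print("expired after 90 days:", policy.is_expired(record_set_days_ago(90), NOW))
    print("expired after 500 uses:", policy.is_expired(record_set_days_ago(10, uses=500), NOW))
    for old, new in [("Summer2023!", "Summer2024!"),
                     ("Spring-Roll-2023", "Sprint-Roll-2023"),
                     ("Summer2023!", "correct horse battery staple")]:
        print(repr(new), "->", check_rotation(old, new, policy))
```

The base-form comparison catches the pattern the paragraph above describes (a fixed core with a bumped suffix), while the edit-distance threshold catches single-character substitutions that keep a different base; the threshold value is a policy choice and the example's 4 is only an assumption.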
Conventional approaches to determining an appropriate password TTL have disadvantages that may reduce the security of the device or system the password is meant to protect. Embodiments of the invention are directed toward solving these and other problems, individually and collectively.