1. Technical Field
The present invention relates generally to computer system security, and more particularly to a system and method to check user password validity when accessing computer system resources.
2. Related Art
Prompting for a user password controls a user's access to many different types of computer resources. Entry of a password may be required to log on to a network or a host, to open a standalone application, or to access certain data. Entry of a correct password may be sufficient to grant a user access to a data processing system. Alternatively, the user may be known to the data processing system by a unique user identifier (userid, or ID), and that unique userid may have a unique password associated with it. To gain access to the data processing system, the user first enters the user's userid and then enters the user's password. A scenario for specifying a userid and a password is shown in FIG. 1, in accordance with the prior art.
A user 101 interacts with a computer system 100 comprising an output device 102 (typically, a display), an input device 103 (typically, a keyboard and/or a pointing mouse), a local software program called ‘agent’ 104 to handle the password exchange between the input device 103 or the output device 102 and an application to be accessed, and a software program called ‘application’ 105 that the user requests to access.
In a first step 110, the user 101 issues a registration request towards the application 105 via the input device 103; the request is relayed by the agent 104.
In a second step 111, the application 105 prompts the user 101 to provide an identifier (denoted ID) and an associated password. This prompt is relayed by the agent 104 before being posted on the output device 102.
In a third step 112, the user 101 provides the required ID and password, still relying on the input device 103 and agent 104.
In a fourth step 113, the application 105 validates the received ID and password; e.g., through a reference table look-up.
In a fifth step 114, the application 105 grants registration to the user 101. This granting is relayed by the agent 104 before being posted on the output device 102.
Afterwards, a trusted user/application transaction 115 may follow this registration procedure.
In this scenario, the human-machine interaction 120 takes place between the user 101 and either the output device 102 (when the user is receiving information) or the input device 103 (when the user is providing information). In the latter case, the retrieval of the data 121 specified by the user is done under the control of the agent 104 through the input device 103. Information retrieved by the agent 104 can afterwards be shared with the application 105, regardless of whether the agent and the application are proximate. In the typical case where the application is remote from the agent, a security exposure 122 exists between the agent 104 and the application 105, as eavesdroppers may try to tap the agent-application information exchange.
A problem in the previous scenario, and more precisely at step 112, is that the exchange of the sensitive information (ID and password) from the agent 104 to the application 105 does not depend on the way the information has been retrieved by the agent 104, but only on the value of this information. Moreover, the verification 113 of the specified information is done solely by the application 105.
A consequence is that some password-related information (such as the way the password was retrieved) is not used to further validate the correctness of the ID and password, and that the validation of the information is done only after the information exchange, which exposes it to security risks.
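The following is an added illustration, not code from the patent, that models steps 112 to 114 of the prior-art scenario in FIG. 1 and makes the stated limitation observable. The agent 104 is given a constructed label for how the input device obtained the credentials (for instance 'typed' or 'pasted'), but, as in the text, relays only the credential values; the application 105 validates by a reference-table look-up. The salted hash stored in the table and the input-method labels are assumptions made for the example, since the page does not specify the table's contents.

```python
import hashlib
import hmac
import secrets

# Number of key-stretching rounds (assumed value, kept small so the example runs quickly).
ROUNDS = 10_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256 of the password (assumed table format, not specified on the page)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ROUNDS)


def make_reference_table(credentials: dict) -> dict:
    """Build the application's reference table: userid -> (salt, salted hash)."""
    table = {}
    for userid, password in credentials.items():
        salt = secrets.token_bytes(16)
        table[userid] = (salt, _hash_password(password, salt))
    return table


class Application:
    """Models application 105: validates ID and password by reference-table look-up (step 113)."""

    def __init__(self, table: dict):
        self.table = table

    def validate(self, message: dict) -> bool:
        entry = self.table.get(message["id"])
        if entry is None:
            return False
        salt, expected = entry
        # Constant-time comparison so the look-up does not leak timing information.
        return hmac.compare_digest(_hash_password(message["password"], salt), expected)


class Agent:
    """Models agent 104: relays the credentials captured by the input device 103 (step 112).

    `input_method` is a constructed label describing how the input device obtained the
    credentials. The prior-art agent discards it: the relayed message depends only on
    the credential values, which is the limitation the text describes.
    """

    def relay(self, userid: str, password: str, input_method: str) -> dict:
        return {"id": userid, "password": password}


def registration(app: Application, agent: Agent, userid: str, password: str, input_method: str):
    """Run steps 112 to 114 and return (message crossing link 122, whether access was granted)."""
    wire_message = agent.relay(userid, password, input_method)  # exposed on the agent-application link
    granted = app.validate(wire_message)  # validation happens only after the exchange
    return wire_message, granted


if __name__ == "__main__":
    app = Application(make_reference_table({"alice": "correct horse"}))  # constructed sample user
    agent = Agent()
    typed, ok_typed = registration(app, agent, "alice", "correct horse", "typed")
    pasted, ok_pasted = registration(app, agent, "alice", "correct horse", "pasted")
    print("granted:", ok_typed, ok_pasted)
    print("same message regardless of input method:", typed == pasted)
```

Running the model shows that the two registrations, obtained through different input methods, produce identical messages on the agent-application link and that the password value itself crosses that link before any validation takes place, which is exactly the exposure the text attributes to the prior art.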
Thus, there is a need for improving security associated with the validation of passwords.