Daily life requires the use of a wide variety of information devices, such as mobile phones, personal computers, notebook computers, and tablet computers, and these devices may keep users' personal data and identity data. Due to the prevalence of networks, an increasing number of functions are performed on-line. In particular, servers have to store users' personal data and identity data in order to provide network services, such as social networking services, webpage/email services, mobile commerce services, on-line banking transaction services, database access services, or content and information provider services. Hence, to ensure security and privacy, servers usually require that users follow an authentication procedure that verifies their identity before they may access the services. At present, one of the most common authentication procedures is a password-based challenge procedure whereby a server requires a user to enter a username and a password for identity verification (commonly known as "login") before granting access to its services, in order to prevent the user's personal data from being stolen or fraudulently altered.
With network coverage and accessibility increasing rapidly, attackers are increasingly likely to target a user's password in order to impersonate the user. Simple passwords therefore no longer provide adequate protection, and various mechanisms have been put forth to provide better protection. For example, users are required to create a password that meets requirements of length, complexity, and unpredictability, such that the strength of the password is sufficient to fend off brute-force and dictionary attacks. Furthermore, users are required to change their passwords regularly so that old passwords are invalidated, thereby reducing the chance that a password will be cracked before it is retired. The aforesaid mechanisms enhance security and thus help users protect their accounts.
However, referring to FIG. 1, a client end 100 requests access to different web services through a network 140 and, in response to a challenge 101, completes a username/password authentication procedure 102 provided by each of website A 110, website B 120, and website C 130. In practice, most users use different usernames/passwords to log in to website A 110, website B 120, and website C 130, respectively. The aforesaid mechanisms therefore require users to memorize a separate password for the web services of each website. Furthermore, users usually log in to only a small number of websites on a daily basis, and are thus unlikely to accurately remember the passwords of websites they seldom visit; hence, they have to guess the rarely-used passwords, not to mention that their accounts may be locked out after several incorrect password entries.
Therefore, there is a need to assist users in memorizing troublesome passwords while ensuring security. One solution lies in conventional one-time password (OTP) technology. However, OTP technology can deliver passwords to users only when an additional means of generating or receiving them is available; in most circumstances, OTP technology requires a dedicated electronic device (a token) that holds the secret from which the passwords are derived. Chances are the electronic device will get lost, and with it the ability to generate the passwords, so this risk is always present. Furthermore, it is unlikely that an organization will share its OTP generation mechanism (and the underlying secret) with another organization; hence, to access web services provided by different websites, a user has to use a separate device for each. Therefore, users have to carry multiple portable electronic devices, thereby adding to the risk of loss.
Another solution is provided by a password hint mechanism. However, this mechanism works at the cost of undermining password security, because unauthorized persons can also see the password hint, which helps an attacker crack the password. Furthermore, the mechanism is not effective at giving an appropriate hint for a complicated password. Therefore, sensitive systems nowadays seldom use it.
Many methods for providing a more secure password-based challenge have been proposed, one of which is disclosed in U.S. Pat. No. 7,653,818, which is incorporated herein by reference in its entirety. It discloses a method of combining a password with a timing factor, such as a time limit on the keystrokes or a predetermined length of pause between keystrokes, to enhance security and prevent unauthorized access.
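The following added example, which is not taken from the original specification or from U.S. Pat. No. 7,653,818 and does not claim to reproduce that patent's method, illustrates the general idea of a keystroke-timing factor in Python. During enrolment the user types the password several times and the key-down timestamps are reduced to inter-keystroke intervals; at login the attempt must match the stored password hash and, in addition, each interval must fall within a tolerance of the enrolled mean, with an overall time limit on the whole entry. The password, timestamps, tolerance (0.1 s) and time limit (3 s) are constructed values chosen for this example; a production system would typically derive per-interval tolerances from the observed variance rather than use a single absolute bound.

```python
import hashlib
import hmac
import os
import statistics
from typing import List, Sequence, Tuple

# A keystroke is (character, key-down time in seconds since the first key of the entry).
Keystrokes = Sequence[Tuple[str, float]]


def keystrokes(text: str, times: Sequence[float]) -> List[Tuple[str, float]]:
    """Pair each typed character with its key-down time (constructed input helper)."""
    if len(text) != len(times):
        raise ValueError("one timestamp per character is required")
    return list(zip(text, times))


def typed_text(ks: Keystrokes) -> str:
    return "".join(c for c, _ in ks)


def intervals(ks: Keystrokes) -> List[float]:
    """Inter-keystroke intervals: the timing factor that is checked in addition to the password."""
    times = [t for _, t in ks]
    return [later - earlier for earlier, later in zip(times, times[1:])]


class TimingProfile:
    """Stored per user: a salted password hash plus the mean interval between each pair of keys."""

    def __init__(self, password: str, samples: Sequence[Keystrokes],
                 tolerance: float = 0.1, max_total: float = 3.0):
        if any(typed_text(s) != password for s in samples):
            raise ValueError("every enrolment sample must spell the password exactly")
        self.salt = os.urandom(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        rows = [intervals(s) for s in samples]
        self.mean = [statistics.fmean(col) for col in zip(*rows)]  # one mean per key pair
        self.tolerance = tolerance      # allowed deviation from the mean, in seconds
        self.max_total = max_total      # time limit for the whole entry, in seconds

    def verify(self, attempt: Keystrokes) -> bool:
        # 1. The password itself must be correct (constant-time hash comparison).
        candidate = hashlib.pbkdf2_hmac("sha256", typed_text(attempt).encode(), self.salt, 100_000)
        if not hmac.compare_digest(candidate, self.pw_hash):
            return False
        # 2. The timing factor: overall time limit and per-interval rhythm must both hold.
        ivs = intervals(attempt)
        if sum(ivs) > self.max_total:
            return False
        return all(abs(iv - m) <= self.tolerance for iv, m in zip(ivs, self.mean))


# Constructed enrolment data: the same user types "secret" three times with a similar rhythm.
ENROLMENT_SAMPLES = [
    keystrokes("secret", [0.00, 0.20, 0.45, 0.60, 0.90, 1.05]),
    keystrokes("secret", [0.00, 0.22, 0.43, 0.62, 0.88, 1.07]),
    keystrokes("secret", [0.00, 0.18, 0.47, 0.58, 0.92, 1.03]),
]


def build_demo_profile() -> TimingProfile:
    return TimingProfile("secret", ENROLMENT_SAMPLES)


if __name__ == "__main__":
    profile = build_demo_profile()
    genuine = keystrokes("secret", [0.00, 0.21, 0.45, 0.61, 0.90, 1.06])
    impostor = keystrokes("secret", [0.00, 0.50, 1.00, 1.50, 2.00, 2.50])  # knows the password, wrong rhythm
    too_slow = keystrokes("secret", [0.00, 1.00, 2.00, 3.00, 4.00, 5.00])  # exceeds the time limit
    wrong_pw = keystrokes("secreT", [0.00, 0.21, 0.45, 0.61, 0.90, 1.06])
    print("genuine :", profile.verify(genuine))
    print("impostor:", profile.verify(impostor))
    print("too slow:", profile.verify(too_slow))
    print("wrong pw:", profile.verify(wrong_pw))
```

The point of the example is the second factor: an attacker who has obtained the password string still fails unless the keystroke rhythm also matches, which is what a timing factor adds over a plain password check.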