Existing software products allow users to remotely access their personal information management (PIM) data such as voice mail from any touch-tone telephone. Securing access to this PIM data is vital and, in keeping with standard voicemail products, the existing software products may be configured to require a personal information number (PIN) for authentication before granting a user permission to hear and/or send information. Advantages of PIN-based authentication include user familiarity with this paradigm and minimal hardware requirements (e.g., a telephone) for the end user.
While convenient, however, PIN-based security has numerous shortcomings. Existing systems do not securely persist PINs for subsequent validation during the logon process. Current locations for storing the PINs have information disclosure problems or are unprotected against owner tampering.
Further, numeric-only PINs carry substantially less cryptographic entropy than alpha-numeric passwords. Numeric-only PINs allow ten choices per position, while alpha-numeric PINs may have seventy or so possible choices. Even PINs of nearly impractical lengths (e.g., ten digits) that are obfuscated by industry-standard one-way hash algorithms such as SHA512 can be quickly cracked by a dictionary-style attack. In general, the typical one-way hash is only marginally better than no protection at all.
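The entropy comparison above, and the reason a plain hash does not rescue a numeric PIN, can be made concrete. The following is an added example written for this page, not code from the original text or from any product it describes: it computes the keyspace in bits for a given alphabet size and length, estimates how long an exhaustive search of that keyspace takes at an assumed guess rate, and contrasts a bare hash with a verifier that is salted, iterated (PBKDF2) and keyed with a server-side secret ("pepper") held outside the PIN store. The pepper value, the iteration count and the guess rate used in the demonstration are assumptions chosen for illustration.

```python
"""Added example (not from the page): PIN keyspace arithmetic and a salted,
stretched, keyed verifier for persisting PINs. All rates and parameters
below are assumptions for illustration, not measured values."""
import hashlib
import hmac
import math
import os


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random secret with alphabet_size**length values."""
    return length * math.log2(alphabet_size)


def exhaustive_search_seconds(alphabet_size: int, length: int,
                              guesses_per_second: float) -> float:
    """Worst-case time to enumerate the whole keyspace at the given guess rate.

    With an unkeyed hash (e.g. bare SHA512) an attacker holding the stored
    digest can run this search offline, so the rate is bounded only by hardware.
    """
    return alphabet_size ** length / guesses_per_second


# Assumption: a server-side secret kept outside the PIN store (HSM/KMS in
# practice). Without it, a stolen store cannot be attacked offline at all.
PEPPER = b"constructed-demo-pepper-not-for-production"
ITERATIONS = 100_000  # assumption: tuned so one verification costs tens of ms


def create_verifier(pin: str, pepper: bytes = PEPPER) -> dict:
    """Build the record to persist instead of the PIN or its bare hash."""
    salt = os.urandom(16)  # per-user salt defeats precomputed tables
    stretched = hashlib.pbkdf2_hmac("sha512", pin.encode(), salt, ITERATIONS)
    tag = hmac.new(pepper, stretched, "sha256").digest()  # keyed with the pepper
    return {"salt": salt, "iterations": ITERATIONS, "tag": tag}


def verify_pin(pin: str, record: dict, pepper: bytes = PEPPER) -> bool:
    """Recompute the verifier and compare in constant time."""
    stretched = hashlib.pbkdf2_hmac("sha512", pin.encode(),
                                    record["salt"], record["iterations"])
    expected = hmac.new(pepper, stretched, "sha256").digest()
    return hmac.compare_digest(expected, record["tag"])


if __name__ == "__main__":
    # Assumed offline guess rate for an unkeyed fast hash; illustration only.
    rate = 1e9
    for alphabet, length in [(10, 4), (10, 10), (70, 4), (70, 8)]:
        bits = keyspace_bits(alphabet, length)
        secs = exhaustive_search_seconds(alphabet, length, rate)
        print(f"alphabet={alphabet:2d} length={length:2d} "
              f"entropy={bits:5.1f} bits  exhaustive search={secs:,.1f} s")
    record = create_verifier("1234")  # constructed sample PIN
    print("correct PIN accepted:", verify_pin("1234", record))
    print("wrong PIN rejected:", not verify_pin("4321", record))
```

The arithmetic makes the page's point: ten digits is about 33 bits, so at the assumed rate the whole keyspace of a bare hash falls in seconds, while the salt, the iteration count and above all the pepper turn an offline search into one that needs the server secret and can therefore be throttled and monitored on the server side.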