This invention relates to providing software security by controlling access to data processing systems, and more particularly to data processing security systems that require the user to employ a username and a password to gain access to data.
FIG. 1 is a flow chart illustrating a typical prior art username/password system for gaining access to data stored in a shared data storage device 18 of a data processing system (hereinafter “system”) accessible by multiple users. When a potential user addresses the system, as indicated by START block 7 in FIG. 1, the response of the system in username request block 8 is to request a username (e.g. a credit card number, or any equivalent identifier, referred to hereinafter as a username). Then, to gain access to shared data in the data storage device 18, the user must enter a username in a username entry block 9 (e.g. by key entry on a keyboard, or by stating the username over a telephone or microphone, etc.). The username decision block 10 of the system then decides whether the username is valid (YES) or invalid (NO). If the username entered is invalid, the system sends a signal (indicated by a username invalid line 11) back to the username request block 8, where the system again asks for a username; this makes it possible for the potential user to enter a correct username in the username entry block 9, if the choice is made to repeat the attempt to gain access to the data in the system.
When the username decision block 10 determines that the username entered is valid (YES), the system responds by sending a signal (indicated by a username valid line 13) to the password request block 12, which requests entry of a password (which may comprise a Personal Identification Number (PIN), an access code, or the like). The potential user must then enter a password, as indicated by the password entry block 14. Next, as indicated by the password validity decision block 15, the system decides whether the password that was entered is valid (YES) or invalid (NO). If the password entered is invalid, the system sends a signal (indicated by the password invalid line 16) back up to the password request block 12, where the system repeats the request for a password.
If the password entered in the password entry block 14 is valid, the password validity decision block 15 provides a YES signal on the password valid line 17 granting the user access to the data as the system provides access to the data block associated with the username and the password in the shared data storage device 18. This is how all commercially available accounts normally work, e.g. UNIX, email, Windows, etc. For each username there is only one password, which must be entered in block 14. The data stored in the shared data storage device 18 is accessible when the correct username is entered in the username entry block 9 followed by entry of the correct password in the password entry block 14 for the data associated with the username.
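The FIG. 1 flow, written as a small login routine so the two retry loops (line 11 and line 16) and the two grant/deny decisions can be traced on concrete inputs. This is an added example and not part of the patent text; the salted PBKDF2 password hashing, the constant-time comparison, and the `AccountStore`, `login`, `username_attempts` and `password_attempts` names are assumptions of the example, since the description says nothing about how the password is stored or compared.

```python
import hashlib
import hmac
import os

# Added example (not from the patent text): the FIG. 1 username/password flow
# as a login routine. Salted PBKDF2 storage and the constant-time comparison
# are assumptions of this example; the figure only says "valid" / "invalid".

PBKDF2_ROUNDS = 100_000


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class AccountStore:
    """Stands in for the shared data storage device 18: one password per
    username, plus the data block associated with that username."""

    def __init__(self):
        self._accounts = {}  # username -> (salt, password hash, data block)

    def add(self, username, password, data):
        salt = os.urandom(16)
        self._accounts[username] = (salt, _hash_password(password, salt), data)

    def username_valid(self, username):
        # Username decision block 10.
        return username in self._accounts

    def password_valid(self, username, password):
        # Password validity decision block 15 (only reached for a valid username).
        salt, stored, _ = self._accounts[username]
        return hmac.compare_digest(_hash_password(password, salt), stored)

    def data_for(self, username):
        return self._accounts[username][2]


def login(store, username_attempts, password_attempts):
    """Walk the FIG. 1 flow over scripted inputs (stand-ins for key entry in
    blocks 9 and 14). Returns (data block or None, trace); the trace lists the
    figure's signal lines in the order taken: line 11 (username invalid, ask
    again), line 13 (username valid), line 16 (password invalid, ask again),
    line 17 (password valid, access granted). Running out of attempts models
    the user choosing not to try again."""
    trace = []
    username = None
    for candidate in username_attempts:  # blocks 8-10, looping over line 11
        if store.username_valid(candidate):
            username = candidate
            trace.append("line 13")
            break
        trace.append("line 11")
    if username is None:
        return None, trace
    for candidate in password_attempts:  # blocks 12-15, looping over line 16
        if store.password_valid(username, candidate):
            trace.append("line 17")
            return store.data_for(username), trace
        trace.append("line 16")
    return None, trace


if __name__ == "__main__":
    store = AccountStore()
    # Constructed sample account for the demonstration.
    store.add("alice", "correct horse", data="alice's data block")
    print(login(store, ["alicia", "alice"], ["wrong", "correct horse"]))
```

The trace makes a property of the figure visible: because block 10 answers before any password is requested, a caller learns from line 11 versus line 13 whether a username exists, and neither loop in FIG. 1 limits the number of retries. Both are worth noting when such a flow is deployed on a shared or public terminal, the setting the following paragraphs describe.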
Heretofore internet users have often logged into websites that require password identification. Often users need to use public terminals at libraries or airports. Additionally, many users share computers belonging to others when they have no access to their own computers. A security problem exists because the user is usually unaware of what malware, spyware, key loggers, or other security holes there may be on the shared system. This makes users uneasy about entering a password on such shared machines. Thus there is the problem that businesses lose customers who refuse to visit their sites from shared computers because of such security concerns.
For example, many users or customers perform banking online, but many such users are hesitant to use a password on a public computer terminal because they fear that an unauthorized person, such as a thief, an investigator, or a data collecting agency, could or would gain access to all their information. Such access could permit unauthorized actions such as use of the data or the taking of unauthorized control of the data in the system. Such unauthorized actions would include use of private information, control of assets in accounts, dispensing assets via an Automatic Teller Machine (ATM), transfer of assets to other accounts, commission of identity theft, as well as commission of other crimes and transgressions.
For example, if an authorized user were personally unable to gain access to a computer or computer terminal and wanted to check an email account, the authorized user would be required to give another person access to the username and password for that account. That action is undesirable because people frequently use the same password for multiple accounts. Additionally, by revealing the username and password the person receiving that information would have present and future access to the related account without any limitations.
U.S. Pat. No. 6,484,263 of Liu entitled “Security Profile for Web Browser” discloses a security profile for web browsers with a browser receiving a username-password challenge from a Web server. The user does not have to supply the username and password manually once the triple of (URL, username, password) is stored in the user security profile. The browser sends the challenging Web server the username and password that is associated with the matched URL.
U.S. Patent Application Publication No. US2006/0021036 of Chang et al. entitled “Method and System for Network Security Management” describes providing a user database established at a server comprising a plurality of first usernames and a plurality of corresponding first user passwords. The usernames and corresponding passwords are calculated and obtained for generating a plurality of user key values.
Application Publication No. US2006/0112424, of Coley et al. entitled “Method for Authenticating a User Access Request” uses a firewall to authenticate a user access request that employs first password portions sent from the user over a first medium of communication and second password portions sent to the user over a second medium of communication (i.e. a medium other than the first communication medium) responsive to receiving a valid username and first password portion pair from the user. The firewall may also send a password associated with a username to a mobile device for verification.
U.S. Application Publication No. US2006/0085649 of Wong entitled “Method for Accommodating Multiple Verifier Types with Limited Storage Space” describes a system receiving a username and a password. Following receipt of a username and password, the system looks up an associated verifier type and verifier based on the username, with the verifier generated for the user password, and allows a computer system to offer a different verifier type to a newly added user.
U.S. Pat. No. 7,114,078 of Carman entitled “Method and Apparatus for Storing Usernames, Passwords Associated Network Addresses In Portable Memory” describes a username and a password associated with a particular URL.
J. Watt et al., “A Shibboleth-Protected Privilege Management Infrastructure for e-Science Education”; Vol. 00, Proceedings of the Sixth IEEE International Symposium on Cluster Computing and the Grid (CCGRID'06), pp. 357-364 (2006); ISBN 0-7695-2585-7, describe providing usernames associated with passwords which have varying levels of privileges within a privilege management and security infrastructure.
Three articles from the Proceedings of the Second Symposium On Usable Privacy and Security (SOUPS), Jul. 12-14, 2006, Pittsburgh, Pa., were published in the ACM International Conference Proceeding Series, Vol. 149; ISBN 1-59593-448-0. The three articles include Ka Ping Yee et al., “Passpet: Convenient Password Management and Phishing Protection”, pp. 32-43; Shirley Gaw et al., “Password Management Strategies for Online Accounts”, pp. 44-55; and Furkan Tari et al., “A Comparison of Perceived and Real Shoulder-surfing Risks between Alphanumeric and Graphical Passwords”, pp. 56-66. Yee et al. disclose password management and a different password for each account within a browser user interface. Gaw et al. disclose password management for online accounts with users or usernames having three or more passwords relative to a particular environment or need. Furkan Tari et al. discuss the possibility that graphical passwords may offer both a secure and usable solution to network- and Internet-based user authentication.