1. Field of the Invention
The present invention relates to the field of network security and more particularly to compromised password use in a network environment.
2. Description of the Related Art
Applications level security has been of paramount concern for applications administrators for decades. While access to an application, its features and data can be of no consequence for the most simple of computing tools such as a word processor or spreadsheet, for many applications, access must be restricted. For example, in multi-user computing applications such as groupware, financial applications, social networking applications and other such applications processing sensitive data, as well as in computing administration type applications, protecting both confidentiality and access to important and powerful computing functions can be so important so as to require access control.
Generally, applications level security incorporates authentication logic for retrieving or otherwise obtaining unique data such as a pass-phrase, key, PIN, code, biometric data, or other such personally identifying information (collectively referred to as a “password”). Once retrieved, the password along with a user identifier can be compared to a known password for the user. If the comparison can be performed favorably, the password can be validated and access can be granted to the user as requested. In contrast, if the comparison cannot be performed favorably, access to the user can be denied. Moreover, protective measures such as invalid attempt logging can be activated.
Password based authentication to an application inherently requires the creation of a password, oftentimes by the end user to be associated with the password. Simple passwords bear no restrictions in form and commonly result in the end user selecting an easy to remember term or series of digits, such as a birth date, the name of a child, the name of a favorite pet, and the like. Passwords of this nature are referred to as “weak” in that one seeking to guess the password need only know some basic information regarding the end user, or a simple pattern users use to generate passwords, to brute-force identify the password. Accordingly, sophisticated password authentication schemes require the creation of a “strong” password of a minimum length and minimum mix of alphabetical characters and numerical characters to provide a large enough space for guessing that a brute force attack cannot succeed before it is noticed and defensive measures are used (disabling accounts, for example). Strong password schemes also prohibit the reuse of a password once the password expires which generally is required by the strong password scheme after a short period of time.
Notwithstanding, the use of a strong password scheme is not without its limitations. First, in smaller multi-user application environments in which multiple end users interact in a common computing environment, the requirement to frequently change a password can be inconvenient to the end user requiring the end user to continuously re-memorize a new password. Further, the requirement to create a complex password according to password content rules can be frustrating to the end user. Even yet further, the multi-user application may have password rules slightly different from those of the user's business, creating more burden on the user to create even more passwords. In consequence, human factors studies have shown the reluctance of end users to adopt usage of a new application when the password authentication scheme is strong in nature. Yet, to implement only a weak password scheme for an application exposes the application to malicious intrusions and resulting breaches of security and privacy.