1. Technical Field
The present invention relates in general to data processing and in particular to password protection of data processing systems. Still more particularly, the present invention relates to a method and system for password protection of a data processing system that permit a user-selected password to be recovered.
2. Description of the Related Art
Password protection is commonly utilized to control access to individual computer systems, computer networks, and other data processing resources. Each time a user desires to obtain access to a password protected resource, the user must enter a password. If the password entered by the user is valid, the user is permitted to access the password protected resource; if the entered password is invalid, no access is granted.
The security of protected data processing resources can be enhanced by increasing password complexity, which may entail, for example, enforcing a minimum password length, requiring the user to enter multiple passwords (e.g., a pass phrase), or requiring case-sensitive passwords or passwords containing both letters and numbers. Security is even further enhanced by limiting the duration of password validity. Thus, in very secure systems, passwords may be valid for only a single day or even a single access.
When administering a large collection of data processing resources such as an enterprise, a significant amount of the administrative cost is attributable to implementation of a password protection policy. Because the administrative burden of generating and distributing passwords from a central location to a large number of users is prohibitive, particularly when the passwords have limited durations of validity, it is preferred for users to be able to select and set their own passwords. In addition to lowering the administrative burden, user selection of passwords (as opposed to central assignment) has the additional benefit of increasing the likelihood is that a user will remember his password.
The ability of a user to remember his password(s) is a key concern in systems in which passwords are user-selected. It is highly desirable from a security standpoint that users refrain from writing down or so otherwise recording their passwords. However, relying on users to memorize their passwords requires that some mechanism be available that permits authorized access to a data processing resource protected by a user-selected password in the event that a user forgets his password.
The present invention satisfies the need to permit authorized access to a data processing resource protected by a user-selected password in the event that a user has forgotten the password by enabling the recovery of the password from an encrypted version of the password stored by the protected data processing system resource.
In accordance with the present invention, an access password and an encryption key unique to a protected resource are stored in non-volatile storage at a data processing system, where the encryption key is at least partially derived from unique information associated with the protected resource. In response to receipt of an attempted access password at the data processing system, access to the resource is permitted if the attempted access password matches the stored access password. However, in response to an indication that the access password has been forgotten, an encrypted access password generated at the data processing system from the stored access password utilizing the encryption key is output from the data processing system. The access password can thereafter be recovered from the encrypted access password and the unique information.
All objects, features, and advantages of the present invention will become apparent in the following detailed written description.