Sending, receiving, and retrieving data over networks, to and from secured systems, generates the need to control access and enforce security policies. To control access, secured systems, such as databases and servers, implement login procedures that require the user to authenticate by providing the authenticating system with information that will positively identify the target user. This information may take the form of a user account and password. Once a password is assigned to a target user account, the user can log in by providing the authenticating system with the matching password.
However, passwords must be known only to the target user if they are to fulfill their purpose of positively authenticating the target user. Maintaining a high level of password security presents a variety of challenges. For example, use of a static, reusable password renders it vulnerable to hijacking. Misappropriation of a password can result in substantial harm to the secured system, for example, where an unauthorized entity obtains privileges and access to data. This danger becomes particularly acute for users with the privilege to access sensitive or highly secured data. To mitigate this risk, users are advised to regularly change their passwords.
A system administrator may be given authority to change user passwords. For example, a system administrator interacts with the authenticating system to configure and set or reset password values for a target user. However, this routine poses an independent security threat, namely, knowledge of the password by an entity that is not the target user, in this case, the system administrator. These routines assume that a system administrator can be trusted with this knowledge; however, this assumption compromises security.
Moreover, where access control systems restrict access based on identity, a system administrator (e.g., an information technology engineer in a Help Desk department), having fewer access privileges than a given user, may be authorized to change passwords. This inequality in access privilege creates incentives for the system administrator, or a similarly authorized entity, to misappropriate password information. Such incentives increase as access privileges of the user increase and the corresponding security risk to the secured system is thus compounded.
In view of these vulnerabilities, and in order to reduce the risk of password hijacking, what is needed is an improved way to change passwords.