1. Field of the Invention
The present invention relates to computer networks and network security, and in particular, to systems and methods for creating and using strong passwords.
2. Related Art
Public networks, such as the Internet, hold tremendous potential for many industries. The public networks provide users with vast amounts of data that can be quickly and cost-effectively accessed from virtually anywhere. The Internet, for example, allows users to access databases such as web page servers from any computer connected to the Internet.
Along with the emergence of public networks and the content/service providers therein comes an imperative need to preserve the confidentiality of some of the sensitive information supplied by the web page servers. If such measures are not taken, sensitive or private information may be accessed, modified, or intercepted by an unauthorized party. Therefore, web page servers must be able to confirm the identity of their online users or visitors before granting access to private information.
A user identification and password combination has long been used as a way to authenticate a user, and public key cryptographic systems are used to provide digital signatures and encryption. A password often comprises a secret series of characters that enables a user to access a file, computer, or program. On multi-user systems, each user must enter his or her password before the computer will respond to commands. The password essentially helps to determine that a user requesting access to a computer system is really that particular user.
Besides the user identification and password combination, a questions-and-answers combination is also used for authentication and protection purposes. Instead of entering a secret password associated with a user identification, a user is presented with a series of questions and asked to provide answers to the questions. These questions are pre-stored on a remote server, with which the user has previously registered and created the questions and the answers corresponding to the questions. Examples of such questions may be inquiries regarding the user's birthday and city of birth. Upon receiving the answers provided by the user, the remote server compares the answers provided by the user with the answers pre-stored on the remote server. If the former answers and the latter answers are the same, the user is granted access to sensitive or private information such as a cryptographic key or private record.
Currently, the market offers implementations of questions and answers to form passwords. However, these questions are released without prior authentication. This allows anyone, including an unauthorized user, to obtain the questions without first being authenticated. The unauthorized person could then do research on the questions to find the answers. Once the unauthorized person obtains the answers to the questions, he/she could use them to impersonate the authorized user and obtain sensitive or private information of the authorized user. For example, one's cryptographic key or private record may be obtained.
Another problem lies in the fact that these present implementations store the actual answers to the questions or the hash of each answer on a remote server that manages access to restricted information. This further exposes the answers to attack from within. Therefore, there is a need for a system and method of providing and using strong passwords while avoiding storing actual answers or the hash of each answer in a remote server.
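The following Python example is added here to illustrate the related-art scheme just described and the weakness noted above; it is not code from the patent. It implements the registration and comparison flow of the preceding paragraphs (one salted SHA-256 per answer stored on the server) and then an audit helper showing that, because an answer such as a date of birth comes from a small answer space, anyone holding the stored record can recover the answer from its hash in a bounded number of guesses. The question texts, sample answers and the 1940-2005 date range are constructed assumptions; the function names are hypothetical.

```python
import hashlib
import hmac
import os
from datetime import date, timedelta

# Constructed sample question set, as a user might register it on the remote server.
QUESTIONS = ["What is your date of birth (YYYY-MM-DD)?", "In which city were you born?"]


def normalize(answer: str) -> str:
    """Canonicalize an answer so that trivial differences in case/spacing do not fail the check."""
    return " ".join(answer.strip().lower().split())


def register(answers):
    """Server-side record in the related-art style: one salted SHA-256 digest per answer."""
    record = []
    for a in answers:
        salt = os.urandom(16)
        digest = hashlib.sha256(salt + normalize(a).encode()).digest()
        record.append((salt, digest))
    return record


def verify(record, answers):
    """Compare the user's supplied answers with the stored per-answer digests."""
    if len(record) != len(answers):
        return False
    ok = True
    for (salt, digest), a in zip(record, answers):
        cand = hashlib.sha256(salt + normalize(a).encode()).digest()
        # constant-time comparison; still evaluate every answer to avoid leaking which one failed
        ok &= hmac.compare_digest(cand, digest)
    return ok


def answer_space_size(start=date(1940, 1, 1), end=date(2005, 12, 31)):
    """Number of distinct YYYY-MM-DD answers in the assumed range (upper bound on guesses)."""
    return (end - start).days + 1


def guesses_to_recover_date(salt, digest, start=date(1940, 1, 1), end=date(2005, 12, 31)):
    """Audit helper: how many guesses does someone holding the stored (salt, digest)
    need to recover a date-of-birth answer? Returns (guesses, recovered_answer_or_None).
    The salt defeats precomputed tables but not enumeration of a tiny answer space."""
    d = start
    n = 0
    while d <= end:
        n += 1
        if hashlib.sha256(salt + d.isoformat().encode()).digest() == digest:
            return n, d.isoformat()
        d += timedelta(days=1)
    return n, None


def demo():
    """Run the flow end to end; returns a summary so the behaviour can be checked."""
    answers = ["1985-07-14", "Lisbon"]          # constructed sample answers
    record = register(answers)
    accepted = verify(record, ["1985-07-14 ", "lisbon"])
    rejected = verify(record, ["1985-07-15", "Lisbon"])
    salt, digest = record[0]
    guesses, recovered = guesses_to_recover_date(salt, digest)
    return {
        "accepted": accepted,
        "rejected": rejected,
        "space": answer_space_size(),
        "guesses": guesses,
        "recovered": recovered,
    }


if __name__ == "__main__":
    print(demo())
```

The point of `guesses_to_recover_date` is the risk stated in the text: a per-answer digest of a low-entropy answer is recoverable by whoever can read the server's record, so salting and hashing each answer individually does not remove the exposure from within.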