1. Field of the Invention
This invention relates to a password strength checking method and apparatus and a program and recording medium thereof; a password creation assisting method and a program thereof; and a password creating method and a program thereof. In particular, the present invention relates to a password strength checking method and apparatus for checking the strength of a password; a password strength checking program used for realizing the password strength checking method and a recording medium having the program recorded thereon; a password creation assisting method for assisting creation of a strong password by analyzing and outputting which portions of the password are strong and which portions thereof are weak; a password creation assisting program used for realizing the password creation assisting method; a password creating method for allowing a password with a guaranteed strength to be created; and a password creating program used for realizing the password creating method.
2. Description of the Related Art
When a user utilizes a system operating on a computer, whether the user is the person authenticated to use the system is determined by having the user input the same password that has been registered with the computer in advance.
Because there is a possibility that a password registered with a computer may be stolen, the password is encrypted. When a user inputs a plaintext password for utilizing a system, it is encrypted. By determining whether the encrypted password matches the registered encrypted password, it is determined whether or not the user is the person authenticated to use the system.
A password registered with a computer is usually encrypted using one-way cryptography (cryptography in which it is difficult to restore the ciphertext to plaintext) in order to assure security. Accordingly, when a malicious user obtains an encrypted password registered with a computer, the attacker executes an attack called brute force, using a password guessing tool such as “John the Ripper”, to steal the plaintext password associated with the encrypted password (see Non-patent Document 1, for example). Non-patent Document 1 is, for example, “‘strong Password’ to Win Brute Force”, Mishima et al., Nikkei Network Security, Vol. 2, pp. 36-47 (2002).
Specifically, as shown in FIG. 31, an attack called brute force is executed, in which all possible characters to be used as a password are combined to generate plaintext password candidates and determination is repeatedly made about whether or not each of the encrypted (hashed) plaintext password candidates matches the encrypted password registered with the computer. This allows the plaintext password associated with the encrypted password to be stolen. The brute force may be also executed to obtain a password when a user forgets the password.
It is essential to set a strong password to assure security. However, there is at present no clear criterion for what makes a password strong. As a result, users in practice do not know well what password they should set. Though they may be advised to “use a long password” or “mix alphanumeric characters and symbols to make a password”, they still do not know concretely what password to set.
In order to prevent a password from being stolen by a malicious user, it is necessary to prevent a plaintext password from being obtained by a brute force attack in a short time.
It is, therefore, conceivable to measure the duration of time that a brute force attack using a password guessing tool would require before the password is stolen, and to use that duration as the password strength.
Though a password strength defined in this way is suitable because it directly indicates the level of security, the method is practically impossible to adopt. This is because the number of possible combinations of characters that may be used as a password, in a brute force attack using a password guessing tool, is an astronomical value, and furthermore each combination must be encrypted, so that several months may be required to determine the strength of a single password. Thus, the prior-art technology does not provide a numerical representation of password strength and, therefore, a user can only set a password that he believes to be strong.
With the above-mentioned background, we propose a novel password strength checking technique that enables calculation of a numerically represented password strength within a practical duration of time. In this new password strength checking technology, a password strength is obtained by measuring a time length during which the password can endure a brute force attack against it.
As a password guessing tool used for such a brute force attack, there is recently used a password guessing tool, such as “John the Ripper”, for generating password candidates based on statistical information of appearance frequency of characters to execute an efficient brute force attack (see the above-mentioned Non-patent Document 1).
In the above-mentioned new password strength checking technology, a password guessing tool such as “John the Ripper”, which generates password candidates based on statistical information on the appearance frequency of characters, is assumed. The strength of a password to be checked is then measured by identifying how many password generations the password guessing tool must make before it produces the password to be checked; this count corresponds to the time length during which the password endures a brute force attack.
In this measurement, the above-mentioned new password strength checking technology compares the password candidates generated by the password guessing tool, before encryption, with the plaintext password to be checked. Because no encryption of the candidates is needed, the strength of the password to be checked can be measured within a practical duration of time.
A numerically represented password strength can be certainly calculated within a practical duration of time according to the above-mentioned new password strength checking technology.
In the above-mentioned new password strength checking technology, however, though the overall strength of a password can be grasped numerically, it is impossible to grasp which portions of the password are strong and which portions thereof are weak. This leaves room for improvement.
A password created by a human being is apt to present some regularity, thereby tending to be a weak password. Accordingly, a password which is automatically generated by a password generating tool is traditionally set when a strong password is required.
Prior-art password generating tools, however, generate a password simply based on randomness and, therefore, a generated password is not always strong. In other words, a password produced by such a prior-art tool does not present the regularity of a password created by a human being, but it is not necessarily strong either.
In the present invention, focusing attention on the point that a password strength obtained by the above-mentioned new password strength checking technology can be associated with a generation rank of a password candidate generated by a password guessing tool, a user is made to input such a password strength, and a generation rank associated with the strength of the inputted password is determined. And then, a password is created using a password guessing tool based on the generation rank.
Furthermore, in the present invention, focusing attention on the point that a password strength obtained by the above-mentioned new password strength checking technology can be associated with a generation rank of a password candidate generated by a password guessing tool, a user is made to input such generation rank information of a password candidate. And then, a password is created using a password guessing tool based on the inputted generation rank.
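As an added illustration (not code from the patent or from any named tool), the following Python models a guessing tool that enumerates candidates shortest-first in character-frequency order, computes the generation rank used as the strength measure in the strength checking passages above by comparing plaintext candidates rather than hashes, and inverts that mapping to create a password of a requested rank as described in the two preceding paragraphs. The frequency table and alphabet are constructed assumptions.

```python
from itertools import count, product
# Constructed character-frequency statistics (an assumption, not data from the
# patent): a higher count means "more common", so the tool tries it earlier.
FREQ = {"a": 90, "e": 80, "1": 60, "o": 50, "s": 40, "t": 30, "9": 10, "!": 5}
# Candidate alphabet, most frequent first (ties broken by the character itself).
ALPHABET = sorted(FREQ, key=lambda c: (-FREQ[c], c))
BASE = len(ALPHABET)
INDEX = {c: i for i, c in enumerate(ALPHABET)}

def generate_candidates():
    """Plaintext candidates in the order the modelled guessing tool emits them:
    shorter first, then lexicographic in the frequency-ranked alphabet."""
    for length in count(1):
        for chars in product(ALPHABET, repeat=length):
            yield "".join(chars)

def _shorter_candidates(length):
    """Number of candidates of strictly shorter length, all emitted earlier."""
    return sum(BASE ** n for n in range(1, length))

def generation_rank(password):
    """1-based rank at which the tool emits `password` (None if it never can):
    the strength measure of the text, computed in closed form as a mixed-radix
    number instead of by hashing every candidate up to the match."""
    if not password or any(c not in INDEX for c in password):
        return None
    offset = 0
    for c in password:
        offset = offset * BASE + INDEX[c]
    return _shorter_candidates(len(password)) + offset + 1

def endurance_seconds(password, guesses_per_second):
    """Strength expressed as the time endured at the given guess rate."""
    rank = generation_rank(password)
    return None if rank is None else rank / guesses_per_second

def password_at_rank(rank):
    """Inverse of generation_rank: the candidate emitted at exactly `rank`."""
    if rank < 1:
        raise ValueError("rank must be >= 1")
    length = 1
    while rank > _shorter_candidates(length + 1):
        length += 1
    offset = rank - _shorter_candidates(length) - 1
    chars = []
    for _ in range(length):
        offset, i = divmod(offset, BASE)
        chars.append(ALPHABET[i])
    return "".join(reversed(chars))
```

A real tool's candidate order is more elaborate than this length-then-lexicographic model, but the rank-to-password inverse shown here is what lets a requested strength be turned into a password with exactly that rank.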