This invention relates to the World Wide Web and more specifically, to a method for providing access to multiple Web-based accounts via a secure common password.
The amount of Internet related services available, such as product and information providers and retailers is ever-expanding. Typically, many of these product/service providers and/or information purveyors will require a user to create and maintain an account to gain access to the products, services or information which is being offered over the Internet. These accounts are usually accessed by the user providing a user identification (ID) and a password to gain access to the account. For example, a user may have multiple user IDs and password for their accounts ranging from one or more electronic commerce sites, primarily content based sites, electronic mail accounts, stock trading and/or research accounts, etc. Consequently, a user is faced with having to remember many different passwords which provide access to each of these different accounts. Theoretically, a user may select and use the same password for all of their different account to facilitate the login process for these multiple accounts However, such a course of action would not be considered prudent since an unauthorized disclosure of the password would compromise the security and integrity of all of the user's accounts.
Currently, a Web-based method to ease and facilitate a user's login procedure is to save user IDs and passwords as cookies at a user's computers. With cookies, the user doesn't have to remember all of their respective user IDs and passwords since they are saved in the cookies. However, cookies are deficient in that the information stored in the cookies is not readily portable. For example, a user will not be able to access his/her account from another computer other than the user's typical computer, whether it may be a home or a work computer, since the cookies are stored only locally on the user's home and/or work computer. In addition, cookies and cookie-like facilities may be vulnerable to some security breaches if these cookies are not properly managed, such as if the user's computer is shared by other third parties. Furthermore, cookies and cookie-like facilities do not guarantee the independence between different passwords since the user may still choose the same user ID and password for many accounts which is undesirable as discussed earlier herein.
Other prior art attempts to provide improved password protection services involve proxy-based services that can automatically generate random passwords for different accounts for users who browse Web via proxies provided by the account service providers. Typically, these services require a user to use a password to authenticate himself to the proxy. When a user re-visits an account protected by a proxy-generated password, the proxy will find the corresponding password from its storage and supplies it to the account automatically. While this proxy method may address some of the portability problem experienced by, for example, cookies and cookie-like facilities, and may guarantee the independence between different passwords, the proxy method has some significant security problems. For example, these prior art methods, proxy based password services do not allow an end-to-end secure connection, such as Secure Socket Layer/Transport Layer Security (SSL/TLS), between the user's computer and the server, which is however desired at the moment when the user is prompted to enter a password. In addition, in the prior art, the proxy is a central repository for all the confidential and sensitive information, i.e., the various user IDs and passwords, for all accounts of all users using this proxy. Thus if the proxy is compromised or “hacked”, the sensitive user information may be accessed by unwanted and unauthorized parties.
Accordingly, a common password method which provides both convenience and security assurance without the deficiencies and drawbacks of the prior art is desirable.