1. Technical Field
The present invention is directed, in general, to computer security systems. More particularly, and not by way of limitation, the present invention is directed to an apparatus, system, and method for generating and authenticating a password to protect a computer system from unauthorized access.
2. Description of Related Art
Computers and networks are often protected by passwords. In order to gain access to the computer or network, a user must enter a password. The computer or network controller (server) authenticates the password by comparing the password entered by the user with a stored password. If the entered password matches the stored password, the user is given access. If not, the user is denied access.
A major problem with password-protected computer systems is the already large and growing threat from “snoops.” The popular definition of a snoop refers to individuals who intercept messages sent from one computer system to another for the purpose of stealing data or learning passwords that can then be used to gain unauthorized access to networks or confidential information.
A snoop may gain access to an Internet router or access point where the snoop can read data as it is routed from one location to another. Encryption of the data may prevent the snoop from making use of the intercepted data. However, for various reasons, much of the data sent over the Internet is not encrypted. For example, most household computer users do not encrypt data such as passwords when they access online services. Such users may access bank accounts, online brokerage accounts, credit card accounts, and other such accounts containing highly sensitive data. If a snoop intercepts an unencrypted access message intended for a target account, and the message includes the user's password and user ID, the snoop can then access the target account and perform any actions that the user himself may be authorized to perform.
In one existing solution, the user creates a two-factor password whenever the user logs on. The first factor is the user's personal identification number (PIN), which the user enters as the first part of the password. The user obtains the second factor from an electronic token, which displays a 6-digit number. The token is time-synchronized with the authentication server, and the number displayed on the token changes every minute. The user enters the 6-digit number displayed on the token as the second part of the password. Any hacker who has learned the user's PIN cannot gain access because the hacker does not know the second factor, i.e., the 6-digit number from the token.
This two-factor password works well, but has several disadvantages. First, if a user does not have his token with him, he cannot log in. Second, if the token breaks or the battery fails, the user cannot log in. Third, even if everything works as advertised, the user has the burden of having to look at the token and enter a different 6-digit number, in addition to the user's PIN, every time he logs on. If a company has a network that kicks the user off every 5-10 minutes if he doesn't continually use the computer, entering the extra token number every time he logs back on becomes a serious burden.