Patent Issued for System And Method For Improving The Security Of Stored Passwords For An Organization (USPTO 10,956,560)
2021 APR 07 (NewsRx) -- By a
Patent number 10,956,560 is assigned to
The following quote was obtained by the news editors from the background information supplied by the inventors: “A primary risk of storing user passwords is unauthorized access. For example, an attacker may gain unauthorized access to a password database or repository of an organization and/or an organization’s customers and intentionally reveal (i.e., leak) and/or misuse the information. Password information may leak due to negligence or programming error. Such leaks have the potential to severely damage an organization’s reputation and/or credibility, and may lead to legal liability, including criminal penalties. Therefore, there is a need for strategies for protecting password information so that the information is resistant to misuse and/or exploitation, even if the information leaks.
“In all password-based authentication systems, users’ authentic passwords must be available to the method and/or system (e.g., application) performing the authentication and hashing operations, in some form. This necessity implies that if a password-based authentication system is compromised, then the authentic user passwords are also compromised, in some form. The only practical difference between compromised systems may be in the amount of work required by an attacker to convert the given form to the original password. If the passwords in a compromised system are stored in plain text, then no work is required, i.e., an attacker may immediately use them in further illicit activity (e.g., in ‘credential stuffing’ wherein a user’s stolen credentials are used to target the user’s accounts in other computer systems). On the other hand, various techniques have been devised to add work to hashing, to make using stolen credentials more difficult.
“Password hashing is one way that plain text passwords are protected from misuse. In general, hashing functions map input parameters of any size to unique outputs of a fixed size. A hash function’s output may also be referred to as a hash or hash value. Hash functions are used to create hashes of passwords by passing the password as a parameter to the hash function and receiving from the hash function a fixed size hash. Obfuscation is one benefit of password hashing, i.e., hashes may appear to the naked eye as random strings of letters and/or digits that are not immediately recognizable as corresponding to any particular input string. Thus, in the event of a security breach, an attacker cannot immediately use hashed password in attacks against other targets.
“However, it should be understood that various techniques have been developed for ‘reversing’ hashed passwords. These techniques may include brute force attacks, in which all possible combinations in a space (e.g., 7-character strings) are tested, and pre-computation attacks. In pre-computation attacks, a table of hashes for common passwords is computed in advance, and then the table is searched for stolen hashes. If a match is found, then the attacker has ‘reversed’ the stolen hash and discovered the corresponding password. More complete descriptions of these techniques are described below.”
In addition to the background information obtained for this patent, NewsRx journalists also obtained the inventor’s summary information for this patent: “In various applications, a need exists to create and store passwords and/or other authenticating secret keys in a way that is resistant to brute force and/or pre-computation attacks. Passwords may be typically textual strings of characters, symbols, and/or digits. Authentication of users may be performed by checking a provided password against a stored password that may or may not have been hashed using any of a variety of different hashing functions. For example, in the simplest and most insecure instance, a user’s plain text password is stored along with a user identifier (e.g., a username and/or other identifier) such that the identifier and password are associated. The user identifier and associated password may be stored in an electronic database or other suitable location. When the user desires to authenticate, the user may provide a user identifier (e.g., such as the username) and a password that are compared (e.g., by an application) to the stored identifier and password. If the provided and stored identifiers and passwords match, then the user is authenticated.
“Techniques to frustrate pre-computed hashes may exist, such as salting and peppering. Both are described in more detail below, but neither approach, alone or in combination, may provide sufficient resistance to known attacks, especially if an attacker is determined, clever, and/or has access to large amounts of hardware, in particular computers used for parallel processing. The highly sensitive nature of the data protected by passwords demands techniques that are robust and resistant to brute force and other attacks designed by determined attackers, while avoiding the introduction of unacceptable latency and/or cumbersome steps into the authentication process.
“In one aspect, a computer-implemented method for creating a hashed fried password may be provided. The method may include (1) receiving, in a computing device, a password value of a user; (2) receiving, in the computing device, a salt value; (3) receiving, in the computing device, a pepper value; (4) generating, by a computer processor accessing a random number generator, a temporary, random fry value; (5) generating a fried password by a computer processor combining the password value, the salt value, the pepper value, and/or the temporary, random fry value (such as modifying or appending the password value with the salt, pepper, and/or temporary, random fry values); and/or (6) generating a hashed fried password, by a computer processor applying a hashing function to the fried password to facilitate maintaining password secrecy and secure communications. The temporary, random fry value may not be saved or otherwise permanently stored in a local or remote memory unit, to facilitate preventing an attacker from learning the value of the fry value. The method may include additional, less, or alternate actions, including those discussed elsewhere herein.
“In another aspect, a computer-implemented method for creating a hashed fried password may be provided. The method may include (1) receiving, in a computing device, a password value of a user; (2) receiving or retrieving, in the computing device, a salt value; (3) receiving or retrieving, in the computing device, a pepper value; (4) generating, by a computer processor, a temporary, random fry value; (5) generating a fried password by a computer processor combining the password value, the salt value, the pepper value, and the temporary, random fry value; and/or (6) generating a hashed fried password, by a computer processor applying a hashing function to the fried password, to facilitate password secrecy and secure communications. The method may include additional, less, or alternative actions, including those discussed elsewhere herein.
“In another aspect, a computer configured to create and use hashed fried passwords may be provided. The computer system may include one or more processors; and/or one or more memories storing instructions that, when executed by the one or more processors, cause the computing system to (1) receive, in a computing device, a password value of a user; (2) receive or retrieve, in the computing device, a salt value; (3) receive or retrieve, in the computing device, a pepper value; (4) generate, by a computer processor, a temporary, random fry value; (5) generate a fried password by a computer processor combining the password value, the salt value, the pepper value, and the temporary, random fry value; and/or (6) generate a hashed fried password, by a computer processor applying a hashing function to the fried password, to facilitate password secrecy and secure communications. The computer system may include additional, less, or alternate functionality, including that discussed elsewhere herein.
“In another aspect, a computer-implemented method for creating a hashed fried password may be provided. The method may include receiving, in a computing device, a password value of a user, a pepper value, and a set of fry values. The method may include generating, by a computer processor accessing a random number generator, a salt value and selecting at least one fry value from the set of fry values. The method may include generating a fried password by a computer processor combining the password value, the salt value, the pepper value, and the at least one fry value, and generating a hashed fried password, by a computer processor applying a hashing function to the fried password. The method may include additional, less, or alternate actions, including those discussed elsewhere herein.
“In another aspect, a computing system comprising one or more processors and one or more memories storing instructions may be provided. When the instructions are executed by the one or more processors, they may cause the computing system to receive, in a computing device, a password value of a user, a pepper value, and a set of fry values. The instructions may cause the computing system to generate, by the one or more processors accessing a random number generator, a salt value and to select at least one fry value from the set of fry values. The instructions may further cause the computing system to generate a fried password by a computer processor combining the password value, the salt value, the pepper value, and the at least one fry value, and to generate a hashed fried password, by the one or more computer processors applying a hashing function to the fried password. The system may include additional, less, or alternate functionality, including that discussed elsewhere herein.
“Advantages will become more apparent to those skilled in the art from the following description of the preferred embodiments which have been shown and described by way of illustration. As will be realized, the present embodiments may be capable of other and different embodiments, and their details are capable of modification in various respects. Accordingly, the drawings and description are to be regarded as illustrative in nature and not as restrictive.”
The claims supplied by the inventors are:
“What is claimed:
“1. A computer-implemented method for creating a hashed fried password, the method comprising: receiving, in a computing device, a password value of a user; receiving, in the computing device, a global pepper value; receiving, in the computing device, a set of fry values; generating, by a computer processor accessing a random number generator, a salt value; selecting at least one fry value from the set of fry values; generating a fried password by a computer processor combining the password value, the salt value, the global pepper value, and the at least one fry value; and generating a hashed fried password, by a computer processor applying a hashing function to the fried password to facilitate authentication including determining whether or not the hashed fried password value appears within a set of candidate hashes.
“2. The computer-implemented method of claim 1, further comprising: storing, in an electronic database, a record associating both of (i) the hashed fried password and (ii) the salt value with the user.
“3. The computer-implemented method of claim 1, wherein applying a hashing function to the fried password comprises specifying an adjustable work factor as a parameter of the hashing function.
“4. The computer-implemented method of claim 1, wherein the hashing function is selected from a plurality of hashing functions.
“5. The computer-implemented method of claim 1, wherein the hashing function is a cryptographic hash function.
“6. A computer-implemented method for authenticating a hashed fried password, the method comprising: receiving, in a computing device, a password value of a user; receiving, in the computing device, a global pepper value; receiving, in the computing device, a set of fry values; receiving, from a remote computing device, a hashed fried password value and salt value associated with the user; generating a set of candidate hashes, by one or more computer processors applying a hashing function to the password value, salt value, global pepper value, and each of the set of fry values; and determining, by a computer processor, whether or not the hashed fried password value appears within the set of candidate hashes to facilitate authentication.
“7. The computer-implemented method of claim 6, further comprising: sending, to the remote computing device, an indication of whether or not the hashed fried password value appears within the set of candidate hashes.
“8. The computer-implemented method of claim 6, wherein the remote computing device is a mobile computing device of a user.
“9. The computer-implemented method of claim 6, wherein generating a set of candidate hashes by one or more computer processors applying a hashing function to the password value, global pepper value, and each of the respective fry values comprises generating a portion of the set of candidate hashes in parallel using one or both of (i) an application-specific integrated circuit (ASIC), and (ii) a graphics processing unit (GPU).
“10. The computer-implemented method of claim 6, further comprising: selecting an updated fry value from the set of fry values; generating an updated fried password by a computer processor combining the password value, the salt value, the global pepper value, and the updated fry value; and generating an updated hashed fried password, by a computer processor applying a hashing function to the updated fried password; and storing, in an electronic database, a record associating both of (i) the updated hashed fried password and (ii) the salt value with the user.
“11. The computer-implemented method of claim 10, wherein generating an updated hashed fried password, by a computer processor applying a hashing function to the updated fried password comprises applying a cryptographic hash function.
“12. The computer-implemented method of claim 6, wherein receiving, in a computing device, a password value of a user comprises accessing the password value in an HTML form.
“13. The computer-implemented method of claim 6, wherein receiving, in a computing device, a password value of a user comprises validating the password value.
“14. A computing system comprising: one or more processors; and one or more memories storing instructions that, when executed by the one or more processors, cause the computing system to receive, in a computing device, a password value of a user; receive, in the computing device, a global pepper value; receive, in the computing device, a set of fry values; receive, from a remote computing device, a hashed fried password value and salt value associated with the user; generate a set of candidate hashes, by one or more computer processors applying a hashing function to the password value, salt value, global pepper value, and each of the set of fry values; and determine, by a computer processor, whether or not the hashed fried password value appears within the set of candidate hashes to facilitate authentication.
“15. The computing system of claim 14, wherein the instructions further cause the computing system to: send, to the remote computing device, an indication of whether or not the hashed fried password value appears within the set of candidate hashes.
“16. The computing system of claim 14, wherein the remote computing device is a mobile computing device of a user.
“17. The computing system of claim 14, wherein the instructions further cause the computing system to generate a portion of the set of candidate hashes in parallel using one or both of (i) a graphics processing unit (GPU), and (ii) an application-specific integrated circuit (ASIC).
“18. The computing system of claim 14, wherein the instructions further cause the computing system to: select an updated fry value from the set of fry values; generate an updated fried password by a computer processor combining the password value, the salt value, the global pepper value, and the updated fry value; and generate an updated hashed fried password, by a computer processor applying a hashing function to the updated fried password; and store, in an electronic database, a record associating both of (i) the updated hashed fried password and (ii) the salt value with the user.
“19. The computing system of claim 18, wherein the instructions further cause the computing system to generate an updated hashed fried password by applying a cryptographic hashing function.
“20. The computing system of claim 14, wherein receiving, in a computing device, a password value of a user comprises accessing the password value in an HTML form.
“21. A method of authenticating a user, the computer-implemented method comprising: receiving, in a computing device, a first password value of the user; transmitting, to a remote computing device, the first password value of the user; receiving, in the computing device, a fry value; storing, in the computing device, the fry value, wherein the fry value is securely stored; receiving, in the computing device, a second password value of the user; transmitting, to the remote computing device, the second password value of the user, a pepper value, a salt value, and the securely-stored fry value; receiving, in the computing device, authentication information; and generating a hashed fried password, by a computer processor applying a hashing function to a password value including the second password value, the pepper value, the salt value and the securely-stored fry value to facilitate authentication by determining whether or not the hashed fried password value appears within a set of candidate hashes.”
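The following is an added example, not code from the patent or its inventors, showing the three operations the summary and claims above describe: enrolment (claim 1: random salt, one fry chosen from a set, the fry never stored), verification (claim 6: a candidate hash per fry value, membership check) and fry rotation after login (claim 10). The 16-element fry set, the pepper value, PBKDF2-HMAC-SHA256 as the work-factor-tunable hash, and plain concatenation as the "combining" step are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed parameters: a small fry set and a global pepper that lives in
# application configuration, not in the password database.
FRY_SET = [bytes([i]) for i in range(16)]          # assumed size: 16
PEPPER = b"example-global-pepper-not-in-db"         # constructed value
WORK_FACTOR = 10_000  # PBKDF2 iteration count: the claims' adjustable work factor


def fry_and_hash(password: bytes, salt: bytes, pepper: bytes, fry: bytes,
                 work_factor: int = WORK_FACTOR) -> bytes:
    """Combine password, salt, pepper and fry by concatenation (one of the
    'appending' options in the patent text) and hash with PBKDF2-HMAC-SHA256."""
    fried = password + salt + pepper + fry
    return hashlib.pbkdf2_hmac("sha256", fried, salt, work_factor)


def create_record(password: bytes, pepper: bytes = PEPPER,
                  fry_set=FRY_SET) -> dict:
    """Enrolment: random salt, random fry from the set; persist only the
    hash and the salt. The chosen fry is deliberately discarded."""
    salt = secrets.token_bytes(16)
    fry = secrets.choice(fry_set)
    hashed = fry_and_hash(password, salt, pepper, fry)
    return {"hash": hashed, "salt": salt}   # no fry field, by design


def authenticate(password: bytes, record: dict, pepper: bytes = PEPPER,
                 fry_set=FRY_SET) -> bool:
    """Verification: the fry is unknown, so build one candidate hash per fry
    value and test whether the stored hash is among the candidates. Every
    candidate is compared in constant time with no early exit, so timing
    does not reveal which fry matched."""
    salt = record["salt"]
    candidates = [fry_and_hash(password, salt, pepper, f) for f in fry_set]
    matched = False
    for cand in candidates:
        if hmac.compare_digest(cand, record["hash"]):
            matched = True
    return matched


def rotate_fry(password: bytes, record: dict, pepper: bytes = PEPPER,
               fry_set=FRY_SET) -> dict:
    """Claim 10 style update after a successful login: pick a fresh fry and
    re-hash with the same salt, so the stored hash changes between logins."""
    fry = secrets.choice(fry_set)
    return {"hash": fry_and_hash(password, record["salt"], pepper, fry),
            "salt": record["salt"]}
```

Each verification costs len(FRY_SET) hash computations, and an attacker holding the database and the pepper pays the same multiplier per guess; if the pepper is stored alongside the hashes, the scheme degrades to a larger salt with a slower verifier.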
For the URL and more information on this patent, see: Sanchez, Kenneth J. System And Method For Improving