CN110247758B - Password management method and device and password manager - Google Patents

Publication number
CN110247758B
Authority
CN
China
Prior art keywords
password
verified
stored
request
account
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910461988.4A
Other languages
Chinese (zh)
Other versions
CN110247758A (en
Inventor
夏修理
黄伟胜
梁鹰
任伟权
唐晨辉
潘浩
李宇光
仇国祥
纪柱
黄靖妍
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tianyi Digital Life Technology Co Ltd
Original Assignee
Tianyi Digital Life Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tianyi Digital Life Technology Co Ltd
Priority to CN201910461988.4A
Publication of CN110247758A
Application granted
Publication of CN110247758B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage

Abstract

The invention relates to a method and a device for password management, a storage medium and a password manager, belonging to the technical field of information security. The method comprises the following steps: receiving an operation request sent by a client, the operation request comprising a first password to be verified and password operation information; sending a verification request to a blockchain platform according to the first password to be verified, the verification request being used to trigger the blockchain platform to verify the first password to be verified by using the stored password; if a message returned by the blockchain platform indicating that the first password to be verified has passed verification is received, determining that the operation request passes the verification; and operating on the corresponding stored password in the blockchain platform according to the password operation information in the operation request. This technical scheme solves the problem that conventional password management methods cannot guarantee the security of each managed password. A full validity check is carried out before any operation is performed on a password stored in the blockchain platform, so that the security of the managed passwords can be effectively ensured.

Description

Password management method and device and password manager
Technical Field
The present invention relates to the field of information security technologies, and in particular, to a method and an apparatus for password management, and a password manager.
Background
Electronic accounts are identities in the internet world and have significant economic and information value. Ideally, each user would have only one account representing their identity on the internet; in practice, however, websites and applications each operate independently, so that user information is isolated and users often have multiple accounts and multiple passwords. The security problem of multiple accounts and passwords not only deeply troubles users, but also hinders the rapid popularization of internet services. In addition, with the development of network technology, security incidents such as user information leakage occur frequently, and passwords become more and more complex. Therefore, it is necessary to perform security management on a user's multiple passwords. Current password management usually stores the password of each application program in a centralized password manager, and a user can obtain the password of each application program after logging in to the password manager with a master password.
In the process of implementing the invention, the inventors found that at least the following problems exist in the prior art: when the user manages passwords through a password manager, the stored passwords are disclosed to the provider of the password manager service, so that there is a risk of misuse; in addition, if the master password used to log in to the password manager leaks, the multiple passwords stored in the password manager leak as well. Therefore, current password management methods cannot ensure the security of the managed passwords.
Disclosure of Invention
Based on this, the embodiments of the present invention provide a method and an apparatus for password management, and a password manager, which can effectively ensure the security of managed passwords.
The content of the embodiment of the invention is as follows:
In a first aspect, an embodiment of the present invention provides a method for password management, including the following steps: receiving an operation request sent by a client; the operation request comprises a first password to be verified and password operation information; sending a verification request to a blockchain platform according to the first password to be verified; the verification request is used for triggering the blockchain platform to verify the first password to be verified by using the stored password; if a message returned by the blockchain platform indicating that the first password to be verified has passed verification is received, determining that the operation request passes the verification; and operating on the corresponding stored password in the blockchain platform according to the password operation information in the operation request.
In one embodiment, before the step of receiving the operation request sent by the client, the method further includes: receiving a login request sent by a client; the login request comprises a second password to be verified; verifying the second password to be verified; and if the second password to be verified passes the verification, returning login success information to the client.
In one embodiment, before the step of receiving the login request sent by the client, the method further includes: receiving a registration request sent by a client; and generating a corresponding second password to be verified according to the registration request, and returning the second password to be verified to the client.
In one embodiment, before the step of receiving the operation request sent by the client, the method further includes: receiving a password storage instruction sent by the client; wherein, the password storage instruction comprises a password to be stored; sending the password to be stored to the block chain platform for recording according to the password storage instruction; the block chain platform comprises a plurality of nodes; the nodes verify the password to be stored, generate a corresponding block for the password to be stored when the password passes the verification, access the generated block into a block chain for recording, and mark the password to be stored as a stored password.
In one embodiment, the operation request includes account identification information; the block chain platform also comprises a plurality of account numbers corresponding to the stored passwords; the operation request comprises a query request and a modification request; the step of operating the corresponding stored password in the blockchain platform according to the password operation information in the operation request includes: determining a corresponding target account from the block chain platform according to the account identification information; determining a stored password corresponding to the target account number as a target stored password; if the operation request is a query request, returning the target account and the target stored password to the client; and if the operation request is a modification request, modifying the target account and the target stored password according to the modification request, controlling each node in the block chain platform to record the modified target account and the target stored password, generating modification completion information, and returning the modification completion information to the client.
In a second aspect, an embodiment of the present invention provides a method for password management, including the following steps: sending an operation request to a server; the operation request comprises a first password to be verified and password operation information; the operation request is used for triggering the server to send a verification request to a blockchain platform according to the first password to be verified; the verification request is used for triggering the blockchain platform to verify the first password to be verified by using the stored password; if a message returned by the blockchain platform indicating that the first password to be verified has passed verification is received, determining that the operation request passes the verification; and operating on the corresponding stored password in the blockchain platform according to the password operation information in the operation request.
In one embodiment, the first password to be authenticated comprises a private key; before the step of sending the operation request to the server, the method further comprises: sending a private key creation instruction to a server; the private key creating instruction is used for triggering the server to generate a private key for the home terminal; receiving a private key returned by the server, and outputting a private key storage prompt message; and the private key storage prompt information is used for prompting a user to store the private key.
In a third aspect, an embodiment of the present invention provides an apparatus for password management, including: the request receiving module is used for receiving an operation request sent by a client; the operation request comprises a first password to be verified and password operation information; the verification module is used for sending a verification request to the block chain platform according to the first password to be verified; the verification request is used for triggering the blockchain platform to verify the first password to be verified by using the stored password; the judging module is used for judging that the operation request passes the verification if receiving the message which is returned by the block chain platform and passes the verification of the first password to be verified; and the operation module is used for operating the corresponding stored password in the block chain platform according to the password operation information in the operation request.
In a fourth aspect, an embodiment of the present invention provides an apparatus for password management, including: the request sending module is used for sending an operation request to the server; the operation request comprises a first password to be verified and password operation information; the operation request is used for triggering the server to send a verification request to a block chain platform according to the first password to be verified; the verification request is used for triggering the blockchain platform to verify the first password to be verified by using the stored password; if the message returned by the blockchain platform and passing the verification of the first password to be verified is received, judging that the operation request passes the verification; and operating the corresponding stored password in the block chain platform according to the password operation information in the operation request.
In a fifth aspect, an embodiment of the present invention provides a password manager, including: the system comprises a client, a server and a block chain platform which are connected through a network; the block chain platform is provided with a plurality of blocks, wherein a plurality of account numbers and a plurality of stored passwords corresponding to the account numbers are recorded in the block chain platform; the client is used for sending an operation request to the server; the operation request comprises a first password to be verified, password operation information and account identification information; the server is used for sending a verification request to a block chain platform according to the first password to be verified; the block chain platform is used for verifying the first password to be verified by utilizing the stored password according to the verification request; the server is further configured to send a password query instruction to the blockchain platform according to the account identification information in the operation request if the message that the first password to be verified returned by the blockchain platform passes verification is received; the block chain platform is further used for determining a corresponding target account number from the block chain platform according to the password query instruction; determining a stored password corresponding to the target account number as a target stored password; the server is further used for receiving the target account and the target stored password sent by the blockchain platform and returning the target account and the target stored password to the client.
One of the above technical solutions has the following advantages or beneficial effects: the password is stored in the blockchain platform, and storing the password through the blockchain ensures that it cannot be tampered with; in addition, when a password operation is required, the first password to be verified is verified by the blockchain platform, and the corresponding stored password is operated on after the first password to be verified passes verification. A full validity check is carried out before any operation is performed on a password stored in the blockchain platform, so that the security of the managed passwords can be effectively ensured.
Drawings
FIG. 1 is a diagram of an application environment for a method of password management in one embodiment;
FIG. 2 is a flow diagram that illustrates a method for password management in one embodiment;
FIG. 3 is a flow chart illustrating operation of a blockchain in one embodiment;
FIG. 4 is a flowchart illustrating a method for password management in another embodiment;
FIG. 5 is a block diagram of an apparatus for password management in one embodiment;
FIG. 6 is a block diagram showing the structure of an apparatus for password management in another embodiment;
FIG. 7 is an internal structure of a computer device in one embodiment;
FIG. 8 is an architecture diagram of a password manager in one embodiment;
FIG. 9 is a diagram that illustrates the environment in which the password manager may be implemented, in one embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the application. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is explicitly and implicitly understood by one skilled in the art that the embodiments described herein can be combined with other embodiments.
The method for password management provided by the application can be applied to an application environment as shown in fig. 1. The application environment comprises a client 101, a server 102 and a blockchain platform 103 which are connected with each other through a network, and the resulting system can be called a password manager; in addition, one server may connect to a plurality of clients (only one client is shown in fig. 1). The client 101 sends an operation request to the server 102, and the server 102 verifies the operation request by means of the blockchain platform 103. The client 101 may be, but is not limited to, various personal computers, laptops, smartphones, tablets, and portable wearable devices. Various types of applications may be installed on the client 101, and the passwords of these applications may be stored in the blockchain platform 103 by the server 102. The server 102 may be implemented as a stand-alone server or a server cluster composed of a plurality of servers. The blockchain platform 103 may include a plurality of nodes, which may be implemented by various types of hosts.
The embodiment of the invention provides a password management method and device, computer equipment, a storage medium and a password manager. The following are detailed descriptions.
In one embodiment, as shown in FIG. 2, a method of password management is provided. Taking the application of the method to the server side in fig. 1 as an example for explanation, the method includes the following steps:
S201, receiving an operation request sent by a client; the operation request comprises a first password to be verified and password operation information.
The client refers to a terminal which is required for realizing the password management process and interacts with a user, and can be realized through a mobile phone, a computer and the like, and various types of application programs (such as web applications and mobile applications) can be installed on the client. When a user logs in an application program through a client, a password is often needed, and at the moment, the client can send an operation request to a server, acquire a corresponding password and log in.
Further, the operation request may refer to operations such as querying a password (which may refer to only a password query, or a process of querying a password before logging in an application), modifying, and the like. Since the password often corresponds to the account, the operation request may also include an operation on the corresponding account. The password operation information may refer to operation description information for performing a specific operation on the password, parameters involved therein, and the like.
The first password to be verified refers to a password which needs to be verified before the password is operated, and the process of verifying the first password to be verified can be understood as a verification process which is necessary before accessing the blockchain platform.
S202, sending a verification request to the blockchain platform according to the first password to be verified; the verification request is used for triggering the blockchain platform to verify the first password to be verified by using the stored password.
The server can store the password to be stored sent by the client into the block chain according to the request of the client to obtain the stored password. Specifically, the stored password in the blockchain platform may refer to a password required for logging in different Web applications and mobile phone applications. In addition, the stored password may also include a password for password authentication (which may be called an authentication password, and implemented by a public key and a private key), an account number corresponding to the stored password, a website link, and the like. The stored passwords are stored in a decentralized blockchain, so that the passwords are not easy to be tampered, and the privacy of a user is guaranteed.
Further, the blockchain platform may store a verification password in advance. When the first password to be verified is received, each participating node in the blockchain platform compares it with the pre-stored verification password, and if each node considers that a consistent verification password exists, it may be determined that the first password to be verified passes verification.
For ease of understanding, the blockchain is described here: the blockchain originated with Satoshi Nakamoto's Bitcoin, where it serves as the underlying technology; it is essentially a decentralized database, a technical scheme for collectively maintaining a reliable database in a decentralized and trustless manner, and has the characteristics of open consensus, transparent transactions, anonymity of both parties, tamper resistance, traceability and the like. For decentralization, the most important point is to adopt a distributed architecture and a peer-to-peer network to handle the interaction between nodes; for trustlessness, the most important are two mechanisms: one is the public/private key mechanism and the other is the consensus mechanism. In addition, the blockchain platform in the embodiment of the invention is built on a Kubernetes cluster. The Kubernetes cluster can run the whole blockchain platform and is responsible for scheduling the Docker containers (the application runs in Docker containers); if some containers are found to be running abnormally, their tasks are automatically redeployed on other nodes, so that automatic deployment, elastic scaling, security control and operation and maintenance control of the microservices are realized, and high availability is achieved.
S203, if a message returned by the blockchain platform indicating that the first password to be verified has passed verification is received, determining that the operation request passes the verification.
After the first password to be verified passes the verification, it may also be determined whether the operation request passes the verification by combining with other verification information, for example: login information of the client.
And S204, operating the corresponding stored password in the block chain platform according to the password operation information in the operation request.
The step operates the stored password according to the password operation information. The operation of the stored password can also be realized by the block chain platform.
After the operation request passes the verification, the server may determine the stored password corresponding to the operation request from the blockchain platform, and then perform operations such as query and modification on the corresponding stored password, and obtain operation data after the operation is finished. Further, if the operation request is a query request, the operation data may be the queried stored password or "query success" information; if the operation request is a modification operation, the operation data may be "modification completed", and the server may return the operation data to the client.
In this embodiment, the password is stored by using a decentralized block chain, so that the non-tamper property of the stored password can be ensured; the first password to be verified is verified through the block chain platform, the legality of the client side is fully verified before the stored password is operated, and the safety of the managed password can be effectively guaranteed.
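The S201 to S204 flow above, sketched as an added Python example (not code from the patent): the class and field names, the SHA-256 digest each node keeps as its verification password, and the in-memory `stored` mapping are assumptions made for illustration. It shows the request failing closed when any single participating node does not confirm the first password to be verified.

```python
import hashlib
import hmac


def _digest(secret: str) -> bytes:
    # Assumption: nodes keep a digest of the verification password, not the value itself.
    return hashlib.sha256(secret.encode("utf-8")).digest()


class VerifyingNode:
    """One participating node holding a pre-stored verification password (as a digest)."""

    def __init__(self, verification_password: str):
        self._verifier = _digest(verification_password)

    def verify(self, candidate: str) -> bool:
        # Constant-time comparison so timing does not reveal how much matched.
        return hmac.compare_digest(self._verifier, _digest(candidate))


class BlockchainPlatform:
    """Hypothetical stand-in for the platform: verifying nodes plus stored passwords."""

    def __init__(self, nodes, stored):
        self.nodes = list(nodes)
        self.stored = stored  # account_id -> {"account": ..., "password": ...}

    def verify(self, candidate: str) -> bool:
        # Every node is consulted; verification passes only if all of them agree.
        results = [node.verify(candidate) for node in self.nodes]
        return bool(results) and all(results)


def handle_operation_request(platform: BlockchainPlatform, request: dict) -> dict:
    """Server-side handling of one operation request (S201 to S204)."""
    # S201: the request carries the first password to be verified and operation info.
    candidate = request.get("first_password")
    operation = request.get("operation")
    account_id = request.get("account_id")
    if not isinstance(candidate, str) or operation not in ("query", "modify"):
        return {"status": "rejected", "reason": "malformed request"}

    # S202 / S203: ask the platform to verify; reject before touching any stored password.
    if not platform.verify(candidate):
        return {"status": "rejected", "reason": "verification failed"}

    # S204: operate on the stored password named by the account identification info.
    record = platform.stored.get(account_id)
    if record is None:
        return {"status": "error", "reason": "unknown account"}
    if operation == "query":
        return {"status": "ok", "account": record["account"],
                "password": record["password"]}

    new_password = request.get("new_password")
    if not isinstance(new_password, str) or not new_password:
        return {"status": "error", "reason": "missing new password"}
    platform.stored[account_id] = {
        "account": request.get("new_account", record["account"]),
        "password": new_password,
    }
    return {"status": "ok", "message": "modification completed"}
```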
In one embodiment, the first password to be authenticated comprises a private key; before S201, the method further includes: receiving a private key creation instruction sent by a client, and generating a private key for the client according to the private key creation instruction; and returning the generated private key to the client and sending the private key to the blockchain platform for storage. After the client receives the private key, the client can inform the user to keep the private key properly. The server in this embodiment generates a private key for the client, and the private key is stored by the user himself. The private key needs to be verified when the stored password in the block chain platform needs to be operated, so that the stored password cannot be read if the user does not import the private key, and the security of the managed password can be effectively ensured.
In one embodiment, before S201, the method further includes: receiving a login request sent by a client; the login request comprises a second password to be verified; verifying the second password to be verified; and if the second password to be verified passes the verification, returning login success information to the client. The second password to be verified may also be referred to as a master password, and may refer to a password for logging in to the password manager (which may also be understood as logging in to the server), and may be stored in encrypted form by the password manager service provider. The process of verifying the first password to be verified and the second password to be verified can be regarded as a process of authenticating the user.
Further, before the step of receiving the login request sent by the client, the method further includes: receiving a registration request sent by a client; and generating a corresponding second password to be verified according to the registration request, and returning the second password to be verified to the client. After downloading the password manager from the application store, the user clicks the registration control on the client interface, the client can be triggered to send a registration request to the server, registration is completed, and the second password to be verified received by the client is the main password required for logging in the password manager.
The password management method provided by the embodiment authenticates the identity of the user using the client through the authentication of multiple passwords (the first password to be authenticated and the second password to be authenticated), and can effectively ensure the security of the managed passwords.
In one embodiment, before S201, the method further includes: receiving a password storage instruction sent by a client, the password storage instruction comprising a password to be stored; sending the password to be stored to the blockchain platform for recording according to the password storage instruction; the blockchain platform includes a plurality of nodes (here the plurality of nodes may refer to the nodes participating in the verification, that is, some of the platform's nodes); the nodes verify the password to be stored, generate a corresponding block for the password to be stored when it passes verification, append the generated block to the blockchain for recording, and mark the password to be stored as a stored password.
The basic unit of blockchain storage is a block in a chain structure, i.e. each newly added block records a flag (hash value) of the previous block. The blockchain keeps a record of every business operation, which can be traced back to its origin. When a new transaction is added, it is verified against the previous records, so that the account information cannot be tampered with and its security is ensured.
Further, after receiving the password to be stored, the blockchain platform broadcasts the list of passwords to be stored to the whole blockchain network, and each participating node verifies the block. The verified block of password information to be stored is then formally appended to the blockchain, which completes the storage of the password to be stored and ensures that the stored password cannot be tampered with.
It should be noted that the addition of the new password to the blockchain platform may be performed at any time after the password manager is built. That is, it is not limited to "before the step of receiving the operation request sent by the client". The term "before the step of receiving the operation request sent by the client" is defined herein to mean that the operation request is directed to a password which is already stored in the blockchain platform, and no password operation is necessary for the password which is not stored.
In this embodiment, the password is stored through the blockchain platform, and each participating node performs verification before storage and records the storage information in the blockchain, so that the stored password cannot be tampered with and the password can be stored securely.
In one embodiment, the operation request includes account identification information, and the blockchain platform also holds a plurality of accounts corresponding to the plurality of stored passwords. Operation requests include query requests and modification requests. The step of operating on the corresponding stored password in the blockchain platform according to the password operation information in the operation request comprises: determining the corresponding target account from the blockchain platform according to the account identification information; determining the stored password corresponding to the target account as the target stored password; if the operation request is a query request, returning the target account and the target stored password to the client; and if the operation request is a modification request, modifying the target account and the target stored password according to the modification request, controlling each node in the blockchain platform to record the modified target account and target stored password, generating modification completion information, and returning the modification completion information to the client. The account identification information can be stored in the server or in the blockchain platform. If it is stored in the server, the blockchain may include a correspondence between the account identification information and the account and password, and the blockchain platform can look up the corresponding target account and target stored password through the account identification information and that correspondence.
In some embodiments, the account identification information includes the web address of an application running on the client. Taking Facebook as the application, for example, the process of querying the account and password may be as follows: the server queries the blockchain platform for the corresponding user's Facebook account and password according to the Facebook web address, and returns the result.
In this embodiment, the target account and the target stored password are looked up in the blockchain platform, so the account and password can be queried and modified, and the user can conveniently modify and update passwords while the security of the account and password is ensured.
Further, in one embodiment, FIG. 3 is a schematic diagram of adding, modifying and querying accounts and passwords in the blockchain platform. The blockchain platform of FIG. 3 includes a plurality of nodes (e.g., the 6 connected hosts in FIG. 3) that can communicate with each other. In addition, the membership service may refer to the service in which the password manager verifies the client's master password and private key. Client A intends to add a new account and password to the blockchain platform, client B intends to modify an account and password in the blockchain platform, and client C intends to query an account and password stored in the blockchain platform. The three clients send operation requests to the server, and the server sends the corresponding requests to the blockchain platform. After receiving a request from the server, the blockchain platform completes the corresponding operation, generates a block from the operation data, and adds it to the blockchain. The blockchain keeps the trail produced by the service (that is, by the password operations), so every operation can always be traced back to its origin, which ensures that newly added passwords, modified passwords and other information generated during password operations cannot be tampered with.
In one embodiment, as shown in FIG. 4, a method for managing passwords is provided. Taking its application to the client in FIG. 1 as an example, the method includes the following step: S401, sending an operation request to a server. The operation request comprises a first password to be verified and password operation information. The operation request is used for triggering the server to: send a verification request to the blockchain platform according to the first password to be verified, the verification request being used for triggering the blockchain platform to verify the first password to be verified using the stored password; determine that the operation request has passed verification if a message, returned by the blockchain platform, that the first password to be verified has passed verification is received; and operate on the corresponding stored password in the blockchain platform according to the password operation information in the operation request. The client can also receive the operation data obtained by the server after the operation is completed. In this embodiment, the client sends the operation request to the server and may receive the operation data returned after the server has verified the operation request through the blockchain platform. Validity is fully checked before any operation is performed on a password stored in the blockchain platform, so the security of the managed password can be effectively ensured.
In one embodiment, the operation request includes account identification information; the block chain platform also comprises a plurality of account numbers corresponding to the plurality of stored passwords; the step of sending an operation request to a server includes: sending a login request to a server; the login request is used for triggering the server to determine a corresponding target account from the block chain platform according to the account identification information; determining a stored password corresponding to the target account as a target stored password; and receiving the target account and the target stored password returned by the server.
The login may refer to the login of a client to a certain application program. When an application program needs to be logged in, the client sends a login request to the server, so that the server acquires a corresponding target stored password from the blockchain platform.
Further, after the step of receiving the target account and the target stored password returned by the server, the method further includes: filling the target account and the target stored password into the login box to complete the login operation.
In addition, the password manager has a service discovery function: based on the application the user clicks, it can automatically discover the account box and password box on the application's login page, give a corresponding prompt when a password needs to be entered, and automatically fill the corresponding boxes after the blockchain platform has successfully returned the account and password. This avoids tedious, repeated entry of account information, improves the efficiency with which the user logs in to applications while the security of the account and password is ensured, and thus achieves quick authentication of the managed accounts and quick login to applications. Meanwhile, the account and password are filled in automatically without the user noticing, so the user can log in seamlessly.
In one embodiment, the first password to be verified comprises a private key. Before the step of sending the operation request to the server, the method further comprises: sending a private key creation instruction to the server, the private key creation instruction being used for triggering the server to generate a private key for the local end (the client); and receiving the private key returned by the server and outputting private key storage prompt information, which prompts the user to save the private key.
Further, before the step of sending the operation request to the server, the method further includes: receiving the private key, the private key being imported according to the CTAP protocol; and generating the operation request according to the imported private key.
CTAP (Client to Authenticator Protocol) is part of FIDO2. With it, an external authenticator (e.g., a security key or a mobile phone) passes strong authentication credentials locally to the user's Internet-connected device (a computer or a mobile phone) over USB, Bluetooth, or NFC, so that the user can easily and securely authenticate to online services from a desktop or mobile device.
In the password management method provided by the above embodiment, in addition to the master password, the user needs to click the private key creation interface to create a private key and store it properly. When a stored password needs to be operated on, the master password must be entered and the private key must be imported according to the CTAP protocol before the hosted accounts and passwords can be queried and modified, which effectively ensures the security of the hosted passwords. In addition, the master password is stored in the service provider's centralized data center, while the accounts and passwords hosted by the user are stored in the decentralized blockchain. Because the private key is kept only by the user, even if the service provider leaks the master password or a hacker attacks the data center and obtains the master password, neither the provider nor the hacker can obtain the accounts and passwords hosted by the user, so the security of the user's accounts is guaranteed.
It should be noted that, for the sake of simplicity, the foregoing method embodiments are described as a series of acts or combinations, but those skilled in the art should understand that the present invention is not limited by the described order of acts, as some steps may be performed in other orders or simultaneously according to the present invention.
Based on the same idea as the method of password management in the above-described embodiment, the present invention also provides a device of password management, which can be used to perform the above-described method of password management. For convenience of illustration, the schematic structural diagram of the embodiment of the apparatus for password management only shows a part related to the embodiment of the present invention, and those skilled in the art will understand that the illustrated structure does not constitute a limitation of the apparatus, and may include more or less components than those illustrated, or combine some components, or arrange different components.
As shown in FIG. 5, the password management device includes a request receiving module 501, a verification module 502, a determining module 503 and an operation module 504, described in detail as follows. The request receiving module 501 is configured to receive an operation request sent by a client; the operation request comprises a first password to be verified and password operation information. The verification module 502 is configured to send a verification request to the blockchain platform according to the first password to be verified; the verification request is used for triggering the blockchain platform to verify the first password to be verified using the stored password. The determining module 503 is configured to determine that the operation request has passed verification if a message, returned by the blockchain platform, that the first password to be verified has passed verification is received. The operation module 504 is configured to operate on the corresponding stored password in the blockchain platform according to the password operation information in the operation request. In this embodiment, validity is fully checked before any operation is performed on a password stored in the blockchain platform, so the security of the managed password can be effectively ensured.
In one embodiment, the first password to be authenticated comprises a private key; further comprising: the private key instruction receiving module is used for receiving a private key creating instruction sent by the client and generating a private key for the client according to the private key creating instruction; and the private key returning module is used for returning the generated private key to the client.
In one embodiment, further comprising: the login request receiving module is used for receiving a login request sent by a client; the login request comprises a second password to be verified; the login authentication module is used for authenticating the second password to be authenticated; and if the second password to be verified passes the verification, returning login success information to the client.
In one embodiment, further comprising: a registration request receiving module, configured to receive a registration request sent by a client; and the password generation module is used for generating a corresponding second password to be verified according to the registration request and returning the second password to be verified to the client.
In one embodiment, further comprising: the storage instruction receiving module is used for receiving a password storage instruction sent by the client; the password storage instruction comprises a password to be stored; the password storage module is used for sending the password to be stored to the block chain platform for recording according to the password storage instruction; the block chain platform comprises a plurality of nodes; the nodes verify the password to be stored, generate a corresponding block for the password to be stored when the password passes the verification, access the generated block into a block chain for recording, and mark the password to be stored as the stored password.
In one embodiment, the operation request includes account identification information; the block chain platform also comprises account numbers corresponding to a plurality of stored passwords; the operation request comprises a query request and a modification request; an operation module 504 comprising: the password determining submodule is used for determining a corresponding target account from the block chain platform according to the account identification information; determining a stored password corresponding to the target account as a target stored password; the query submodule is used for returning a target account and a target stored password to the client if the operation request is a query request; and the modification submodule is used for modifying the target account and the target stored password according to the modification request if the operation request is the modification request, controlling each node in the block chain platform to record the modified target account and the target stored password, generating modification completion information and returning the modification completion information to the client.
In one embodiment, the account identification information includes a web address of an application running on the client.
As shown in FIG. 6, the password management device includes a request sending module 601, described in detail as follows. The request sending module 601 is configured to send an operation request to a server; the operation request comprises a first password to be verified and password operation information. The operation request is used for triggering the server to: send a verification request to the blockchain platform according to the first password to be verified, the verification request being used for triggering the blockchain platform to verify the first password to be verified using the stored password; determine that the operation request has passed verification if a message, returned by the blockchain platform, that the first password to be verified has passed verification is received; and operate on the corresponding stored password in the blockchain platform according to the password operation information in the operation request. In this embodiment, validity is fully checked before any operation is performed on a password stored in the blockchain platform, so the security of the managed password can be effectively ensured.
In one embodiment, the operation request includes account identification information; the block chain platform also comprises a plurality of account numbers corresponding to the plurality of stored passwords; further comprising: the login request sending module is used for sending a login request to the server; the login request is used for triggering the server to determine a corresponding target account from the block chain platform according to the account identification information; determining a stored password corresponding to the target account as a target stored password; and the password receiving module is used for receiving the target account and the target stored password returned by the server.
In one embodiment, further comprising: a login module, configured to fill the target account and the target stored password into the login box to complete the login operation.
In one embodiment, the first password to be verified comprises a private key; further comprising: a creation instruction sending module, configured to send a private key creation instruction to the server, the private key creation instruction being used for triggering the server to generate a private key for the local end (the client); and a private key storage module, configured to receive the private key returned by the server and output private key storage prompt information, which prompts the user to save the private key.
In one embodiment, further comprising: a private key receiving module, configured to receive the private key, the private key being imported according to the CTAP protocol; and an operation request generation module, configured to generate the operation request according to the imported private key.
It should be noted that the password management device of the present invention corresponds one-to-one with the password management method of the present invention. The technical features and advantages described in the embodiments of the password management method all apply to the embodiments of the password management device; for specific contents, refer to the descriptions in the method embodiments, which are not repeated here.
In addition, in the above-mentioned embodiment of the password-managed apparatus, the logical division of the program modules is only an example, and in practical applications, the above-mentioned function distribution may be performed by different program modules according to needs, for example, due to configuration requirements of corresponding hardware or due to convenience of implementation of software, that is, the internal structure of the password-managed apparatus is divided into different program modules to perform all or part of the above-described functions.
The password management method provided by this application can be applied to the computer device shown in FIG. 7. The computer device may be a server or a terminal device, and its internal structure may be as shown in FIG. 7. The computer device includes a processor, a memory, a network interface, and a database connected by a system bus. The processor provides computing and control capabilities. The memory includes a non-volatile storage medium and an internal memory: the non-volatile storage medium stores an operating system, a computer program (which, when executed by the processor, implements a password management method), and a database, and the internal memory provides an environment for running the operating system and the computer program in the non-volatile storage medium. The database stores data such as the first password to be verified and the second password to be verified. The network interface communicates with external terminals over a network connection, for example connecting the server to the client so as to receive the operation request sent by the client. Those skilled in the art will appreciate that the architecture shown in FIG. 7 is merely a block diagram of some of the structures associated with the disclosed aspects and does not limit the computing devices to which the disclosed aspects apply; a particular computing device may include more or fewer components than those shown, may combine certain components, or may have a different arrangement of components.
In one embodiment, a computer device is provided, comprising a memory storing a computer program and a processor implementing the steps of the above described method embodiments when the processor executes the computer program.
In an embodiment, a computer-readable storage medium is provided, on which a computer program is stored, which computer program, when being executed by a processor, carries out the steps of the respective method embodiment as described above.
It will be understood by those skilled in the art that all or part of the processes of the methods of the above embodiments may be implemented by a computer program, which is stored in a computer readable storage medium and sold or used as a stand-alone product. More specific examples (a non-exhaustive list) of the computer-readable medium would include the following: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM). Additionally, the computer-readable medium could even be paper or another suitable medium upon which the program is printed, as the program can be electronically captured, via for instance optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner if necessary, and then stored in a computer memory.
In one embodiment, there is also provided a password manager comprising a network-connected client (which may be referred to as the password manager client), a server (which may be referred to as the password manager server), and a blockchain platform. The blockchain platform holds a plurality of accounts and a plurality of stored passwords corresponding to the accounts. The client is used for sending an operation request to the server; the operation request comprises a first password to be verified, password operation information and account identification information. The server is used for sending a verification request to the blockchain platform according to the first password to be verified. The blockchain platform is used for verifying the first password to be verified using the stored password according to the verification request. The server is also used for sending a password query instruction to the blockchain platform, according to the account identification information in the operation request, if it receives a message returned by the blockchain platform that the first password to be verified has passed verification. The blockchain platform is also used for determining the corresponding target account from the blockchain platform according to the password query instruction and determining the stored password corresponding to the target account as the target stored password. The server is also used for receiving the target account and the target stored password sent by the blockchain platform and returning them to the client.
The client presents the basic functions of the password manager, such as login and registration, account and password hosting, security status monitoring, and application settings, and is used for interacting with the user. Requests sent by the client reach the corresponding microservice of the password manager server through the microservice gateway, and the various pieces of business logic are processed on the server. The server (i.e., the server in the foregoing embodiments) adopts a distributed microservice architecture and splits the system by business function, which provides agile development, rapid evolution, convenient fault tolerance, elastic scaling, and similar characteristics. The middleware is the bridge through which the password manager server calls blockchain platform services; it connects to the various services of the server through SDK, API and RPC access interfaces. The blockchain platform provides basic functions such as identity and certificate services and the blockchain function implementation, and also provides core services such as data services, management, and blockchain gateway services.
Specifically, the architecture of the password manager is shown in fig. 8, and the password manager has a presentation layer, an application layer, a blockchain application middleware layer, and a blockchain platform service layer.
The presentation layer comprises the mobile and Web application clients and provides interfaces for login/registration, hosted account query and management, master password management, account security status monitoring, connected device query, application settings, and so on. Regarding connected device query: the password manager can be installed on multiple mobile phones, tablets or PCs, and when logged in on one terminal the user can check the connection status of the other terminals, to make sure the password manager is kept only on appropriate terminals. If a terminal is not the user's own, the user can change the master password so that the login state on the other terminals becomes invalid.
The microservice gateway in the application layer is a core concept of the microservice architecture and is the only entry point for the client. As services become finer-grained, the gateway takes on multiple roles such as security and access authentication. After requests issued by the password manager client are processed by the microservice gateway, some are simply proxied/routed to the appropriate service and some are forwarded to a group of services. The password manager server in the application layer processes the various pieces of business logic, such as master password management, public/private key management, encryption services, and account security monitoring.
In some embodiments, the password manager server connects to the blockchain application middleware through SDK, API and RPC interfaces. The middleware may provide different levels of service in terms of authentication, security, cryptography, processing, management, monitoring, and reporting.
The password manager of the embodiment combines the client, the server and the block chain platform to realize password storage and identity authentication, and can effectively ensure the security of the managed password.
In order to better understand the operation process of the above password manager, an application example of the password manager of the present invention is described in detail below, as shown in fig. 9.
1. The user registers a master password in the password manager. After logging in to the password manager with the master password, the user stores each password to be stored through the blockchain platform in the password manager, where it becomes a stored password. When the user needs the password for logging in to a certain application, the user can log in to the password manager with the master password, and the password manager runs in the background.
2. After the user opens the mobile or Web application interface, the password manager client is woken up to query the account and password for that mobile or Web application. The client responds to the event and asks the password manager server to verify the master password and the client's private key signature. The master password is verified by the password manager server, and the private key signature is verified by the blockchain platform.
3. After the dual verification of the master password and the private key signature, the client can query the blockchain platform for the account and password according to the web address of the mobile or Web application. After the blockchain platform successfully returns the account and password, the password manager client automatically fills in the account information and returns the result of filling in the account information (for example, information such as a successful login to the application).
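The flow in steps 1 to 3, together with the add/modify/query handling described earlier for FIG. 3, is shown below as an added sketch that is not code from the patent. It assumes a single in-memory hash chain in place of the multi-node blockchain platform, an HMAC key proof in place of the private key signature, and opaque constructed ciphertext strings as the stored passwords; all class and function names are hypothetical.

```python
import hashlib
import hmac
import json
import os
# Added illustration. Assumptions: one in-memory hash chain stands in for the
# blockchain platform, and an HMAC stands in for the private-key signature.
GENESIS = "0" * 64

def block_hash(block):
    """SHA-256 over the block's canonical JSON body (every field except 'hash')."""
    body = {k: v for k, v in block.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def proof_message(op, site, account, secret):
    """Bytes covered by the key proof, binding it to one specific operation."""
    return json.dumps([op, site, account, secret]).encode()

class Ledger:
    """Stand-in for the blockchain platform: verifies key proofs, chains blocks."""
    def __init__(self, user_key):
        self._user_key = user_key
        self.blocks = []

    def verify_proof(self, message, proof):
        expected = hmac.new(self._user_key, message, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)

    def append(self, op, site, account, secret):
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        block = {"index": len(self.blocks), "prev": prev, "op": op,
                 "site": site, "account": account, "secret": secret}
        block["hash"] = block_hash(block)
        self.blocks.append(block)

    def latest(self, site):
        """Newest record for a web address; older blocks remain as history."""
        for block in reversed(self.blocks):
            if block["site"] == site:
                return block["account"], block["secret"]
        return None

    def is_intact(self):
        """Recompute every hash and link; any edited block breaks the chain."""
        prev = GENESIS
        for block in self.blocks:
            if block["prev"] != prev or block["hash"] != block_hash(block):
                return False
            prev = block["hash"]
        return True

class Server:
    """Verifies the master password itself; the ledger verifies the key proof."""
    def __init__(self, master_password, ledger):
        self._salt = os.urandom(16)
        self._master = self._kdf(master_password)
        self._ledger = ledger

    def _kdf(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def handle(self, req):
        if not hmac.compare_digest(self._kdf(req["master_password"]), self._master):
            return {"ok": False, "error": "master password rejected"}
        message = proof_message(req["op"], req["site"], req["account"], req["secret"])
        if not self._ledger.verify_proof(message, req["proof"]):
            return {"ok": False, "error": "key proof rejected"}
        if req["op"] == "query":
            found = self._ledger.latest(req["site"])
            if found is None:
                return {"ok": False, "error": "no record for site"}
            return {"ok": True, "account": found[0], "secret": found[1]}
        if req["op"] in ("add", "modify"):
            self._ledger.append(req["op"], req["site"], req["account"], req["secret"])
            return {"ok": True}
        return {"ok": False, "error": "unknown operation"}

def make_request(user_key, master_password, op, site, account=None, secret=None):
    message = proof_message(op, site, account, secret)
    proof = hmac.new(user_key, message, hashlib.sha256).digest()
    return {"master_password": master_password, "op": op, "site": site,
            "account": account, "secret": secret, "proof": proof}

def demo():
    key, pw = b"constructed-user-key", "constructed-master-pw"  # constructed values
    site = "https://app.example/login"
    ledger = Ledger(key)
    server = Server(pw, ledger)
    server.handle(make_request(key, pw, "add", site, "alice", "ciphertext-v1"))
    server.handle(make_request(key, pw, "modify", site, "alice", "ciphertext-v2"))
    out = {
        "query": server.handle(make_request(key, pw, "query", site)),
        "bad_master": server.handle(make_request(key, "wrong-pw", "query", site)),
        "bad_key": server.handle(make_request(b"other-key", pw, "query", site)),
        "blocks": len(ledger.blocks), "intact_before": ledger.is_intact(),
    }
    ledger.blocks[0]["secret"] = "ciphertext-forged"  # simulate in-place tampering
    out["intact_after_tamper"] = ledger.is_intact()
    return out
```

A modification appends a new block rather than rewriting the old one, so the earlier record stays in the chain as history, and an in-place edit of any block is caught by `is_intact()`.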
Currently, in order to reduce the cost of account authentication and ensure account security, telecom operators and Internet companies keep trying new account authentication methods. There are mainly 5 account authentication methods:
a. Account and password authentication. The disadvantage is that multiple accounts and multiple passwords are hard for users to remember. Some websites require special characters, and the cost of retrieving or resetting a password is high.
b. Dynamic password authentication. The disadvantages are that the verification code is easy to hijack and the verification process is cumbersome.
c. Third-party authorized login. The disadvantage is that privacy is actively disclosed to the third party.
d. Password-free authentication based on the mobile phone number. The disadvantages are that it depends heavily on the mobile gateway authentication, and Wi-Fi must be turned off so that the phone's 4G network is used; if the phone is lost, recovering the mobile phone number is very troublesome and there are potential security risks. In addition, the Internet company has to integrate with the telecom operator's mobile number authentication service, so the range of application is limited.
e. FIDO authentication. This is public-key-based password-free authentication, implemented by embedding the WebAuthn interface extension in the web browser. The disadvantages are that only web applications are supported and that it is still in the trial phase and not yet widely used.
Therefore, there is a great demand for centralized management of multiple accounts and multiple passwords. The current common account password centralized management method is analyzed as follows:
1) Small Umbrella password steward / password steward app. Passwords and notes can be stored securely on the phone and the computer. Its features are: a. Only one master password needs to be remembered. With the master password, the user can access all other passwords, which are stored securely using military-grade encryption (AES-256). b. Passwords and notes are stored intuitively: passwords are saved while browsing, and the user can also create notes, either to annotate specific logins or simply to record ideas, and access them on all devices. c. Login is easy and fully automatic: tedious, repeated entry of login details is avoided, because the password manager fills in all the information automatically. d. It creates unbreakable passwords: the password manager generates and stores a unique password for the account to prevent identity theft. Password managers of this kind all rely on centralized data storage for the user's passwords and have the following 2 disadvantages: a. the passwords stored by the user are exposed to the provider of the password manager service, with a risk of misuse; b. if the master password is leaked, the passwords of multiple accounts are leaked.
2) Passport password manager. Passport uses advanced encryption techniques to protect user privacy and securely keep account passwords and credit card information. Passport can record individual accounts, so users can easily use its random password generator to set different username and password combinations on different websites while keeping their passwords secure. Passport has no barrier to use: a user can unlock passwords with a fingerprint (only on supported devices), and can even scan a fingerprint directly in a web page to fill in the password automatically, which is equivalent to logging in to a stored website with a fingerprint. Passport does not even need network permission: data can be permanently backed up to an SD card, or a cloud synchronization service can be used by installing a free cloud synchronization plug-in. However, the Passport password manager only supports mobile terminals, and its synchronization and backup process is complicated.
3) The W3C WebAuthn API. This is a standard Web API that can be incorporated into browsers and the related Web platform infrastructure. It provides strong, unique, public-key-based credentials for each site and eliminates the risk of passwords being stolen from one site and then used on other sites. A Web application running in a browser on a device with a FIDO authenticator can use cryptographic operations instead of, or in addition to, a password exchange, giving both the service provider and the user simpler and stronger authentication. However, the WebAuthn API only supports Web clients, does not solve the existing multi-user, multi-password problem, and is still at the experimental stage.
Compared with the existing password manager, the password manager provided by the embodiment of the invention has the advantages that: 1. the privacy security of the user can be effectively ensured. 2. And a WIFI network does not need to be closed, so that the operation is simplified, and the application range is wide. 3. The login interface of the internet application does not need to be changed to support the secret-free authentication of the mobile phone, so that the application range is wider. 4. The account and the password decrypted by the client are automatically filled in a login interface of the mobile or Web application terminal, so that the tedious and repeated input of account information can be avoided. 5. The inquiry and filling processes of the account and the password are all operated in the background, and the user only sees the account information filling result and has no sense on the account and the password filling process. After the managed account and the password are automatically filled, the quick authentication process of each application program can be quickly completed.
It should be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, the various steps or methods may be implemented in software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one or combination of the following techniques, which are known in the art, may be used: a discrete logic circuit having a logic gate circuit for implementing a logic function on a data signal, an application specific integrated circuit having an appropriate combinational logic gate circuit, a Programmable Gate Array (PGA), a Field Programmable Gate Array (FPGA), or the like.
The terms "comprises" and "comprising," and any variations thereof, of embodiments of the present invention are intended to cover non-exclusive inclusions. For example, a process, method, system, article, or apparatus that comprises a list of steps or (module) elements is not limited to only those steps or elements but may alternatively include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The technical features of the embodiments described above may be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the embodiments described above are not described, but should be considered as being within the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-described examples merely represent several embodiments of the present invention and should not be construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the inventive concept, which falls within the scope of the present invention. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (9)

1. A password management method, applied to a server, comprising the following steps:
receiving a login request sent by a client; the login request comprises a second password to be verified; verifying the second password to be verified; if the second password to be verified passes the verification, returning login success information to the client; the second password to be verified is a password of the login password manager;
receiving an operation request sent by the client when the client needs to log in the application program; the operation request comprises a first password to be verified and password operation information, and the operation request also comprises account identification information corresponding to the application program; the first password to be verified is a password which needs to be verified before the operation is carried out on the stored password;
sending a verification request to a block chain platform according to the first password to be verified; the verification request is used for triggering each node in the blockchain platform to compare a first password to be verified with a prestored verification password when the blockchain platform receives the first password to be verified so as to verify the first password to be verified, and if each node considers that the prestored verification password consistent with the first password to be verified exists, the first password to be verified is determined to pass verification;
if the message returned by the blockchain platform and passing the verification of the first password to be verified is received, judging that the operation request passes the verification;
operating the corresponding stored password in the block chain platform according to the password operation information in the operation request;
the operating the corresponding stored password in the blockchain platform comprises:
determining a corresponding target account from the block chain platform according to the account identification information; determining a stored password corresponding to the target account number as a target stored password; returning the target account and the target stored password for the client to fill the target account and the target stored password into an account frame and a password frame of a login page of the application program respectively to complete login operation;
the target account is an account corresponding to the account identification information determined from the blockchain platform by the blockchain platform according to the account identification information, and the target stored password is a stored password corresponding to the target account determined by the blockchain platform.
2. The method of claim 1, wherein the step of receiving the login request sent by the client is preceded by the steps of:
receiving a registration request sent by a client;
and generating a corresponding second password to be verified according to the registration request, and returning the second password to be verified to the client.
3. The method of claim 1, wherein the step of receiving the operation request sent by the client is preceded by:
receiving a password storage instruction sent by the client; wherein, the password storage instruction comprises a password to be stored;
sending the password to be stored to the block chain platform for recording according to the password storage instruction; the block chain platform comprises a plurality of nodes; the nodes verify the password to be stored, generate a corresponding block for the password to be stored when the password passes the verification, access the generated block into a block chain for recording, and mark the password to be stored as a stored password.
4. The method according to claim 3, wherein the operation request includes account identification information; the block chain platform also comprises a plurality of account numbers corresponding to the plurality of stored passwords; the operation request comprises a query request and a modification request;
the step of operating the corresponding stored password in the blockchain platform according to the password operation information in the operation request includes:
determining a corresponding target account from the block chain platform according to the account identification information; determining a stored password corresponding to the target account number as a target stored password;
if the operation request is a query request, returning the target account and the target stored password to the client;
and if the operation request is a modification request, modifying the target account and the target stored password according to the modification request, controlling each node in the block chain platform to record the modified target account and the target stored password, generating modification completion information, and returning the modification completion information to the client.
5. A method of password management, comprising the steps of:
sending a login request of a client to a server; the login request comprises a second password to be verified; verifying the second password to be verified; if the second password to be verified passes the verification, returning login success information to the client; the second password to be verified is a password of the login password manager; sending an operation request of the client when the client needs to log in the application program to the server; the operation request comprises a first password to be verified and password operation information; the operation request also comprises account identification information corresponding to the application program; the first password to be verified is a password which needs to be verified before the operation is carried out on the stored password; the operation request is used for triggering the server to send a verification request to a block chain platform according to the first password to be verified; the verification request is used for triggering each node in the blockchain platform to compare a first password to be verified with a prestored verification password when the blockchain platform receives the first password to be verified so as to verify the first password to be verified, and if each node considers that the prestored verification password consistent with the first password to be verified exists, the first password to be verified is determined to pass verification; if the message returned by the blockchain platform and passing the verification of the first password to be verified is received, judging that the operation request passes the verification; determining a corresponding target account from the block chain platform according to password operation information in the operation request and the account identification information; determining a stored password corresponding to the target account number as a target stored password; returning the target account and the target stored password;
respectively filling the target account and the target stored password into an account frame and a password frame of a login page of the application program to finish login operation; the target account is an account corresponding to the account identification information determined from the blockchain platform by the blockchain platform according to the account identification information, and the target stored password is a stored password corresponding to the target account determined by the blockchain platform.
6. The method of claim 5, wherein the first password to be authenticated comprises a private key;
before the step of sending the operation request to the server, the method further comprises:
sending a private key creating instruction to a server; the private key creating instruction is used for triggering the server to generate a private key for the home terminal;
receiving a private key returned by the server, and outputting a private key storage prompt message; and the private key storage prompt information is used for prompting a user to store the private key.
7. An apparatus for password management, comprising:
the request receiving module is used for receiving a login request sent by a client; the login request comprises a second password to be verified; verifying the second password to be verified; if the second password to be verified passes the verification, returning login success information to the client; the second password to be verified is a password of the login password manager;
the request receiving module is also used for receiving an operation request sent by the client when the client needs to log in the application program; the operation request comprises a first password to be verified and password operation information, and the operation request also comprises account identification information corresponding to the application program; the first password to be verified is a password which needs to be verified before the operation is carried out on the stored password;
the verification module is used for sending a verification request to the block chain platform according to the first password to be verified; the verification request is used for triggering each node in the blockchain platform to compare a first password to be verified with a prestored verification password when the blockchain platform receives the first password to be verified so as to verify the first password to be verified, and if each node considers that the prestored verification password consistent with the first password to be verified exists, the first password to be verified is determined to pass verification;
the judging module is used for judging that the operation request passes the verification if receiving the message which is returned by the block chain platform and passes the verification of the first password to be verified;
the operation module is used for operating the corresponding stored passwords in the block chain platform according to the password operation information in the operation request;
the operation module is specifically configured to:
determining a corresponding target account from the block chain platform according to the account identification information; determining a stored password corresponding to the target account number as a target stored password; returning the target account and the target stored password for the client to fill the target account and the target stored password into an account frame and a password frame of a login page of the application program respectively to complete login operation; the target account is an account corresponding to the account identification information determined from the blockchain platform by the blockchain platform according to the account identification information, and the target stored password is a stored password corresponding to the target account determined by the blockchain platform.
8. An apparatus for password management, comprising:
the request sending module is used for sending a login request to the server; the login request comprises a second password to be verified; the login request is used for verifying the second password to be verified; if the second password to be verified passes the verification, returning login success information to the client; the second password to be verified is a password of the login password manager;
the apparatus is further configured to: sending an operation request of a client when the client needs to log in an application program to a server; the operation request comprises a first password to be verified and password operation information; the first password to be verified is a password which needs to be verified before the operation is carried out on the stored password; the operation request is used for triggering the server to send a verification request to a block chain platform according to the first password to be verified; the verification request is used for triggering each node in the blockchain platform to compare a first password to be verified with a prestored verification password when the blockchain platform receives the first password to be verified so as to verify the first password to be verified, and if each node considers that the prestored verification password consistent with the first password to be verified exists, the first password to be verified is determined to pass verification; if the message returned by the blockchain platform and passing the verification of the first password to be verified is received, judging that the operation request passes the verification; determining a corresponding target account from the block chain platform according to the password operation information and the account identification information in the operation request; determining a stored password corresponding to the target account number as a target stored password; returning the target account and the target stored password;
the apparatus is further configured to: respectively filling the target account and the target stored password into an account frame and a password frame of a login page of the application program to finish login operation; the target account is an account corresponding to the account identification information determined from the blockchain platform by the blockchain platform according to the account identification information, and the target stored password is a stored password corresponding to the target account determined by the blockchain platform.
9. A password manager, comprising: the system comprises a client, a server and a block chain platform which are connected through a network; the block chain platform is provided with a plurality of blocks, wherein a plurality of account numbers and a plurality of stored passwords corresponding to the account numbers are recorded in the block chain platform;
the client is used for sending a login request to the server; the login request comprises a second password to be verified; the second password to be verified is a password of the login password manager;
the server is used for verifying the second password to be verified; if the second password to be verified passes the verification, returning login success information to the client;
the client is used for sending an operation request to the server when the application program needs to be logged in; the operation request comprises a first password to be verified, password operation information and account identification information; the operation request also comprises account identification information corresponding to the application program; the first password to be verified is a password which needs to be verified before the operation is carried out on the stored password;
the server is used for sending an authentication request to a block chain platform according to the first password to be authenticated;
the blockchain platform is used for comparing the first password to be verified with a prestored verification password by each node in the blockchain platform when the first password to be verified is received according to the verification request by using the stored password, so as to verify the first password to be verified, and if each node considers that the prestored verification password consistent with the first password to be verified exists, determining that the first password to be verified passes verification;
the server is further configured to send a password query instruction to the blockchain platform according to the account identification information in the operation request if the message that the first password to be verified returned by the blockchain platform passes verification is received;
the block chain platform is further used for determining a corresponding target account number from the block chain platform according to the password query instruction; determining a stored password corresponding to the target account number as a target stored password;
the server is further used for receiving a target account and a target stored password sent by the blockchain platform and returning the target account and the target stored password to the client;
the block chain platform is further used for determining a corresponding target account from the block chain platform according to the account identification information; determining a stored password corresponding to the target account number, taking the password as the target stored password, and returning the target account number and the target stored password;
and the client is also used for respectively filling the target account and the target stored password into an account frame and a password frame of a login page of the application program to finish login operation.
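The message flow recited in claims 1, 2, 3, 6 and 9, as an added Python simulation that is not part of the patent text: client login with the second password, verification of the first password by every node, then lookup by account identification information. The session token, the way the private key is pre-stored on the nodes, the agreement rule in `query`, and all sample values are assumptions constructed for illustration.

```python
import hmac
import secrets

def _same(a: str, b: str) -> bool:
    return hmac.compare_digest(a.encode(), b.encode())  # constant-time compare

class Node:  # one blockchain node with its own copy of the recorded data
    def __init__(self):
        self.verification_passwords = []  # pre-stored verification passwords
        self.records = {}  # account identification info -> (account, stored password)

    def verify(self, first_password: str) -> bool:
        # Compare against every pre-stored value; no early exit on a match.
        return any([_same(first_password, p) for p in self.verification_passwords])

class BlockchainPlatform:
    def __init__(self, node_count: int = 3):
        self.nodes = [Node() for _ in range(node_count)]

    def prestore(self, verification_password: str) -> None:
        for node in self.nodes:
            node.verification_passwords.append(verification_password)

    def record(self, account_id: str, account: str, stored_password: str) -> None:
        for node in self.nodes:  # claim 3: the nodes record the password to be stored
            node.records[account_id] = (account, stored_password)

    def verify(self, first_password: str) -> bool:
        # Claim 1: passes only if each node finds a matching pre-stored password.
        return all([node.verify(first_password) for node in self.nodes])

    def query(self, account_id: str):
        # Assumption: a result is returned only when all nodes hold the same record.
        answers = {node.records.get(account_id) for node in self.nodes}
        return answers.pop() if len(answers) == 1 else None

class Server:
    def __init__(self, platform: BlockchainPlatform):
        self.platform = platform
        self.manager_passwords = {}  # user -> second password (password-manager login)
        self.sessions = set()  # assumption: login success is tracked as a token

    def register(self, user: str) -> str:
        # Claim 2: the server generates the second password on registration.
        self.manager_passwords[user] = secrets.token_urlsafe(16)
        return self.manager_passwords[user]

    def create_private_key(self) -> str:
        # Claim 6: the server generates the private key used as the first password.
        key = secrets.token_hex(32)
        self.platform.prestore(key)  # assumption: how the value reaches the nodes
        return key

    def login(self, user: str, second_password: str):
        expected = self.manager_passwords.get(user)
        if expected is None or not _same(expected, second_password):
            return None
        token = secrets.token_hex(16)
        self.sessions.add(token)
        return token

    def store(self, session: str, account_id: str, account: str, password: str) -> bool:
        if session not in self.sessions:
            return False
        self.platform.record(account_id, account, password)
        return True

    def operate(self, session: str, first_password: str, account_id: str):
        """Query operation: (target account, target stored password) or None."""
        if session not in self.sessions or not self.platform.verify(first_password):
            return None
        return self.platform.query(account_id)

def run_flow() -> dict:
    server = Server(BlockchainPlatform(node_count=3))
    second, key = server.register("alice"), server.create_private_key()
    session = server.login("alice", second)
    server.store(session, "mail.example", "alice@mail.example", "constructed-pw-1")
    results = {
        "bad_login": server.login("alice", "wrong"),
        "ok": server.operate(session, key, "mail.example"),
        "wrong_key": server.operate(session, "0" * 64, "mail.example"),
        "no_session": server.operate("not-a-token", key, "mail.example"),
        "unknown_app": server.operate(session, key, "shop.example"),
    }
    # One node loses its pre-stored value: verification is no longer unanimous.
    server.platform.nodes[2].verification_passwords.clear()
    results["one_node_disagrees"] = server.operate(session, key, "mail.example")
    return results
```

`run_flow()` returns the stored pair only for the fully valid request; a wrong private key, a missing login, an unknown account identifier, or a single node without the pre-stored value each yield `None`. As the claims recite, the server and every node handle the first password to be verified itself, so the links between client, server and nodes and the trust placed in each node carry that secret.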
CN201910461988.4A 2019-05-30 2019-05-30 Password management method and device and password manager Active CN110247758B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910461988.4A CN110247758B (en) 2019-05-30 2019-05-30 Password management method and device and password manager

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910461988.4A CN110247758B (en) 2019-05-30 2019-05-30 Password management method and device and password manager

Publications (2)

Publication Number Publication Date
CN110247758A CN110247758A (en) 2019-09-17
CN110247758B true CN110247758B (en) 2023-03-24

Family

ID=67885318

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910461988.4A Active CN110247758B (en) 2019-05-30 2019-05-30 Password management method and device and password manager

Country Status (1)

Country Link
CN (1) CN110247758B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111082927B (en) * 2019-11-07 2023-12-12 贵州警察学院 Private key management method and device and terminal equipment
CN112365263A (en) * 2020-11-12 2021-02-12 湖南智慧政务区块链科技有限公司 Block chain account management intercommunication method, device, equipment and storage medium
CN112507325B (en) * 2020-12-03 2022-10-28 深圳天地宽视信息科技有限公司 Method, device, equipment and storage medium for managing equipment access authority
CN113726888B (en) * 2021-08-31 2023-07-21 安天科技集团股份有限公司 Method and device for processing password data based on block chain, electronic equipment and medium
CN114124480B (en) * 2021-11-08 2023-12-05 闪捷信息科技有限公司 Communication authentication method, server, client, electronic device and storage medium

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015149582A1 (en) * 2014-04-02 2015-10-08 天地融科技股份有限公司 Password input method, intelligent secret key device and client apparatus

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106034123B (en) * 2015-03-17 2019-06-11 中国移动通信集团湖北有限公司 Authentication method, application system server and client
CN106789848A (en) * 2015-11-23 2017-05-31 阿里巴巴集团控股有限公司 A kind of user key storage method and server
CN109257336B (en) * 2018-08-24 2021-03-16 维沃移动通信有限公司 Block chain-based password information processing method and terminal equipment
CN109359976A (en) * 2018-09-06 2019-02-19 深圳大学 Account number cipher management method, device, equipment and storage medium based on block chain

Also Published As

Publication number Publication date
CN110247758A (en) 2019-09-17

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20220118

Address after: Room 1423, No. 1256 and 1258, Wanrong Road, Jing'an District, Shanghai 200040

Applicant after: Tianyi Digital Life Technology Co.,Ltd.

Address before: 1 / F and 2 / F, East Garden, Huatian International Plaza, 211 Longkou Middle Road, Tianhe District, Guangzhou, Guangdong 510630

Applicant before: Century Dragon Information Network Co.,Ltd.

GR01 Patent grant