JP5482614B2 - Information processing system, information processing apparatus, server apparatus, information processing method, and computer program - Google Patents

Description

  The present invention relates to display of a password input screen provided by a web application, and more particularly, to a technique for displaying information related to the complexity of a password registered by the user so that the user can recognize it.

  In recent years, countless websites have been released on the Internet, and each website provides various web services using web applications. For example, web services such as internet banking and online shopping are widely used. When using these web services, the user needs to register as a user for each website, and in that case, it is common to register a password used for authentication.

  Such web services provided by websites are highly convenient and are becoming indispensable for many users. However, users are exposed to various risks such as fraudulent use by impersonation. It also becomes.

  Although there are various countermeasures against unauthorized use, increasing the complexity of passwords used for authentication can be cited as one effective means. For example, when registering a password, it is common to take measures such as setting a password of a predetermined number of characters or more, and making sure that at least one alphabetic and numeric character is used. This can increase the complexity of the password.

  When registering such a password, after the user inputs a character string to be used as the password, the password is transmitted to the web server that provides the web service by accepting an instruction to press the registration button, and the web server receives the password. If it is determined that the character string satisfies the requirements for registration as a password, and if it is determined that the requirements for registration are satisfied, the received character string is registered as a password, and if it is determined that it does not meet the requirements The character string used as the password is input again by the user.

  In addition, when registering a password, it is also exposed to social engineering dangers such as an input operation being stolen from the surroundings. In order to deal with such social engineering, for example, an invention disclosed in Patent Document 1 has been made. The present invention is to prevent the number of characters of the password input by the user from leaking by setting the number of echo characters masking the password characters input by the user to a plurality of characters.

JP 2004-21560 A

  When trying to determine the complexity of a password, in the conventional method, the complexity cannot be judged unless the user once determines the input of the password and the character string to be used. For this reason, if a character string that does not meet the complexity of the password required by the website is entered, the character must be re-entered, which puts you at the risk of social engineering. .

  In addition, if only the complexity of the above-mentioned password limit or the use of both alphabets and numbers is required, it is possible to easily display the password limit for the user, but further complexity is required. In that case, it is difficult to provide all the requirements to the user.

  In this case, it is assumed that the confirmed character string is displayed as a password and the user is notified of the reason why it is determined to be inappropriate. However, if one cause is found to be inappropriate, other than that, It is assumed that appropriate / inappropriate determinations are not made for the above requirements, and information on whether or not these requirements are satisfied is not notified to the user, which eventually causes repeated trial and error.

The present invention provides a mechanism to evaluate on the basis of the risk of a password entered string to the user information, even if the user information after input of a character string is changed, the already input character string dangerous The purpose is to provide a mechanism that can re-evaluate sex .

An information processing system according to the present invention is an information processing system that accepts a character string used as a password, a character string input accepting unit that accepts an input instruction for a character string that is used as a password, and a user who accepts input of user information and input of change An information input receiving unit, an evaluation unit that evaluates a risk that the character string is estimated using the user information received by the user information input receiving unit, and a notification based on the evaluation by the evaluation unit First evaluation means, and the evaluation means is a character string that has already been input by the character string input reception means when the user information input reception means has received an input for changing the user information. Te, the risk of already said string risk valuated is presumed by the evaluation means, is changed by accepting the input of the change The re-evaluated using the user information, the first notification means, and performs the re-notification of the risk of the based on the re-evaluation by the evaluation unit.

The information processing method of the present invention is an information processing method performed by information processing for accepting a character string used as a password, and includes a character string input accepting step for accepting an input instruction for a character string used as a password, and input and change of user information. A user information input receiving step for receiving the input, an evaluation step for evaluating the risk that the character string is estimated using the user information received in the user information input receiving step, and an evaluation by the evaluation step the notification based and a first notification step intends row, said evaluation step, wherein, when accepting the input of changes of said user information in the user information input accepting step, has been already input in the text input receiving step this is a character string, the risk of the character string of the already risk assessment already in the evaluation process is presumed, that accepts the input of the change Using the user information that has changed and re-evaluated by said first notification step, and performing the re-notification of risk based on the re-evaluation by the evaluation step.

The computer program of the present invention is a computer program that can be executed by an information processing system that accepts a character string used as a password, and the information processing system uses a character string input acceptance unit that accepts an input instruction of a character string used as a password; User information input accepting means for accepting input of user information and input of change, and evaluation means for evaluating the risk of guessing the character string using the user information accepted by the user information input accepting means ; made to function notification based on evaluation by the evaluation unit as a first informing means intends row, said evaluation means, wherein when accepting the input of changes of said user information in the user information input accepting means, the character string input there already is already input string at the reception means, the sentence of the already risk assessment already in the evaluation means The risk of the column is presumed, using the user information changed by accepting the input of the change reevaluates, the first informing means, said risk based on the re-evaluation by the evaluation unit The re-notification of sex is performed .

According to the present invention, the mechanism for assessing on the basis of the risk of a password entered string to the user information, even if the user information is changed after the input of the character string already entered string Can be reassessed .

It is a figure which shows an example of the system configuration | structure of the information processing system of this invention. It is a figure which shows an example of the hardware constitutions of the information processing apparatus applicable to each apparatus shown in FIG. It is a figure which shows an example of a function structure of each apparatus shown in FIG. It is a flowchart which shows the user information registration process in the form of 1st Embodiment. It is a flowchart which shows the detail of the password data input reception process of step S411 of FIG. It is a flowchart which shows an example of the password complexity evaluation and registration process in 1st Embodiment. It is a figure which shows an example of a structure of a user information input screen. It is a figure which shows an example of a structure of a password input screen. It is a figure which shows an example of the password complexity information display of a password input screen. It is a flowchart which shows the user information input process in 2nd Embodiment. It is a flowchart which shows the user information registration process in 2nd Embodiment. It is a flowchart which shows an example of the password complexity evaluation and registration process in 2nd Embodiment. It is a figure which shows an example of a structure of the user information input screen in 2nd Embodiment. It is a figure which shows an example of a data structure of a user information table.

  Hereinafter, an example of an embodiment for carrying out the present invention will be described with reference to the drawings.

  FIG. 1 is a diagram illustrating an example of a system configuration of an information processing system according to the present invention. As shown in FIG. 1, an information processing system according to the present invention includes client apparatuses 101-1 to 101-3 (hereinafter collectively referred to as client apparatus 101), a web server 102, an application server (AP server) 103, and a database server. (DB server) 104 is provided.

  The client device 101 is a computer operated by a user who uses a web service provided by the web server 102. The client device 101 accesses the web server 102 via a wide area network such as the Internet 106 and uses the web service. .

  The web server 102 is a server device for providing a web service in response to a request from the client device 101. The AP server 103 is a server device that executes a web application executed by a web service provided by the web server. The AP server 103 executes the web application requested from the web server 102 and notifies the web server 102 of the processing result. . The DB server 104 is a server device that stores various data used by the web server 102 and the AP server 103.

  Reference numeral 105 denotes a LAN (Local Area Network), which is a network for connecting the web server 102, the AP server 103, and the DB server 104 so that they can communicate with each other.

  Next, an example of the hardware configuration of each device (client device 101, web server 102, AP server 103, and DB server 104) shown in FIG. 1 will be described with reference to FIG. FIG. 2 is a diagram illustrating an example of a hardware configuration of an information processing apparatus applicable to each apparatus illustrated in FIG.

  In the figure, a CPU 201 comprehensively controls each device and controller described later connected to a system bus 204. Further, the ROM 203 or the external memory 211 is necessary for causing a BIOS (Basic Input / Output System) and an operating system program (hereinafter referred to as an OS), which are control programs of the CPU 201, and various types of processing described later to be performed by each device. Various programs and data are stored. The RAM 202 functions as a main memory, work area, and the like for the CPU 201.

  The CPU 201 implements various processes to be described later by loading a program or the like necessary for executing the process into the RAM 202 and executing the program. An input controller (input C) 205 controls input from an input device 209 configured with a keyboard, a pointing device, and the like. A video controller (VC) 206 controls display on a display device such as the display device 210. The display device 210 is composed of, for example, a CRT display or a liquid crystal display.

  A memory controller (MC) 207 is a hard disk (HD), floppy disk (registered trademark FD) or PCMCIA card slot for storing boot programs, browser software, various applications, font data, user files, editing files, various data, and the like. Controls access to an external memory 211 such as a compact flash memory connected via an adapter.

  A communication I / F controller (communication I / FC) 208 is connected to and communicates with an external device via a network such as the LAN 105 and the Internet 106 shown in FIG. 1, and executes communication control processing in the network. For example, Internet communication using TCP / IP is possible.

Note that the CPU 201 enables display on the display device 210 by executing outline font rasterization processing on a display information area in the RAM 202, for example. Further, the CPU 201 enables a user instruction with a mouse cursor (not shown) on the display device 210. The above is the description of the hardware configuration, but it is needless to say that the hardware configuration shown in FIG. 2 is not necessarily required as long as each device can execute various processes described later.

  Next, the functional configuration of each device (client device 101, web server 102, AP server 103, DB server 104) shown in FIG. 1 will be described with reference to FIG. FIG. 3 is a diagram illustrating a functional configuration included in each device illustrated in FIG. 1.

  As illustrated in FIG. 3, the client device 101 includes an input reception unit 301, a display control unit 302, and a communication unit 303. The communication unit 303 includes a synchronous communication unit 303-1, and an asynchronous communication unit 303-2.

  The input reception unit 301 receives input of URL information used when connecting to the web server, and various information via a user information input screen 700 and a password input screen 800 described later. The display control unit 302 performs screen display (for example, display of the user information input screen 700 and the password input screen 800) according to the response data received from the web server 102 on the web browser.

  The communication unit 303 performs communication with the web server 102 using HTTP or the like. The synchronous communication unit 303-1 performs synchronous communication with the web server 102. The asynchronous communication unit 303-2 sends an HTTP request to the web server 102 by asynchronous communication using “XMLHttpRequest” which is a JavaScript class library. In addition, response data transmitted from the web server 102 in response to the HTTP request is received using a callback function provided by the asynchronous communication unit 303-2.

  The web server 102 includes an execution request unit 311, a response data generation unit 312, and a communication unit 313. The communication unit 313 includes a synchronous communication unit 313-1 and an asynchronous communication unit 313-2.

  The execution request unit 311 determines whether it is a service execution request by analyzing a request URL included in the HTTP request data received from the client device 101 by the communication unit 313 described later, and determines that the request is a service execution request. In this case, a service execution request is sent to the AP server 103. For example, if the extension of the file included in the request URL is “do”, it is determined that the request is a service execution request.

  The response data generation unit 312 generates response data that is response data to the HTTP request data from the client device 101. The generated response data is passed to the communication unit 313.

  The communication unit 313 is a functional unit for performing communication with the client device 101 using HTTP, the synchronous communication unit 313-1 is the synchronous communication unit 303-1 of the client device 101, and the asynchronous communication unit 313-2 is Communication with the asynchronous communication unit 303-2 of the client apparatus 101 is performed.

  The AP server 103 includes a service execution unit 321 and a data operation unit 322. The service execution unit 321 includes an execution request reception unit 321-1, a specification unit 321-2, and a process execution unit 321-3. 322 includes a data acquisition unit 322-1 and a data registration unit 322-2.

  The service execution unit 321 is a functional unit that executes a service provided by the AP server 103 in response to a request from the web server 102. Examples of services provided by the AP server 103 include a password verification service for performing password complexity evaluation and a user information registration service.

  The execution request reception unit 321-1 is a functional unit that receives a service execution request from the execution request unit 311 of the web server 102. The service specifying unit 321-2 specifies the service to be executed in accordance with the service execution request received by the execution request receiving unit 321-1. The process execution unit 321-3 executes the service specified as the service to be executed by the service specification unit 321-2 and returns the processing result to the execution request unit 311 of the web server 102.

  The data operation unit 322 is a functional unit for operating a database such as a user information table managed by the DB server 104, and the data acquisition unit 322-1 performs various data from the database managed by the DB server 104. It is a functional part that acquires The data registration unit 322-2 is a functional unit that adds data to the database, deletes data from the database, and changes already registered data.

  The DB server 104 includes a storage unit 331, and the storage unit 331 stores various data used in processing to be described later, and various data to be created. The above is the description of the functional configuration of each apparatus illustrated in FIG.

<First Embodiment>
Next, user information registration processing according to the first embodiment of the present invention, which is performed by the CPU 201 of the client device 101, the CPU 201 of the web server 102, and the CPU of the AP server 103, will be described with reference to FIG. The processes shown in steps S401 to S411 in the figure are executed by the CPU 201 of the client apparatus 101, the processes shown in steps S421 to S426 are executed by the CPU 201 of the web server 102, and the processes shown in steps S441 to S444 are executed by the CPU 201 of the AP server 103. It is.

  First, the client apparatus 101 accepts input of URL information for specifying the web server 102 to be accessed in accordance with the operation of the user input apparatus 209 (step S401). Then, request data is transmitted for a screen request to the web server 102 specified by the URL input in step S401 (step S402).

  When the CPU 201 of the web server 102 acquires the request data for the screen request transmitted from the client device 101 (step S421), the response data including the display screen information is sent to the client device 101 that has made the request. Transmit (step S422).

  When receiving the response data including the display screen information transmitted from the web server 102 (step S403), the CPU 201 of the client device 101 performs screen display according to the received display screen information (step S404). Here, for example, a user information input screen 700 shown in FIG. 7 is displayed.

  Here, the configuration of the user information input screen 700 will be described with reference to FIG. FIG. 7 is a diagram showing an example of the configuration of the user information input screen 700.

  As shown in FIG. 7, the user information input screen 700 includes a name input field 701, a name (Roman character) input field 702, a gender input field 703, a date of birth input field 704, an address input field 705, a telephone number input field 706, an occupation. An input field 707, a mail address input field 708, a mail address confirmation input field 709, a login user name input field 710, a next (password input) button 711, and the like are provided.

  The user inputs information related to himself / herself in each input field set in the screen using the input device 209. Then, when input for all input fields for which input is indispensable is accepted, the button 711 is enabled to the next (password input). The login user name input field 710 receives an input of a user name used when the user uses the web service.

  Returning to the description of FIG. The CPU 201 of the client apparatus 101 accepts user information input from the user via the user information input screen 700 displayed in step S404 (step S405). Thereafter, when an input of a registration instruction that is input by an instruction to press the button 711 is received next to the user information input screen 700 (password input) (YES in step S406), the user information input to the user information input screen 700 Is created, and the request data is transmitted to the web server 102 (step S407).

CPU201 of upon receiving the request data for the registration of a transmitted the user information from the client apparatus 101 (step S423), the web server 102, the execution request of a program for the registration of the user information to the AP server 103 (Step S424). At the same time, the user information acquired from the client apparatus 101 is transmitted to the AP server 103.

  When receiving the user registration program execution request from the web server 102 (step S441), the CPU 201 of the AP server 103 executes the user registration program (step S442), and registers the user information in the user information table 1400 provided in the DB server 104. (Step S443). Then, the processing result is transmitted to the AP server 103 (step S444).

  Here, the data configuration of the user information table 1400 managed in the external memory 211 of the DB server 104 will be described with reference to FIG. FIG. 14 is a diagram illustrating an example of a data configuration of the user information table 1400.

  As shown in FIG. 14, the user information table 1400 includes a user ID 1401, name 1402, name (Roman character) 1403, gender 1404, date of birth 1405, address 1406, telephone number 1407, occupation 1408, e-mail address 1409, and login user name 1410. And data items such as a password 1411 and the like.

  Returning to the description of FIG. Upon receiving the processing result from the AP server 103 (step S425), the web server 102 creates response data indicating the user information registration result and transmits it to the client device 101 (step S426). At this time, if the user information registration is successful, the password input screen 800 shown in FIG. 8 is created. If the user information registration is unsuccessful, response data including screen information for displaying an error notification screen (not shown) is created. It is transmitted to the client apparatus 101.

  When the CPU 201 of the client apparatus 101 acquires response data from the web server 102 (step S408), the process proceeds to step S409, and screen display is performed according to the acquired response data. That is, the password input screen 800 or the error notification screen shown in FIG. 8 is displayed according to the registration processing result.

  If registration fails (NO in step S410), the user information input screen 700 is displayed again, and the processing from step S405 is repeated. On the other hand, if the registration is successful (YES in step S410), the process proceeds to step S411, and a password data input acceptance process is performed. Details of this processing will be described with reference to FIG. The above is the description of the user information registration process of FIG.

  In the present invention, the complexity of the password is determined using information such as the name, date of birth, and telephone number input by the user in the user information registration process. For example, if a character string used as a password contains name information or date of birth, there is a problem that it is easy to guess the password from others. The complexity is ensured by not using it.

  Next, with reference to FIG. 5, the details of the password input acceptance process in step S411 of FIG. 4 will be described.

  First, the CPU 201 of the client apparatus 101 starts monitoring user operations on the password input screen 800 displayed on the display apparatus 210 (step S501).

  Here, the screen configuration of the password input screen 800 will be described with reference to FIG. FIG. 8 is a diagram showing an example of the configuration of the password input screen 800.

  As shown in FIG. 8, the password input screen 800 includes a password input field 801 and a registration button 802 when the screen is initially displayed.

  The password input field 801 is a reception field that accepts input of a character string used as a password. In the present invention, every time the information in the password input field 801 is edited, the CPU 201 of the client apparatus 101 transmits the character string information input in this input field to the web server 102 by the asynchronous communication unit 303-2, and then The AP server 103 performs complexity evaluation of the character string. And the display for alert | reporting to a user the result of complexity evaluation will be performed on this screen. Also, the password input field 801 does not accept input of more characters than the maximum number of characters for a password.

  The registration button 802 is a button used to confirm the password input and request the web server 102 to register the password. This registration button is grayed out when the character string input in the password input field 801 is not the predetermined number of characters, or when it is determined that the requirement for registration as a password is not satisfied by the complexity evaluation. It is displayed and controlled so that registration instructions cannot be given. When this registration button is pressed, the CPU 201 of the client apparatus 101 transmits the character string input to the web server 102 by the synchronous communication unit 303-1. The above is the description of the configuration of the password input screen 800 in FIG.

  Returning to the description of FIG. If it is determined that the password has been edited by operating the password input field 801 during user operation monitoring (YES in step S502), the process proceeds to step S503, and the number of characters displayed in the password input field 801 is changed. In the password input field, in order not to understand what character string is input, “*” or the like is used as a mask character instead of the input character. Therefore, in this step S503, processing for changing the display number of “*” is performed. If it is determined that password editing has not been performed (NO in step S502), the process proceeds to step S516.

  Thereafter, it is determined whether or not the number of characters input in the password input field 801 is a predetermined number or more (step S504). If it is determined that the number is not greater than the predetermined number (NO in step S504), the process proceeds to step S505. The registration button 802 is invalidated and grayed out.

  Thereafter, when the password complexity display indicating the password complexity evaluation processing result is displayed on the password input screen 800 for the input character string (YES in step 506), the display is deleted (step S507). .

  If it is determined in the determination process in step S504 that the number of characters input in the password input field 801 is equal to or greater than the predetermined number, the process proceeds to step S508, and request data for a password complexity evaluation request is created and created. The request data is transmitted to the web server 102 using the asynchronous communication function (step S509). At this time, there is no need to give an explicit instruction by the user, and if the CPU 201 of the client apparatus 101 determines that the input content in the password input field has been changed, this processing is automatically performed.

  After that, it waits for reception of response data that is response data to the request data in step S509. In the meantime, the CPU 201 can execute other processes. If it is determined that the response data transmitted using the asynchronous communication function of the web server 102 has been received (YES in step S510), the process proceeds to step S511, and password complexity information included in the response data is acquired. Then, according to the password complexity information, a complexity display indicating the password complexity information is displayed on the password input screen displayed on the display device 210 (step S512). At this time, instead of refreshing the display information of the entire password input screen, only the display that needs to be changed is updated.

  Then, in accordance with the password complexity information acquired in step S511, it is determined whether the currently entered password can be registered. If it is determined that the password registration requirements can be satisfied and registered (YES in step S513). The registration button is validated (step S514). On the other hand, if it is determined that the password registration requirement is not satisfied (NO in step S513), the registration button is disabled (step S515). Then, the process proceeds to step S501.

  If it is determined in step S502 that the operation received from the user is not a password editing operation (NO in step S502), the process proceeds to step S516, and the CPU 201 issues an instruction to press the registration button 802. It is determined whether a pressing instruction has been accepted. If the CPU 201 determines that an instruction to press the registration button 802 has been received (YES in step S516), it creates request data for a password registration request including the password character string including the password character string (step S517). The requested data is transmitted to the web server 102 by synchronous communication (step S518). Then, the response data from the web server is received (step S519), the screen corresponding to the response data is displayed, and this process is terminated. .

  If it is determined in step S516 that an instruction to press the registration button has not been received (NO in step S516), it is determined whether an end instruction has been received (step S520). If it is determined in step S520 that an end instruction has been received (YES in step S520), the process ends without performing the password registration process. On the other hand, if neither a registration button press instruction nor an end instruction has been received, the process proceeds to step S501, and the subsequent processes are repeated. The details of the password data input acceptance process performed by the client apparatus 101 have been described above.

  Next, the password complexity evaluation / registration process performed by the web server 102 and the AP server 103 in accordance with the password data input acceptance process in the client apparatus 101 will be described with reference to FIG.

  First, when the CPU 201 of the web server 102 receives request data from the client apparatus 101 (step S601), the CPU 201 transfers the received request data to the AP server 103 (step S602). The request data that the web server 102 receives from the client device 101 in step S601 includes the request data (asynchronous communication) of the password complexity evaluation request transmitted in step S509 in FIG. 5, and the password transmitted in step S518 in FIG. Request data (synchronous communication) for registration requests.

  When the request data is transferred from the web server 102 (step S621), the CPU 201 of the AP server 103 specifies the type of the transferred request data. The AP server 103 identifies the service to be executed according to the identified type of request data (step S622).

  If it is determined that the request data transferred from the web server 102 is request data for a password registration request (“registration” in step S623), a service for registering a password is executed (step S624), and the DB server The password is additionally registered in the user information table 1400 stored in 104 (step S625). Then, the processing result is received from the DB server 104 (step S626) and transmitted to the web server 102 (step S627).

  On the other hand, if it is determined in step S623 that the request data is a password complexity evaluation request, the password verification service is executed (step S628), and the user information managed by the DB server is managed by the DB server. Obtained from the information table 1400 (step S629). Then, password verification is performed using the character string information being input included in the request data of the complexity evaluation request and the user information acquired in step S629 (step S630). In the present invention, since password verification can be verified using user information, password verification as shown below can be performed.

• Does the password include the user's date of birth?
-Is the password part of the user's name included?
• Is the user's phone number included in the password?
-Is the password the same as the user's email address account?

  In addition to password verification using user information, the following password verification can also be performed.

・ Does the password contain alphabets and numbers respectively?
・ Does the password contain anything other than alphanumeric characters (for example,%, @, etc.)?

  In step S630, the character string information included in the request data received in step S621 is checked for each of the plurality of check items as described above, and an evaluation value indicating the degree of complexity of the password according to the result. Will be calculated. For example, if the password includes the date of birth of the user, -30, if the password includes part of the name, -20, if the password includes both alphabets and numbers, For example, a value may be set for each check item, such as +20, and an evaluation value may be calculated by summing them.

  Thereafter, password complexity information is created according to the evaluation value calculated by the complexity evaluation in step S630 (step S631), and the created password complexity information is transmitted to the web server 102 (step S632).

  When the CPU 201 of the web server 102 receives the password registration processing result transmitted in step S627 from the AP server 103 (step S603), it creates response data including the registration processing result (step S604), and creates the created response data. It transmits to the client apparatus 101 by synchronous communication (step S605).

  When the CPU 201 of the web server 102 receives the password complexity information transmitted in step S632 from the AP server 103 (step S606), the CPU 201 creates response data including the password complexity information (step S607), and sends the response data. It transmits to the client apparatus 101 by asynchronous communication (step S608). The above is the password complexity evaluation / registration process performed by the web server 102 and the AP server 103 in accordance with the password input process of the client apparatus 101.

  Here, with reference to FIG. 9, an example of the password complexity display on the password input screen 800 displayed while the password data input acceptance process shown in FIG. 5 is performed will be described.

  (1) of FIG. 9 shows an example of a password complexity display when a character string that cannot be registered is input as a password. As shown in (1) of FIG. 9, when a character string that cannot be registered as a password is input, it is different from the normal display, for example, by changing the background color of the password input field, and any prohibited conditions are set. Whether it matches is displayed on the message display section 902-1. As a result, the user can recognize the danger level of the password and which prohibition conditions are met.

  On the other hand, when a character string that can be registered as a password is input, a message indicating that it can be registered as a password is displayed on the message display section 902-2 as shown in (2) of FIG.

  Further, according to the present invention, the background display of the password input unit is switched based on an evaluation value indicating whether the password is appropriate, as well as whether the password can be registered.

For example, it is assumed that a password can be registered under the following conditions.
・ Last name and first name are not included in the password.
・ Birth date is not included in the password.
・ Password must be between 8 and 16 characters.
・ The password must contain at least one letter or number.

  Under these conditions, if Taro Yamada, who was born on May 9, 1980, wants to register a password and entered "12345ABC", "1qaz2wsx", "yama0001", etc., these can be registered. Judge that there is.

  However, “1234ABCD” is an input of 4 characters in order from the first character in both numbers and letters, and because of the law of input, it cannot be said that it is necessarily suitable as a password.

  In addition, “1qaz2wsx” does not seem to have a regularity at first glance, but since only the characters set in the left two columns of the keyboard layout are sequentially input, this character string also has a certain regularity. It can be said that there is.

  Also, when a character string such as “yama0001” is entered, the entire surname is not included, but a part (yama) is used, so it can be guessed by others. It can be said that the property is higher than the character string without the law property.

  As mentioned above, it can be said that character strings that use legality or part of personal information have a higher risk of being guessed by others than character strings that do not have legality. When the character string is input, the user can be notified that the password can be registered as a password but has a high risk. In order to be able to do this, the password verification service also performs such a rule check.

  Therefore, for example, in the case of a character string for which password registration is impossible, display control is performed so that the registration button is grayed out and the background color is red to allow the user to recognize that password registration cannot be performed.

When a character string having a rule is input, an evaluation value indicating the degree of risk is calculated according to a preset rule, and the user is made to recognize the degree of risk. For example, etc. that contains the part of the personal information, if the very crisis Kendo fit is likely to be high "orange", etc. there is a law of the input string, a relatively degree of risk is high In this case, the degree of danger may be notified by changing the background color of the password input field such as “yellow” or “green” or “blue” depending on the degree of danger.

  In the present invention, the password complexity information for notifying the user of the degree of danger of the password is displayed before the password character string is confirmed by pressing the registration button. The password can be set while confirming the password.

<Second Embodiment>
The user information input process (FIG. 10) and user information registration process (FIG. 11) in the second embodiment of the present invention performed by the CPU 201 of the client apparatus 101 will be described below with reference to FIGS. . The processing performed by the web server 102 and the AP server 103 according to this processing will be described separately with reference to FIG.

  In the user information registration process according to the first embodiment, a screen for inputting user information (user information input screen 700) and a screen for inputting password information (password input screen 800) are provided on different screens. In the second embodiment, a case where input is performed on the same screen will be described.

  First, the CPU 201 displays a user information input screen 1300 shown in FIG. 13 on the display device 210 (step S1001). The HTML data used for displaying this screen is stored in the web server 102, and the client apparatus 101 requests the web server 102 for information for displaying this screen.

  Here, a user information input screen according to the second embodiment will be described with reference to FIG. FIG. 13 is a diagram showing an example of the configuration of the user information input screen.

  As shown in FIG. 13, a user information input screen 1300 includes a name input field 1301, a name (Roman character) input field 1302, a gender input field 1303, a date of birth input field 1304, an address input field 1305, a telephone number input field 1306, an occupation. An input field 1307, an e-mail address input field 1308, an e-mail address confirmation input field 1309, a login user name input field 1310, a password input field 1311, a registration button 1312, and the like are configured.

    The user inputs user attribute information related to himself / herself in each input field set on the screen using the input device 209. Of these input items, a plurality of items (for example, name, date of birth, mail address, etc.) are set as items used for password complexity evaluation. In the HTML data that displays this screen, when the edit processing for the items set as items used for complexity evaluation and the edit processing for the password input field are performed, they are input to those input fields by asynchronous communication. A script for transmitting information to the web server 102 is defined. When the input information is transmitted, the complexity of the password is evaluated.

  Returning to the description of FIG. After the user information input screen 1300 is displayed on the display device, the user's operation via the input device 209 for various input fields set on the screen is monitored (step S1002).

  Then, it is determined whether an instruction to edit user information (including password) has been received (step S1003). If it is determined that an instruction to edit user information has been received (YES in step S1003), the process proceeds to step S1004. If it is determined that an instruction other than an information editing instruction has been received (NO in step S1003), the process proceeds to step S1101 in FIG.

  In step S1004, it is determined whether an edit instruction for the password input field has been issued. If it is determined that an edit instruction for the password input field has been issued (YES in step S1004), the process proceeds to step S1007. On the other hand, if it is determined that an editing instruction for an input field other than the password has been issued (NO in step S1004), the process proceeds to step S1005, and the display of the input field that accepted the editing instruction is updated.

Then, after the processing of step S1005, when it is determined that accepts the editing process to the attribute information used to password complexity evaluation (YES in step S1006), the processing to step S1008, whereas, for accepting the editing process If it is determined that the attribute item is not used for complexity evaluation (NO in step S1006), the process returns to step S1002.

  If it is determined in the determination process of step S1004 that an editing instruction has been received for the password input field (YES in step S1004), the display of the password input field is updated (step S1007).

  Then, after the process of step S1007 is completed, or when YES is determined in step S1006, it is determined whether the number of characters input in the password input field 1311 is equal to or greater than a predetermined number of characters (minimum number of characters in the password) ( If it is determined in step S1008) that the number of characters is equal to or greater than the predetermined number of characters (YES in step S1008), the password information input in the password input field 1311 and the user attributes set as attributes used for password complexity evaluation Is obtained from the user information input screen (step S1009), and then request data for a password complexity evaluation request including various information acquired in step S1009 is created (step S1010), and the asynchronous communication unit 303-2. To create the request data Send to the server 102 (step S1011). The web server 102 performs a password complexity evaluation process according to the request data. This process will be described later with reference to FIG.

  When the asynchronous communication unit 303-2 receives response data that is response data to the request data transmitted in step S1011 from the web server 102 after the request data is transmitted (YES in step S1012), the client apparatus 101 advances the process to step S1013. The password complexity display corresponding to the password complexity information included in the response data is performed (step S1013).

  If it is determined in step S1008 that the number of characters is less than the predetermined number (NO), the process proceeds to step S1014 to determine whether the password complexity display has already been performed. If the password complexity display is performed, the complexity of the password information accompanying the editing has not been performed, and the process proceeds to step S1015, and the password complexity display as the previous evaluation result is deleted. . Then, after the process of step S1013 or step S1015 is completed, the process returns to step S1002, and the subsequent processes are repeated.

  If it is determined in step S1003 in FIG. 10 that the operation received from the user is not a user information editing process (NO), the process proceeds to step S1101 in FIG.

  In step S1101, the CPU 201 of the client apparatus 101 determines whether a pressing instruction for the registration button 1312 of FIG. 13 has been received from the user (step S1101). If it is determined that an instruction to press the registration button has been accepted (YES), the process proceeds to step S1102, and if it is determined not to be accepted (NO), the process proceeds to step S1110.

  In step S <b> 1102, the CPU 201 of the client apparatus 101 determines whether input has been performed for all items that are required to be input on the user information input screen 1300. In this process, a script to be executed when an instruction to press the registration button 1312 is set in the HTML data used to display the user information input screen 1300, and the determination process is performed by executing the script. become. With this script, a process is performed to determine whether each piece of attribute information that is an input-required item is not blank.

  If it is determined that all entries have been made in the input field for inputting attribute information that is regarded as an input-required item (YES), it is determined that there is an input-required item that has not been input in step S1103. In the case, the process proceeds to step S1109.

  In step S1103, it is determined according to the password complexity information received from the web server 102 whether the password information input in the password input field 1311 can be registered. If it is determined that the password can be registered (YES), the process proceeds to step S1104. If it is determined that the password cannot be registered (NO), the process proceeds to step S1109.

  If YES is determined in step S1103, the CPU 201 of the client apparatus 101 acquires information input to various input units of the user information input screen 1300 (step S1104), and receives a user information registration request including the acquired input information. Request data is created (step S1105), and the request data is transmitted from the synchronous communication unit 303-1 to the web server 102 (step S1106). Processing performed by the web server 102 in response to the request data will be described with reference to FIG.

  Then, when response data transmitted from the web server 102 is acquired as a result of performing processing according to the request data transmitted to the web server 102 in step S1106 (step S1107), the registration processing result is displayed according to the response data. It is displayed on 210 (step S1108).

  If NO is determined in steps S1102 and S1103, the process proceeds to step S1109, and a warning message is displayed. If NO is determined in step S1102, a warning message indicating that the input for the essential input item has not been input is displayed. If NO is determined in step S1103, the character string input in the password input field 1311 is displayed. Displays a warning message indicating that it cannot be registered as a password.

  If it is determined in step S1101 that an instruction to press the registration button has not been received, the process proceeds to step S1110 to determine whether an end instruction has been received. If it is determined that an end instruction has not been received, the process proceeds to step S1002 in FIG. On the other hand, when an end instruction is accepted, this process ends.

  Next, referring to FIG. 12, the password complexity performed by the web server 102 and the AP server 103 in accordance with the user information input process (FIG. 10) and the user information registration process (FIG. 11) performed by the client apparatus 101. The evaluation / registration process will be described.

  First, when the CPU 201 of the web server 102 receives the request data from the client device 101 (step S1201), the CPU 201 transfers the received request data to the AP server 103 (step S1202). The request data that the web server 102 receives from the client device 101 in step S1201 includes the request data (asynchronous communication) of the password complexity evaluation request transmitted in step S1011 in FIG. 10, and the password transmitted in step S1106 in FIG. Request data for registration requests.

  When the request data is transferred from the web server 102 (step S1221), the CPU 201 of the AP server 103 specifies the type of the transferred request data. The AP server 103 specifies the service to be executed according to the specified type of request data (step S1222).

  If it is determined that the request data transferred from the web server 102 is request data for a password registration request (registered in step S1223), a service for registering a password is executed (step S1224), and the DB server 104 A password is additionally registered in the stored user information table 1400 (step S1225). Then, the processing result is received from the DB server (step S1226) and transmitted to the web server 102 (step S1227).

  On the other hand, if it is determined in step S1223 that the request data is a password complexity evaluation request, a password verification service is executed (step S1228).

  Since the character string and user attribute information to be set as a password necessary for password verification are included in the request data received from the web server 102 in step S1221, the CPU 201 of the AP server 103 determines the password complexity from the request data. Various data necessary for sex evaluation are acquired (step S1229). Then, the complexity of the password is evaluated using the character string to be set as the password acquired in step S1229 and the user attribute information (step S1230). Also in the second embodiment, the password for determining the complexity of the password, including verification that the user attribute information is not included in the character string to be set in the password, as in the first embodiment. Complexity evaluation is possible, and the user is notified of the complexity of the password that the user is trying to set by notifying the user of the result.

  In step S1230, the character string information included in the request data received in step S1221 is checked for each of a plurality of preset check items, and an evaluation value indicating the degree of password security according to the result. Will be calculated.

  Thereafter, password complexity information is created according to the check result for each check item by the complexity evaluation in step S1230 and the evaluation value calculated as a result (step S1231), and the created password complexity information is stored in the web server 102. (Step S1232).

  When the CPU 201 of the web server 102 receives the password registration processing result transmitted in step S1227 from the AP server 103 (step S1203), the CPU 201 creates response data including the registration processing result (step S1204), and uses the created response data as the client. It transmits to the apparatus 101 by synchronous communication (step S1205).

  When the CPU 201 of the web server 102 receives the password complexity information transmitted in step S1232 from the AP server 103 (step S1206), the CPU 201 creates response data including the password complexity information (step S1207). It transmits to the client apparatus 101 by asynchronous communication (step S1208). The above is the password complexity evaluation / registration process performed by the web server 102 and the AP server 103 in accordance with the password input process of the client apparatus 101.

  In the second embodiment, the complexity of the password that is input when the user information input screen 1300 in which the password character string input field and the user attribute input field are composed of the same screen is used is evaluated. An example was described. In this way, when the password character string and the user attribute for evaluating the complexity of the password character string are input using the same screen, the password character string is input first, and then the user attribute information is input and edited May be performed.

  Therefore, in the second embodiment, asynchronous communication with the web server 102 is performed not only when the password input field is edited but also when user information used for password complexity evaluation is edited. Configured to perform password complexity assessment. As a result, the user can grasp the complexity before password confirmation, that is, during password entry, and does not need to repeat password entry and confirmation.

<Other embodiments>
The object of the present invention is achieved by the following. That is, a storage medium (or recording medium) in which a program code of software that realizes the functions of the above-described embodiments is recorded is supplied to the system or apparatus. Then, the central processing means (CPU or MPU) of the system or apparatus reads and executes the program code stored in the storage medium. In this case, the program code itself read from the storage medium realizes the functions of the above-described embodiment, and the storage medium recording the program code constitutes the present invention.

  In addition, by executing the program code read by the central processing means of the system or apparatus, an operating system (OS) or the like operating on the system or apparatus performs actual processing based on the instruction of the program code. Do some or all. The case where the function of the above-described embodiment is realized by the processing is also included.

  Further, it is assumed that the program code read from the storage medium is written in a memory provided in a function expansion card inserted into the system or apparatus or a function expansion unit connected thereto. After that, based on the instruction of the program code, the CPU of the function expansion card or function expansion unit performs part or all of the actual processing, and the function of the above-described embodiment is realized by the processing. It is.

101-1, 101-2, 101-3 Client device 102 Web server 103 Application (AP) server 104 Database (DB) server 105 LAN
106 Internet 201 CPU
202 RAM
203 ROM
204 System Bus 205 Input Controller 206 Video Controller 207 Memory Controller 208 Communication Interface (I / F) Controller 209 Input Device 210 Display Device 211 External Memory

Claims (23)

An information processing system that accepts a character string used as a password,
A character string input receiving means for receiving an input instruction of a character string used as a password;
User information input receiving means for receiving input of user information and input of change;
Using the user information received by the user information input receiving means, an evaluation means for evaluating the risk that the character string is estimated;
First notification means for performing notification based on the evaluation by the evaluation means,
The evaluation unit is a character string that has already been input by the character string input reception unit when the user information input reception unit has received an input for changing the user information, and the evaluation unit has already performed a risk evaluation. Re-evaluate the risk that the completed character string is estimated using the user information changed by accepting the input of the change,
The information processing system according to claim 1, wherein the first notification unit performs re-notification of the danger based on the re-evaluation by the evaluation unit. The evaluation means is a character string that has already been input by the character string input reception means each time the user information input reception means receives an input of change of the user information, and has already been risk-evaluated by the evaluation means. Re-evaluate the risk of guessing the character string using the user information changed by accepting the input of the change,
It said first notification means, each time before SL user information input accepting means accepts an input of changes of said user information, and performing the re-notification of risk based on the re-evaluation by the evaluation unit The information processing system according to claim 1.   The evaluation means is used for evaluation of the character string received by the user information input accepting means on the same screen as the screen accepting the character string input instruction by the character string input accepting means. 3. The information processing system according to claim 1, wherein the user information set accordingly is used to re-evaluate the risk that the character string already risk-evaluated by the evaluation unit is estimated. First storage means for storing conditions for determining whether or not a password can be registered;
A specifying unit for specifying a condition that is a factor that prevents a character string edited in accordance with the input instruction received by the character string input receiving unit from being registered as a password;
Second notifying means for notifying the user of the condition specified by the specifying means;
The information processing system according to claim 1, further comprising: A determination means for determining whether the number of characters of the character string changed by the character string input receiving means receiving a character string input instruction is greater than or equal to a predetermined number of characters set in advance;
5. The method according to claim 1, wherein when the determination unit determines that the number of characters is equal to or greater than a predetermined number of characters, the evaluation unit evaluates a risk that the character string is estimated. Information processing system. When it is determined by the determining means that the number of characters of the character string changed by the character string input receiving means receiving a character string input instruction is not greater than or equal to a predetermined number of characters,
The information processing system according to claim 5, wherein the first notifying unit does not notify the danger. The information processing system according to claim 1, wherein the evaluation unit evaluates a risk that the character string is estimated using a character type included in the character string. . The first notification means displays the background color of the input column of the character string used as the password in accordance with the evaluation by the evaluation means, thereby risking the user to guess the character string The information processing system according to any one of claims 1 to 7, characterized in that: Third accepting means for accepting a confirmation instruction for confirming the character string as a password;
Registration means for registering the character string input at the time of reception by the third reception means as a password;
The information processing system according to claim 1, further comprising: An information processing apparatus that accepts a character string used as a password,
A character string input receiving means for receiving an input instruction of a character string used as a password;
User information input receiving means for receiving input of user information and input of change;
Requesting means for requesting the server device to evaluate the risk that the character string is estimated using the user information received by the user information input accepting means;
Notification means for performing notification according to the risk evaluation performed by the server device in response to a request for evaluation by the request means;
With
When the request information is received by the user information input accepting means, the request means is a character string that has already been entered by the character string input accepting means, and has already been evaluated by the server device. Requesting the server device to re-evaluate the user information that has been changed by accepting the input of the change, the risk of the estimated character string being inferred,
The information processing apparatus characterized in that the notification means performs re-notification of the danger performed by a server apparatus in response to the request for the re-evaluation by the request means. Whenever the request information is received by the user information input accepting means, the character string input accepting instruction is accepted by the character string input accepting means, and the already evaluated risk character string is estimated. Requesting the server device to re-evaluate using the user information changed by accepting the input of the change,
Before SL paper known means, characterized in that each time before SL user information input accepting means accepts an input of changes of said user information, wherein in response to a request of re-evaluation by the request means, performs re-notification of the risk The information processing apparatus according to claim 10 . Said request means, according to claim 10, characterized in that said asynchronous communication to the server apparatus, and requests already re-evaluation of risk of the string of risk assessment already is inferred in the server device Information processing device. A determination means for determining whether the number of characters of the character string changed by the character string input receiving means receiving a character string input instruction is greater than or equal to a predetermined number of characters set in advance;
When the determination unit determines that the number of characters is equal to or greater than a predetermined number of characters, the request unit requests the re-evaluation to the server device, and the determination unit determines that the number of characters is equal to or greater than the predetermined number of characters. The information processing apparatus according to any one of claims 10 to 12 , wherein when it is determined that the risk is not, the notifying unit does not perform re-notification of the danger. A character string used as a password, and a server device communicably connected to an information processing device that accepts input and change of user information,
An evaluation means for evaluating a risk that the character string is estimated using user information received from a user;
Transmission means for transmitting notification information used for the information processing apparatus to perform danger notification according to the evaluation by the evaluation means to the information processing apparatus;
With
The evaluation unit is a character string that has already been input in response to an input of a change in the user information from a user, and the risk that the character string that has already been risk-evaluated by the evaluation unit is estimated. Re-evaluate using the user information changed in response to the change input,
The transmission unit transmits the notification information used for the information processing device to perform the re-notification of the danger according to the reevaluation by the evaluation unit to the information processing device. apparatus. The transmission unit, before SL sent asynchronous communication from the information processing apparatus, in accordance with the previously required reevaluation of risk the strings risk valuated is presumed, according to re-evaluation by the evaluation unit The server apparatus according to claim 14 , wherein notification information used for the information processing apparatus to perform notification of a risk is transmitted to the information processing apparatus by asynchronous communication. First storage means for storing conditions for determining whether or not a password can be registered;
A specifying means for specifying a condition that is a factor that the character string edited in accordance with the input operation received by the information processing apparatus cannot be registered as a password;
Further comprising
The transmission unit, the server device according to claim 14 or 15, characterized in that the transmission of certain conditions by the specifying unit the information processing apparatus further information used for notifying the user. When the number of characters of the character string changed by receiving a character string input instruction is greater than or equal to a predetermined number of characters set in advance, the information processing device
The server apparatus according to any one of claims 14 to 16 , wherein a re-evaluation of a risk that the character string that has already been subjected to a risk evaluation is estimated is requested. An information processing method performed by an information processing system that accepts a character string used as a password,
A character string input accepting step for accepting an input instruction of a character string used as a password;
A user information input accepting step for accepting input of user information and an input of change; an evaluation step for evaluating the risk that the character string is estimated using the user information accepted in the user information input accepting step;
A first notification step for performing notification based on the evaluation by the evaluation step,
The evaluation step is a character string that has already been input in the character string input reception step when a change in the user information is received in the user information input reception step, and a risk evaluation has already been performed in the evaluation step. Re-evaluate the risk that the completed character string is estimated using the user information changed by accepting the input of the change,
In the information processing method, the first notification step performs re-notification of the danger based on the re-evaluation in the evaluation step. An information processing method performed by an information processing apparatus that accepts a character string used as a password,
A character string input accepting step for accepting an input instruction of a character string used as a password;
A user information input receiving step for receiving user information input and change input;
Using the user information received in the user information input reception step, a request step for requesting the server device to evaluate the risk that the character string is estimated;
A notification step for performing notification according to a risk evaluation performed by the server device in response to a request for evaluation by the request step;
Including
Said request step, when said accepting the input of changes of said user information in the user information input accepting step, the a character string input receiving step already strings already entered, already risk assessment by the server device Requesting the server device to re-evaluate the user information that has been changed by accepting the input of the change, the risk of the estimated character string being inferred,
The information processing method, wherein the notification step performs re-notification of the danger performed by a server device in response to the request for the re-evaluation in the request step. An information processing method performed by a server device communicably connected to a character string used as a password and an information processing device that accepts input of user information and input of change,
An evaluation step for evaluating a risk that the character string is estimated using user information received from a user;
A transmission step of transmitting, to the information processing device, notification information used for the information processing device to notify the danger according to the evaluation in the evaluation step;
Including
The evaluation step is a character string that has already been input in response to an input of a change in the user information from a user, and the risk that the character string that has already been evaluated for risk in the evaluation step is estimated. Re-evaluate using the user information changed in response to the change input,
The transmitting step transmits to the information processing device notification information used for the information processing device to perform re-notification of the danger according to the re-evaluation in the evaluation step. Processing method. A computer program executable by an information processing system that accepts a character string used as a password,
The information processing system;
A character string input receiving means for receiving an input instruction of a character string used as a password;
User information input accepting means for accepting input of user information and input of change, and evaluation means for evaluating the risk of guessing the character string using the user information accepted by the user information input accepting means;
Function as first notification means for performing notification based on the evaluation by the evaluation means;
The evaluation unit is a character string that has already been input by the character string input reception unit when the user information input reception unit has received an input for changing the user information, and the evaluation unit has already performed a risk evaluation. Re-evaluate the risk that the completed character string is estimated using the user information changed by accepting the input of the change,
The computer program according to claim 1, wherein the first notifying unit re-notifies the danger based on the re-evaluation by the evaluating unit. An information processing device that accepts a character string used as a password
A character string input receiving means for receiving an input instruction of a character string used as a password;
User information input receiving means for receiving input of user information and input of change;
Requesting means for requesting the server device to evaluate the risk that the character string is estimated using the user information received by the user information input accepting means;
In response to a request for evaluation by the request means, function as a notification means for performing notification according to the risk evaluation performed by the server device,
When the request information is received by the user information input accepting means, the request means is a character string that has already been entered by the character string input accepting means, and has already been evaluated by the server device. Requesting the server device to re-evaluate the user information that has been changed by accepting the input of the change, the risk of the estimated character string being inferred,
The computer program according to claim 1 , wherein the notification means performs re-notification of the danger performed by a server device in response to the re-evaluation request by the request means. A server device that is communicably connected to an information processing device that accepts a character string used as a password and an input and change of user information,
An evaluation means for evaluating a risk that the character string is estimated using user information received from a user;
Functioning as transmission means for transmitting to the information processing apparatus notification information used for the information processing apparatus to notify the danger according to the evaluation by the evaluation means;
The evaluation unit is a character string that has already been input in response to an input of a change in the user information from a user, and the risk that the character string that has already been risk-evaluated by the evaluation unit is estimated. Re-evaluate using the user information changed in response to the change input,
The computer, wherein the information is transmitted to the information processing apparatus for the information processing apparatus to re-notify the danger according to the re-evaluation by the evaluation means. program.

Images