JPH09212458A - Password authenticating method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an authenticating method which can prevent system resources from illegally being used by mechanical password anticipation without giving disadvantages to a legal user. SOLUTION: A password reception part 11 always counts the frequency (a) of password reception per unit time and a threshold value comparison part 14 compares the counted password reception frequency (a) per unit time with a threshold value G. The threshold value G is set suitably on the assumption that the password reception frequency per unit time at the time of mechanical password anticipation by a program, etc., is larger than the password reception frequency per unit time at the time of manual input. When a >G, it is considered that the mechanical password anticipation is performed and respective inputted passwords are invalidated. Consequently, the execution of the mechanical password anticipation is stopped.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a password authentication method belonging to the technical field of computer systems.

[0002]

2. Description of the Related Art In a computer system that requires access authority, a user's authentication confirmation is performed using a finite length character string called a password in order to identify a user who has access authority. In the authentication method using this password, the password input by the user is collated with the password registered in advance, and if both passwords match, the user is given access authority.

However, there is a risk that the password will be guessed by a third party. For example, if a combination of all characters is generated and input in order, it is highly likely that a correct password will be finally found. In addition, the fact that words are often used as passwords is one of the factors that facilitate password guessing.

As a preventive measure against these password guesses, a method of increasing the number of characters in the password, a method of using a character string other than words in the dictionary, and the like are considered as the simplest methods. However, these methods make the password inconvenient for legitimate users and often cannot be accepted by users. It can also be said to be powerless under the guessing of a mechanical password such as a program.

Therefore, as a preventive measure against this mechanical password guessing, a method has been proposed in which when a wrong password is continuously input a fixed number of times, subsequent password input is not accepted. However, in this method, the password cannot be entered even if the password is erroneously entered due to the carelessness of the legitimate user, which causes a trouble.

[0006]

As described above, the conventional password authentication method is particularly vulnerable to mechanical password guessing, and a countermeasure against it has arisen as a strong demand.

The present invention is intended to solve such a problem, and provides a password authentication method capable of preventing unauthorized use of system resources by mechanical password guessing without giving a demerit to an authorized user. To aim.

[0008]

In order to achieve the above object, the password authentication method of the present invention counts the number of passwords input per unit time, and counts the number of input passwords and a preset threshold value. And when the number of input passwords is larger than the threshold value, the input password for the unit time is invalidated.

The present invention is constructed in view of the fact that the number of passwords received per unit time when a mechanical password is guessed by a program is larger than the number of passwords received per unit time when manually inputting. When the number of times is larger than a preset threshold value, the input password is invalidated and execution of mechanical password guessing is blocked.

In the password authentication method of the present invention, the input time interval of each entered password is measured, the measured password input time interval value is compared with a preset threshold value, and the password input time interval is checked. When the value is smaller than the threshold value, each input password is invalidated.

In view of the fact that the password input time interval during mechanical password guessing by a program is shorter than the password input time interval during manual input, the present invention is input when the value of the password input time interval is smaller than the threshold value. Disables each password to prevent performing mechanical password guessing.

Furthermore, the password authentication method of the present invention of the present invention measures the magnitude of the variation of the input time intervals of the respective entered passwords, and the magnitude of the variation of the measured password input time intervals and a preset threshold value. Is compared with each other, and when the variation of the password input time interval is smaller than the threshold value, each input password is invalidated.

According to the present invention, in view of the fact that the variation of the password input time interval when the mechanical password is guessed by the program is shorter than the variation of the password input time interval when the manual input is performed, the variation of the password input time interval is large. If it is smaller than the threshold value, each entered password is invalidated and execution of mechanical password guessing is blocked. Further, the password authentication method of the present invention obtains the similarity between the entered passwords, compares the obtained similarity value with a preset threshold value, and enters each password based on the comparison result. Is characterized in that it is determined whether or not to invalidate. Here, the value of the similarity between each password is
It can be calculated from the number of characters that have the same position at the same position in each password. Mechanical password guessing is often performed, for example, by changing the password for each character. Therefore, when the calculated value of the degree of similarity is larger than the threshold value, it is possible to prevent execution of mechanical password guessing by invalidating each input password.

The value of the degree of similarity between the passwords is also obtained from the number of input n (where n ≧ 2) passwords whose password words are continuously arranged in the dictionary compilation order. be able to. In this case as well, if the calculated similarity value is larger than the threshold value, the input n passwords are invalidated. In mechanical password guessing, it is conceivable to input words in a dictionary in the order of compilation, and the password authentication method of the present invention can detect such mechanical password guessing with extremely high accuracy.

Furthermore, the value of the similarity between the passwords is
It can be obtained from the number of combinations of two passwords in which the character strings completely match among the n (where n ≧ 2) input passwords. The present invention is based on the hypothesis that the same password will not be input in mechanical password guessing. In this case, when the calculated similarity value is smaller than the threshold value, the n passwords input are input. It shall be invalidated.

[0016]

BEST MODE FOR CARRYING OUT THE INVENTION Embodiments of the present invention will be described below.

FIG. 1 shows the configuration of a computer system adopting the password authentication method of this embodiment. In the figure, 1 is a client computer on the user side, and 2 is a server computer for performing an authentication procedure of a password input by the user of the client computer 1. The server computer 2 returns the password authentication result to the client computer 1, and when the password authentication is successful, that is, when the input password matches the registered password, the server computer 2 is granted access authority to system resources such as the database 3 managed by the server computer 2. It is given to the user on the client computer 1.

FIG. 2 is a block diagram showing the configuration of the password authentication mechanism in the server computer 2. 11 is a password receiving unit that receives the password transmitted from the client computer 1, 12 is a password authenticating unit that collates the received password and the registered password, and outputs a password authentication success if the two match, 13 is a mechanical password A threshold calculation unit that sets a threshold for determining the guess, 14 is information about the received password obtained by the password reception unit 11 (the number of password receptions per unit time, the input time interval of each password, the similarity between passwords) Is a threshold comparison unit that detects a mechanical password guess by comparing the measured value of 1 and the threshold.

Next, the first embodiment of the password authentication method in the case where "the number of times of password reception per unit time" is used as the information regarding the received password will be described.

(Embodiment 1-1) FIG. 3 shows Embodiment 1-1.
6 is a flowchart showing the procedure of the password authentication method of FIG. The password receiving unit 11 counts the number of times of password reception a per unit time at any time (step 301).
~ 304). The threshold comparing unit 14 is the password receiving unit 11
The number of passwords received per unit time calculated by
And the threshold G preset by the threshold calculator 13 are compared (step 305). Here, the threshold value G is optimally set based on the assumption that the number of passwords received per unit time when a mechanical password is guessed by a program is larger than the number of passwords received per unit time when manually input. The setting method will be described in detail later.

As a result of the above comparison, if a> G, it is considered that the mechanical password is guessed, and the authentication failure is judged. If a ≦ G, the received password is sent to the password authentication unit 12. If the received password includes a correct password, the password authentication unit 12 determines that the authentication is successful, and gives the user of the client computer 1 the access right of the system resource. If there is no correct password among the received passwords, the password is received again (steps 306 to 309).

In this way, before the password authentication is performed, the number of passwords received per unit time a is compared with the threshold value G to judge that the mechanical password is being guessed. Even if a correct password is accidentally entered, in this case, it is determined that the authentication has failed, and it is possible to prevent the system resource access authority from being given to an unauthorized user.

(Embodiment 1-2) Next, another password authentication method in the case where "the number of times of password reception per unit time" is used as the information regarding the received password will be described.

FIG. 4 is a flow chart showing the procedure of this password authentication method. The password receiving unit 11 counts the number of times a the password is received per unit time, and sends the received password to the password authentication unit 12 for password authentication every time one password is received. If the received password is correct, it is judged that the authentication is successful, and the user of the client computer 1 is given the access right of the system resource. If the received password is incorrect, the password is received again (steps 401 to 405). Password receiver 11
When the correct password is not input within the unit time, sends the counted password reception number a per unit time to the threshold comparing unit 14. The threshold comparison unit 14 compares the number of passwords received per unit time a received from the password reception unit 11 with the threshold G preset by the threshold calculation unit 13 (step 406). It is considered that the password is guessed and the authentication failure is judged.

According to this password authentication method, except for the first unit time, it is possible to judge the authentication failure even if a correct password is accidentally input by mechanical password estimation. It should be noted that the probability that a correct password is accidentally input by mechanical password guessing in the first unit time is extremely low, and there is no problem in practical use. Further, this password authentication method can provide the user with the authentication result of the password without having a delay for a unit time as compared with the above method, and can be said to be a method that does not give the user a feeling of strangeness.

Next, the method of setting the threshold will be described. This threshold value is set based on the assumption that the number of passwords received per unit time at the time of mechanical password guessing by a program is larger than the number of passwords received per unit time at the time of manual input. The specific calculation method will be described below.

From the average value and the standard deviation of the number of times of password input by a human per unit time, the average value + the standard deviation ×
n (n is an arbitrary numerical value) is obtained, and this is used as a threshold.

The average value + standard deviation × n (n is an arbitrary numerical value) is calculated from the average value and the standard deviation of the password input times by the mechanical password guessing per unit time, and this is used as the threshold value.

Any value between the methods and the respective threshold values obtained by the method is used as a threshold value. In this case, the value of n in does not have to be the same as the value of n in.

The threshold value calculated by these methods is fixedly used during at least one password authentication operation (operation period until one authentication result is obtained).

In addition, there is a method in which an appropriate initial value is given as a threshold value first, and thereafter, the threshold value is dynamically changed based on the actually measured number of times of password reception per unit time.

For example, as shown in FIG. 5, by comparing the measured value of the number of times of password reception per unit time with the threshold value, the measured value less than the threshold value, that is, the measured value which can be regarded as manually input is stored. A method is conceivable in which the threshold value is recalculated using these measurement values every time n measurement values (n is an integer of 1 or more) are obtained. In this case,
The average value of the individual measured values is obtained, and the average value + standard deviation × n is set as a new threshold value.

Further, as shown in FIG. 6, by comparing the measured value with the threshold value, the measured value equal to or more than the threshold value, that is, the measured value which can be regarded as due to the mechanical password guess is stored. It is also conceivable that a threshold value is recalculated using these measured values each time an integer of 1 or more) is obtained. In this case, the average value of n measurement values is obtained by the method of, and the average value + standard deviation × n is set as a new threshold value.

Next, a second embodiment of the password authentication method when the "password input time interval" is used as the information regarding the received password will be described. In the case of "password input time interval", specifically, the "average value"
Or "the size of the variation in the input time interval" is the measurement target.

(Embodiment 2-1) First, the case of using the "average value of password input time intervals" will be described.
FIG. 7 is a flowchart showing the password authentication procedure in this case. Each time the password receiving unit 11 receives the password Pi, it stores the password receiving time Ti and measures and stores the time interval Di from the receiving time Ti-1 of the password received immediately before (steps 701 to 70).
6). When the password receiving unit 11 receives the password n (n ≧ 2) times (step 707), the password receiving part 11 obtains the average value a of the stored n−1 password input time intervals (step 708), and the average value a Is sent to the threshold comparison unit 14.

The threshold comparing section 14 compares the average value a of the password input time interval with the threshold G preset by the threshold calculating section 13 (step 709). Where threshold G
Is optimally set based on the hypothesis that the password input time interval during mechanical password guessing by a program is shorter than the password input time interval during manual input. As a specific setting method thereof, the same method as the threshold setting method of “the number of times of password reception per unit time” can be used.

As a result of the comparison, if a ≦ G, it is considered that the mechanical password is being guessed, and the authentication failure is judged. If a> G, the n received passwords are sent to the password authentication unit 12. If there is a correct password in the received passwords, the password authentication unit 12 determines the success of the authentication and gives the user on the client computer 1 the access right of the system resource. If there is no correct password among the received passwords, the password is received again (steps 710 to 713).

Before performing password authentication in this way,
By comparing the average value a of the password input time interval with the threshold G to determine whether or not the mechanical password is guessed, even if a correct password is accidentally entered by the mechanical password guess, the system fails the authentication. It is possible to prevent the access authority of the resource from being accidentally given to an unauthorized user.

(Embodiment 2-2) Next, another password authentication method in the case of using the "average value of password input time intervals" as the information regarding the received password will be described.

FIG. 8 is a flow chart showing the procedure of the password authentication method in this case. Password receiver 11
Each time the password Pi is received, the password reception time Ti is stored, and the received password is sent to the password authentication unit 12 for password authentication. If the received password is correct, it is judged that the authentication is successful and the access right of the system resource is given to the user on the client computer 1. If the received password is not an incorrect password, the time interval Di between the last received password and the reception time Ti-1 is measured and stored (steps 801 to 809). Password receiver 11
When an incorrect password is input n times (n ≧ 2) consecutively, obtains the average value a of the input time intervals of the stored n−1 passwords (steps 810 and 811). a is sent to the threshold comparison unit 14. Threshold comparison unit 14
Compares the average value a of the password input time intervals with a threshold G preset by the threshold calculator 13 (step 812). As a result of the comparison, if a ≦ Ga, it is considered that the mechanical password is being guessed, and the authentication failure is determined. If a> G, the next password is received.

According to this password authentication method, it is possible to judge the authentication failure even if a correct password is accidentally input by mechanical password estimation, except for the first n times of password reception. The probability that a correct password is accidentally input by mechanical password guessing within the first n times is extremely low, and there is no problem in practice. Also,
This password authentication method, when compared with the above method, can provide the user with the password authentication result without delay due to the password reception of n times,
It can be said that this is a method that does not give users a feeling of strangeness.

(Embodiment 2-3) By the way, in the password authentication methods of the above-mentioned Embodiments 2-1, 2-2, the password input time interval at the time of mechanical password guessing by a program or the like is the password input time interval at the time of manual input. Although it is based on the hypothesis that it is shorter, the same password authentication is performed based on the hypothesis that the variation in the password input time interval during mechanical password guessing is smaller than the variation in the password input time interval during manual entry. Is possible.

In this case, as shown in FIGS. 9 and 10,
At steps 908 and 1011, the variance (or standard deviation) of the stored input time intervals Di of the n-1 passwords is obtained as the magnitude a of the variation of the password input time interval, and the password input time interval The magnitude a of variation is compared with the threshold G, and if a ≦ G, it is considered that the mechanical password is guessed,
Determine authentication failure. The contents of the other steps in FIGS. 9 and 10 are the same as those in FIGS. 7 and 8. Thus, even by the password authentication method using this "variation in the time interval of password input", it is possible to detect the mechanical password guess with high precision and prevent the access authority of the system resource from being given to an unauthorized user. .

Next, a third embodiment of the password authentication method using the "similarity between passwords" as the information about the received password will be described.

In this embodiment, the password receiving unit 1
1 stores this password each time it receives a password, compares this password with the password received immediately before, and sends the similarity a between the input passwords, which is the comparison result, to the threshold comparison unit 14. The threshold comparison unit 14
The similarity a between the input passwords is compared with the threshold G preset by the threshold calculator 13, and the mechanical password guess is detected based on the magnitude relationship between them.

Here, "similarity between passwords" means "the number of characters having the same position in common between passwords", "the number of passwords arranged in the order of dictionary compilation", and "the two character strings having the same character string". Number of password combinations ”and so on.

(Embodiment 3-1) "The number of characters having common characters at common positions between passwords" means, specifically, the jth from the beginning (j is two The number of characters in the same position in each character string up to a predetermined number less than the number of characters in the password). For example, the number of the same characters between two passwords "aiueo ...""aikakio" is "a""i""o". In this way, the number of characters in which the characters at the common position between two consecutive passwords are the same is determined for n (n is a predetermined number of 2 or more) consecutive passwords, and the average value is calculated for the two passwords. A value obtained by dividing the number of characters with the smaller number of characters is compared with the threshold G as the similarity a between passwords. And a
If ≧ G, it is considered that the mechanical password is being guessed, and authentication failure is determined. That is, this password authentication is based on the hypothesis that mechanical password guessing is often performed while changing the password little by little (for example, one character at a time).

(Embodiment 3-2) "The number of passwords arranged in the order of dictionary compilation" is specifically, the dictionary compilation order (ascending or Say the number of password words in descending order. The number of consecutive passwords in the dictionary compilation order is compared with a threshold G as the similarity a between passwords, and a
When ≧ G, it is considered that the mechanical password is being guessed, and the authentication failure is determined.

Since the probability that a word will be used as a password is very high, it is conceivable to input the words in the dictionary in the order of compilation in the mechanical password guessing. The password authentication method of the present embodiment can detect such mechanical password guessing with extremely high accuracy.

(Embodiment 3-3) Further, another password authentication method using "similarity between passwords" will be described. The number of combinations of two passwords whose character strings completely match among the n passwords is calculated, and the ratio of the number of combinations of matching passwords to the number of combinations of all passwords is calculated as the similarity a between passwords. Then, this similarity a is compared with the threshold G, and a
In the case of <G, it is considered that the mechanical password is being guessed, and the authentication failure is determined. This method is based on the hypothesis that the same password is often input by humans, but it is unlikely that the same password will be input by password input by mechanical password guessing.

Also in the password authentication methods of the above embodiments 3-1 to 3-3, the password of the password is detected after the mechanical password guess is detected by comparing the calculation result "a" of "similarity between passwords" and the threshold value G. There are a method of authenticating and a method of authenticating the password every time the password is received.

It should be noted that the password authentication methods of the above-described embodiments are effectively used in combination with each other in order to improve accuracy.

[0053]

As described above, according to the password authentication method of the present invention, it is possible to detect a mechanical password with high accuracy without deteriorating the usability of the password for a legitimate user, and the system resources It is possible to prevent giving unauthorized access authority to unauthorized users.

[Brief description of drawings]

FIG. 1 is a diagram showing the configuration of a computer system that employs a password authentication method according to the present invention.

FIG. 2 is a block diagram showing the configuration of a password authentication mechanism in the server computer shown in FIG.

FIG. 3 is a flowchart showing a procedure of a password authentication method according to the embodiment 1-1 of the present invention.

FIG. 4 is a flowchart showing a procedure of a password authentication method according to the embodiment 1-2 of the present invention.

FIG. 5 is a flowchart showing a method of dynamically setting a threshold used in the password authentication method according to the present invention.

FIG. 6 is a flowchart showing a method of dynamically setting a threshold value.

FIG. 7 is a flowchart showing a procedure of a password authentication method according to the embodiment 2-1 of the present invention.

FIG. 8 is a flowchart showing a procedure of a password authentication method according to the embodiment 2-2 of the present invention.

FIG. 9 is a flowchart showing a procedure of a password authentication method according to the embodiment 2-3 of the present invention.

FIG. 10 is a flowchart showing the procedure of another password authentication method according to the embodiment 2-3 of the present invention.

[Explanation of symbols]

 1 ... Client computer 2 ... Server computer 3 ... Database (system resource) 11 ... Password receiving unit 12 ... Password authentication unit 13 ... Threshold calculation unit 14 ... Threshold comparison unit

Claims (7)

[Claims] 1. A password authentication method for collating an input password with a registered password to obtain an authentication result for the input password, counting the number of passwords input per unit time,
A password authentication method characterized by comparing the counted number of input passwords with a preset threshold value, and invalidating the input password for the unit time when the number of input passwords is larger than the threshold value. 2. A password authentication method for collating an input password with a registered password to obtain an authentication result for the input password, measuring an input time interval of each input password, and measuring a value of the measured password input time interval. A password authentication method characterized by comparing a preset threshold value and invalidating each of the entered passwords when the value of the password input time interval is smaller than the threshold value. 3. A password authentication method for collating an input password with a registered password to obtain an authentication result for the input password, measuring the variation in the input time interval of each input password, and inputting the measured password. A password characterized by comparing the magnitude of the variation of the time interval with a preset threshold value, and invalidating each of the entered passwords when the magnitude of the variation of the password input time interval is smaller than the threshold value. Authentication method. 4. In a password authentication method for collating an input password with a registered password to obtain an authentication result for the input password, the similarity between the entered passwords is obtained, and the value of the obtained similarity is preset. The password authentication method is characterized in that whether or not to invalidate each of the input passwords is determined based on the comparison result. 5. The password authentication method according to claim 4, wherein the value of the degree of similarity between the passwords is obtained from the number of characters in common positions between the passwords that match, and the obtained similarity is calculated. A password authentication method characterized in that the entered passwords are invalidated when the degree value is larger than the threshold value. 6. The password authentication method according to claim 4, wherein the value of the similarity between the passwords is a dictionary in which the password words are consecutive among the n (where n ≧ 2) passwords that have been input. A password authentication method, which is obtained from the number of items in the order of compilation, and invalidates the inputted n passwords when the obtained similarity value is larger than the threshold value. 7. The password authentication method according to claim 4, wherein the value of the similarity between the passwords is such that the character strings of the input n (where n ≧ 2) passwords completely match 2 A password authentication method, which is obtained from the number of combinations of two passwords, and invalidates the inputted n passwords when the obtained similarity value is smaller than the threshold value.