WO2019184074A1 - Password verification method and system - Google Patents

Password verification method and system

Info

Publication number: WO2019184074A1
Authority: WO (WIPO, PCT)
Application number: PCT/CN2018/088413
Other languages: French (fr), Chinese (zh)
Inventor: 易胜燕
Original assignee: 易胜燕
Prior art keywords: password, password verification, user, verification, account

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords

Abstract

Provided are a password verification method and system, in particular one that uses any one or a combination of the following techniques: allowing the login account to be altered; submitting multiple passwords simultaneously for verification; disabling password verification for a period of time, triggered with a certain probability; disabling password verification for a period of time when the characters of an entered password match those of the real password within a specified range; and recording and tallying password verification failure information. The invention effectively prevents an illegitimate user from cracking account passwords, thereby improving account security.

Description

Password verification method and system
Technical field
The present invention relates to the field of computers, and in particular to a password verification method and system.
Background
One existing password verification method notifies the user after a number of consecutive failed password verifications and disables password verification for a period of time; while verification is disabled, the user can reset the password by means such as a mobile phone verification code. For example, when Alipay login password verification fails 5 consecutive times, the account is locked for 3 hours, during which the login password can be reset with a mobile phone verification code; when Alipay payment password verification fails 3 consecutive times, the account is locked for 3 hours, during which the payment password can be reset with a mobile phone verification code plus ID card number.
The drawback of this method is that an illegitimate user can disable password verification on an account for a period of time merely by attempting password verification a few times, so that the account's real user must wait, or reset the password with a mobile phone verification code, which increases operational complexity. If an illegitimate user attacks a large number of accounts in this way, the system suffers a poor user experience and sends large numbers of SMS messages, raising operating costs. If an illegitimate user obtains an individual user's mobile phone and ID card number through some channel, that user's personal information and property are at risk of loss. In short, illegitimate damage is low-cost while security defense is high-cost.
In addition, existing methods save only records of successful logins, for example the login log function of the China Merchants Bank app. The drawback is that when an illegitimate user attacks an account with repeated password attempts, the real user has no way of learning about it while it is happening; by the time the real user discovers that the illegitimate user has logged in successfully, it is too late to take precautions.
Technical problem
The existing password verification methods described in the Background above have two drawbacks. First, an illegitimate user can disable password verification on an account for a period of time merely by attempting verification a few times, so that the real user must wait or reset the password with a mobile phone verification code, which increases operational complexity; attacking many accounts in this way degrades the user experience and raises operating costs through mass SMS sending, and a user whose mobile phone and ID card number have been obtained by an illegitimate user faces loss of personal information and property. Illegitimate damage is low-cost while security defense is high-cost. Second, only successful logins are recorded, so the real user cannot learn that the account is being attacked by repeated password attempts, and by the time the illegitimate user has logged in successfully it is too late to take precautions.
Solution to the problem
Technical solution
In order to overcome the poor user experience and the SMS operating costs caused by illegitimate users' attacks in the prior art, to guard against the risk of personal information and property loss resulting from loss of a user's mobile phone and leakage of the ID card number, and to address the situation in which an account is attacked without the user being able to learn of it, the present invention provides a password verification method and system using any one or a combination of the following techniques: allowing the login account to be modified; submitting multiple passwords simultaneously for verification; disabling password verification for a period of time, triggered with a certain probability; disabling password verification for a period of time when the entered password matches the real password in a specified range of character positions; and recording and tallying password verification failure information.
The technical solution adopted by the present invention to solve its technical problem is as follows:
A password verification method and system comprising five techniques in total, any one or combination of which may constitute a technical solution. The five techniques are described in turn below:
Technique 1 (the login account may be modified): Account information includes (but is not limited to) the fields "user account", "login account" and "first password". The "user account" field is the user's identity; it does not take part in password verification, or may take part only until a preset number of consecutive failures is reached. It can be seen by others by searching for friends or viewing personal or friend profiles, and its role is equivalent to a QQ number. The "login account" field is the user identity used when performing password verification, including but not limited to the login scenario. Only the user can view and modify their own login account. The user may modify it (the system checks that it does not duplicate another user's login account), and the change is saved after successful password verification, after which the new login account must be entered at the next password verification. Its role is equivalent to the "username" in the "username + password" authentication mode. The "first password" field is the password the user uses for password verification; its role is equivalent to the "password" in the "username + password" mode, or to another verification method that serves as a password (for example a mobile phone verification code). The values of the above user identities are unique (not repeated). Password verification is performed with login account (or user account) + first password.
In addition, there may be several login accounts. A threshold is set such that, after the first login account fails password verification that many consecutive times, the first login account is disabled and the second login account is enabled for password verification; only after the second login account passes password verification can the system be entered, at which point the first login account is reset to enabled and the second login account to disabled. Further login account fields, such as a third login account, may be used for password verification in the same manner.
Technique 2 (several passwords submitted together for verification): When password verification with the "login account" + "first password" fields fails d1 or more consecutive times, protection mode is enabled. Protection mode means adding a password field: from then on the "login account" + "first password" + "second password" fields are submitted to the server together for verification, and verification succeeds only when both the first password and the second password match. After a successful login the d1 count is reset to 0. Further password fields, such as a "third password" field, may be used to strengthen verification. (Note: all "letter + number" parameters in this technique may be set and generated by the user or the system.)
Technique 3 (password verification disabled for a period of time, triggered with a certain probability): When password verification fails d1 or more consecutive times, the system generates a random number s1 between 1 and m1 (m1 being the configured maximum). When s1 = 1, password verification is disabled for a period t1 and a password verification failure message is returned (an illegitimate user cannot tell whether verification has been disabled; the real user can infer it by entering the correct password). After a successful login the d1 count is reset to 0. (Note: all "letter + number" parameters in this technique may be set and generated by the user or the system.)
Technique 4 (password verification disabled for a period of time when the entered password matches the real password in a specified range of character positions): When the entered password matches the real password (several preset decoy "anti-cracking codes" f1 may also be added to the comparison as interference) in a specified number of character positions (the number of matching characters lying between n1 and n2), password verification is disabled for a period t1 and a password verification failure message is returned (an illegitimate user cannot tell whether verification has been disabled; the real user can infer it by entering the correct password). (Note: all "letter + number" parameters in this technique may be set and generated by the user or the system.)
Technique 5 (recording and tallying password verification failure information): Every password verification failure is recorded in the system. After logging in, the user can view the account's password verification failure records and statistics, judge the account's security from them, and take precautions in time.
Note that if a technical solution includes several of the above techniques, the "letter + number" parameters may take different values in each technique.
Advantageous effects of the invention
Beneficial effects
The beneficial effect of Technique 1 is that a login account visible only to the user themselves improves account security; when an illegitimate user is found attempting to attack the account, modifying the login account deprives the attacker of the target and stops the behavior.
The beneficial effect of Technique 2 is that it exponentially increases the difficulty of brute-force cracking. Brute-force cracking means exhaustive search; the maximum number of attempts for a successful brute-force attack is (F^L)^P, where ^ denotes exponentiation, F is the number of possible characters (for example 10 for the digits 0 to 9), L is the number of character positions (for example a password limited to 6 digits) and P is the number of passwords (for example 2 in the protection mode above). For those example values this is (10^6)^2 = 10^12. Note that (F^L)^P equals F^(L·P): requiring P passwords of length L gives the same search space as a single password of length L·P.
The beneficial effect of Technique 3 is that when an illegitimate user brute-forces an account, it is uncertain after how many failed attempts password verification will be disabled and for how long, so the attacker wastes effort and cannot crack the password in a short time. When the real user finds the account in the verification-disabled state, changing the password (or the login account of Technique 1) defeats the brute-force attempt.
The beneficial effect of Technique 4 is that when an illegitimate user brute-forces an account, an entered password that matches a certain number of characters of the real password disables password verification for a period of time; subsequently entered passwords are not verified at all and a failure message is returned directly, which greatly reduces the risk of the password being cracked.
The beneficial effect of Technique 5 is that the user can monitor whether the account is under attack and to what degree, and take precautions in time to protect the account.
Brief description of the drawings
The drawings illustrate preferred embodiments of the present invention and serve to further the understanding of its technical spirit. The invention is therefore not limited to the drawings.
FIG. 1 is a flow chart schematically illustrating a password verification method according to a first embodiment of the present invention.
FIG. 2 is a flow chart schematically illustrating a password verification method with replacement rules for several login accounts according to a second embodiment of the present invention.
Best mode for carrying out the invention
Preferred embodiments of the password verification method of the present invention are given below with reference to the drawings.
Example 1:
As shown in FIG. 1, the user enters a login account [101], and the system checks whether the login account exists [102]. If not, it prompts a "login account does not exist" message [103]; if so, the next step is performed.
The system checks whether the login account is in protection mode [201] and shows or hides the second password input box accordingly. If not, the user enters the first password [202]; if so, the user enters the first password and the second password [203].
After the user submits, the system checks whether password verification is disabled [3401]. If so, it prompts a password verification failure message [3403]; if not, the next step is performed.
The system checks whether password verification failed [204]. If not, it resets the consecutive failure count to 0 [2301] and enters the system [205]; if so, it records the password verification failure information (mainly the user account, login account, password and verification time; after entering the system these records can be tallied and viewed by time) [501], increments the consecutive failure count by 1 [2302], and performs the next step.
The system checks whether the consecutive failure count is >= the preset count of the Technique 2 protection mode [206]. If so, it enables protection mode (the first and second passwords must both be entered at the next password verification) [207] and performs the next step; if not, it goes directly to the next step.
The system checks whether the consecutive failure count is >= the preset count of Technique 3 [301]. If so, it generates a random number between 1 and the preset number [302]; if the random number = 1 [303], the system disables password verification for the preset time [3402] and prompts a password verification failure message [3403]; if the random number != 1 [303], it performs the next step. If the count is below the preset, it performs the next step.
The system checks whether the entered password matches the real password in the preset range of character positions [401]. If so, the system disables password verification for the preset time [3402] and prompts a password verification failure message [3403]; if not, it only prompts the password verification failure message [3403].
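The Python program below is an added example, not code from the patent, that implements the Example 1 flow (Techniques 2, 3, 4 and 5) as an in-memory verifier; the FIG. 1 reference numerals appear as comments. The parameter values (d1, m1, n1, n2, t1), the account data and the decoy code are assumed. It departs from the patent in two places a practitioner would insist on: the failure record [501] stores the account and time but not the submitted password, because a log of failed attempts is full of near-correct passwords; and the random draw and the clock are injectable so that a scenario can be replayed deterministically. Note also that Technique 4 compares the submitted password with the real password position by position, which is only possible if the server holds the real password in plaintext (or some other form from which per-position matches can be computed) rather than as a salted one-way hash; the example keeps the real password in plaintext, as the technique requires, and that is a real cost of adopting it.

```python
import hmac
import random
import time
from dataclasses import dataclass, field


@dataclass
class Policy:
    """Operator-chosen 'letter + number' parameters of Techniques 2-4 (assumed values)."""
    d1_protect: int = 3    # consecutive failures that switch on protection mode          [206]
    d1_random: int = 3     # consecutive failures after which the random draw starts      [301]
    m1: int = 2            # s1 is drawn from 1..m1; s1 == 1 disables verification  [302][303]
    n1: int = 3            # Technique 4: disable when matching positions lie in [n1, n2] [401]
    n2: int = 5
    t1: float = 3 * 3600   # seconds for which verification stays disabled               [3402]


@dataclass
class Account:
    user_account: str
    login_account: str
    first_password: str     # plaintext: Technique 4 needs a per-position comparison
    second_password: str
    decoys: list = field(default_factory=list)    # preset "anti-cracking codes" f1 (Technique 4)
    consecutive_failures: int = 0
    protection_mode: bool = False
    disabled_until: float = 0.0
    failure_log: list = field(default_factory=list)   # Technique 5 records [501]


class SequenceRng:
    """Deterministic stand-in for random.Random so that a scenario can be replayed."""
    def __init__(self, values):
        self.values = list(values)

    def randint(self, low, high):
        value = self.values.pop(0)
        assert low <= value <= high
        return value


def equal(a: str, b: str) -> bool:
    """Constant-time comparison of two secrets."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def matching_positions(candidate: str, reference: str) -> int:
    """Number of character positions at which candidate and reference agree."""
    return sum(1 for x, y in zip(candidate, reference) if x == y)


class Verifier:
    def __init__(self, policy: Policy, accounts, rng=None):
        self.policy = policy
        self.accounts = {a.login_account: a for a in accounts}
        self.rng = rng if rng is not None else random.Random()

    def needs_second_password(self, login_account: str) -> bool:
        """Tells the client whether to show the second password box [201]."""
        acct = self.accounts.get(login_account)
        return acct is not None and acct.protection_mode

    def verify(self, login_account, first_password, second_password=None, now=None):
        now = time.time() if now is None else now
        p = self.policy
        acct = self.accounts.get(login_account)
        if acct is None:
            return "LOGIN_ACCOUNT_NOT_FOUND"                              # [103]
        if now < acct.disabled_until:
            return "VERIFY_FAILED"          # [3401]: disabled, nothing is checked [3403]
        ok = equal(first_password, acct.first_password)
        if acct.protection_mode:                                          # [203]
            ok = equal(second_password or "", acct.second_password) and ok
        if ok:
            acct.consecutive_failures = 0                                 # [2301]
            return "OK"                                                   # [205]
        acct.failure_log.append({"user_account": acct.user_account,       # [501]
                                 "login_account": login_account, "time": now})
        acct.consecutive_failures += 1                                    # [2302]
        if acct.consecutive_failures >= p.d1_protect:                     # [206]
            acct.protection_mode = True                                   # [207]
        if acct.consecutive_failures >= p.d1_random:                      # [301]
            if self.rng.randint(1, p.m1) == 1:                            # [302][303]
                acct.disabled_until = now + p.t1                          # [3402]
                return "VERIFY_FAILED"                                    # [3403]
        best = max(matching_positions(first_password, ref)
                   for ref in [acct.first_password] + acct.decoys)
        if p.n1 <= best <= p.n2:                                          # [401]
            acct.disabled_until = now + p.t1                              # [3402]
        return "VERIFY_FAILED"                                            # [3403]
```

A client drives it by calling `needs_second_password` to decide which boxes to show, then `verify`. Because the disabled state and a wrong password both answer "VERIFY_FAILED", an attacker cannot tell which one applied, exactly as Techniques 3 and 4 intend; the upper bound n2 must stay below the password length, otherwise the correct password itself (which matches in every position) would trip the lockout.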
Example 2:
As shown in FIG. 2, the user enters a login account [101] and the system checks whether the login account exists [102]. If not, it shows a "login account does not exist" message [103]; if so, it proceeds to the next step.
The system checks whether the login account is disabled [20201]. If so, it shows the message "the current login account has been disabled; please use the next login account for password verification" [20202]; if not, it proceeds to the next step.
The system checks whether password verification failed [204]. If not, it resets the consecutive-failure count to 0 [2301], resets the enabled/disabled status of the multiple login accounts [20206], and enters the system [205]. If so, it increments the consecutive-failure count by 1 [2302] and proceeds to the next step.
The system checks whether the current login account is the last of the multiple login accounts [20203]. If so, it shows the password verification failure message [3403]; if not, it proceeds to the next step.
The system checks whether the consecutive-failure count is >= the preset number [20204]. If not, it shows the password verification failure message [3403]. If so, it disables the current login account, enables the next login account [20205], and shows the message "the current login account has been disabled; please use the next login account for password verification" [20202].
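The login-account rotation of Example 2 (steps [101] through [20205]) as an added Python example that is not part of the patent. The per-login-account failure counter, the convention that only the first login account starts enabled, the message texts and the plaintext password are assumptions of this example.

```python
import hmac
from dataclasses import dataclass

FAIL_MSG = "password verification failed"                                  # [3403]
ROTATED_MSG = "current login account disabled; use the next login account"  # [20202]
MISSING_MSG = "login account does not exist"                                # [103]


@dataclass
class LoginAccount:
    name: str
    enabled: bool        # only the first login account starts enabled (assumption)
    fail_count: int = 0  # consecutive failures of this login account (assumption: kept per account)


@dataclass
class User:
    user_account: str
    password: str             # plaintext only for this illustration
    logins: list              # ordered LoginAccount list; rotation moves to logins[i + 1]
    preset_failures: int = 3  # threshold checked at [20204]


def verify(user, login_name, pw):
    """Example 2 flow; returns (entered_system, message)."""
    acct = next((acc for acc in user.logins if acc.name == login_name), None)
    if acct is None:                                              # [102]
        return False, MISSING_MSG                                 # [103]
    if not acct.enabled:                                          # [20201]
        return False, ROTATED_MSG                                 # [20202]
    if hmac.compare_digest(pw.encode(), user.password.encode()):  # [204]
        for acc in user.logins:                                   # [2301] and [20206]
            acc.fail_count, acc.enabled = 0, acc is user.logins[0]
        return True, "entered system"                             # [205]
    acct.fail_count += 1                                          # [2302]
    idx = user.logins.index(acct)
    if idx == len(user.logins) - 1:                               # [20203] last login account
        return False, FAIL_MSG                                    # [3403]
    if acct.fail_count < user.preset_failures:                    # [20204]
        return False, FAIL_MSG                                    # [3403]
    acct.enabled = False                                          # [20205]
    user.logins[idx + 1].enabled = True
    return False, ROTATED_MSG                                     # [20202]
```

Note that a disabled login account rejects even the correct password, and the last login account in the list never rotates, so repeated failures there only return the failure message.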
For ease of description, the five technologies above are described in the drawings and embodiments of the specification as a single overall process. Note that, when implementing the invention, any one of these technologies, or any combination of them, may be used as a technical solution.
The descriptions above are specific descriptions of feasible embodiments of the invention and are not intended to limit its scope of protection; any equivalent embodiment or modification that does not depart from the technical spirit of the invention falls within its scope of protection.

Claims (7)

  1. A password verification method, characterized in that the account information includes (but is not limited to) a user account, a login account and a first password field, wherein the user account is the unique identifier of the user's identity, does not participate in password verification or participates only within a preset number of consecutive failures, and is visible to other users; the login account is the unique identifier of the user's identity when performing password verification, and a user can view and modify only their own login account; the first password is the password used by the user in password verification, and the verification form is login account (or user account) + first password.
  2. The password verification method according to claim 1, characterized in that there may be multiple login accounts, wherein when the current login account fails password verification a preset number of consecutive times or more [20204], the current login account is disabled and the next login account is enabled for password verification [20205]; only after the next login account passes password verification [204] can the user enter the system [205] and the enabled/disabled status of the multiple login accounts be reset [20206].
  3. A password verification method, characterized in that when password verification fails a preset number of consecutive times or more [206], a protection mode is enabled [207]; the protection mode means adding one or more password items [203] that are submitted together to the server for password verification, and verification succeeds only when all password items match.
  4. A password verification method, characterized in that when password verification fails a preset number of consecutive times or more [301], the system generates a random number between 1 and a preset number [302]; when the random number = 1 [303], password verification is disabled for a preset time [3402] and a password verification failure message is returned [3403] (an illegitimate user cannot tell whether password verification has been disabled, while the genuine user can infer it by entering the correct password).
  5. A password verification method, characterized in that when the input password matches the real password (and/or a number of preset decoy "anti-cracking codes" that are included in the matching as interference) in a specified range of characters [401], password verification is disabled for a preset time [3402] and a password verification failure message is returned [3403] (an illegitimate user cannot tell whether password verification has been disabled, while the genuine user can infer it by entering the correct password).
  6. A password verification method, characterized in that every password verification failure is saved in the system [501], and after logging in the user can view the password verification failure records and statistics for their own account.
  7. A password verification system, characterized by comprising a system formed from the password verification method of any one of claims 1 to 6, or any combination thereof.
PCT/CN2018/088413 2018-03-27 2018-05-25 Password verification method and system WO2019184074A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810259171.4 2018-03-27
CN201810259171.4A CN108429758A (en) 2018-03-27 2018-03-27 A kind of method of password authentication and system

Publications (1)

Publication Number Publication Date
WO2019184074A1 true WO2019184074A1 (en) 2019-10-03

Family

ID=63159925

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/088413 WO2019184074A1 (en) 2018-03-27 2018-05-25 Password verification method and system

Country Status (2)

Country Link
CN (1) CN108429758A (en)
WO (1) WO2019184074A1 (en)


Also Published As

Publication number Publication date
CN108429758A (en) 2018-08-21

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18912804

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205 DATED 20/01/2021)

122 Ep: pct application non-entry in european phase

Ref document number: 18912804

Country of ref document: EP

Kind code of ref document: A1