Abstract: Human generated text passwords are vulnerable to statistical guessing attacks. Countermeasures either require building an entirely new system or require major rework and are therefore difficult to adopt. Systems and methods of the present disclosure facilitate creating strong and secure passwords without adding to the cognitive load of users. The method involves associating letters of a user chosen initial password with nodes and requires users to remember only the user chosen initial password, the starting node and the pre-defined manner of reading the remaining nodes. Based on these inputs, a permutation variant is assigned as a revised password that is strong and secure and does not require the user to remember the same.
Claims:
WE CLAIM:
1. A method comprising:
obtaining, by one or more processors, an initial password;
associating, by the one or more processors, each letter of the initial password with a distinct node selected from a plurality of nodes;
generating a revised password, by the one or more processors, wherein the revised password is a variant of possible permutation variants of the initial password, the permutation variants being based on a letter associated with a starting node from the plurality of nodes sequentially followed by letters associated with remaining nodes from the plurality of nodes in a pre-defined manner; and
encoding the revised password, by the one or more processors, based on the starting node and the pre-defined manner.
2. The method of claim 1, wherein the initial password conforms to one or more pre-defined password composition policies.
3. The method of claim 1, wherein the number of plurality of nodes is equal to number of letters in the initial password.
4. The method of claim 1, wherein the plurality of nodes are arranged in a cyclic manner.
5. The method of claim 1, wherein the pre-defined manner facilitates generation of the permutation variants by one of:
(i) reading the remaining nodes in a clockwise or anti-clockwise manner, wherein the plurality of nodes are arranged in a closed loop;
(ii) reading the remaining nodes in left to right and around or right to left and around manner to simulate the clockwise or anti-clockwise manner, wherein the plurality of nodes are arranged in a linear manner; and
(iii) reading at least certain nodes among the remaining nodes in a pre-defined order.
6. The method of claim 1, wherein generating a revised password further comprises scoring the possible permutation variants of the initial password based on strength evaluation and identifying a permutation variant having highest score as the revised password.
7. The method of claim 1 further comprising:
verifying whether a user generated variant based on the starting node and the pre-defined manner matches the revised password; and
storing the revised password.
8. A system comprising:
one or more processors;
one or more data storage devices operatively coupled to the one or more processors and configured to store instructions configured for execution by the one or more processors to:
obtain an initial password;
associate each letter of the initial password with a distinct node selected from a plurality of nodes;
generate a revised password, wherein the revised password is a variant of possible permutation variants of the initial password, the permutation variants being based on a letter associated with a starting node from the plurality of nodes sequentially followed by letters associated with remaining nodes from the plurality of nodes in a pre-defined manner; and
encode the revised password, by the one or more processors, based on the starting node and the pre-defined manner.
9. The system of claim 8, wherein the initial password conforms to one or more pre-defined password composition policies.
10. The system of claim 8, wherein the number of plurality of nodes is equal to number of letters in the initial password.
11. The system of claim 8, wherein the plurality of nodes are arranged in a cyclic manner.
12. The system of claim 8, wherein the pre-defined manner facilitates generation of the permutation variants by one of:
(i) reading the remaining nodes in a clockwise or anti-clockwise manner, wherein the plurality of nodes are arranged in a closed loop;
(ii) reading the remaining nodes in left to right and around or right to left and around manner to simulate the clockwise or anti-clockwise manner, wherein the plurality of nodes are arranged in a linear manner; and
(iii) reading at least certain nodes among the remaining nodes in a pre-defined order.
13. The system of claim 8, wherein the one or more processors are further configured such that generating a revised password further comprises scoring the possible permutation variants of the initial password based on strength evaluation and identifying a permutation variant having highest score as the revised password.
14. The system of claim 8, wherein the one or more processors are further configured to:
verify whether a user generated variant based on the starting node and the pre-defined manner matches the revised password; and
store the revised password.
Description:
FORM 2
THE PATENTS ACT, 1970
(39 of 1970)
&
THE PATENT RULES, 2003
COMPLETE SPECIFICATION
(See Section 10 and Rule 13)
Title of invention:
SYSTEMS AND METHODS FOR GENERATING PERMUTATION BASED PASSWORDS
Applicant:
Tata Consultancy Services Limited
A company Incorporated in India under the Companies Act, 1956
Having address:
Nirmal Building, 9th floor,
Nariman point, Mumbai 400021,
Maharashtra, India
The following specification particularly describes the embodiments and the manner in which it is to be performed.
TECHNICAL FIELD
[0001] The embodiments herein generally relate to information security, and more particularly to systems and methods for resisting guessing attacks.
BACKGROUND
[0002] There are 95^n different possibilities for choosing an n length password, but real world password data obtained from breached databases and research surveys indicate that humans have a tendency to compose passwords using lowercase letters or digits only. Moreover, these passwords are mostly English words, names, and birthdates. Thus, despite a huge theoretical search space (95^n), the utilized search space remains very small, which makes human generated text passwords vulnerable to statistical guessing attacks. Broadly, guessing attacks are divided into two categories, online attacks and offline attacks. In online attacks, attackers attempt to break into legitimate user accounts by trying different password guesses on target accounts on any given website. These attacks are countered by implementing lock-out policies which restrict the number of guesses (at most 3 attempts) that can be attempted for any particular account on the target website. However, this countermeasure is ineffective against a category of online attacks commonly known as trawling attacks. Trawling attacks exploit the fact that some passwords are very popular; these passwords are then used to target a large number of accounts on a particular website. The popular passwords are mainly learnt from publicly available password data from breached databases. This attack strategy drastically improves the chances of account compromise with just a few most probable (popular) guesses. Offline attackers, on the other hand, are more powerful because they steal the entire password database comprising passwords of all registered users of the website. To make offline attacks difficult (computation and memory intensive), websites do not store passwords in plain-text and protect them using a one-way hash function. To counter this, attackers generate a password guess, apply the one-way hash function and then compare the hashed guess with a hashed password in the stolen database. This process is generally known as cracking.
Since attackers are in possession of the entire password database, they can generate potentially unlimited guesses to crack the protected passwords. As offline attackers can generate a large number of guesses for any particular account, an offline guessing attack is more dangerous than an online guessing attack. Memorizing complex passwords and generating passwords that are well distributed in the available password search space is a challenge that needs to be addressed.
SUMMARY
[0003] The following presents a simplified summary of some embodiments of the disclosure in order to provide a basic understanding of the embodiments. This summary is not an extensive overview of the embodiments. It is not intended to identify key/critical elements of the embodiments or to delineate the scope of the embodiments. Its sole purpose is to present some embodiments in a simplified form as a prelude to the more detailed description that is presented below.
[0004] Systems and methods of the present disclosure enable creating secure passwords based on utilizing password search space to the maximum extent possible. Systems and methods of the present disclosure also enable user to be associated with such secure passwords without adding on to the cognitive load that may have been otherwise required to remember such secure passwords.
[0005] In an aspect, there is provided a method comprising: obtaining, by one or more processors, an initial password; associating, by the one or more processors, each letter of the initial password with a distinct node selected from a plurality of nodes; generating a revised password, by the one or more processors, wherein the revised password is a variant of possible permutation variants of the initial password, the permutation variants being based on a letter associated with a starting node from the plurality of nodes sequentially followed by letters associated with remaining nodes from the plurality of nodes in a pre-defined manner; and encoding the revised password, by the one or more processors, based on the starting node and the pre-defined manner.
[0006] In another aspect, there is provided a system comprising one or more processors; one or more data storage devices operatively coupled to the one or more processors and configured to store instructions configured for execution by the one or more processors to: obtain an initial password; associate each letter of the initial password with a distinct node selected from a plurality of nodes; generate a revised password, wherein the revised password is a variant of possible permutation variants of the initial password, the permutation variants being based on a letter associated with a starting node from the plurality of nodes sequentially followed by letters associated with remaining nodes from the plurality of nodes in a pre-defined manner; and encode the revised password, by the one or more processors, based on the starting node and the pre-defined manner.
[0007] In yet another aspect, there is provided a computer program product comprising a non-transitory computer readable medium having a computer readable program embodied therein, wherein the computer readable program, when executed on a computing device, causes the computing device to: obtain an initial password; associate each letter of the initial password with a distinct node selected from a plurality of nodes; generate a revised password, wherein the revised password is a variant of possible permutation variants of the initial password, the permutation variants being based on a letter associated with a starting node from the plurality of nodes sequentially followed by letters associated with remaining nodes from the plurality of nodes in a pre-defined manner; and encode the revised password, by the one or more processors, based on the starting node and the pre-defined manner.
[0008] In an embodiment, the initial password conforms to one or more pre-defined password composition policies.
[0009] In an embodiment, the number of plurality of nodes is equal to number of letters in the initial password.
[0010] In an embodiment, the plurality of nodes are arranged in a cyclic manner.
[0011] In an embodiment, the pre-defined manner facilitates generation of the permutation variants by one of: reading the remaining nodes in a clockwise or anti-clockwise manner, wherein the plurality of nodes are arranged in a closed loop; reading the remaining nodes in left to right and around or right to left and around manner to simulate the clockwise or anti-clockwise manner, wherein the plurality of nodes are arranged in a linear manner; and reading at least certain nodes among the remaining nodes in a pre-defined order.
[0012] In an embodiment, generating a revised password further comprises scoring the possible permutation variants of the initial password based on strength evaluation and identifying a permutation variant having highest score as the revised password.
[0013] In an embodiment, the method described herein above further comprises verifying whether a user generated variant based on the starting node and the pre-defined manner matches the revised password; and storing the revised password.
BRIEF DESCRIPTION OF THE DRAWINGS
[0014] The embodiments herein will be better understood from the following detailed description with reference to the drawings, in which:
[0015] FIG.1A illustrates a password search space and its division into password structures as known in the art;
[0016] FIG.1B illustrates a utilized password search space as known in the art;
[0017] FIG.2 illustrates an exemplary block diagram of a system for generating permutation based passwords in accordance with an embodiment of the present disclosure;
[0018] FIG.3 illustrates an exemplary block diagram of a system for generating permutation based passwords in accordance with another embodiment of the present disclosure;
[0019] FIG.4 illustrates an exemplary flow diagram of a method for generating permutation based passwords in accordance with an embodiment of the present disclosure;
[0020] FIG.5A through 5C illustrate exemplary user interfaces that facilitate the method for generating permutation based passwords, in accordance with an embodiment of the present disclosure, wherein plurality of nodes are arranged in a closed loop;
[0021] FIG.6A through 6C illustrate exemplary user interfaces that facilitate the method for generating permutation based passwords, in accordance with another embodiment of the present disclosure, wherein plurality of nodes are arranged in a linear manner;
[0022] FIG.7A and 7B illustrate exemplary user interfaces, in accordance with an embodiment of the present disclosure, wherein exemplary starting nodes and exemplary alternative pre-defined manners are shown for generating a revised password; and
[0023] FIG.8 illustrates a utilized password search space, in accordance with an embodiment of the present disclosure.
[0024] It should be appreciated by those skilled in the art that any block diagram herein represent conceptual views of illustrative systems embodying the principles of the present subject matter. Similarly, it will be appreciated that any flow charts, flow diagrams, state transition diagrams, pseudo code, and the like represent various processes which may be substantially represented in computer readable medium and so executed by a computing device or processor, whether or not such computing device or processor is explicitly shown.
DETAILED DESCRIPTION
[0025] The embodiments herein and the various features and advantageous details thereof are explained more fully with reference to the non-limiting embodiments that are illustrated in the accompanying drawings and detailed in the following description. The examples used herein are intended merely to facilitate an understanding of ways in which the embodiments herein may be practiced and to further enable those of skill in the art to practice the embodiments herein. Accordingly, the examples should not be construed as limiting the scope of the embodiments herein.
[0026] The words "comprising," "having," "containing," and "including," and other forms thereof, are intended to be equivalent in meaning and be open ended in that an item or items following any one of these words is not meant to be an exhaustive listing of such item or items, or meant to be limited to only the listed item or items.
[0027] It must also be noted that as used herein and in the appended claims, the singular forms "a," "an," and "the" include plural references unless the context clearly dictates otherwise. Although any systems and methods similar or equivalent to those described herein can be used in the practice or testing of embodiments of the present disclosure, the preferred, systems and methods are now described.
[0028] Some embodiments of this disclosure, illustrating all its features, will now be discussed in detail. The disclosed embodiments are merely exemplary of the disclosure, which may be embodied in various forms.
[0029] Before setting forth the detailed explanation, it is noted that all of the discussion below, regardless of the particular implementation being described, is exemplary in nature, rather than limiting.
[0030] Referring now to the drawings, and more particularly to FIGS. 1 through 7, where similar reference characters denote corresponding features consistently throughout the figures, there are shown preferred embodiments and these embodiments are described in the context of the following exemplary system and method.
[0031] The expression “user” in the context of the present disclosure refers to a user registered with a computer system or website to access software.
[0032] The expression “password” in the context of the present disclosure refers to a secret string of characters for authenticating access to a service hosted on a computer system.
[0033] The expressions “guessing attacks” and “attackers” as referred to in the present disclosure refer to both online and offline attacks wherein attackers attempt to guess user identifier/password combinations.
[0034] The expression “password search space” refers to the number of n length passwords that can be derived using 95 characters (26 lowercase, 26 uppercase, 10 digits and 33 special characters) i.e. 95^n.
[0035] The expression “password structure” as referred to in the present disclosure refers to the representation of a password in terms of the 4 available character classes, namely, L, U, D and S, wherein L represents the set of 26 lowercase letters [a-z], U represents the set of 26 uppercase letters [A-Z], D represents the set of 10 digits [0-9] and S represents the set of 33 special characters [!@#$%^&()….]. For instance, a password “princess” composed of 8 lowercase letters is represented by the L8 password structure, while a password “monkey12” composed of 6 lowercase letters followed by 2 digits is represented by the L6D2 password structure.
[0036] FIG. 1A illustrates a password search space 100 and its division into password structures 110, wherein
L = lowercase letters in English {a,…,z}, |L| = 26,
U = uppercase letters in English {A,…,Z}, |U| = 26,
D = digits {0,…,9}, |D| = 10, and
S = special characters, |S| = 33.
For a password of length n, when n = 2, there are 4^n = 4^2 = 16 password structures as illustrated in FIG.1A. Each password structure represents a class of passwords. Password structures may be classified into two types, simple and complex. The password structures composed of a single character class are simple while the password structures composed of at least 2 character classes are complex. For instance L8, D8, U8 are simple password structures while L7D1, U1L6D1, U1L6S1D1 are complex password structures. In FIG.1A, LL represents simple passwords composed of 2 lowercase letters while LD represents complex passwords composed of a lowercase letter followed by a digit.
[0037] It may be noted by a person skilled in the art that the number of n length passwords that can be derived using 95 characters (26 lowercase, 26 uppercase, 10 digits and 33 special characters) is 95^n, which is very huge. However, an analysis of passwords collected from publicly available breached databases and studies reveals that users create passwords predominantly using either lowercase letters or digits. For instance, out of 32 million passwords breached from the Rockyou website, nearly 55% of passwords were composed using only 10 password structures. Further, most of these password structures were simple, i.e. composed of only a single character class. Just as online attacks exploit the popularity of some passwords, offline attacks can exploit the popularity of some password structures. The number of possible password structures is 4^n, which is also huge. However, only a tiny fraction (10/4^n) of password structures contains 55% of passwords, as illustrated in Table 1 below, resulting in under-utilization of the available password search space and making the password search space vulnerable to an offline attacker.
Table 1: Top 10 password structures in the breached Rockyou database
Password structure | Description | Count | Percent %
L6 | 6 lowercase letters | 3,987,911 | 12.27
L7 | 7 lowercase letters | 2,738,042 | 8.42
L8 | 8 lowercase letters | 2,469,702 | 7.60
D6 | 6 digits | 2,278,924 | 7.01
L9 | 9 lowercase letters | 1,382,188 | 4.25
L5 | 5 lowercase letters | 943,207 | 2.90
L6D2 | 6 lowercase letters followed by 2 digits | 923,989 | 2.84
L10 | 10 lowercase letters | 869,673 | 2.67
D8 | 8 digits | 817,579 | 2.51
L5D2 | 5 lowercase letters followed by 2 digits | 751,551 | 2.31
Total | | 17,162,766 | 55.05
[0038] In the absence of composition policies, passwords are composed using only simple password structures, i.e. lowercase letters and digits, which benefits offline attackers. To thwart these attacks, websites force users to choose their passwords from a larger password search space, so that offline attacks become infeasible. Most websites typically enforce a password composition policy that requires a minimum length of 8 in addition to the use of at least one lowercase letter (a-z), uppercase letter (A-Z), digit (0-9) and special character (!, @, #, etc.) for creating passwords. Since there are 26 lowercase letters, 26 uppercase letters, 10 digits and 33 special characters, the password search space for the offline attacker is at least 95^8. However, enforcing the same composition policy on all users might cause password structures like U1L6S1D1 (password starting with 1 uppercase followed by 6 lowercase, then 1 symbol and 1 digit) or U1L6S1D2 (password starting with 1 uppercase followed by 6 lowercase, then 1 symbol and 2 digits) to become more popular. Offline attackers can again target only the utilized popular password structures and break a large number of passwords.
[0039] The theoretical size of a password search space is 95^n. However, regardless of the presence or absence of composition policies, the utilized search space remains very small, which reduces the effort of offline attackers considerably as explained herein above. FIG.1B illustrates a hypothetical utilized password search space 100. It can be seen that 10 partitions of the search space are not used. All passwords (26 in the illustration) are confined to the remaining 6 partitions. Less dense partitions 112 and more dense partitions 114 are illustrative utilized partitions. The password search space is huge (16 partitions) but the utilized search space is small (6 partitions), which clearly shows a gap between the available password search space and the utilized password search space. The attacker can skip the search of unused partitions and utilize the available computing resource to explore only the utilized partitions.
[0040] The present disclosure provides simple and intuitive systems and methods that not only improve password distribution within a password search space but also facilitate password creation from different password structures with minimal cognitive load. While users are allowed to create any password of their choice as an initial password, systems and methods of the present disclosure function in such a way that a secure password is generated without a need for the user to remember the same. In an embodiment, after the user selects the initial password, the system randomly permutes (rotates, in an exemplary embodiment) the initial password to generate a revised password which is then assigned to the user. The revised password is basically obtained by choosing a random starting point r, where 1 ≤ r ≤ n (n is the length of the initial password), and reading the password from the rth letter in either clockwise or anticlockwise direction. There are n different possibilities for choosing the starting point and 2 different possibilities for choosing the direction, which results in 2*n different rotational variations of the initial n length password.
[0041] For instance, in an exemplary embodiment, say the user selects an initial password ‘science7’. Since the length of the initial password ‘science7’ is 8, there are 8 different possibilities for a starting point. In an embodiment, for every starting point, the password can be read either in clockwise or anticlockwise direction (2 directions in the exemplary embodiment). Thus, there are 8*2=16 different permutation variants or rotational variants, in this instance, of the initial password ‘science7’ as provided in Table 1 herein below:
Table 1: 16 different rotational variations of user chosen initial password ‘science7’.
Starting point | Clockwise variant (password structure) | Anti-Clockwise variant (password structure)
1 | science7 (L7D1) | s7ecneic (L1D1L6)
2 | cience7s (L6D1L1) | cs7ecnei (L2D1L5)
3 | ience7sc (L5D1L2) | ics7ecne (L3D1L4)
4 | ence7sci (L4D1L3) | eics7ecn (L4D1L3)
5 | nce7scie (L3D1L4) | neics7ec (L5D1L2)
6 | ce7scien (L2D1L5) | cneics7e (L6D1L1)
7 | e7scienc (L1D1L6) | ecneics7 (L7D1)
8 | 7science (D1L7) | 7ecneics (D1L7)
[0042] In an embodiment, the system of the present disclosure picks one of the variants and assigns it to the user as the revised password. In general, if n denotes the password length, there are n*2 different variations of the user chosen initial password in this exemplary embodiment having 2 types of permutations. The system of the present disclosure picks a number between 1 and 8 (password length n = 8 in this case) uniformly at random, which serves as a new starting point for the password ‘science7’. It also picks a rotation direction (clockwise or anticlockwise). For instance, if the system of the present disclosure picks starting point r = 4 and clockwise direction, the initial password ‘science7’ is read in clockwise direction starting from the letter ‘e’, which is at the 4th position. The initial password ‘science7’ is thus revised to ‘ence7sci’, which is assigned to the user as the revised password. In other words, the system of the present disclosure generates all rotational variants of the password ‘science7’ and randomly assigns ‘ence7sci’, the variant obtained by reading the initial password from starting point 4 (letter ‘e’) in clockwise direction, to the user as the revised password. Rotating the password also distributes the popularity of the original password among its variants, which increases resistance against online attacks. Therefore, the theoretical improvement in security is
log2(n*2) = log2(n) + log2(2) = 1 + log2(n) bits.
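The following Python program is an illustrative example added to this description; it is not part of the specification or of the applicant's system. It reproduces the rotation of [0040] through [0042] and the table above: `rotate` reads the initial password from a starting node in either direction, `structure` derives the L/U/D/S password structure of any string, `rotational_variants` lists all 2n variants together with their encoding (starting node and direction), `structure_sets` checks the observation made later in this description that clockwise and anti-clockwise rotation reach the same set of password structures, and `security_gain_bits` evaluates the log2(2n) expression. The function names and the use of ‘science7’ as input are the example's own choices.

```python
import math

# Constructed example input: the initial password used in the disclosure's tables.
INITIAL_PASSWORD = "science7"


def rotate(password: str, start: int, clockwise: bool = True) -> str:
    """Read `password` cyclically from the 1-based node `start`.

    Clockwise reads towards the right and wraps around; anti-clockwise reads
    towards the left. The pair (start, clockwise) is the encoding of the
    revised password that the user has to remember.
    """
    n = len(password)
    if not 1 <= start <= n:
        raise ValueError("start must lie between 1 and the password length")
    origin = start - 1
    step = 1 if clockwise else -1
    return "".join(password[(origin + k * step) % n] for k in range(n))


def char_class(ch: str) -> str:
    """Map one character to the L/U/D/S class of the password-structure notation."""
    if "a" <= ch <= "z":
        return "L"
    if "A" <= ch <= "Z":
        return "U"
    if "0" <= ch <= "9":
        return "D"
    return "S"  # everything else is treated as a special character


def structure(password: str) -> str:
    """Compress a password into its structure, e.g. 'science7' -> 'L7D1'."""
    runs = []
    for ch in password:
        cls = char_class(ch)
        if runs and runs[-1][0] == cls:
            runs[-1][1] += 1
        else:
            runs.append([cls, 1])
    return "".join(f"{cls}{count}" for cls, count in runs)


def rotational_variants(password: str) -> list:
    """All 2n rotational variants as (start, direction, variant, structure) rows."""
    rows = []
    for start in range(1, len(password) + 1):
        for clockwise in (True, False):
            variant = rotate(password, start, clockwise)
            direction = "clockwise" if clockwise else "anti-clockwise"
            rows.append((start, direction, variant, structure(variant)))
    return rows


def structure_sets(password: str) -> tuple:
    """Password structures reachable by clockwise and by anti-clockwise rotation."""
    n = len(password)
    clockwise = {structure(rotate(password, s, True)) for s in range(1, n + 1)}
    anti = {structure(rotate(password, s, False)) for s in range(1, n + 1)}
    return clockwise, anti


def security_gain_bits(n: int) -> float:
    """Theoretical gain, in bits, from choosing one of the 2n variants uniformly at random."""
    return math.log2(2 * n)


if __name__ == "__main__":
    for start, direction, variant, shape in rotational_variants(INITIAL_PASSWORD):
        print(f"{start:>2} {direction:<14} {variant} {shape}")
    cw, acw = structure_sets(INITIAL_PASSWORD)
    print("same structures in both directions:", cw == acw, "count:", len(cw))
    print("gain for n = 8:", security_gain_bits(8), "bits")
```

Running the program prints the 16 rows of the table above; for a single-class password such as ‘princess’ the structure set collapses to {L8}, illustrating why the gain in structure diversity, as opposed to the gain in variant count, depends on the number of character classes present.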
[0043] To reduce cognitive load of the users in remembering the revised password (based on a starting point and read direction), the present disclosure provides a user friendly interface that projects the user chosen initial password in a 2 Dimensional (2D) space. In an embodiment, the user interface may be as illustrated in FIG.5A through FIG.5C. In an alternative embodiment the user interface may be as illustrated in FIG.6A through FIG.6C. In the user interface of FIG.5A through FIG.5C, the user chosen initial password is arranged in a closed loop in a circular manner. The closed loop in alternative embodiments may be convex shapes such as ellipse, polygon, and the like. In the user interface of FIG.6A through FIG.6C the user chosen initial password is arranged in a linear manner in a straight line. In alternative embodiments, the linear arrangement may be a curve.
[0044] In an embodiment, when a user chosen initial password is entered into the system of the present disclosure, each letter of the initial password is associated with a distinct node from a group of nodes. In an embodiment, the nodes may be generated on the fly. In the embodiment illustrated in FIG.5A through 5C, the nodes are arranged in a closed loop in a circular manner. Such an arrangement facilitates the user to generate the revised password by entering an initial password and then clicking on the starting point and dragging (dialing) it in clockwise or anticlockwise manner as assigned by the system of the present disclosure. Performing the clicking and dragging action generates the revised password and hence user is not required to remember the revised password.
[0045] In an embodiment, a user enters the initial password, say, ‘science7’ which is arranged in circular manner using the system as shown in FIG.5A. By default, the password is masked and not visible unless the user clicks on the eye button displayed in the center. After clicking on the eye button the initial password is displayed as depicted in FIG.5B. The initial password is read in clockwise direction from the default starting point which is always the first letter of the password which is ‘s’ in the case of the initial password ‘science7’. Say the system assigns the revised password ‘ence7sci’ to the user. The revised password is assigned in terms of the starting node 4 (letter “e”) and clockwise direction to the user. The user is required to click on the starting node 4 (letter “e”) and then drag (dial) the wheel in clockwise direction to get the revised password ‘ence7sci’ (FIG.5C). Clicking on an rth starting node and moving it in clockwise direction (as done in a dial phone) instructs the system to read the password from rth letter in clockwise direction. If the direction assigned to the user in the exemplary embodiment of FIG.5A through FIG.5C is anti-clockwise, the user clicks on the assigned starting node 4 and moves it in anti-clockwise direction to get the revised password as ‘eics7ecn’.
[0046] Similarly, in the embodiment illustrated in FIG.6A through FIG.6C, as a user enters the letters of the user chosen initial password, the letters are placed in nodes arranged in a linear manner in a straight line on the fly as illustrated in FIG.6A. Such an arrangement facilitates generation of the revised password by entering the initial password and then clicking on the starting point and sliding it in either left or right direction as assigned by the system of the present disclosure. Sliding the node in right direction instructs the system to read the initial password in clockwise cyclic manner and sliding it in left direction instructs the system to read the initial password in anti-clockwise cyclic manner. Users are not required to remember the revised permutated password or rotated password in this instance. The content in the nodes and revised password field is masked/hidden and made visible only if user clicks on the eye button displayed in the center as illustrated in FIG.6B and FIG.6C. By default, the starting point is the first letter 's' of the initial password as indicated by the pointed arrow in FIG.6A. The system of the present disclosure picks one of the 16 rotational variants of ‘science7’ at random. Say, the system picks a permutation variant ‘ence7sci’ which is obtained by choosing node 4 from the 8 nodes as the starting node and choosing a right slide direction. As shown in FIG.6C, the user can obtain the revised password ‘ence7sci’ by clicking on node 4 (letter e) and dragging (sliding) the node in right direction. Thus, the user is required to remember the initial password, the starting node and direction of rotation only.
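The following Python program is an illustrative example added to this description, not the applicant's code, and it shows the assignment, storage and verification flow of [0044] through [0046] and of claim 7: the system picks the starting node and the direction uniformly at random, stores only a salted one-way hash of the revised password, and at verification re-derives the variant from the initial password and the starting node and direction that the user remembers, so that the revised password itself never has to be memorized. The salted PBKDF2 hash, the `hint` dictionary and the `enrollment_roundtrip` helper are assumptions of the example; the disclosure states only that passwords are protected using a one-way hash function.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000  # assumption: any salted, slow one-way hash would serve


def rotate(password: str, start: int, clockwise: bool = True) -> str:
    """Cyclic reading of `password` from the 1-based node `start` in the given direction."""
    n = len(password)
    origin, step = start - 1, (1 if clockwise else -1)
    return "".join(password[(origin + k * step) % n] for k in range(n))


def assign_revised_password(initial: str, rng=secrets) -> tuple:
    """Pick a starting node and a direction uniformly at random.

    Returns the hint the user keeps (starting node and direction) and the
    revised password the website will store. `rng` needs a `choice` method;
    the `secrets` module provides a cryptographically strong one.
    """
    n = len(initial)
    start = rng.choice(range(1, n + 1))
    clockwise = rng.choice((True, False))
    hint = {"start": start, "direction": "clockwise" if clockwise else "anti-clockwise"}
    return hint, rotate(initial, start, clockwise)


def store(revised: str, salt: bytes = None) -> dict:
    """Protect the revised password with a salted one-way hash before storing it."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", revised.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest}


def verify(initial: str, start: int, direction: str, record: dict) -> bool:
    """Re-derive the variant from what the user remembers and compare in constant time."""
    if not 1 <= start <= len(initial) or direction not in ("clockwise", "anti-clockwise"):
        return False
    candidate = rotate(initial, start, direction == "clockwise")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["digest"])


def enrollment_roundtrip(initial: str, rng=secrets) -> dict:
    """Assign, store, then verify with the correct hint and with two wrong inputs."""
    hint, revised = assign_revised_password(initial, rng)
    record = store(revised)
    flipped = "anti-clockwise" if hint["direction"] == "clockwise" else "clockwise"
    wrong_initial = initial[:-1] + ("8" if initial[-1] != "8" else "9")
    return {
        "hint": hint,
        "revised": revised,
        "correct_ok": verify(initial, hint["start"], hint["direction"], record),
        "wrong_direction_ok": verify(initial, hint["start"], flipped, record),
        "wrong_initial_ok": verify(wrong_initial, hint["start"], hint["direction"], record),
    }


if __name__ == "__main__":
    result = enrollment_roundtrip("science7")  # constructed example input
    print(result["hint"], result["revised"])
    print("correct hint accepted:", result["correct_ok"])
    print("wrong direction rejected:", not result["wrong_direction_ok"])
```

Only the hashed revised password is stored; the hint (starting node and direction) is what the user interface of FIG.5 and FIG.6 asks the user to reproduce by dialing or sliding, and it is not a secret on its own because it is useless without the initial password.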
[0047] In accordance with the present disclosure, the revised password is generated based on the letter associated with the starting node and a pre-defined manner in which the remaining nodes are required to be read. In the exemplary embodiments of FIG.5A through 5C, the pre-defined manner in which the letters are required to be read after the starting node is clockwise or anti-clockwise, based on the dragging or sliding by the user. Likewise, in the exemplary embodiment of FIG.6A through 6C, the pre-defined manner in which the letters are required to be read after the starting node is left to right and around or right to left and around, simulating a clockwise or anti-clockwise direction. In alternate embodiments, the pre-defined manner may include selection of at least certain nodes from the plurality of nodes in a pre-determined order. FIG.7A and 7B illustrate exemplary user interfaces, in accordance with an embodiment of the present disclosure, wherein exemplary starting nodes and alternative pre-defined manners are shown for generating a revised password. In FIG.7A, the starting node illustrated is node 1 associated with letter ‘s’ and the pre-defined manner includes reading nodes 2, 7 and 8 associated with letters ‘c’, ‘e’ and ‘7’ respectively after the letter ‘s’ for generating the revised password. In an embodiment, the letters associated with the remaining nodes may be read in any pre-defined manner by the system of the disclosure. For instance, in the exemplary embodiment of FIG.7A, the revised password generated must necessarily include ‘sce7’ followed by the other letters in a system defined manner. In the instant case, they are read in clockwise direction to generate the revised password ‘sce7ienc’. Likewise, FIG.7B illustrates another exemplary pre-defined manner of reading letters associated with certain nodes after the starting node.
In FIG.7B, the pre-defined manner includes necessarily reading the starting letter ‘e’ followed by ‘ce7’ as identified by the user clicks and followed by reading the remaining letters in a system defined manner. In the instance case, it is read in clockwise direction to generate the revised password ‘ece7scin’.
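The two reading manners described for FIG.5/FIG.6 (rotation from a starting node) and FIG.7 (starting node, then user-selected nodes, then the rest) as an added worked example in Python. This is not code from the patent; node numbers are 1-based as in the figures, and because the text only says the leftover nodes in FIG.7 are read "in a system defined manner", the example assumes they are read from the lowest node number upwards (clockwise from node 1), which reproduces both 'sce7ienc' and 'ece7scin'. The node numbers clicked in FIG.7B (6, 7, 8) are likewise an assumption consistent with the stated result.

```python
# Added example, not code from the patent: reading the letter nodes of an
# initial password in the pre-defined manners described above.
# Node numbers are 1-based, as in FIG.5 through FIG.7.

def rotational_variant(initial, start, direction):
    """FIG.5/FIG.6 manner: read every node beginning at `start`.

    'clockwise' corresponds to dialing clockwise on the wheel or sliding
    right in the linear layout; 'anticlockwise' to dialing anti-clockwise
    or sliding left.
    """
    n = len(initial)
    if not 1 <= start <= n:
        raise ValueError("starting node must be in 1..%d" % n)
    i = start - 1
    if direction == "clockwise":
        return initial[i:] + initial[:i]
    if direction == "anticlockwise":
        # Step backwards from the starting node, wrapping around the loop.
        return "".join(initial[(i - k) % n] for k in range(n))
    raise ValueError("direction must be 'clockwise' or 'anticlockwise'")


def selected_then_rest(initial, start, selected, rest_direction="clockwise"):
    """FIG.7 manner: the starting node, then the nodes the user clicked in
    that order, then the remaining nodes in a system defined order.

    Assumption (the page only says 'system defined manner'): the remaining
    nodes are read from the lowest node number upwards for 'clockwise' and
    downwards for 'anticlockwise'.
    """
    n = len(initial)
    order = [start] + list(selected)
    if len(set(order)) != len(order) or not all(1 <= k <= n for k in order):
        raise ValueError("nodes must be distinct and within 1..%d" % n)
    remaining = [k for k in range(1, n + 1) if k not in order]
    if rest_direction == "anticlockwise":
        remaining.reverse()
    return "".join(initial[k - 1] for k in order + remaining)


if __name__ == "__main__":
    print(rotational_variant("science7", 4, "clockwise"))   # ence7sci (FIG.6C)
    print(selected_then_rest("science7", 1, [2, 7, 8]))      # sce7ienc (FIG.7A)
    print(selected_then_rest("science7", 4, [6, 7, 8]))      # ece7scin (FIG.7B)
```

The anti-clockwise branch walks the node indices backwards modulo n, so the same function serves the closed-loop layout of FIG.5 and the "left slide" of the linear layout of FIG.6.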
[0048] In accordance with the present disclosure, say a password structure Y is obtained by permuting a password structure X using the system of the present disclosure. For instance, L2D1, L1D1L1 and D1L2 are the 3 possible rotational variants of the password structure L2D1. The number of possible rotational variants of any given password structure depends upon the number of character classes used in its composition. If the password structure is composed entirely of exactly one character class, for instance Ln, Dn, Un or Sn, there is only one rotational variant, namely the original password structure itself. If the password structure is composed of exactly 2 character classes, the set of password structures obtained by reading the password in the clockwise direction is the same as the set obtained by reading the password in the anti-clockwise direction. Thus there are a total of n different rotational variants of such password structures. For instance, the password 'science7', with password structure L7D1, is composed of two character classes, namely lowercase L and digit D. As seen in Table 1, there are 8 different rotational variants of the password structure L7D1. The set of password structures obtained by rotating the password 'science7' in the clockwise direction is the same as the set obtained by rotating the password in the anti-clockwise direction. The system of the present disclosure makes every rotational variant of the password structure equally likely. In conventional systems, offline attackers could crack most Rockyou passwords by exploring the L7D1 password structure only. Due to the permutations (rotations) introduced by the system of the present disclosure, all 8 rotational variants of the password structure L7D1 are equally likely, and therefore offline attackers have to explore all these rotational variants of L7D1. Conventionally, most passwords were concentrated in a few password structures; usage of the system of the present disclosure to create permutation based secure passwords increases the number of password structures, as shown in Table 2 herein below. As a result, the effort of offline attackers increases drastically.
Table 2:
Structure Original Rockyou Count Revised Count due to system of the present disclosure
L7D1 568,672 (82.48%) 86,178 (12.50%)
D1L7 44,585 (6.47%) 86,178 (12.50%)
L3D1L4 20,981 (3.04%) 86,178 (12.50%)
L4D1L3 17,387 (2.52%) 86,178 (12.50%)
L5D1L2 11,733 (1.70%) 86,178 (12.50%)
L6D1L1 10,169 (1.47%) 86,178 (12.50%)
L2D1L5 8,764 (1.27%) 86,178 (12.50%)
L1D1L6 7,139 (1.05%) 86,178 (12.50%)
Total 689,430 689,430
[0049] Finally, if the password structure is composed of more than 2 character classes, then reading the password in the clockwise and in the anti-clockwise manner results in different password structures, and hence there are 2*n rotational variants of it. For instance, the password 'Science70', with the password structure U1L7D2, is composed of 3 character classes, namely uppercase U, lowercase L and digit D. As seen from Table 3 herein below, there are 18 different rotational variants of U1L7D2: 9 obtained by reading the password from different starting points in the clockwise manner and 9 obtained by reading the password in the anti-clockwise manner.
Table 3:
Starting point Clockwise (structure) Anti-Clockwise (structure)
1 Science70 (U1L7D2) S07ecneic (U1D2L6)
2 cience70S (L6D2U1) cS07ecnei (L1U1D2L5)
3 ience70Sc (L5D2U1L1) icS07ecne (L2U1D2L4)
4 ence70Sci (L4D2U1L2) eicS07ecn (L3U1D2L3)
5 nce70Scie (L3D2U1L3) neicS07ec (L4U1D2L2)
6 ce70Scien (L2D2U1L4) cneicS07e (L5U1D2L1)
7 e70Scienc (L1D2U1L5) ecneicS07 (L6U1D2)
8 70Science (D2U1L7) 7ecneicS0 (D1L6U1D1)
9 0Science7 (D1U1L7D1) 07ecneicS (D2L6U1)
[0050] Similarly, an initial password, say, ‘Science$70’ with password structure U1L7S1D2 has 20 different password structure rotational variants as shown in Table 4 herein below:
Table 4:
Starting point Clockwise (structure) Anti-Clockwise (structure)
1 Science$70 (U1L6S1D2) S07$ecneic (U1D2S1L6)
2 cience$70S (L6S1D2U1) cS07$ecnei (L1U1D2S1L5)
3 ience$70Sc (L5S1D2U1L1) icS07$ecne (L2U1D2S1L4)
4 ence$70Sci (L4S1D2U1L2) eicS07$ecn (L3U1D2S1L3)
5 nce$70Scie (L3S1D2U1L3) neicS07$ec (L4U1D2S1L2)
6 ce$70Scien (L2S1D2U1L4) cneicS07$e (L5U1D2S1L1)
7 e$70Scienc (L1S1D2U1L5) ecneicS07$ (L6U1D2S1)
8 $70Science (S1D2U1L6) $ecneicS07 (S1L6U1D2)
9 70Science$ (D2U1L6S1) 7$ecneicS0 (D1S1L6U1D1)
10 0Science$7 (D1U1L6S1D1) 07$ecneicS (D2S1L6U1)
[0051] In the past, online attackers could compromise 59,462 Rockyou accounts by trying only one guess, 'password'. Due to the rotations introduced by the system of the present disclosure, all 16 rotational variants (8 different starting points and 2 directions) of 'password' become equally likely. As shown in Table 5 herein below, attackers could compromise only 3,807 accounts by trying the guess 'password', which is only a fraction (0.064) of the original count. In the original Rockyou dataset, most of the rotational variants of 'password' never occurred (entries with 0 count). The random rotations essentially distribute the popularity of a password among its rotational variants, which improves the utilized search space and increases resistance against online trawling attacks.
Table 5:
Starting Point (Direction) Rotational Variant Original Rockyou Count Revised Count due to system of the present disclosure
1(Clockwise) password 59,462 (97.62%) 3,807 (6.25%)
2(Clockwise) asswordp 4 (0.00%) 3,807 (6.25%)
3(Clockwise) sswordpa 0 (0.00%) 3,807 (6.25%)
4(Clockwise) swordpas 662 (1.09%) 3,807 (6.25%)
5(Clockwise) wordpass 0 (0.00%) 3,807 (6.25%)
6(Clockwise) ordpassw 0 (0.00%) 3,807 (6.25%)
7(Clockwise) rdpasswo 0 (0.00%) 3,807 (6.25%)
8(Clockwise) dpasswor 0 (0.00%) 3,807 (6.25%)
1(Anti-Clockwise) pdrowssa 0 (0.00%) 3,807 (6.25%)
2(Anti-Clockwise) apdrowss 0 (0.00%) 3,807 (6.25%)
3(Anti-Clockwise) sapdrows 0 (0.00%) 3,807 (6.25%)
4(Anti-Clockwise) ssapdrow 4 (1.09%) 3,807 (6.25%)
5(Anti-Clockwise) wssapdro 0 (0.00%) 3,807 (6.25%)
6(Anti-Clockwise) owssapdr 0 (0.00%) 3,807 (6.25%)
7(Anti-Clockwise) rowssapd 0 (0.00%) 3,807 (6.25%)
8(Anti-Clockwise) drowssap 779 (1.28%) 3,807 (6.25%)
TOTAL 60,911 (100%) 60,911 (100%)
[0052] Thus using systems of the present disclosure, the passwords become more distinct which increases the resistance to online attacks. Also, the improved number of password structures increase the resistance to offline attacks. As illustrated in FIG.8, the search space is more utilized (increased to 9) compared to FIG.1B wherein only 6 password structures were used. Also, the popularity of password structures has diminished as the passwords are spread by the system of the present disclosure into different password structures.
[0053] FIG.2 and FIG.3 illustrate exemplary block diagrams of a system 200 and a system 300 respectively for generating permutation based passwords in accordance with two embodiments of the present disclosure and FIG.4 illustrates an exemplary flow diagram of a method 400 for generating permutation based passwords using the system of FIG.2 or FIG.3 in accordance with an embodiment of the present disclosure. In an embodiment, the system 200 and the system 300 include one or more processors (not shown), communication interface or input/output (I/O) interface (not shown), and memory or one or more internal data storage devices (not shown) operatively coupled to the one or more processors. The one or more processors, being hardware processors, can be implemented as one or more microprocessors, microcomputers, microcontrollers, digital signal processors, central processing units, state machines, logic circuitries, and/or any devices that manipulate signals based on operational instructions. Among other capabilities, the processor(s) is configured to fetch and execute computer-readable instructions stored in the memory. In an embodiment, the system 200 can be implemented on a server or in a variety of computing systems, such as a laptop computer, a desktop computer, a notebook, a workstation, a mainframe computer, a server, a network server, cloud, hand-held device and the like. In an embodiment, the system 300 can be implemented as a two-tier architecture operating in a distributed manner with at least one client 302 and a server 304.
[0054] The I/O interface can include a variety of software and hardware interfaces, for example, a web interface, a graphical user interface, and the like and can facilitate multiple communications within a wide variety of networks and protocol types, including wired networks, for example, LAN, cable, etc., and wireless networks, such as WLAN, cellular, or satellite. In an embodiment, the I/O interface can include one or more ports for connecting a number of devices to one another or to another server.
[0055] The memory may include any computer-readable medium known in the art including, for example, volatile memory, such as static random access memory (SRAM) and dynamic random access memory (DRAM), and/or non-volatile memory, such as read only memory (ROM), erasable programmable ROM, flash memories, hard disks, optical disks, and magnetic tapes. In an embodiment, the various modules of the system 400 can be stored in the memory.
[0056] The steps of the method 400 of the present disclosure will now be explained with reference to the components of the system 200 as depicted in FIG.2 or the system 300 as depicted in FIG.3. In an embodiment, password wheel 210 is configured to receive a user chosen initial password, at step 402 and associate each letter of the initial password, at step 404, with a distinct node selected from a plurality of nodes on a user interface, wherein the plurality of nodes may be arranged in a cyclic manner. In an embodiment, the plurality of nodes may be arranged in a closed loop as illustrated in FIG.5A through FIG.5C or in a linear manner as illustrated in FIG.6A through FIG.6C. The cyclic manner facilitates generation of permutation variants either in a clockwise or anti-clockwise manner for the plurality of nodes arranged in a closed loop and left to right and around or right to left and around that simulates clockwise and anti-clockwise manner respectively for the plurality of nodes arranged in a linear manner. At step 406, a password reviser 212 is configured to generate a revised password as a variant of all possible permutation variants of the initial password based on a letter associated with a starting node from the plurality of nodes and sequentially followed by letters associated with the remaining nodes from the plurality of nodes in a pre-defined manner. At step 408, a password encoder 214 is configured to encode the revised password based on the starting node and the pre-defined manner.
[0057] In an embodiment, a password verifier 214 is configured to verify if the permutation variant generated by the user by clicking and dialing matches the revised password generated by the password reviser 212 and store the permutation variant or the revised password using standard secure practices such as applying salt and hash.
[0058] In accordance with the present disclosure, the initial password may conform to one or more pre-defined password composition policies.
[0059] In an embodiment, the number of nodes in the plurality of nodes may be equal to the number of letters in the initial password.
[0060] In an embodiment, as depicted in the system 300, the password wheel 210 and the password verifier 214 may be part of the client 302 and the password reviser 212 and the password encoder 216 may be part of the server 304 in a two-tier architecture. An authentication method involves a password creation phase wherein a new password is created or existing password for accessing a resource on a local or remote system is changed and a login phase wherein resources on a local or remote system are accessed after the password created during the password creation phase is used to login and authenticate the user. In an embodiment, the password wheel 210 is involved in both the password creation and the login phase of an authentication method, while the password reviser 212, the password encoder 214 and the password verifier 216 are involved during the password creation phase only.
[0061] FIG.3 also illustrates interaction between the various modules (210, 212, 214 and 216) of the system 300 in accordance with an embodiment of the present disclosure. Once a user chooses an initial password of length n, it is displayed by the password wheel 210. At step 1, the initial password is sent to the password reviser 212 for generating the revised password. At step 2, the password reviser 212 generates a list of all possible permutation variants of n length and in an embodiment assigns a permutation variant randomly to the user and sends it to the password encoder 214. At step 3, the password encoder 214 maps the revised password to a starting node and a pre-defined manner of reading which is sent to the password wheel 210. At step 4, the password wheel 210 then instructs the user to click on the starting node and dial or drag in the pre-defined manner of reading. At step 5, the password verifier 216 verifies the user action including the starting node and the pre-defined manner and sends to the server where it is stored using standard secure storage practices such as salt and hash methods.
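The creation phase of steps 1 through 5 above, followed by the login phase of [0060], as an added worked example in Python (not the patent's or the system's own code). Module names follow the text (password wheel, reviser, encoder, verifier), but the random assignment of a variant, the encoder's search for the (starting node, direction) pair, and "salt and hash" storage as PBKDF2-HMAC-SHA256 with a 16-byte salt and 100,000 iterations are assumptions; the strength-scoring alternative of [0063] is not modelled.

```python
# Added example, not code from the patent: the password creation phase of
# FIG.3 (steps 1-5) and the login phase as plain functions. Module names
# follow the text; the random choice, the encoder's search and the storage
# parameters (PBKDF2-HMAC-SHA256, 16-byte salt) are assumptions.
import hashlib
import hmac
import os
import random

DIRECTIONS = ("clockwise", "anticlockwise")


def read_nodes(initial, start, direction):
    """Password wheel: read all nodes from 1-based node `start` (user dial)."""
    s = initial[start - 1:] + initial[:start - 1]   # clockwise reading
    return s if direction == "clockwise" else s[0] + s[:0:-1]


def reviser_pick(initial, rng):
    """Step 2: list all rotational variants and assign one at random."""
    variants = [read_nodes(initial, k, d)
                for d in DIRECTIONS for k in range(1, len(initial) + 1)]
    return rng.choice(variants)


def encoder_map(initial, revised):
    """Step 3: encode the revised password as (starting node, direction).
    If repeated letters make several pairs valid, the first one is used."""
    for d in DIRECTIONS:
        for k in range(1, len(initial) + 1):
            if read_nodes(initial, k, d) == revised:
                return k, d
    raise ValueError("not a rotational variant of the initial password")


def salted_hash(secret, salt):
    """Standard salt-and-hash storage; the parameters are an assumption."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 100_000)


def create_password(initial, rng=None):
    """Creation phase. Returns (server record, cue shown to the user).

    Only the salt and digest are kept by the server; the cue (start node,
    direction) is what the user remembers together with the initial password.
    """
    rng = rng or random.Random()
    revised = reviser_pick(initial, rng)                 # step 2 (reviser)
    start, direction = encoder_map(initial, revised)     # step 3 (encoder)
    dialed = read_nodes(initial, start, direction)       # step 4 (wheel)
    if dialed != revised:                                # step 5 (verifier)
        raise ValueError("dial action does not reproduce the revised password")
    salt = os.urandom(16)
    record = {"salt": salt, "digest": salted_hash(revised, salt)}
    return record, (start, direction)


def login(record, initial, start, direction):
    """Login phase: only the wheel is involved; it re-derives the revised
    password from the cue and the server compares salted hashes in
    constant time."""
    candidate = read_nodes(initial, start, direction)
    return hmac.compare_digest(salted_hash(candidate, record["salt"]),
                               record["digest"])


if __name__ == "__main__":
    rec, cue = create_password("science7")
    print(cue, login(rec, "science7", *cue))
```

Because the verifier in step 5 is modelled as the client reproducing the variant from the cue, a wrong starting node or direction at login yields a different candidate string and therefore a different digest, which is exactly what makes the cue part of the secret.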
[0062] In an embodiment, the system of the present disclosure enables the user to select the starting node and the pre-defined manner.
[0063] In an embodiment, the password reviser 212 is configured to measure strength of all the possible permutation variants of the initial password and identify the permutation variant having highest score as the revised password as against randomly identifying the revised password.
[0064] The user interface rendered by the password wheel 210 facilitates password creation without adding to the cognitive load of the user. Also, providing a random starting node by the password reviser 212 improves the password distribution. The main challenge addressed by the systems and methods of the present disclosure was to provide a simplified method for password creation from different password structures and to improve security by facilitating a uniform distribution of the passwords in the password search space. The rotation operation explained herein above as an example of the permutation variant is simple and intuitive. Also, the exemplary user interfaces depicted in FIG.5A through FIG.5C and FIG.6A through FIG.6C make the user operation easy to perform. Although any method of generating a permutation variant and both convex and concave shaped node arrangements would provide the desired intent of the present disclosure, based on comprehensive studies, a preferred user interface is a closed loop, particularly a circle, for the various reasons enumerated below.
[0065] Visual Psychology: According to neuro-aesthetics research (the study of how the human brain reacts to certain visual design elements), rounded shapes are preferred and cause more activity in the visual cortex. Thus, placing each letter of the initial password in a distinct circular node stimulates users to click and therefore change the starting node of their passwords (FIG.5A through FIG.5C).
[0066] Multiple Cues: To assist users in recalling the starting node of revised passwords during subsequent logins, the system of the present disclosure provides multiple cues. According to psychology research, information can be remembered more reliably with the help of different cues. Projecting password in 2D space and placing each letter of the password in a distinct circular node naturally results in spatial cues. Further, the node numbers (verbal cues) are associated with each letter of the password.
[0067] Dual Coding Theory: According to dual coding theory, the human brain has a superior memory for recalling visual information compared to verbal information. Therefore, arranging passwords in a circular manner and allowing users to recall the starting point by clicking on the node (visual recall) minimizes cognitive load.
[0068] Contextual Information: The encoding specificity theory postulates that contextual information plays an important role during recall. According to this theory, recall is better if the information available during encoding is also available during retrieval. The information (cues) available during password creation is also available during login which helps in retrieval of the starting point information from memory.
[0069] Metaphor: The interface is designed with users in mind and aims to simulate human intuition. The design is heavily inspired by the analogue clock. The system of the present disclosure arranges the initial password in a circular manner and in one embodiment reads it in a clockwise direction from the user chosen starting point. Due to the ubiquity of the clock, users with different skill levels may be easily able to interact with the user interface of the present disclosure. Further, users can also relate it to traditional dial type telephones which had a rotating wheel to dial the telephone number.
[0070] Aesthetic: Research suggests that people find curved objects more aesthetic. The proposed design considers this preference by organizing each letter of a password in a distinct circular node. Further, the circular arrangement is more pleasing due to its symmetry along all axes.
[0071] Interactive: To facilitate exploration of different starting points by users, the system of the present disclosure is provided with an interactive user interface. On clicking any node, the interface gives explicit feedback to users in terms of the revised password (displayed in the center of FIG.5A through FIG.5C). The revised password in turn also motivates users to choose a new starting point and to set a more complex password. Further, to ensure that security against shoulder surfers remains unaffected, the password is masked/hidden by default and not visible until the user clicks on the eye button.
[0072] Screen Space: The circular arrangement of the user interface is also advantageous when the screen size is not ample, for instance on mobile devices. Due to the small screen space, the soft keyboard on mobile devices has only 10 keys in a row. Thus, arranging the initial password in a linear manner can fit only 10 nodes on small devices, which would cause inconvenience to those users having passwords of length n > 10. On the other hand, a 2D circular arrangement utilizes the screen space very well and could potentially fit π*10 ≈ 31 nodes along its circumference.
[0073] The written description describes the subject matter herein to enable any person skilled in the art to make and use the embodiments of the disclosure. The scope of the subject matter embodiments defined here may include other modifications that occur to those skilled in the art. Such other modifications are intended to be within the scope if they have similar elements that do not differ from the literal language of the claims or if they include equivalent elements with insubstantial differences from the literal language.
[0074] It is, however to be understood that the scope of the protection is extended to such a program and in addition to a computer-readable means having a message therein; such computer-readable storage means contain program-code means for implementation of one or more steps of the method, when the program runs on a server or mobile device or any suitable programmable device. The hardware device can be any kind of device which can be programmed including e.g. any kind of computer like a server or a personal computer, or the like, or any combination thereof. The device may also include means which could be e.g. hardware means like e.g. an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or a combination of hardware and software means, e.g. an ASIC and an FPGA, or at least one microprocessor and at least one memory with software modules located therein. Thus, the means can include both hardware means and software means. The method embodiments described herein could be implemented in hardware and software. The device may also include software means. Alternatively, the system may be implemented on different hardware devices, e.g. using a plurality of CPUs.
[0075] The embodiments herein can comprise hardware and software elements. The embodiments that are implemented in software include but are not limited to, firmware, resident software, microcode, etc. The functions performed by various modules comprising the system of the present disclosure and described herein may be implemented in other modules or combinations of other modules. For the purposes of this description, a computer-usable or computer readable medium can be any apparatus that can comprise, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. The various modules described herein may be implemented as either software and/or hardware modules and may be stored in any type of non-transitory computer readable medium or other storage device. Some non-limiting examples of non-transitory computer-readable media include CDs, DVDs, BLU-RAY, flash memory, and hard disk drives.
[0076] Further, although process steps, method steps, techniques or the like may be described in a sequential order, such processes, methods and techniques may be configured to work in alternate orders. In other words, any sequence or order of steps that may be described does not necessarily indicate a requirement that the steps be performed in that order. The steps of processes described herein may be performed in any order practical. Further, some steps may be performed simultaneously.
[0077] The preceding description has been presented with reference to various embodiments. Persons having ordinary skill in the art and technology to which this application pertains will appreciate that alterations and changes in the described structures and methods of operation can be practiced without meaningfully departing from the principle, spirit and scope.
| # | Name | Date |
|---|---|---|
| 1 | Form 3 [03-03-2016(online)].pdf | 2016-03-03 |
| 2 | Form 20 [03-03-2016(online)].pdf | 2016-03-03 |
| 3 | Form 18 [03-03-2016(online)].pdf | 2016-03-03 |
| 4 | Drawing [03-03-2016(online)].pdf | 2016-03-03 |
| 5 | Description(Complete) [03-03-2016(online)].pdf | 2016-03-03 |
| 6 | 201621007522-POWER OF ATTORNEY-(10-05-2016).pdf | 2016-05-10 |
| 7 | 201621007522-CORRESPONDENCE-(10-05-2016).pdf | 2016-05-10 |
| 8 | Abstract.jpg | 2018-08-11 |
| 9 | 201621018522-Form 1-250716.pdf | 2018-08-11 |
| 10 | 201621018522-Correspondence-250716.pdf | 2018-08-11 |
| 11 | 201621007522-OTHERS [29-07-2021(online)].pdf | 2021-07-29 |
| 12 | 201621007522-FER_SER_REPLY [29-07-2021(online)].pdf | 2021-07-29 |
| 13 | 201621007522-COMPLETE SPECIFICATION [29-07-2021(online)].pdf | 2021-07-29 |
| 14 | 201621007522-CLAIMS [29-07-2021(online)].pdf | 2021-07-29 |
| 15 | 201621007522-ABSTRACT [29-07-2021(online)].pdf | 2021-07-29 |
| 16 | 201621007522-FER.pdf | 2021-10-18 |
| 17 | 201621007522-US(14)-HearingNotice-(HearingDate-26-02-2024).pdf | 2024-02-10 |
| 18 | 201621007522-Duplicate-US(14)-HearingNotice-(HearingDate-26-02-2024).pdf | 2024-02-12 |
| 19 | 201621007522-FORM-26 [24-02-2024(online)].pdf | 2024-02-24 |
| 20 | 201621007522-FORM-26 [24-02-2024(online)]-1.pdf | 2024-02-24 |
| 21 | 201621007522-Correspondence to notify the Controller [24-02-2024(online)].pdf | 2024-02-24 |
| 22 | 201621007522-Written submissions and relevant documents [11-03-2024(online)].pdf | 2024-03-11 |
| 1 | 2021-02-1115-41-44E_20-02-2021.pdf | |