US-12625945-B2 - Password security warning system
Abstract
Various embodiments are directed to a password security warning system. An artificial neural network or other types of models may be used to determine whether a password that is created, input, or proposed by a user via an interface includes one or more predictable or typical transformations or combinations of characters derived from user-specific information. Based on the determination, a warning may be provided to the user.
Inventors
- Reza Farivar
- Anh Truong
- Vincent Pham
- Austin Grant Walters
- Galen Rafferty
- Jeremy Edward Goodsitt
Assignees
- CAPITAL ONE SERVICES, LLC
Dates
- Publication Date
- 20260512
- Application Date
- 20230522
Claims (20)
- 1 . An apparatus comprising: a memory storing instructions, one or more processors operably coupled to the memory and configured to execute the instructions that, when executed by the one or more processors, cause the one or more processors to: determine one or more patterns associated with a user, the one or more patterns comprising at least one of a user-specific pattern of passwords specific to a user, the user-specific pattern not general to a population of users or combinations of at least: first personal information and second personal information different from the first personal information typical or predictable in weak passwords; process a plurality of lists of blacklisted passwords received from a plurality of service providers, each of the plurality of lists of blacklisted passwords being received from a corresponding service provider of the plurality of service providers, wherein at least one of the plurality of lists of blacklisted passwords is different than other lists of the plurality of lists of blacklisted passwords, wherein at least one of the plurality of service providers is a financial institution; train a neural network based at least in part on: the user-specific pattern, a plurality of typical or predictable password transformations, the one or more patterns of the combinations of at least the first and second personal information and the plurality of lists of blacklisted passwords, the trained neural network configured to output a plurality of possible password strings unique to a user in response to user-specific information associated with the user provided to the neural network; receive a password created by the user; determine whether the password matches at least one possible password string of the plurality of possible password strings based on a threshold match; provide a warning message that the password is unsafe or insecure in response to the password matching the at least one possible password string, wherein the one or more processors are further caused to: allow the warning message to be bypassed and the password to be created in response to the threshold match being below a predetermined threshold.
- 2 . The apparatus of claim 1 , wherein the user-specific information is provided by the user and comprises one or more of the following: a legal first name, a legal middle name, a legal last name, a nickname, a date of birth, a social security number, a home address, a work address, a telephone number, spousal information, and/or a maiden name.
- 3 . The apparatus of claim 1 , wherein the instructions, when executed by the one or more processors, further cause the one or more processors to: perform an Internet search on the user and provide one or more results of the Internet search to the neural network as the user-specific information, wherein the one or more results of the Internet search comprise information associated with the user from at least one of a social media account, a professional networking profile, a professional profile webpage, a blog, an online dating profile, a public article, or an image.
- 4 . The apparatus of claim 1 , wherein the plurality of typical or predictable password transformations comprises at least one replacement of a letter with an associated special character.
- 5 . The apparatus of claim 1 , wherein the plurality of possible password strings output by the neural network comprises at least one or more typical or predictable transformations of the user-specific information and one or more typical or predictable combinations of the user-specific information.
- 6 . The apparatus of claim 1 , wherein the user-specific pattern is determined based on an identification of a specific pattern used in previous passwords of the user.
- 7 . The apparatus of claim 1 , wherein the warning message is output to an interface; and wherein the one or more processors are further caused to: receive at least one compromised password determined to have been cracked or compromised; and add the at least one compromised password to at least one of the plurality of lists of blacklisted passwords for updating the training of the neural network to include cracked and compromised passwords.
- 8 . An apparatus comprising: at least one memory storing instructions; one or more processors, operably coupled to the at least one memory, operable to execute the instructions that, when executed by the one or more processors, cause the one or more processors to: determine a user-specific pattern of passwords specific to a user, the user-specific pattern not general to a population of users; process a plurality of lists of blacklisted passwords received from a plurality of service providers, each of the plurality of lists of blacklisted passwords being received from a corresponding service provider of the plurality of service providers, wherein at least one of the plurality of lists of blacklisted passwords is different than other lists of the plurality of lists of blacklisted passwords, wherein at least one of the plurality of service providers is a financial institution; train a neural network based at least in part on the user-specific pattern and the plurality of lists of blacklisted passwords, the trained neural network configured to output a plurality of possible password strings unique to the user based, at least in part, on user-specific information associated with the user provided to the neural network; receive a password created by the user; determine whether the password matches at least one possible password string of the plurality of possible password strings based on a threshold match; output a warning message to an interface indicating the password may be unsafe or insecure; and allow the warning message to be bypassed and the password to be created in response to the threshold match being below a predetermined threshold.
- 9 . The apparatus of claim 8 , wherein the user-specific pattern is determined based on an identification of a specific pattern used in previous passwords of the user.
- 10 . The apparatus of claim 8 , the instructions, when executed by the one or more processors, further cause the one or more processors to: receive at least one compromised password determined to have been cracked or compromised; and add the at least one compromised password to at least one of the plurality of lists of blacklisted passwords for updating training of the neural network to include cracked and compromised passwords.
- 11 . The apparatus of claim 8 , wherein the user-specific information is provided by the user and comprises one or more of the following: a legal first name, a legal middle name, a legal last name, a nickname, a date of birth, a social security number, a home address, a work address, a telephone number, spousal information, and/or a maiden name.
- 12 . The apparatus of claim 8 , wherein the instructions, when executed by the one or more processors, further cause the one or more processors to: perform an Internet search on the user and provide one or more results of the Internet search to the neural network as the user-specific information, wherein the one or more results of the Internet search comprise information associated with the user from at least one of a social media account, a professional networking profile, a professional profile webpage, a blog, an online dating profile, a public article, or an image.
- 13 . The apparatus of claim 8 , wherein the plurality of possible password strings comprises at least one typical or predictable password transformation, the at least one typical or predictable password transformation comprising at least one replacement of a letter with an associated special character.
- 14 . The apparatus of claim 8 , wherein the plurality of possible password strings output by the neural network comprises at least one typical or predictable transformation of the user-specific information and at least one typical or predictable combination of the user-specific information.
- 15 . A computer-implemented method, comprising, via at least one computing device: determining a user-specific pattern of passwords specific to a user, the user-specific pattern not general to a population of users; processing a plurality of lists of blacklisted passwords received from a plurality of service providers, each of the plurality of lists of blacklisted passwords being received from a corresponding service provider of the plurality of service providers, wherein at least one of the plurality of lists of blacklisted passwords is different than other lists of the plurality of lists of blacklisted passwords, wherein at least one of the plurality of service providers is a financial institution; training a neural network based at least in part on the user-specific pattern and the plurality of lists of blacklisted passwords, the trained neural network configured to output a plurality of possible password strings unique to the user based, at least in part, on user-specific information associated with the user provided to the neural network; receiving a password created by the user; and determining whether the password matches at least one possible password string of the plurality of possible password strings based on a threshold match; wherein the method further comprises: outputting a warning message to an interface indicating the password may be unsafe or insecure; and allowing the warning message to be bypassed and the password to be created in response to the threshold match being below a predetermined threshold.
- 16 . The method of claim 15 , wherein the user-specific pattern is determined based on an identification of a specific pattern used in previous passwords of the user.
- 17 . The method of claim 15 , further comprising: receiving at least one compromised password determined to have been cracked or compromised; and adding the at least one compromised password to at least one of the plurality of lists of blacklisted passwords for updating training of the neural network to include cracked and compromised passwords.
- 18 . The method of claim 15 , further comprising: performing an Internet search on the user and provide one or more results of the Internet search to the neural network as the user-specific information, wherein the one or more results of the Internet search comprise information associated with the user from at least one of a social media account, a professional networking profile, a professional profile webpage, a blog, an online dating profile, a public article, or an image.
- 19 . The method of claim 15 , wherein the plurality of possible password strings comprises at least one typical or predictable password transformation, the at least one typical or predictable password transformation comprising at least one replacement of a letter with an associated special character.
- 20 . The method of claim 15 , wherein the plurality of possible password strings output by the neural network comprises at least one typical or predictable transformation of the user-specific information and at least one typical or predictable combination of the user-specific information.
Description
RELATED APPLICATIONS
This application is a continuation of U.S. patent application Ser. No. 17/153,335 filed on Jan. 20, 2021, which is a continuation of U.S. patent application Ser. No. 16/549,391, titled “PASSWORD SECURITY WARNING SYSTEM” filed on Aug. 23, 2019. The contents of the aforementioned applications are incorporated herein by reference in their entirety.
BACKGROUND
Password strength is a measure of the effectiveness of a password against guessing or brute-force attacks. Generally, the strength of a password is a function of its length, complexity, and unpredictability. To increase password strength, many password acceptance systems now require users to incorporate special characters (e.g., @) in their passwords. As a result, many users create passwords with character transformations that are simple and easy to guess, for example replacing the letter “a” with the special character “@”. In addition, users tend to base passwords on a word, a combination of words, or a phrase that is personal to them and therefore easy to guess, such as a child's name, a birth date, or a social security number. Common password transformations and an overall lack of user creativity make it easy for fraudsters to guess passwords and gain access to the associated accounts. Accordingly, there is a need for a password security warning system that at least warns a user when a password the user has created is easy to guess.
SUMMARY
Various embodiments are directed to a password security warning system. An artificial neural network, or other type of model, may be used to determine whether a password that is created, input, or proposed by a user via an interface includes one or more predictable or typical transformations or combinations of characters derived from user-specific information. Based on the determination, a warning may be provided to the user, such as a notification indicating that the password is weak or unsafe.
In some examples, the password may be prohibited from use when it has been determined that the password has previously been blacklisted or identified as being involved in a security breach.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 illustrates an example password security warning platform in accordance with one or more embodiments.
FIG. 2 illustrates example character transformations and combinations and example blacklisted passwords in accordance with one or more embodiments.
FIG. 3 illustrates an example output of an artificial neural network in accordance with one or more embodiments.
FIG. 4 illustrates example password security warnings in accordance with one or more embodiments.
FIG. 5 illustrates example threshold matching in accordance with one or more embodiments.
FIG. 6 illustrates an example flow diagram in accordance with one or more embodiments.
FIG. 7 illustrates an example computing architecture of a computing device in accordance with one or more embodiments.
FIG. 8 illustrates an example communications architecture in accordance with one or more embodiments.
DETAILED DESCRIPTION
Various embodiments are generally directed to a password security warning system for at least determining that a user-created password contains typical, predictable, or common transformations and warning the user of that vulnerability. In examples, an artificial neural network may be trained using typical or predictable transformations commonly applied to passwords. For instance, a typical or predictable transformation is replacing the letter “a” in a password string with the special character “@”, as will be further described below. Moreover, the artificial neural network may be trained using typical or predictable combinations of personal information commonly found in passwords, such as combining a birthdate with a portion of the user's name, and may further be trained with a set of blacklisted passwords (e.g., commonly cracked or compromised passwords).
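The following Python sketch is an added illustration of the flow just described; it is not code from the patent or from the assignee. In place of the patent's trained neural network it uses a small rule-based generator that produces the typical transformations (letter-to-special-character replacements, case variants) and pairwise combinations (e.g. a name joined to a birthdate fragment) of a user's own information, merges per-provider blacklists into one set, and then threshold-matches a proposed password against the candidate strings using difflib's similarity ratio as the match score. The substitution table, separators, suffixes, the 0.8 warning threshold, the 0.95 predetermined bypass threshold, and the sample user and blacklists are all assumptions or constructed data, not values from the page.

```python
"""Rule-based sketch of the password security warning flow: generate typical
transformations and combinations of a user's own information, merge per-provider
blacklists, then threshold-match a proposed password (added example, not the patent's code)."""
from __future__ import annotations

from collections.abc import Iterable
from dataclasses import dataclass
from difflib import SequenceMatcher
from itertools import permutations

# Illustrative letter -> special-character table (the page's example is "a" -> "@");
# the full table, the separators and the suffixes are assumptions, not the patent's lists.
SUBSTITUTIONS = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
SEPARATORS = ("", "_", "!")
SUFFIXES = ("", "!", "1", "123")


@dataclass(frozen=True)
class UserInfo:
    """User-specific information of the kind the description lists (constructed input)."""
    first_name: str
    last_name: str
    nickname: str = ""
    birthdate: str = ""            # ISO "YYYY-MM-DD"
    phone: str = ""                # digits only
    extras: tuple[str, ...] = ()   # pet name, hobby, school, ...


def date_tokens(iso_date: str) -> set[str]:
    """Date fragments that typically appear in passwords: year, 2-digit year, MMDD, DDMM, full date."""
    if not iso_date:
        return set()
    y, m, d = iso_date.split("-")
    return {y, y[2:], m + d, d + m, m + d + y, d + m + y, m + d + y[2:]}


def transformations(token: str) -> set[str]:
    """Typical transformations of one token: case variants plus letter-to-special-character
    replacements, applied one letter at a time and all at once ("Alice" -> "Al1c3")."""
    token = token.strip()
    if not token:
        return set()
    bases = {token.lower(), token.capitalize(), token.upper()}
    out = set(bases)
    for base in bases:
        out.add("".join(SUBSTITUTIONS.get(c, c) for c in base))
        for letter, special in SUBSTITUTIONS.items():
            if letter in base:
                out.add(base.replace(letter, special))
    return out


def candidate_passwords(info: UserInfo) -> set[str]:
    """Stand-in for the trained network's output: every typical transformation of each
    user-specific token, alone or combined pairwise (e.g. name + birthdate piece) with
    common separators and suffixes. The result is derived from PII; treat it as sensitive."""
    tokens = {info.first_name, info.last_name, info.nickname, *info.extras} | date_tokens(info.birthdate)
    if info.phone:
        tokens |= {info.phone, info.phone[-4:]}
    tokens.discard("")
    variants: set[str] = set()
    for token in tokens:
        variants |= transformations(token)
    candidates = {v + suffix for v in variants for suffix in SUFFIXES}
    for a, b in permutations(variants, 2):
        for sep in SEPARATORS:
            for suffix in SUFFIXES:
                candidates.add(a + sep + b + suffix)
    return candidates


def merge_blacklists(*provider_lists: Iterable[str]) -> set[str]:
    """Union of the per-provider blacklists (each provider, e.g. a financial institution, supplies its own)."""
    merged: set[str] = set()
    for entries in provider_lists:
        merged.update(e.strip() for e in entries if e.strip())
    return merged


@dataclass(frozen=True)
class Verdict:
    action: str             # "block", "warn" or "ok"
    score: float            # best threshold-match score in [0, 1]
    closest: str | None     # candidate the password most resembles
    bypass_allowed: bool    # user may dismiss the warning and keep the password


def check_password(password: str, candidates: set[str], blacklist: set[str],
                   warn_at: float = 0.8, block_at: float = 0.95) -> Verdict:
    """Threshold match. Blacklisted or exactly predicted passwords are prohibited; a warning
    fires at or above warn_at and may be bypassed only while the score stays below block_at
    (the claims' predetermined threshold). Both threshold values are assumptions."""
    if password in blacklist or password in candidates:
        return Verdict("block", 1.0, password, False)
    best, closest = 0.0, None
    for cand in candidates:
        if abs(len(cand) - len(password)) > 3:     # cheap pre-filter before the ratio
            continue
        score = SequenceMatcher(None, password, cand).ratio()
        if score > best:
            best, closest = score, cand
    if best >= block_at:
        return Verdict("block", best, closest, False)
    if best >= warn_at:
        return Verdict("warn", best, closest, True)
    return Verdict("ok", best, closest, True)


# Constructed sample data, not taken from the page.
SAMPLE_USER = UserInfo("Alice", "Nguyen", "Ali", "1990-07-04", "5551234567", ("Rex",))
SAMPLE_BLACKLIST = merge_blacklists(
    ["password", "123456", "qwerty"],        # e.g. a bank's list
    ["letmein", "Welcome1", "password"],     # e.g. another provider's list
)

if __name__ == "__main__":
    cands = candidate_passwords(SAMPLE_USER)
    for pw in ("Al1c3_1990!", "password", "nguyen1990x7", "correct-horse-battery"):
        print(pw, check_password(pw, cands, SAMPLE_BLACKLIST))
```

Running the block shows the three outcomes the description distinguishes: an exact hit on a predicted string (here a name with substitutions joined to the birth year) or on a blacklist entry is blocked outright, a near miss such as the surname plus birth year with two extra characters scores between the two thresholds and draws a warning the user may bypass, and an unrelated passphrase passes. One caveat a practitioner would carry into a real deployment: the candidate set is a compact restatement of the user's personal data, so it belongs in memory for the duration of the check and nowhere in logs or storage.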
The blacklisted passwords may be provided by the service provider, such as a financial company, and thus may differ across different types of service providers. Various types of information specific to a user may be fed into the trained artificial neural network. For example, user-specific information may include the user's first, middle, and last names, the user's nickname, a birthdate, a social security number, a home address, a work address, telephone numbers (e.g., work, home, mobile), spousal information, the maiden name of the user's mother, etc., all of which may be provided directly by the user, for example during an application process. Further, publicly available user-specific information may also be fed into the trained artificial neural network, which may include the name of the user's pet, a hobby the user enjoys, information related to the user's profession, the user's education history (e.g., high school, college or university, graduate school), the user's favorite vacation des