Title of invention: SECURE OFF-LINE PASSWORD GENERATION AND RECALL DEVICE
Abstract: The invention provides a physical device which enables generation and recall of unique, secure authentication tokens (passwords) for a plurality of computer accounts for a single identity (user or group). Furthermore, an algorithm and method for producing any number of such physical devices, each unique to a user or group, is provided. The device typically consists of a printed card with a keying identifier composed of an issuing authority, user identity and issue number, which is used to generate the unique-per-device random data set, which is arranged into a tabular form beneath a heading which consists of all common characters (letters, digits and common punctuation) which may occur in the name or location of a computer account. The heading is consulted based upon some subset of the characters making up the computer account which is to be accessed (for example, but not restricted to, the initial 2 characters of the account, being the domain name of a web site, the name of a company or a company's internal network/domain name); characters are read in a downward columnar sequence from the chosen header columns, yielding a sequence of characters which, when combined with a user-memorized passphrase or word(s), further yields a unique per-user, per-device password for the account in question. To derive passwords which update or rotate sequentially in time (such as a bi-monthly password change mandated by a company's security policies), the aforementioned procedure is combined with the further step of encoding the current month, as a two-digit number with a leading zero ranging from 01 (January) to 12 (December), or abbreviation (jan/feb/mar, etc.) or other scheme, and using this encoding as a lookup into the aforementioned header to take additional characters, again read in a downward columnar sequence, to create a time-dependent password suffix.
The aforementioned keying identifier printed on the device allows re-issue of a duplicate card in the case of loss, or in the case of theft, generation of a new card with a differing random data set, accomplished by either changing the user identity or incrementing the issue number portion of said keying identifier.
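The procedure in the abstract, as an added Python example that is not part of the patent record or the applicant's own algorithm: it generates a card deterministically from the keying identifier, reads the columns for the first two account characters, and appends the month suffix. The issuer-held secret, the HMAC-SHA256 generator, the header and cell alphabets, the four-row depth, the identifier encoding, the passphrase-first ordering and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import string

# Assumed layout (not specified in the abstract): header set, cell alphabet, depth.
HEADER = string.ascii_lowercase + string.digits + "-._"
CELLS = string.ascii_letters + string.digits
ROWS = 4

def make_card(issuer_secret: bytes, authority: str, user: str, issue: int) -> dict:
    """Fill one ROWS-deep column per header character, keyed by the identifier."""
    key_id = f"{authority}/{user}/{issue}".encode()   # assumed identifier encoding

    def stream():
        # HMAC-SHA256 in counter mode: same secret + identifier -> same card.
        counter = 0
        while True:
            block = key_id + counter.to_bytes(4, "big")
            yield from hmac.new(issuer_secret, block, hashlib.sha256).digest()
            counter += 1

    limit = 256 - 256 % len(CELLS)   # reject bytes >= limit to avoid modulo bias
    picks = (CELLS[b % len(CELLS)] for b in stream() if b < limit)
    return {h: "".join(next(picks) for _ in range(ROWS)) for h in HEADER}

def read_columns(card: dict, chars: str) -> str:
    """Read each selected header column downward and concatenate the results."""
    missing = [c for c in chars.lower() if c not in card]
    if missing:
        raise ValueError(f"characters not in card header: {missing}")
    return "".join(card[c] for c in chars.lower())

def derive_password(card: dict, account: str, passphrase: str, month=None) -> str:
    """Passphrase + columns for the first two account characters + month suffix."""
    token = read_columns(card, account[:2])
    suffix = read_columns(card, f"{month:02d}") if month is not None else ""
    return passphrase + token + suffix

if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    secret = b"constructed-issuer-secret"
    card = make_card(secret, "ExampleCA", "alice", 1)
    print(derive_password(card, "example.com", "memorized words"))
    print(derive_password(card, "example.com", "memorized words", month=6))
    reissued = make_card(secret, "ExampleCA", "alice", 2)   # after theft
    print(derive_password(reissued, "example.com", "memorized words"))
```

Because the keying identifier is printed on the card, the table is only unpredictable if the generator is keyed with a secret the issuer keeps, which is why the example takes one.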
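Publication number: CA2895597(A1)  Publication date: 2016.12.29
Application number: CA20152895597  Filing date: 2015.06.29
Applicant: MAGEE, RUSSELL L.  Inventor: MAGEE, RUSSELL L.
Classification: G06F21/45  Main classification: G06F21/45
Agency:  Agent:
Main claim:
Address: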