When the COVID-19 pandemic started in March last year, companies and individuals moved their world online in unprecedented numbers. As protecting our digital spheres has become even more important, a new online tool, or password “brain” aims to help the public test their own passwords at home without the help of security experts.
The tool works by inserting a password — any combination of characters — into a browser. It tells the user if the combination is secure, or not, and, importantly — how to improve it. Red letters indicate they should be replaced for fear of hackers guessing the password; green characters are considered safe. Because the tool is so simple to use, consumers are empowered to test their passwords at home or without having to rely on consultants or cybersecurity experts selling exclusive services.
“The use of experts is very expensive, very cumbersome — it’s a very long process,” said Giuseppe Ateniese, a professor in computer science at Stevens Institute of Technology in Hoboken, New Jersey, who developed the tool along with Dario Pasquini, a Ph.D. researcher at Sapienza University in Rome. Massimo Bernaschi, the director of technology at the National Research Council of Italy, also collaborated on the project.
The colors (green and red) encode the probability assigned to each character, added Ateniese. The color-coded feedback mechanism reflects the probability of observing that specific character, knowing the values of the other characters. The result is displayed in a browser, without the need for intermediaries or costly coding experts.
In a different series of works, the same researchers developed novel AI-based techniques for password generation.This new technology is different from old password generators, which offered some level of protection but were easily hacked, said Ateniese. These early, “brute force algorithms,” he added, weren’t more sophisticated than the rules humans came up with.
Based on information gleaned from thousands of passwords leaked on the internet, the researchers came up with models that humans were most likely to use, such as substituting a “0” with a “1,” and other mnemotechnic tricks like including pets’ names, or combinations of spouses’ or children’s names. These techniques, Ateniese says, weren’t more powerful than the total combinatory prowess contained in a dictionary, in the sense that the experts would attack an information system with passwords as if they were generated by a dictionary — using words and symbols from their clients’ native languages until they got it right and cracked the password.
The new tool, or meter, however, relies on a “deep convolutional neural network” to model the probability of a password. The network is capable of learning on its own, using neural connections. To make it smarter, the researchers fed the network people’s passwords mined from data leaks online. The more passwords we fed to the network, Pasquini said, the more it would learn about the preferences of an individual user. What makes the tool so powerful is that “it is learning along the way.”
Their tool quickly learned all of the rules the experts came up with, reinforcing rules that worked and discarding those that didn’t. “And so we don't need any of the experts,” Ateniese said.
A sense of individual empowerment is what the team of researchers hopes to bestow: They’re encouraging companies and users to use their password tool on their own. “If a company wants to test the passwords of its own dataset during end testing, Pasquini said, “it can use this tool because it’s very fast and very cheap to run.” It’s a foolproof way to check weak passwords before it’s too late, he added.
In a time of ever-increasing attacks online and data breaches at large institutions, helping users understand and enhance their data security online was an important motivation. “My hope is that [the tool] will make systems more secure,” Ateniese said.
Learn more about computer science at Stevens: