Research & Innovation

Stevens Students Launch into the Cybersecurity Space with Password Management System

"Passteroid" is an Easy, Effective Consumer Security Solution

Has your password ever been compromised? According to Grand View Research, more than three billion passwords are stolen each year. By 2021, damages from cybersecurity breaches could exceed six trillion dollars. And research at Stevens Institute of Technology confirms that artificial intelligence technologies can crack even complex passwords in mere minutes.

Three Stevens computer science students are working to change that trajectory with their senior design project: Passteroid, a password management solution that aims to make online security both intuitive and effective while giving users more confidence and control. Their consumer-tier solution will be exhibited at the annual Stevens Innovation Expo—and they are also considering expanding into the business market.

"We were inspired by the substantial risks millions of individuals and enterprises face through increasingly frequent data breaches, and many institutions’ disappointing failure and lack of accountability to ensure the security of their users' information," says project leader Patrick Murray, whose longtime interest in space travel inspired both the project and its name, which merges "password" with "asteroid."

3-2-1 – Blastoff!

"Our Passteroid website uses security best practices to separate a user's online identity from other services, in turn reducing the risk of hacking, phishing and other attacks," Murray explains. "Users tend to use one password for all their accounts, but if one site isn’t properly secured, hackers can use that information to try to infiltrate other sites as well. With Passteroid, users enter account information for sites such as Target, Facebook and Google. Passteroid generates complex passwords for each account. From then on, they can still use one password to log into our site and, using a private authentication key code that only they can access, they will be logged in to all their other accounts on file. A breach on one account might reveal the user's password, but the user's credentials for other services would not be exposed."

Passteroid homepageScreencap of the Passteroid homepage. CREDIT: Team Passteroid

That private encryption key is Passteroid’s secret sauce. Unlike competitors such as LastPass and 1Password, the service doesn’t maintain a copy of the key, so the user maintains sole access to those private credentials.

"Passteroid only stores encrypted passwords, so even if there was a server leak, the information would be useless," adds teammate Ian Porada, a 2018 Stevens valedictorian whose back-end server experience from a summer job with Amazon proved valuable in the project coding. "Without the user’s key, no one can access the stored data. It’s an additional layer of security that helps build trust in us as a provider."

The team also found vulnerability in existing password managers’ autofill functionality so, to protect its users, Passteroid does not automatically redirect to other sites or complete information on other login screens. "Left unchecked, the autofill feature could be tricked to reveal credentials it is not permitted to view," Murray says. "To protect our users, Passteroid is set up to allow users to simply copy their credentials to their clipboard to paste into login forms."

Trust is a critical key to Passteroid’s success. "Our research into alternative password management product offerings revealed a surprisingly widespread lack of transparency," says Matthew LaForgia, the third member of the Passteroid trio, whose self-taught web development expertise helped ensure an intuitive and welcoming user experience. "Passteroid is a more robust, open and documented solution that clearly outlines the underlying mechanisms that protect our users' online identity."

The Passteroid students’ Stevens training served them well. "We followed the agile software development methodology we’ve learned, breaking the project into smaller goals, assigning tasks, and having weekly meetings," Murray explains. "Interestingly, we had originally planned to use a service such as Amazon for our back-end application program interface to make Passteroid as scalable as possible from the start. When we developed the front end, though, we realized that wasn’t the most viable solution, and we had to redo aspects of the project so that it could work for users now and grow as needed later. It was a reminder of the delicate balance between current and future visions in software design."

Passteroid VaultScreencap of the Passteroid password vault. CREDIT: Team Passteroid.

To Infinity and Beyond

Although Passteroid’s creation officially took an academic year, you could say it was really four years in the making.

"We’ve been friends since freshman orientation, and we’ve worked with each other on group projects, although Passteroid is by far the most significant," LaForgia says. "Now that we’re about to go our separate ways, it’s cool to cap out our senior year together and finish where it all began. I am proud and grateful that this wasn’t an assigned idea. We created it and designed it and built it from scratch. It is infused with our blood, sweat and tears, our late nights and coffee and stress. Now that it’s done, it’s like a child we’ve created together. It’s been a great way to smooth our transition from Stevens and prepare us for the real world."

Their stellar dedication and results have not gone unnoticed.

"This is a fantastic project in the exciting area of cybersecurity, and the team has worked well together," praises Aaron Klappholz, Stevens associate professor of computer science, and the Passteroid team’s project advisor. "It’s always especially interesting when a team of senior design students comes up with a startup project of their own. That spirit of innovation and entrepreneurship is what Stevens is all about."

See this project and many others at the 2018 Stevens Innovation Expo on May 2.