News
The Password Is Dead. Long Live the Password.
March 12, 2018
Is the password doomed? And if so, what’s next? NYIT faculty members are uncovering the flaws of using passwords and finding new ways to authenticate users, drawing on everything from a person’s location to their unique swiping style.
luckydog95
Password incorrect. Try again.
lucky!dog95
Incorrect. You have two attempts remaining.
Lucky!Dog!95!
Bingo.
We’ve all been there. With everything from email and social media accounts to banking, utilities, and online retailers requiring logins, the average person has an ever-increasing number of passwords to remember. Keeping tabs on them all is a big reason that one in three people continue to use variations of the same password (including, yes, “password”) for multiple accounts, even though they know they shouldn’t.
According to experts, the majority of user-generated passwords are vulnerable to hacking, even those with at least eight characters and a combination of letters, numbers, and symbols. NYIT Assistant Professor of Computer Sciences Paolo Gasti, Ph.D., is showing why that’s the case. Along with researchers at Stevens Institute of Technology, Gasti utilized Generative adversarial networks (GANs) to improve the rate passwords are guessed over existing methods. Unlike most tools built to crack passwords, the PassGAN system used by the team takes existing information and learns from those patterns to make educated guesses.
Cybersecurity 101
New York Tech experts offer tips for keeping your personal information safe:
Choose passwords wisely. Everyone knows: Don’t reuse passwords. While experts once recommended adding numbers and symbols to your password, Voris says that’s no help if those characters are added to a standard “dictionary word.” He says five or six words added together are a better option: “The added entropy provided by the longer sentence provides more randomness than a shorter password that just has a couple weird characters added in.”
Consider a password manager. “I would suggest a password manager that picks random and very long passwords and doesn’t require anyone to remember them,” says Gasti. “Make sure you have a very strong password for the password manager.” And don’t forget it.
Beware public wifi. When you’re communicating on public wifi, anyone can eavesdrop. Not only that, it’s possible for someone to intercept and alter communication between two parties. “It’s called ‘the-man-in-the-middle attack,’” says Dong. For greatest security, she suggests avoiding public wifi or using a trusted virtual private network (VPN).
That includes WHEN YOU chargE your phone. In any airport, you’ll see dozens of people charging their phones, tablets, and laptops while waiting for a flight. Bad idea, says Gasti, who says such devices are vulnerable to side channel attack. “I can’t say how much is revealed through this side channel, but evidence shows it might not be safe to do that. The safest thing is to turn off your phone before charging.”
Use Decoys. And there are sneakier ways to thwart cybercriminals. Voris suggests downloading multiple banking apps on your phone. That way, if someone steals your phone, they have no way of knowing what accounts are legitimate and what are not. The same strategy can be applied to a home or work desktop computer. “Put ‘high-stakes’ fake files on your computer, such as fake tax returns,” he suggests. “If those files are opened, that raises a red flag.”
For the purpose of testing PassGAN, Gasti and his colleagues started with 70 million leaked passwords. They ran the program for several days and generated 10 billion new passwords from that data. When they input a few million new passwords, Gasti says the machine was able to guess roughly half of them. “We knew passwords weren’t great, but this research was able to quantify how bad they are,” he says of their results. “It’s time to replace passwords or adopt better tools to protect them.”
The need to find a better solution is urgent, thanks to recent breaches of companies like Deloitte, Target, Equifax, and even the IRS, which have exposed sensitive customer information, including millions of user passwords. That has also increased the demand for skilled experts in the field of cybersecurity.
“It is exciting to see the evolution of cybersecurity education and research at NYIT, which began in 2005 by offering one of the first master’s degrees in Information, Network, and Computer Security (INCS) in the U.S.,” says School of Engineering and Computing Sciences Dean Nada Marie Anid, Ph.D. “We are proud to be producers of students who have the right credentials in the high-demand field of cybersecurity, whether in business, government, or education.”
Gasti is one of several NYIT faculty who involves students in his research. In addition to his work with PassGAN, he is actively engaged in research about user authentication, in particular with regards to mobile devices. “Phones and tablets are really where we’re going in terms of computing, and they are also more susceptible to loss or theft, so it makes more sense to focus on those,” says Gasti.
It’s also more difficult to type complex passwords on a phone than a computer keyboard. That’s one reason mobile devices have moved to using biometrics to authenticate users (think fingerprint sensors or the facial recognition feature on the iPhone X). But although those methods are effective, they require a user to stop what they are doing to sign in and they don’t protect the device after the initial login. “Have you ever had anyone take your phone from your hand and start using it?” poses Gasti.
Incidents like this are why engineers are looking into continuous authentication, but developing ways for devices to constantly determine that “you are who you say you are” is tricky. Imagine if your phone showed a pop-up asking for your fingerprint every 30 seconds. “It would be pretty annoying,” says Gasti. “We’re trying to improve authentication frequency and security, but without the annoyance.”
Gasti and School of Engineering and Computing Sciences Associate Professor Kiran Balagani, Ph.D., co-direct NYIT’s Laboratory for Behavioral Authentication, Machine Learning, and Privacy (LAMP), which provides a conduit for research in machine learning and cryptography applied to authentication and privacy. With funding from DARPA (Defense Advanced Research Projects Agency), they are studying hand movement, orientation, and grasp (HMOG) to continuously authenticate smartphone users.
Along with colleagues at the College of William and Mary, Gasti, Balagani, and visiting graduate student Zdenka Sitová conducted a user study to collect a wide array of signals about user behaviors on smartphones.
“Everyone holds and swipes the phone in a slightly different way. We’re measuring how these movements happen and when and how long they last,” explains Gasti. “The goal is to be able to leverage that information to distinguish between the owner and somebody else. [The method for authenticating] would be completely seamless. You don’t even know it’s happening until somebody takes your phone and it locks automatically.”
The challenge with systems that run continuously in the background is that they use a lot of power. “As the industry moves to using biometrics and away from passwords to authenticate a user, technology is needed to recognize users accurately and economically without draining a battery’s life,” says Balagani.
With funding from the National Science Foundation, a second LAMP project is underway to devise new techniques that reduce the energy cost of cryptographic authentication protocols on smartphones. “The goal is to be able to run the authentication with no impact on your battery,” says Gasti.
Ziqian (Cecilia) Dong, Ph.D., associate professor of electrical and computer engineering, focuses on a different aspect of authentication: a user’s location. With location services built into most devices, a person’s phone functions like a tracker. The device is also a sophisticated log of geographic locations a user is likely to visit. If those location patterns are disrupted, it could send an alert that the device or login has been hacked. “It’s called location-based authentication,” Dong says. “My research looks at using network measurement to detect the distance that you could be claiming from where you are.”
It works like this: Every computer or mobile device gives off a location via its IP address. If you ping another computer, there is an expected time measurement based on distance. “So, if there is a huge bias in terms of the norm of what I expect to see in a delay measurement, that should raise a red flag,” says Dong, who likens the process to when a credit card company alerts you that a purchase has been made outside your home country. “This could be added as another means of authentication,” she adds.
And there are more ways that engineers can exploit deviations in normal behavior to verify authentication. Assistant Professor Jonathan Voris, Ph.D., has developed novel techniques for addressing insider threats against both desktop and mobile platforms as part of the DARPA Active Authentication Program. Most people are creatures of habit. Every time they use their computer or their phone, they sequence through the same programs or files in a similar order. “You know what programs you’re going launch when you log in, but someone else using your system for the first time would have to make a really educated guess at your normal workflow,” says Voris. (He is also conducting similar research on driver authentication by how drivers operate their cars through funding from the University Transportation Research Center.) The thought is that even if a user’s sign-in credentials are hacked, the computer can detect deviations from past user behavior. “It doesn’t necessarily mean something malicious has occurred, but it raises a red flag that something potentially suspicious could be happening,” Voris says.
With the increasing use of mobile devices by individuals and cloud-based storage systems by organizations, the importance of strong cybersecurity cannot be overemphasized. It’s one reason NYIT has sponsored a major cybersecurity conference for the past eight years. “There’s been a tremendous increase of personal information stored electronically,” says Dong. “With all of this information in the cloud and all of these portable and wearable devices, there are increasing points of entry for hackers. Security needs to keep up.”
Cybersecurity 101
New York Tech experts offer tips for keeping your personal information safe:
Choose passwords wisely. Everyone knows: Don’t reuse passwords. While experts once recommended adding numbers and symbols to your password, Voris says that’s no help if those characters are added to a standard “dictionary word.” He says five or six words added together are a better option: “The added entropy provided by the longer sentence provides more randomness than a shorter password that just has a couple weird characters added in.”
Consider a password manager. “I would suggest a password manager that picks random and very long passwords and doesn’t require anyone to remember them,” says Gasti. “Make sure you have a very strong password for the password manager.” And don’t forget it.
Beware public wifi. When you’re communicating on public wifi, anyone can eavesdrop. Not only that, it’s possible for someone to intercept and alter communication between two parties. “It’s called ‘the-man-in-the-middle attack,’” says Dong. For greatest security, she suggests avoiding public wifi or using a trusted virtual private network (VPN).
That includes WHEN YOU chargE your phone. In any airport, you’ll see dozens of people charging their phones, tablets, and laptops while waiting for a flight. Bad idea, says Gasti, who says such devices are vulnerable to side channel attack. “I can’t say how much is revealed through this side channel, but evidence shows it might not be safe to do that. The safest thing is to turn off your phone before charging.”
Use Decoys. And there are sneakier ways to thwart cybercriminals. Voris suggests downloading multiple banking apps on your phone. That way, if someone steals your phone, they have no way of knowing what accounts are legitimate and what are not. The same strategy can be applied to a home or work desktop computer. “Put ‘high-stakes’ fake files on your computer, such as fake tax returns,” he suggests. “If those files are opened, that raises a red flag.”
This article originally appeared in the Winter 2018 issue of NYIT Magazine.
