California State University, Long Beach
Inside CSULB Logo

Does The Perfect Password Exist?

Published: October 15, 2014

In a time when nearly 5 million Gmail usernames and passwords can be leaked on a Russian Internet forum, the importance of cyber-security has never been timelier—particularly since it’s National Cyber Security Awareness Month—but Computer Engineering and Computer Science’s Mehrdad Aliasgari is ready with an answer.

Aliasgari and his students, working in the department’s new security lab in ECS 307, are working to build a better password manager.

“Recently, some people have begun using software called password managers,” said Aliasgari, who joined the university in 2013. “They are digital versions of writing down a password that serve as vaults. The problem is protecting the vault.”

Threats to the password vault abound, even from the password managers themselves who are tempted to sell the information they find for advertising. “What if the storage file is accidentally deleted? What happens if the phone is dropped in the sink? Users employ the password manager to protect more than passwords such as social security numbers or credit cards. That makes the situation even worse. All your work depends on one application. All your work is in danger,” he said.

The worth of password managers is their ability to create stronger passwords. But even a password manager needs a password. “The problem with that is that you are asking a human being to rely on one totally guessable password,” he said. “That password will be very easy to guess. We think we have an interesting solution we call `Sesame’ in honor of the password to Ali Baba’s magic cave.”

Aliasgari challenged his students to implement a solution that is secure, convenient and works on Android and, in the near future, also on iOS. He quickly noted that security and convenience don’t go hand in hand all the time.

“If anything, they are opposites,” he said. “The more you have of one, the less you have of the other. If history has taught us anything, it is that people opt for convenience. That makes it a lot easier for hackers. It is easy to breach security this way.” What his students and he came up with is free and will be available to CSULB for downloading as an application as early as this month.

The application begins with users providing the application a password or allowing the application to generate a password for each website. The application encrypts each password in a way that needs a double-encrypted key. “Each key is unique. No key is re-used. That substantially increases security,” he explained.

Users will be able to speak their way to security. “Every time a user wants to look at passwords to sites such as Facebook, they don’t have to remember anything,” he said. “Their voices grant access to the Facebook password. All the users have to do to launch the application is to say out loud `Facebook’ and their words are confirmed using voice recognition technology. And even if the user loses his or her phone, the application can be attached to multiple devices. We feel our approach helps solve the password problem. Users have convenience because the user doesn’t have to remember much.”

Mehrdad Aliasgari

Biometrics are the key. “As long as users keep their voices the same, and there is a really good chance they will do that, they have full control of their passwords,” he said. “Service providers like Facebook won’t need to make any changes. Users can enjoy the luxury of having a really complicated long password that is hard to guess but they don’t have to memorize. It will be stored in their choice of storage in a provable secure fashion. We know you shouldn’t ask too much of a human being because they always will opt for convenience. All you need to remember now is your own voice.”

Aliasgari earned his bachelor’s degree in electrical engineering from Sharif University of Technology in Iran and his doctorate in computer science and engineering from the University of Notre Dame in 2013.

This new level of password security represents the wave of the future.

“All password security measures begin in frustration,” he explained. “There is plenty of frustration over how passwords have been used up to now. There was a time when a web service needed only one-character passwords. Other passwords could be as simple as 1234. New research shows that the most common password today is ‘iloveyou.’ People are really frustrated. Both in academia and industry, there has been a search for the password alternative. Biometrics are one alternative yet they have their own problems. If the biometric password is lost, it is gone forever. That is why the use of passwords has hung on. As bad as they are, they are better than the alternatives. But the frustration never goes away.”

There is no perfect password. The search for a more robust and yet practical way of authentication will go on.

“This problem is not going away but we can try to improve on it,” Aliasgari concluded. “Cyber-security is an ongoing battle. You just have to stay ahead of the curve. For authentication, passwords are not going anywhere. Their structure is becoming more demanding. Users are being asked to use symbols and weird characters. Biometrics, physical devices and words combine to create authentication. We’ll just have to keep working. You never know what the other guys are up to.”