What It Does
Most cybersecurity tools treat passwords as isolated objects: they check whether a single password is strong by looking at its length and special characters. That misses the real problem. People do not just reuse the same password; they reuse the same pattern: a pet name, a birth year, a favorite sports team. These habits show up in every password a person creates, and they are exactly what attackers look for. EchoVault exposes that gap by analyzing multiple passwords together and showing the psychological fingerprint behind them.
What We Built
EchoVault is a password psychology analyzer. A user enters 2 to 5 of their past passwords and the app finds the patterns behind them using two tools working together.
The first tool is a Random Forest machine learning model trained on 10,000 real-world common passwords and 5,000 randomly generated strong passwords. It looks at 13 features of each password, such as length, entropy, whether it contains a year, keyboard patterns, and symbol substitutions, and gives each password a crackability score from 0 to 100.
The second tool is the Google Gemini API. It receives those scores along with the passwords and generates a plain English summary of the user's password habits, a list of passwords an attacker would specifically try against them, and three tips to help them do better.
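As an added illustration (this is not the project's code, which is not on the page), the following Python computes a handful of the per-password features the text names and then does the cross-password step that is EchoVault's thesis: finding the stem, year habit and substitution habit that recur across the set and turning them into the guesses an attacker would try first. The keyboard rows, the leet table, the year range, the five sample passwords and the candidate-guess shapes are all constructed assumptions, and the guess list is a simple heuristic rather than the Gemini output the page describes.

```python
import math
import re
from collections import Counter

# Constructed sample input: a fictional user's past passwords, not real data.
SAMPLE_PASSWORDS = ["Rex2019!", "rex_2020", "R3x!2021", "Bulldogs99", "rex1234"]

# Assumed helper tables; the project's own feature definitions are not on the page.
YEAR_RE = re.compile(r"(?:19[5-9]\d|20[0-4]\d)")
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
LEET_CHARS = "0134$@"
LEET_TABLE = str.maketrans(LEET_CHARS, "oleasa")


def shannon_entropy(pw):
    """Bits per character from the password's own symbol frequencies."""
    n = len(pw)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(pw).values())


def keyboard_walk(pw, min_len=3):
    """True if the password contains min_len adjacent keys from one row, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - min_len + 1):
            seg = row[i:i + min_len]
            if seg in low or seg[::-1] in low:
                return True
    return False


def core(pw):
    """The password with years and leading/trailing digit or symbol runs removed."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", YEAR_RE.sub("", pw))


def stem(pw):
    """Undo leet spellings in the core to expose the word the user keeps reusing
    ("R3x!2021" -> "rex")."""
    return core(pw).lower().translate(LEET_TABLE)


def features(pw):
    """Per-password features of the kind the text lists (a subset of its 13)."""
    return {
        "length": len(pw),
        "entropy": round(shannon_entropy(pw), 3),
        "has_year": bool(YEAR_RE.search(pw)),
        "keyboard_walk": keyboard_walk(pw),
        "leet_in_stem": sum(ch in LEET_CHARS for ch in core(pw)),
        "has_upper": any(ch.isupper() for ch in pw),
        "has_symbol": any(not ch.isalnum() for ch in pw),
        "digit_ratio": round(sum(ch.isdigit() for ch in pw) / len(pw), 3) if pw else 0.0,
    }


def cross_password_report(passwords):
    """The step single-password checkers skip: what recurs across the whole set."""
    stems = Counter(s for s in map(stem, passwords) if s)
    years = sorted({m.group(0) for p in passwords for m in YEAR_RE.finditer(p)})
    return {
        "recurring_stems": [s for s, c in stems.most_common() if c >= 2],
        "years": years,
        "year_reuse": len(years) >= 2,
        "leet_used": any(features(p)["leet_in_stem"] > 0 for p in passwords),
    }


def attacker_candidates(report, next_year=2022):
    """Targeted guesses from the report: each recurring stem combined with the years
    already seen plus the next one, in the casing/suffix shapes observed.
    (A simple heuristic list; the page's own guess list comes from Gemini.)"""
    years = sorted(set(report["years"]) | {str(next_year)})
    guesses = set()
    for s in report["recurring_stems"]:
        for y in years:
            guesses.update({f"{s}{y}", f"{s}_{y}", f"{s.capitalize()}{y}!"})
    return sorted(guesses)


if __name__ == "__main__":
    for p in SAMPLE_PASSWORDS:
        print(p, features(p))
    report = cross_password_report(SAMPLE_PASSWORDS)
    print(report)
    print(attacker_candidates(report))
```

Run on the sample set, the report finds the stem "rex" in four of five passwords and three consecutive years, and the candidate list it derives contains "Rex2019!", one of the user's actual passwords, which is the point: no single-password checker would have flagged that habit.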
EchoVault is designed to work best on larger sets of passwords, such as a leaked credential database or a full password-history export: the more passwords it sees from one person, the more reliable the pattern detection becomes. Because the passwords themselves are sent to the Gemini API along with their scores, the input should be treated as sensitive: use retired passwords or an offline dataset rather than live credentials, and keep the submitted values out of logs. Due to time constraints we built a small frontend to demonstrate the concept, but the core engine is built to scale.
How We Built It
We split the work into three roles over 12 hours. One person handled the Flask backend and Gemini API connection. One person built the frontend in HTML, CSS, and JavaScript. One person built and trained the machine learning model using scikit-learn and the Xato password dataset.
The backend runs the ML model first, then passes those scores into the Gemini prompt so both tools are working from the same information. The results are combined into one response and displayed on a results page with scores, charts, and the AI analysis.
Challenges We Ran Into
The biggest challenge was making the ML model and Gemini work together instead of against each other. Early on they would sometimes disagree on whether a password was weak or strong. We fixed this by passing the ML scores directly into the Gemini prompt and telling it to explain the results rather than come up with its own scores.
Getting Gemini to return clean JSON every time was also tricky. It would sometimes wrap the response in extra formatting even when told not to. We wrote a cleaning function to strip that out before reading the data.
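The two fixes described above, handing the ML scores to Gemini as fixed inputs and cleaning up its reply before reading it, come down to three small pieces: a prompt builder, a JSON extractor and a validator that keeps the ML scores authoritative. The Python below is an added example, not the project's backend; the prompt wording, the field names ("summary", "likely_guesses", "tips"), the assumption that the "extra formatting" is a markdown code fence, and the four constructed replies are all assumptions. No API call is made; the block runs offline on the constructed replies.

```python
import json
import re

# Constructed examples of raw model replies showing the failure modes the text
# describes: clean JSON, JSON wrapped in a markdown fence, JSON surrounded by chatter,
# and JSON where the model invented its own scores despite being told not to.
RAW_REPLIES = [
    '{"summary": "Clean", "likely_guesses": ["rex2022"], "tips": ["a", "b", "c"]}',
    '```json\n{"summary": "Fenced", "likely_guesses": [], "tips": ["a", "b", "c"]}\n```',
    'Sure, here is the analysis:\n```\n{"summary": "Chatty", "likely_guesses": ["x"],'
    ' "tips": ["a", "b", "c"]}\n```\nHope this helps!',
    '{"summary": "Overreach", "likely_guesses": [], "tips": ["a", "b", "c"], "scores": [10, 10]}',
]

FENCE_RE = re.compile(r"```(?:json)?\s*(.*?)```", re.DOTALL)
REQUIRED = {"summary": str, "likely_guesses": list, "tips": list}  # assumed contract


def build_prompt(passwords, ml_scores):
    """Hand the ML scores to the LLM as fixed inputs and ask it only to explain them."""
    rows = "\n".join(f"- {p}: crackability {s}/100" for p, s in zip(passwords, ml_scores))
    return (
        "These passwords were scored by a trained model; the scores are final and "
        "must not be changed or re-estimated:\n" + rows + "\n"
        "Explain the habits these scores reveal. Reply with a single JSON object and "
        'nothing else, with keys "summary" (string), "likely_guesses" (list of strings) '
        'and "tips" (list of exactly three strings).'
    )


def extract_json(raw):
    """Strip a markdown fence if present, otherwise take the outermost {...} span, then parse."""
    m = FENCE_RE.search(raw)
    body = m.group(1) if m else raw
    start, end = body.find("{"), body.rfind("}")
    if start == -1 or end <= start:
        raise ValueError("no JSON object in model reply")
    return json.loads(body[start:end + 1])


def validate_analysis(obj, ml_scores):
    """Enforce the division of labour: required keys with the right types, exactly
    three tips, and any extra keys the model added (such as its own scores) are
    dropped so the ML scores stay authoritative."""
    for key, typ in REQUIRED.items():
        if not isinstance(obj.get(key), typ):
            raise ValueError(f"missing or wrong-typed field: {key}")
    if len(obj["tips"]) != 3:
        raise ValueError("expected exactly three tips")
    cleaned = {k: obj[k] for k in REQUIRED}
    cleaned["scores"] = list(ml_scores)
    return cleaned


def parse_model_reply(raw, ml_scores):
    """Full path from raw reply to the structure the results page renders."""
    return validate_analysis(extract_json(raw), ml_scores)


if __name__ == "__main__":
    print(build_prompt(["Rex2019!", "rex1234"], [82, 40]))
    for raw in RAW_REPLIES:
        print(parse_model_reply(raw, [82, 40]))
```

The validator is the part that makes the "explain, don't score" rule stick in code rather than only in the prompt: even when the model returns its own "scores" key, the response the frontend sees carries the Random Forest scores, and a reply that is missing a field or has the wrong number of tips is rejected instead of rendered half-empty.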
The ML model also struggled with passwords in the middle range. Because the training data contained only the two extremes, common leaked passwords and randomly generated strong ones, the model had seen no borderline examples and pushed those passwords toward the weak end. The Gemini layer helps cover that gap with a more detailed explanation, though it does not change the underlying score.
Accomplishments That We Are Proud Of
We are proud that the two core systems actually work together as intended. The ML model scores passwords based on hard data and the Gemini layer explains the human reasoning behind those scores. Getting two completely different AI tools to complement each other rather than conflict took real design decisions and we are happy with how it turned out.
We are also proud that we built a working end to end product in 12 hours as a team of three with no prior API experience going into the day.
What We Learned
Working with the Gemini API taught us how much the wording of a prompt matters. Small changes in how we asked Gemini to respond made a big difference in the quality of the output. We also learned that combining a machine learning model with an AI tool requires a clear plan for which one does what. Without that the results can conflict instead of work together.
What's Next for Echo Vault
The next step would be pointing EchoVault at real scale data. Instead of a manual input form, the tool could ingest a full password history file or a credential dataset and run the same analysis across thousands of entries at once. That is the version of this tool that would have real world security value for organizations doing internal audits or researchers studying password behavior at scale.
Built With
- css
- flask
- google-gemini-api
- html
- javascript
- joblib
- numpy
- python
- python-dotenv
- scikit-learn