Cormac Herley

·       D. Florencio, C. Herley and P.C. van Oorschot, "An Administrator's Guide to Internet Password Research", Proc. Usenix LISA, 2014

·       D. Florencio, C. Herley and P.C. van Oorschot, "Password Portfolios and the Finite-Effort User: Sustainably Managing Large Numbers of Accounts", Proc. Usenix Security, 2014

·        S. Komanduri, R. Shay, L. Cranor, C. Herley and S. Schechter, "Telepathwords: preventing weak passwords by reading users' minds", Proc. Usenix Security 2014

·       S. Egelman, A. Sotirakopoulos, I. Muslukhov, K. Beznosov and C. Herley, "Does My Password Go up to Eleven? The Impact of Password Meters on Password Selection" Proc. ACM CHI 2013

·       J. Bonneau, C. Herley, P.C. van Oorschot and F. Stajano, “The quest to replace passwords: a framework for comparative evaluation of web authentication schemes,” IEEE Symposium on Security and Privacy 2012.

·       D. Florencio and C. Herley, "Where Do Security Policies Come From?" Symp. On Usable Privacy and Security, 2010.

·       S. Schechter, C. Herley and M. Mitzenmacher, "Popularity is Everything: a new approach to protecting passwords from statistical-guessing attacks," Proc. HotSEC 2010

·       D. Florencio and C. Herley, "Where Do Security Policies Come From?", SOUPS 2010 [Best paper award at SOUPS]

·       C. Herley, P.C. van Oorschot and A.S. Patrick, "Passwords: If We're So Smart Why Are We Still Using Them?" Financial Crypto 2009

·       C. Herley, "So Long, and No Thanks for the Externalities: the Rational Rejection of Security Advice by Users," New Security Paradigms Workshop 2009, Oxford.

·       D. Florencio and C. Herley, “A Large Scale Study of Web Password Habits,” WWW 2007, Banff.

·       Bharambe, C. Herley and V. Padmanabhan, “Analyzing and Improving a BitTorrent Network's Performance Mechanisms,” Proc. IEEE InfoCom 2006.

·       D. Florencio and C. Herley, “KLASSP: Entering Passwords on a Spyware Infected Machine Using a Shared-Secret Proxy,” Proc. ACSAC 2006.

·       D. Florencio and C. Herley, “Password Rescue: A New Approach to Phishing Prevention,” Usenix HotSEC ’06, Vancouver

·       C. Herley and D. Florencio, “How to Login from an Internet Cafe Without Worrying about Keyloggers,” Symp. On Usable Privacy and Security ’06

·       D. Florencio and C. Herley, “Analysis and Improvement of Anti-Phishing Schemes,” Proc. SEC 2006.


I am a Principal Researcher at Microsoft Research. I am interested in data analysis and security problems. My current interests include data-mining for fraud and abuse, authentication, safety and data-driven security. I received the PhD from Columbia University, the MSEE from Georgia Tech and the BE from University College Cork, Ireland.

Some of my recent work explains why Nigerian scammers say they’re from Nigeria, why those scary numbers you hear about billions lost to cybercrime are junk, why you’re right to suspect that most security advice is a waste of time, and why security can seem more religion than science.

Here’s a short profile of me done by MSR. Some media coverage of my work: All Things Considered (NPR), the Boston Globe, the NY Times, Wired, Ars Technica, the Atlantic, Bloomberg TV, The Economist, the Wall St Journal. An OpEd I wrote for the NY Times.

Email: firstname at microsoft dot com

Twitter: @cormacherley