Cormac Herley

Cormac Herley       D. Florencio, C. Herley and P.C. van Oorschot, "An Administrator's Guide to Internet Password Research", Proc. Usenix LISA, 2014

·       D. Florencio, C. Herley and P.C. van Oorschot, "Password Portfolios and the Finite-Effort User: Sustainably Managing Large Numbers of Accounts", Proc. Usenix Security, 2014

·        S. Komanduri, R. Shay, L. Cranor, C. Herley and S. Schechter, "Telepathwords: preventing weak passwords by reading users' minds", Proc. Usenix Security 2014

·       S. Egelman, A. Sotirakopoulos, I. Muslukhov, K. Beznosov and C. Herley, "Does My Password Go up to Eleven? The Impact of Password Meters on Password Selection" Proc. ACM CHI 2013

·       J. Bonneau, C. Herley, P.C. van Oorschot and F. Stajano, “The quest to replace passwords: a framework for comparative evaluation of web authentication schemes,” IEEE Symposium on Security and Privacy 2012.

·       D. Florencio and C. Herley, "Where Do Security Policies Come From?" Symp. On Usable Privacy and Security, 2010.

·       S. Schechter, C. Herley and M. Mitzenmacher, "Popularity is Everything: a new approach to protecting passwords from statistical-guessing attacks," Proc. HotSEC 2010

·       D. Florencio and C. Herley, "Where Do Security Policies Come From?", SOUPS 2010 [Best paper award at SOUPS]

·       C. Herley, P.C. van Oorschot and A.S. Patrick, "Passwords: If We're So Smart Why Are We Still Using Them?" Financial Crypto 2009

·       C. Herley, "So Long, and No Thanks for the Externalities: the Rational Rejection of Security Advice by Users," New Security Paradigms Workshop 2009, Oxford.

·       D. Florencio and C. Herley, “A Large Scale Study of Web Password Habits,” WWW 2007, Banff.

·       Bharambe, C. Herley and V. Padmanabhan,“Analyzing and Improving a BitTorrent Network's Performance Mechanisms,” Proc. IEEE InfoCom 2006.

·       D. Florencio and C. Herley,“KLASSP: Entering Passwords on a Spyware Infected Machine Using a Shared-Secret Proxy,” Proc. ACSAC 2006.

·       D. Florencio and C. Herley, “Password Rescue: A New Approach to Phishing Prevention,” Usenix HotSEC ’06, Vancouver

·       C. Herley and D. Florencio, “How to Login from an Internet Cafe Without Worrying about Keyloggers,” Symp. On Usable Privacy and Security ‘06

·       D. Florencio and C. Herley,“Analysis and Improvement of Anti-Phishing Schemes,” Proc. SEC 2006. 

Science of Security:

Much in computer security involves recommending defensive measures: telling people how they should choose and maintain passwords, manage their computers, and so on. We show that claims that any measure is necessary for security are empirically unfalsifiable. That is, no possible observation contradicts a claim of the form “if you don’t do X you are not secure.” A consequence is that self-correction operates only in one direction. If we are wrong about a measure being sufficient, a successful attack will demonstrate that fact, but if we are wrong about necessity, no possible observation reveals the error. The fact that claims of necessity are easy to make, but impossible to refute, makes waste inevitable and cumulative.



Password strength: too much and not enough

Users are constantly encouraged to choose stronger passwords, but when does it actually make a difference, and how much is enough? We find that offline guessing is less of a factor than commonly thought, even when the password file is stolen. Further, once a password is strong enough to withstand online guessing, increases in strength that fall short of what's needed to withstand offline guessing are wasted. Passwords in this online-offline chasm waste effort since they do too much for online guessing and not enough for offline.



don't care region




















Why do Nigerian Scammers say they are from Nigeria?

We've all received variants of the Nigerian email scam. A stranger asks for help to rescue a hidden fortune from corrupt officials and wicked in-laws. Who falls for those crazy stories? Who hasn't seen it hundreds of times already? The fabulous tales may be a feature, not a bug. Because of the long odds of finding people who'll go all the way and not back out at some point the scammer needs to identify those who are credulous and who haven't seen it before. "By sending an email that repels all but the most gullible the scammer gets the most promising marks to self-select, and tilts the true to false positive ratio in his favor."

The Quest to Replace Passwords:

People have been predicting the death of passwords for a long time, and yet we rely on them more than ever. We examine two decades worth of proposed replacements against usability, deployability and security benefits that an ideal scheme might provide. "Not only does no known scheme come close to providing all desired benefits: none even retains the full set of benefits that legacy passwords already provide."



Sex, Lies and Cyber-crime Surveys:

We show that survey-based estimates of cyber-crime losses have systematic biases; errors are cumulative and directional; a single outlier answer can make a 10x difference in the estimate. This doesn't mean that cyber-crime isn't a big deal, but those eye-popping numbers about billions being made by cyber-criminals are junk. WEIS paper and invited NY Times OpEd.


The Rational Rejection of Security Advice:

"Looking at various examples of security advice we find that the advice is complex and growing, but the benefit is largely speculative or moot. For example, much of the advice concerning passwords is outdated and does little to address actual treats, and fully 100% of certificate error warnings appear to be false positives. Further, if users spent even a minute a day reading URLs to avoid phishing, the cost (in terms of user time) would be two orders of magnitude greater than all phishing losses."


This paper caused quite a stir when it came out: e.g. NPR, Boston Globe, CBS News, slashdot, slashdot [again], techrepublic, internet evolution, NewSchoolScurity, SecurityNow!