Guess Again (and Again and Again): Measuring Password Strength by Simulating Password-Cracking Algorithms
TLDR
An efficient distributed method is developed for calculating how effectively several heuristic password-guessing algorithms guess passwords, and the relationship between guessability, as measured with password-cracking algorithms, and entropy estimates is investigated.
Of passwords and people: measuring the effect of password-composition policies
TLDR
A large-scale study investigates password strength, user behavior, and user sentiment across four password-composition policies, and describes the predictability of passwords by calculating their entropy, finding that a number of commonly held beliefs about password composition and strength are inaccurate.
Encountering stronger password requirements: user attitudes and behaviors
TLDR
An entropy analysis is performed, showing that, although most users were annoyed by the need to create a complex password, they believe they are now more secure; these findings can help in designing better password policies.
You Get Where You're Looking for: The Impact of Information Sources on Code Security
TLDR
Analyzing how the use of information resources impacts code security confirms that API documentation is secure but hard to use, while informal documentation such as Stack Overflow is more accessible but often leads to insecurity.
How Does Your Password Measure Up? The Effect of Strength Meters on Password Creation
TLDR
It was found that meters with a variety of visual appearances led users to create longer passwords; however, significant increases in resistance to a password-cracking algorithm were only achieved using meters that scored passwords stringently.
Measuring Real-World Accuracies and Biases in Modeling Password Guessability
TLDR
It is found that semi-automated cracking by professionals outperforms popular fully automated approaches, but can be approximated by combining multiple such approaches, and constitutes the first scientific evidence that automated guessing can often approximate guessing by professionals.
Comparing the Usability of Cryptographic APIs
TLDR
This paper is the first to examine both how and why the design and resulting usability of different cryptographic libraries affects the security of code written with them, with the goal of understanding how to build effective future libraries.
Measuring password guessability for an entire university
TLDR
This work studies the single-sign-on passwords used by over 25,000 faculty, staff, and students at a research university with a complex password policy to find significant correlations between a number of demographic and behavioral factors and password strength.
Security Developer Studies with GitHub Users: Exploring a Convenience Sample
TLDR
An experiment in which 307 active GitHub users were recruited to each complete the same security-relevant programming tasks, finding differences in performance for both security and functionality related to the participant's self-reported years of experience, but no statistically significant differences related to their self-reported status as a student, status as a professional developer, or security background.
You are Not Your Developer, Either: A Research Agenda for Usable Security and Privacy Research Beyond End Users
TLDR
A research agenda aimed at developing a high-quality, comprehensive literature for usable security for developers is proposed, including investigating how to conduct reliable research in this context, understanding developers' attitudes, knowledge, and priorities, measuring the status quo, and developing improved tools and interventions in the future.