
Cormac Herley

Principal Researcher


I am a Principal Researcher at Microsoft Research. I am interested in data and signal analysis problems that reduce complexity and remove pain points for users. My current interests include data-mining for fraud and abuse, authentication, safety and data-driven security.




















I received my PhD from Columbia University, my MSEE from Georgia Tech and my BE from University College Cork, Ireland.


  • J. Bonneau, C. Herley, P.C. van Oorschot and F. Stajano, “Passwords and the Evolution of Imperfect Authentication”, Commun. ACM, July 2015
  • D. Florencio, C. Herley and P.C. van Oorschot, “An Administrator’s Guide to Internet Password Research”, Proc. Usenix LISA, 2014
  • D. Florencio, C. Herley and P.C. van Oorschot, “Password Portfolios and the Finite-Effort User: Sustainably Managing Large Numbers of Accounts”, Proc. Usenix Security, 2014
  • S. Komanduri, R. Shay, L. Cranor, C. Herley and S. Schechter, “Telepathwords: preventing weak passwords by reading users’ minds”, Proc. Usenix Security 2014.

  • S. Egelman, A. Sotirakopoulos, I. Muslukhov, K. Beznosov and C. Herley, “Does My Password Go up to Eleven? The Impact of Password Meters on Password Selection” Proc. CHI 2013
  • J. Bonneau, C. Herley, P.C. van Oorschot and F. Stajano, “The quest to replace passwords: A framework for comparative evaluation of web authentication schemes,” IEEE Symp. Security & Privacy 2012.
  • C. Herley and P.C. van Oorschot, “A Research Agenda Acknowledging the Persistence of Passwords,” IEEE Security and Privacy magazine, Jan. 2012.
  • S. Schechter, C. Herley and M. Mitzenmacher, “Popularity is Everything: a new approach to protecting passwords from statistical-guessing attacks,” Proc. HotSEC 2010
  • D. Florencio and C. Herley, “Where Do Security Policies Come From?”, SOUPS 2010 [Best paper award at SOUPS]
  • C. Herley, P.C. van Oorschot and A.S. Patrick, “Passwords: If We’re So Smart Why Are We Still Using Them?” Financial Crypto 2009
  • D. Florencio and C. Herley, “A Large Scale Study of Web Password Habits,” WWW 2007, Banff.
  • D. Florencio, C. Herley and B. Coskun, “Do Strong Web Passwords Accomplish Anything?,” Usenix HotSEC ’07, Boston.

Economics of Cybercrime:

  • M. Javed, C. Herley, M. Peinado, V. Paxson, “Measurement and Analysis of Traffic Exchange Services,” Proc. Internet Measurement Conf, 2015
  • D. Florencio, C. Herley and A. Shostack, “FUD: a plea for intolerance,” Comm. ACM June 2014.
  • C. Herley, “Security, Cyber-crime and Scale,” Comm. ACM Sept. 2014.
  • C. Herley, “Small World: Collisions among attackers in a finite population”, WEIS 2013
  • C. Herley, “When does Targeting Make Sense for an Attacker?” IEEE Security & Privacy magazine, March 2013.
  • C. Herley, “Why do Nigerian Scammers say they are from Nigeria?”, Proc. WEIS 2012
  • D. Florencio and C. Herley, “Is Everything We Know About Password Stealing Wrong?” IEEE Security and Privacy magazine, Dec 2012.
  • D. Florencio and C. Herley, “Where Do All the Attacks Go?” WEIS 2011
  • D. Florencio and C. Herley, “Sex, Lies and Cyber-crime Surveys,” WEIS 2011
  • D. Florencio and C. Herley, “Phishing and Money Mules,” Proc WIFS, 2010
  • C. Herley, “The Plight of the Targeted Attacker in a World of Scale,” WEIS 2010
  • C. Herley and D. Florencio, “Economics and the Underground Economy,” Black Hat 2009

  • C. Herley and D. Florencio, “Nobody Sells Gold for the Price of Silver: Dishonesty, Uncertainty and the Underground Economy,” WEIS 2009, London
  • C. Herley and D. Florencio, “A Profitless Endeavor: Phishing as a Tragedy of the Commons,” NSPW 2008, Lake Tahoe, CA

Safety and Security:

  • G. Wang, J. Stokes, C. Herley and D. Felstead, “Detecting Landing Pages in Malware Distribution Networks: A Comparison of Rule and Classifier-based Methods,” IEEE DSN 2013
  • Z. Mao, D. Florencio and C. Herley, “Painless Migration to Two-factor Authentication,” Proc. WIFS 2011.
  • D. Florencio and C. Herley, “One-time Password Access to Any Server Without Changing the Server,” ISC 2008, Taipei
  • B. Coskun and C. Herley, “Can Something-You-Know be Saved?” ISC 2008, Taipei
  • C. Herley and D. Florencio, “Protecting Financial Institutions from Brute-Force Attacks,” SEC 2008, Milan
  • D. Florencio and C. Herley, “Evaluating Password Re-Use for Phishing Prevention,” APWG eCrime ’07 Pittsburgh.
  • D. Florencio and C. Herley, “KLASSP: Entering Passwords on a Spyware Infected Machine Using a Shared-Secret Proxy,” Proc. ACSAC 2006.
  • D. Florencio and C. Herley, “Password Rescue: A New Approach to Phishing Prevention,” Usenix HotSEC ’06, Vancouver.
  • C. Herley and D. Florencio, “How to Login from an Internet Cafe Without Worrying about Keyloggers,” Symp. On Usable Privacy and Security ’06 [poster] [Note: please don’t rely on this. It was a cute idea in 2006, but offers very little protection in 2010]
  • D. Florencio and C. Herley, “Analysis and Improvement of Anti-Phishing Schemes,” Proc SEC 2006.
  • D. Florencio and C. Herley, “Stopping a Phishing Attack, Even when the Victims Ignore Warnings,” MSR-TR-2005-142.

P2P and Networking:

  • Z. Mao and C. Herley, “A Robust Link-Translating Proxy Mirroring the Whole Web”, Proc. ACM SAC 2010
  • A. Bharambe, C. Herley and V. Padmanabhan, “Analyzing and Improving a BitTorrent Network’s Performance Mechanisms,” Proc. InfoComm 2006. [Download the simulator]
  • A. Bharambe, C. Herley and V. Padmanabhan, “Some Observations on BitTorrent,” Proc. ACM SigMetrics 2005 [poster].


  • C. Herley, “ARGOS: Automatically extracting Repeating Objects from multimedia Streams”, IEEE Trans. Multimedia, Feb. 2006.
  • R. Ragno, C. J. C. Burges and C. Herley, “Inferring Similarity Between Music Objects with Application to Playlist Generation,” Proc. ACM Workshop Multimedia Information Retrieval, 2005.
  • C. Herley, “Accurate Repeat Finding and Object Skipping Using Fingerprints,” Proc. ACM Multimedia 2005
  • C. Herley, “Why Watermarking is Nonsense”, Signal Processing Magazine, Sept. 2002.

Image Processing:

  • C. Herley, “Occlusion Removal with Minimum Number of Images,” Proc ICIP 2005.
  • C. Herley, “Efficient Inscribing of Noisy Rectangular Objects in Scanned Images,” Proc. ICIP 2004.
  • C. Herley, P. Vora and S. Yang, “Detection and Deterrence of Counterfeiting of Valuable Documents,” Proc. ICIP 2004.
  • C. Herley, “Extracting Repeats from Media Streams”, ICASSP 2004, Montreal.
  • C. Herley, “Recursive Method to Detect and Segment Multiple Rectangular Objects in Scanned Images”, MSR TR.
  • C. Herley, “Recursive Method to Extract Rectangular Objects from Scans”, Proc ICIP 2003
  • C. Herley, “Document Capture Using a Digital Camera”, Proc. Int Conf. Image Proc., Thessaloniki, Greece, Oct 2001.
  • C. Herley, “Protecting Images Online: a Security Mechanism that does not involve Watermarking,” Proc. Int. Conf. Image Proc., Vancouver, BC, Sept. 2000

Press Coverage and Other Stuff

People worth following:

  • NewSchoolSecurity: provocative thinking from some of the smartest people in the field.

Favorite things to do around Seattle: