Cormac Herley at Microsoft Research

Principal Researcher

I am a Principal Researcher at Microsoft Research. I am interested in data and signal analysis problems that reduce complexity and remove pain points for users. My current interests include data-mining for fraud and abuse, authentication, safety and data-driven security. I received my PhD from Columbia University, my MSEE from Georgia Tech and my BE from University College Cork, Ireland.

Some of my recent work explains why Nigerian scammers say they’re from Nigeria, why those scary numbers you hear about billions lost to cybercrime are junk, and why you’re right to suspect that most security advice is a waste of time.

Here’s a short profile of me done by MSR. Some media coverage of my work: All Things Considered (NPR), the Boston Globe, the NY Times, Wired, Ars Technica, theAtlantic, Bloomberg TV, The Economist, the Wall St Journal. An OpEd I wrote for the NY Times.

Recent Papers:

Unfalsifiability of Security Claims, Proc. National Acad. Sciences, May 2016

Pushing on string: the “don’t care” region of password strength, Comm. ACM, Nov 2016
An Administrators Guide to Internet Password Research, Proc. Usenix LISA, 2014

Videos of Recent Talks:

Unfalsifiability of Security Claims, Invited talk at Usenix 2016
Pushing on String: the don’t care regions of password strength, talk at PasswordsCon Las Vegas, August 2015
Passwords: a Guide to the Ruins, talk at CMU October 2014

Press Coverage and Other Stuff

Pushing on String: when password strength makes no difference. Video of my talk at Passwords15
Very nice writeup of my keynote at UK Research Institute of Science of Cyber Security
Video of me giving a talk on passwords at CMU
Administrator’s Guide to passwords: Wired, The Register, NakedSecurity, slashdot
Password Portfolios: Ars Technica, Slashdot, The Register, The Guardian, Independent, Telegraph
Password meters: Ars Technica, Threatpost, slashdot
Why do Nigerian Scammers Say They are from Nigeria: The Economist, Slate, Bloomberg TV, Wall St Journal, Forbes, NPR [On The Media], The New Yorker, The Telegraph, Computerworld Australia, NY Times, BBC and Slashdot.
Some reactions to an NY Times Oped I wrote: theAtlantic, Ars Technica, slashdot, Infoworld,threatpost, P=NP Blog
Everything we Know about Password-stealing is Wrong: threatpost, theregister, slashdot,Freakonomics blog
Video of me giving the keynote at WOOT 2012
Persistence of Passwords: Wired, theRegister, slashdot, Network World, Wall St Journal
Why isn’t Everyone hacked every day? TechRepublic
Cyber-crime surveys: ProPublica, The Economist, theRegister, slashdot, BBC, RiskyBiz, Schneier,threatpost, Technology Review, Sydney Morning Herald, CSO, TheAge, StraightStatistics, The Economist [again]
Where Do Security Policies Come From? NY Times, slashdot, theAtlantic, Schneier.
Password Popularity: Technology Review, slashdot, techrepublic
Economics of targeted attacks: threatpost
Interview with Erik Meijer on MSDN Channel 9.
Users and Security Advice: NPR, Boston Globe, CBS News, slashdot, slashdot [again], darkreading,techrepublic, internet evolution, SC magazine, NewSchoolScurity, SecurityNow!
Video of me speaking at CMU
Underground Economy and IRC channels: DarkReading, ZDnet
Economics of Phishing: slashdot, theRegister, ZDnet, NY Times
Password strength: Newsweek, slashdot, techrepublic, Technology Review, Infoworld
Keylogging advice: Digg coverage, Washington Post
Large scale password study:Folha, Infoworld
US Treasury Secretary Paul O’Neill pretty happy with my work on anti-counterfeiting.

Passwords:

J. Bonneau, C. Herley, P.C. van Oorschot and F. Stajano, “Passwords and the Evolution of Imperfect Authentication”, Commun. ACM, July 2015
D. Florencio, C. Herley and P.C. van Oorschot, “An Administrator’s Guide to Internet Password Research”, Proc. Usenix LISA, 2014
D. Florencio, C. Herley and P.C. van Oorschot, “Password Portfolios and the Finite-Effort User: Sustainably Managing Large Numbers of Accounts”, Proc. Usenix Security, 2014
S. Komanduri, R. Shay, L. Cranor, C. Herley and S. Schechter, “Telepathwords: preventing weak passwords by reading users’ minds”, Proc. Usenix Security 2014.
S. Egelman, A. Sotirakopoulos, I. Muslukhov, K. Beznosov and C. Herley, “Does My Password Go up to Eleven? The Impact of Password Meters on Password Selection” Proc. CHI 2013
J. Bonneau, C. Herley, P.C. van Oorschot and F. Stajano, “The quest to replace passwords: A framework for comparative evaluation of web authentication schemes“, IEEE Symp. Security & Privacy 2012.
C. Herley and P.C. van Oorschot, “A Research Agenda Acknowledging the Persistence of Passwords,”IEEE Security and Privacy magazine, Jan. 2012.
S. Schechter, C. Herley and M. Mitzenmacher, “Popularity is Everything: a new approach to protecting passwords from statistical-guessing attacks,” Proc. HotSEC 2010
D. Florencio and C. Herley, “Where Do Security Policies Come From?”, SOUPS 2010 [Best paper award at SOUPS]
C. Herley, P.C. van Oorschot and A.S. Patrick, “Passwords: If We’re So Smart Why Are We Still Using Them?” Financial Crypto 2009
D. Florencio and C. Herley, “A Large Scale Study of Web Password Habits,” WWW 2007, Banff.
D. Florencio, C. Herley and B. Coskun,“Do Strong Web Passwords Accomplish Anything?,” Usenix HotSEC ’07, Boston.

Economics of Cybercrime:

M. Javed, C. Herley, M. Peinado, V. Paxson, Measurement and Analysis of Traffic Exchange Services, Proc. Internet Measurement Conf, 2015
D. Florencio, C. Herley and A. Shostack, “FUD: a plea for intolerance,” Comm. ACM June 2014.
C. Herley, “Security, Cyber-crime and Scale,” Comm. ACM Sept. 2014.
C. Herley, “Small World: Collisions among attackers in a finite population”, WEIS 2013
C. Herley, “When does Targeting Make Sense for an Attacker?” IEEE Security & Privacy magazine, March 2013.
C. Herley, “Why do Nigerian Scammers say they are from Nigeria?”, Proc. WEIS 2012
D. Florencio and C. Herley, “Is Everything We Know About Password Stealing Wrong?” IEEE Security and Privacy magazine, Dec 2012.
D. Florencio and C. Herley, “Where Do All the Attacks Go?” WEIS 2011
D. Florencio and C. Herley, “Sex, Lies and Cyber-crime Surveys,” WEIS 2011
D. Florencio and C. Herley, Phishing and Money Mules, Proc WIFS, 2010
C. Herley, “The Plight of the Targeted Attacker in a World of Scale,” WEIS 2010
C. Herley and D. Florencio, “Economics and the Underground Economy,” Black Hat 2009
C. Herley and D. Florencio, “Nobody Sells Gold for the Price of Silver: Dishonesty, Uncertainty and the Underground Economy,” WEIS 2009, London
C. Herley and D. Florencio, “A Profitless Endeavor: Phishing as a Tragedy of the Commons,” NSPW 2008, Lake Tahoe, CA

Safety and Security:

G. Wang, J. Stokes, C. Herley and D. Felstead, “Detecting Landing Pages in Malware Distribution Networks: A Comparisoon of Rule and Cklassifier-based Methods,” IEEE DSN 2013
Z. Mao, D. Florencio and C. Herley, “Painless Migration to Two-factor Authentication,” Proc. WIFS 2011.
D. Florencio and C. Herley, “One-time Password Access to Any Server Without Changing the Server,”ISC 2008, Taipei
B. Coskun and C. Herley, “Can Something-You-Know be Saved?” ISC 2008, Taipei
C. Herley and D. Florencio, “Protecting Financial Institutions from Brute-Force Attacks,” SEC 2008, Milan
D. Florencio and C. Herley, “Evaluating Password Re-Use for Phishing Prevention,” APWG eCrime ’07 Pittsburgh.
D. Florencio and C. Herley,“KLASSP: Entering Passwords on a Spyware Infected Machine Using a Shared-Secret Proxy,” Proc. ACSAC 2006.
D. Florencio and C. Herley, “Password Rescue: A New Approach to Phishing Prevention,” Usenix HotSEC ’06, Vancouver.
C. Herley and D. Florencio, “How to Login from an Internet Cafe Without Worrying about Keyloggers,” Symp. On Usable Privacy and Security ‘06 [poster] [Note: please don’t rely on this. It was a cute idea in 2006, but offers very little protection in 2010]
D. Florencio and C. Herley,“Analysis and Improvement of Anti-Phishing Schemes,” Proc SEC 2006.
D. Florencio and C. Herley,“Stopping a Phishing Attack, Even when the Victims Ignore Warnings,”MSR-TR-2005-142.

P2P and Networking:

Z. Mao and C. Herley, “A Robust Link-Translating Proxy Mirroring the Whole Web”, Proc. ACM SAC 2010
A. Bharambe, C. Herley and V. Padmanabhan,“Analyzing and Improving a BitTorrent Network’s Performance Mechanisms,” Proc. InfoComm 2006. [Download the simulator]
A. Bharambe, C. Herley and V. Padmanabhan, “Some Observations on BitTorrent,” Proc. ACM SigMetrics 2005 [poster].

Multimedia:

C. Herley, “ARGOS: Automatically extracting Repeating Objects from multimedia Streams”, IEEE Trans, Multimedia, Feb. 2006.
R. Ragno, C. J. C. Burges and C. Herley, “Inferring Similarity Between Music Objects with Application to Playlist Generation,” Proc. ACM Workshop Multimedia Information Retrieval, 2005.
C. Herley, “Accurate Repeat Finding and Object Skipping Using Fingerprints,” Proc. ACM Multimedia 2005
C. Herley,”Why Watermarking is Nonsense”, Signal Processing Magazine, Sept. 2002.

Image Processing:

C. Herley, “Occlusion Removal with Minimum Number of Images,” Proc ICIP 2005.
C. Herley, “Efficient Inscribing of Noisy Rectangular Objects in Scanned Images,” Proc. ICIP 2004.
C. Herley, P. Vora and S. Yang, “Detection and Deterrence of Counterfeiting of Valuable Documents,”Proc. ICIP 2004.
C. Herley, “Extracting Repeats from Media Streams”, ICASSP 2004, Montreal.
C. Herley, “Recursive Method to Detect and Segment Multiple Rectangular Objects in Scanned Images”, MSR TR.
C. Herley, “Recursive Method to Extract Rectangular Objects from Scans”, Proc ICIP 2003
C. Herley, “Document Capture Using a Digital Camera”, Proc. Int Conf. Image Proc., Thessaloniki, Greece, Oct 2001.
C. Herley, “Protecting Images Online: a Security Mechanism that does not involve Watermarking,”Proc. Int. Conf. Image Proc., Vancouver, BC, Sept. 2000