I am a Principal Researcher at Microsoft Research. I am interested in data and signal analysis problems that reduce complexity and remove pain points for users. My current interests include economics, authentication, safety and data-driven security. There are links to some papers and projects below.
Here's a short profile of me done by MSR. Some media coverage of my work: All Things Considered (NPR), the Boston Globe, the NY Times, Wired, Ars Technica, theAtlantic, Bloomberg TV, The Economist, the Wall St Journal.
My email is my firstname at microsoft dot com. Twitter @cormacherley
- "Passwords and the Evolution of Imperfect Authentication", Commun. ACM, July 2015
- "An Administrator's Guide to Internet Password Research", Usenix LISA
- "Password Portfolios and the Finite-Effort User: Sustainably Managing Large Numbers of Accounts", Usenix Security
- "Security, Cyber-crime and Scale", Comm. ACM
- "Is Everything We Know About Password Stealing Wrong?", IEEE Security & Privacy
Users, Security Advice and Avoiding Harm:
- C. Herley, "More is Not the Answer", IEEE Security & Privacy magazine, 2014
- S Egelman, D Molnar, N Christin, A Acquisti, C Herley, S. Krishnamurthi, "Please Continue to Hold: An empirical study on user tolerance of security delays," WEIS 2010
- C. Herley, "So Long, and No Thanks for the Externalities: the Rational Rejection of Security Advice by Users," NSPW 2009, Oxford
- J. Bonneau, C. Herley, P.C. van Oorschot and F. Stajano, "Passwords and the Evolution of Imperfect Authentication", Commun. ACM, July 2015
- D. Florencio, C. Herley and P.C. van Oorschot, "An Administrator's Guide to Internet Password Research", Proc. Usenix LISA, 2014
- D. Florencio, C. Herley and P.C. van Oorschot, "Password Portfolios and the Finite-Effort User: Sustainably Managing Large Numbers of Accounts", Proc. Usenix Security, 2014
- S. Komanduri, R. Shay, L. Cranor, C. Herley and S. Schechter, "Telepathwords: preventing weak passwords by reading users' minds", Proc. Usenix Security 2014.
- S. Egelman, A. Sotirakopoulos, I. Muslukhov, K. Beznosov and C. Herley, "Does My Password Go up to Eleven? The Impact of Password Meters on Password Selection" Proc. CHI 2013
- J. Bonneau, C. Herley, P.C. van Oorschot and F. Stajano, "The quest to replace passwords: A framework for comparative evaluation of web authentication schemes", IEEE Symp. Security & Privacy 2012.
- C. Herley and P.C. van Oorschot, "A Research Agenda Acknowledging the Persistence of Passwords," IEEE Security and Privacy magazine, Jan. 2012.
- S. Schechter, C. Herley and M. Mitzenmacher, "Popularity is Everything: a new approach to protecting passwords from statistical-guessing attacks," Proc. HotSEC 2010
- D. Florencio and C. Herley, "Where Do Security Policies Come From?", SOUPS 2010 [Best paper award at SOUPS]
- C. Herley, P.C. van Oorschot and A.S. Patrick, "Passwords: If We're So Smart Why Are We Still Using Them?" Financial Crypto 2009
- D. Florencio and C. Herley, “A Large Scale Study of Web Password Habits,” WWW 2007, Banff.
- D. Florencio, C. Herley and B. Coskun, "Do Strong Web Passwords Accomplish Anything?," Usenix HotSEC '07, Boston.
Economics of Cybercrime:
- D. Florencio, C. Herley and A. Shostack, "FUD: a plea for intolerance," Comm. ACM June 2014.
- C. Herley, "Security, Cyber-crime and Scale," Comm. ACM Sept. 2014.
- C. Herley, "Small World: Collisions among attackers in a finite population", WEIS 2013
- C. Herley, "When does Targeting Make Sense for an Attacker?" IEEE Security & Privacy magazine, March 2013.
- C. Herley, "Why do Nigerian Scammers say they are from Nigeria?", Proc. WEIS 2012
- D. Florencio and C. Herley, "Is Everything We Know About Password Stealing Wrong?" IEEE Security and Privacy magazine, Dec 2012.
- D. Florencio and C. Herley, "Where Do All the Attacks Go?" WEIS 2011
- D. Florencio and C. Herley, "Sex, Lies and Cyber-crime Surveys," [slides] WEIS 2011
- D. Florencio and C. Herley, Phishing and Money Mules, Proc WIFS, 2010
- C. Herley, "The Plight of the Targeted Attacker in a World of Scale," WEIS 2010
- C. Herley and D. Florencio, "Economics and the Underground Economy," Black Hat 2009
- C. Herley and D. Florencio, “Nobody Sells Gold for the Price of Silver: Dishonesty, Uncertainty and the Underground Economy,” WEIS 2009, London
- C. Herley and D. Florencio, “A Profitless Endeavor: Phishing as a Tragedy of the Commons,” NSPW 2008, Lake Tahoe, CA
Safety and Security:
- G. Wang, J. Stokes, C. Herley and D. Felstead, "Detecting Landing Pages in Malware Distribution Networks: A Comparison of Rule and Classifier-based Methods," IEEE DSN 2013
- Z. Mao, D. Florencio and C. Herley, "Painless Migration to Two-factor Authentication," Proc. WIFS 2011.
- D. Florencio and C. Herley, "One-time Password Access to Any Server Without Changing the Server," ISC 2008, Taipei
- B. Coskun and C. Herley, "Can Something-You-Know be Saved?" ISC 2008, Taipei
- C. Herley and D. Florencio, “Protecting Financial Institutions from Brute-Force Attacks,” SEC 2008, Milan
- D. Florencio and C. Herley, “Evaluating Password Re-Use for Phishing Prevention,” APWG eCrime '07 Pittsburgh.
- D. Florencio and C. Herley, "KLASSP: Entering Passwords on a Spyware Infected Machine Using a Shared-Secret Proxy," Proc. ACSAC 2006.
- D. Florencio and C. Herley, “Password Rescue: A New Approach to Phishing Prevention,” Usenix HotSEC ’06, Vancouver.
- C. Herley and D. Florencio, “How to Login from an Internet Cafe Without Worrying about Keyloggers,” Symp. On Usable Privacy and Security ‘06 [poster] [Note: please don't rely on this. It was a cute idea in 2006, but offers very little protection in 2010]
- D. Florencio and C. Herley, "Analysis and Improvement of Anti-Phishing Schemes," Proc. SEC 2006.
- D. Florencio and C. Herley, "Stopping a Phishing Attack, Even when the Victims Ignore Warnings," MSR-TR-2005-142.
P2P and Networking:
- Z. Mao and C. Herley, "A Robust Link-Translating Proxy Mirroring the Whole Web", Proc. ACM SAC 2010
- A. Bharambe, C. Herley and V. Padmanabhan, "Analyzing and Improving a BitTorrent Network's Performance Mechanisms," Proc. InfoComm 2006. [Download the simulator]
- A. Bharambe, C. Herley and V. Padmanabhan, “Some Observations on BitTorrent,” Proc. ACM SigMetrics 2005 [poster].
- C. Herley, "ARGOS: Automatically extracting Repeating Objects from multimedia Streams", IEEE Trans. Multimedia, Feb. 2006.
- R. Ragno, C. J. C. Burges and C. Herley, “Inferring Similarity Between Music Objects with Application to Playlist Generation,” Proc. ACM Workshop Multimedia Information Retrieval, 2005.
- C. Herley, “Accurate Repeat Finding and Object Skipping Using Fingerprints,” Proc. ACM Multimedia 2005
- C. Herley, "Why Watermarking is Nonsense", Signal Processing Magazine, Sept. 2002.
- C. Herley, “Occlusion Removal with Minimum Number of Images,” Proc ICIP 2005.
- C. Herley, “Efficient Inscribing of Noisy Rectangular Objects in Scanned Images,” Proc. ICIP 2004.
- C. Herley, P. Vora and S. Yang, “Detection and Deterrence of Counterfeiting of Valuable Documents,” Proc. ICIP 2004.
- C. Herley, “Extracting Repeats from Media Streams”, ICASSP 2004, Montreal.
- C. Herley, “Recursive Method to Detect and Segment Multiple Rectangular Objects in Scanned Images”, MSR TR.
- C. Herley, “Recursive Method to Extract Rectangular Objects from Scans”, Proc ICIP 2003
- C. Herley, “Document Capture Using a Digital Camera”, Proc. Int Conf. Image Proc., Thessaloniki, Greece, Oct 2001.
- C. Herley, “Protecting Images Online: a Security Mechanism that does not involve Watermarking,” Proc. Int. Conf. Image Proc., Vancouver, BC, Sept. 2000
Press Coverage and Other Stuff
- Very nice writeup of my keynote at UK Research Institute of Science of Cyber Security
- Video of me giving a talk on passwords at CMU
- Administrator's Guide to passwords: Wired, The Register, NakedSecurity, slashdot
- Password Portfolios: Ars Technica, Slashdot, The Register, The Guardian, Independent, Telegraph
- Password meters: Ars Technica, Threatpost, slashdot
- Why do Nigerian Scammers Say They are from Nigeria: The Economist, Slate, Bloomberg TV, Wall St Journal, Forbes, NPR [On The Media], The New Yorker, The Telegraph, Computerworld Australia, NY Times, BBC and Slashdot.
- Some reactions to an NY Times Oped I wrote: theAtlantic, Ars Technica, slashdot, Infoworld, threatpost, P=NP Blog
- Everything we Know about Password-stealing is Wrong: threatpost, theregister, slashdot, Freakonomics blog
- Video of me giving the keynote at WOOT 2012
- Persistence of Passwords: Wired, theRegister, slashdot, Network World, Wall St Journal
- A profile of me done by MSR.
- Why isn't Everyone hacked every day? TechRepublic
- Cyber-crime surveys: ProPublica, The Economist, theRegister, slashdot, BBC, RiskyBiz, Schneier, threatpost, Technology Review, Sydney Morning Herald, CSO, TheAge, StraightStatistics, The Economist [again]
- Where Do Security Policies Come From? NY Times, slashdot, theAtlantic, Schneier.
- Password Popularity: Technology Review, slashdot, techrepublic
- Economics of targeted attacks: threatpost
- Interview with Erik Meijer on MSDN Channel 9.
- Users and Security Advice: NPR, Boston Globe, CBS News, slashdot, slashdot [again], darkreading, techrepublic, internet evolution, SC magazine, NewSchoolSecurity, SecurityNow!
- Interview with Dennis Fisher on threatpost.
- Video of me speaking at CMU
- Underground Economy and IRC channels: DarkReading, ZDnet
- Economics of Phishing: slashdot, theRegister, ZDnet, NY Times
- Password strength: Newsweek, slashdot, techrepublic, Technology Review, Infoworld
- Keylogging advice: Digg coverage, Washington Post
- Large scale password study: Folha, Infoworld
- US Treasury Secretary Paul O’Neill pretty happy with my work on anti-counterfeiting.
People worth following:
- NewSchoolSecurity: provocative thinking from some of the smartest people in the field