Latest News

Lorrie Faith Cranor – The Continuing Quest for Secure and Usable Passwords

Date: May 16
Time: 11am
Place: Senate Chambers, Ross N940
Focus Session: LAS 3033, 12:30 – 2:30

Graduate students and postdocs who wish to attend the focus session should send the IC@L Admin, Ms Cimoan Atkins (, an email with their name, supervisor, and any dietary concerns – (lunch will be provided).

Title: The Continuing Quest for Secure and Usable Passwords

Lorrie Faith Cranor
Carnegie Mellon University

While a properly-written password policy might provide an organization with increased security, it is unclear just what such a well-written policy would be, or even how to determine whether a given policy is effective. Although it is easy to calculate the theoretical password space that corresponds to a particular password policy, it is difficult to determine the practical password space. Users may, for example, react to a policy rule requiring them to include numbers in passwords by overwhelmingly picking the same number, or by always using the number in the same location in their passwords. In addition, some password policies may result in passwords that are difficult to remember or type. This may cause users to forget their passwords or to engage in behaviors that might compromise the security of passwords. We seek to advance understanding of the factors that make following password policies difficult, collect empirical data on password strength and memorability under various password policies, and propose password policy guidelines to simultaneously maximize security and usability of passwords. To that end, our research group at Carnegie Mellon University has conducted a series of online studies in which we asked tens of thousands of people to create passwords that comply with specific password policies. We developed an efficient method for calculating how effectively several password-guessing algorithms guess passwords and used it to analyze leaked password sets, passwords created for our studies, and the single-sign-on passwords used by over 25,000 faculty, staff, and students at our university. We investigated a variety of password policies, including those with requirements on length and character classes, as well as exclusion of blacklisted words. We also investigated system-assigned passphrases and the impact of various password meter designs on password security and usability. We studied user perceptions of password security and developed an open source password meter based on our research. In this talk I will describe our password research study methodology and highlight some of our most interesting findings. Our password research papers are available at:


Lorrie Faith Cranor is a Professor of Computer Science and of Engineering and Public Policy at Carnegie Mellon University where she is director of the CyLab Usable Privacy and Security Laboratory (CUPS) and co-director of the MSIT-Privacy Engineering masters program. In 2016 she served as Chief Technologist at the US Federal Trade Commission, working in the office of Chairwoman Ramirez. She is also a co-founder of Wombat Security Technologies, Inc, a security awareness training company. She has authored over 150 research papers on online privacy, usable security, and other topics. She has played a key role in building the usable privacy and security research community, having co-edited the seminal book Security and Usability (O’Reilly 2005) and founded the Symposium On Usable Privacy and Security (SOUPS). She also chaired the Platform for Privacy Preferences Project (P3P) Specification Working Group at the W3C and authored the book Web Privacy with P3P (O’Reilly 2002). She has served on a number of boards, including the Electronic Frontier Foundation Board of Directors, and on the editorial boards of several journals. In her younger days she was honored as one of the top 100 innovators 35 or younger by Technology Review magazine. More recently she was named an ACM Fellow for her contributions to usable privacy and security research and education, and an IEEE Fellow for her contributions to privacy engineering. She was previously a researcher at AT&T-Labs Research and taught in the Stern School of Business at New York University. She holds a doctorate in Engineering and Policy from Washington University in St. Louis. In 2012-13 she spent her sabbatical as a fellow in the Frank-Ratchye STUDIO for Creative Inquiry at Carnegie Mellon University where she worked on fiber arts projects that combined her interests in privacy and security, quilting, computers, and technology. She practices yoga, plays soccer, and runs after her three children.