A group of CyLab faculty and graduate students were just awarded the Allen Newell Award for Research Excellence “for pioneering contribution to the science of evaluating password strength and for embodying this science in online tools that enable individuals and groups to more easily secure their systems,” an internal announcement read.
The Allen Newell Award for Research Excellence is awarded by Carnegie Mellon’s School of Computer Science, and it recognizes an outstanding body of work that epitomizes the research style of the late Allen Newell, a prolific computer science and cognitive psychology researcher at Carnegie Mellon.
Newell’s rules of thumb for research were, in his own words: “Good science responds to real phenomena or real problems,” “Good science is in the details,” and “Good science makes a difference.”
The award recipients’ body of work on passwords checked all three boxes.
“We’ve now written about 20 papers about passwords trying to answer the question: what should a password policy be to balance usability with security?” said CyLab director Lorrie Cranor, who helped lead much of the research. “Ten years later, I think we have an answer.”
Cranor said their work in passwords began about 10 years ago when Carnegie Mellon itself changed its password policy. She learned that the policy was based on NIST guidelines that were not heavily based on data, because little to no data on passwords existed.
“We thought, ‘We could do better than that,’ ” Cranor said. “We should be able to get some data and set guidelines based on scientific principles rather than just intuition.”
That they did. The passwords research group, co-led by Cranor, Lujo Bauer, and Nicolas Christin, went on to establish new, empirically proven methods for evaluating both password usability for human users and password strength against practical attacks. In 2016, the revised NIST password guidelines were influenced by the group’s work.
“For all the progress in biometrics and other forms of authentication, we are reminded that, even though they are a comically archaic way to authenticate, passwords are here to stay given their simplicity and easy implementation,” said Christin. “When your facial recognition app fails, what do you fall back on? A PIN, which is a form of a password.”
The group’s body of work has led to tools like a password guessability service and a state-of-the-art password meter that gives users feedback on the strength of their passwords in real time and offers specific suggestions on how to make them stronger.
“I’m excited not just by our results on what makes a good password, but even more by what we learned about how to do research on passwords,” said Bauer. “We established a methodology for measuring password strength, which has by now been used by dozens of research groups. We also showed how to evaluate new password schemes through user studies and obtain results that generalize. Both of these were critical enablers for research on passwords.”
Jim Herbsleb, a professor and director of the Institute for Software Research (ISR), has been impressed with the group’s research, leading him to write and submit the nomination for the team to receive the award.
“This team of faculty and graduate students is remarkable for their ability to scientifically colonize an area previously dominated by folklore and anecdote,” Herbsleb said.
The members of the passwords group receiving the award include:
- Lujo Bauer, professor, Electrical and Computer Engineering (ECE), ISR
- Nicolas Christin, associate professor, Engineering and Public Policy (EPP), ISR
- Lorrie Cranor, director, CyLab; professor, EPP, ISR
- Saranga Komanduri, former ISR Ph.D. student; currently working at Civis Analytics
- Michelle Mazurek, former ECE Ph.D. student; currently an assistant professor at the University of Maryland
- William Melicher, former ECE Ph.D. student; currently working at Palo Alto Networks
- Sean Segreti, former ECE Master’s student; currently a research consultant, developer, and passwords researcher at KoreLogic
- Rich Shay, former ISR Ph.D. student; currently technical staff at the MIT Lincoln Laboratory
- Blase Ur, former ISR Ph.D. student; currently an assistant professor at the University of Chicago