Dartmouth Events

After-action report: learning from the mistakes we've made with passwords

Cormac Herley: It turns out that the ways we've been measuring password strength are flawed and the ways we recommend to achieve it don't work.

Tuesday, January 17, 2017
4:30pm – 5:30pm
Kemeny Hall 007
Intended Audience(s): Public
Categories: Lectures & Seminars

I'll review some of my research on passwords and authentication, highlighting areas where accepted wisdom turned out to be particularly wrong. It turns out that the ways we've been measuring password strength are flawed, and the ways we recommend to achieve it don't work. Mostly strength doesn't make a difference anyway, and mandatory expiration accomplishes little. Password re-use, far from being a shameful manifestation of user failing, is an all but essential tool in allocating effort as portfolio size grows. And so on.

Rather than waste a good crisis I'll try to figure out why we've been so wrong so often, and why errors take so long to discover. Is there a pattern to these mistakes? What else have we got wrong? I suggest there is a problem with the way we reason about security problems, and suggest what we need to avoid and detect errors like these in the future.

Bio: Cormac Herley is a Principal Researcher at Microsoft Research. His main current interests are data analysis problems, authentication, fraud and abuse, and the economics of information security. He has published widely in signal processing, information theory, multimedia, and security. He is inventor of 70 or so US patents, and has shipped technologies used by hundreds of millions of users. His research is a frequent subject of media coverage. He received the PhD degree from Columbia University, the MSEE from Georgia Tech, and the BE(Elect) from the National University of Ireland.

For more information, contact:
Sandra Hall

Events are free and open to the public unless otherwise noted.