Lujo Bauer
[loo'yo]

Professor, Electrical & Computer Engineering + Computer Science (Software and Societal Systems Department)
Co-director, Future Enterprise Security Initiative (FutureEnterprise@CyLab)
Coordinator, ECE and SCS undergraduate concentrations in security and privacy
Director, minor in Information Security, Privacy and Policy
Affiliated with: CyLab, Societal Computing

Contact info
Short bio

Please consider submitting a paper or attending:

Wordle representation of paper titles.

Teaching

Fall 2023: Privacy Policy, Law, and Technology (17-333 / 17-733 / 19-608 / 95-818)
Spring 2023: Introduction to Computer Security (15-330 / 18-330)
Fall 2022: Privacy Policy, Law, and Technology (17-333 / 17-733 / 19-608 / 95-818)

Previous... Spring 2022: Introduction to Computer Security (15-330 / 18-330)
Fall 2021: Privacy Policy, Law, and Technology (17-333 / 17-733 / 19-608 / 95-818)
Spring 2021: Introduction to Computer Security (15-330 / 18-330)
Fall 2020: Privacy Policy, Law, and Technology (17-333 / 17-733 / 19-608 / 95-818)
Spring 2020: Introduction to Computer Security (15-330 / 18-330)
Fall 2019: Privacy Policy, Law, and Technology (17-333 / 17-733 / 19-608 / 95-818) (previously 8-533 / 8-733)
Spring 2019: Secure Software Systems (18-335 / 18-732)
Fall 2018: Privacy Policy, Law, and Technology (17-333 / 17-733 / 19-608 / 95-818) (previously 8-533 / 8-733)
Spring 2018: Secure Software Systems (18-732)
Fall 2017: Privacy Policy, Law, and Technology (8-533 / 8-733 / 19-608 / 95-818)
Spring 2017: Secure Software Systems (18-732)
Fall 2016: Privacy Policy, Law, and Technology (8-533 / 8-733 / 19-608 / 95-818)
Spring 2016: Usable Privacy and Security (05-436 / 05-836 / 08-534 / 08-734 / 19-534 / 19-734)
Spring 2016: Secure Software Systems (18-732)
Fall 2015: Introduction to Computer Security (18-730)
Fall 2015: Information Security & Privacy (15-421 / 08-731 / 08-761 / 45-885 / 45-985)
Spring 2015: Secure Software Systems (18-732)
Fall 2014: Information Security and Privacy (08-731 / 15-421 / 08-761 / 45-885 / 45-985)
Spring 2014: Secure Software Systems (18-732)
Spring 2013: Secure Software Systems (18-732)
Fall 2011: Intro to Computer & Network Security & Applied Cryptography (18-487)
Fall 2010: Secure Software Systems (18-732)
Fall 2009: Introduction to Security and Policy (18-630 / 19-631 / 95-830)
Fall 2008: Secure Software Systems (18-732)
Fall 2007: Introduction to Computer Security (18-730)

Research

I do research on many aspects of computer security and privacy. I'm particularly interested in usable security and privacy, adversarial machine learning, the security of smarthomes, the risks of online tracking, and user authentication.

Here are some topics that I currently research:

Adversarial ML: Machine learning (ML) algorithms are becoming ubiquitous; they're used in applications from playing chess and predicting the weather to cancer diagnosis and self-driving cars. Our research attempts to discover how robust ML algorithms are in the face of an adversary. Specifically, we study whether an adversary can fool ML classifiers in practical settings without arousing the suspicion of a human. For instance, we showed that it is possible to 3d print a pair of eyeglasses that, when worn by an adversary, can cause a state-of-the-art face-recognition algorithm to identify the adversary as (a specific) someone else. We leverage what we learn of ML algorithms' weaknesses to design ML algorithms that are more resistant to attack.

Publications

Group-based robustness: A general framework for customized robustness in the real world.   [PDF, BibTeX, talk video, ]
Weiran Lin, Keane Lucas, Neo Eyal, Lujo Bauer, Michael K. Reiter, and Mahmood Sharif.
In Proceedings of the 31st Network and Distributed System Security Symposium, February 2024. Internet Society. © authors  DOI:10.14722/ndss.2024.24084

Adversarial training for raw-binary malware classifiers.   [PDF, BibTeX, talk video and slides, ]
Keane Lucas, Samruddhi Pai, Weiran Lin, Lujo Bauer, Michael K. Reiter, and Mahmood Sharif.
In Proceedings of the 32nd USENIX Security Symposium, August 2023. USENIX.

Constrained Gradient Descent: a powerful and principled evasion attack against neural networks.   [PDF, BibTeX, talk video, talk slides, ]
Weiran Lin, Keane Lucas, Lujo Bauer, Michael K. Reiter, and Mahmood Sharif.
In Proceedings of the 39th International Conference on Machine Learning, ICML 2022, July 2022.

Malware makeover: breaking ML-based static analysis by modifying executable bytes.   [PDF, BibTeX, slides, talk video, code, ]
Keane Lucas, Mahmood Sharif, Lujo Bauer, Michael K. Reiter, and Saurabh Shintre.
In Proceedings of the ACM Asia Conference on Computer and Communications Security, June 2021. © authors  DOI:10.1145/3433210.3453086

n-ML: Mitigating adversarial examples via ensembles of topologically manipulated classifiers.   [PDF, BibTeX, project page, ]
Mahmood Sharif, Lujo Bauer, and Michael K. Reiter.
arXiv preprint 1912.09059, December 2019.

Optimization-guided binary diversification to mislead neural networks for malware detection.   [PDF, BibTeX, project page, ]
Mahmood Sharif, Keane Lucas, Lujo Bauer, Michael K. Reiter, and Saurabh Shintre.
arXiv preprint 1912.09064, December 2019.

A general framework for adversarial examples with objectives.   [PDF, BibTeX, project page, ]
Mahmood Sharif, Sruti Bhagavatula, Lujo Bauer, and Michael K. Reiter.
ACM Transactions on Privacy and Security, 22 (3). June 2019. (Revised version of arXiv preprint 1801.00349.) © authors  DOI:10.1145/3317611

On the suitability of Lp-norms for creating and preventing adversarial examples.   [PDF, BibTeX, project page, ]
Mahmood Sharif, Lujo Bauer, and Michael K. Reiter.
In Proceedings of The Bright and Dark Sides of Computer Vision: Challenges and Opportunities for Privacy and Security (in conjunction with the 2018 IEEE Conference on Computer Vision and Pattern Recognition), June 2018. © IEEE

Adversarial Generative Nets: Neural network attacks on state-of-the-art face recognition.   [PDF, BibTeX, project page, ]
Mahmood Sharif, Sruti Bhagavatula, Lujo Bauer, and Michael K. Reiter.
arXiv preprint 1801.00349, December 2017.

Accessorize to a crime: Real and stealthy attacks on state-of-the-art face recognition.   [PDF, BibTeX, talk video, project page, ]
Mahmood Sharif, Sruti Bhagavatula, Lujo Bauer, and Michael K. Reiter.
In Proceedings of the 23rd ACM SIGSAC Conference on Computer and Communications Security, October 2016.  DOI:10.1145/2976749.2978392

Secure digital home / access control for non-security-experts: This collection of projects explores architectures, mechanisms, and interfaces for helping users manage access control in the digital home of the future and on online social networks. Recent research includes new methods to discover smart-home configurations that may leak information, new ways to specify access-control policies (e.g., reactively, and via metadata-based policy rules), and using machine learning to help users specify security policies and privacy preferences.

Publications

Towards usable security analysis tools for trigger-action programming.   [PDF, BibTeX, talk video and slides, ]
McKenna McCall, Eric Zeng, Faysal Hossain Shezan, Mitchell Yang, Lujo Bauer, Abhishek Bichhawat, Camille Cobb, Limin Jia, and Yuan Tian.
In SOUPS '23: Proceedings of the 19th Symposium on Usable Privacy and Security, August 2023. USENIX. © authors

“I would have to evaluate their objections”: Privacy tensions between smart home device owners and incidental users.   [PDF, BibTeX, talk video, ]
Camille Cobb, Sruti Bhagavatula, Kalil Anderson Garrett, Alison Hoffman, Varun Rao, and Lujo Bauer.
Proceedings on Privacy Enhancing Technologies, 2021 (4). October 2021. De Gruyter Open. © authors  DOI:10.2478/popets-2021-0060

How risky are real users' IFTTT applets?   [PDF, BibTeX, 5-min talk (+ slides), 14-min talk, ]
Camille Cobb, Milijana Surbatovich, Anna Kawakami, Mahmood Sharif, Lujo Bauer, Anupam Das, and Limin Jia.
In SOUPS '20: Proceedings of the 16th Symposium on Usable Privacy and Security, August 2020. © authors

Some recipes can do more than spoil your appetite: Analyzing the security and privacy risks of IFTTT recipes.   [PDF, BibTeX, video from PrivacyCon, ]
Milijana Surbatovich, Jassim Aljuraidan, Lujo Bauer, Anupam Das, and Limin Jia.
In Proceedings of the 26th International World Wide Web Conference, April 2017. © IW3C2, CC BY 4.0  DOI:10.1145/3038912.3052709

(Do not) Track me sometimes: Users' contextual preferences for web tracking.   [PDF, BibTeX, slides, talk video, ]
William Melicher, Mahmood Sharif, Joshua Tan, Lujo Bauer, Mihai Christodorescu, and Pedro Giovanni Leon.
Proceedings on Privacy Enhancing Technologies (2). April 2016. De Gruyter Open. © authors  DOI:10.1515/popets-2016-0009

Sharing personal content online: exploring channel choice and multi-channel behaviors.   [PDF, BibTeX, video teaser, ]
Manya Sleeper, William Melicher, Hana Habib, Lujo Bauer, Lorrie Faith Cranor, and Michelle L. Mazurek.
In CHI'16: 34th Annual ACM Conference on Human Factors in Computing Systems, May 2016. ACM. © authors  DOI:10.1145/2858036.2858170

Toward strong, usable access control for shared distributed data.   [PDF, BibTeX, talk video, ]
Michelle L. Mazurek, Yuan Liang, William Melicher, Manya Sleeper, Lujo Bauer, Gregory R. Ganger, Nitin Gupta, and Michael K. Reiter.
In Proceedings of the 12th USENIX Conference on File and Storage Technologies (FAST '14), February 2014. USENIX.

Challenges faced in working with users to design access-control systems for domestic environments.   [PDF, BibTeX, ]
Manya Sleeper, Michelle L. Mazurek, and Lujo Bauer.
In Designing with Users for Domestic Environments workshop at CSCW14 (the 17th ACM Conference on Computer Supported Cooperative Work and Social Computing), February 2014. Position paper.

The post anachronism: The temporal dimension of Facebook privacy.   [PDF, BibTeX, ]
Lujo Bauer, Lorrie Faith Cranor, Saranga Komanduri, Michelle L. Mazurek, Michael K. Reiter, Manya Sleeper, and Blase Ur.
In Proceedings of the 12th Annual Workshop on Privacy in the Electronic Society, November 2013. ACM. © authors  DOI:10.1145/2517840.2517859

What you want is not what you get: Predicting sharing policies for text-based content on Facebook.   [PDF, BibTeX, ]
Arunesh Sinha, Yan Li, and Lujo Bauer.
In Proceedings of the 6th ACM Workshop on Security and Artificial Intelligence, November 2013. ACM. © authors  DOI:10.1145/2517312.2517317

What matters to users? Factors that affect users' willingness to share information with online advertisers.   [PDF, BibTeX, ]
Pedro G. Leon, Blase Ur, Yang Wang, Manya Sleeper, Rebecca Balebako, Richard Shay, Lujo Bauer, Mihai Christodorescu, and Lorrie Faith Cranor.
In SOUPS '13: Proceedings of the 9th Symposium on Usable Privacy and Security, July 2013. ACM. © authors  DOI:10.1145/2501604.2501611

Out of sight, out of mind: Effects of displaying access-control information near the item it controls.   [PDF, BibTeX, ]
Kami Vaniea, Lujo Bauer, Lorrie Faith Cranor, and Michael K. Reiter.
In Proceedings of the 2012 Tenth Annual International Conference on Privacy, Security and Trust (PST), pages 128--136, July 2012. IEEE. © IEEE  DOI:10.1109/PST.2012.6297929

Tag, you can see it! Using tags for access control in photo sharing.   [PDF, BibTeX, ]
Peter F. Klemperer, Yuan Liang, Michelle L. Mazurek, Manya Sleeper, Blase Ur, Lujo Bauer, Lorrie Faith Cranor, Nitin Gupta, and Michael K. Reiter.
In CHI 2012: Conference on Human Factors in Computing Systems, pages 377--386, May 2012. ACM. © ACM  DOI:10.1145/2207676.2207728

Exploring Reactive Access Control.   [PDF, BibTeX, ]
Michelle L. Mazurek, Peter F. Klemperer, Richard Shay, Hassan Takabi, Lujo Bauer, and Lorrie Faith Cranor.
In CHI '11: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pages 2085--2094, May 2011. ACM. © ACM  DOI:10.1145/1978942.1979245

Access control for home data sharing: Attitudes, needs and practices.   [PDF, BibTeX, ]
Michelle L. Mazurek, J.P. Arsenault, Joanna Breese, Nitin Gupta, Iulia Ion, Christina Johns, Daniel Lee, Yuan Liang, Jenny Olsen, Brandon Salmon, Richard Shay, Kami Vaniea, Lujo Bauer, Lorrie Faith Cranor, Gregory R. Ganger, and Michael K. Reiter.
In CHI 2010: Conference on Human Factors in Computing Systems, pages 645--654, April 2010. ACM. © ACM  DOI:10.1145/1753326.1753421

Security and privacy for the Internet of Things (IoT) outside the home: IoT devices are becoming ubiquitous. They enable fantastic new functionality, but also present new security and privacy risks. We try to discover these risks and develop solutions that address them.

Publications

Attributions for ML-based ICS anomaly detection: From theory to practice.   [PDF, BibTeX, talk video, code, ]
Clement Fung, Eric Zeng, and Lujo Bauer.
In Proceedings of the 31st Network and Distributed System Security Symposium, February 2024. Internet Society. © authors  DOI:10.14722/ndss.2024.23216

Perspectives from a comprehensive evaluation of reconstruction-based anomaly detection in industrial control systems.   [PDF, BibTeX, talk video, code, ]
Clement Fung, Shreya Srinarasi, Keane Lucas, Hay Bryan Phee, and Lujo Bauer.
In ESORICS 2022: 27th European Symposium on Research in Computer Security, September 2022. © authors  DOI:10.1007/978-3-031-17143-7_24

“Did you know this camera tracks your mood?”: Understanding privacy expectations and preferences in the age of video analytics.   [PDF, BibTeX, ]
Shikun Zhang, Yuanyuan Feng, Lujo Bauer, Lorrie Cranor, Anupam Das, and Norman Sadeh.
Proceedings on Privacy Enhancing Technologies, 2021 (2). April 2021. De Gruyter Open. 2022 Privacy Papers for Policymakers Award. © authors  DOI:10.2478/popets-2021-0028

The influence of friends and experts on privacy decision making in IoT scenarios.   [PDF, BibTeX, ]
Pardis Emami Naeini, Martin Degeling, Lujo Bauer, Richard Chow, Lorrie Cranor, Mohammad Reza Haghighat, and Heather Patterson.
In Proceedings of the 21st ACM Conference on Computer-Supported Cooperative Work and Social Computing, November 2018. © authors  DOI:10.1145/3274317

Privacy expectations and preferences in an IoT world.   [PDF, BibTeX, slides, audio, ]
Pardis Emami-Naeini, Sruti Bhagavatula, Hana Habib, Martin Degeling, Lujo Bauer, Lorrie Cranor, and Norman Sadeh.
In SOUPS '17: Proceedings of the 13th Symposium on Usable Privacy and Security, July 2017. USENIX. © authors

Self-driving cars and data collection: Privacy perceptions of networked autonomous vehicles.   [PDF, BibTeX, slides, audio, ]
Cara Bloom, Joshua Tan, Javed Ramjon, and Lujo Bauer.
In SOUPS '17: Proceedings of the 13th Symposium on Usable Privacy and Security, July 2017. USENIX. © authors

Towards privacy-aware smart buildings: Capturing, communicating, and enforcing privacy policies and preferences.   [BibTeX, ]
Primal Pappachan, Martin Degeling, Roberto Yus, Anupam Das, Sruti Bhagavatula, William Melicher, Pardis Emami Naeini, Shikun Zhang, Lujo Bauer, Alfred Kobsa, Sharad Mehrotra, Norman Sadeh, and Nalini Venkatasubramanian.
In International Workshop on the Internet of Things Computing and Applications, June 2017. In conjunction with ICDCS2017.

Online tracking: While we browse the web our behavior is observed by online trackers, which construct profiles of users based on the websites we visit. These profiles are used to select ads and show content customized to our interests, but trackers also invade our privacy. We study how much tracking users are subjected to and whether tools like privacy-preserving web browsers and browser extensions like Ghostery can help.

Publications

Widespread third-party tracking on hospital websites poses privacy risks for patients and legal liability for hospitals.   [PDF, BibTeX, ]
Ari B. Friedman, Raina M. Merchant, Amey Maley, Karim Farhat, Kristen Smith, Jackson Felkins, Rachel E. Gonzales, Lujo Bauer, and Matthew S. McCoy.
Health Affairs, 42 (4) 508-515. 2023.  DOI:10.1377/hlthaff.2022.01205

Prevalence of third-party tracking on abortion clinic web pages.   [PDF, BibTeX, ]
Ari B. Friedman, Lujo Bauer, Rachel Gonzales, and Matthew S. McCoy.
JAMA Internal Medicine. 2022.  DOI:10.1001/jamainternmed.2022.4208

Investigating advertisers' domain-changing behaviors and their impacts on ad-blocker filter lists.   [PDF, BibTeX, talk video, ]
Su-Chin Lin, Kai-Hsiang Chou, Yen Chen, Hsu-Chun Hsiao, Darion Cassel, Lujo Bauer, and Limin Jia.
In Proceedings of The Web Conference, April 2022. © ACM  DOI:10.1145/3485447.3512218

OmniCrawl: Comprehensive measurement of Web tracking with real desktop and mobile browsers.   [PDF, BibTeX, code, talk video, slides, ]
Darion Cassel, Su-Chin Lin, Alessio Buraggina, William Wang, Andrew Zhang, Lujo Bauer, Hsu-Chun Hsiao, Limin Jia, and Timothy Libert.
Proceedings on Privacy Enhancing Technologies, 2022 (1). January 2022. De Gruyter Open. PETS 2022 Artifact Award. © authors  DOI:10.2478/popets-2022-0012

(Do not) Track me sometimes: Users' contextual preferences for web tracking.   [PDF, BibTeX, slides, talk video, ]
William Melicher, Mahmood Sharif, Joshua Tan, Lujo Bauer, Mihai Christodorescu, and Pedro Giovanni Leon.
Proceedings on Privacy Enhancing Technologies (2). April 2016. De Gruyter Open. © authors  DOI:10.1515/popets-2016-0009

Passwords: Although they are often insecure and inconvenient, passwords aren't quite about to disappear. This project's goal is to help users create passwords that are easy for them to remember, but hard for attackers to guess. We work towards this goal by trying to deeply understand the password-creation process and the security of the resulting passwords, including by investigating the effects of password-composition policies and password meters on the security and usability of passwords, and by studying metrics for quantifying password strength.

Publications

(How) Do people change their passwords after a breach?   [PDF, BibTeX, ]
Sruti Bhagavatula, Lujo Bauer, and Apu Kapadia.
USENIX ;login:. December 2021. USENIX. © authors

Practical recommendations for stronger, more usable passwords combining minimum-strength, minimum-length, and blocklist requirements.   [PDF, BibTeX, talk video, ]
Joshua Tan, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor.
In Proceedings of the 27th ACM SIGSAC Conference on Computer and Communications Security, November 2020. ACM. © authors  DOI:10.1145/3372297.3417882

Why people (don't) use password managers effectively.   [PDF, BibTeX, ]
Sarah Pearman, Aerin Shikun Zhang, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor.
In SOUPS '19: Proceedings of the 15th Symposium on Usable Privacy and Security, July 2019. © authors

User behaviors and attitudes under password expiration policies.   [PDF, BibTeX, slides, ]
Hana Habib, Pardis Emami-Naeini, Maggie Oates, Chelse Swoopes, Lujo Bauer, Lorrie Faith Cranor, and Nicolas Christin.
In SOUPS '18: Proceedings of the 14th Symposium on Usable Privacy and Security, August 2018. © authors

“It's not actually that horrible”: Exploring adoption of two-factor authentication at a university.   [PDF, BibTeX, teaser video, ]
Jessica Colnago, Summer Devlin, Maggie Oates, Chelse Swoopes, Lujo Bauer, Lorrie Faith Cranor, and Nicolas Christin.
In CHI'18: 36th Annual ACM Conference on Human Factors in Computing Systems, April 2018. ACM. © authors  DOI:10.1145/3173574.3174030

Better passwords through science (and neural networks).   [PDF, BibTeX, official version, ]
William Melicher, Blase Ur, Sean Segreti, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor.
USENIX ;login:, 42 (4). December 2017. USENIX. © authors

Let's go in for a closer look: Observing passwords in their natural habitat.   [PDF, BibTeX, ]
Sarah Pearman, Jeremy Thomas, Pardis Emami Naeini, Hana Habib, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Serge Egelman, and Alain Forget.
In Proceedings of the 24th ACM SIGSAC Conference on Computer and Communications Security, October 2017. ACM. © authors  DOI:10.1145/3133956.3133973

Diversify to survive: Making passwords stronger with adaptive policies.   [PDF, BibTeX, slides, audio, ]
Sean Segreti, William Melicher, Saranga Komanduri, Darya Melicher, Richard Shay, Blase Ur, Lujo Bauer, Nicolas Christin, Lorrie Cranor, and Michelle L. Mazurek.
In SOUPS '17: Proceedings of the 13th Symposium on Usable Privacy and Security, July 2017. USENIX. © authors

Design and evaluation of a data-driven password meter.   [PDF, BibTeX, video teaser, code, online demo, ]
Blase Ur, Felicia Alfieri, Maung Aung, Lujo Bauer, Nicolas Christin, Jessica Colnago, Lorrie Cranor, Harold Dixon, Pardis Emami Naeini, Hana Habib, Noah Johnson, and William Melicher.
In CHI'17: 35th Annual ACM Conference on Human Factors in Computing Systems, May 2017. ACM. CHI Best Paper. © authors  DOI:10.1145/3025453.3026050

Password creation in the presence of blacklists.   [PDF, BibTeX, slides, ]
Hana Habib, Jessica Colnago, William Melicher, Blase Ur, Sean Segreti, Lujo Bauer, Nicolas Christin, and Lorrie Cranor.
In Proceedings of Usable Security (USEC) 2017, February 2017. Internet Society. © Internet Society  DOI:10.14722/usec.2017.23043

Fast, lean, and accurate: Modeling password guessability using neural networks.   [PDF, BibTeX, video teaser, slides, talk video, code, ]
William Melicher, Blase Ur, Sean M. Segreti, Saranga Komanduri, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor.
In Proceedings of the 25th USENIX Security Symposium, August 2016. USENIX Security Best Paper.

Do Users' Perceptions of Password Security Match Reality?   [PDF, BibTeX, video teaser, online game, ]
Blase Ur, Jonathan Bees, Sean Segreti, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor.
In CHI'16: 34th Annual ACM Conference on Human Factors in Computing Systems, May 2016. ACM. CHI 2016 Honorable Mention. © authors  DOI:10.1145/2858036.2858546

Measuring Real-World Accuracies and Biases in Modeling Password Guessability.   [PDF, BibTeX, talk video, video teaser, ]
Blase Ur, Sean M. Segreti, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Saranga Komanduri, Darya Kurilova, Michelle L. Mazurek, William Melicher, and Richard Shay.
In Proceedings of the 24th USENIX Security Symposium, August 2015. USENIX. © authors

The impact of length and mathematical operators on the usability and security of system-assigned one-time PINs.   [PDF, BibTeX, ]
Patrick Gage Kelley, Saranga Komanduri, Michelle L. Mazurek, Richard Shay, Tim Vidas, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor.
In 2013 Workshop on Usable Security (USEC), volume 7862 of Lecture Notes in Computer Science, pages 34--51, April 2013. Springer. © Springer-Verlag  DOI:10.1007/978-3-642-41320-9_3

How does your password measure up? The effect of strength meters on password creation.   [PDF, BibTeX, talk video, ]
Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy Vidas, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor.
In Proceedings of the 21st USENIX Security Symposium, August 2012. USENIX Association. © authors

Correct horse battery staple: Exploring the usability of system-assigned passphrases.   [PDF, BibTeX, ]
Richard Shay, Patrick Gage Kelley, Saranga Komanduri, Michelle L. Mazurek, Blase Ur, Tim Vidas, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor.
In SOUPS '12: Proceedings of the 8th Symposium on Usable Privacy and Security, July 2012. ACM. © authors  DOI:10.1145/2335356.2335366

Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms.   [PDF, BibTeX, ]
Patrick Gage Kelley, Saranga Komanduri, Michelle L. Mazurek, Richard Shay, Tim Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, and Julio Lopez.
In Proceedings of the 2012 IEEE Symposium on Security and Privacy, pages 523--537, May 2012. IEEE. © IEEE  DOI:10.1109/SP.2012.38

Of passwords and people: Measuring the effect of password-composition policies.   [PDF, BibTeX, ]
Saranga Komanduri, Richard Shay, Patrick Gage Kelley, Michelle L. Mazurek, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, and Serge Egelman.
In CHI '11: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pages 2595--2604, May 2011. ACM. CHI 2011 Honorable Mention. © ACM  DOI:10.1145/1978942.1979321

Students, Postdocs, and Staff

I'm fortunate to advise and work with many talented students, postdocs, and staff, including:

Students and postdocs I advised or worked with closely:
PhD students: Scott Garriss (CMU ECE, PhD 2008; now at Google), Rob Reeder (CMU CSD, advised by Lorrie Cranor, PhD 2008; now at Google), Kami Vaniea (CMU CSD, PhD 2012, co-advised with Lorrie Cranor; now at Edinburgh University), Michelle Mazurek (CMU ECE, co-advised with Greg Ganger, PhD 2014; now at University of Maryland at College Park), Saranga Komanduri (CMU COS, advised by Lorrie Cranor, PhD 2016), Xiaoxiao Tang (visiting PhD student from SMU, Singapore), Blase Ur (CMU SC, advised by Lorrie Cranor, PhD 2016; now at University of Chicago), Yannis Mallios (CMU ECE, PhD 2017, now at Google Pittsburgh), Jassim Aljuraidan (CMU ECE, PhD 2018, now at Kuwait University), Billy Melicher (CMU ECE, PhD 2019, now at Palo Alto Networks), Mahmood Sharif (CMU ECE, PhD 2019, now at Tel Aviv University), Josh Tan (CMU Societal Computing, PhD 2020, now at Amazon), Sruti Bhagavatula (CMU Societal Computing, PhD 2021, now at Northwestern University).
Postdocs: Matthias Beckerle (CyLab postdoc 2014–2015, now at Karlstad University), Camille Cobb (CyLab postdoc 2019–2021, now at the University of Illinois Urbana-Champaign), Willard Rafnsson (CyLab postdoc 2015–2017, now at the IT University of Copenhagen).
Others: Sean Segreti (CMU ECE, MS 2016; now KoreLogic), Shaoying Cai (visiting PhD student from SMU, Singapore, 2014), Tony Felice (CMU ECE ugrad/masters), Elli Fragkaki (CMU ECE, MS 2013), Wataru Hasegawa (CMU INI masters), Philip Seyoung Huh (CMU ECE, MS 2014), Joel Lee (CMU Heinz masters, 2013), Sudeep Modi (CMU INI masters), Sean Segreti (CMU ECE masters, 2015), Brad Miller (CMU ECE, BS 2009), Timothy Passaro (CMU ECE, BS/MS 2014), Ariel Rao (CMU undergraduate),

Recent publications (full list)

This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these works may not be reposted without the explicit permission of the copyright holder.

new!  The impact of exposed passwords on honeyword efficacy.   [BibTeX, ]
Zonghao Huang, Lujo Bauer, and Michael K. Reiter.
In Proceedings of the 33rd USENIX Security Symposium, August 2024. USENIX. To appear. © authors

new!  Approach for the optimization of machine learning models for calculating binary function similarity.   [BibTeX, ]
Suguru Horimoto, Keane Lucas, and Lujo Bauer.
In Proceedings of the 21st Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA '24), July 2024. To appear.

new!  CoCoT: Collaborative contact tracing.   [PDF, BibTeX, ]
Trevor Kann, Lujo Bauer, and Robert K. Cunningham.
In Proceedings of the 14th ACM Conference on Data and Application Security and Privacy (CODASPY), June 2024. ACM. © authors  DOI:10.1145/3626232.3653254

new!  Interdisciplinary approaches to cybervulnerability impact assessment for energy critical infrastructure.   [PDF, BibTeX, talk video, ]
Andrea Gallardo, Robert Erbes, Katya Le Blanc, Lujo Bauer, and Lorrie Faith Cranor.
In CHI '24: Proceedings of the 2024 CHI Conference on Human Factors in Computing Systems, May 2024. ACM. CHI 2024 Honorable Mention © authors  DOI:10.1145/3613904.3642493

Group-based robustness: A general framework for customized robustness in the real world.   [PDF, BibTeX, talk video, ]
Weiran Lin, Keane Lucas, Neo Eyal, Lujo Bauer, Michael K. Reiter, and Mahmood Sharif.
In Proceedings of the 31st Network and Distributed System Security Symposium, February 2024. Internet Society. © authors  DOI:10.14722/ndss.2024.24084

Attributions for ML-based ICS anomaly detection: From theory to practice.   [PDF, BibTeX, talk video, code, ]
Clement Fung, Eric Zeng, and Lujo Bauer.
In Proceedings of the 31st Network and Distributed System Security Symposium, February 2024. Internet Society. © authors  DOI:10.14722/ndss.2024.23216

RS-Del: Edit distance robustness certificates for sequence classifiers via randomized deletion.   [PDF, BibTeX, ]
Zhuoqun Huang, Neil G. Marchant, Keane Lucas, Lujo Bauer, Olga Ohrimenko, and Benjamin I. P. Rubinstein.
In Advances in Neural Information Processing Systems 36 (NeurIPS 2023), 2023.

Adversarial training for raw-binary malware classifiers.   [PDF, BibTeX, talk video and slides, ]
Keane Lucas, Samruddhi Pai, Weiran Lin, Lujo Bauer, Michael K. Reiter, and Mahmood Sharif.
In Proceedings of the 32nd USENIX Security Symposium, August 2023. USENIX.

Towards usable security analysis tools for trigger-action programming.   [PDF, BibTeX, talk video and slides, ]
McKenna McCall, Eric Zeng, Faysal Hossain Shezan, Mitchell Yang, Lujo Bauer, Abhishek Bichhawat, Camille Cobb, Limin Jia, and Yuan Tian.
In SOUPS '23: Proceedings of the 19th Symposium on Usable Privacy and Security, August 2023. USENIX. © authors

Speculative privacy attitudes and concerns about AR glasses data collection.   [PDF, BibTeX, ]
Andrea Gallardo, Christopher Choy, Jaideep Juneja, Efe Bozkir, Camille Cobb, Lujo Bauer, and Lorrie Faith Cranor.
Proceedings on Privacy Enhancing Technologies, 2023 (4). July 2023. © authors  DOI:10.56553/popets-2023-0117

Shedding light on inconcistencies in grid cybersecurity: Disconnects and recommendations.   [PDF, BibTeX, YouTube, talk video, ]
Brian Singer, Amritanshu Pandey, Shimiao Li, Lujo Bauer, Craig Miller, Lawrence Pileggi, and Vyas Sekar.
In Proceedings of the 2023 IEEE Symposium on Security and Privacy, May 2023.  DOI:10.1109/SP46215.2023.10179343

Widespread third-party tracking on hospital websites poses privacy risks for patients and legal liability for hospitals.   [PDF, BibTeX, ]
Ari B. Friedman, Raina M. Merchant, Amey Maley, Karim Farhat, Kristen Smith, Jackson Felkins, Rachel E. Gonzales, Lujo Bauer, and Matthew S. McCoy.
Health Affairs, 42 (4) 508-515. 2023.  DOI:10.1377/hlthaff.2022.01205  

Updated 2024.02.03.
Copyright © Lujo Bauer