I am an assistant professor in Computer Science at the University of Wisconsin—Madison. I completed my Ph.D. from Cornell
I design secure systems to make digital technologies safe and secure for everyone. My research methodology combines empirical study with analytical reasoning. See below for my research portfolio.
My full CV is here.
I am actively looking for motivated graduate students to work on real-world computer
security and privacy problems. Please get in touch with me if you are interested.
Stopping Credential Tweaking Attacks (S&P '19)
Users regularly choose the same or similar passwords across multiple accounts. A password leaked from one web service therefore jeopardizes the security of the others. A popular form of this attack is credential stuffing, where an attacker uses a password leaked from one website to impersonate the user on other websites. A generalized version of this attack is what we call a credential tweaking attack: the attacker uses a tailored list of guesses derived from a previously leaked password for the account.
I am working on building defenses against the risk of account compromise via credential tweaking attacks, together with a team of very talented researchers at Cornell Tech. We built the most damaging credential tweaking attack known so far using neural networks, and showed that about 15% of user accounts are still vulnerable to credential tweaking within 1,000 guesses, despite the target passwords being different from the ones leaked to the attacker. We are also working on a personalized password strength meter (PPSM) and a compromised credential check as a service (C3S) that will help web services and users learn whether any of their existing or newly chosen passwords are vulnerable to credential tweaking attacks.
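To make the attack and the defense concrete, here is an added example that is not code from the paper or from the PPSM/C3S work: a rule-based guess generator that turns one leaked password into an ordered list of tweaks (a weak stand-in for the neural-network model), and a PPSM/C3S-style check that asks whether a newly chosen password sits inside that list within a fixed budget. The mangling rules, the suffix list, the 1,000-guess budget, the two-rule depth and the sample passwords are all assumptions made for this example.

```python
"""Rule-based credential tweaking: generate an ordered list of guesses from a
user's leaked password, and check whether a candidate new password falls
inside that list.  Added illustration, not the neural-network attack, the
PPSM or the C3S from the paper: the mangling rules, the suffix list, the
1000-guess budget and the sample passwords are all chosen here."""
import re

LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
SUFFIXES = ["1", "!", "123", "1!", "12", "2019", "2020", "!!"]


def _single_edits(pw):
    """Yield one-rule variants of pw; yield order is guess priority."""
    yield pw                       # guess #1 is always the leaked password itself
    yield pw.capitalize()
    yield pw.lower()
    yield pw.upper()
    yield pw.swapcase()
    m = re.match(r"^(.*?)(\d+)$", pw)
    if m:                          # trailing number: drop it, bump it, lower it
        head, num = m.groups()
        if head:
            yield head
        yield head + str(int(num) + 1).zfill(len(num))
        if int(num) > 0:
            yield head + str(int(num) - 1).zfill(len(num))
    if pw and not pw[-1].isalnum():
        yield pw[:-1]              # drop a trailing symbol
    for s in SUFFIXES:
        yield pw + s
    yield pw.translate(LEET)       # leetspeak (no-op if nothing substitutable)


def tweak_candidates(leaked, budget=1000, depth=2):
    """Breadth-first expansion of the leaked password by up to `depth` rule
    applications, de-duplicated in order of discovery and cut at `budget`."""
    ordered, seen = [], set()
    frontier = [leaked]
    for _ in range(depth):
        next_frontier = []
        for base in frontier:
            for cand in _single_edits(base):
                if cand in seen:
                    continue
                seen.add(cand)
                ordered.append(cand)
                next_frontier.append(cand)
                if len(ordered) >= budget:
                    return ordered
        frontier = next_frontier
    return ordered


def guesses_needed(leaked, target, budget=1000):
    """1-based number of guesses an attacker holding `leaked` needs to hit
    `target`, or None if `target` is not reached within the budget."""
    for i, cand in enumerate(tweak_candidates(leaked, budget), start=1):
        if cand == target:
            return i
    return None


def tweak_vulnerable(new_password, leaked_passwords, budget=1000):
    """PPSM/C3S-style check: is the new password reachable by tweaking any of
    this user's previously leaked passwords within the guessing budget?"""
    return any(guesses_needed(old, new_password, budget) is not None
               for old in leaked_passwords)
```

The check deliberately reports a password as weak even when it differs from every leaked one, which is the point of the 15% figure above: "Summer2019" is two cheap rules away from a leaked "summer2018". A real meter would replace `_single_edits` with a learned model and score by guess rank rather than by a yes/no cutoff.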
Technology Abuse in Intimate Partner Violence (S&P '18, CSCW '19, USENIX '19)
We looked at the ecosystem of spyware tools and resources available on the open web and in official application stores that can be used for non-consensual intimate partner surveillance (IPS). We found thousands of apps, many of them what we call dual-use: apps built for some legitimate purpose whose functionality can easily be turned to spying on an intimate partner. There are plenty of resources, in the form of blog posts, forums, and videos, to help an abuser use these tools for spying.
We are actively working on this project with the NYC Mayor's Office to End Domestic and Gender-Based Violence (ENDGBV) to help IPV victims find out whether they are being tracked or spied on through their mobile phones. Feel free to reach out to me if you want the list of apps we identified as IPS-relevant.
Typos (S&P '16, CCS '17, Crypto '17)
To typo is human, but it is extremely annoying to make a typographical mistake while typing your long and complex login password and be rejected by the server for that small typo. Things get worse on a touchscreen device such as a tablet or smartphone. Wouldn't it be great if the server tolerated some of the small typos that users frequently make while entering
We investigated the impact of correcting a small set of typos in Dropbox's production authentication server. We showed that it is possible to allow a small set of typos to improve the user experience without degrading security by more than a negligible amount. In a 24-hour study at Dropbox, we found that 3% of all users failed to log in despite making only small typographical mistakes, while many more were delayed in logging in. We also showed that tolerating this carefully chosen set of typos increases an attacker's success probability in breaking into a user account by less than 0.02%, which is practically negligible. For more details visit the project page.
Seeing the benefit of correcting a few popular typos, we designed a password checking system that securely monitors a user's password typing behavior and allows login with that user's own frequent typos when it is safe to do so. We call this system TypTop. We show that nearly 70% of all typos can be corrected by TypTop at zero loss in security. More details about the project can be found on the project page.
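The two designs above share one server-side mechanism, so here is a single added example that is not Dropbox's or TypTop's code: a login routine that first tries a fixed set of correctors on the typed string (the mechanism studied at Dropbox), then a per-user cache of that user's own past typos learned from login history (the idea behind TypTop). The three correctors are the common ones from the Dropbox study (caps lock on, shifted first character, one extra trailing character). The cache size, the small common-password blocklist, the one-edit admission rule and the sample passwords are assumptions made for this example; TypTop's encrypted cache and wait list are simplified to in-memory lists here, and a real deployment must not keep rejected entries in plaintext. `typo_ball` shows what an attacker gains: one submission now counts for every password the correctors map it to, which is why the accepted set has to be chosen with the password distribution in mind.

```python
"""Typo-tolerant password checking: a small fixed set of correctors applied to
the typed string (the mechanism studied at Dropbox), plus a per-user cache of
that user's own frequent typos learned from login history (the idea behind
TypTop).  Added illustration, not Dropbox's or TypTop's code.  The cache size,
the blocklist and the sample passwords are chosen here; TypTop's encrypted
cache and wait list are simplified to in-memory lists."""
import hashlib
import hmac
import os

COMMON = {"password", "123456", "qwerty", "letmein", "password1"}  # tiny blocklist


def _h(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 10_000)


def swc_all(s):    # caps lock was on
    return s.swapcase()

def swc_first(s):  # shift held while typing the first character
    return s[:1].swapcase() + s[1:]

def rm_last(s):    # one extra character typed at the end
    return s[:-1]

CORRECTORS = [swc_all, swc_first, rm_last]


def typo_ball(guess):
    """Passwords an attacker gets credit for with one submission of `guess`:
    the guess itself plus everything the correctors map it to."""
    return ({guess} | {fix(guess) for fix in CORRECTORS}) - {""}


def within_one_edit(a, b):
    """Damerau-Levenshtein distance <= 1 (substitution, insertion, deletion or
    adjacent transposition)."""
    if a == b:
        return True
    if len(a) == len(b):
        d = [i for i in range(len(a)) if a[i] != b[i]]
        if len(d) == 1:
            return True
        return (len(d) == 2 and d[1] == d[0] + 1
                and a[d[0]] == b[d[1]] and a[d[1]] == b[d[0]])
    short, long_ = sorted((a, b), key=len)
    if len(long_) - len(short) != 1:
        return False
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


class Account:
    CACHE_SIZE = 5

    def __init__(self, password):
        self.salt = os.urandom(16)
        self.digest = _h(password, self.salt)
        self.cache = []   # digests of this user's accepted personal typos
        self.wait = []    # rejected entries since the last successful login

    def _is_password(self, pw):
        return hmac.compare_digest(_h(pw, self.salt), self.digest)

    def login(self, typed):
        if self._is_password(typed):
            self._learn(typed)
            return "ok"
        for fix in CORRECTORS:           # fixed correctors, as in the Dropbox study
            if self._is_password(fix(typed)):
                return "ok:corrector"
        d = _h(typed, self.salt)          # personalized cache, as in TypTop
        if any(hmac.compare_digest(d, c) for c in self.cache):
            return "ok:cache"
        self.wait.append(typed)
        return "fail"

    def _learn(self, password):
        """On a correct login, admit wait-listed entries that are one edit away
        from the real password and are not themselves common passwords."""
        for typo in self.wait:
            if (within_one_edit(typo, password) and typo.lower() not in COMMON
                    and len(self.cache) < self.CACHE_SIZE):
                self.cache.append(_h(typo, self.salt))
        self.wait = []
```

The blocklist check in `_learn` is the safety rule: a typo that happens to be a popular password must never be admitted, or an attacker's guess of "qwerty" would start unlocking an account whose real password is "qwerty1".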
Cracking Resistant Password Vault (S&P '15)
This is a new kind of password manager (a.k.a. password vault), that encrypts user-credentials
under a master password, but resists offline brute-force decryption. Dictionary attack on
stolen password vaults, where users store all of their usernames and passwords, is an
increasing threat for password managers. Thanks to poor choice of passwords by significant
portion of internet users, and easy repudiation of successful decryption under a candidate
master password, it is easy to mount a dictionary attack on any ciphertext encrypted under
traditional encryption schemes with human chosen master password as key.
NoCrack solves this problem to great extent. When one tries to decrypt a NoCrack ciphertext
with wrong master password, NoCrack generates fake, plausible looking passwords (decoys)
making it hard for the attacker to figure out offline whether or not his guess was
correct. Unlike traditional password vaults, it never fails to decrypt and always outputs
passwords which looks correct.
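The mechanism that makes "never fails to decrypt" possible is a distribution-transforming encoder: each password is first mapped to a uniformly random seed whose decoding is that password, and only the seeds are encrypted, so a wrong key produces random seeds that still decode to passwords drawn from the model. The following added example is an illustration of that idea, not NoCrack's code: NoCrack uses a natural-language encoder trained on leaked passwords and can encode any string, whereas the word-plus-suffix model, its probabilities, the PBKDF2/HMAC keystream, the salt layout and the sample vault below are assumptions constructed for this example.

```python
"""A NoCrack-style vault: passwords are run through a distribution-transforming
encoder (DTE) into uniformly random seeds before encryption, so decrypting with
a wrong master password yields seeds that decode to plausible decoy passwords
rather than garbage.  Added illustration of the idea, not NoCrack's code: the
word+suffix model, its probabilities, the keystream construction and the
sample vault are all constructed for this example."""
import hashlib
import hmac
import os
import struct

SEED_MAX = 1 << 32   # each symbol is encoded as one uniform 32-bit seed

# Toy password model: password = word + suffix, drawn independently.
WORDS = [("password", 0.30), ("iloveyou", 0.20), ("monkey", 0.15),
         ("dragon", 0.15), ("sunshine", 0.10), ("football", 0.10)]
SUFFIXES = [("", 0.40), ("1", 0.25), ("123", 0.15), ("!", 0.10), ("2019", 0.10)]


def _intervals(table):
    """Give each symbol a slice of [0, SEED_MAX) proportional to its probability;
    the slices tile the whole range so every seed decodes to something."""
    out, lo = {}, 0
    for i, (sym, p) in enumerate(table):
        hi = SEED_MAX if i == len(table) - 1 else lo + int(p * SEED_MAX)
        out[sym] = (lo, hi)
        lo = hi
    return out

WORD_IV, SUF_IV = _intervals(WORDS), _intervals(SUFFIXES)


def _encode_symbol(sym, iv):
    lo, hi = iv[sym]
    return lo + int.from_bytes(os.urandom(4), "big") % (hi - lo)  # uniform in slice


def _decode_symbol(seed, iv):
    return next(sym for sym, (lo, hi) in iv.items() if lo <= seed < hi)


def split_password(pw):
    """(word, suffix) if pw is in the model's support, else None."""
    for word, _ in WORDS:
        if pw.startswith(word) and pw[len(word):] in SUF_IV:
            return word, pw[len(word):]
    return None


def dte_encode(pw):
    parts = split_password(pw)
    if parts is None:
        raise ValueError("outside the toy model; NoCrack's NLE would still encode it")
    word, suf = parts
    return struct.pack(">II", _encode_symbol(word, WORD_IV), _encode_symbol(suf, SUF_IV))


def dte_decode(seed8):
    w, s = struct.unpack(">II", seed8)
    return _decode_symbol(w, WORD_IV) + _decode_symbol(s, SUF_IV)


def _keystream(master, salt, n):
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 50_000)
    blocks = [hmac.new(key, salt + ctr.to_bytes(4, "big"), "sha256").digest()
              for ctr in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def seal_vault(master, passwords):
    """Encrypt the seeds of all site passwords.  There is deliberately no
    integrity tag: a tag would tell an attacker which master password is right."""
    salt = os.urandom(16)
    seeds = b"".join(dte_encode(p) for p in passwords)
    return salt + bytes(a ^ b for a, b in zip(seeds, _keystream(master, salt, len(seeds))))


def open_vault(master, blob):
    """Never fails: any master password yields a full list of model-shaped passwords."""
    salt, body = blob[:16], blob[16:]
    seeds = bytes(a ^ b for a, b in zip(body, _keystream(master, salt, len(body))))
    return [dte_decode(seeds[i:i + 8]) for i in range(0, len(seeds), 8)]
```

The security of the scheme rests entirely on how well the model matches real password choice: if decoys are less plausible than the true contents (for example, if the true vault reuses one password across sites and the decoys never do), the attacker can rank candidates offline again. That is why NoCrack's encoder is trained on leaked password data rather than a hand-written table like the one here.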
Oblivious Password Hardening (USENIX '16)
Passwords normally are hashed using a cryptographic hash function before storing in a
database. However, such hashes are computatble offline, in the sense that an attacker,
after stealing a password database, can mount a full fledged guessing attack without needing
to communicate with any service over the internet. We build an partially oblivious pseudo
random function (POPRF) function, called Pythia, that can be used to harden passwords. The
attacker, even after stealing the password database, has to contact Pythia (a service
separate from the password storage) to check a guess. This makes the offline password
guessing attack detectable to Pythia, which can implement some smart blocking and alerting
systems. Pythia can do all these without ever seeing the users' passwords (in plaintext).
Also, Pythia allows key rotation, that will enable a service to rotate keys after a breach
and make the old copy of the password hash database completely useless, by cryptographically
erasing them for the attacker. The service however, can update it's copy of the password
database using a special update token and continue normal operation.
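The following added example shows the three properties just described (the service never sees the password, guesses against one user are visible to it, and one update token repairs the whole table after rotation) in runnable form. It is an illustration, not Pythia's code: Pythia uses a bilinear pairing so that the service itself binds the tweak into the PRF output, whereas this stand-in uses blinded exponentiation in a plain modular group with a per-client ensemble key, folds the tweak into the hash-to-group input on the client side, and uses the tweak at the service only for rate limiting. The modulus, the rate limit, the class names and the sample credentials are assumptions made for this example; the group is a toy choice so the block runs with the standard library, not a recommended parameter set.

```python
"""Oblivious password hardening in the spirit of Pythia.  The web server never
stores a plain password hash; the stored value is PRF_k(t, m) computed with the
help of a separate service that holds k, sees the tweak t (here the user name)
in the clear so it can rate-limit and alert, and never sees the password m.
Key rotation turns a stolen table into garbage while the web server repairs
its own copy with one update token.

Added illustration, not Pythia's code.  Pythia uses a bilinear pairing; this
stand-in uses blinded exponentiation in Z_p^* with a service-side key per
client ensemble w, and the client folds t into the hash-to-group input.  The
modulus is a toy choice for a runnable demo, not a recommended group."""
import hashlib
import math
import secrets

P = 2**255 - 19      # toy prime modulus; exponents are reduced mod ORDER
ORDER = P - 1


def _hash_to_group(*parts):
    h = hashlib.sha256(b"|".join(parts)).digest()
    return int.from_bytes(h, "big") % (P - 2) + 2   # element of [2, P-1]


def _rand_unit():
    """Random exponent that is invertible mod ORDER (so unblinding works)."""
    while True:
        e = secrets.randbelow(ORDER - 2) + 2
        if math.gcd(e, ORDER) == 1:
            return e


class PythiaService:
    """Holds the master secret and derives a per-client ensemble key k_w."""
    RATE_LIMIT = 5   # queries allowed per tweak (per window; the window is elided)

    def __init__(self):
        self.msk = secrets.token_bytes(32)
        self.versions = {}   # ensemble w -> current key version
        self.counts = {}     # (w, t) -> queries seen

    def _key(self, w, version):
        d = hashlib.sha256(self.msk + version.to_bytes(4, "big") + w).digest()
        k = int.from_bytes(d, "big") % ORDER
        while math.gcd(k, ORDER) != 1:   # keep k invertible so update tokens exist
            k = (k + 1) % ORDER
        return k

    def eval(self, w, t, blinded):
        """Return blinded^k_w.  t is visible, so a flood of guesses against one
        user is detectable here even though the password never is."""
        n = self.counts.get((w, t), 0) + 1
        self.counts[(w, t)] = n
        if n > self.RATE_LIMIT:
            raise PermissionError(f"rate limit exceeded for tweak {t!r}; alerting")
        return pow(blinded, self._key(w, self.versions.get(w, 0)), P)

    def rotate(self, w):
        """Move ensemble w to a fresh key; return delta = k_new / k_old."""
        v = self.versions.get(w, 0)
        old, new = self._key(w, v), self._key(w, v + 1)
        self.versions[w] = v + 1
        return new * pow(old, -1, ORDER) % ORDER


class WebServer:
    """The web service: stores hardened values only, never a password hash."""

    def __init__(self, service, w):
        self.svc, self.w, self.db = service, w, {}

    def _harden(self, user, password):
        x = _hash_to_group(user.encode(), password.encode())  # H(t, m), client side
        r = _rand_unit()
        y = self.svc.eval(self.w, user, pow(x, r, P))         # service sees x^r only
        return pow(y, pow(r, -1, ORDER), P)                   # unblind to x^k_w

    def register(self, user, password):
        self.db[user] = self._harden(user, password)

    def login(self, user, password):
        return user in self.db and self._harden(user, password) == self.db[user]

    def rotate_keys(self):
        """After a breach: one token from the service re-keys every row, and the
        old stolen copy no longer matches anything under the new key."""
        delta = self.svc.rotate(self.w)
        for user in self.db:
            self.db[user] = pow(self.db[user], delta, P)
```

Unblinding works because the service returns (x^r)^k and the client raises it to r^-1 mod (p-1), leaving x^k; rotation works because (x^k_old)^(k_new/k_old) = x^k_new, so the token alone is useless to someone holding only the old table. What this simplification loses relative to Pythia is that the service cannot check that the tweak it rate-limits on is the same one folded into the blinded value; the pairing-based construction is what gives that binding.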
- Yunang Chen (Co-advised with Earlence Fernandes)
- Athena Sayles (Co-advised with Earlence Fernandes)
- Majed Almansoori
- Mazharul Islam
- Suleman Ahmad (Spring 2020 - )
- Deepak Srinath (Fall 2019 - )
- Neal Pongmorrakot (UG 2020)
- Kieran Mulligan (UG 2020)
Other reviewing works: