Saranga Komanduri

(412) 256-8375

Saranga Komanduri

Ph.D. Candidate at Carnegie Mellon University

I am a fifth-year doctoral candidate in the School of Computer Science at Carnegie Mellon University advised by Lorrie Cranor and working in CyLab.

My main research projects involve passwords and security warnings, two situations where the burden of making security decisions is placed on lay users. I have presented full-length papers at CHI, SOUPS, GI, and Oakland.

My dissertation research focuses on estimating password strength by using a limited-knowledge model of the adversary. The framework I developed learns a linguistic model from a training corpus of passwords, and uses this model to evaluate a sample of passwords from a target policy. You can download a copy of my dissertation proposal here.

UPDATE: The Telepathwords project is now live! I worked on this project with Stuart Schechter at Microsoft Research. The official press release is here. It has also been picked up by several news sites.

Broad research interests
  • Usable privacy and security mechanisms
  • Judgment and decision making
  • Statistics, machine learning, and computational linguistics


Passwords ResearchCurrent Work
  • Studying the effect of password-composition requirements on password strength
  • Development of estimation techniques for password strength measurement

Warnings ResearchCurrent Work
  • Assessing the rate at which non-experts ignore security warnings
  • Comparing mental models of computer security between experts and non-experts

Privacy on Social Networks2010 − 2012
  • Understanding how behavioral biases affect decision-making on social networks
  • Developing tools that provide users with information relevant to privacy decisions

Behavioral Advertising2011
  • Measured compliance of NAI and DAA members with self-regulation guidelines

Master's thesis2007
  • Designed a picture-based password system based on research into cognitive science and usable security issues


All following publications are full-length, peer-reviewed conference or journal papers except where noted with a *.

Passwords Research

[2013] Measuring Password Guessability for an Entire University.
M. L. Mazurek, S. Komanduri, T. Vidas, L. Bauer, N. Christin, L. F. Cranor, P. G. Kelley, R. Shay and B. Ur. Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security (CCS 2013). New York, NY, USA: ACM. pp. 173-186.
[local pdf] [official pdf] [cites] [doi] [bib]
[2013] * Modeling the adversary to evaluate password strength with limited samples.
S. Komanduri. Ph.D. Thesis Proposal. Carnegie Mellon University. 2013.
[local pdf] [bib]
[2013] The Impact of Length and Mathematical Operators on the Usability and Security of System-Assigned One-Time PINs.
P. G. Kelley, S. Komanduri, M. L. Mazurek, R. Shay, T. Vidas, L. Bauer, N. Christin and L. F. Cranor. Financial Cryptography and Data Security -- FC 2013 Workshops, USEC and WAHC 2013 (Lecture Notes in Computer Science). A. A. Adams, M. Brenner, M. Smith, Eds.. Springer Berlin Heidelberg. pp. 34-51.
[local pdf] [official pdf] [doi] [bib]
[2013] Optimizing password composition policies.
J. Blocki, S. Komanduri, A. Procaccia and O. Sheffet. Proceedings of the fourteenth ACM conference on Electronic commerce (EC 2013). New York, NY, USA: ACM. 2013. pp. 105-122.
[local pdf] [official pdf] [cites] [doi] [bib]
[2012] How does your password measure up? The effect of strength meters on password creation.
B. Ur, P. G. Kelley, S. Komanduri, J. Lee, M. Maass, M. L. Mazurek, T. Passaro, R. Shay, T. Vidas, L. Bauer, N. Christin and L. F. Cranor. Proceedings of the 21st USENIX conference on Security symposium (USENIX Security 2012). Berkeley, CA, USA: USENIX Association. 2012. pp. 5-5.
[local pdf] [official pdf] [cites] [bib]
[2012] * Helping Users Create Better Passwords.
B. Ur, P. G. Kelley, S. Komanduri, J. Lee, M. Maass, M. L. Mazurek, T. Passaro, R. Shay, T. Vidas, L. Bauer, N. Christin, L. F. Cranor, S. Egelman and J. Lopez. Usenix Login. vol. 37. no. 6. 2012. pp. 51-57.
[local pdf] [bib]
[2012] Correct horse battery staple: exploring the usability of system-assigned passphrases.
R. Shay, P. G. Kelley, S. Komanduri, M. L. Mazurek, B. Ur, T. Vidas, L. Bauer, N. Christin and L. F. Cranor. Proceedings of the Eighth Symposium on Usable Privacy and Security (SOUPS 2012). New York, NY, USA: ACM. 2012. pp. 7:1-7:20.
[local pdf] [official pdf] [cites] [doi] [bib]
[2012] Guess Again (and Again and Again): Measuring Password Strength by Simulating Password-Cracking Algorithms.
P. G. Kelley, S. Komanduri, M. L. Mazurek, R. Shay, T. Vidas, L. Bauer, N. Christin, L. F. Cranor and J. Lopez. Proceedings of the 2012 IEEE Symposium on Security and Privacy (Oakland 2012). Washington, DC, USA: IEEE Computer Society. pp. 523-537
[local pdf] [official pdf] [cites] [doi] [bib]
[2011] Of passwords and people: measuring the effect of password-composition policies.
S. Komanduri, R. Shay, P. G. Kelley, M. L. Mazurek, L. Bauer, N. Christin, L. F. Cranor and S. Egelman. Proceedings of the 2011 annual conference on Human factors in computing systems (CHI 2011). New York, NY, USA: ACM. pp. 2595-2604
Honorable Mention
[local pdf] [official pdf] [cites] [doi] [bib]
[2010] Encountering stronger password requirements: user attitudes and behaviors.
R. Shay, S. Komanduri, P. G. Kelley, P. G. Leon, M. L. Mazurek, L. Bauer, N. Christin and L. F. Cranor. Proceedings of the Sixth Symposium on Usable Privacy and Security (SOUPS 2010). New York, NY, USA: ACM. 2010. pp. 2:1-2:20
[local pdf] [official pdf] [cites] [doi] [bib]
[2008] Order and entropy in picture passwords.
S. Komanduri, D. R. Hutchings. Proceedings of graphics interface 2008 (GI 2008). Toronto, Ont., Canada, Canada: Canadian Information Processing Society. pp. 115-122
[local pdf] [official pdf] [cites] [bib]
[2007] * Improving Password Usability with Visual Techniques.
S. Komanduri. M.S. Thesis. Bowling Green State University. 2007.
[local pdf] [official pdf] [cites] [bib]
Powered by bibtexbrowser

Warnings Research

[2013] Your attention please: designing security-decision UIs to make genuine risks harder to ignore.
C. Bravo-Lillo, S. Komanduri, L. F. Cranor, R. W. Reeder, M. Sleeper, J. Downs and S. Schechter. Proceedings of the Ninth Symposium on Usable Privacy and Security (SOUPS 2013). New York, NY, USA: ACM. 2013. pp. 6:1-6:12
Distinguished Paper Award.
[local pdf] [official pdf] [cites] [doi] [bib]
[2012] Operating system framed in case of mistaken identity: measuring the success of web-based spoofing attacks on OS password-entry dialogs.
C. Bravo-Lillo, L. Cranor, J. Downs, S. Komanduri, S. Schechter and M. Sleeper. Proceedings of the 2012 ACM conference on Computer and communications security (CCS 2012). New York, NY, USA: ACM. pp. 365-377.
[local pdf] [official pdf] [cites] [doi] [bib]
[2011] * Bridging the Gap in Computer Security Warnings: A Mental Model Approach.
C. Bravo-Lillo, L. F. Cranor, J. Downs and S. Komanduri. IEEE Security and Privacy. vol. 9. no. 2. mar 2011. pp. 18-26.
[local pdf] [official pdf] [cites] [doi] [bib]
[2011] Improving computer security dialogs.
C. Bravo-Lillo, L. F. Cranor, J. Downs, S. Komanduri and M. Sleeper. Proceedings of the 13th IFIP TC 13 international conference on Human-computer interaction - Volume Part IV (INTERACT 2011). Berlin, Heidelberg: Springer-Verlag. 2011. pp. 18-35.
[local pdf] [official pdf] [cites] [bib]
Powered by bibtexbrowser

Privacy on Social Networks

[2013] The Post Anachronism: The Temporal Dimension of Facebook Privacy.
L. Bauer, L. F. Cranor, S. Komanduri, M. L. Mazurek, M. K. Reiter, M. Sleeper and B. Ur. Proceedings of the 12th ACM Workshop on Workshop on Privacy in the Electronic Society (WPES 2013). New York, NY, USA: ACM. 2013. pp. 1-12.
[local pdf] [official pdf] [doi] [bib]
[2011] "I regretted the minute I pressed share": a qualitative study of regrets on Facebook.
Y. Wang, G. Norcie, S. Komanduri, A. Acquisti, P. G. Leon and L. F. Cranor. Proceedings of the Seventh Symposium on Usable Privacy and Security (SOUPS 2011). New York, NY, USA: ACM. 2011. pp. 10:1-10:16.
[local pdf] [official pdf] [cites] [doi] [bib]
Powered by bibtexbrowser

Social Search

[2012] Around the Water Cooler: Shared Discussion Topics and Contact Closeness in Social Search.
S. Komanduri, L. Fang, D. Huffaker and J. Staddon. Proceedings of the Sixth International AAAI Conference on Weblogs and Social Media (ICWSM-12). 2012.
[local pdf] [official pdf] [cites] [bib]
Powered by bibtexbrowser

Behavioral Advertising

[2011] AdChoices? Compliance with Online Behavioral Advertising Notice and Choice Requirements.
S. Komanduri, R. Shay, G. Norcie, B. Ur and L. F. Cranor. I/S: A Journal of Law & Policy for the Information Society. vol. 7. 2011. pp. 603-638.
[local pdf] [cites] [bib]
Powered by bibtexbrowser


CMUIntroduction to Information Security

Fall 2012Teaching Assistant

  • Professor: Nicolas Christin
  • Graduate-only course provided in-depth survey of many information security topics including threat models, cryptography, digital forensics, software vulnerabilities, network security, anonymity, and security economics
  • Students required to recreate specific exploits like smashing the stack with a buffer overflow, complete written homeworks and exams, and critique classic papers
  • Duties included delivering a guest lecture, assisting students with homework and lab assignments, holding office hours, and grading

CMUWeb Commerce, Security, and Privacy

Fall 2011Teaching Assistant

  • Professor: Norman Sadeh
  • Attended by both undergraduate students in computer science and graduate students from the Tepper business school who had selected an IT specialization
  • First half of course introduced technologies used in web commerce and considered their security issues, second half of course covered web commerce businesses and the computer science concepts they utilize such as automatic auctions, search, and recommender systems
  • Students required to present concepts, write case studies, and complete written homeworks and exams.
  • Duties included delivering a guest lecture, designing homework and exam problems, critiquing student presentations, holding office hours, and grading

Pittsburgh Science and Technology Academy (SciTech)Computational thinking


  • Taught by graduate students at CMU as part of the SCS4ALL outreach project
  • Attended by students in grades 6 - 9 who selected the course as an elective
  • Taught classes on information theory, algorithms, probability, cryptography, randomness, and fractals
  • Students worked on semester-long programming projects and completed hands-on, in-class activities to demonstrate understanding of the material
  • Duties included creating several lectures and assiting students with projects

Guest LecturesDelivered at CMU

Usable Security

  • Introduction to usable security for students in an information security course, taught using secure delete and healthcare leaks as case studies
  • Length: One hour

Internet Security Protocols

  • Introduction to security protocols and potential vulnerabilities, taught using Needham-Schroeder and TLS as case studies
  • Length: One hour

How to evaluate graphical password systems

  • An overview of graphical password systems for students in a usable security course
  • Covers their advantages and disadvantages from both usability and security perspectives
  • Length: 75 minutes


Redmond, WAMicrosoft Research

2012Research Intern

Mountain View, CAGoogle

2011Research Intern

  • Supervisors: Jessica Staddon, David Huffaker, and Ed H. Chi
  • Worked on Google+ project team during launch
  • Performed research and statistical analysis relevant to Google’s social products


  • Lorrie CranorUsable Privacy and Security
  • Lorrie CranorPrivacy Policy, Law, and Technology

  • George LoewensteinBehavioral Economics

  • Michael ShamosLaw of Computer Technology

  • Tom Mitchell, Eric Xing, Aarti SinghMachine Learning
  • Larry WassermanIntermediate Statistics
  • Howard SeltmanExperimental Design for Behavioral and Social Sciences


Pittsburgh, PACarnegie Mellon University
  • 2009 - 2014 (expected)Ph.D. in Computation, Organizations, and Society
  • 2011M.S. in Computation, Organizations, and Society

Bowling Green, OhioBowling Green State University
  • 2006 - 2007M.S. in Computer Science (4.0 GPA)
  • 2002 - 2005B.S. in Computer Science
    - Minors in Mathematics and Business Administration


  • Statistics: R (preferred), SPSS, and MATLAB
  • Languages: C/C++, Ruby, LaTeX, Java, Python, COBOL, FORTRAN, Perl, Visual Basic, Assembler, and others
  • Networking: Cisco IOS, Routing (EIGRP, OSPF, IS-IS, and BGP), VLANs, VPNs and QoS tuning
  • Hardware: Hard drive data recovery, Intel/AMD/Apple hardware diagnosis and repair

  • Cisco CCNP, CCDA, CCNA
  • Microsoft MCSE, MCP
  • Apple ACDT, ACPT
  • CompTIA A+, Linux+

  • 2003 and 2005 ACM/BGSU Programming Contest Champion


Perrysburg, OhioPerrysburg Heights Community Center


  • Removed malware from infected systems
  • Performed PC/network maintenance and troubleshooting

Bowling Green, OhioBowling Green State University ITS

2006 - 2007Hardware Support Supervisor

  • Managed and trained employees in troubleshooting and repair of hardware issues
  • Provided hardware diagnosis and repair services for over 10,000 desktop and laptop systems on campus
  • Provided installation, configuration, and support services to users with Windows-based systems and UNIX-based systems (including Linux and Mac OS X)
  • Main contact for emergency repairs and customer service issues
  • Specialized in hard drive data recovery and operating system repairs

Waterville, OhioOnline Brokerage Services

2005Web Developer / IT Support

  • Created and rebuilt public websites with Visual Studio.NET
  • Duties included PC support and server administration

Toledo, OhioLucas County Information Services

1999 - 2001Network Technician

  • Personally responsible for maintenance, repair, and upgrades for approximately 150 PCs and coincident networking in various county departments
  • Interacted directly with users and departments in resolving hardware and software issues
  • Developed strategies for software distribution and network-wide upgrades

(pre-2000)Previous employers
  • Best Buy
  • Medical College of Ohio


  • Video and board games
  • Drums
  • Bicycling



Comment? Question? Just want to say "Hello"?

You can reach me by filling out the contact form below. It should reach me fairly quickly, and I will get back to you as soon as possible.

Your Name:
Your Email:
verification provided by reCAPTCHA


View Saranga Komanduri's profile on LinkedIn

References available upon request. Thank you for your kind consideration of my CV.