Saranga Komanduri

www.saranga.me

(412) 256-8375

Ph.D. Candidate at Carnegie Mellon University

I am a fifth-year doctoral candidate in the School of Computer Science at Carnegie Mellon University advised by Lorrie Cranor and working in CyLab. My specialization is usable security, a human-centric approach to the design of secure systems.

My dissertation research focuses on estimating password strength using a linguistic, machine-learning framework. From a training corpus of passwords, the framework I developed learns a stochastic grammar and generates the most likely password guesses. Standard password cracking tools do not make guesses in order of likelihood, so this technique allows one to emulate a more sophisticated adversary than is available with current techniques. My framework has been used to evaluate passwords against sophisticated adversaries that can make hundreds of trillions of guesses. It was recently used to evaluate the passwords of over 25,000 students, faculty, and staff at Carnegie Mellon University.
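The guess-ordering idea in the paragraph above, as an added illustration written for this page (it is not the dissertation framework itself, which is considerably more elaborate): a minimal stochastic grammar in the structure/terminal style of the probabilistic context-free grammars of Weir et al. (2009), learned by counting from a constructed toy corpus, with a best-first search that emits guesses in non-increasing probability order and a guess-number function that reports how many guesses a simulated adversary needs before hitting a target password. All names in the block (`PasswordGrammar`, `tokenize`, `guess_number`, the `TRAINING` list) are invented for the example.

```python
import heapq
import itertools
import re
from collections import Counter, defaultdict

# Runs of letters (L), digits (D) and symbols (S). Every password has exactly
# one such tokenization, so every guess is produced by exactly one derivation.
TOKEN_RE = re.compile(r"[A-Za-z]+|[0-9]+|[^A-Za-z0-9]+")


def tokenize(password):
    """'summer13!' -> [('L6', 'summer'), ('D2', '13'), ('S1', '!')]"""
    tokens = []
    for match in TOKEN_RE.finditer(password):
        run = match.group()
        cls = "L" if run[0].isalpha() else "D" if run[0].isdigit() else "S"
        tokens.append((f"{cls}{len(run)}", run))
    return tokens


class PasswordGrammar:
    """Structure probabilities plus per-label terminal probabilities, both
    learned from a training corpus by simple counting (hypothetical example)."""

    def __init__(self, training):
        struct_counts = Counter()
        term_counts = defaultdict(Counter)
        for pw in training:
            tokens = tokenize(pw)
            struct_counts[tuple(label for label, _ in tokens)] += 1
            for label, term in tokens:
                term_counts[label][term] += 1
        n = sum(struct_counts.values())
        # Deterministic order: most probable structure first, then by labels.
        self.structures = sorted(((s, c / n) for s, c in struct_counts.items()),
                                 key=lambda x: (-x[1], x[0]))
        self.struct_prob = dict(self.structures)
        # terminals[label] lists (probability, terminal) best-first, so index 0
        # of every slot is that slot's most likely filler.
        self.terminals = {}
        self.term_prob = {}
        for label, counter in term_counts.items():
            total = sum(counter.values())
            self.terminals[label] = sorted(((c / total, t) for t, c in counter.items()),
                                           key=lambda x: (-x[0], x[1]))
            self.term_prob[label] = {t: p for p, t in self.terminals[label]}

    def probability(self, password):
        """Probability the grammar assigns to one password (0.0 if underivable)."""
        tokens = tokenize(password)
        p = self.struct_prob.get(tuple(label for label, _ in tokens), 0.0)
        for label, term in tokens:
            p *= self.term_prob.get(label, {}).get(term, 0.0)
        return p

    def _entry(self, si, indices, pivot):
        struct, p = self.structures[si]
        parts = []
        for label, idx in zip(struct, indices):
            t_prob, term = self.terminals[label][idx]
            p *= t_prob
            parts.append(term)
        # Ties are broken by the guess string so the order is reproducible.
        return (-p, "".join(parts), si, indices, pivot)

    def guesses(self, limit=None):
        """Yield (guess, probability) in non-increasing probability order.

        Best-first search over index vectors: each structure starts with its top
        terminals; popping a node pushes the nodes obtained by advancing one slot
        to its next-best terminal. Only slots at or after the slot advanced last
        (the pivot) may be advanced, so each index vector, and hence each guess,
        is reached by exactly one path and emitted exactly once.
        """
        heap = [self._entry(si, (0,) * len(struct), 0)
                for si, (struct, _) in enumerate(self.structures)]
        heapq.heapify(heap)
        emitted = 0
        while heap and (limit is None or emitted < limit):
            neg_p, guess, si, indices, pivot = heapq.heappop(heap)
            yield guess, -neg_p
            emitted += 1
            struct = self.structures[si][0]
            for i in range(pivot, len(struct)):
                if indices[i] + 1 < len(self.terminals[struct[i]]):
                    child = indices[:i] + (indices[i] + 1,) + indices[i + 1:]
                    heapq.heappush(heap, self._entry(si, child, i))

    def guess_number(self, password, max_guesses):
        """1-based position of password in the guess order, or None if the
        adversary gives up first (max_guesses reached or grammar exhausted)."""
        for rank, (guess, _) in enumerate(self.guesses(max_guesses), start=1):
            if guess == password:
                return rank
        return None


# Constructed toy corpus, not real leaked data. A real evaluation trains on
# millions of passwords and compares guess numbers across policy conditions.
TRAINING = ["password1", "password1", "password1", "letmein1", "letmein2",
            "password12", "monkey123", "summer13!", "winter13!"]

if __name__ == "__main__":
    grammar = PasswordGrammar(TRAINING)
    for guess, p in itertools.islice(grammar.guesses(), 8):
        print(f"{p:.4f}  {guess}")
    print("guess number of letmein2:", grammar.guess_number("letmein2", 10**6))
```

The point a practitioner should take from the block is the one the paragraph makes: because guesses come out in probability order, the rank at which a password is first guessed is a direct strength estimate, and a password whose structure never appears in training (for example `P@55w0rd` against this corpus) is never guessed at all, which is a limitation of any grammar learned from samples rather than evidence of strength.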

I have published full-length papers at CHI, Oakland, CCS, USENIX Security, ICWSM, SOUPS, and many other conferences. Projects that I have worked on have also been featured on a number of websites such as Ars Technica and MIT Technology Review.

Telepathwords is now live! I worked on this project with Stuart Schechter at Microsoft Research. An official press release was issued, and the project has been picked up by several news sites, including Digital Trends, Geek, Gizmodo, Inc., and TIME.

RESEARCH PROJECTS

Passwords (current work)
  • Studying the effect of password-composition requirements on password strength
  • Development of estimation techniques for password strength measurement

Computer Security Warnings (current work)
  • Assessing the rate at which non-experts ignore security warnings
  • Comparing mental models of computer security between experts and non-experts

Privacy on Social Networks (2010 - 2012)
  • Performed exploratory research into how behavioral biases affect decision-making on social networks
  • Developed tools that provide users with information relevant to privacy decisions

Behavioral Advertising (2011)
  • Measured compliance of NAI and DAA members with self-regulation guidelines

PUBLICATIONS

Awards
  • Honorable Mention at CHI 2011 (awarded to top 5% of submissions)
  • Distinguished Paper Award at SOUPS 2013 (awarded to 2/51 submissions)

All following publications are full-length, peer-reviewed conference or journal papers except where noted with a *.

Passwords

2014
USENIX Security 2014
Telepathwords: preventing weak passwords by reading users' minds.
S. Komanduri, R. Shay, L. F. Cranor, C. Herley and S. Schechter. Proceedings of the 23rd USENIX conference on Security symposium (USENIX Security 2014). 2014.
Accepted but unpublished.
Presenter.
CHI 2014
Can Long Passwords Be Secure and Usable?
R. Shay, S. Komanduri, A. L. Durity, P. S. Huh, M. L. Mazurek, S. M. Segreti, B. Ur, L. Bauer, N. Christin and L. F. Cranor. Proceedings of the 2014 Annual ACM Conference on Human Factors in Computing Systems (CHI 2014). New York, NY, USA: ACM. pp. 2927-2936.
Acceptance rate: 26.7% (382/1433)
2013
CCS 2013
Measuring Password Guessability for an Entire University.
M. L. Mazurek, S. Komanduri, T. Vidas, L. Bauer, N. Christin, L. F. Cranor, P. G. Kelley, R. Shay and B. Ur. Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security (CCS 2013). New York, NY, USA: ACM. pp. 173-186.
Acceptance rate: 19.8% (105/530)
* Modeling the adversary to evaluate password strength with limited samples.
S. Komanduri. Ph.D. Thesis Proposal. Carnegie Mellon University. 2013.
USEC 2013
The Impact of Length and Mathematical Operators on the Usability and Security of System-Assigned One-Time PINs.
P. G. Kelley, S. Komanduri, M. L. Mazurek, R. Shay, T. Vidas, L. Bauer, N. Christin and L. F. Cranor. Financial Cryptography and Data Security -- FC 2013 Workshops (USEC 2013). A. A. Adams, M. Brenner, M. Smith, Eds. Springer Berlin Heidelberg. pp. 34-51.
EC 2013
Optimizing password composition policies.
J. Blocki, S. Komanduri, A. Procaccia and O. Sheffet. Proceedings of the fourteenth ACM conference on Electronic commerce (EC 2013). New York, NY, USA: ACM. 2013. pp. 105-122.
Acceptance rate: 30.9% (72/233)
2012
USENIX Security 2012
How does your password measure up? The effect of strength meters on password creation.
B. Ur, P. G. Kelley, S. Komanduri, J. Lee, M. Maass, M. L. Mazurek, T. Passaro, R. Shay, T. Vidas, L. Bauer, N. Christin and L. F. Cranor. Proceedings of the 21st USENIX conference on Security symposium (USENIX Security 2012). Berkeley, CA, USA: USENIX Association. 2012. pp. 5-5.
Acceptance rate: 19.4% (43/222)
* Helping Users Create Better Passwords.
B. Ur, P. G. Kelley, S. Komanduri, J. Lee, M. Maass, M. L. Mazurek, T. Passaro, R. Shay, T. Vidas, L. Bauer, N. Christin, L. F. Cranor, S. Egelman and J. Lopez. Usenix Login. vol. 37. no. 6. 2012. pp. 51-57.
SOUPS 2012
Correct horse battery staple: exploring the usability of system-assigned passphrases.
R. Shay, P. G. Kelley, S. Komanduri, M. L. Mazurek, B. Ur, T. Vidas, L. Bauer, N. Christin and L. F. Cranor. Proceedings of the Eighth Symposium on Usable Privacy and Security (SOUPS 2012). New York, NY, USA: ACM. 2012. pp. 7:1-7:20.
Acceptance rate: 20.9% (14/67)
Oakland 2012
Guess Again (and Again and Again): Measuring Password Strength by Simulating Password-Cracking Algorithms.
P. G. Kelley, S. Komanduri, M. L. Mazurek, R. Shay, T. Vidas, L. Bauer, N. Christin, L. F. Cranor and J. Lopez. Proceedings of the 2012 IEEE Symposium on Security and Privacy (Oakland 2012). Washington, DC, USA: IEEE Computer Society. pp. 523-537.
Acceptance rate: 13.0% (40/307)
Presenter.
2011
CHI 2011
Of passwords and people: measuring the effect of password-composition policies.
S. Komanduri, R. Shay, P. G. Kelley, M. L. Mazurek, L. Bauer, N. Christin, L. F. Cranor and S. Egelman. Proceedings of the 2011 Annual ACM Conference on Human Factors in Computing Systems (CHI 2011). New York, NY, USA: ACM. pp. 2595-2604.
Acceptance rate: 26.8% (410/1532)
Presenter.
Honorable Mention.
2010
SOUPS 2010
Encountering stronger password requirements: user attitudes and behaviors.
R. Shay, S. Komanduri, P. G. Kelley, P. G. Leon, M. L. Mazurek, L. Bauer, N. Christin and L. F. Cranor. Proceedings of the Sixth Symposium on Usable Privacy and Security (SOUPS 2010). New York, NY, USA: ACM. 2010. pp. 2:1-2:20.
Acceptance rate: 24.6% (16/65)
Presenter.
2008
GI 2008
Order and entropy in picture passwords.
S. Komanduri, D. R. Hutchings. Proceedings of Graphics Interface 2008 (GI 2008). Toronto, Ont., Canada: Canadian Information Processing Society. pp. 115-122.
Acceptance rate: 40.0% (34/85)
Presenter.
2007
* Improving Password Usability with Visual Techniques.
S. Komanduri. M.S. Thesis. Bowling Green State University. 2007.

Computer Security Warnings

2014
SOUPS 2014
Harder to Ignore? Revisiting Pop-Up Fatigue and Approaches to Prevent It.
C. Bravo-Lillo, L. F. Cranor, S. Komanduri, S. Schechter and M. Sleeper. Proceedings of the Tenth Symposium on Usable Privacy and Security (SOUPS 2014). 2014.
Accepted but unpublished.
Presenter.
2013
SOUPS 2013
Your attention please: designing security-decision UIs to make genuine risks harder to ignore.
C. Bravo-Lillo, S. Komanduri, L. F. Cranor, R. W. Reeder, M. Sleeper, J. Downs and S. Schechter. Proceedings of the Ninth Symposium on Usable Privacy and Security (SOUPS 2013). New York, NY, USA: ACM. 2013. pp. 6:1-6:12.
Acceptance rate: 29.4% (15/51)
Distinguished Paper Award.
2012
CCS 2012
Operating system framed in case of mistaken identity: measuring the success of web-based spoofing attacks on OS password-entry dialogs.
C. Bravo-Lillo, L. Cranor, J. Downs, S. Komanduri, S. Schechter and M. Sleeper. Proceedings of the 2012 ACM conference on Computer and communications security (CCS 2012). New York, NY, USA: ACM. pp. 365-377.
Acceptance rate: 19.0% (81/426)
2011
* Bridging the Gap in Computer Security Warnings: A Mental Model Approach.
C. Bravo-Lillo, L. F. Cranor, J. Downs and S. Komanduri. IEEE Security and Privacy. vol. 9. no. 2. mar 2011. pp. 18-26.
INTERACT 2011
Improving computer security dialogs.
C. Bravo-Lillo, L. F. Cranor, J. Downs, S. Komanduri and M. Sleeper. Proceedings of the 13th IFIP TC 13 international conference on Human-computer interaction - Volume Part IV (INTERACT 2011). Berlin, Heidelberg: Springer-Verlag. 2011. pp. 18-35.
Acceptance rate: 27.9% (112/402)

Privacy on Social Networks

2013
WPES 2013
The Post Anachronism: The Temporal Dimension of Facebook Privacy.
L. Bauer, L. F. Cranor, S. Komanduri, M. L. Mazurek, M. K. Reiter, M. Sleeper and B. Ur. Proceedings of the 12th ACM Workshop on Privacy in the Electronic Society (WPES 2013). New York, NY, USA: ACM. 2013. pp. 1-12.
Acceptance rate: 29.1% (30/103)
2011
SOUPS 2011
"I regretted the minute I pressed share": a qualitative study of regrets on Facebook.
Y. Wang, G. Norcie, S. Komanduri, A. Acquisti, P. G. Leon and L. F. Cranor. Proceedings of the Seventh Symposium on Usable Privacy and Security (SOUPS 2011). New York, NY, USA: ACM. 2011. pp. 10:1-10:16.
Acceptance rate: 33.3% (15/45)

Social Search

2012
ICWSM 2012
Around the Water Cooler: Shared Discussion Topics and Contact Closeness in Social Search.
S. Komanduri, L. Fang, D. Huffaker and J. Staddon. Proceedings of the Sixth International AAAI Conference on Weblogs and Social Media (ICWSM 2012). 2012.
Acceptance rate: 20.0% (counts not provided)

Behavioral Advertising

2011
I/S (Journal)
AdChoices? Compliance with Online Behavioral Advertising Notice and Choice Requirements.
S. Komanduri, R. Shay, G. Norcie, B. Ur and L. F. Cranor. I/S: A Journal of Law & Policy for the Information Society. vol. 7. 2011. pp. 603-638.

TEACHING EXPERIENCE

Introduction to Information Security (CMU)

Teaching Assistant, Fall 2012

  • Professor: Nicolas Christin
  • Graduate-only course provided in-depth survey of many information security topics including threat models, cryptography, digital forensics, software vulnerabilities, network security, anonymity, and security economics
  • Students required to recreate specific exploits like smashing the stack with a buffer overflow, complete written homeworks and exams, and critique classic papers
  • Duties included delivering a guest lecture, assisting students with homework and lab assignments, holding office hours, and grading

Web Commerce, Security, and Privacy (CMU)

Teaching Assistant, Fall 2011

  • Professor: Norman Sadeh
  • Attended by both undergraduate students in computer science and graduate students from the Tepper business school who had selected an IT specialization
  • First half of the course introduced the technologies used in web commerce and examined their security issues; the second half covered web commerce businesses and the computer science concepts they rely on, such as automatic auctions, search, and recommender systems
  • Students required to present concepts, write case studies, and complete written homeworks and exams
  • Duties included delivering a guest lecture, designing homework and exam problems, critiquing student presentations, holding office hours, and grading

Computational Thinking (Pittsburgh Science and Technology Academy, SciTech)

Volunteer Instructor, 2012

  • Taught by graduate students at CMU as part of the SCS4ALL outreach project
  • Attended by students in grades 6 - 9 who selected the course as an elective
  • Taught classes on information theory, algorithms, probability, cryptography, randomness, and fractals
  • Students worked on semester-long programming projects and completed hands-on, in-class activities
  • Duties included creating several lectures and assisting students with projects

Guest Lecture (CMU): Internet Security Protocols
  • Introduction to security protocols and potential vulnerabilities, taught using Needham-Schroeder and TLS as case studies
  • Length: One hour

Guest Lecture (CMU): Usable Security
  • Introduction to usable security for students in an information security course, taught using secure delete and health-care leaks as case studies
  • Length: One hour

Guest Lecture (CMU): How to Evaluate Graphical Password Systems
  • An overview of graphical password systems for students in an information security course, as part of a usable security module
  • Covers advantages and disadvantages from both usability and security perspectives
  • Length: 75 minutes

EDUCATION

Carnegie Mellon University, Pittsburgh, PA
  • Ph.D. in Computation, Organizations, and Society, 2014 (expected)
  • M.S. in Computation, Organizations, and Society, 2009 - 2011

Bowling Green State University, Bowling Green, Ohio
  • M.S. in Computer Science (4.0 GPA), 2006 - 2007
  • B.S. in Computer Science, 2002 - 2005
    - Minors in Mathematics and Business Administration

INTERNSHIPS

Microsoft Research, Redmond, WA

Research Intern, 2012

Google, Mountain View, CA

Research Intern, 2011

  • Supervisors: Jessica Staddon, David Huffaker, and Ed H. Chi
  • Performed research and statistical analysis relevant to Google’s social products

PHD-LEVEL COURSES

Privacy
  • Usable Privacy and Security (Lorrie Cranor)
  • Privacy Policy, Law, and Technology (Lorrie Cranor)

Judgment and Decision Making
  • Behavioral Economics (George Loewenstein)

Law
  • Law of Computer Technology (Michael Shamos)

Statistics and Machine Learning
  • Machine Learning (Tom Mitchell, Eric Xing, Aarti Singh)
  • Intermediate Statistics (Larry Wasserman)
  • Experimental Design for Behavioral and Social Sciences (Howard Seltman)

TECHNICAL SKILLS

Proficiencies
  • Statistics: R (preferred), SPSS, and MATLAB
  • Frameworks: Apache Hadoop, Ruby on Rails
  • Languages: C/C++, Perl, Ruby, JavaScript, Python, LaTeX, Java, COBOL, FORTRAN, Visual Basic, Assembler, and others
  • Network engineering: Cisco IOS, Routing (EIGRP, OSPF, IS-IS, and BGP), VLANs, VPNs and QoS tuning
  • Hardware: Hard drive data recovery, Intel/AMD/Apple hardware diagnosis and repair

IT Certifications
  • Cisco CCNP, CCDA, CCNA
  • Microsoft MCSE, MCP
  • Apple ACDT, ACPT
  • CompTIA A+, Linux+

WORK EXPERIENCE

Bowling Green State University ITS, Bowling Green, Ohio

Hardware Support Supervisor, 2006 - 2007

  • Managed and trained employees in troubleshooting and repair of hardware issues
  • Provided hardware diagnosis and repair services for over 10,000 desktop and laptop systems on campus
  • Provided installation, configuration, and support services to users with Windows-based systems and UNIX-based systems (including Linux and Mac OS X)
  • Main contact for emergency repairs and customer service issues
  • Specialized in hard drive data recovery and operating system repairs

Online Brokerage Services, Waterville, Ohio

Web Developer / IT Support, 2005

  • Created and rebuilt public websites with Visual Studio.NET
  • Duties included PC support and server administration

Lucas County Information Services, Toledo, Ohio

Network Technician, 1999 - 2001

  • Personally responsible for maintenance, repair, and upgrades for approximately 150 PCs and their associated networking in various county departments
  • Interacted directly with users and departments in resolving hardware and software issues
  • Developed strategies for software distribution and network-wide upgrades

HOBBIES

  • Video and board games
  • Drums
  • Bicycling

CONTACT ME

Comment? Question? Just want to say "Hello"?

You can reach me by filling out the contact form below. It should reach me fairly quickly, and I will get back to you as soon as possible.


SOCIAL MEDIA

View Saranga Komanduri's profile on LinkedIn