Lancaster University, SCC foto

Jeff Yan

I did my Ph.D. with Ross Anderson in the Security Group at Cambridge University.

We started to work on usable security long before it's so called. The password security and memorability study I did with colleagues in the 1990's (first published in 2000) has been widely recognised as an early influential work in usable security, a currently booming field in both academia and industry. I was a contributor to the first book on usable security, "Security and Usability: Designing Secure Systems that People Can Use" (edited by Cranor and Garfinkel, OReilly & Associates 2005), and served on the Program Committee for the first Symposium On Usable Privacy and Security (SOUPS'05, Carnegie Mellon). In 2014, I was given a (in fact, the first) SOUPS Impact Award in the USA for a paper I wrote in 2008. The award is presented every three years, recognising a SOUPS paper that has had a significant impact on usable security and privacy research and practice.

My work on graphical passwords, Background Draw a Secret (BDAS) [ACM CCS'07] and Shoulder-Surfing Resistant BDAS (SSR-BDAS) [SOUPS'11], were selected by the Royal Society - the UK's national academy of science - for their 2008 Summer Science Exhibition. Since 2011, Microsoft has deployed a version of BDAS in Windows 8 OS and its successors. On the offensive front, in collaboration with Ben Zhu at Microsoft Research, I've developed novel concepts and methods [WWW'13] [CCS'14] for analysing the security of graphical passwords. Our methods for the first time revealed severe security vulnerabilities in a major family of graphical password designs, which was extensively studied in the literature before our work. We also developed the first method for generating high-quality 'graphical honeywords', successfully extending the notion of honeyword from text passwords (proposed by Ariel Juels and Turing Award winner Ron Rivest) to graphical passwords.

My work on the robustness of Captcha (automated Turing tests), a standard Internet security mechanism, has led to highly cited papers (e.g. [ACSAC'07], [CCS'08], [CCS'10]), and influenced the system design of major companies such as Microsoft, Yahoo! and Google. Some technology developed by my team was licensed to Yahoo!. Invited talks were given at Cambridge, Cisco, Google, Microsoft and Yahoo!, as well as to the Messaging Anti-Abuse Working Group - this global industry consortium represented at the time nearly one billion mailboxes and considered my participation in their meeting "important in the global fight against online abuse". For this line of work, my duo team (with student Ahmad) was a finalist for a Times Higher Education award in the category of the Outstanding Engineering Research Team of the Year in the UK in 2009. A recent breakthrough was achieved via collaborating with HC Gao in China, and our joint effort has led to a surprisingly simple, low-cost, generic but powerful attack [NDSS'16] that breaks a wide variety of Captcha designs.

My research on graphical passwords and Captchas received significant media attention. Major outlets such as BBC News, London Science Museum, MIT Technology Review, Slashdot and The Economist have featured my work.

I wrote a well cited paper with Brian Randell analysing online game cheating; was the first to argue that fairness enforcement has emerged as the most important new security concern in online games. I designed Magic Bullet [IJCAI'09], a dual-purpose game that people play online for fun but their gameplay resolves a problem that no computer algorithm can yet solve. I was the first to work on collusion detection in contract Bridge [AAAI'10] and aim-bot detection in first-person shooters, and helped to launch NetGames in 2001, which has been a successful Int'l Workshop series on Network and Systems Support for Games.

My recent collaboration with Cambridge (2013-2016) looked into deception deterrence, with the aim to further the understanding of deception, which is not only the basic problem underlying security and cybercrime, but is central to human behaviour. Interesting results on poker deception, insurance fraud and stock market are either published or in the pipeline - stay tuned!

Most recently, my team won the best student paper award at the 32nd ACSAC (Los Angeles, USA) in Dec 2016.

Some star students I've advised (drop me a line if you belong to here but I forgot!): Naser Algwil, Pablo Arrighi, Tim Barclay, Michael Broughton, Pook Leong Cho, Ahmad El Ahmad, David Griffiths, Peter Parker, Alexander Plaskett, Andrew Ruddick.

Postdocs: Jussi Palomaki, David Mordic, Yu Guang, Xingjie Wei, Beibei Liu, Budi Arief.

Selected Professional Activities

Tutorials given at major conferences

Google scholar profile

Before coming to Lancaster, I have taught at Newcastle University, England and Chinese University of Hong Kong; was the founding research director for Newcastle University Centre for Cybercrime and Computer Security; worked at Microsoft Research Asia, Hewlett-Packard Labs and Singapore DSO National Laboratories.

What's New

A security analysis of automated Chinese Turing Tests (ACSAC 2016) resolved a long-standing open problem using deep learning and won the best student paper. Joint work with Dan Ciresan @ the Swiss AI Lab IDSIA.

Targeted Online Password Guessing: An Underestimated Threat (ACM CCS'16) examines how to best do targeted online guess attacks. Our new algorithms, with 100 guesses per account, achieve avg success rates ~70% against normal users, and ~30% against security-savvy users. In a pretty quick response to our results, NIST in the USA have revised part of SP 800-63-3 Digital Authentication Guideline, and invited our further comments on SP 800-63B etc. Media coverage: Forbes, C ACM, Naked Security, the Register, Svt (Sweden), Daily Mail, Metro, the Mirror, the Sun and hundreds more outlets. YouTube has a copy of the video of my talk at CCS'16.

Machiavelli as a poker mate - a naturalistic behavioural study on strategic deception (Journal of Personality and Individual Differences, 2016) shows that Machiavellian people don't bluff more frequently but when they bluff, they do it big; they are also more distraught by getting slow-played. Machiavellianism has rarely been studied outside the laboratory via behavioural experiments, but online poker gives us a naturalistic setting for such studies! Media coverage: Daily Mail, Science Daily, PokerStrategy (English, German, Dutch, Hungarian), CalvinAyre, PokerSites, TopPokerSites, LegalUSpokersites, Poker Academie (in French).

"To Bluff like a Man or Fold like a Girl?" - Gender Biased Deceptive Behavior in Online Poker (PLoS ONE, 2016) shows that our experiment participants (poker players) bluff 6% more frequently on average at tables with female-only avatars than at tables with male-only or gender mixed avatars. This is a significant effect in games involving repeated decisions. To put it in perspective, casinos kick out of their premises anyone who is able to obtain a marginal edge over the house, e.g. a 0.5% edge in blackjack (achieved typically via card counting). Joint work with postdocs Jussi Palomaki, David Mordic et al. A fan of our work made a video presentation lecturing this paper on YouTube.

Acceleration Attacks on PBKDF2: Or, What Is Inside the Black-Box of oclHashcat? (Usenix WOOT'16) reports the fastest attack to date on PBKDF2, a crypto primitive that is implemented in widely deployed security systems such as WiFi, Microsoft .NET, Apple OS X and iOS, Cisco IOS and Blackberry, among many others.

Failures of Security APIs: A New Case (Financial Crypto'16) expands the research of Security APIs to a new setting. Pioneered by Ross Anderson, this line of research had mostly focused on Hardware Security Module and cryptographic key managements. We also show that system architecture analysis is useful both for identifying vulnerabilities in security APIs and for fixing them.

A Simple Generic Attack on Text Captchas (NDSS'16) reports a surprisingly simple, low-cost but powerful attack on Captchas. It breaks a wide variety of representative schemes, each with distinctive design features, including those deployed by Google, Microsoft, Yahoo!, Amazon and other Internet giants. Our attack is a human-like solving algorithm, and it is deeply rooted in seminal research by Cambridge academics John Daugman and David Field (now at Cornell) for very different purposes.

Novel security and privacy perspectives of camera fingerprints (SPW'16) proposes new research directions out of the usual box of signal processing, e.g. using PRNU as a PUF to build a novel authentication mechanism - "any photo you take are you"; handling new socio-technical problems such as revenge porn; and applications in privacy intrusion.

The Science and Detection of Tilting (ICMR'16) proposes novel interdisciplinary research on tilting, a significant but rarely studied phenomenon, which both psychologists and computer scientists will find a fertile topic. This has nothing to do with security or privacy, but it just so happened that I had this brainchild during a brief lunch chat with Jussi Palomaki. We joyfully wrote it up, together with postdoc Xingjie Wei and Cambridge don Peter Robinson.

Enhancing Sensor Pattern Noise for Source Camera Identification: An Empirical Evaluation (ACM IH&MMSec 2015) identifies the best way for extracting camera fingerprints from images, and debunks misconceptions in the literature. Joint work with postdocs Bei-bei Liu and Xingjie Wei.

Security Analyses of Click-based Graphical Passwords via Image Point Memorability (ACM CCS'14) introduces a novel concept and a model of image point memorability, with both defensive and offensive applications. On one hand, we develop the first method for generating high-quality graphical honeywords. The notion of honeywords was first introduced by Ariel Juels and Turing Award winner Ron Rivest at CCS'13, but their algorithms only work with text passwords. On the other hand, under our new lens, the effective password space of the state-of-the-art click-based graphical passwords is actually weaker than its commonly believed strength by a factor of 2,048. Abundant room remains for researchers in security, computer vision and psychology to improve our work. Thanks Alexei Czeskis for presenting the paper for me.

We're given the first SOUPS Impact Award. Thanks to the award committee, and thanks to the community of usable security & pricacy for reading, citing and using our results! Also thank Rob Miller for presenting the paper and Joe Bonneau for collecting the award at Facebook Headquarters on my behalf.

A New Security Primitive Based on Hard AI Problems (IEEE Trans. on Information Forensics and Security, v9 no.6, 2014) introduces CaRP, a new family of security primitives that address a number of security threats altogether, such as online dictionary attacks, relay attacks and cross-site scripting. Our work is one step forward in the paradigm of using hard AI problems for security, which was introduced by Turing Award winner Manuel Blum's team at CMU.

A surreal true story How I became notorious on campus (Spring semester, 2014).

Our WWW'13 paper Security Implications of Discretization for Click-based Graphical Passwords resolves a long-standing open problem. We show that image discretization, a fundamental technical mechanism introduced to support both security and usability of popular graphical password schemes, leaks significant password information in representative designs such as PassPoints, Cued Click Points (CCP) and Persuasive Cued Click Points (PCCP).

Our CCS'13 paper The Robustness of Hollow CAPTCHAs reports a novel attack that breaks a whole family of new designs, deployed by major companies such as Yahoo!, Tencent, Sina, China Mobile and Baidu.

Earlier highlights

Two projects on security and cybercrime research. NIFTy , funded by EU, works on image forensics (keywords: digital camera fingerprint, fast search algorithm, forensic tools, law enforcement). The EPSRC-funded "Deterrence of deception in Socio-Technical Systems" works on deception and cybercrime via an interdisciplinary approach.

The Robustness of Google CAPTCHAs has been held in private for long, and finally we have released it now. Google were informed the results in advance. Coverage by Bruce Schneier and The Economist .

CAPTCHA design: colour, usability and security (IEEE Internet Computing, March-April 2012), shows that colour misuse in CAPTCHAs has impact beyond usability. Using colour in user interface is a common practice for enhancing usability and has rarely caused security concerns. Here, we discuss interesting but critical security failures caused by colour (mis)use.

Captcha Robustness: A Security Engineering Perspective (IEEE Computer, Feb 2011) summarises our novel and successful approach to Captchas robustness analysis.

Attacks and Design of Image Recognition CAPTCHAs appears at CCS'10. We report: novel attacks on two representative image recognition CAPTHCAs: IMAGINATION (designed at Penn State around 2005) and ARTiFACIAL (designed at MSR Redmond around 2004); a theoretical explanation why well-known schemes such as IMAGINATION, ARTiFACIAL and Assira (another MSR design) have all failed; a simple framework for guiding the design of robust image recognition CAPTHCAs; and a new image recognition CAPTHCA, which we call Cortcha (Context-based Object Recognition to Tell Computers and Humans Apart). Coverage by Slashdot and Bruce Schneier.

We have released a computer game, Magic Bullet, which is a spin-off from our CAPTCHA robustness project. Our paper about this game appears at IJCAI'09 in Pasadena, CA. Coverage by CACM, Science Daily, TechRadar, Phys.Org.

A Low-cost Attack on a Microsoft CAPTCHA reports a novel attack that can break, with a success rate of higher than 60%, a CAPTCHA that was desinged by Microsoft and has been deployed for their Hotmail, MSN and Windows Live for years. Microsoft was notified our results in Sept, 2007. Responding to their request, we held this paper confidential until 10 April, 2008. Here are some frequently asked questions, and coverage in PC World, Network World, InfoWorld, Yahoo! News, ABC News, ACM Tech News, Register, Times Higher Education and MIT Technology Review (also here). Also have a look at The Economist. A peer-reviewed version appears at ACM CCS'08.

A related paper, "Is cheap labour behind the scene? - Low-cost automated attacks on Yahoo CAPTCHAs", is not released yet (an abstract is here), but has been reviewed by Yahoo! Engineering in Sunnyvale, California.

Our graphical password scheme Background Draw a Secret (BDAS) appears at ACM CCS'07. Featured by BBC News, London Science Museum, ACM Tech News, Slashdot, and many others. Details see my BDAS page. Our BDAS and SSR-BDAS were selected by the Royal Society for their annual Summer Science Exhibition (Monday 30 June - Thursday 3 July 2008, London). A piece on BDAS I wrote for the Royal Society, and one piece for the London Mathematical Society. Our exhibit. Since 2011, Microsoft has deployed a version of BDAS in Windows 8.

Research Summary

I am interested in most aspects of computer and network security, both theoretical and practical, and my recent work focuses on systems security, including human aspects of security (e.g. usable security). My previous contributions illustrate both my view of security and research methodology. Namely, security fails not only because of the lack or failure of technical mechanisms, but also because of failures of other issues such as usability and motivation, and therefore an interdisciplinary approach is needed to tackle (many) security problems.

Below you will find brief descriptions of some of my previous work and pointers to selected papers where you can find out more.

Human Aspects of Information Security

Psychology of security


Deception is not just the basic problem at the heart of cybercrime, but is central to human behaviour. More papers on this topic are forthcoming.

Usable Security

Password memorability and security

Passwords are one good example of the importance of the human factors and usability in security. In this work, carried out in collaboration with a psychologist, we tackled an old but fundamental security problem - how do you train users to choose passwords that are easy to remember but hard to guess? There's a lot of "folk wisdom" on this subject but little that would pass muster by the standards of applied psychology. We did a randomized controlled trial with four hundred of our first year science students, and produced solid empirical results. While confirming some widely held folk beliefs about passwords, we observed a number of phenomena which run counter to the established wisdom.

Graphical passwords

Secure and usable CAPTCHAs

Recent Talks

Incentive-compatible security

Failure of motivation also leads to security failure. Incentive compatible security design, as an emerging research topic, appears to be essential in an autonomous network environment like the Internet where many parties (or agents) involved are selfish.


Distributed Denial of Service (DDoS) is at heart a manifestation of what economists call the "tragedy of the commons": while everyone may have an interest in protecting a shared resource (Internet security), individuals have a stronger motive to cheat (connecting insecure computers). Most of the proposed technical countermeasures would not work, as they didn't consider the incentive issue. We propose the XenoService as a distributed remedy to DDoS attacks which can be deployed in such a way as to provide effective economic incentives for the principals to behave properly. For more information on this line of research, as well as security economics, a highly related topic, and its applications, refer to the Economics and Security Resource Page maintained by Ross Anderson.

Traditional Security Design

The design of technical mechanisms has been the traditional focus of security research. My main contribution in this aspect is the design of new techniques addressing emerging security threats, and improvement of existing security techniques.

Data structure for Security

Invited Talks

Security for network games

The emergence of online games has fundamentally changed the traditional security requirement for computer games, which was mainly copy protection. Although online games share many security issues that other networked E-commerce applications concern, e.g., payment security and service availability, some unique characteristics of online game systems impose interesting and challenging new security requirements, which call for the novel use of existing technology and the invention of new techniques. While online games are developing into a multi-billion dollar business, their security has recently started to attract researchers' attention.
Invited Talks

Proactive password checking and password protocols

In this work, we attack the classical proactive password checking method, which is based on dictionary attack and often fails to prevent some weak passwords with low entropy. A new approach is proposed to deal with this new class of weak passwords by (roughly) measuring entropy. A simple example is given to exploit effective patterns to prevent low-entropy passwords as the first step of entropy-based proactive checking. We also argue why strong password authentication protocols like EKE, SRP cannot replace proactive checking, responding to Wu's proposal in NDSS'99. Here is a piece of related work on password security that I contributed.

Denial of Service

Although denial of service (DoS) attack has become a fast-growing concern in security research, previous work focused on a type of classical service denial caused by resource exhaustion. We look into the DoS problem (including distributed DoS) from some new angles.

Others: code obfuscation for software protection, and vulnerability analysis

Applied Cryptography

I am mostly interesed in cryptanalysis, which has also informed my series of work on breaking Captchas.

API attacks


PBKDF2 is a popular crypto primitive and widely used in real systems such as Wi-Fi, Microsoft .NET, Cisco IOS and Apple's OS X. Cracking PBKDF2 with GPGPU is not news, but we will have something interesting to share here soon.

Traitor tracing

Traitor tracing is an emerging but promising cryptographic method introduced to combat copyright piracy of digital media, e.g. pay-TV. One threat model considered by researchers is that traitors, who are subscribed users in a content distribution system, build pirate decoders with their legitimate decoding keys to bypass the security mechanism of the system. Many schemes were proposed to catch traitors who leak their keys, and some supported a black-box tracing paradigm. In this work, we show that a type of intelligent self-protecting pirate decoder can defeat many black-box traitor-tracing schemes.
Invited Talks

Digital Forensics

Camera fingerprints

Teaching highlights

How to contact me

Jeff Yan
School of Computing and Communications
Lancaster University
InfoLab21, Lancaster LA1 4WA
United Kingdom
Email:  Jeff.Yan at 

Phone:  +44 1524 510396