| Event Date | December 2, 2025, 12 pm |
| Location | MSEE 112 |

Abstract
For over a decade, I have studied various aspects of authentication ecosystems. I will first briefly discuss my initial journey modeling passwords and helping users create better passwords. The focus of the talk, however, will be a measurement study we performed of the University of Chicago’s vulnerability to credential-guessing attacks across twenty years. We collaborated with our university’s IT Security team to retrospectively analyze the degree to which both reused passwords (when a user employs similar credentials across different sites) and common passwords put our users at risk. Given a list of university usernames, we searched for matches in data breaches from hundreds of websites. Ultimately, we successfully guessed passwords for thousands of UChicago affiliates. I will conclude my talk by discussing our parallel investigations of FIDO2 passwordless authentication, including analyzing why passkeys have not yet replaced passwords for web authentication.
Biography
Blase Ur is an Associate Professor of Computer Science at the University of Chicago, where he studies computer security, privacy, human-computer interaction, and ethical AI. His lab, the UChicago SUPERgroup, uses data-driven methods to make complex computer systems more usable and to help users make better security and privacy decisions. He received the 2025 CRA Undergraduate Research Faculty Mentoring Award, an NSF CAREER Award, the Quantrell Award for Undergraduate Teaching, a Fulbright scholarship, and five best/distinguished paper awards. He holds degrees from Carnegie Mellon University (PhD and MS) and Harvard University (AB). He really likes bicycles, guitars, and cacti/succulents.
