22 Profile: Dr. Cormac Herley

Dr. Cormac Herley is an unintentional disruptor. He says things that challenge long-standing dogma, which not everyone wants to hear, especially those who have invested millions of dollars and decades of effort into doing the exact opposite. Dr. Herley uses data mining to seek the truth. He is well aware that some of his contrarian, data-backed views may take a decade or longer before people even listen.

One example is his research into computer passwords. The conventional wisdom is that passwords need to be long, complex, and frequently changed. Dr. Herley's research (https://www.microsoft.com/en-us/research/wp-content/uploads/2016/09/pushingOnString.pdf) showed that this globally accepted reasoning, endorsed by nearly every computer security expert and written into nearly every security guideline ever produced, is probably wrong at best and is likely making the problem worse. His research showed that long and complex passwords do not mitigate most password compromises today: phishing, keyloggers, credential reuse, and stolen password databases do not care how strong the password is, while the extra complexity and forced rotation push users into riskier habits, such as writing passwords down or reusing them across sites.
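To make the "don't care" region argument concrete, here is a small calculation I have added as an illustration; it is not code from the book or from Dr. Herley's paper. It models how many guesses an attacker gets against a rate-limited login versus a stolen hash database, and how many bits of entropy (and how many characters of a uniformly random password) are needed to survive each. The lockout policy, hash rates, and attack horizons are constructed assumptions chosen to be plausible orders of magnitude, not measured figures.

```python
import math

# Constructed assumptions (not figures from the page or the paper).
ONLINE_GUESSES_PER_WINDOW = 10                  # hypothetical lockout: 10 tries ...
ONLINE_WINDOW_SECONDS = 15 * 60                 # ... per 15 minutes per account
ONLINE_HORIZON_SECONDS = 365 * 24 * 3600        # attacker keeps trying for a year
OFFLINE_FAST_HASH_RATE = 1e10                   # guesses/s, unsalted fast hash on GPUs
OFFLINE_SLOW_HASH_RATE = 1e4                    # guesses/s, memory-hard/slow hash
OFFLINE_HORIZON_SECONDS = 30 * 24 * 3600        # a month of cracking a leaked dump
PRINTABLE_ASCII = 94                            # size of the printable ASCII alphabet


def online_guess_budget(per_window, window_seconds, horizon_seconds):
    """Total guesses against one account that a lockout policy still permits."""
    return per_window * (horizon_seconds / window_seconds)


def offline_guess_budget(rate_per_second, horizon_seconds):
    """Total guesses an attacker holding the hash database can make offline."""
    return rate_per_second * horizon_seconds


def bits_to_resist(total_guesses, max_success_prob=0.5):
    """Entropy a uniformly random password needs so that `total_guesses`
    guesses succeed with probability at most `max_success_prob`.
    P(success) = guesses / 2**bits  =>  bits = log2(guesses / p).
    Real human-chosen passwords are far from uniform, so treat the
    result as a floor, not a guarantee."""
    return math.log2(total_guesses / max_success_prob)


def min_length(bits, alphabet_size=PRINTABLE_ASCII):
    """Shortest uniformly random string over `alphabet_size` symbols
    carrying at least `bits` of entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


def dont_care_region(online_guesses, offline_guesses, p=0.5):
    """Return (lower, upper) entropy bounds. Below `lower` the password
    falls to online guessing, so every password must clear it. Above
    `upper` it also survives offline cracking of a leaked hash. Extra
    strength between the two bounds protects against nothing: that is
    the region where policy is 'pushing on string'."""
    return bits_to_resist(online_guesses, p), bits_to_resist(offline_guesses, p)


if __name__ == "__main__":
    online = online_guess_budget(ONLINE_GUESSES_PER_WINDOW,
                                 ONLINE_WINDOW_SECONDS, ONLINE_HORIZON_SECONDS)
    for label, rate in (("fast hash", OFFLINE_FAST_HASH_RATE),
                        ("slow hash", OFFLINE_SLOW_HASH_RATE)):
        offline = offline_guess_budget(rate, OFFLINE_HORIZON_SECONDS)
        lo, hi = dont_care_region(online, offline)
        print(f"{label}: online needs {lo:.1f} bits ({min_length(lo)} chars), "
              f"offline needs {hi:.1f} bits ({min_length(hi)} chars); "
              f"no benefit between them")
```

Run it and the gap between the two thresholds is the point: a composition rule that pushes users from, say, 3 random characters to 6 changes nothing against online guessing (already resisted) or against fast-hash offline cracking (still lost), and it changes nothing at all against phishing or reuse, which never make a guess. Where the server uses a slow hash, the upper threshold drops sharply, which is a server-side decision the user cannot influence.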

He has even been bold enough to say that "most [computer] security advice is a waste of time" (https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/SoLongAndNoThanks.pdf), and he backs it with data and evidence. Dr. Herley is my kind of guy.

Dr. Herley got his PhD from Columbia ...
