
Jeff Yan

I did my Ph.D. with Ross Anderson in the Security Group at Cambridge University, and now lecture at Newcastle University in the UK. I am the founding research director for the Centre for Cybercrime and Computer Security at Newcastle. I used to coordinate a weekly Informal Security Meeting and manage cs-security, a local mailing list for discussing all security-related issues.

I serve on the editorial board of Springer's International Journal of Information Security (IJIS) and IEEE Transactions on Information Forensics and Security (TIFS). You are welcome to submit good papers!

Other organisations I was affiliated with in one way or another include:

I enjoy, among other hobbies, reading, photography, poker, badminton and table tennis.

What's New

Our paper Security Analyses of Click-based Graphical Passwords via Image Point Memorability will appear at ACM CCS'14.

We were given the first SOUPS Impact Award. Thanks to the award committee, and thanks to the community of usable security & privacy for reading, citing and using our results! We also thank Rob Miller for presenting the paper on our behalf, and Joe Bonneau for collecting the award for us.

In July 2014, my student Andrew Ruddick won the best BSc dissertation prize in CS at Newcastle for some cryptanalysis work on PBKDF2. We will soon release a joint paper entitled OpenCL acceleration of cryptographic primitives: experiences and lessons. Cracking PBKDF2 with GPGPU is not news, but we will have something interesting to share.

A New Security Primitive Based on Hard AI Problems (IEEE Trans. on Information Forensics and Security, v9 no.6, 2014) introduces CaRP, a new family of security primitives that address a number of security threats at once, such as online dictionary attacks, relay attacks and cross-site scripting. Our work is one step forward in the paradigm of using hard AI problems for security.

Our WWW'13 paper Security Implications of Discretization for Click-based Graphical Passwords shows that a basic mechanism underlying both security and usability of some popular graphical password schemes turns out to leak significant password information. This resolves a long-standing open problem, and has an impact on a family of widely studied systems such as PassPoints, Cued Click Points (CCP) and Persuasive Cued Click Points (PCCP).

Our CCS'13 paper The Robustness of Hollow CAPTCHAs reports a novel attack that breaks a whole family of new designs, deployed by major companies such as Yahoo!, Tencent, Sina, China Mobile and Baidu.

I'm hiring 3 postdocs for security and cybercrime research. Two will work on NIFTy, an EU-funded project on image forensics (keywords: digital camera fingerprint, fast search algorithm, forensic tools, law enforcement); one will work on the EPSRC-funded "Deterrence of deception in Socio-Technical Systems" (keywords: game cheating, natural experiment, big data analytics, psychology of deception, Ross Anderson (PI)). Ideally, the "Deception" project is looking for a psychologist who can program!

Earlier highlights

Our paper The Robustness of Google CAPTCHAs has been held in private for a long time, and we have finally released it. Google were informed of the results in advance. Coverage by Bruce Schneier and The Economist.

In CAPTCHA design: colour, usability and security (IEEE Internet Computing, March-April 2012), we show that misusing colours in CAPTCHAs can harm usability and has interesting but critical implications for security, even though using colour in UI is a common practice for enhancing usability and has rarely caused security failures.

Captcha Robustness: A Security Engineering Perspective (IEEE Computer, Feb 2011) summarises our novel and successful approach to Captcha robustness analysis.

Our paper on shoulder-surfing resistant DAS graphical passwords appears at SOUPS'11. Thanks to Sacha Brostoff, who did almost the entire data analysis for the paper.

Attacks and Design of Image Recognition CAPTCHAs appears at CCS'10. We report: novel attacks on two representative image recognition CAPTCHAs, IMAGINATION (designed at Penn State around 2005) and ARTiFACIAL (designed at MSR Redmond around 2004); a theoretical explanation of why well-known schemes such as IMAGINATION, ARTiFACIAL and Asirra (another MSR design) have all failed; a simple framework for guiding the design of robust image recognition CAPTCHAs; and a new image recognition CAPTCHA, which we call Cortcha (Context-based Object Recognition to Tell Computers and Humans Apart). Coverage by Slashdot and Bruce Schneier.

Mary Ellen Zurko and I gave a full-day tutorial on usable security at ACSAC'10 (Austin, Texas) on Dec 7, 2010.

Collusion Detection in Online Bridge appears at AAAI-10 (slides).

My student Ahmad and I were a finalist for the Times Higher Education award in the category of the Outstanding Engineering Research Team of the Year, 2009.

My tutorial on usable security, given at ACM CCS'09 in Chicago, was pretty well attended and received.

I gave an invited talk on CAPTCHA robustness (slides) to the Messaging Anti-Abuse Working Group (MAAWG). Longer versions were given at Cambridge, Cisco, Google, Microsoft, Yahoo, Royal Holloway and other organisations.

We have released a computer game, Magic Bullet, which is a spin-off from our CAPTCHA robustness project. Our paper about this game appears at IJCAI'09 in Pasadena, CA. Coverage by CACM, Science Daily, Phys.Org.

A Low-cost Attack on a Microsoft CAPTCHA (with Ahmad El Ahmad). This paper reports a novel attack that can break, with a success rate higher than 60%, a CAPTCHA that was designed by Microsoft and had been deployed for Hotmail, MSN and Windows Live for years. Microsoft was notified of our results in Sept 2007. Responding to their request, we held this paper confidential until 10 April 2008. Here are some frequently asked questions, and coverage in PC World, Network World, InfoWorld, Yahoo! News, ABC News, ACM Tech News, Register, Wikipedia, Times Higher Education and MIT Technology Review (also here). Also have a look at The Economist. A peer-reviewed version appears at ACM CCS'08.

A related paper, "Is cheap labour behind the scene? - Low-cost automated attacks on Yahoo CAPTCHAs", is not released yet (an abstract is here), but has been reviewed by Yahoo! Engineering in Sunnyvale, California.

Our graphical password project has been selected by the Royal Society for its 2008 Summer Science Exhibition. A piece on BDAS I wrote for the Royal Society, and one piece for the London Mathematical Society. Drop by our exhibit in London to try out our leading graphical password system from Monday 30 June to Thursday 3 July 2008.

Breaking Visual CAPTCHAs with Naive Pattern Recognition Algorithms (with A El Ahmad), ACSAC'07. This paper reports a "pixel count" attack that works very well on quite a few CAPTCHAs. In spirit, this is an interesting "side channel" attack.

Graphical passwords: "Background Draw a Secret (BDAS)", ACM CCS'07. Featured by BBC News, ACM Tech News, London Science Museum, Slashdot, and many others. For details, see my BDAS page.

Previous highlights include Enhancing collaborative spam detection with Bloom filters (ACSAC'06), Bot, Cyborg and Automated Turing Test (Cambridge Security Protocols Workshop 2006) and Phishing mitigation (patent pending).

Selected Professional Activities

Research Summary

I am interested in most aspects of computer and network security, both theoretical and practical, and my recent work focuses on systems security, including human aspects of security (e.g. usable security). My previous contributions illustrate both my view of security and research methodology. Namely, security fails not only because of the lack or failure of technical mechanisms, but also because of failures of other issues such as usability and motivation, and therefore an interdisciplinary approach is needed to tackle (many) security problems.

Below you will find brief descriptions of some of my previous work and pointers to selected papers where you can find out more.

Human Aspects of Information Security

Usable Security

Password memorability and security

Passwords are one good example of the importance of the human factors and usability in security. In this work, carried out in collaboration with a psychologist, we tackled an old but fundamental security problem - how do you train users to choose passwords that are easy to remember but hard to guess? There's a lot of "folk wisdom" on this subject but little that would pass muster by the standards of applied psychology. We did a randomized controlled trial with four hundred of our first year science students, and produced solid empirical results. While confirming some widely held folk beliefs about passwords, we observed a number of phenomena which run counter to the established wisdom.

Graphical passwords

Secure and usable CAPTCHAs

Recent Talks

Incentive-compatible security

Failure of motivation also leads to security failure. Incentive compatible security design, as an emerging research topic, appears to be essential in an autonomous network environment like the Internet where many parties (or agents) involved are selfish.


Distributed Denial of Service (DDoS) is at heart a manifestation of what economists call the "tragedy of the commons": while everyone may have an interest in protecting a shared resource (Internet security), individuals have a stronger motive to cheat (connecting insecure computers). Most of the proposed technical countermeasures would not work, as they didn't consider the incentive issue. We propose the XenoService as a distributed remedy to DDoS attacks which can be deployed in such a way as to provide effective economic incentives for the principals to behave properly. For more information on this line of research, as well as security economics, a highly related topic, and its applications, refer to the Economics and Security Resource Page maintained by Ross Anderson.

Traditional Security Design

The design of technical mechanisms has been the traditional focus of security research. My main contribution in this aspect is the design of new techniques addressing emerging security threats, and improvement of existing security techniques.

Security for network games

The emergence of online games has fundamentally changed the traditional security requirement for computer games, which was mainly copy protection. Although online games share many security concerns with other networked e-commerce applications, e.g., payment security and service availability, some unique characteristics of online game systems impose interesting and challenging new security requirements, which call for the novel use of existing technology and the invention of new techniques. While online games are developing into a multi-billion dollar business, their security has only recently started to attract researchers' attention.

Invited Talks

Proactive password checking and password protocols

In this work, we attack the classical proactive password checking method, which is based on dictionary attacks and often fails to reject weak passwords with low entropy. A new approach is proposed to deal with this class of weak passwords by (roughly) measuring entropy. A simple example is given of exploiting effective patterns to reject low-entropy passwords, as the first step of entropy-based proactive checking. We also argue why strong password authentication protocols like EKE and SRP cannot replace proactive checking, responding to Wu's proposal in NDSS'99. Here is a piece of related work on password security that I contributed.
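As an added illustration of the gap described above (not the paper's own method), the checker below runs a classical dictionary check beside a rough entropy estimate that credits only the repeating unit of a password, so repeated or sequential strings that a wordlist never contains still get rejected. The toy wordlist and the 28-bit threshold are constructed assumptions.

```python
import math
from collections import Counter

# Constructed toy wordlist standing in for a real cracking dictionary (assumption).
DICTIONARY = {"password", "letmein", "newcastle", "qwerty", "football"}

def dictionary_check(pw: str) -> bool:
    """Classical proactive check: reject wordlist entries and trivial suffix variants."""
    stripped = pw.lower().rstrip("0123456789!")
    return pw.lower() not in DICTIONARY and stripped not in DICTIONARY

def shannon_bits(s: str) -> float:
    """Shannon entropy of the character distribution in s, times len(s)."""
    n = len(s)
    counts = Counter(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) * n

def shortest_period(pw: str) -> int:
    """Length of the shortest unit whose repetition yields pw ('abcabc' -> 3)."""
    for p in range(1, len(pw) + 1):
        if len(pw) % p == 0 and pw[:p] * (len(pw) // p) == pw:
            return p
    return len(pw)

def is_sequential(pw: str) -> bool:
    """True for alphabet or digit runs such as '12345678' or 'hgfedcba'."""
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return len(pw) >= 3 and steps in ({1}, {-1})

def estimated_bits(pw: str) -> float:
    """Rough entropy estimate: credit only the repeating unit, and credit a
    sequential run as a single character, so pattern passwords score near zero."""
    if is_sequential(pw):
        return shannon_bits(pw[0])
    return shannon_bits(pw[:shortest_period(pw)])

def proactive_check(pw: str, min_bits: float = 28.0) -> dict:
    """Run both checks; a password must pass both to be accepted."""
    bits = estimated_bits(pw)
    return {"dictionary_ok": dictionary_check(pw),
            "entropy_ok": bits >= min_bits,
            "bits": round(bits, 1)}

if __name__ == "__main__":
    # 'aaaaaaaaaaaa' passes the wordlist check but scores 0 bits.
    for pw in ["password1", "aaaaaaaaaaaa", "abcabcabcabc", "12345678", "Tyne7!wharf$9"]:
        print(pw, proactive_check(pw))
```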

Denial of Service

Although denial of service (DoS) attacks have become a fast-growing concern in security research, previous work focused on a classical type of service denial caused by resource exhaustion. We look into the DoS problem (including distributed DoS) from some new angles.

Others: code obfuscation for software protection, and vulnerability analysis

Applied Cryptography


PBKDF2 is a popular crypto primitive and widely used in real systems such as Wi-Fi, Microsoft .NET, Cisco IOS and Apple's OS X. Cracking PBKDF2 with GPGPU is not news, but we will have something interesting to share here soon.

Traitor tracing

Traitor tracing is an emerging but promising cryptographic method introduced to combat copyright piracy of digital media, e.g. pay-TV. One threat model considered by researchers is that traitors, who are subscribed users in a content distribution system, build pirate decoders with their legitimate decoding keys to bypass the security mechanism of the system. Many schemes have been proposed to catch traitors who leak their keys, and some support a black-box tracing paradigm. In this work, we show that a type of intelligent self-protecting pirate decoder can defeat many black-box traitor-tracing schemes.

Teaching highlights

How to contact me

Jeff Yan
School of Computing Science
University of Newcastle
Newcastle upon Tyne, NE1 7RU
United Kingdom
Email:  Jeff.Yan at 

Phone:  +44 191 222 8010
Fax:    +44 191 222 8232