University of Newcastle, Computing Science

Jeff Yan

I did my Ph.D. with Ross Anderson in the Security Group at Cambridge University, and now lecture at Newcastle University in the UK. I am the founding research director for the Centre for Cybercrime and Computer Security at Newcastle. I used to coordinate weekly Informal Security Meetings and manage cs-security, a local emailing list for discussing all security-related issues.

I serve on the editorial board of Springer's International Journal of Information Security (IJIS) and IEEE Transactions on Information Forensics and Security (TIFS). Welcome to submit good papers!

Other organisations I was affiliated with in one way or another include:

I enjoy, among other hobbies, reading, photography, poker, badminton and table tennis.

What's New

Dagstuhl seminar on Socio-technical Security Metrics, Nov 30 - Dec 5, 2014

Our paper Security Analyses of Click-based Graphical Passwords via Image Point Memorability (ACM CCS'14) introduces a novel concept and a model of image point memorability, with both defensive and offensive applications. On one hand, we develop the first method for generating high-quality graphical honeywords. The notion of honeywords was first introduced by Ariel Juels and Turing Award winner Ron Rivest at CCS'13, but their algorithms only work with text passwords. On the other hand, under our new lens, the effective password space of state-of-the-art click-based graphical passwords is actually weaker than its commonly believed strength by a factor of 2,048. Abundant room remains for researchers in security, computer vision and psychology to improve on our work. Thanks to Alexei Czeskis for presenting the paper for me.
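As an added illustration of the honeyword idea the paragraph above builds on (the text-password scheme of Juels and Rivest, not the graphical honeywords of the CCS'14 paper, and not code from that paper), the following example is written for this page. It assumes a simplified decoy generator that tweaks the trailing digits of the real password, a constructed user "alice" with a constructed password, and a PBKDF2 work factor chosen for the demo; the point it shows is the split between the credential store, which holds hashes of every sweetword without marking the real one, and a separate honeychecker that alone knows the real index and raises an alarm when a decoy is submitted.

```python
import hashlib
import hmac
import random
import secrets
import string

ITERATIONS = 10_000  # PBKDF2 work factor; a constructed value for this demo


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def tweak_tail(password: str, rng: random.Random) -> str:
    """Make one decoy by replacing the trailing digits of the real password
    (a simplified form of Juels and Rivest's 'chaffing by tweaking', assumed here).
    A password with no trailing digits gets two random digits appended."""
    stem = password.rstrip(string.digits)
    width = (len(password) - len(stem)) or 2
    while True:
        decoy = stem + "".join(rng.choice(string.digits) for _ in range(width))
        if decoy != password:
            return decoy


def generate_sweetwords(password: str, k: int, seed=None):
    """Return (sweetwords, real_index): the real password plus k distinct decoys,
    shuffled so that position reveals nothing. seed exists only for reproducible tests."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    decoys = set()
    while len(decoys) < k:
        decoys.add(tweak_tail(password, rng))
    words = sorted(decoys) + [password]
    rng.shuffle(words)
    return words, words.index(password)


class PasswordStore:
    """The credential database an attacker might steal: salted hashes of all
    sweetwords, with nothing indicating which one is real."""

    def __init__(self):
        self._records = {}

    def enroll(self, user: str, sweetwords):
        salt = secrets.token_bytes(16)
        self._records[user] = (salt, [_hash(w, salt) for w in sweetwords])

    def match_index(self, user: str, password: str):
        """Index of the sweetword matching password, or None if none matches."""
        salt, hashes = self._records[user]
        h = _hash(password, salt)
        for i, stored in enumerate(hashes):
            if hmac.compare_digest(h, stored):
                return i
        return None


class HoneyChecker:
    """Separate minimal service holding only each user's real index, so that a
    compromise of the PasswordStore alone does not reveal which sweetword is real."""

    def __init__(self):
        self._real_index = {}
        self.alarms = []

    def register(self, user: str, index: int):
        self._real_index[user] = index

    def check(self, user: str, index: int) -> bool:
        if self._real_index.get(user) == index:
            return True
        self.alarms.append((user, index))  # a decoy was used: likely cracked store
        return False


def login(store: PasswordStore, checker: HoneyChecker, user: str, password: str) -> str:
    idx = store.match_index(user, password)
    if idx is None:
        return "reject"  # an ordinary wrong password
    if checker.check(user, idx):
        return "accept"
    return "honeyword-alarm"  # a sweetword that is not the real password


if __name__ == "__main__":
    words, real = generate_sweetwords("summer2014", 4)  # constructed credential
    store, checker = PasswordStore(), HoneyChecker()
    store.enroll("alice", words)
    checker.register("alice", real)
    print(login(store, checker, "alice", "summer2014"))
    print(login(store, checker, "alice", next(w for w in words if w != "summer2014")))
```

The decoys must be plausible enough that an attacker who cracks the store cannot tell them from the real password; tail-tweaking is the simplest of the chaffing strategies and is used here only to make the store/checker split concrete.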

We were given the first SOUPS Impact Award. Thanks to the award committee, and thanks to the community of usable security & privacy for reading, citing and using our results! Thanks also to Rob Miller for presenting the paper for me, and to Joe Bonneau for collecting the award at Facebook Headquarters on my behalf.

In July 2014, my student Andrew Ruddick won the best BSc dissertation prize in CS at Newcastle for some cryptanalysis work on PBKDF2. We will soon release a joint paper entitled OpenCL acceleration of cryptographic primitives: experiences and lessons. Cracking PBKDF2 with GPGPU is not news, but we will have something interesting to share.

A New Security Primitive Based on Hard AI Problems (IEEE Trans. on Information Forensics and Security, v9 no.6, 2014) introduces CaRP, a new family of security primitives that address a number of security threats altogether, such as online dictionary attacks, relay attacks and cross-site scripting. Our work is one step forward in the paradigm of using hard AI problems for security, which was introduced by Turing Award winner Manuel Blum's team at CMU.

A surreal true story How I became notorious on campus (Spring semester, 2014).

Our WWW'13 paper Security Implications of Discretization for Click-based Graphical Passwords resolves a long-standing open problem. We show that image discretization, a fundamental technical mechanism introduced to support both security and usability of popular graphical password schemes, leaks significant password information in representative designs such as PassPoints, Cued Click Points (CCP) and Persuasive Cued Click Points (PCCP).

Our CCS'13 paper The Robustness of Hollow CAPTCHAs reports a novel attack that breaks a whole family of new designs, deployed by major companies such as Yahoo!, Tencent, Sina, China Mobile and Baidu.

Earlier highlights

Two projects on security and cybercrime research. NIFTy, funded by the EU, works on image forensics (keywords: digital camera fingerprint, fast search algorithm, forensic tools, law enforcement). The EPSRC-funded "Deterrence of deception in Socio-Technical Systems" works on deception and cybercrime via an interdisciplinary approach.

Our paper The Robustness of Google CAPTCHAs was held private for a long time, and we have finally released it. Google was informed of the results in advance. Coverage by Bruce Schneier and The Economist.

In CAPTCHA design: colour, usability and security (IEEE Internet Computing, March-April 2012), we show that misusing colours in CAPTCHAs can harm usability and has interesting but critical implications for security, even though using colour in a UI is a common practice for enhancing usability and has rarely caused security failures.

Captcha Robustness: A Security Engineering Perspective (IEEE Computer, Feb 2011) summarises our novel and successful approach to Captcha robustness analysis.

Our paper on shoulder-surfing resistant DAS graphical passwords appears at SOUPS'11. Thanks to Sacha Brostoff, who did almost the entire data analysis for the paper.

Attacks and Design of Image Recognition CAPTCHAs appears at CCS'10. We report: novel attacks on two representative image recognition CAPTCHAs, IMAGINATION (designed at Penn State around 2005) and ARTiFACIAL (designed at MSR Redmond around 2004); a theoretical explanation of why well-known schemes such as IMAGINATION, ARTiFACIAL and Asirra (another MSR design) have all failed; a simple framework for guiding the design of robust image recognition CAPTCHAs; and a new image recognition CAPTCHA, which we call Cortcha (Context-based Object Recognition to Tell Computers and Humans Apart). Coverage by Slashdot and Bruce Schneier.

Mary Ellen Zurko and I gave a full-day tutorial on usable security at ACSAC'10 (Austin, Texas) on Dec 7, 2010.

Collusion Detection in Online Bridge appears at AAAI-10 (slides).

My duo team (with student Ahmad) was a finalist for the Times Higher Education Award in the category of the Outstanding Engineering Research Team of the Year in the UK, 2009.

My tutorial on usable security, given at ACM CCS'09 in Chicago, was pretty well attended and received.

I gave an invited talk on CAPTCHA robustness (slides) to the Messaging Anti-Abuse Working Group (MAAWG). Longer versions were given at Cambridge, Cisco, Google, Microsoft, Yahoo, Royal Holloway and other organisations.

We have released a computer game, Magic Bullet, which is a spin-off from our CAPTCHA robustness project. Our paper about this game appears at IJCAI'09 in Pasadena, CA. Coverage by CACM, Science Daily, Phys.Org.

A Low-cost Attack on a Microsoft CAPTCHA (with Ahmad El Ahmad). This paper reports a novel attack that can break, with a success rate higher than 60%, a CAPTCHA that was designed by Microsoft and had been deployed for Hotmail, MSN and Windows Live for years. Microsoft was notified of our results in Sept 2007. Responding to their request, we held this paper confidential until 10 April 2008. Here are some frequently asked questions, and coverage in PC World, Network World, InfoWorld, Yahoo! News, ABC News, ACM Tech News, The Register, Times Higher Education and MIT Technology Review (also here). Also have a look at The Economist. A peer-reviewed version appears at ACM CCS'08.

A related paper, "Is cheap labour behind the scene? - Low-cost automated attacks on Yahoo CAPTCHAs", is not released yet (an abstract is here), but has been reviewed by Yahoo! Engineering in Sunnyvale, California.

Breaking Visual CAPTCHAs with Naive Pattern Recognition Algorithms (with A El Ahmad), ACSAC'07. This paper reports a "pixel count" attack that works very well on quite a few CAPTCHAs. In spirit, this is an interesting "side channel" attack.

Our graphical password scheme Background Draw a Secret (BDAS) appears at ACM CCS'07. Featured by BBC News, the London Science Museum, ACM Tech News, Slashdot, and many others. See my BDAS page for details. Our BDAS and SSR-BDAS were selected by the Royal Society for their annual Summer Science Exhibition (Monday 30 June - Thursday 3 July 2008, London). A piece on BDAS I wrote for the Royal Society, and one piece for the London Mathematical Society. Our exhibit. Since 2011, Microsoft has deployed a version of BDAS in Windows 8.

Selected Professional Activities

Research Summary

I am interested in most aspects of computer and network security, both theoretical and practical, and my recent work focuses on systems security, including human aspects of security (e.g. usable security). My previous contributions illustrate both my view of security and my research methodology. Namely, security fails not only because of the lack or failure of technical mechanisms, but also because of failures in other areas such as usability and motivation, and therefore an interdisciplinary approach is needed to tackle (many) security problems.

Below you will find brief descriptions of some of my previous work and pointers to selected papers where you can find out more.

Human Aspects of Information Security

Psychology of security


Deception is not just the basic problem at the heart of cybercrime, but is central to human behaviour. Our papers on this topic are forthcoming.

Usable Security

Password memorability and security

Passwords are one good example of the importance of human factors and usability in security. In this work, carried out in collaboration with a psychologist, we tackled an old but fundamental security problem: how do you train users to choose passwords that are easy to remember but hard to guess? There's a lot of "folk wisdom" on this subject but little that would pass muster by the standards of applied psychology. We did a randomized controlled trial with four hundred of our first-year science students, and produced solid empirical results. While confirming some widely held folk beliefs about passwords, we observed a number of phenomena which run counter to the established wisdom.

Graphical passwords

Secure and usable CAPTCHAs

Recent Talks

Incentive-compatible security

Failure of motivation also leads to security failure. Incentive-compatible security design, an emerging research topic, appears to be essential in an autonomous network environment like the Internet, where many of the parties (or agents) involved are selfish.


Distributed Denial of Service (DDoS) is at heart a manifestation of what economists call the "tragedy of the commons": while everyone may have an interest in protecting a shared resource (Internet security), individuals have a stronger motive to cheat (connecting insecure computers). Most of the proposed technical countermeasures would not work, as they did not consider the incentive issue. We propose the XenoService as a distributed remedy to DDoS attacks which can be deployed in such a way as to provide effective economic incentives for the principals to behave properly. For more information on this line of research, as well as on security economics, a closely related topic, and its applications, refer to the Economics and Security Resource Page maintained by Ross Anderson.

Traditional Security Design

The design of technical mechanisms has been the traditional focus of security research. My main contribution in this aspect is the design of new techniques addressing emerging security threats, and improvement of existing security techniques.

Security for network games

The emergence of online games has fundamentally changed the traditional security requirement for computer games, which was mainly copy protection. Although online games share many of the security issues that concern other networked e-commerce applications, e.g. payment security and service availability, some unique characteristics of online game systems impose interesting and challenging new security requirements, which call for the novel use of existing technology and the invention of new techniques. While online games are developing into a multi-billion dollar business, their security has only recently started to attract researchers' attention.

Invited Talks

Proactive password checking and password protocols

In this work, we attack the classical proactive password checking method, which is based on dictionary attacks and often fails to reject some weak, low-entropy passwords. A new approach is proposed to deal with this class of weak passwords by (roughly) measuring entropy. A simple example is given that exploits effective patterns to reject low-entropy passwords, as a first step towards entropy-based proactive checking. We also argue why strong password authentication protocols like EKE and SRP cannot replace proactive checking, responding to Wu's proposal at NDSS'99. Here is a piece of related work on password security that I contributed to.
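To make the contrast in the paragraph above concrete, here is an added example (written for this page, not the checker from the paper) of a proactive checker that combines a dictionary lookup with a rough entropy estimate. The dictionary, the thresholds, the pattern rules (repeated blocks, sequential runs, keyboard walks) and the sample passwords are all constructed; the estimate uses the password's own character distribution as a crude upper bound and then discounts it when a pattern is found, which is what lets it reject passwords like "12345678" that a small dictionary would miss.

```python
import math
import re
from collections import Counter

# Constructed stand-in for the wordlist a classical dictionary-based checker uses.
SMALL_DICTIONARY = {"password", "letmein", "welcome", "qwerty", "summer"}

# Constructed keyboard rows for the walk detector.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def in_dictionary(pw: str) -> bool:
    return pw.lower() in SMALL_DICTIONARY


def shannon_bits(pw: str) -> float:
    """Total Shannon entropy of the password's own character distribution.
    This is a crude upper bound: it sees 'aaaaaaaa' as 0 bits but '12345678' as 24."""
    n = len(pw)
    if n == 0:
        return 0.0
    counts = Counter(pw)
    per_char = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return max(0.0, per_char * n)


def repeated_block(pw: str):
    """Return the repeated unit if the whole password is one block repeated, else None."""
    m = re.fullmatch(r"(.+?)\1+", pw)
    return m.group(1) if m else None


def has_sequential_run(pw: str, k: int = 4) -> bool:
    """k consecutive characters stepping by +1 or -1 in code point (abcd, 4321)."""
    for i in range(len(pw) - k + 1):
        diffs = {ord(pw[j + 1]) - ord(pw[j]) for j in range(i, i + k - 1)}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def has_keyboard_walk(pw: str, k: int = 4) -> bool:
    """Any k-character chunk that lies on a keyboard row, in either direction."""
    s = pw.lower()
    for i in range(len(s) - k + 1):
        chunk = s[i:i + k]
        if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False


def estimate_bits(pw: str):
    """Rough entropy estimate plus the pattern reasons that lowered it."""
    reasons = []
    bits = shannon_bits(pw)
    block = repeated_block(pw)
    if block:
        reasons.append(f"repeated block {block!r}")
        bits = shannon_bits(block)  # only the block carries information
    if has_sequential_run(pw):
        reasons.append("sequential run")
        bits /= 2  # constructed discount: the run is predictable from its start
    if has_keyboard_walk(pw):
        reasons.append("keyboard walk")
        bits /= 2
    return round(bits, 1), reasons


def check_password(pw: str, min_bits: float = 28.0) -> dict:
    """Proactive check: dictionary first, then the entropy estimate against a threshold."""
    if in_dictionary(pw):
        return {"ok": False, "bits": 0.0, "reasons": ["in dictionary"]}
    bits, reasons = estimate_bits(pw)
    return {"ok": bits >= min_bits, "bits": bits, "reasons": reasons}


if __name__ == "__main__":
    for candidate in ["password", "aaaaaaaa", "12345678", "qwertyuiop", "k9$Lm2!vQz"]:
        print(candidate, check_password(candidate))
```

The dictionary catches "password", but only the entropy estimate and pattern rules catch "aaaaaaaa", "12345678" and "qwertyuiop"; the constructed "k9$Lm2!vQz" passes because no pattern applies. A production checker would use a far larger dictionary and calibrated discounts, but the structure, dictionary plus entropy, is the point.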

Denial of Service

Although denial of service (DoS) attacks have become a fast-growing concern in security research, previous work focused on the classical type of service denial caused by resource exhaustion. We look into the DoS problem (including distributed DoS) from some new angles.

Others: code obfuscation for software protection, and vulnerability analysis

Applied Cryptography


PBKDF2 is a popular cryptographic primitive, widely used in real systems such as Wi-Fi, Microsoft .NET, Cisco IOS and Apple's OS X. Cracking PBKDF2 with GPGPU is not news, but we will have something interesting to share here soon.

Traitor tracing

Traitor tracing is an emerging but promising cryptographic method introduced to combat copyright piracy of digital media, e.g. pay-TV. One threat model considered by researchers is that traitors, who are subscribed users of a content distribution system, build pirate decoders with their legitimate decoding keys to bypass the system's security mechanism. Many schemes have been proposed to catch traitors who leak their keys, and some support a black-box tracing paradigm. In this work, we show that a type of intelligent self-protecting pirate decoder can defeat many black-box traitor-tracing schemes.

Teaching highlights

How to contact me

Jeff Yan
School of Computing Science
University of Newcastle
Newcastle upon Tyne, NE1 7RU
United Kingdom
Email:  Jeff.Yan at 

Phone:  +44 191 222 8010
Fax:    +44 191 222 8232