rich at richshay dot com
Carnegie Mellon University,
Doctor of Philosophy in Computation, Organizations, and Society, 2015
Master of Science in Computation, Organizations, and Society, 2011.
Courses include cybersecurity, statistics, machine learning, data privacy, algorithms.
School of Computer Science
Advisor: Lorrie Faith Cranor
IGERT/CyLab Usable Privacy and Security (CUPS) Doctoral Training Program.
High School Degree, 1999
Senior Class President
Cum Laude Society
Senior Product Security Engineer, Natick, MA
2022 - 2023
Senior Software Engineer, Palo Alto, CA
Experience includes software engineering in Golang, building features for data pipelines.
MIT Lincoln Laboratory,
2015 - 2022
Technical Staff, Lexington, MA
Group 53—Secure Resilient Systems and Technology
Experience includes being principal investigator on test and evaluation effort on government advanced crypto program. Duties included interfacing with government sponsor and performer teams; intense software development; designing test plans; preparing and executing testing; data analysis and synthesis; and presenting findings. Built tools and infrastructure components in Python pandas and R.
Carnegie Mellon University,
Postdoc, Pittsburgh, PA
Advisor: Lorrie Faith Cranor
Streamed on twitch with nearly ten thousand followers. Achieved status of Twitch Partner. Audiences were up to several thousand simultaneous viewers. Playing Magic: the Gathering. Demonstrated ability to provide engaging content, live, in front of large audiences.
Intern, Mountain View, CA
Examined how people perceived and understood online account hijacking.
Intern, Boston, MA
Collaborated with a team to develop privacy-enhancing software. Conducted usability testing both remotely and in person.
Web Development Consultant,
Designed and created websites
Massachusetts Office of the Inspector General,
Intern, Boston, MA
Redesigned and implemented database system used to record the Office's cases
Researched, wrote, and edited documents disseminated by the Office
2001, 2002 (Summers)
Intern, Cambridge, MA
Designed and implemented graphical interfaces for internal research projects on network security
Named 2001 Verizon Northeast Region Intern of the Year
1999, 2000 (Summers)
Senior Technician, Waltham, MA
Designed, coded, and tested a graphical interface for Verizon customer website
IEEE Cybersecurity Award for Practice 2018
To recognize those who made a significant practical advancement in cybersecurity
Allen Newell Award for Research Excellence 2020
for pioneering contribution to the science of evaluating password strength and for embodying this science in online tools that enable individuals and groups to more easily secure their systems
Cybersecurity certification from the International Information System Security Certification Consortium
Group Identification System, US Patent 11,368,318
Inventors Robert Cunningham and Richard Shay; Assigned to MIT
Usable Privacy and Security
Teaching Assistant for Lorrie Faith Cranor, Spring 2015
Duties include grading homework assignments, creating and evaluating quizzes, helping to determine the lesson plan, presenting several lectures, meeting with students, and working with students on their class projects.
Mobile and Pervasive Computing Services
Teaching Assistant for Norman Sadeh, Spring 2015
Duties include grading, meeting with students to discuss project ideas, and helping to manage the logistics of running the course.
Information Security and Privacy
Teaching Assistant for Norman Sadeh, Fall 2012
Duties included assisting with determining course content, giving a lecture, and grading the exams, assignment, and class project.
Usable Privacy and Security
Teaching Assistant for Lorrie Faith Cranor, Fall 2011
Duties included grading weekly homework assignments, helping to create lesson plans, presenting two lectures, and meeting students outside of the classroom to discuss homework and the class project.
Gave guest lectures on my research, 2012-2015
I have given guest lectures on my research for classes at Carnegie Mellon University. This included a practicum course for my PhD program, and a discussion in James Herbsleb's Ethics and Policy course.
Diversify to Survive: Making Passwords Stronger with Adaptive Policies. USENIX 2017. (Sean M. Segreti, William Melicher, Saranga Komanduri, Darya Melicher, Richard Shay, Blase Ur, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, and Michelle L. Mazurek)
SoK: Cryptographically Protected Database Search. Oakland 2017. (Benjamin Fuller, Mayank Varia, Arkady Yerukhimovich, Emily Shen, Ariel Hamlin, Vijay Gadepally, Richard Shay, John Darby Mitchell, and Robert Cunningham)
SoK: Privacy on Mobile Devices – It’s Complicated. PETS 2016. (Chad Spensky, Jeffrey Stewart, Arkady Yerukhimovich, Richard Shay, Ari Trachtenberg, Rick Housley, Robert K. Cunningham)
Usability and Security of Text Passwords on Mobile Devices . CHI 2016. (William Melicher, Darya Kurilova, Sean M. Segreti, Pranshu Kalvani, Richard Shay, Blase Ur, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Michelle L. Mazurek)
Measuring Real-World Accuracies and Biases in Modeling Password Guessability. USENIX Security 2015. (Blase Ur, Sean M. Segreti, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Saranga Komanduri, Darya Kurilova, Michelle L. Mazurek, William Melicher, Richard Shay)
"I Added '!' at the End to Make It Secure": Observing Password Creation in the Lab. SOUPS 2015. (Blase Ur, Fumiko Noma, Jonathan Bees, Sean M. Segreti, Richard Shay, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor)
A Spoonful of Sugar? The Impact of Guidance and Feedback on Password-Creation Behavior. CHI 2015. (Richard Shay, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Alain Forget, Saranga Komanduri, Michelle L. Mazurek, William Melicher, Sean M. Segreti, Blase Ur)
Telepathwords: Preventing Weak Passwords by Reading Users' Minds. USENIX 2014. (Saranga Komanduri, Richard Shay, Lorrie Faith Cranor, Cormac Herley, and Stuart Schechter)
Can Long Passwords be Secure and Usable?. CHI 2014. (Richard Shay, Saranga Komanduri, Adam L. Durity, Phillip (Seyoung) Huh, Michelle L Mazurek, Sean M. Segreti, Blase Ur, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor)
My Religious Aunt Asked Why I Was Trying to Sell Her Viagra: Experiences with Account Hijacking. CHI 2014. (Richard Shay, Iulia Ion, Robert W. Reeder, Sunny Consolvo)
Measuring Password Guessability for an Entire University. CCS 2013. (Michelle Mazurek, Saranga Komanduri, Timothy Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Patrick Gage Kelley, Richard Shay, Blase Ur)
What Matters to Users? Factors that Affect Users' Willingness to Share Information with Online Advertisers. SOUPS 2013. (Pedro G. Leon, Blase Ur, Yang Wang, Manya Sleeper, Rebecca Balebako, Richard Shay, Lujo Bauer, Mihai Christodorescu, Lorrie Faith Cranor)
The Impact of Length and Mathematical Operators on the Usability and Security of System-Assigned One-Time PINs. USEC 2013. (Patrick Gage Kelley, Saranga Komanduri, Michelle L. Mazurek, Richard Shay, Tim Vidas, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor)
How does your password measure up? The effect of strength meters on password creation. USENIX 2012. (Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy Vidas, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor)
Guess Again (and again and again): Measuring password strength by simulating password-cracking algorithms. Oakland 2012. (Patrick Gage Kelley, Saranga Komanduri, Michelle L. Mazurek, Richard Shay, Tim Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, and Julio Lopez)
Correct horse battery staple: Exploring the usability of system-assigned passphrases. SOUPS 2012. (Richard Shay, Patrick Gage Kelley, Saranga Komanduri, Michelle Mazurek, Blase Ur, Timothy Vidas, Lujo Bauer, Nicholas Christin, Lorrie Faith Cranor)
Smart, Useful, Scary, Creepy: Perceptions of Online Bebahavioral Advertising. SOUPS 2012. (Blase Ur, Pedro G. Leon, Lorrie Faith Cranor, Richard Shay, Yang Wang)
Why Johnny Can't Opt Out: A Usability Evaluation of Tools to Limit Online Behavioral Advertising. CHI 2012. (Pedro Leon, Blase Ur, Rebecca Balebako, Lorrie Faith Cranor, Richard Shay, and Yang Wang)
Exploring Reactive Access Control. CHI 2011. (Michelle Mazurek, Peter Klemperer, Richard Shay, Hassan Takabi, Lujo Bauer, and Lorrie Faith Cranor)
Of Passwords and People: Measuring the Effect of Password-Composition Policies. CHI 2011. (Saranga Komanduri, Richard Shay, Patrick Gage Kelley, Michelle Mazurek, Lujo Bauer, Nicholas Christin, Lorrie Faith Cranor, and Serge Egelman)
Encountering Stronger Password Requirements: User Attitudes and Behaviors. SOUPS 2010. (Richard Shay, Saranga Komanduri, Patrick Gage Kelley, Pedro Leon, Michelle Mazurek, Lujo Bauer, Nicholas Christin, and Lorrie Faith Cranor)
Access Control for Home Data Sharing: Attitudes, Needs and Practices. CHI 2010. (Michelle Mazurek, J.P. Arsenault, Joanna Bresee, Nitin Gupta, Iulia Ion, Christina Johns, Daniel Lee, Yuan Liang, Jenny Olsen, Brandon Salmon, Richard Shay, Kami Vaniea, Lujo Bauer, Lorrie Faith Cranor, Gregory R. Ganger, and Michael K. Reiter)
Don’t Even Ask: Database Access Control through Query Control. SIGMOD Record 2019. (Richard Shay, Uri Blumenthal, Vijay Gadepally, Ariel Hamlin, John Darby Mitchell, and Robert K. Cunningham)
Designing Password Policies for Strength and Usability. TISSEC 2016. (Richard Shay, Saranga Komanduri, Adam L. Durity, Phillip (Seyoung) Huh, Michelle L. Mazurek, Sean M. Segreti, Blase Ur, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor)
AdChoices? Compliance with Online Behavioral Advertising Notice and Choice Requirements. I/S: A Journal of Law and Policy for the Information Society 2012. (Saranga Komanduri, Richard Shay, Greg Norcie, Blase Ur, and Lorrie Faith Cranor)
A Comprehensive Simulation Tool for the Analysis of Password Policies. International Journal of Information Security 2009. (Richard Shay and Elisa Bertino)
Creating Usable Policies for Stronger Passwords with MTurk. PhD Thesis 2015. (Richard Shay)
Measuring the Effectiveness of Privacy Tools for Limiting Behavioral Advertising. W2SP 2012. (Rebecca Balebako, Pedro Leon, Richard Shay, Blase Ur, and Lorrie Faith Cranor)
Password Policy Simulation and Analysis. DIM 2007. (Richard Shay, Abhilasha Bhargav-Spantzel, and Elisa Bertio)
Lessons Learned From Designing a Security Architecture for Real-World Government Agencies. IEEE Security and Privacy 2021. (Amy Dettmer, Hamed Okhravi, Kevin Perry, Nabil Schear, Richard Shay, Mary Ellen Zurko, Paula Donovan)
CyLab Usable Privacy and Security Laboratory. ACM XRDS Magazine 2013. (Rich Shay)
Helping Users Create Better Passwords . USENIX ;login: Magazine 2012. (Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle L. Mazurek, Timothy Passaro, Richard Shay, Timothy Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Serge Egelman, Julio López)
The Art of Password Creation. Oakland 2013. (Blase Ur, Saranga Komanduri, Richard Shay, Stephanos Matsumoto, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Patrick Gage Kelley, Michelle L. Mazurek, Timothy Vidas)
Exploring Reactive Access Control. CHI 2010. (Richard Shay, Michelle Mazurek, Peter Klemperer, and Hassan Takabi)
Jesus and Hierarchy. Brown University Senior Thesis 2003. (Richard Shay)
Experience and Skills
Programming Languages and Frameworks
Considerable experience with Python, R, Ruby, LaTeX, Ruby on Rails, Java, C.
Skill and Experience Highlights
Software development, data analysis, project leadership, research, scientific writing, stakeholder communication, data visualization, experimental design, usability testing
Hobbies and Interests
Former streamer with nearly ten thousand followers on Twitch. Achieved Twitch Partner status. Streamed and led discussions with large audiences, up to several thousand viewers at once.
I enjoy playing board games. I am the former New England champion in Agricola, Power Grid, Dominion, and Notre Dame.
I am interested in ancient Greek and Roman philosophy, especially the works of Plato.
Former professional Magic: the Gathering player. Playing since 1994, and attended several Pro-Tours. Written several articles on Magic that have been published online.
I am a native English speaker. I have been proficient at reading Latin, but am rusty. I have proficiency with Python, Ruby, Rails, Java, C, and LaTeX. I have proficiency analyzing large data sets using R. I have experience with SQL and Perl.