Maximilian Golla

Postdoc at the Max Planck Institute for Security and Privacy in Bochum, Germany

• Doctorate (Dr.-Ing.) — Summa cum laude (With highest honors)
  • Usable Security and Privacy
  • «On the Usability and Security of Password-Based User Authentication» — Distinguished Thesis Award
  • Ruhr University Bochum
• Master of Science (M.Sc., Engineer) — Very good
  • IT Security - Network & Systems
  • «Graphical Fallback Authentication»
  • Ruhr University Bochum
• Bachelor of Engineering (B.Eng., Engineer) — Good
  • Computer Science - Communication in Distributed Systems
  • «Security Audit of a Web Interface for Building Automation»
  • University of Applied Sciences Würzburg-Schweinfurt

• ---

• 2021

• ---

• USENIX Security Symposium (SSYM '21) — August, 2021 — Virtual Conference

  "It's Stored, Hopefully, on an Encrypted Server": Mitigating Users' Misconceptions About FIDO2 Biometric WebAuthn

  Leona Lassak, Annika Hildebrandt, Maximilian Golla, and Blase Ur
  
  • Paper

    Extended Version Preprint
    Slides Talk Source Code
• USENIX Security Symposium (SSYM '21) — August, 2021 — Virtual Conference

  Are Privacy Dashboards Good for End Users? Evaluating User Perceptions and Reactions to Google's My Activity

  Florian M. Farke, David G. Balash, Maximilian Golla, Markus Dürmuth, and Adam J. Aviv
  
  • Paper

    Extended Version Preprint
    Slides Talk
• USENIX Security Symposium (SSYM '21) — August, 2021 — Virtual Conference

  Driving 2FA Adoption at Scale: Optimizing Two-Factor Authentication Notification Design Patterns

  Maximilian Golla, Grant Ho, Marika Lohmus, Monica Pulluri, and Elissa M. Redmiles
  
  • Preprint Slides Talk
• Under Review

  On the Security of Smartphone Unlock PINs

  Philipp Markert, Daniel V. Bailey, Maximilian Golla, Markus Dürmuth, and Adam J. Aviv
  
  • Preprint

• ---

• 2020

• ---

• Under Review

  Towards Quantum Large-Scale Password Guessing on Real-World Distributions

  Markus Dürmuth, Maximilian Golla, Philipp Markert, Lars Schlieper, and Alexander May
  
  • Preprint
• Under Review

  Exploring Accidental Triggers of Smart Speakers

  Lea Schönherr, Maximilian Golla, Thorsten Eisenhofer, Jan Wiele, Dorothea Kolossa, and Thorsten Holz
  
  • Preprint Website
• IEEE Symposium on Security and Privacy (SP '20) — May, 2020 — San Francisco, California, USA (Acceptance: 12.3%)

  This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs

  Philipp Markert, Daniel V. Bailey, Maximilian Golla, Markus Dürmuth, and Adam J. Aviv
  
  • Paper Slides Talk Website Dataset

• ---

• 2019

• ---

• USENIX Symposium on Usable Privacy and Security (SOUPS '19) — August, 2019 — Santa Clara, California, USA ( Distinguished Poster Award)

  POSTER: "What was that site doing with my Facebook password?" Designing Password-Reuse Notifications

  Miranda Wei, Maximilian Golla, Juliette Hainline, Lydia Filipe, Markus Dürmuth, Elissa Redmiles, and Blase Ur
  
  • Poster Session
• PhD Thesis — Ruhr University Bochum (RUB) — May, 2019 — Bochum, Germany ( Distinguished Thesis Award)

  On the Usability and Security of Password-Based User Authentication

  Maximilian Golla
  
  • PhD Thesis Slides
• IEEE Symposium on Security and Privacy (SP '19) — May, 2019 — San Francisco, California, USA (Acceptance: 11.7%)

  Reasoning Analytically About Password-Cracking Software

  Enze Liu, Amanda Nakanishi, Maximilian Golla, David Cash, Blase Ur
  
  • Paper
    Slides

    IEEE SP 19 PasswordsCon 19
    Talks

    IEEE SP 19 PasswordsCon 19
    Source Code
• ISOC Workshop on Usable Security (USEC '19) — February, 2019 — San Diego, California, USA

  Work in Progress: A Comparative Long-Term Study of Fallback Authentication

  Philipp Markert, Maximilian Golla, Elizabeth Stobert, and Markus Dürmuth
  
  • Paper Slides
• ISOC Workshop on Usable Security (USEC '19) — February, 2019 — San Diego, California, USA

  Work in Progress: On the In-Accuracy and Influence of Android Pattern Strength Meters

  Maximilian Golla, Jan Rimkus, Adam J. Aviv, and Markus Dürmuth
  
  • Paper Slides

• ---

• 2018

• ---

• ACM Conference on Computer and Communications Security (CCS '18) — October, 2018 — Toronto, Canada (Acceptance: 16.6%)

  "What was that site doing with my Facebook password?" Designing Password-Reuse Notifications

  Maximilian Golla, Miranda Wei, Juliette Hainline, Lydia Filipe, Markus Dürmuth, Elissa Redmiles, and Blase Ur
  
  • Paper Slides Talk
• ACM Conference on Computer and Communications Security (CCS '18) — October, 2018 — Toronto, Canada (Acceptance: 16.6%)

  On the Accuracy of Password Strength Meters

  Maximilian Golla and Markus Dürmuth
  
  • Paper Slides Talk Website Source Code
• USENIX Security Symposium (SSYM '18) — August, 2018 — Baltimore, Maryland, USA (Acceptance: 19.1%)

  Rethinking Access Control and Authentication for the Home Internet of Things (IoT)

  Weijia He, Maximilian Golla, Roshni Padhi, Jordan Ofek, Markus Dürmuth, Earlence Fernandes, and Blase Ur
  
  • Paper Slides Talk
• Who Are You?! Adventures in Authentication Workshop (WAY '18) — August, 2018 — Baltimore, Maryland, USA

  "Will Any Password Do?" Exploring Rate-Limiting on the Web

  Maximilian Golla, Theodor Schnitzler, and Markus Dürmuth
  
  • Paper Slides
• Who Are You?! Adventures in Authentication Workshop (WAY '18) — August, 2018 — Baltimore, Maryland, USA

  Bars, Badges, and High Scores: On the Impact of Password Strength Visualizations

  Maximilian Golla, Björn Hahn, Karsten Meyer zu Selhausen, Henry Hosseini, and Markus Dürmuth
  
  • Paper Slides
• Who Are You?! Adventures in Authentication Workshop (WAY '18) — August, 2018 — Baltimore, Maryland, USA

  The Password Doesn't Fall Far: How Service Influences Password Choice

  Miranda Wei, Maximilian Golla, and Blase Ur
  
  • Paper Slides

• ---

• 2017

• ---

• Who Are You?! Adventures in Authentication Workshop (WAY '17) — July, 2017 — Santa Clara, California, USA

  "I want my money back!" Limiting Online Password-Guessing Financially

  Maximilian Golla, Daniel V. Bailey, and Markus Dürmuth
  
  • Paper Slides
• USENIX Symposium on Usable Privacy and Security (SOUPS '17) — July, 2017 — Santa Clara, California, USA

  POSTER: Towards Implicit Visual Memory-Based Authentication

  Claude Castelluccia, Markus Dürmuth, Maximilian Golla, and Fatma Deniz
  
  • Poster Session
• ISOC Network and Distributed System Security Symposium (NDSS '17) — February, 2017 — San Diego, California, USA (Acceptance: 16.1%)

  Towards Implicit Visual Memory-Based Authentication

  Claude Castelluccia, Markus Dürmuth, Maximilian Golla, and Fatma Deniz
  
  • Paper Slides Talk Website
• ISOC Workshop on Usable Security (USEC '17) — February, 2017 — San Diego, California, USA

  EmojiAuth: Quantifying the Security of Emoji-based Authentication

  Maximilian Golla, Dennis Detering, and Markus Dürmuth
  
  • Paper Slides

• ---

• 2016

• ---

• ACM Conference on Computer and Communications Security (CCS '16) — October, 2016 — Vienna, Austria (Acceptance: 16.5%)

  On the Security of Cracking-Resistant Password Vaults

  Maximilian Golla, Benedict Beuscher, and Markus Dürmuth
  
  • Paper Slides Talk Source Code

• ---

• 2015

• ---

• International Conference on Passwords (PASSWORDS '15) — December, 2015 — Cambridge, United Kingdom

  Analyzing 4 Million Real-World Personal Knowledge Questions

  Maximilian Golla and Markus Dürmuth
  
  • Paper Slides Talk

• Reviewer: ACM Transactions on Privacy and Security (TOPS '21)
• Reviewer: IEEE Transactions on Information Forensics and Security (TIFS '21)
• Program Committee and Poster Chair: 17th Symposium on Usable Privacy and Security (SOUPS '21)
• External Reviewer: 42nd IEEE Symposium on Security and Privacy (SP '21)
• Reviewer: 16th International Conference on Wirtschaftsinformatik (WI '21)
• Reviewer: IEEE Transactions on Emerging Topics in Computing (TETC '20)
• Program Chair: 6th Who Are You?! Adventures in Authentication Workshop (WAY '20)
• Program Committee and Poster Chair: 16th Symposium on Usable Privacy and Security (SOUPS '20)
• Publicity Chair: 5th European Workshop on Usable Security (EuroUSEC '20)
• Reviewer: ACM Transactions on Privacy and Security (TOPS '20)
• External Reviewer: 29th USENIX Security Symposium (SSYM '20)
• Poster Jury: 15th Symposium on Usable Privacy and Security (SOUPS '19)
• Program Chair: 5th Who Are You?! Adventures in Authentication Workshop (WAY '19)
• Program Committee and Publicity Chair: 4th European Workshop on Usable Security (EuroUSEC '19)
• Program Committee: 4th Who Are You?! Adventures in Authentication Workshop (WAY '18)
• Reviewer: 39th International Conference on Information Systems (ICIS '18)
• Program Committee: 2018 Networked Privacy Workshop at ACM CHI (NPW '18)
• External Reviewer: 3rd Who Are You?! Adventures in Authentication Workshop (WAY '17)
• External Reviewer: 26th USENIX Security Symposium (SSYM '17)
• Reviewer: ACM Transactions on Privacy and Security (TOPS '17)
• Reviewer: 11th International Conference on Passwords (PASSWORDS '16)

• ---

• 2021

• ---

• RUB: Transparent Data Collection Increases Trust Among Users (June 2021)

• ---

• 2020

• ---

• Das Erste: Ein internationales Forscherteam hat in einer Studie über PINs zum Entsperren von Smartphones herausgefunden, dass ...? (December 2020)
• Journalisten Werkstatt: Digitale Selbstverteidigung: Passwörter unter Verschluss (September 2020)
• WIRED: iOS 14's Best Privacy Feature? Catching Data-Grabbing Apps (August 2020)
• WIRED (UK): iOS 14's Best Privacy Feature is Catching Apps' Vast Data Grabs (August 2020)
• Ars Technica: Uncovered: 1,000 Phrases that Incorrectly Trigger Alexa, Siri, and Google Assistant (July 2020)
• The Times: Not in Front of the Speaker! Words that Wake Up Alexa (July 2020)
• STRG_F: Smart Speaker: Wobei Alexa, Siri & Co. heimlich mithören (June 2020)
• Süddeutsche Zeitung: Wenn Alexa aus Versehen lauscht (June 2020)
• Norddeutscher Rundfunk: Wenn der smarte Lautsprecher mit dem Tatort-Kommissar spricht (June 2020)
• Tagesschau: Alexa, Siri & Co. - Die lauschenden Lautsprecher (June 2020)
• Westdeutsche Allgemeine Zeitung: Wie die Polizei verschlüsselte Dateien knackt (June 2020)
• bszonline: Bochumer Sicherheitsexperten geben Corona-Warn-App grünes Licht (June 2020)
• Westdeutscher Rundfunk: Corona-Warn-App: Es kommt auf uns selbst an (June 2020)
• Tagesschau: Corona-Warn-App: Geglückter Start - mit Irritationen (June 2020)
• T-Online: So finden Sie heraus, ob jemand in der Nähe die Corona-Warn-App nutzt (June 2020)
• Forbes: You Can Change Passwords To PINs With Windows 10 2004 (May 2020)
• Deutschlandfunk: Smartphone-PINs sind viel zu oft einfach zu erraten (May 2020)
• Forbes: This $99 Robot Built From LEGO Bricks Can Scan iPhones For PIN Codes (March 2020)
• Westdeutscher Rundfunk: Sechs- oder vierstellige Handy-PIN? Auf die Kombi kommt es an! (March 2020)
• Süddeutsche Zeitung: Sechsstellige PINs sind nicht automatisch sicherer als vierstellige (March 2020)
• Die Zeit: Warum weniger Smartphone-PIN mehr ist (March 2020)
• ZDNet: This Raspberry Pi-powered LEGO robot brute-force attacked an iPhone to find out what PIN codes are blacklisted (March 2020)
• WIRED (UK): Why You Should Never Use Pattern Passwords on Your Phone (March 2020)
• Der Tagesspiegel: Können Emojis die PIN ersetzen? (February 2020)
• Süddeutsche Zeitung: Die Qual des ständigen Passwort-Wechsels endet (February 2020)
• Die Zeit: Bundesamt hält regelmäßigen Passwortwechsel nicht mehr für notwendig (February 2020)
• Inverse: Your Password is Less Safe than Ever, but Who's to Blame? (January 2020)

• ---

• Older

• ---

• WIRED: Why One Secure Platform Passed on Two-Factor Authentication (October 2019)
• Der Standard: Studie: Entsperrmuster für Smartphones oft unsicher (February 2019)
• RUB: Sichere Muster für die Smartphone-Displaysperre (February 2019)
• HGI: Secure Patterns for Smartphone Display Lockout (February 2019)
• RUB: Sieben Mythen über Passwörter (February 2019)
• bszonline: Warum Facebook und Co. auf dem Schwarzmarkt shoppen (January 2019)
• RUB: Wie man Internetnutzer dazu bringt, ihr Passwort zu ändern (January 2019)
• Technology Networks: The House Rules for a Smart Home (October 2018)
• RUB: More Rules for the Intelligent Household (October 2018)
• NRKbeta: Vil du heller huske et passord av emojier? (March 2018)
• RUBIN: Passwörter sicherer machen (June 2016)
• Science & Vie: Mots de passe: ils gagneraient à être des images! (February 2015)
• ERCIM News: Learning from Neuroscience to Improve Internet Security (September 2014)

• ---

• 2020

• ---

June 2020
Unacceptable-Privacy:
Exploring Accidental Triggers of Smart Speakers

June 2020
COVID-LENS:
List COVID-19 Exposure Notification Services

May 2020
PIN Blocklists:
This PIN Can Be Easily Guessed

• ---

• 2019

• ---

July 2019
Android (Unlock) Pattern Classifier:
Unlock Pattern Strength Meter

July 2019
NEMO:
Modeling Guessability Using Markov Models

June 2019
2FA Phishing:
SMS Verification in Gmail's Confidential Mode

• ---

• 2018

• ---

December 2018
Analytic Password Cracking:
Reasoning About Password-Cracking Software

October 2018
Password Strength Meters:
Meter Comparison Made Simple

January 2018
Comparing Fallback Schemes:
Usability Study of Fallback Authentication

• ---

• 2017

• ---

December 2017
Bars, Badges, and High Scores:
Impact of Password Strength Visualizations

May 2017
Authentication in Virtual Reality:
Predictive Keyboard for Entering Passwords

February 2017
MooneyAuth:
Implicit (Fallback) Authentication

• ---

• 2016

• ---

October 2016
Cracking NoCrack:
Security of Cracking-Resistant Vaults

August 2016
OMEN:
Ordered Markov ENumerator

March 2016
EmojiAuth:
Emoji-based Mobile Authentication

• ---

• 2015

• ---

December 2015
Comparing Guessing Strategies:
Framework for Comparing Password Guesser

October 2015
Gathering User Information:
PII-Based Password Guessing

July 2015
Learning Authentication Secrets:
Knock Patterns

• ---

• 2014

• ---

December 2014
Attacking Audio CAPTCHAs:
Breaking Apple's iCloud Audio CAPTCHA

July 2014
Graphical Fallback Authentication:
Google Street View-Based Authentication