Hi there!
I'm a postdoctoral researcher interested in usable security and privacy. While I studied computer science, I later specialized in information security and developed an interest for usability and human factors in computer security.
During my PhD, I focused on exploring the usability and security of password-based user authentication.
At the time, I was a scholar of the DFG (German Research Foundation) research training group UbiCrypt.
I worked extensively with Blase Ur from 
SUPERgroup at the University of Chicago and Adam J. Aviv from 
GWUSEC Lab at the George Washington University.
I received my PhD in 2019 from 
Ruhr University Bochum, where I was advised by Prof. Dr. Markus Dürmuth.
Since October 2019, I'm a postdoc at the 
Max Planck Institute for Security and Privacy in Bochum, Germany.
The research of our group at MPI-SP focuses on computer security, privacy, and human-computer interaction (HCI). We are especially working on methods to help users make better security and privacy decisions, as well as, to make complex computer systems more usable for non-technical users.
Interests
User Authentication
Privacy Controls
- User Authentication
- Passwords (Strength, Recovery, Reuse, Management, ...)
- Mobile Authentication (PINs, Patterns, Biometrics)
- Smart Home & IoT (Access Control)
- Alternative Schemes (Implicit Memory, Gamification)
- Passwordless (FIDO2 & WebAuthn)
- Privacy Controls
- Voice Assistants (Private Mode & Accidential Triggers)
- Social Networks (Targeting & Transparency)
- Secure Communication (Messenger & Email Encryption)
Education
- Doctorate (Dr.-Ing.) — Summa cum laude (With highest honors)
- Usable Security and Privacy
- «On the Usability and Security of Password-Based User Authentication» — Distinguished Thesis Award
- Ruhr University Bochum
- Master of Science (M.Sc., Engineer) — Very good
- IT Security - Network & Systems
- «Graphical Fallback Authentication»
- Ruhr University Bochum
- Bachelor of Engineering (B.Eng., Engineer) — Good
- Computer Science - Communication in Distributed Systems
- «Security Audit of a Web Interface for Building Automation»
- University of Applied Sciences Würzburg-Schweinfurt
Contact
Maximilian Golla
Max Planck Institute for Security and Privacy
Ruhr University Bochum, ID 2/129
Universitaetsstr. 150, 44780 Bochum
maximilian.golla@rub.de
MPI-SP RUB Twitter Slack GitHub PGP Key
Peer-Reviewed Publications
Below you can find a list of selected papers and posters.Last update: August 2020
Citation Profiles:
Google Scholar DBLP ORCID iD
2020
-
Under Review
"Unacceptable, where is my privacy?" Exploring Accidental Triggers of Smart Speakers
Lea Schönherr, Maximilian Golla, Thorsten Eisenhofer, Jan Wiele, Dorothea Kolossa, and Thorsten Holz
-
IEEE Symposium on Security and Privacy (SP '20) — May, 2020 — San Francisco, California, USA (Acceptance: 12.3%)
This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs
Philipp Markert, Daniel V. Bailey, Maximilian Golla, Markus Dürmuth, and Adam J. Aviv
2019
-
USENIX Symposium on Usable Privacy and Security (SOUPS '19) — August, 2019 — Santa Clara, California, USA ( Distinguished Poster Award)
POSTER: "What was that site doing with my Facebook password?" Designing Password-Reuse Notifications
Miranda Wei, Maximilian Golla, Juliette Hainline, Lydia Filipe, Markus Dürmuth, Elissa Redmiles, and Blase Ur
-
PhD Thesis — Ruhr University Bochum (RUB) — May, 2019 — Bochum, Germany ( Distinguished Thesis Award)
On the Usability and Security of Password-Based User Authentication
Maximilian Golla
-
IEEE Symposium on Security and Privacy (SP '19) — May, 2019 — San Francisco, California, USA (Acceptance: 11.7%)
Reasoning Analytically About Password-Cracking Software
Enze Liu, Amanda Nakanishi, Maximilian Golla, David Cash, Blase Ur
-
ISOC Workshop on Usable Security (USEC '19) — February, 2019 — San Diego, California, USA
Work in Progress: A Comparative Long-Term Study of Fallback Authentication
Philipp Markert, Maximilian Golla, Elizabeth Stobert, and Markus Dürmuth
-
ISOC Workshop on Usable Security (USEC '19) — February, 2019 — San Diego, California, USA
Work in Progress: On the In-Accuracy and Influence of Android Pattern Strength Meters
Maximilian Golla, Jan Rimkus, Adam J. Aviv, and Markus Dürmuth
2018
-
ACM Conference on Computer and Communications Security (CCS '18) — October, 2018 — Toronto, Canada (Acceptance: 16.6%)
"What was that site doing with my Facebook password?" Designing Password-Reuse Notifications
Maximilian Golla, Miranda Wei, Juliette Hainline, Lydia Filipe, Markus Dürmuth, Elissa Redmiles, and Blase Ur
-
ACM Conference on Computer and Communications Security (CCS '18) — October, 2018 — Toronto, Canada (Acceptance: 16.6%)
On the Accuracy of Password Strength Meters
Maximilian Golla and Markus Dürmuth
-
USENIX Security Symposium (SSYM '18) — August, 2018 — Baltimore, Maryland, USA (Acceptance: 19.1%)
Rethinking Access Control and Authentication for the Home Internet of Things (IoT)
Weijia He, Maximilian Golla, Roshni Padhi, Jordan Ofek, Markus Dürmuth, Earlence Fernandes, and Blase Ur
-
Who Are You?! Adventures in Authentication Workshop (WAY '18) — August, 2018 — Baltimore, Maryland, USA
"Will Any Password Do?" Exploring Rate-Limiting on the Web
Maximilian Golla, Theodor Schnitzler, and Markus Dürmuth
-
Who Are You?! Adventures in Authentication Workshop (WAY '18) — August, 2018 — Baltimore, Maryland, USA
Bars, Badges, and High Scores: On the Impact of Password Strength Visualizations
Maximilian Golla, Björn Hahn, Karsten Meyer zu Selhausen, Henry Hosseini, and Markus Dürmuth
-
Who Are You?! Adventures in Authentication Workshop (WAY '18) — August, 2018 — Baltimore, Maryland, USA
The Password Doesn't Fall Far: How Service Influences Password Choice
Miranda Wei, Maximilian Golla, and Blase Ur
2017
-
Who Are You?! Adventures in Authentication Workshop (WAY '17) — July, 2017 — Santa Clara, California, USA
"I want my money back!" Limiting Online Password-Guessing Financially
Maximilian Golla, Daniel V. Bailey, and Markus Dürmuth
-
USENIX Symposium on Usable Privacy and Security (SOUPS '17) — July, 2017 — Santa Clara, California, USA
POSTER: Towards Implicit Visual Memory-Based Authentication
Claude Castelluccia, Markus Dürmuth, Maximilian Golla, and Fatma Deniz
-
ISOC Network and Distributed System Security Symposium (NDSS '17) — February, 2017 — San Diego, California, USA (Acceptance: 16.1%)
Towards Implicit Visual Memory-Based Authentication
Claude Castelluccia, Markus Dürmuth, Maximilian Golla, and Fatma Deniz
-
ISOC Workshop on Usable Security (USEC '17) — February, 2017 — San Diego, California, USA
EmojiAuth: Quantifying the Security of Emoji-based Authentication
Maximilian Golla, Dennis Detering, and Markus Dürmuth
2016
-
ACM Conference on Computer and Communications Security (CCS '16) — October, 2016 — Vienna, Austria (Acceptance: 16.5%)
On the Security of Cracking-Resistant Password Vaults
Maximilian Golla, Benedict Beuscher, and Markus Dürmuth
2015
-
International Conference on Passwords (PASSWORDS '15) — December, 2015 — Cambridge, United Kingdom
Analyzing 4 Million Real-World Personal Knowledge Questions
Maximilian Golla and Markus Dürmuth
Community Service, Committees, and Reviewing Activities
Last update: October 2020- External Reviewer: 42nd IEEE Symposium on Security and Privacy (SP '21)
- Reviewer: 16th International Conference on Wirtschaftsinformatik (WI '21)
- Reviewer: IEEE Transactions on Emerging Topics in Computing (TETC '20)
- Program Chair: 6th Who Are You?! Adventures in Authentication Workshop (WAY '20)
- Program Committee and Poster Chair: 16th Symposium on Usable Privacy and Security (SOUPS '20)
- Publicity Chair: 5th European Workshop on Usable Security (EuroUSEC '20)
- Reviewer: ACM Transactions on Privacy and Security (TOPS '20)
- External Reviewer: 29th USENIX Security Symposium (SSYM '20)
- Poster Jury: 15th Symposium on Usable Privacy and Security (SOUPS '19)
- Program Chair: 5th Who Are You?! Adventures in Authentication Workshop (WAY '19)
- Program Committee and Publicity Chair: 4th European Workshop on Usable Security (EuroUSEC '19)
- Program Committee: 4th Who Are You?! Adventures in Authentication Workshop (WAY '18)
- Reviewer: 39th International Conference on Information Systems (ICIS '18)
- Program Committee: 2018 Networked Privacy Workshop at ACM CHI (NPW '18)
- External Reviewer: 3rd Who Are You?! Adventures in Authentication Workshop (WAY '17)
- External Reviewer: 26th USENIX Security Symposium (SSYM '17)
- Reviewer: ACM Transactions on Privacy and Security (TOPS '17)
- Reviewer: 11th International Conference on Passwords (PASSWORDS '16)
Talks
Below you can find some recordings of talks I gave at various conferences.
In the News
Below you can find a list of selected news articles.
Last update: August 20202020
- WIRED: iOS 14's Best Privacy Feature? Catching Data-Grabbing Apps (August 2020)
- WIRED (UK): iOS 14's Best Privacy Feature is Catching Apps' Vast Data Grabs (August 2020)
- Ars Technica: Uncovered: 1,000 Phrases that Incorrectly Trigger Alexa, Siri, and Google Assistant (July 2020)
- STRG_F: Smart Speaker: Wobei Alexa, Siri & Co. heimlich mithören (June 2020)
- Süddeutsche Zeitung: Wenn Alexa aus Versehen lauscht (June 2020)
- Norddeutscher Rundfunk: Wenn der smarte Lautsprecher mit dem Tatort-Kommissar spricht (June 2020)
- Tagesschau: Alexa, Siri & Co. - Die lauschenden Lautsprecher (June 2020)
- T-Online: So finden Sie heraus, ob jemand in der Nähe die Corona-Warn-App nutzt (June 2020)
- Tagesschau: Corona-Warn-App: Geglückter Start - mit Irritationen (June 2020)
- Westdeutsche Allgemeine Zeitung: Wie die Polizei verschlüsselte Dateien knackt (June 2020)
- Forbes: You Can Change Passwords To PINs With Windows 10 2004 (May 2020)
- Deutschlandfunk: Smartphone-PINs sind viel zu oft einfach zu erraten (May 2020)
- Forbes: This $99 Robot Built From LEGO Bricks Can Scan iPhones For PIN Codes (March 2020)
- Westdeutscher Rundfunk: Sechs- oder vierstellige Handy-PIN? Auf die Kombi kommt es an! (March 2020)
- Süddeutsche Zeitung: Sechsstellige PINs sind nicht automatisch sicherer als vierstellige (March 2020)
- Die Zeit: Warum weniger Smartphone-PIN mehr ist (March 2020)
- ZDNet: This Raspberry Pi-powered LEGO robot brute-force attacked an iPhone to find out what PIN codes are blacklisted (March 2020)
- WIRED (UK): Why You Should Never Use Pattern Passwords on Your Phone (March 2020)
- Der Tagesspiegel: Können Emojis die PIN ersetzen? (February 2020)
- Süddeutsche Zeitung: Die Qual des ständigen Passwort-Wechsels endet (February 2020)
- Die Zeit: Bundesamt hält regelmäßigen Passwortwechsel nicht mehr für notwendig (February 2020)
- Inverse: Your Password is Less Safe than Ever, but Who's to Blame? (January 2020)
2019
- WIRED: Why One Secure Platform Passed on Two-Factor Authentication (October 2019)
- Der Standard: Studie: Entsperrmuster für Smartphones oft unsicher (February 2019)
- bszonline: Warum Facebook und Co. auf dem Schwarzmarkt shoppen (January 2019)
2018
- Technology Networks: The House Rules for a Smart Home (October 2018)
- NRKbeta: Vil du heller huske et passord av emojier? (March 2018)
Projects & Software
Below you can find a list of cool projects I created or have been involved with.
2020
2019
2018
2017
May 2017
Authentication in Virtual Reality:
Predictive Keyboard for Entering Passwords
Predictive Keyboard for Entering Passwords
2016
2015
October 2015
Gathering User Information:
PII-Based Password Guessing
PII-Based Password Guessing
July 2015
Learning Authentication Secrets:
Knock Patterns
Knock Patterns
2014
December 2014
Attacking Audio CAPTCHAs:
Breaking Apple's iCloud Audio CAPTCHA
Breaking Apple's iCloud Audio CAPTCHA
July 2014
Graphical Fallback Authentication:
Google Street View-Based Authentication
Google Street View-Based Authentication