Maximilian Golla

Postdoc at the Max Planck Institute for Security and Privacy in Bochum, Germany

• Doctorate (Dr.-Ing.) — Summa cum laude (With highest honors)
  • Usable Security and Privacy
  • «On the Usability and Security of Password-Based User Authentication» — Distinguished Thesis Award
  • Ruhr University Bochum
• Master of Science (M.Sc., Engineer) — Very good
  • IT Security - Network & Systems
  • «Graphical Fallback Authentication»
  • Ruhr University Bochum
• Bachelor of Engineering (B.Eng., Engineer) — Good
  • Computer Science - Communication in Distributed Systems
  • «Security Audit of a Web Interface for Building Automation»
  • University of Applied Sciences Würzburg-Schweinfurt

• ---

• 2022

• ---

• Elsevier Computer Speech & Language — Special Issue on Voice Privacy — Journal Publication

  Exploring Accidental Triggers of Smart Speakers

  Lea Schönherr, Maximilian Golla, Thorsten Eisenhofer, Jan Wiele, Dorothea Kolossa, and Thorsten Holz
  
  • Preprint Website Dataset

• ---

• 2021

• ---

• International Conference on Cryptology and Network Security (CANS '21) — December, 2021 — Vienna, Austria

  Towards Quantum Large-Scale Password Guessing on Real-World Distributions

  Markus Dürmuth, Maximilian Golla, Philipp Markert, Lars Schlieper, and Alexander May
  
  • Paper Slides Talk
• ACM Transactions on Privacy and Security (TOPS '21) — November, 2021 — Journal Publication

  On the Security of Smartphone Unlock PINs

  Philipp Markert, Daniel V. Bailey, Maximilian Golla, Markus Dürmuth, and Adam J. Aviv
  
  • Paper Website Dataset
• USENIX Security Symposium (SSYM '21) — August, 2021 — Virtual Conference (Acceptance: 18.7%)

  "It's Stored, Hopefully, on an Encrypted Server": Mitigating Users' Misconceptions About FIDO2 Biometric WebAuthn

  Leona Lassak, Annika Hildebrandt, Maximilian Golla, and Blase Ur
  
  • Paper

    Extended Version Paper
    Slides
    Talk

    USENIX Security 21 PasswordsCon 21
    Source Code
• USENIX Security Symposium (SSYM '21) — August, 2021 — Virtual Conference (Acceptance: 18.7%)

  Are Privacy Dashboards Good for End Users? Evaluating User Perceptions and Reactions to Google's My Activity

  Florian M. Farke, David G. Balash, Maximilian Golla, Markus Dürmuth, and Adam J. Aviv
  
  • Paper

    Extended Version Paper
    Slides Talk
• USENIX Security Symposium (SSYM '21) — August, 2021 — Virtual Conference (Acceptance: 18.7%)

  Driving 2FA Adoption at Scale: Optimizing Two-Factor Authentication Notification Design Patterns

  Maximilian Golla, Grant Ho, Marika Lohmus, Monica Pulluri, and Elissa M. Redmiles
  
  • Paper Slides Talk

• ---

• 2020

• ---

• IEEE Symposium on Security and Privacy (SP '20) — May, 2020 — San Francisco, California, USA (Acceptance: 12.3%)

  This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs

  Philipp Markert, Daniel V. Bailey, Maximilian Golla, Markus Dürmuth, and Adam J. Aviv
  
  • Paper Slides Talk Website Dataset

• ---

• 2019

• ---

• USENIX Symposium on Usable Privacy and Security (SOUPS '19) — August, 2019 — Santa Clara, California, USA ( Distinguished Poster Award)

  POSTER: "What was that site doing with my Facebook password?" Designing Password-Reuse Notifications

  Miranda Wei, Maximilian Golla, Juliette Hainline, Lydia Filipe, Markus Dürmuth, Elissa Redmiles, and Blase Ur
  
  • Poster Session
• PhD Thesis — Ruhr University Bochum (RUB) — May, 2019 — Bochum, Germany ( Distinguished Thesis Award)

  On the Usability and Security of Password-Based User Authentication

  Maximilian Golla
  
  • PhD Thesis Slides
• IEEE Symposium on Security and Privacy (SP '19) — May, 2019 — San Francisco, California, USA (Acceptance: 11.7%)

  Reasoning Analytically About Password-Cracking Software

  Enze Liu, Amanda Nakanishi, Maximilian Golla, David Cash, Blase Ur
  
  • Paper
    Slides

    IEEE SP 19 PasswordsCon 19
    Talks

    IEEE SP 19 PasswordsCon 19
    Source Code
• ISOC Workshop on Usable Security (USEC '19) — February, 2019 — San Diego, California, USA

  Work in Progress: A Comparative Long-Term Study of Fallback Authentication

  Philipp Markert, Maximilian Golla, Elizabeth Stobert, and Markus Dürmuth
  
  • Paper Slides
• ISOC Workshop on Usable Security (USEC '19) — February, 2019 — San Diego, California, USA

  Work in Progress: On the In-Accuracy and Influence of Android Pattern Strength Meters

  Maximilian Golla, Jan Rimkus, Adam J. Aviv, and Markus Dürmuth
  
  • Paper Slides

• ---

• 2018

• ---

• ACM Conference on Computer and Communications Security (CCS '18) — October, 2018 — Toronto, Canada (Acceptance: 16.6%)

  "What was that site doing with my Facebook password?" Designing Password-Reuse Notifications

  Maximilian Golla, Miranda Wei, Juliette Hainline, Lydia Filipe, Markus Dürmuth, Elissa Redmiles, and Blase Ur
  
  • Paper Slides Talk
• ACM Conference on Computer and Communications Security (CCS '18) — October, 2018 — Toronto, Canada (Acceptance: 16.6%)

  On the Accuracy of Password Strength Meters

  Maximilian Golla and Markus Dürmuth
  
  • Paper Slides Talk Website Source Code
• USENIX Security Symposium (SSYM '18) — August, 2018 — Baltimore, Maryland, USA (Acceptance: 19.1%)

  Rethinking Access Control and Authentication for the Home Internet of Things (IoT)

  Weijia He, Maximilian Golla, Roshni Padhi, Jordan Ofek, Markus Dürmuth, Earlence Fernandes, and Blase Ur
  
  • Paper Slides Talk
• Who Are You?! Adventures in Authentication Workshop (WAY '18) — August, 2018 — Baltimore, Maryland, USA

  "Will Any Password Do?" Exploring Rate-Limiting on the Web

  Maximilian Golla, Theodor Schnitzler, and Markus Dürmuth
  
  • Paper Slides
• Who Are You?! Adventures in Authentication Workshop (WAY '18) — August, 2018 — Baltimore, Maryland, USA

  Bars, Badges, and High Scores: On the Impact of Password Strength Visualizations

  Maximilian Golla, Björn Hahn, Karsten Meyer zu Selhausen, Henry Hosseini, and Markus Dürmuth
  
  • Paper Slides
• Who Are You?! Adventures in Authentication Workshop (WAY '18) — August, 2018 — Baltimore, Maryland, USA

  The Password Doesn't Fall Far: How Service Influences Password Choice

  Miranda Wei, Maximilian Golla, and Blase Ur
  
  • Paper Slides

• ---

• 2017

• ---

• Who Are You?! Adventures in Authentication Workshop (WAY '17) — July, 2017 — Santa Clara, California, USA

  "I want my money back!" Limiting Online Password-Guessing Financially

  Maximilian Golla, Daniel V. Bailey, and Markus Dürmuth
  
  • Paper Slides
• USENIX Symposium on Usable Privacy and Security (SOUPS '17) — July, 2017 — Santa Clara, California, USA

  POSTER: Towards Implicit Visual Memory-Based Authentication

  Claude Castelluccia, Markus Dürmuth, Maximilian Golla, and Fatma Deniz
  
  • Poster Session
• ISOC Network and Distributed System Security Symposium (NDSS '17) — February, 2017 — San Diego, California, USA (Acceptance: 16.1%)

  Towards Implicit Visual Memory-Based Authentication

  Claude Castelluccia, Markus Dürmuth, Maximilian Golla, and Fatma Deniz
  
  • Paper Slides Talk Website
• ISOC Workshop on Usable Security (USEC '17) — February, 2017 — San Diego, California, USA

  EmojiAuth: Quantifying the Security of Emoji-based Authentication

  Maximilian Golla, Dennis Detering, and Markus Dürmuth
  
  • Paper Slides

• ---

• 2016

• ---

• ACM Conference on Computer and Communications Security (CCS '16) — October, 2016 — Vienna, Austria (Acceptance: 16.5%)

  On the Security of Cracking-Resistant Password Vaults

  Maximilian Golla, Benedict Beuscher, and Markus Dürmuth
  
  • Paper Slides Talk Source Code

• ---

• 2015

• ---

• International Conference on Passwords (PASSWORDS '15) — December, 2015 — Cambridge, United Kingdom

  Analyzing 4 Million Real-World Personal Knowledge Questions

  Maximilian Golla and Markus Dürmuth
  
  • Paper Slides Talk

• Reviewer: ACM Conference on Human Factors in Computing Systems (CHI '22)
• Reviewer: ACM Transactions on Privacy and Security (TOPS '21)
• Reviewer: IEEE Transactions on Information Forensics and Security (TIFS '21)
• Program Committee and Poster Chair: 17th Symposium on Usable Privacy and Security (SOUPS '21)
• External Reviewer: 42nd IEEE Symposium on Security and Privacy (SP '21)
• Reviewer: 16th International Conference on Wirtschaftsinformatik (WI '21)
• Reviewer: IEEE Transactions on Emerging Topics in Computing (TETC '20)
• Program Chair: 6th Who Are You?! Adventures in Authentication Workshop (WAY '20)
• Program Committee and Poster Chair: 16th Symposium on Usable Privacy and Security (SOUPS '20)
• Publicity Chair: 5th European Workshop on Usable Security (EuroUSEC '20)
• Reviewer: ACM Transactions on Privacy and Security (TOPS '20)
• External Reviewer: 29th USENIX Security Symposium (SSYM '20)
• Poster Jury: 15th Symposium on Usable Privacy and Security (SOUPS '19)
• Program Chair: 5th Who Are You?! Adventures in Authentication Workshop (WAY '19)
• Program Committee and Publicity Chair: 4th European Workshop on Usable Security (EuroUSEC '19)
• Program Committee: 4th Who Are You?! Adventures in Authentication Workshop (WAY '18)
• Reviewer: 39th International Conference on Information Systems (ICIS '18)
• Program Committee: 2018 Networked Privacy Workshop at ACM CHI (NPW '18)
• External Reviewer: 3rd Who Are You?! Adventures in Authentication Workshop (WAY '17)
• External Reviewer: 26th USENIX Security Symposium (SSYM '17)
• Reviewer: ACM Transactions on Privacy and Security (TOPS '17)
• Reviewer: 11th International Conference on Passwords (PASSWORDS '16)

• ---

• 2021

• ---

• RUB: Codebreakers Quantum Computers? (December 2021)
• Tech Conversationalist: Are You Accidentally 'Waking Up' Your Smart Devices? (June 2021)
• RUB: What Users Think About Logging in Without a Password (June 2021)
• Deutschlandfunk: Transparenzseiten schmälern Datenschutz-Bedenken - Interview mit Florian Farke (June 2021)
• RUB: Transparent Data Collection Increases Trust Among Users (June 2021)
• CHIP: Covid-Lens: Wer nutzt noch die Corona-Warn-App? (April 2021)

• ---

• 2020

• ---

• Das Erste: Ein internationales Forscherteam hat in einer Studie über PINs zum Entsperren von Smartphones herausgefunden, dass ...? (December 2020)
• Journalisten Werkstatt: Digitale Selbstverteidigung: Passwörter unter Verschluss (September 2020)
• WIRED: iOS 14's Best Privacy Feature? Catching Data-Grabbing Apps (August 2020)
• WIRED (UK): iOS 14's Best Privacy Feature is Catching Apps' Vast Data Grabs (August 2020)
• Ars Technica: Uncovered: 1,000 Phrases that Incorrectly Trigger Alexa, Siri, and Google Assistant (July 2020)
• The Times: Not in Front of the Speaker! Words that Wake Up Alexa (July 2020)
• STRG_F: Smart Speaker: Wobei Alexa, Siri & Co. heimlich mithören (June 2020)
• Süddeutsche Zeitung: Wenn Alexa aus Versehen lauscht (June 2020)
• Norddeutscher Rundfunk: Wenn der smarte Lautsprecher mit dem Tatort-Kommissar spricht (June 2020)
• Tagesschau: Alexa, Siri & Co. - Die lauschenden Lautsprecher (June 2020)
• Westdeutsche Allgemeine Zeitung: Wie die Polizei verschlüsselte Dateien knackt (June 2020)
• bszonline: Bochumer Sicherheitsexperten geben Corona-Warn-App grünes Licht (June 2020)
• Westdeutscher Rundfunk: Corona-Warn-App: Es kommt auf uns selbst an (June 2020)
• Tagesschau: Corona-Warn-App: Geglückter Start - mit Irritationen (June 2020)
• T-Online: So finden Sie heraus, ob jemand in der Nähe die Corona-Warn-App nutzt (June 2020)
• Forbes: You Can Change Passwords To PINs With Windows 10 2004 (May 2020)
• Deutschlandfunk: Smartphone-PINs sind viel zu oft einfach zu erraten (May 2020)
• Forbes: This $99 Robot Built From LEGO Bricks Can Scan iPhones For PIN Codes (March 2020)
• Westdeutscher Rundfunk: Sechs- oder vierstellige Handy-PIN? Auf die Kombi kommt es an! (March 2020)
• Süddeutsche Zeitung: Sechsstellige PINs sind nicht automatisch sicherer als vierstellige (March 2020)
• Die Zeit: Warum weniger Smartphone-PIN mehr ist (March 2020)
• ZDNet: This Raspberry Pi-powered LEGO robot brute-force attacked an iPhone to find out what PIN codes are blacklisted (March 2020)
• WIRED (UK): Why You Should Never Use Pattern Passwords on Your Phone (March 2020)
• Der Tagesspiegel: Können Emojis die PIN ersetzen? (February 2020)
• Süddeutsche Zeitung: Die Qual des ständigen Passwort-Wechsels endet (February 2020)
• Die Zeit: Bundesamt hält regelmäßigen Passwortwechsel nicht mehr für notwendig (February 2020)
• Inverse: Your Password is Less Safe than Ever, but Who's to Blame? (January 2020)

• ---

• Older

• ---

• WIRED: Why One Secure Platform Passed on Two-Factor Authentication (October 2019)
• Der Standard: Studie: Entsperrmuster für Smartphones oft unsicher (February 2019)
• RUB: Sichere Muster für die Smartphone-Displaysperre (February 2019)
• HGI: Secure Patterns for Smartphone Display Lockout (February 2019)
• RUB: Sieben Mythen über Passwörter (February 2019)
• bszonline: Warum Facebook und Co. auf dem Schwarzmarkt shoppen (January 2019)
• RUB: Wie man Internetnutzer dazu bringt, ihr Passwort zu ändern (January 2019)
• Technology Networks: The House Rules for a Smart Home (October 2018)
• RUB: More Rules for the Intelligent Household (October 2018)
• NRKbeta: Vil du heller huske et passord av emojier? (March 2018)
• RUBIN: Passwörter sicherer machen (June 2016)
• Science & Vie: Mots de passe: ils gagneraient à être des images! (February 2015)
• ERCIM News: Learning from Neuroscience to Improve Internet Security (September 2014)