A paper by a current Google employee on the use and strength of passwords has won the inaugural Science of Security competition of the United States' National Security Agency (NSA), beating out 44 other nominated works.
Named "The science of guessing: analysing an anonymised corpus of 70 million passwords", the paper was written by Dr Joseph Bonneau, who worked on his PhD degree under well-known security engineering researcher Professor Ross Anderson at Cambridge University.
Currently, Bonneau works as a software engineer at Google's New York office.
Bonneau's paper measures password use in practice and provides theoretical suggestions on how to model password strength.
"Dr Bonneau's paper offered careful and rigorous measurements of password use and strength, and is an example of research that demonstrates a sound scientific approach to cybersecurity," said Dr Patricia Muoio, who heads up the NSA Research Directorate's Trusted Systems Research Group.
The 2012 paper was presented by Bonneau at an NSA event last weekend, where he was also honoured for his work.
Two other papers received honourable mentions for their scientific methodology in the NSA competition.
Microsoft researcher Dr Martin Abadi and Dr Gordon Plotkin from the University of Edinburgh were commended for their work on layout randomisation, which used a formal approach to study the effect of dynamically changing what cyber attackers view, in order to confound them.
An empirical study of zero-day attacks in the real world by Dr Leyla Yumer from Symantec and Dr Tudor Dumitras of the University of Maryland used data fusion analysis, which the NSA said could be used to protect government systems.
The NSA scientific cyber security paper competition was open to the public. Entries were judged by nine experts from academia and private companies such as Goldman Sachs and Microsoft. The prize for winning the NSA competition was to present the paper before an audience of cybersecurity experts and government staff.