Joseph Bonneau
email jbonneau@cs.stanford.edu   (PGP key)
mobile +1 650 804 6934
office +1 415 436 9333 x132

Academic publications

My thesis work focused on human authentication on the web, though I've also published on social networking privacy, crypto protocols, side-channel attacks, software obfuscation, and reverse engineering. I try to make full text available for all publications accepted into academic conferences and workshops as soon as possible.

My Google Scholar and Microsoft Academic Search pages have bibliometric data and links to citations of my papers.

Guessing statistics and metrics

  • Differentially Private Password Frequency Lists
    (dataset)
    Jeremiah Blocki, Anupam Datta and Joseph Bonneau. NDSS 2016. San Diego, CA, USA.
  • Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google
    Joseph Bonneau, Elie Bursztein, Ilan Caron, Rob Jackson and Mike Williamson. 25th International World Wide Web Conference (WWW).
  • The Tangled Web of Password Reuse
    Anupam Das, Joseph Bonneau, Matthew Caesar, Nikita Borisov and XiaoFeng Wang. NDSS 2014. San Diego, CA, USA.
  • The science of guessing: analyzing an anonymized corpus of 70 million passwords
    (source code)
    Joseph Bonneau. IEEE Security & Privacy (Oakland) 2012. San Francisco, CA, USA.
  • Guessing human-chosen secrets (PhD dissertation)
    (bindable version) (tech report version) (DSpace version) (source code)
    Joseph Bonneau.
  • Statistical metrics for individual password strength
    Joseph Bonneau. Twentieth International Workshop on Security Protocols. Cambridge, UK.
  • Linguistic properties of multi-word passphrases
    Joseph Bonneau and Ekaterina Shutova. USEC '12: Workshop on Usable Security. Kralendijk, Bonaire, Netherlands.
  • A birthday present every eleven wallets? The security of customer-chosen banking PINs
    (survey wording) (RockYou PIN plot) (iPhone PIN plot)
    Joseph Bonneau, Sören Preibusch and Ross Anderson. FC '12: The 16th International Conference on Financial Cryptography. Kralendijk, Bonaire, Netherlands.
  • What's in a Name? Evaluating Statistical Attacks on Personal Knowledge Questions
    (dataset)
    Joseph Bonneau, Mike Just and Greg Matthews. FC '10: The 14th International Conference on Financial Cryptography. Tenerife, Spain.

Web authentication in practice

  • Passwords and the Evolution of Imperfect Authentication
    Joseph Bonneau, Cormac Herley, Paul C. van Oorschot and Frank Stajano. Communications of the ACM.
  • Cracking-Resistant Password Vaults using Natural Language Encoders
    Rahul Chatterjee, Joseph Bonneau, Ari Juels and Thomas Ristenpart. IEEE Security & Privacy (Oakland) 2015. San Francisco, CA, USA.
  • Of contraseñas, סיסמאות, and 密码: Character encoding issues for web passwords
    Joseph Bonneau and Rubin Xu. Web 2.0 Security & Privacy. San Francisco, CA, USA.
  • The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes
    (full-length technical report)
    Joseph Bonneau, Cormac Herley, Paul C. van Oorschot and Frank Stajano. IEEE Security & Privacy (Oakland) 2012. San Francisco, CA, USA.
  • Getting web authentication right: a best-case protocol for the remaining life of passwords
    Joseph Bonneau. 19th International Workshop on Security Protocols. Cambridge, UK.
  • The Password Game: negative externalities from weak password practices
    Sören Preibusch and Joseph Bonneau. GameSec 2010: Conference on Decision and Game Theory for Security. Berlin, Germany.
  • The password thicket: technical and market failures in human authentication on the web
    (dataset)
    Joseph Bonneau and Sören Preibusch. WEIS '10: The 9th Workshop on the Economics of Information Security. Boston, MA, USA.

Security and privacy in the social web

  • Cognitive Disconnect: Understanding Facebook Connect Login Permissions
    (abridged version)
    Nicky Robinson and Joseph Bonneau. COSN '14: ACM Conference on Online Social Networks. Dublin, Ireland.
  • Clarity of Facebook Connect login permissions (poster)
    (abstract)
    Nicky Robinson and Joseph Bonneau. SOUPS 2014: The 10th Symposium On Usable Privacy and Security. Menlo Park, CA, USA.
  • Privacy concerns of implicit secondary factors for web authentication
    Joseph Bonneau, Ed Felten, Prateek Mittal and Arvind Narayanan. WAY 2014: Who are you?! Adventures in Authentication Workshop. Menlo Park, CA, USA.
  • The privacy landscape: product differentiation on data collection
    (dataset)
    Sören Preibusch and Joseph Bonneau. WEIS '11: The 10th Workshop on the Economics of Information Security. Washington, DC, USA.
  • Don't Tread on Me: Moderating Access to OSN Data with SpikeStrip
    Christo Wilson, Alessandra Sala, Joseph Bonneau, Robert Zablit and Ben Zhao. WOSN 2010: The 3rd Workshop on Online Social Networks. Boston, Massachusetts.
  • Privacy-Enhanced Public View for Social Graphs
    Hyoungshick Kim and Joseph Bonneau. SWSM '09: The 2nd Workshop on Social Web Search and Mining. Hong Kong, China.
  • Privacy Preserving Social Networking Over Untrusted Networks
    Jonathan Anderson, Claudia Diaz, Joseph Bonneau and Frank Stajano. WOSN 2009: The 2nd ACM SIGCOMM Workshop on Online Social Networks. Barcelona, Spain.
  • Prying Data out of a Social Network
    Joseph Bonneau, Jonathan Anderson and George Danezis. ASONAM 09: The 1st International Conference on Advances in Social Networks Analysis and Mining. Athens, Greece.
  • Privacy Stories: Confidence in Privacy Behaviors through End User Programming (poster)
    (abstract)
    Luke Church, Jonathan Anderson, Joseph Bonneau and Frank Stajano. SOUPS 2009: The 5th Symposium On Usable Privacy and Security. Mountain View, CA, USA.
  • Privacy Suites: Shared Privacy for Social Networks (poster)
    (abstract)
    Joseph Bonneau, Jonathan Anderson and Luke Church. SOUPS 2009: The 5th Symposium On Usable Privacy and Security. Mountain View, CA, USA.
  • Security APIs for Online Applications
    Jonathan Anderson, Joseph Bonneau and Frank Stajano. 3rd International Workshop on Analysis of Security APIs. Port Jefferson, NY, USA.
  • The Privacy Jungle: On the Market for Privacy in Social Networks
    (abridged paper) (dataset)
    Joseph Bonneau and Sören Preibusch. WEIS '09: The 8th Workshop on the Economics of Information Security. London, UK.
  • Eight Friends Are Enough: Social Graph Approximation via Public Listings
    Joseph Bonneau, Jonathan Anderson, Frank Stajano and Ross Anderson. SNS '09: The 2nd ACM Workshop on Social Network Systems. Nuremberg, Germany.

Side channel cryptanalysis

  • Robust Final-Round Cache-Trace Attacks Against AES
    Joseph Bonneau.
  • Cache Collision Timing Attacks Against AES
    (source code)
    Joseph Bonneau and Ilya Mironov. CHES '06: Workshop on Cryptographic Hardware and Embedded Systems. Boston, MA, USA.

Secure messaging

  • Secure Chat for the Masses? User-centered Security to the Rescue (poster)
    Ruba Abu-Salma, M. Angela Sasse and Joseph Bonneau. ACM CCS 2015. Denver, CO, USA.
  • CONIKS: Bringing Key Transparency to End Users
    Marcela S. Melara, Aaron Blankstein, Joseph Bonneau, Michael J. Freedman and Edward W. Felten. USENIX Security 2015. Washington, DC, USA.
  • SoK: Secure Messaging
    (abridged paper)
    Nik Unger, Sergej Dechand, Joseph Bonneau, Sascha Fahl, Henning Perl, Ian Goldberg and Matthew Smith. IEEE Security & Privacy (Oakland) 2015. San Francisco, CA, USA.
  • Finite State Security Analysis of OTR Version 2
    Joseph Bonneau and Andrew Morrison.

Bitcoin and cryptocurrencies

  • Why buy when you can rent? Bribery attacks on Bitcoin consensus
    Joseph Bonneau. BITCOIN '16: 3rd Workshop on Bitcoin and Blockchain Research. Barbados.
  • EthIKS: Using Ethereum to audit a CONIKS key transparency log
    Joseph Bonneau. BITCOIN '16: 3rd Workshop on Bitcoin and Blockchain Research. Barbados.
  • Incentive Compatibility of Bitcoin Mining Pool Reward Functions
    Okke Schrijvers, Joseph Bonneau, Dan Boneh and Tim Roughgarden. FC '16: The 20th International Conference on Financial Cryptography. Barbados.
  • The Bitcoin Brain Drain: Examining the Use and Abuse of Bitcoin Brain Wallets
    Marie Vasek, Joseph Bonneau, Ryan Castellucci, Cameron Keith and Tyler Moore. FC '16: The 20th International Conference on Financial Cryptography. Barbados.
  • [DRAFT] On Bitcoin as a public randomness source
    Joseph Bonneau, Jeremy Clark and Steven Goldfeder.
  • Provisions: Privacy-preserving proofs of solvency for Bitcoin exchanges
    (eprint page)
    Gaby G. Dagher, Benedikt Buenz, Joseph Bonneau, Jeremy Clark and Dan Boneh. ACM CCS 2015. Denver, CO, USA.
  • An empirical study of Namecoin and lessons for decentralized namespace design
    Harry Kalodner, Miles Carlsten, Paul Ellenbogen, Joseph Bonneau and Arvind Narayanan. WEIS '15: The 14th Workshop on the Economics of Information Security. Delft, Netherlands.
  • Research Perspectives and Challenges for Bitcoin and Cryptocurrencies
    Joseph Bonneau, Andrew Miller, Jeremy Clark, Arvind Narayanan, Joshua A. Kroll and Edward W. Felten. IEEE Security & Privacy (Oakland) 2015. San Francisco, CA, USA.
  • On Decentralizing Prediction Markets and Order Books
    Jeremy Clark, Joseph Bonneau, Edward W. Felten, Joshua A. Kroll, Andrew Miller and Arvind Narayanan. WEIS '14: The 13th Workshop on the Economics of Information Security. State College, PA, USA.
  • Fawkescoin: A cryptocurrency without public-key cryptography
    Joseph Bonneau and Andrew Miller. 19th International Workshop on Security Protocols. Cambridge, UK.
  • Mixcoin: Anonymity for Bitcoin with accountable mixes
    (abridged version) (ePrint mirror)
    Joseph Bonneau, Arvind Narayanan, Andrew Miller, Jeremy Clark, Joshua A. Kroll and Edward W. Felten. FC '14: The 18th International Conference on Financial Cryptography. Barbados.
  • Bitcoin and Cryptocurrency Technologies
    Arvind Narayanan, Joseph Bonneau, Edward Felten, Andrew Miller and Steven Goldfeder.

HTTPS

  • Upgrading HTTPS in Mid-Air: An Empirical Study of Strict Transport Security and Key Pinning
    Michael Kranch and Joseph Bonneau. NDSS 2015. San Diego, CA, USA.
  • S-links: Why distributed security policy requires secure introduction
    (project homepage)
    Joseph Bonneau. Web 2.0 Security & Privacy. San Francisco, CA, USA.

Miscellaneous

  • It’s Not Stealing If You Need It: A Panel on The Ethics of Performing Research Using Public Data of Illicit Origin (panel discussion)
    Serge Egelman, Joseph Bonneau, Sonia Chiasson, David Dittrich and Stuart Schechter. WECSR '12: Workshop on Ethics in Computer Security Research. Kralendijk, Bonaire, Netherlands.
  • Scrambling for lightweight censorship resistance
    Joseph Bonneau and Rubin Xu. 19th International Workshop on Security Protocols. Cambridge, UK.
  • Inglourious Installers: Security in the Application Marketplace
    Jonathan Anderson, Joseph Bonneau and Frank Stajano. WEIS '10: The 9th Workshop on the Economics of Information Security. Boston, MA, USA.
  • Digital immolation: new directions in online protest
    Joseph Bonneau. Eighteenth International Workshop on Security Protocols. Cambridge, UK.
  • Alice and Bob's life stories: Cryptographic communication using shared experiences
    Joseph Bonneau. 17th International Workshop on Security Protocols. Cambridge, UK.

Improving password security

  • Learning Assigned Secrets for Unlocking Mobile Devices
    Stuart Schechter and Joseph Bonneau. SOUPS '15: The 11th Symposium On Usable Privacy and Security. Ottawa, Canada.
  • Towards reliable storage of 56-bit secrets in human memory
    (abridged version)
    Joseph Bonneau and Stuart Schechter. USENIX Security 2014. San Diego, CA, USA.