Lorrie Faith Cranor-Engineering and Public Policy - Carnegie Mellon University

Lorrie Faith Cranor

Professor, Computer Science, Engineering and Public Policy

Director, CyLab Usable Privacy and Security Laboratory (CUPS)

CyLab Usable Privacy and Security Laboratory
Carnegie Mellon University
5000 Forbes Avenue
Pittsburgh, PA 15213
Office: CIC 2207
Phone: (412) 268-7534
Secretary:: Tiffany M. Todd - (412) 268-6367
Research Interests: Online privacy issues; privacy enhancing technology; usability of privacy and security software; technology policy; social impact of computers.


  • Professor, Carnegie Mellon, 2014-present
  • Associate Professor, Carnegie Mellon, 2008-2014
  • Associate Research Professor, Carnegie Mellon 2003-2008
  • Adjunct Assistant Professor of Information Systems, New York University Stern School of Business, 2003
Lorrie Faith Cranor is a Professor of Computer Science and of Engineering and Public Policy at Carnegie Mellon University where she is director of the CyLab Usable Privacy and Security Laboratory (CUPS) and co-director of the MSIT-Privacy Engineering masters program. She is also a co-founder of Wombat Security Technologies, Inc. She has authored over 100 research papers on online privacy, usable security, and other topics. She has played a key role in building the usable privacy and security research community, having co-edited the seminal book Security and Usability (O'Reilly 2005) and founded the Symposium On Usable Privacy and Security (SOUPS). She also chaired the Platform for Privacy Preferences Project (P3P) Specification Working Group at the W3C and authored the book Web Privacy with P3P (O'Reilly 2002). She has served on a number of boards, including the Electronic Frontier Foundation Board of Directors, and on the editorial boards of several journals. In 2003 she was named one of the top 100 innovators 35 or younger by Technology Review magazine. She was previously a researcher at AT&T-Labs Research and taught in the Stern School of Business at New York University. In 2012-13 she spent her sabbatical year as a fellow in the Frank-Ratchye STUDIO for Creative Inquiry at Carnegie Mellon University where she worked on fiber arts projects that combined her interests in privacy and security, quilting, computers, and technology. She practices yoga, plays soccer, and runs after her three children.


  • B.S. (Engineering and Public Policy) 1992, Washington University in St. Louis
  • M.S. (Technology and Human Affairs) 1993, Washington University in St. Louis
  • M.S. (Computer Science) 1996, Washington University in St. Louis M
  • D.Sc. (Engineering and Policy) 1996, Washington University in St. Louis


My research focuses on usable privacy and security. My current projects fall into several overlapping areas: privacy decision making (including applications of P3P), user-controllable security and privacy (including location-sharing privacy and file access control in the home), and usable cyber trust indicators, and and usable and secure passwords. Prior to coming to CMU I did research on P3P, electronic voting, security vulnerabilities in the movie production and distribution proces, and other topics.


Selected Publications

  1. R. Shay, L. Bauer, N. Christin, L. Cranor, A. Forget, S. Komanduri, M. Mazurek, W. Melicher, S. Segreti, and B. Ur. A Spoonful of Sugar? The Impact of Guidance and Feedback on Password-Creation Behavior. CHI 2015. http://cups.cs.cmu.edu/rshay/pubs/Feedback.pdf
  2. Chandrasekhar Bhagavatula, Blase Ur, Kevin Iacovino, Su Mon Kywe, Lorrie Faith Cranor, Marios Savvides. Biometric Authentication on iPhone and Android: Usability, Perceptions, and Influences on Adoption. USEC 2015, February 8, 2015. http://www.internetsociety.org/doc/biometric-authentication-iphone-and-android-usability-perceptions-and-influences-adoption
  3. F. Schaub, R. Balebako, A. Durity, and L. Cranor. Designing Effective Privacy Notices. SOUPS 2015. https://www.usenix.org/conference/soups2015/proceedings/presentation/schaub
  4. B. Ur, F. Noma, J. Bees, S. Segreti, R. Shay, L. Bauer, N. Christin, and L. Cranor. "I Added '!' at the End to Make It Secure": Observing Password Creation in the Lab. SOUPS 2015. https://www.usenix.org/conference/soups2015/proceedings/presentation/ur
  5. Saranga Komanduri, Richard Shay, Lorrie Faith Cranor, Cormac Herley, and Stuart Schechter. Telepathwords: Preventing Weak Passwords by Reading Users' Minds. USENIX Security 2014. August 20-22, 2014, San Diego, CA, pp. 591-606. https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/komanduri
  6. L. Cranor, A. Durity, A. Marsh, and B. Ur. Parents' and Teens' Perspectives on Privacy in a Technology-Filled World. SOUPS 2014.  https://www.usenix.org/conference/soups2014/proceedings/presentation/cranor
  7. C. Bravo-Lillo, L. Cranor, S. Komanduri, S. Schechter, M. Sleeper. Harder to Ignore? Revisiting Pop-Up Fatigue and Approaches to Prevent It. SOUPS 2014.  https://www.usenix.org/conference/soups2014/proceedings/presentation/bravo-lillo
  8. Richard Shay, Saranga Komanduri, Adam L. Durity, Philip (Seyoung) Huh, Michelle L. Mazurek, Sean M. Segreti, Blase Ur, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor. Can long passwords be secure and usable? In CHI 2014: Conference on Human Factors in Computing Systems, April 2014. ACM.  http://lorrie.cranor.org/pubs/longpass-chi2014.pdf
  9. Y. Wang, P. Leon, A. Acquisti, L.F. Cranor, A. Forget, N. Sadeh. A Field Trial of Privacy Nudges for Facebook. ACM SIGCHI Conference on Human Factors in Computing Systems (CHI2014).  http://yangwang.syr.edu/papers/CHI2014.pdf
  10. M.L. Mazurek, S. Komanduri, T. Vidas, L. Bauer, N. Christin, L.F. Cranor, P.G. Kelley, R. Shay, and B. Ur. Measuring Password Guessability for an Entire University. ACM CCS 2013.  https://www.cylab.cmu.edu/research/techreports/2013/tr_cylab13013.html
  11. C. Bravo-Lillo, L.F. Cranor, J. Downs, S. Komanduri, R.W. Reeder, S. Schechter, and M. Sleeper. Your Attention Please: Designing security-decision UIs to make genuine risks harder to ignore. In Proceedings of the Eight Symposium On Usable Privacy and Security (SOUPS ’13), Newcastle, United Kingdom, 2013.  http://cups.cs.cmu.edu/soups/2013/proceedings/a6_Bravo-Lillo.pdf
  12. P.G. Leon, B. Ur, Y. Wang, M. Sleeper, R. Balebako, R. Shay, L. Bauer, M. Christodorescu, L.F. Cranor. What Matters to Users? Factors that Affect Users' Willingness to Share Information with Online Advertisers. In Proceedings of the Eight Symposium On Usable Privacy and Security (SOUPS ’13), Newcastle, United Kingdom, 2013.  http://cups.cs.cmu.edu/soups/2013/proceedings/a7_Leon.pdf
  13. B. Ur, P.G. Kelley, S. Komanduri, J. Lee, M. Maass, M. Mazurek, T. Passaro, R. Shay, T. Vidas, L. Bauer, N. Christin, and L.F. Cranor. How does your password measure up? The effect of strength meters on password creation. USENIX Security 2012.  http://www.ece.cmu.edu/~lbauer/papers/2012/usenix2012-meters.pdf
  14. P. Klemperer, Y. Liang, M. Mazurek, M. Sleeper, B. Ur, L. Bauer, L.F. Cranor, N. Gupta, and M. Reiter. Tag, You Can See It! Using Tags for Access Control in Photo Sharing. CHI 2012.  http://www.ece.cmu.edu/~lbauer/papers/2012/chi2012-tags.pdf
  15. L.F. Cranor. Necessary But Not Sufficient: Standardized Mechanisms for Privacy Notice and Choice. Journal of Telecommunications and High Technology Law, Vol. 10, No. 2, 2012.  http://www.jthtl.org/content/articles/V10I2/JTHTLv10i2_Cranor.PDF