Lorrie Faith Cranor-Engineering and Public Policy - Carnegie Mellon University

Lorrie Faith Cranor

Professor and Associate Department Head, Engineering & Public Policy

Professor, Computer Science

Director, CyLab Usable Privacy and Security Laboratory (CUPS)

CyLab Usable Privacy and Security Laboratory
Carnegie Mellon University
5000 Forbes Avenue
Pittsburgh, PA 15213
Office: CIC 2207
Phone: (412) 268-7534
Secretary:: Tiffany M. Todd - (412) 268-6367
Research Interests: Online privacy issues; privacy enhancing technology; usability of privacy and security software; technology policy; social impact of computers.


  • Professor, Carnegie Mellon, 2014-present
  • Chief Technologist, US Federal Trade Commission, 2016
  • Associate Professor, Carnegie Mellon, 2008-2014
  • Associate Research Professor, Carnegie Mellon 2003-2008
  • Adjunct Assistant Professor of Information Systems, New York University Stern School of Business, 2003
  • Principal Technical Staff Member, AT&T Labs-Research 2001-2003
  • Senior Technical Staff Member, AT&T Labs-Research 1996-2001

Lorrie Faith Cranor is a Professor of Computer Science and of Engineering and Public Policy at Carnegie Mellon University where she is director of the CyLab Usable Privacy and Security Laboratory (CUPS) and co-director of the MSIT-Privacy Engineering masters program. In 2016 she served as Chief Technologist at the US Federal Trade Commission, working in the office of Chairwoman Ramirez. She is also a co-founder of Wombat Security Technologies, Inc, a security awareness training company. She has authored over 150 research papers on online privacy, usable security, and other topics. She has played a key role in building the usable privacy and security research community, having co-edited the seminal book Security and Usability (O'Reilly 2005) and founded the Symposium On Usable Privacy and Security (SOUPS). She also chaired the Platform for Privacy Preferences Project (P3P) Specification Working Group at the W3C and authored the book Web Privacy with P3P (O'Reilly 2002). She has served on a number of boards, including the Electronic Frontier FoundationBoard of Directors, and on the editorial boards of several journals. In her younger days she was honored as one of the top 100 innovators 35 or younger by Technology Review magazine. More recently she was named an ACM Fellow for her contributions to usable privacy and security research and education, and an IEEE Fellow for her contributions to privacy engineering. She was previously a researcher at AT&T-Labs Research and taught in the Stern School of Business at New York University. She holds a doctorate in Engineering and Policy from Washington University in St. Louis. In 2012-13 she spent her sabbatical as a fellow in the Frank-Ratchye STUDIO for Creative Inquiry at Carnegie Mellon University where she worked on fiber arts projects that combined her interests in privacy and security, quilting, computers, and technology. She practices yoga, plays soccer, and runs after her three children.


  • B.S. (Engineering and Public Policy) 1992, Washington University in St. Louis
  • M.S. (Technology and Human Affairs) 1993, Washington University in St. Louis
  • M.S. (Computer Science) 1996, Washington University in St. Louis M
  • D.Sc. (Engineering and Policy) 1996, Washington University in St. Louis


My research focuses on usable privacy and security. My current projects fall into several overlapping areas: privacy decision making (including applications of P3P), user-controllable security and privacy (including location-sharing privacy and file access control in the home), and usable cyber trust indicators, and and usable and secure passwords. Prior to coming to CMU I did research on P3P, electronic voting, security vulnerabilities in the movie production and distribution proces, and other topics.


Selected Publications

  1. Blase Ur, Felicia Alfieri, Maung Aung, Lujo Bauer, Nicolas Christin, Jessica Colnago, Lorrie Faith Cranor, Henry Dixon, Pardis Emami Naeini, Hana Habib, Noah Johnson, and William Melicher. 2017. Design and Evaluation of a Data-Driven Password Meter. CHI 2017. http://dl.acm.org/citation.cfm?id=3026050&CFID=931599301
  2. W. Melicher, B. Ur, S. Segreti, S. Komanduri, L. Bauer, N. Christin, L. Cranor. Fast, Lean, and Accurate: Modeling Password Guessability Using Neural Networks. USENIX Security, August 10-12, 2016, Austin, TX. https://www.ece.cmu.edu/~lbauer/papers/2016/usenixsec2016-neural-passwords.pdf
  3. B. Ur, J. Bees, S. Segreti, L. Bauer, N. Christin, and L. F. Cranor. CHI'16. Do users' perceptions of password security match reality? http://www.ece.cmu.edu/~lbauer/papers/2016/chi2016-pwd-perceptions.pdf
  4. F. Schaub, R. Balebako, A. Durity, and L. Cranor. A Design Space for Effective Privacy Notices. SOUPS 2015.
  5. R. Shay, L. Bauer, N. Christin, L. Cranor, A. Forget, S. Komanduri, M. Mazurek, W. Melicher, S. Segreti, and B. Ur. A Spoonful of Sugar? The Impact of Guidance and Feedback on Password-Creation Behavior. CHI 2015. http://cups.cs.cmu.edu/rshay/pubs/Feedback.pdf
  6. Chandrasekhar Bhagavatula, Blase Ur, Kevin Iacovino, Su Mon Kywe, Lorrie Faith Cranor, Marios Savvides. Biometric Authentication on iPhone and Android: Usability, Perceptions, and Influences on Adoption. USEC 2015, February 8, 2015. http://www.internetsociety.org/doc/biometric-authentication-iphone-and-android-usability-perceptions-and-influences-adoption
  7. F. Schaub, R. Balebako, A. Durity, and L. Cranor. Designing Effective Privacy Notices. SOUPS 2015. https://www.usenix.org/conference/soups2015/proceedings/presentation/schaub
  8. B. Ur, F. Noma, J. Bees, S. Segreti, R. Shay, L. Bauer, N. Christin, and L. Cranor. "I Added '!' at the End to Make It Secure": Observing Password Creation in the Lab. SOUPS 2015. https://www.usenix.org/conference/soups2015/proceedings/presentation/ur
  9. Saranga Komanduri, Richard Shay, Lorrie Faith Cranor, Cormac Herley, and Stuart Schechter. Telepathwords: Preventing Weak Passwords by Reading Users' Minds. USENIX Security 2014. August 20-22, 2014, San Diego, CA, pp. 591-606. https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/komanduri
  10. L. Cranor, A. Durity, A. Marsh, and B. Ur. Parents' and Teens' Perspectives on Privacy in a Technology-Filled World. SOUPS 2014.  https://www.usenix.org/conference/soups2014/proceedings/presentation/cranor
  11. C. Bravo-Lillo, L. Cranor, S. Komanduri, S. Schechter, M. Sleeper. Harder to Ignore? Revisiting Pop-Up Fatigue and Approaches to Prevent It. SOUPS 2014.  https://www.usenix.org/conference/soups2014/proceedings/presentation/bravo-lillo
  12. Richard Shay, Saranga Komanduri, Adam L. Durity, Philip (Seyoung) Huh, Michelle L. Mazurek, Sean M. Segreti, Blase Ur, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor. Can long passwords be secure and usable? In CHI 2014: Conference on Human Factors in Computing Systems, April 2014. ACM.  http://lorrie.cranor.org/pubs/longpass-chi2014.pdf
  13. Y. Wang, P. Leon, A. Acquisti, L.F. Cranor, A. Forget, N. Sadeh. A Field Trial of Privacy Nudges for Facebook. ACM SIGCHI Conference on Human Factors in Computing Systems (CHI2014).  http://yangwang.syr.edu/papers/CHI2014.pdf
  14. M.L. Mazurek, S. Komanduri, T. Vidas, L. Bauer, N. Christin, L.F. Cranor, P.G. Kelley, R. Shay, and B. Ur. Measuring Password Guessability for an Entire University. ACM CCS 2013.  https://www.cylab.cmu.edu/research/techreports/2013/tr_cylab13013.html
  15. C. Bravo-Lillo, L.F. Cranor, J. Downs, S. Komanduri, R.W. Reeder, S. Schechter, and M. Sleeper. Your Attention Please: Designing security-decision UIs to make genuine risks harder to ignore. In Proceedings of the Eight Symposium On Usable Privacy and Security (SOUPS ’13), Newcastle, United Kingdom, 2013.  http://cups.cs.cmu.edu/soups/2013/proceedings/a6_Bravo-Lillo.pdf
  16. P.G. Leon, B. Ur, Y. Wang, M. Sleeper, R. Balebako, R. Shay, L. Bauer, M. Christodorescu, L.F. Cranor. What Matters to Users? Factors that Affect Users' Willingness to Share Information with Online Advertisers. In Proceedings of the Eight Symposium On Usable Privacy and Security (SOUPS ’13), Newcastle, United Kingdom, 2013.  http://cups.cs.cmu.edu/soups/2013/proceedings/a7_Leon.pdf
  17. B. Ur, P.G. Kelley, S. Komanduri, J. Lee, M. Maass, M. Mazurek, T. Passaro, R. Shay, T. Vidas, L. Bauer, N. Christin, and L.F. Cranor. How does your password measure up? The effect of strength meters on password creation. USENIX Security 2012.  http://www.ece.cmu.edu/~lbauer/papers/2012/usenix2012-meters.pdf
  18. P. Klemperer, Y. Liang, M. Mazurek, M. Sleeper, B. Ur, L. Bauer, L.F. Cranor, N. Gupta, and M. Reiter. Tag, You Can See It! Using Tags for Access Control in Photo Sharing. CHI 2012.  http://www.ece.cmu.edu/~lbauer/papers/2012/chi2012-tags.pdf
  19. L.F. Cranor. Necessary But Not Sufficient: Standardized Mechanisms for Privacy Notice and Choice. Journal of Telecommunications and High Technology Law, Vol. 10, No. 2, 2012.  http://www.jthtl.org/content/articles/V10I2/JTHTLv10i2_Cranor.PDF