At a time when 3.6 billion people worldwide use the Internet each day for work, personal banking, online shopping, and a host of other scenarios, information security and privacy has never been more important. Yet, without rigorous security systems behind each of these platforms, users won’t embrace online technology and Internet trust begins to crumble.
IT security expert Julie Thorpe, PhD, examines online security, the way people interact with devices, and how that influences security systems. Users are prone to making mistakes in online authentication and security systems which can lead to loss and breach of trust. An Associate Professor in the Faculty of Business and Information Technology, Dr. Thorpe aims to improve online security by designing systems that understand key functions of the human brain.
With a myriad of online systems and services, users are required to select and remember a variety of character-specific passwords that don’t necessarily work well with human memory. Dr. Thorpe’s latest research focuses on the design and evaluation of stronger authentication systems that work with the users’ memory. Using a model that assumes most online users are working with a password manager, her research explores ways to help generate a secure password including the use of locations, password phrases and a set of policies to help create secure passwords.
Highly specialized computer security programs brought Dr. Thorpe to UOIT as an Assistant Professor in 2010, and she has developed and taught courses in Malware and Software Security, IT Security Policies and Procedures, and Operating System Security. An advocate for learning beyond the classroom, she founded UOIT’s IT Security Reading Group to create broad discussion of the latest IT security industry news and help students build critical thinking and communication skills. Dr. Thorpe is also a member of the ACM-W Women in Computing Chapter at UOIT and DC where she aims to raise the profile of female experts in her field. And as a founding member of the Information Forensics and Security Lab, she helped create an advanced space for hands-on learning.
Dr. Thorpe completed her Bachelor of Computer Science with First Class Honours at the Faculty of Computer Science at Dalhousie University in Halifax; then gained six years of invaluable industry experience as a software systems analyst before earning her Doctorate of Philosophy in Computer Science from Ottawa’s Carleton University in 2008.
Industry Expertise (7)
Areas of Expertise (10)
Senate Medal Award, Carleton University (professional)
Awarded for Outstanding Academic Achievement, Dr. Thorpe was also nominated for a University Medal that same year and has received numerous academic scholarships and honours.
Carleton University: PhD, Philosophy (Computer Science) 2008
Dalhousie University: BSc, Computer Science, First Class Honours (Co-op Option) 2002
- UOIT IT Security Reading Group
- ACM-W Women in Computing Chapter at UOIT and DC
Media Appearances (8)
Businesses slow to adopt even basic cyber security policies
The Deal Room online
While cyber security experts are growing hoarse from telling businesses to wake up and realize leaks and IT infrastructure compromises are bleeding them billions of dollars, the looming threat isn’t savvy new hacking techniques – it’s just plain laziness, according to Hewlett-Packard’s latest Cyber Risk Report.
CBC Radio Yukon online
Tech columnist Dan Misener talks about Yahoo's new plan to protect your online profile, and why it won't fly.
Is there ‘love’ in your online passwords?
The Toronto Star print
People are putting a little too much “love” into their online passwords.
At least that’s what a team of researchers from the University of Ontario Institute of Technology (UOIT) says. They analyzed 32 million leaked passwords from the now-defunct RockYou.com website. The project was led by UOIT graduate student Rafael Veras in collaboration with UOIT faculty Dr. Christopher Collins and Dr. Julie Thorpe. And their findings are, um, lovely.
The Secret Life of Passwords
The New York Times Magazine
We despise them – yet we imbue them with our hopes and dreams, our dearest memories, our deepest meanings. They unlock much more than our accounts.
Small business, big problems
The Toronto Star print
There has never been a more dangerous time to be online.
In numbers far greater than the combined populations of the U.S. and Canada, our Internet identities are falling into the hands of hackers—over 552 million breached in 2013 alone. And in this era of cybercrime, small businesses stand to lose big.
Durham Now tv
This segment discusses Dr. Thorpe's Password Semantics research (NDSS 2014) and Geo Pass research (SOUPS 2013) research.
UOIT researchers crack down on password security in wake of Heartbleed
In the wake of an online bug that prompted a number of websites, including the Canada Revenue Agency’s tax filing system, to shut down, UOIT researchers are discussing personal password security and ways to make them stronger.
Dr. Julie Thorpe, assistant professor of IT security at the University of Ontario Institute of Technology, said while high-impact vulnerabilities such as the latest online bug, Heartbleed, are somewhat rare, it highlights the need for education regarding online security.
Data breaches: It’s more expensive to react than prevent
The Globe and Mail print
On April 11, the Investment Industry Regulatory Organization of Canada (IIROC) announced the loss of a mobile device – reportedly a laptop – containing the personal financial information of about 52,000 brokerage firm clients.
Event Appearances (3)
The Presentation Effect on Graphical Passwords
The ACM CHI Conference on Human Factors in Computing Systems Toronto, Ontario
Usability and Security Evaluation of GeoPass: a Geographic Location-Password Scheme
The 9th Symposium on Usable Privacy and Security Northumbria University, Newcastle, United Kingdom
Video Passwords: Advertising While Authenticating
The New Security Paradigms Workshop Bertinoro, Italy
Systems, Methods, and Computer Program Products for Providing Video-Passwords for User Authentication
U.S. Patent No. 8966614
This invention is related to authentication schemes utilizing advertising video-passwords, which require the user to watch and remember parts of a given advertisement video. Different embodiments of the invention can utilize just time reference point information, or can optionally include grid element, click point, tag phrase, or a combination of both click point and tag phrase information. A reference video-password is defined based on the time reference point information, and optionally with grid element, click point, or tag phrase information. Subsequently, the user will attempt authentication and the candidate video-password will be defined with the associated time reference point determined from the user's input, and optionally with grid element, click point, or tag phrase information received from the user. The system would then authenticate the user based on the comparison result between the reference video-password and the candidate video-password.
Research Grants (2)
Towards Cognitive Aids for Stronger Computer Security
NSERC Discovery Grant $75000
As principal investigator of this five-year research program, Dr. Thorpe aims to design and evaluate systems that work cohesively with human brain function to achieve better online security and privacy.
Laboratory for Human-Centered Computer Science Research
Canada Foundation for Innovation (CFI) $21152
As co-founder, Dr. Thorpe helped create a hands-on, experiential lab to study how people interact with different technologies including desktop, mobile, touch screen, and eye tracking.
IT Security Policies and Procedures
INFR 4680, 4th Year Undergraduate Course
Security Policies and Risk Management
MITS 5600, Graduate Course
Operating System Security
INFR 3610, 3rd Year Undergraduate Course
Malware and Software Security
INFR 4670U, 4th Year Undergraduate Course
Operating System Security
MITS 5300, Graduate Course
We design and explore the usability and security of two geographic authentication schemes: GeoPass and GeoPassNotes. GeoPass requires users to choose a place on a digital map to authenticate with (a location password). GeoPassNotes—an extension of GeoPass—requires users to annotate their location password with a sequence of words that they can associate with the location (an annotated location password). In GeoPassNotes, users are authenticated by correctly entering both a location and an annotation. We conducted user studies to test the usability and assess the security of location passwords and annotated location passwords.
The lack of encryption of data at rest or in motion is one of the top 10 database vulnerabilities . We suggest that this vulnerability could be prevented by encouraging developers to perform encryption-related tasks by enhancing their integrated development environment (IDE). To this end, we created the Crypto-Assistant: a modified version of the Hibernate Tools plug-in for the popular Eclipse IDE. The purpose of the Crypto-Assistant is to mitigate the impact of developers' lack of security knowledge related to encryption by facilitating the use of encryption directives via a graphical user interface that seamlessly integrates with Hibernate Tools.
We provide a simple yet powerful demonstration of how an unobtrusive change to a graphical password interface can modify the distribution of user chosen passwords, and thus possibly the security it provides. The only change to the interface is how the background image is presented to the user in the password creation phase—we call the effect of this change the “presentation effect”.
We present the ﬁrst framework for segmentation, semantic classiﬁcation, and semantic generalization of passwords and a model that captures the semantic essence of password samples. Researchers have only touched the surface of patterns in password creation, with the semantics of passwords remaining largely unexplored, leaving a gap in our understanding of their characteristics and, consequently, their security. In this paper, we begin to ﬁll this gap by employing Natural Language Processing techniques to extract and leverage understanding of semantic patterns in passwords.
We design, implement, and evaluate GeoPass: an interface for digital map-based authentication where a user chooses a place as his or her password (i.e., a“location-password”). We conducted a multi-session in-lab/at-home user study to evaluate the usability, memorability, and security of locationpasswords created with GeoPass.
We begin an investigation into the semantic patterns underlying user choice in passwords. Understanding semantic patterns provides insight into how people choose passwords, which in turn can be used to inform usable password policies and password guidelines. As semantic patterns are difﬁcult to recognize automatically, we turn to visualization to aid in their discovery. We focus on dates in passwords, designing an interactive visualization for their detailed analysis, and using it to explore the RockYou dataset of over 32 million passwords.
We introduce a new class of authentication schemes called “video-passwords”, which require the user to watch and remember parts of a given video (e.g., a sequence of scenes, movements, and/or sounds). We propose four diﬀerent videopassword schemes, describe their prototypes, and analyze their security. Under certain parameters, the security of some of these schemes appears to be theoretically comparable to traditional text passwords. Video-passwords provide more than potentially better security; they also present a unique opportunity for businesses to consider – advertising through the rich multimedia used in the login task.
We provide an in-depth study of the security of click-based graphical password schemes like PassPoints (Weidenbeck et al., 2005), by exploring popular points (hot-spots), and examining strategies to predict and exploit them in guessing attacks. We report on both short- and long-term user studies: one lab-controlled, involving 43 users and 17 diverse images, the other a field test of 223 user accounts.
We introduce and evaluate various methods for purely automated attacks against PassPoints-style graphical passwords. For generating these attacks, we introduce a graph-based algorithm to efficiently create dictionaries based on heuristics such as click-order patterns (e.g., five points all along a line).