Julie Thorpe, PhD - University of Ontario Institute of Technology. Oshawa, ON, CA

Julie Thorpe, PhD

Associate Professor, Faculty of Business and Information Technology | University of Ontario Institute of Technology

Oshawa, ON, CANADA

IT security expert develops authentication systems to protect consumer information and privacy


At a time when 3.6 billion people worldwide use the Internet each day for work, personal banking, online shopping, and a host of other scenarios, information security and privacy have never been more important. Yet, without rigorous security systems behind each of these platforms, users won’t embrace online technology and Internet trust begins to crumble.

IT security expert Julie Thorpe, PhD, examines online security, the way people interact with devices, and how that influences security systems. Users are prone to making mistakes in online authentication and security systems, which can lead to loss and breach of trust. An Associate Professor in the Faculty of Business and Information Technology, Dr. Thorpe aims to improve online security by designing systems that understand key functions of the human brain.

With a myriad of online systems and services, users are required to select and remember a variety of character-specific passwords that don’t necessarily work well with human memory. Dr. Thorpe’s latest research focuses on the design and evaluation of stronger authentication systems that work with the users’ memory. Using a model that assumes most online users are working with a password manager, her research explores ways to help generate a secure password including the use of locations, password phrases and a set of policies to help create secure passwords.

Highly specialized computer security programs brought Dr. Thorpe to UOIT as an Assistant Professor in 2010, and she has developed and taught courses in Malware and Software Security, IT Security Policies and Procedures, and Operating System Security. An advocate for learning beyond the classroom, she founded UOIT’s IT Security Reading Group to create broad discussion of the latest IT security industry news and help students build critical thinking and communication skills. Dr. Thorpe is also a member of the ACM-W Women in Computing Chapter at UOIT and DC where she aims to raise the profile of female experts in her field. And as a founding member of the Information Forensics and Security Lab, she helped create an advanced space for hands-on learning.

Dr. Thorpe completed her Bachelor of Computer Science with First Class Honours at the Faculty of Computer Science at Dalhousie University in Halifax; then gained six years of invaluable industry experience as a software systems analyst before earning her Doctorate of Philosophy in Computer Science from Ottawa’s Carleton University in 2008.

Industry Expertise (7)

Computer/Network Security

Computer Software

Consumer Electronics


Information Technology and Services



Areas of Expertise (10)


Software Security

Human Factors



Security Policies

Operating System Security


Distributed Computing

Brain Computing Interfaces

Accomplishments (1)

Senate Medal Award, Carleton University (professional)


Awarded for Outstanding Academic Achievement, Dr. Thorpe was also nominated for a University Medal that same year and has received numerous academic scholarships and honours.

Education (2)

Carleton University: PhD, Philosophy (Computer Science) 2008

Dalhousie University: BSc, Computer Science, First Class Honours (Co-op Option) 2002

Affiliations (2)

  • UOIT IT Security Reading Group
  • ACM-W Women in Computing Chapter at UOIT and DC

Media Appearances (8)

Businesses slow to adopt even basic cyber security policies

The Deal Room  online


While cyber security experts are growing hoarse from telling businesses to wake up and realize leaks and IT infrastructure compromises are bleeding them billions of dollars, the looming threat isn’t savvy new hacking techniques – it’s just plain laziness, according to Hewlett-Packard’s latest Cyber Risk Report.


Password protection

CBC Radio Yukon  online


Tech columnist Dan Misener talks about Yahoo's new plan to protect your online profile, and why it won't fly.


Is there ‘love’ in your online passwords?

The Toronto Star  print


People are putting a little too much “love” into their online passwords. At least that’s what a team of researchers from the University of Ontario Institute of Technology (UOIT) says. They analyzed 32 million leaked passwords from the now-defunct RockYou.com website. The project was led by UOIT graduate student Rafael Veras in collaboration with UOIT faculty Dr. Christopher Collins and Dr. Julie Thorpe. And their findings are, um, lovely.


The Secret Life of Passwords

The New York Times Magazine  


We despise them – yet we imbue them with our hopes and dreams, our dearest memories, our deepest meanings. They unlock much more than our accounts.


Small business, big problems

The Toronto Star  print


There has never been a more dangerous time to be online. In numbers far greater than the combined populations of the U.S. and Canada, our Internet identities are falling into the hands of hackers—over 552 million breached in 2013 alone. And in this era of cybercrime, small businesses stand to lose big.


Weak passwords

Durham Now  tv


This segment discusses Dr. Thorpe's Password Semantics research (NDSS 2014) and GeoPass research (SOUPS 2013).


UOIT researchers crack down on password security in wake of Heartbleed

Durhamregion.com  online


In the wake of an online bug that prompted a number of websites, including the Canada Revenue Agency’s tax filing system, to shut down, UOIT researchers are discussing personal password security and ways to make them stronger. Dr. Julie Thorpe, assistant professor of IT security at the University of Ontario Institute of Technology, said while high-impact vulnerabilities such as the latest online bug, Heartbleed, are somewhat rare, it highlights the need for education regarding online security.


Data breaches: It’s more expensive to react than prevent

The Globe and Mail  print


On April 11, the Investment Industry Regulatory Organization of Canada (IIROC) announced the loss of a mobile device – reportedly a laptop – containing the personal financial information of about 52,000 brokerage firm clients.


Event Appearances (3)

The Presentation Effect on Graphical Passwords

The ACM CHI Conference on Human Factors in Computing Systems  Toronto, Ontario


Usability and Security Evaluation of GeoPass: a Geographic Location-Password Scheme

The 9th Symposium on Usable Privacy and Security  Northumbria University, Newcastle, United Kingdom


Video Passwords: Advertising While Authenticating

The New Security Paradigms Workshop  Bertinoro, Italy


Patents (1)

Systems, Methods, and Computer Program Products for Providing Video-Passwords for User Authentication

U.S. Patent No. 8966614


This invention is related to authentication schemes utilizing advertising video-passwords, which require the user to watch and remember parts of a given advertisement video. Different embodiments of the invention can utilize just time reference point information, or can optionally include grid element, click point, tag phrase, or a combination of both click point and tag phrase information. A reference video-password is defined based on the time reference point information, and optionally with grid element, click point, or tag phrase information. Subsequently, the user will attempt authentication and the candidate video-password will be defined with the associated time reference point determined from the user's input, and optionally with grid element, click point, or tag phrase information received from the user. The system would then authenticate the user based on the comparison result between the reference video-password and the candidate video-password.


Research Grants (2)

Towards Cognitive Aids for Stronger Computer Security

NSERC Discovery Grant $75000


As principal investigator of this five-year research program, Dr. Thorpe aims to design and evaluate systems that work cohesively with human brain function to achieve better online security and privacy.

Laboratory for Human-Centered Computer Science Research

Canada Foundation for Innovation (CFI) $21152


As co-founder, Dr. Thorpe helped create a hands-on, experiential lab to study how people interact with different technologies including desktop, mobile, touch screen, and eye tracking.

Courses (5)

IT Security Policies and Procedures

INFR 4680, 4th Year Undergraduate Course


Security Policies and Risk Management

MITS 5600, Graduate Course


Operating System Security

INFR 3610, 3rd Year Undergraduate Course


Malware and Software Security

INFR 4670U, 4th Year Undergraduate Course


Operating System Security

MITS 5300, Graduate Course


Articles (9)

An Exploration of Geographic Authentication Schemes IEEE Transactions on Information Forensics and Security


We design and explore the usability and security of two geographic authentication schemes: GeoPass and GeoPassNotes. GeoPass requires users to choose a place on a digital map to authenticate with (a location password). GeoPassNotes—an extension of GeoPass—requires users to annotate their location password with a sequence of words that they can associate with the location (an annotated location password). In GeoPassNotes, users are authenticated by correctly entering both a location and an annotation. We conducted user studies to test the usability and assess the security of location passwords and annotated location passwords.


Crypto-Assistant: Towards Facilitating Developer’s Encryption of Sensitive Data Proceedings of the 2014 Twelfth Annual International Conference on Privacy, Security and Trust


The lack of encryption of data at rest or in motion is one of the top 10 database vulnerabilities [1]. We suggest that this vulnerability could be prevented by encouraging developers to perform encryption-related tasks by enhancing their integrated development environment (IDE). To this end, we created the Crypto-Assistant: a modified version of the Hibernate Tools plug-in for the popular Eclipse IDE. The purpose of the Crypto-Assistant is to mitigate the impact of developers' lack of security knowledge related to encryption by facilitating the use of encryption directives via a graphical user interface that seamlessly integrates with Hibernate Tools.


The Presentation Effect on Graphical Passwords Proceedings of the 32nd SIGCHI Conference on Human Factors in Computing Systems


We provide a simple yet powerful demonstration of how an unobtrusive change to a graphical password interface can modify the distribution of user chosen passwords, and thus possibly the security it provides. The only change to the interface is how the background image is presented to the user in the password creation phase—we call the effect of this change the “presentation effect”.


On the Semantic Patterns of Passwords and Their Security Impact Proceedings of the 2014 Network and Distributed System Security Symposium


We present the first framework for segmentation, semantic classification, and semantic generalization of passwords and a model that captures the semantic essence of password samples. Researchers have only touched the surface of patterns in password creation, with the semantics of passwords remaining largely unexplored, leaving a gap in our understanding of their characteristics and, consequently, their security. In this paper, we begin to fill this gap by employing Natural Language Processing techniques to extract and leverage understanding of semantic patterns in passwords.


Usability and Security Evaluation of GeoPass: a Geographic Location-Password Scheme Proceedings of the Symposium on Usable Privacy and Security 2013


We design, implement, and evaluate GeoPass: an interface for digital map-based authentication where a user chooses a place as his or her password (i.e., a “location-password”). We conducted a multi-session in-lab/at-home user study to evaluate the usability, memorability, and security of location-passwords created with GeoPass.


Visualizing Semantics in Passwords: The Role of Dates Proceedings of the Symposium on Visualization for Cyber Security


We begin an investigation into the semantic patterns underlying user choice in passwords. Understanding semantic patterns provides insight into how people choose passwords, which in turn can be used to inform usable password policies and password guidelines. As semantic patterns are difficult to recognize automatically, we turn to visualization to aid in their discovery. We focus on dates in passwords, designing an interactive visualization for their detailed analysis, and using it to explore the RockYou dataset of over 32 million passwords.


Video-Passwords: Advertising While Authenticating Proceedings of the New Security Paradigms Workshop


We introduce a new class of authentication schemes called “video-passwords”, which require the user to watch and remember parts of a given video (e.g., a sequence of scenes, movements, and/or sounds). We propose four different video-password schemes, describe their prototypes, and analyze their security. Under certain parameters, the security of some of these schemes appears to be theoretically comparable to traditional text passwords. Video-passwords provide more than potentially better security; they also present a unique opportunity for businesses to consider – advertising through the rich multimedia used in the login task.


Exploiting Predictability in Click-based Graphical Passwords Journal of Computer Security


We provide an in-depth study of the security of click-based graphical password schemes like PassPoints (Wiedenbeck et al., 2005), by exploring popular points (hot-spots), and examining strategies to predict and exploit them in guessing attacks. We report on both short- and long-term user studies: one lab-controlled, involving 43 users and 17 diverse images, the other a field test of 223 user accounts.


Purely Automated Attacks on PassPoints-Style Graphical Passwords IEEE Transactions on Information Forensics and Security


We introduce and evaluate various methods for purely automated attacks against PassPoints-style graphical passwords. For generating these attacks, we introduce a graph-based algorithm to efficiently create dictionaries based on heuristics such as click-order patterns (e.g., five points all along a line).
