Another new paper announcement: "Popularity is Everything: A New Approach to Protecting Passwords from Statistical-Guessing Attacks", which will appear next month at HotSec 2010, is online. My co-authors are Stuart Schechter and Cormac Herley of Microsoft. The idea here is that the real problem with passwords is that some are too popular, making them easy to guess. Providers respond by forcing users to choose passwords that pass certain rules -- you must have a capital and lower-case letter, you must have a number, etc. These rules are somewhat arbitrary and don't directly tackle the significant problem of popularity. Our paper is about how to tackle popularity directly. (As you might imagine, from my involvement, some Bloom filter variant -- the count-min filter in this case -- is part of the solution.)
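A minimal sketch of how a count-min filter can track password popularity and refuse a password once too many users have picked it. This is an added illustration, not code from the paper; the class name, the 5% share limit, the warm-up count, the table dimensions and the BLAKE2b row hashes are all assumptions chosen for the example.

```python
import hashlib


class PasswordPopularitySketch:
    """Count-min sketch of chosen passwords; only counters are stored."""

    def __init__(self, width=4096, depth=4, max_share=0.05, min_total=100):
        self.width, self.depth = width, depth
        self.max_share = max_share  # assumed policy: largest share of users per password
        self.min_total = min_total  # assumed warm-up before the limit is enforced
        self.total = 0
        self.rows = [[0] * width for _ in range(depth)]

    def _cells(self, password):
        # One hash function per row, derived by salting BLAKE2b with the row index.
        for row in range(self.depth):
            digest = hashlib.blake2b(password.encode("utf-8"), digest_size=8,
                                     salt=row.to_bytes(2, "big")).digest()
            yield row, int.from_bytes(digest, "big") % self.width

    def estimate(self, password):
        # Collisions only ever inflate a counter, so the row minimum is an
        # upper bound on the true count and never an undercount.
        return min(self.rows[r][c] for r, c in self._cells(password))

    def is_too_popular(self, password):
        if self.total < self.min_total:
            return False
        return self.estimate(password) >= self.max_share * self.total

    def try_register(self, password):
        """Count the password and return True, or return False if too popular."""
        if self.is_too_popular(password):
            return False
        for r, c in self._cells(password):
            self.rows[r][c] += 1
        self.total += 1
        return True


def simulate():
    # Constructed population: 300 users with distinct passwords, then 50 users
    # who all ask for the same one.
    sketch = PasswordPopularitySketch()
    for i in range(300):
        sketch.try_register(f"unique-passphrase-{i}")
    accepted = sum(sketch.try_register("123456") for _ in range(50))
    return sketch, accepted
```

Calling `simulate()` returns the sketch and the number of times the repeated password was accepted before the share limit cut it off; hash collisions can only make the filter reject slightly early, never late.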
This paper was one of those great examples of serendipity. Stuart (who was a grad student at Harvard, before joining Microsoft) came back to give a talk. I met with him and talked about problems. We found a nice intersection point and, some months later, a paper appears. As faculty we're often cajoling our students to go to the colloquia or to interesting talks outside their direct field -- and to, on occasion, talk with and meet the speakers. I admit that it's time consuming, and not all talks end up being worth going to. But if you give up on the chance to talk to people, including (and perhaps especially) people outside your direct problem space, you miss the chance for these wonderful bits of serendipity, where you can work on something new and different, and ideas can potentially cross between areas.