We explore how to manage a portfolio of passwords. We review why mandating exclusively strong passwords with no re-use gives users an impossible task as portfolio size grows. We find that approaches justified by loss-minimization alone, and those that ignore important...

In this paper we explore why progress has been slow and examine several possible directions. First, the scale and diversity of the web makes one-size-fits-all approaches hard. Second, the competition for user attention is fierce: there are no pools of unexploited user...

Conventional wisdom is that phishing represents easy money. In this paper we examine the economics that underlie the phenomenon, and find a very different picture. Phishing is a classic example of tragedy of the commons, where there is open access to a resource that...

While a lot has changed in Internet security in the last 10 years, a lot has stayed the same – such as the use of alphanumeric passwords. Passwords remain the dominant means of authentication on the Internet, even in the face of significant problems related to...

Principal Microsoft Researcher Cormac Herley argues that users' rejection of security procedures is often entirely rational, as the expected benefits of following security advice are often outweighed by the expected costs.