Cornell University

Rahul Chatterjee
রাহুল চ্যাটার্জ্জী

PhD Student
Computer Science
Cornell University

Cornell Tech
2 W Loop Rd, New York,
NY 10044, USA

Who am I?

I work towards making digital technologies safe and secure for everyone. I combine methodical empiricism with rigorous theoretical analysis to drive secure system design.

I am a PhD candidate in the Department of Computer Science at Cornell University, advised by Prof. Thomas Ristenpart. I graduated with a Bachelor of Technology (B.Tech.) in Computer Science and Engineering in 2012 from the Indian Institute of Technology, Kharagpur, India. I received my master's in Computer Sciences from the University of Wisconsin—Madison in 2015. Prior to joining UW—Madison, I worked for one year on high-frequency trading at an exciting company called Two Roads Technology Solutions in Bangalore.

My research has been published in top security conferences, such as IEEE S&P '15, '16, '18, USENIX Security '15, CCS '17, and Crypto '17, and has been featured in many media outlets including The New York Times, MIT Tech Review, and

Research Interest

I am interested in security and privacy of the digital world, in particular, how to build secure but human friendly authentication systems. My primary research focus at the moment is on making passwords secure and humane. Lately, I am also working on how to stop abuse of technology in intimate partner violence scenarios.

Selected Publications

For the ranking of computer security conferences see here.
Acceptance rate of the IEEE S&P is around 12%, USENIX Security is 16%, ACM CCS is 18%, and Crypto is 22%. More statistics can be found here.
  1. Bijeeta Pal, Tal Daniel, Rahul Chatterjee, Thomas Ristenpart, Beyond Credential Stuffing: Password Similarity Models using Neural Networks, IEEE Symposium on Security and Privacy (S&P) — Oakland, 2019 (to appear) (PDF)
  2. Rahul Chatterjee, Periwinkle Doerfler, Hadas Orgad, Sam Havron, Jackeline Palmer, Diana Freed, Karen Levy, Nicola Dell, Damon McCoy, Thomas Ristenpart, The Spyware Used in Intimate Partner Violence, IEEE Symposium on Security and Privacy (S&P) — Oakland, 2018 (PDF, Slides (pptx), Slides (pdf), Talk at S&P '18, Project Page)
    Media coverage: The New York Times, Vox, Freedom to Tinker (Princeton CITP), CNN Espanol, SC Media, Global News, Security Baron.
  3. Rahul Chatterjee, Joanne Woodage, Yuval Pnueli, Anusha Chowdhury, Thomas Ristenpart, The TypTop System: Personalized Typo-tolerant Password Checking, ACM CCS 2017. (PDF, Slides (pptx), Slides (pdf), Talk at CCS '17, Project Page)
  4. Joanne Woodage, Rahul Chatterjee, Yevgeniy Dodis, Ari Juels, and Thomas Ristenpart, A New Distribution-Sensitive Secure Sketch and Popularity-Proportional Hashing. In Annual International Cryptology Conference (Crypto), 2017. (PDF)
  5. Rahul Chatterjee, Anish Athalye, Devdatta Akhawe, Ari Juels, Thomas Ristenpart, pASSWORD tYPOS and How to Correct Them Securely, IEEE Symposium on Security and Privacy (S&P) — Oakland, 2016. (PDF, Slides, Talk at S&P '16, Project Page) Distinguished Student Paper Award
    Media coverage: MIT Tech Review, Threat Post, Hacker News, and others.
  6. Adam Everspaugh, Rahul Chatterjee, Samuel Scott, Ari Juels, Thomas Ristenpart, The Pythia PRF Service, USENIX Security 2015. (PDF, Project Page)
    Used by: Virgil Security
  7. Rahul Chatterjee, Joseph Bonneau, Ari Juels, Thomas Ristenpart, Cracking-Resistant Password Vaults using Natural Language Encoders, IEEE Symposium on Security and Privacy (S&P) — Oakland, 2015. (PDF, Slides, Talk at S&P'15, Project Page)

    Media coverage: IT World, .


  • Stopping Credential Tweaking Attacks ( S&P '19)

    Users regularly choose the same or similar passwords across multiple accounts. A leak of passwords from one web service therefore jeopardizes the security of others. A popular form of such an attack is the credential stuffing attack, where an attacker uses a leaked password from one website to impersonate a user on other websites. A generalized version of this attack is what we call a credential tweaking attack: an attacker uses a tailored list of guesses based on a previously leaked password for an account.

    I am working on building defenses against the risk of account compromise via credential tweaking attacks. I am working with a team of very talented researchers at Cornell Tech. We built the most damaging credential tweaking attack known so far using neural networks, and showed that about 15% of user accounts are still vulnerable to a credential tweaking attack within 1000 guesses, despite the target passwords being different from the ones that are leaked to the attacker. We are also working on building a personalized password strength meter (PPSM) and a compromised credential check as a service (C3S) that will help web services and users learn if any of their existing or newly chosen passwords are vulnerable to credential tweaking attacks.
  • Technology Abuse in Intimate Partner Violence ( S&P '18)

    We looked at the ecosystem of spyware tools and resources available on the open web and in official application stores that can be used for non-consensual intimate partner surveillance (IPS). We found thousands of apps, many of them what we call dual-use: apps built for some legitimate purpose whose functionality can easily be used for spying on an intimate partner. There are plenty of resources in the form of blog posts, forums, and videos to help an abuser use these tools for spying.

    We are actively working on this project with the NYC Mayor's Office to End Domestic and Gender-Based Violence (ENDGBV) to help IPV victims identify if they are being tracked or spied on using their mobile phones. Feel free to reach out to me if you want the list of apps we identified as IPS relevant.
  • Correcting Password Typos ( S&P '16, CCS '17, Crypto '17)

    To typo is human, but it is extremely annoying when you make typographical mistakes in typing your long and complex login password and get rejected by the server for that small typo. Things become worse if you are using a touch-pad device, such as a tablet or smart phone. Wouldn't it be great if the server tolerates some small typos that users make frequently while entering their passwords?

    We investigated the impact of correcting a small set of typos in Dropbox's production authentication server. We show that it is possible to allow a small set of typos to improve user experience without degrading security (by no more than a negligible amount). In a 24-hour study at Dropbox, we show that 3% of all users fail to log in to Dropbox despite making only some small typographical mistakes, while many more are delayed in logging in. We also show that tolerating this carefully chosen set of typos will increase an attacker's success probability in breaking into a user account by less than 0.02%, which is practically negligible. For more details visit the project page.

    Seeing the benefit of correcting a few popular typos, we designed a password checking system that securely monitors the password typing behavior of a user and allows login with that user's frequent typos when it is safe to do so. We call this system TypTop. We show that nearly 70% of all typos can be corrected by TypTop at the cost of zero loss in security. More details about the project can be found on the project page.

  • Cracking Resistant Password Vault ( S&P '15 )

    This is a new kind of password manager (a.k.a. password vault) that encrypts user credentials under a master password but resists offline brute-force decryption. Dictionary attacks on stolen password vaults, where users store all of their usernames and passwords, are an increasing threat for password managers. Thanks to the poor choice of passwords by a significant portion of internet users, and easy repudiation of successful decryption under a candidate master password, it is easy to mount a dictionary attack on any ciphertext encrypted under traditional encryption schemes with a human-chosen master password as the key.

    NoCrack solves this problem to a great extent. When one tries to decrypt a NoCrack ciphertext with a wrong master password, NoCrack generates fake, plausible-looking passwords (decoys), making it hard for the attacker to figure out offline whether or not his guess was correct. Unlike traditional password vaults, it never fails to decrypt and always outputs passwords which look correct.

  • Oblivious Password Hardening ( USENIX '16 )

    Passwords are normally hashed using a cryptographic hash function before being stored in a database. However, such hashes are computable offline, in the sense that an attacker, after stealing a password database, can mount a full-fledged guessing attack without needing to communicate with any service over the internet. We build a partially oblivious pseudorandom function (POPRF), called Pythia, that can be used to harden passwords. The attacker, even after stealing the password database, has to contact Pythia (a service separate from the password storage) to check a guess. This makes the offline password guessing attack detectable to Pythia, which can implement some smart blocking and alerting systems. Pythia can do all this without ever seeing the users' passwords (in plaintext). Also, Pythia allows key rotation, which enables a service to rotate keys after a breach and make the old copy of the password hash database completely useless, by cryptographically erasing it for the attacker. The service, however, can update its copy of the password database using a special update token and continue normal operation.
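
    The flow described above (blinded query, per-account throttling at the service, and key rotation with an update token), as an added example that is not code from the Pythia project. It uses a simplified Diffie-Hellman-style blinded PRF in a toy group rather than Pythia's actual construction; `HardeningService`, `harden` and `update_record` are hypothetical names.

```python
import hashlib
import secrets

# Toy safe-prime group P = 2Q + 1, constructed for illustration; far too small for real use.
P, Q = 2039, 1019

def hash_to_group(account_id: bytes, password: bytes) -> int:
    """Map (account_id, password) to an element of the order-Q subgroup of squares mod P."""
    h = int.from_bytes(hashlib.sha256(account_id + b"\x00" + password).digest(), "big")
    return pow(h % (P - 3) + 2, 2, P)  # base in [2, P-2], so the square is never 1

class HardeningService:
    """Hypothetical stand-in for the remote PRF service; it only ever sees blinded values."""
    def __init__(self, limit: int = 5):
        self.k = secrets.randbelow(Q - 1) + 1   # service-side secret key
        self.limit = limit
        self.queries = {}                       # per-account query counter

    def evaluate(self, account_id: bytes, blinded: int) -> int:
        self.queries[account_id] = self.queries.get(account_id, 0) + 1
        if self.queries[account_id] > self.limit:
            raise PermissionError("too many queries: possible guessing attack")
        return pow(blinded, self.k, P)

    def rotate_key(self) -> int:
        """Switch to a fresh key and return the update token new_k / old_k mod Q."""
        new_k = secrets.randbelow(Q - 1) + 1
        token = new_k * pow(self.k, -1, Q) % Q
        self.k = new_k
        return token

def harden(service: HardeningService, account_id: bytes, password: bytes) -> int:
    """Web-service side: blind the hashed password, query the service, unblind the reply."""
    r = secrets.randbelow(Q - 1) + 1            # fresh blinding exponent per query
    x = hash_to_group(account_id, password)
    y = service.evaluate(account_id, pow(x, r, P))
    return pow(y, pow(r, -1, Q), P)             # equals x^k mod P

def update_record(stored: int, token: int) -> int:
    """Move a stored value to the new key without knowing the password."""
    return pow(stored, token, P)
```

    After `rotate_key()`, a database copy stolen before the rotation no longer matches anything the service will compute, while the legitimate database is migrated record by record with `update_record`.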

Undergraduate research

  • Simultaneous Localization and Mapping using Relational Trees

    We developed an unsupervised learning method with which a robot, flying over an unknown region and taking snaps periodically, can build a semantic map of the region and localize its position on the map using those pictures. This project was sponsored by European Aeronautic Defense and Space Company (EADS), Germany. The work was selected for conference presentation at ICMMM-2011, China [1].
  • Creating Artistic Effects on Image using Random Digital Curve

    Developed an algorithm for generating irreducible simple random digital curves in a constrained domain. Drawing several of them on the edges of a binary image and then setting the intensity of each pixel proportional to the number of times it was visited by the curves gives a nice, realistic pencil-sketch effect. This work is published in CAIP-2011, Seville, Spain.

Work Experience

  • Internship

    Dropbox Inc, San Francisco, CA, USA. June 2016 - August 2016.
    Microsoft Research Technologies, Redmond, WA, USA. June 2015 - August 2015.
    Adobe Technology Lab, Adobe India Pvt. Ltd., Noida, India. June 2011 - August 2011.
  • Teaching Assistant

    Computer Sciences, University of Wisconsin-Madison.
    • C++ for JAVA Programmers. Fall, 2013
    • Introduction to Cryptography. Fall, 2014
    Computer Science, Cornell Tech, Cornell University
    • Building Startup Systems. Fall, 2017
    • Cryptography. Spring, 2016
    • Introduction to AI. Fall, 2015
  • Software Developer and Analyst

    Tworoads Technology Pvt. Ltd., Bangalore, India. June 2012 - June 2013.