Not Your Grandpa’s Cybersecurity
If you’ve ever had to reset a password because you don’t remember where you added the required ‘special’ characters, or you’ve opted for a less secure password because it’s easier to type in, you’ve run into what Scott Ruoti calls “the old style of cybersecurity.”
“The old style treated humans as the problem that needed to be solved to achieve security,” said Ruoti, an associate professor in the Min H. Kao Department of Electrical Engineering and Computer Science (EECS). “My research is part of a growing field known as usable security, where the goal is to ensure secure operations without forcing users to take numerous, onerous steps.”
Basically, the more difficult or annoying a security protocol is, the less likely it is that users will be able to follow it correctly—or even try to. That makes security breaches more likely. Instead, Ruoti and his graduate students try to develop tools that help users increase cybersecurity without changing their behavior.
Last year, two of Ruoti’s PhD students published studies in top-tier electrical engineering and computer science venues. Anuj Gautam’s tool that better protects password manager users from malicious browser extensions was published in the 2025 ACM SIGSAC Conference on Computer and Communications Security (ACM CCS 2025). At the 2025 ACM Symposium on Pervasive and Ubiquitous Computing (UbiComp), John Sadik revealed how digital services can encourage memorable passwords that are also secure.
“Having our students publishing in top venues makes me very proud and shows that the University of Tennessee’s investments into cybersecurity are paying off,” Ruoti said. “Cybersecurity is critical to our national security, so it is only appropriate that Tennessee’s land grant university would focus on this topic.”
Publishing in prestigious venues also increases opportunities for Ruoti’s students to collaborate with researchers at UT’s peer institutions and well-established technology companies, which helps their results achieve real-world impact.
“Not only does this work help put UT on the map for cybersecurity research, but it also helps open doors for my students in their future careers,” Ruoti said. “Nothing could make me happier.”
Anuj Gautam and Malicious Browser Extensions
Password managers allow users to autofill passwords rather than typing them manually, which can be very helpful for avoiding some types of password theft. But Gautam and Ruoti discovered that the managers aren’t foolproof.
“Malicious browser extensions can steal passwords after a password manager has autofilled them,” Gautam said. “This type of attack is significantly harder to defend against, and is also much less researched, but it has much worse consequences. Malicious browser extensions can keep collecting passwords, credit card numbers, and other sensitive information indefinitely.”
Gautam and Ruoti collaborated with researchers at Brigham Young University (BYU), spending hundreds of hours creating a new version of the Firefox browser that successfully protects passwords, two-factor authentication codes, and hardware passkeys from malicious browser extensions.
The researchers’ tool and protocol were published at ACM CCS 2025, a Top 4 cybersecurity venue, which was held in Taipei, Taiwan last October.
“Having my work featured in a Top 4 venue, where it can reach a wide and engaged audience, is both exciting and deeply rewarding,” said Gautam. “I’m especially excited to see how others build on this work to further strengthen web browser defenses.”
John Sadik and Passwords People Don’t Use
Before creating a usable security measure, it’s important to know how users already behave. That’s why Sadik and Ruoti surveyed nearly 1,000 people from across the United States, United Kingdom, and Europe about their password use on non-desktop digital devices.
Sadik found that even when password managers are available, users prefer to generate their own passwords that are easier to enter on devices that aren’t password manager-compatible—even though they know their homemade passwords aren’t as secure.
Based on the results of the survey, Sadik highlighted actions that website and app owners should take to make it easier for users to remember and use strong passwords, including integrating cross-platform password managers, letting users see and edit failed password attempts, and displaying the password requirements on the login page. For instance, if you know a password must include a number, you’re much more likely to remember that the password contains a number.
Sadik presented the finished paper at UbiComp in Espoo, Finland, in October last year. UbiComp is a Top 4 venue for research on human-computer interaction.
“Communication is an integral part of the research process,” Sadik said. “High-quality research remains valuable regardless of where it is published, but being featured in a top venue ensures our work has the best opportunity to be impactful beyond the academic sphere.”
Contact
Izzie Gall (egall4@utk.edu)