4400 Mass Ave

Manual: Crack Passwords

How things work

By

Heng Xu

Heng Xu was bullish, even back in 2001, on a future of clicks and taps. The National University of Singapore graduate student sent text messages and ordered vending machine beverages with her Nokia phone, all while interviewing telecommunications industry officials for her thesis on privacy issues with location-based services. 

“We don’t know how and in what format the mobile world will evolve,” the Kogod School of Business professor remembers them saying, “but we know for sure that if we don’t do privacy and security well, it will damage everything.”

Times and technology have changed, but privacy and unintended technological consequences remain both concerning and ripe for research. “Sometimes I think my research motivations come from my frustrations,” says Xu, who has published more than 100 papers on fairness in AI and machine learning, privacy protection, and cybersecurity management.

As director of the Kogod Cybersecurity Governance Center, Xu channels those frustrations, together with her colleagues, into tackling real-world problems. In 2021, she and fellow Department of Information Technology and Analytics professor Nan Zhang landed a $1 million grant from the National Science Foundation and Amazon to study structural bias in AI hiring systems.

Technological advances have led to equally mature research on the technology itself while leaving important questions about the humans that interact with, operate, and make decisions about that technology unanswered.

“There is a lack of research on how that [human factor] blends with and shapes technological understanding,” Xu says. “We have been making progress by filling that space.”

Discover the fault in our *s—and @s, ^s, and &s. Follow Xu’s tips on good password hygiene:

  • Forget your old habits. In 2017, the National Institute of Standards and Technology veered away from guidelines that emphasized complexity (think capital letters and special characters) because they nudged users to design passwords that became easy for machines to guess (e.g., Password1!) and hard for humans to remember.
  • Now, above all else, length matters. The longer your password, the longer it will take a machine to crack it. There are more than 170,000 words in the English language. If you pick a random sequence of four of them, it could take hundreds of years to guess.
  • Special characters aren’t inherently bad. But when humans are pushed toward complexity and have difficulty memorizing a password, they’re more likely to write it down on a Post-it. That’s a behavior we want to prevent.
  • You shouldn’t need to regularly change your password. Some workplaces go against guidelines and require it, but if a password is sufficiently long and no suspicious activity has been detected, don’t try to fix what isn’t broken.
  • Try a password manager. But when you do, remember to keep length and your ability to memorize a master password in mind.
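To put numbers on the "length over complexity" advice above, here is a short Python script added as an illustration; it is not part of the article and not code from Xu or the Kogod center. It counts the search space of the habit that complexity rules encourage (a dictionary word with a digit and a symbol tacked on, like Password1!) against a random sequence of four words drawn from the article's 170,000-word vocabulary, and converts each into a worst-case crack time at two assumed guess rates. The guess rates, the 32-symbol count and the short SAMPLE_WORDS list are assumptions made for the demo; a real passphrase wordlist holds thousands of entries, and the time estimates are computed against the 170,000 figure, not against the sample list.

```python
from __future__ import annotations

import math
import secrets

# Constructed stand-in for a real passphrase wordlist (a diceware-style list holds
# thousands of entries); this short list is an assumption for the demo only.
SAMPLE_WORDS = [
    "anchor", "basil", "canyon", "dusk", "ember", "fjord", "gravel", "harbor",
    "ivory", "juniper", "kettle", "lantern", "meadow", "nickel", "orchid", "pepper",
]

ENGLISH_WORDS = 170_000              # vocabulary size quoted in the article
SECONDS_PER_YEAR = 365.25 * 86_400

# Assumed attacker guess rates in guesses per second (illustrative, not measured).
GUESS_RATES = {
    "online, rate-limited login": 1e3,
    "offline, fast hash on GPUs": 1e11,
}


def generate_passphrase(n_words: int, wordlist: list[str]) -> str:
    """Pick n_words uniformly at random with a CSPRNG (secrets, never random)."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def random_words_candidates(n_words: int, vocabulary: int = ENGLISH_WORDS) -> int:
    """Search space of a random sequence of n_words drawn from a vocabulary."""
    return vocabulary ** n_words


def complexity_pattern_candidates(vocabulary: int = ENGLISH_WORDS,
                                  digits: int = 10, symbols: int = 32) -> int:
    """Search space of the 'word + digit + symbol' habit (e.g. Password1!).

    It satisfies the old complexity rules, yet a machine only has to cover
    vocabulary * digits * symbols candidates.
    """
    return vocabulary * digits * symbols


def entropy_bits(candidates: int) -> float:
    """Strength in bits of a uniformly random choice among `candidates`."""
    return math.log2(candidates)


def years_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case years to try every candidate; the expected time is half of this."""
    return candidates / guesses_per_second / SECONDS_PER_YEAR


def compare(n_words: int = 4) -> dict[str, dict[str, float]]:
    """Bits and worst-case crack time for both strategies at each assumed rate."""
    strategies = {
        "word+digit+symbol (Password1!)": complexity_pattern_candidates(),
        f"{n_words} random English words": random_words_candidates(n_words),
    }
    report = {}
    for name, candidates in strategies.items():
        row = {"bits": entropy_bits(candidates)}
        for rate_name, rate in GUESS_RATES.items():
            row[rate_name] = years_to_exhaust(candidates, rate)
        report[name] = row
    return report


if __name__ == "__main__":
    print("example passphrase:", generate_passphrase(4, SAMPLE_WORDS))
    for name, row in compare().items():
        print(f"{name}: {row['bits']:.1f} bits")
        for rate_name in GUESS_RATES:
            print(f"  {rate_name:<28} {row[rate_name]:.3g} years")
```

Running it shows the gap the article describes: the Password1! pattern is under 26 bits and falls in well under a second at the assumed offline rate, while four random words come to roughly 69.5 bits, which at 1e11 guesses per second takes a few hundred years to exhaust. The secrets module matters as much as the word count: a passphrase picked by a human, or by a non-cryptographic random generator, is not drawn uniformly from the vocabulary and does not earn those bits.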