Notice: Trying to access array offset on value of type null in D:\home\\wwwroot\blog\admin\kernel\db\db_posts.class.php on line 375

Notice: Trying to access array offset on value of type null in D:\home\\wwwroot\blog\admin\kernel\db\db_pages.class.php on line 337

Notice: Trying to access array offset on value of type null in D:\home\\wwwroot\blog\admin\kernel\db\db_comments.class.php on line 282
Blog - Security advice for real people

freeCodeCamp HTML5 and CSS

02 May, 2016

This first lesson is a basic intro to HTML5 and CSS. 

These lessons are a great intro to HTML and CSS. Someone who has never done any coding could easily finish the lessons in about 5 hours. It starts small and builds gradually. The terms is uses seem to be very beginner friendly. There is little in the way of why included in the directions, but it's possible they left that out in order to keep the lessons from being too heavy.

If you are a beginner, I caution you to make sure you are really understanding the mechanics of what you are doing, not just copying the examples. I'm waiting to see if the site starts to explain more of the whys as the lessons get deeper. 

I'm looking forward to the next lesson, using Bootstrap to make a responsive design. 

New Series - freeCodeCamp

06 April, 2016

Today, we start a new series. This is a little different. I am participating in freeCodeCamp's challenges and writing about them here. 

My super-secret project (that is completely unrelated to alien life forms on this planet) is wrapping up, and I'm looking for my next adventure. I've really enjoyed living in the land of all the strict NDAs, but it leaves my profile a bit weak looking. The latest thing that I am allowed to show anyone without the threat of a lawsuit is barely from this decade. Yikes! That's forever in tech years. It's time to get that sorted! 

As my project at the "post office" winds down, I have been filling my time with teaching. Working with graduate students on their projects has opened my eyes to some of the challenges new programmers struggle with. 

freeCodeCamp fills 2 roles at once here. They promise that if you go through the program, you will not only have marketable skills, but also a great portfolio to get you hired. They brag that no one has yet finished the program, presumably because they get hired making more money than they could ever imagine and are way too busy to finish. We'll see how that goes. Second, working through the program gives me a chance to evaluate some learning tools for others. Keep watching here to see how it goes for me and learn if this could be a good learning tool for you!





Kids online: Rule 2 - The internet is forever

18 May, 2015

Rule 2 - The internet is forever. Really. 


Forever is a tough concept for most kids. Thankfully, about the time you need to help them understand that those pictures they post don't go away, they are trying to distance themselves from all things 'baby'. Use that to your advantage. Bring out some of those embarrassing pictures from last year. Show them what they looked like, and remind them that they posed for that picture on purpose! Show them how to make a copy or screenshot of something online. (Then please explain it is wrong to steal from people.) If you need some material to convince them, have a look at this

The point is do whatever you need to make them think twice about what they put online. Perhaps they are not worried about running for president now, but maybe they should be.

Kids online: Rule 1 - You are in public; these are strangers.

11 May, 2015

How do we explain something to our kids that we don't really understand? How do we make sure the kids are safe, but still allow them to have a healthy curiosity? How do we explain cyber security without them being scared of the bad man in the black trench coat lurking around every corner?

This series will offer some simple rules for the internet that even the youngest members of your family can follow. 

Rule #1

You are in public; these are strangers.

In my house, this is the first rule of the internet. Yes, we have other rules, but this one trumps them all because it lets the kids think for themselves. It covers situations that I might not have thought of to discuss. 

This starts the moment you allow a child to have access to other people on the internet. The internet is like a big playground (or, if you are explaining this to Grandma, substitute Mall). Anyone is allowed to be there. Most people are there for the right reason, but some are not. And some people like to play pretend. Online, you can put on the best costume in the world. We have to make sure we don't get confused by who is playing pretend and who is real. Kids don't have enough experience to know the difference. That's why you are not allowed to go to the park by yourself.

So, now we have a simple analogy that lets the kids understand there might be risks, and they have a good idea of acceptable behavior. From this, we can extrapolate more acceptable behaviors: 

  • At the park, do you have to ask mom before giving people money? Yes, so if someone asks for a credit card number, you should check with a parent. 
  • Do we yell out our home address at the park? No, so we don't tell people on the internet our home address or other personal information.
  • Do we keep our pants on at the park? Yes, so no naked pictures or naked webcam. And we tell an adult if a stranger asks us to take our clothes off.
  • Do we get in trouble if we are rude to the other kids at the park? Yes, so the same applies to saying mean things online. 
  • When we meet our friends at the park, do we treat them differently than strangers? Yes, so the rules can be different for friends (real people we have met before or trusted sites) than strangers.

If you are ever unsure of something - imagine a strange man at the park is asking you the same. How do you feel? 

This rule helps kids understand how to respond to people, the second rule helps them think about their own behavior. 


My 'bank' sent me an email - what do I do?

04 May, 2015

Sometimes we get a message that looks fishy. We've heard lots of stories about "phishing", people stealing your identity, etc. How do we know who to respond to and who to ignore? 


A reputable institution will never: 

  • use an email link as the ONLY way to resolve a situation.
  • ask you to call a number and give your login password.
  • require you to call a special number to resolve something.


Basically, you should not have to change your usual way of interacting with them. If they need to verify information, you should be able to call the customer service number you already have, or log into your account, or whatever contact means you usually prefer. 

If you are suspicious about an email or phone call, contact the company in your usual way and ask. 

If your account has been compromised, then the customer service line will be able to help you. 


How to remember 100 passwords - with no monitor Post-its!

27 April, 2015

So far, we discussed using a complex password (part 1), adding a salt (part 2), and the importance of using a unique password for each site (part 3). But Sarah, how do I remember a unique salted password for every site I visit? I don't have the brain power for that! Well, I'll tell you a secret - neither do I. But I have a trick. There are 3 parts to my password:

  • Part 1 - a string that makes sense to me, but appears to be nonsense. For example: the phrase, 'If it weren't for my horse' can be turned into the string '1iwfmhorse'. 
  • Part 2 - a special character - every site has different rules about what is allowed, so I have a few I like to use. For this example, I chose '&'.
  • Part 3 - a unique string that relates to the site where the pass will be used. You can take the first 3 letters of the site, or every other letter, whatever pattern makes sense to you. For this example, we will take the last 2 letters of the site name, and capitalize them. 

Let's see this in action: 

If the site were google, the password would be 1iwfmhorse&LE

Let's try - 1iwfmhorse&OK

Those appear to be completely random symbols. It has 2 capitals, special characters, numbers, and it's easy to remember!

Let's say you are worried you won't remember. Before, you would stick a post-it on your monitor and watch every IT person sigh and roll their eyes as they walked by. Ah, but now, you have a better system. Leave yourself a hint - "Horse". Change your desktop to a picture of a horse. Bring a life size replica of black beauty into the office. It does not matter, the odds of someone guessing your password based on the hint are quite small. 

What if your IT department makes you change passwords every 90 days? With this method, no problem! Change your string to 'This parrot is no more' - 'tparroti0' and carry on. Bird wallpaper replaces the horses and while the rest of the office is grumbling about password resets, you are getting stuff done. Unless of course you have to get security to help you move your life sized horse sculpture out through the loading dock doors. 

Your password is not being hacked

20 April, 2015

This is part 3 of a series on passwords. If you have not seen it, check out part 1 or part 2.


Recently I showed you a way to make a really secure password that no one can figure out. But, that does not really matter - no one is hacking your password! Wait, what??!? Does that mean we should change all our passwords to 'password' and give up? No, not at all. 


Think about your computer: 




If the bad guys get your password, they might find a few interesting things. Maybe you store your credit card number on it, some information about your work that might be useful. But, for the average person, there is not much that would interest the bad guys. However, what if they could get access to a whole bunch of passwords with one attack? 



So, the bad guys try to get into the server for a social media, email, or some other small account to get the whole list of usernames and passwords.

Now, these passwords are usually not stored in plain text. That means after you make up a password, the site runs it through a program that changes them from 'dogStetson' to something like '880552b5e12288b854370324da0887567a8de70f'. There is no program to change that long string back into dogStetson, but there are some ways around that. 

The bad guys have long lists of common passwords that people use, and what they look like after they are run through the changing program. All they have to do is compare that list with the list they stole from the server. After that they know a lot of the passwords and the username that goes with it. Our goal is to make sure our password is not one of those! If we have a complex password, then even if the bad guys get the changed password, they do not have anything they can use. And since they are usually not targeting you on purpose, they give up on the passwords that are harder to crack. 

No big deal, you think. I don't have anything important in that account - if they can get into my email and find out that I like Dunkin Donuts and my friend Julie is having a housewarming party, who cares? Maybe no one.

But, did Dunkin Donuts send you a birthday coupon? Well, now they know your birthday. What happens if you forget your Amazon account password? Do they send you an email to reset the password? Do they send it to that address? Now they can reset your account password, see at least part of your credit card numbers, and also see your address and possibly your family's addresses. What if you use the same username and password for your bank account? Now you are really in trouble!

In the last part of this series, I will show you an easy method to have a unique, strong password for every site you use - without resorting to a monitor full of post-its!

Image courtesy of supakitmod, hywards at

The Importance of Salt

13 April, 2015

This is part 2 of a series on passwords. If you have not seen it, check out part 1.


Now we understand why we should not use 7 lowercase characters. But, remembering which letters you changed to numbers is confusing. It does not work and wastes hours of our time.



Salt to the rescue! 

Salting is a big concept from cryptography that simply means adding a small something to a password or other secret phrase that makes it harder to break. 

Remember how when we added capital letters and symbols to 'stetson' last time, the time to break went from 2 seconds to months? Let's see what we can do with a salt. If we use ':)' as our salt, and add a capital, we get 'Stetson:)'. This is much easier to remember - it's your dog's name and a smile. But, is it more secure, or less? It looks easier, let's test it out. 





What?!??! How can that be a better password? It's not complicated at all!

If you just add the word 'dog' to your password, it takes 1 year. Even without any special characters, dogStetson takes more time to break than St3t5t0n!. Part of the reason is that we have taught computers that 5s can be substituted for Ss. Most of that time simply comes from the length. Longer passwords take longer to break. 'my1stdogStetson' gets you up to 6 billion years! 

Now, wait, don't go adding a smile to every password! That's mine. Not really, but please don't do that -- if we all do that, the bad guys would catch on pretty quickly. You need to pick something you like. It can be anything. Add a phrase you say, an emoji, whatever works for you. 

Before you get too excited and change all your passwords to Stetson:), wait for next week. We will talk about why you should not use the same password for everything. 



The Password problem

06 April, 2015

Are you frustrated when making up a new password? Don't you hate the "your password is not strong enough' message? This series explains how to make a strong, memorable password. First, let's talk about what we are doing now: 

One way to deal with needing a capital letter, a symbol, a specific length, etc is to use a word you will remember, with some substitutions. Let's pretend your dog's name is Stetson. With some creative substitutions, we can use St3t5t0n! Wonderful, now it meets all the requirements. As it's accepted, you breathe a sigh of relief. There is even a password hint box. Great, you think as you type "dog" - now I'll absolutely remember!


Who could forget this face?

Four weeks from now when you need to log into the site again, you are faced with the password box. After a few unsuccessful attempts, you are given the hint. It's some variation of the name Stetson. But did you replace both s's with 5's? Which one was capitalized? Was the 'o' a letter or number? Where did you put the symbol? Congrats, now you now know it's one of 32 versions of the word "Stetson".

If you were a computer, it would only take a few seconds to try all the different versions of your dog's name. in fact, there are computer programs that can try a list of possible passwords automatically - guessing thousands of passwords a second! Even if the person trying to guess the password did not know your dog's name, all he has to do is pull out the right list of passwords to try and he has your password in a few hours. 

Why do sites make you use all those strange symbols? In short, it makes it harder to break in. A computer can't look at your coffee mug with your pup's adorable face on it and guess you might use his name as your password. It will just go through all the words it can think of until it guesses the right one. If you only use lowercase letters, and limit your password to 7 characters, that's really a short list. If you add more length or more characters, then you have a longer list - which takes longer to get through. 

In this example, if we used 'stetson' as the password, how long does it take to break?




Now, what about 'St3t5t0n!'?




That's a big difference! Passwords are like locking the door. 'stetson' is a tiny chain installed with the smallest screws available. Adding more characters changes it to a big deadbolt. It's not perfect, but it will slow down the thief a lot.

Using a complex password makes a big difference, but does that mean we are forever doomed to wasting hours of our lives remembering if it was a 5 or an S? Nope, all we need is a little SALT! Next time we will talk about how you can use salt to make your passwords easy for you, but hard for the computer.