Friday, November 5, 2010

Please don't email me my password

This will be a bit of a technical blog - sorry about that, but since it's something I have tried to teach my Senior Info. Tech. students, it is probably worth knowing about. And unfortunately it appears that lots of people in IT haven't learnt it yet.

We want to keep our passwords secure, and IT people are constantly reminding people of what makes a good password (length, capital letters, numbers, symbols etc. in a random mixture where possible). And IT people are also the same people who push out regular password changes.

So why, then, do these IT people frequently choose to store my password in plain text within a database?

Just to explain what I mean by plain text - inside a database of users, there would be these two fields: "username" and "password".

eg. Username: Freddy95, Password: mysecretpassword

It might seem natural to store the username and password in exactly those two fields, but it is extremely bad practice to store the password itself (the plain text) inside the database.
But how, you may ask, do you check someone's username / password if you don't have their password stored?

The answer is a one-way function, known as a cryptographic 'hash' (it is sometimes loosely called 'one-way encryption', but nothing is encrypted and there is no key that could decrypt it). Think of it like a valve that lets water through in one direction but won't let it return: the password goes in, a fixed-length 'fingerprint' comes out, and the fingerprint can't be turned back into the password. The database stores only the fingerprint; when you log in, the system hashes whatever you typed and compares the result with what it stored.



MD5 is a very common hash function, and for better protection include a "salt": a random value, different for every user, stored alongside the hash and mixed in with the password before hashing. Without a salt, two users with the same password get the same hash, and an attacker can look a stolen hash up in a precomputed table of common passwords; with a salt, every stolen hash has to be attacked separately by 'brute force'. MD5 is also very fast, which is exactly what a brute-force attacker wants, so the recommended practice is a deliberately slow, purpose-built password hash such as bcrypt or PBKDF2 rather than plain MD5. Unsalted MD5 still illustrates the idea:

eg. Username: Freddy95, Password: 4cab2a2db6a3c31b01d804def28276e6


(The computer has a way of getting from "mysecretpassword" to the value above, but it can't go the other way. You can check it using an MD5 generator. You will also find pages advertising a 'reverse MD5 generator', but they don't reverse anything: they look the hash up in an enormous table of pre-hashed common passwords, which only works on unsalted hashes of weak passwords and is exactly why the salt matters. Please don't sign up to any of the pages you find via that search!)
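The three ways of storing Freddy95's password (plain text, unsalted MD5, and a salted slow hash) can be shown side by side in a few lines. This is an added example, not code from the original post: the lookup table is a tiny constructed stand-in for the large precomputed tables behind "reverse MD5" websites, the iteration count and the `pbkdf2_sha256$...` storage format are choices made here, and PBKDF2-HMAC-SHA256 (from Python's standard library) is used for the "good" case because a deliberately slow, salted hash is the recommended practice rather than MD5.

```python
import hashlib
import hmac
import os

# --- 1. Plain text: what the post warns against.  A constructed user table. ---
PLAINTEXT_USERS = {"Freddy95": "mysecretpassword"}   # anyone holding the DB has the password


# --- 2. Unsalted MD5, as in the post's example.  Deterministic: the same password
#        always gives the same digest, for every user, on every site. ---
def md5_unsalted(password):
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Constructed stand-in for the huge precomputed tables behind "reverse MD5"
# websites: a handful of common passwords, pre-hashed.  Nothing is reversed;
# the digest is simply looked up.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "mysecretpassword"]
LOOKUP_TABLE = {md5_unsalted(p): p for p in COMMON_PASSWORDS}


def reverse_md5_lookup(digest):
    """Return the password behind an unsalted MD5 digest if it is in the table, else None."""
    return LOOKUP_TABLE.get(digest)


# --- 3. Salted, deliberately slow hash.  PBKDF2-HMAC-SHA256 from the standard
#        library; the iteration count and storage format are choices made here. ---
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password, salt=None):
    """Return a storable record: 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)        # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Re-hash the supplied password with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False                         # malformed record, never a match
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), hash_hex)


if __name__ == "__main__":
    pw = PLAINTEXT_USERS["Freddy95"]
    digest = md5_unsalted(pw)
    print("unsalted MD5:", digest, "-> table lookup finds:", reverse_md5_lookup(digest))
    record = hash_password(pw)
    print("stored record:", record)
    print("login with the right password:", verify_password(pw, record))
    print("login with a wrong password:", verify_password(pw + "!", record))
    # hashing the same password again draws a new salt, so the record differs
    print("second record differs:", hash_password(pw) != record)
```

Note that `verify_password` never needs the plain text from the database: it only needs the salt and the hash, re-computes the hash from what the user typed, and compares with `hmac.compare_digest` so that a wrong guess takes the same time whether it is wrong in the first byte or the last.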

Read an article here that outlines an example of where this happened. http://blog.moertel.com/articles/2006/12/15/never-store-passwords-in-a-database

Often the reason for IT people not following this practice is not lack of knowledge or laziness, but simply so that they can email your password out to you if you've forgotten it. That convenience is only possible if the plain text is sitting in the database.


If you've ever received an email from a company that includes your password in it, they are following this bad practice!!! (It's just a pity you can't know what they will do with your password when you are typing it into an online form, otherwise I wouldn't sign up for any of these companies!)


The risks associated with having your password stored in plain text are many:
  • If the database is 'stolen' (or sold) or compromised in some way, your username / password is there
  • Despite IT people suggesting you use a different password for every account, it's likely that someone who got your username / password would try them in various other accounts (eBay / Facebook / PayPal / Hotmail etc.) and find a match somewhere, if you use the same username / password in each.
  • Even if the database is not 'lost' or 'compromised', an email they've sent with the password in it could be intercepted (or read on a local network via packet capture etc.) or, even simpler, be read over your shoulder in your email client!
  • Plus, I simply do not trust every single company online. It only requires one 'unethical' employee of one of those companies you've signed up for.
Is it any wonder that at the moment there are so many cases of people having their Facebook accounts hacked? How many different places can you stick in your credentials with the many different Facebook applications and interfaces? (There's more to this which I might discuss in a different blog - Facebook applications are not stored on facebook.com but rather on individuals' / companies' servers - playing Farmville means you are allowing the Farmville server access to your Facebook information.)



So please don't email my password, there are other ways of resetting it if I forget the 246th different password I've used on the net.
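The "other way" of resetting a password without the site ever knowing it is to email a short-lived, single-use token (as a link) instead of the password, and let the user choose a new one. The following is an added illustration, not code from the post: the in-memory token table, the 30-minute lifetime, and the decision to store only the SHA-256 of the token (so that a stolen copy of the table cannot be used to reset anyone's password) are choices made here.

```python
import hashlib
import secrets
import time

TOKEN_LIFETIME_SECONDS = 30 * 60   # chosen here; long enough to read an email

# Constructed in-memory "database" of outstanding reset tokens:
# sha256(token) -> (username, expiry timestamp).  Only the hash of the token is
# stored, so the table alone does not let anyone reset a password.
_reset_tokens = {}


def _token_hash(token):
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(username, now=None):
    """Create a random single-use token for the user; the caller emails it as a link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
    _reset_tokens[_token_hash(token)] = (username, now + TOKEN_LIFETIME_SECONDS)
    return token


def redeem_reset_token(token, now=None):
    """Return the username if the token is valid, else None.  The token is consumed either way."""
    now = time.time() if now is None else now
    entry = _reset_tokens.pop(_token_hash(token), None)   # single use: remove on first sight
    if entry is None:
        return None                                        # unknown or already used
    username, expiry = entry
    if now > expiry:
        return None                                        # expired
    return username


if __name__ == "__main__":
    t = issue_reset_token("Freddy95")
    print("email this link: https://example.invalid/reset?token=" + t)   # example host only
    print("first redemption:", redeem_reset_token(t))
    print("second redemption (already used):", redeem_reset_token(t))
```

After a successful redemption the application lets the user set a new password and stores only its salted hash; at no point does the old password need to exist anywhere, which is why a site that does this never has to email you your password.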

Wednesday, September 22, 2010

Trying to find the positives in the iPad

My students absolutely love my iPad...

Despite my constant whinging about its lack of functionality...
And crippled usability.

As I write this on the iPad, it's not the touchscreen keyboard that is frustrating. I've already got quite proficient at using 2 fingers to touch type, instead of my standard 10 fingers.

And it's not the lack of a camera, because I have a camcorder, a camera and a phone with gigapixel camera in it.

I'm trying to not just see the iPad as a toy. And it's been two weeks now that I've been trying to use it productively. It is great as a toy, as a web browser, as a video viewer and as a babysitter.

It hasn't been very productive though. For starters, where are my files? I downloaded GoodReader and USBDisk, which allow a way of transferring files. I have emailed files to myself, and that then duplicates them in multiple places when I 'open with', so I now have 4 copies of a PDF I wanted to view. Help me if I was trying to edit it. I know some cloud solutions exist, but even within the iPad, why can't I just have a My Documents or home drive? Of course you can't save a PDF directly from the web - obviously the iPad wouldn't know where to store it. GoodReader has a reasonable solution to this, but it still doesn't work if the page requires authentication, e.g. Moodle.

And why can't I have an arrow key? There are situations, even typing this, where the select magnifying glass just can't go where you require- to the very left of this input box in safari. Multiple backspaces later I fix my error.

And why is the USB input crippled? I got the camera connection kit, but it won't let you open anything other than camera files. It will let you connect a USB keyboard (after an error) but one has to figure they just couldn't disable this basic unix functionality or I think they would have.

Speaking of reducing functionality, why has Bluetooth been crippled so much that I can't even send a file via bluetooth? No photos or files can be sent or received via Bluetooth, and with USB crippled it leaves syncing via iTunes or a cloud solution the only way.

But even then, I am still struggling to find a way of getting a video file into ReelDirector, which looks to be an adequate video editor and creator if only I could get a video into it to edit. Apparently you need to transfer them via the iTunes photo album, but even after converting them into formats which the iPad is meant to play (H.264) they still won't sync.

Why can't I sync over wifi? It appears syncing is the only thing I can do over USB, and I am forced into it. No chance of using Bluetooth here either.

Gps on the iPad is awesome. Picks up signal quickly and very functional apps. I think it's a rather overpriced tom-tom though.

Ok enough of a rant here. I bought the iPad to explore the possibilities, given that it is a valid device for the government's 1-2-1 program. The possibility of it ending up on ebay is quite strong.

I would love it if someone can correct some of these things, but I haven't even got on to the lack of multitasking...

Friday, May 21, 2010

ICTs with Purpose and Guidelines

A recent experience with utilising a chatroom in moodle with a Year 11 class has left me reflecting on the key necessities of utilising ICTs in the classroom:
  1. A purpose
  2. Specific guidelines
I decided to use the chatroom (a basic feature of Moodle) to explain the next phase of the course. The PURPOSE of this was to record the discussion and allow students who were absent to look back on the conversation, as well as those who were there (but whose brains were absent) to review the conversation later on.

The conversation went something like this:
  • Teacher: Intro and questions based on next phase of curriculum
  • Student1: Blah
  • Student2: Blah Blah
  • Student1: Beep
  • Student2: Yadda Yadda
  • Student3: OMG
  • Student2: OMG?
  • Student4: $*(#&*
...
and so it continued with a couple more teacher interventions but nothing that got the attention of the students.

Eventually we decided (well I decided) that a simple spoken conversation might be more effective than the online chat which had looked so promising.

What did I learn from this?

Well, apart from learning a few new interesting acronyms used in chatrooms, I was reminded that it's important to not just use ICTs and assume that students know how to use them. They usually use them for 'personal', 'informal' chat and in my experience just couldn't cope with trying to do anything productive with them.  So do we throw the baby out with the bathwater?

No - I am to blame. As the teacher, if we were going to have a 'debate' in class - I would have introduced it with some guidelines about how it was going to work.  If we were going to have a class 'discussion' - I would have introduced it with some guidelines about speaking one at a time and respecting the person who is speaking. 

So I should have placed some guidelines on their chat.... listening to the person who is 'chatting', thinking before they 'click', only writing something if it is appropriate to the topic and so on... basic stuff that we struggle with getting students to follow when they are using the 'native tongue' (spoken english) but seem to ignore when it comes to ICTs.

Although perhaps I need to reconsider what these particular students 'native tongue' actually is...

New Blog

I will introduce myself as we go - but for now here's what you need to know:

I am
  • an ICT teacher
  • a Husband and Dad
  • a bit of a nerd
  • interested in all things related to computers, but sometimes skeptical of their use
  • a musician - although I don't often get as much time for this as I would like
  • the ICT Co-ordinator at Endeavour College, Mawson Lakes - an exciting, friendly College in the northern suburbs of Adelaide, South Australia