Easy to remember passwords… made easy. Use a pass phrase.

Strong, hard to crack but easy to remember passwords are actually easy.

Use a pass phrase.
3 or 4 words.
They can be in lower case.
Remember the spaces between the words.

For example: “black eggs sometimes yellow”.

Forget password complexity rules (watch https://www.youtube.com/watch?v=6L5G2MBzflo at around the 7 minute mark).

Easy to remember words, separated by spaces, all lower case.
25+ characters in the phrase is damn hard to crack, even if they are dictionary words. The bad guys still need to get the words in the right order.

Application Security: Validate uploaded files before processing them

This is not a “how to” but a “what to”.

If you’re a software developer working on a system that allows file uploads, before you allow any code to process the file (i.e. the file has been uploaded and now you want to do something with it), you first need to check that the file extension matches the “content” of the actual file.

A simple example: A user may upload a file with an “.ico” file extension, but it’s actually an image file with EXIF data, and your system has an EXIF data vulnerability. You can’t trust the underlying software libraries you use will first validate the file extension matches the actual data embedded in the file.

What this means is the software libraries you use may see the .ico extension, think that it’s OK (just an icon), and skip the checks that would ordinarily be run on file extensions known to carry EXIF data, but while processing the file they will still execute the EXIF functions and trigger the vulnerability.
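An added example (not code from the original post) of the kind of check described above: before handing an upload to any library, compare the claimed extension against the file’s leading magic bytes, and flag a JPEG that carries an EXIF segment even when it arrives as “.ico”. The signature table, the sample bytes and the helper names are this example’s own assumptions.

```python
import os

# Magic-byte signatures for the formats this check knows about.
# Assumption: this small table is illustrative, not exhaustive.
SIGNATURES = {
    "jpg":  [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "png":  [b"\x89PNG\r\n\x1a\n"],
    "gif":  [b"GIF87a", b"GIF89a"],
    "ico":  [b"\x00\x00\x01\x00"],
}


def sniff_format(data: bytes):
    """Return the format whose signature matches the start of data, or None."""
    for fmt, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return fmt
    return None


def extension_matches_content(filename: str, data: bytes) -> bool:
    """True only if the claimed extension is known AND the bytes start with its signature."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if ext not in SIGNATURES:
        return False  # unknown extension: reject rather than guess
    return any(data.startswith(m) for m in SIGNATURES[ext])


def has_exif_segment(data: bytes) -> bool:
    """True if a JPEG's first segment after SOI is an APP1 'Exif' segment.
    Only the common layout (APP1 immediately after SOI) is checked here."""
    return data[:2] == b"\xff\xd8" and data[2:4] == b"\xff\xe1" and data[6:12] == b"Exif\x00\x00"


def decide_upload(filename: str, data: bytes):
    """Return (accepted, reason) for an upload, before any parser touches it."""
    if not extension_matches_content(filename, data):
        actual = sniff_format(data) or "unknown"
        return False, f"extension does not match content (looks like: {actual})"
    if has_exif_segment(data):
        return True, "jpeg with EXIF segment: route through the EXIF-aware path only"
    return True, "ok"


# Constructed sample inputs (not real files): a minimal JPEG header with an
# APP1/Exif segment, and a minimal ICO header.
SAMPLE_JPEG_WITH_EXIF = b"\xff\xd8\xff\xe1\x00\x10Exif\x00\x00MM\x00*" + b"\x00" * 8
SAMPLE_ICO = b"\x00\x00\x01\x00\x01\x00" + b"\x00" * 16
```

A real deployment would also cap the upload size and parse the file in a sandboxed worker, but the extension/content mismatch above is the check the post is asking for.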

You think that won’t happen? Think again. That’s an attack vector Black hat hackers use. And it works.

As a software developer, when you think about security you have to assume all the things that are “not likely” to happen are going to be the most likely attack vectors for hackers.


Our job as software developers is harder than ever. We have to think every “not likely to happen” scenario is going to be a step in an attack by someone malicious.

Great podcast about identity theft (“Firewalls Don’t Stop Dragons”)

The “Firewalls Don’t Stop Dragons” podcast (link to main site) has a great 2-part episode on identity theft.

The podcast is aimed at everyday, non-technical people and these 2 episodes really make you think about the perils of online identity theft in an easy to understand way.

Check the episode pages at the following 2 links, and you will find the show in all the usual podcast feeds.