Accessibility Reminders (WCAG 2.0)

As time progresses and your content changes, some items may fall out of compliance with WCAG web accessibility standards simply because you updated your website. You can perform periodic tests, but it also helps to be mindful of these commonly overlooked tasks.

1. Images should have ALT Tags

Alt Text or Alt Tags are the text equivalent for an image. They are NOT the title, caption, description or file name. Alt text is hidden data attached to a web image in the page’s HTML that describes the photo to screen readers, search engines and other machines.

Your CMS should have an ability to edit the alt tags of your images. Editing it once will affect all instances of the image on your site.

Decorative images like a flower or a background image DO NOT need alt tags. Slideshow images may need alt tags. Decorative flyers and images with informative text on them definitely need alt tags.

2. Accessibility Check for PDFs

PDFs on your website are also subject to accessibility standards. The idea is that if they are not “accessible,” you are depriving users with impaired vision of that content.

You can choose to eliminate PDFs, make the PDF content redundant by having an on-site equivalent, or you can perform an accessibility test for your PDF (“Accessibility Checker”) in Adobe Acrobat. This test has very similar standards to web standards in terms of forcing a certain structure.


3. Use Headings for Structure

On your pages, heading 1 (h1) is the title and should be seen once. Heading 2 (h2) can be used as section titles to break the article into parts. And heading 3 (h3) can be used within the heading 2 to break that heading 2 section into parts.

You should not have gaps in headings (example: heading 3s exist, but there’s no heading 2).

Your page structure, with headings, will look something like this (notice the hierarchy):

Title (h1)

  Section 1 Title (h2)

  Text here.

    Sub-section A Title (h3)

    Text here.

    Sub-section B Title (h3)

    Text here.

  Section 2 Title (h2)

  Text here.

The hierarchy helps both people and machines see the structure of your writing much better.

Note: I realize the above makes my page accessibility non-compliant. 

4. Form inputs should have labels

When you have forms, the fields will need labels. You may be able to edit these from your form builder system. If not, you will need to do it manually (details of the rules here).
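Items 1, 3 and 4 above can be checked mechanically. The script below is an added example (not part of the original article) that walks a page with Python’s standard-library HTML parser and reports images with no alt attribute at all (an empty alt is accepted, since that is how decorative images are marked), gaps in the heading hierarchy, more than one h1, and form controls with no associated label. The sample page it audits is constructed for the demo.

```python
"""Audit an HTML document for three WCAG items: images without alt text,
gaps in the heading hierarchy, and form inputs with no associated label."""
from html.parser import HTMLParser


class AccessibilityAudit(HTMLParser):
    """Collects findings while the parser walks the document."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self.last_heading = 0        # level of the previous heading seen (0 = none yet)
        self.h1_count = 0
        self.controls = {}           # id (or a description) -> tag, for controls needing a label
        self.labelled_ids = set()    # ids referenced by <label for="...">
        self.open_labels = 0         # > 0 while inside a <label> element

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "img":
            # alt="" is correct for decorative images; a missing alt attribute is not
            if "alt" not in attrs:
                self.findings.append(f"img without alt: {attrs.get('src', '?')}")
        elif tag in ("h1", "h2", "h3", "h4", "h5", "h6"):
            level = int(tag[1])
            if tag == "h1":
                self.h1_count += 1
                if self.h1_count > 1:
                    self.findings.append("more than one h1")
            if level > self.last_heading + 1:
                prev = f"h{self.last_heading}" if self.last_heading else "no heading"
                self.findings.append(f"heading gap: {prev} -> {tag}")
            self.last_heading = level
        elif tag == "label":
            self.open_labels += 1
            if "for" in attrs:
                self.labelled_ids.add(attrs["for"])
        elif tag in ("input", "select", "textarea"):
            if attrs.get("type") in ("hidden", "submit", "button"):
                return                      # these controls do not need a visible label
            if self.open_labels > 0 or attrs.get("aria-label"):
                return                      # wrapped in a <label>, or labelled via ARIA
            key = attrs.get("id") or f"<{tag} name={attrs.get('name')}>"
            self.controls[key] = tag

    def handle_endtag(self, tag):
        if tag == "label":
            self.open_labels -= 1

    def report(self):
        # A <label for="x"> may appear after the control, so resolve labels at the end.
        for key, tag in self.controls.items():
            if key not in self.labelled_ids:
                self.findings.append(f"{tag} without label: {key}")
        return self.findings


def audit_html(html):
    """Return the list of findings for one HTML document."""
    parser = AccessibilityAudit()
    parser.feed(html)
    parser.close()
    return parser.report()


# Constructed sample page: one missing alt, one heading gap, one unlabelled input.
SAMPLE_PAGE = """
<h1>Wedding Planner</h1>
<img src="hero.jpg" alt="Bride and groom under an oak tree">
<img src="divider.png" alt="">
<img src="flyer.png">
<h3>Venue</h3>
<form>
  <label for="email">Email</label><input id="email" type="email">
  <label>Guests <input name="guests" type="number"></label>
  <input id="phone" type="tel">
  <input type="submit" value="Send">
</form>
"""

if __name__ == "__main__":
    for finding in audit_html(SAMPLE_PAGE):
        print(finding)
```

Run it against your own pages by feeding the downloaded HTML to audit_html; an empty list means none of these three checks fired, not that the page is fully compliant.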

5. Color Contrast Needs to be High

Your website should be styled to have a color scheme already and contrast should have been taken care of earlier. If you do, there should be a 4.5:1 contrast ratio at Level AA and a 7:1 contrast ratio at Level AAA between the text color and background.

This is important if you change colors for contextual or aesthetic reasons (both are non-compliant). It is also important to test if you have background images or gradients, which most contrast tools cannot detect.

For example:

(please highlight the below text if you can’t read it)

This background can’t be calculated by many contrast tools.

This background image may also not be detected by contrast tools.


You can use this contrast checker.
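The 4.5:1 and 7:1 figures come from the WCAG 2.0 contrast formula, which compares the relative luminance of the two colors. The code below is an added example, not something from the original article or from any contrast-checker tool: it implements that formula in Python for hex colors and, going a step beyond the text, also handles the large-text thresholds (3:1 for AA, 4.5:1 for AAA) and the gradient problem the article raises, by checking text against every color stop of a background and keeping the worst ratio.

```python
"""WCAG 2.0 contrast ratio calculator (relative luminance definition from
WCAG 2.0). Colors are hex strings such as "#777777" or "#777"."""


def _channel(value_8bit):
    """Linearise one 8-bit sRGB channel as WCAG 2.0 specifies."""
    c = value_8bit / 255
    return c / 12.92 if c <= 0.03928 else ((c + 0.055) / 1.055) ** 2.4


def relative_luminance(hex_color):
    """Luminance between 0.0 (black) and 1.0 (white)."""
    h = hex_color.lstrip("#")
    if len(h) == 3:                      # allow #abc shorthand
        h = "".join(ch * 2 for ch in h)
    r, g, b = (int(h[i:i + 2], 16) for i in (0, 2, 4))
    return 0.2126 * _channel(r) + 0.7152 * _channel(g) + 0.0722 * _channel(b)


def contrast_ratio(foreground, background):
    """Ratio from 1.0 (identical colors) to 21.0 (black on white)."""
    l1, l2 = relative_luminance(foreground), relative_luminance(background)
    lighter, darker = max(l1, l2), min(l1, l2)
    return (lighter + 0.05) / (darker + 0.05)


def wcag_level(foreground, background, large_text=False):
    """'AAA', 'AA' or 'fail' for normal text (4.5:1 / 7:1) or large text (3:1 / 4.5:1)."""
    ratio = contrast_ratio(foreground, background)
    aa, aaa = (3.0, 4.5) if large_text else (4.5, 7.0)
    if ratio >= aaa:
        return "AAA"
    if ratio >= aa:
        return "AA"
    return "fail"


def worst_case_ratio(foreground, background_colors):
    """For gradients or background images, sample the background colors the text
    sits on (the stops of the gradient, or pixels from the image) and rate the text
    against the worst of them; automated tools usually skip this case entirely."""
    return min(contrast_ratio(foreground, bg) for bg in background_colors)


if __name__ == "__main__":
    for fg in ("#777777", "#767676", "#333333"):
        print(fg, "on white:", round(contrast_ratio(fg, "#ffffff"), 2), wcag_level(fg, "#ffffff"))
    print("#333333 on a white-to-#777777 gradient:", round(worst_case_ratio("#333333", ["#ffffff", "#777777"]), 2))
```

The classic boundary case is #777777 text on white, which comes out at about 4.48:1 and fails AA, while the one step lighter #767676 passes at about 4.54:1. Dark grey text that is AAA on white drops to under 3:1 where a gradient fades toward mid grey, which is exactly what a single-color contrast checker cannot see.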

5 Easy-To-Understand Points in Google Analytics

The best thing about Google Analytics is that it is 100% free. The bad thing about Google Analytics is… it is difficult to learn how to use.

Google Analytics is literally a data dump. 

For the ordinary person who wants to understand basic information about their website, it’s not worth investing the time to learn all the terminology, customize the application and set up conversion measurements.

However, if you can understand the basic things to look for, you as a casual user can extract a lot of useful information.

First things first, be sure to go to Google Analytics’ website, sign in with the account with permissions to access the analytics account (located at the top-right corner), and select your website from the top left drop-down.

Here are 5 useful points you can understand about your website:

Point 1: Learn HOW MANY people are visiting your website and HOW MANY pages they view

Look at the image below. You can see that there are a couple of numbers that tell you how many people visited your website and how many pages were viewed. The default interval for me is 1 week, but you can change it using the top-right dropdown.

This is useful as a general metric of popularity. It becomes more useful when you begin to compare popularity month-to-month or compare to the prior year or see how it changes when you begin advertising for your website.


Point 2: Learn HOW engaged your visitors are

“Engagement” in marketing is important — it tells the owners whether users are actually paying attention or just skimming through and ignoring things. A great example of low engagement is commercial breaks — your TV might be on, but you might use commercial breaks for the bathroom or to send emails.

Some engagement metrics we see are “Pages/Session”, which tells you how many pages were visited by the person during a visit. “Avg. Session Duration” tells you how long people were on your website. “Bounce Rate” is a term I have only seen in online marketing — a “Bounce” is when a user visits one page, then does not visit any other page. Finally, New Visitors vs Returning Visitors is another important number, especially for e-commerce stores where it is common for users to visit a website, contemplate a purchase but not buy, then return and make a purchase later.


Point 3: Learn HOW your visitors ended up on your website

For marketers, it is very important to know how people get to your website. By calculating the cost of the ad divided by the number of visits or the number of sign-ups (or “Conversions”, which will not be discussed here), you can see how effective certain channels are.

There are 4 general channels where your visitors come from:

Organic Search – search engines results (does not include search ads)

Direct – the URL was typed in or it was bookmarked

Referral – your page was linked to from another page or from a newsletter

Social – your page was linked to from social media

and another bonus one: Google Adwords, if you’re using ads by Google. This is so that you can distinguish those visits and determine how effective your ads are.


Point 4: WHAT are your most viewed pages?

The 80/20 rule applies to your website: not all your pages are created equal and not all of them will receive an equal amount of attention. In fact, you will see that certain pages, such as the homepage, will receive 10x more traffic than some pages, which means not all pages are as important.


Point 5: Learn WHAT your visitors use to visit your website

This point will help you understand if you need to possibly optimize your website for mobile viewing. As the cost of mobile devices and tablets has decreased and as the cost of mobile data has come down to affordable levels, we have seen more and more of internet usage on mobile devices, with mobile traffic exceeding desktop and laptop usage in 2017. For that reason, you need to start testing your website for various mobile devices, touch navigation, and for smaller screen sizes. Contact us for help with this!






Be Careful with WordPress Updates



Does that look familiar? If so, I’m sorry to hear that. You are not alone though: it’s not uncommon for some of my clients using a content management system like WordPress to make an update and then see the whole site “break.”

Why is WordPress so volatile?

WordPress is actually a very solid system. If you just have WordPress with nothing else, your site will be just fine. The main issue is when you start adding additional things, namely 3rd party extensions or plugins, to WordPress.

The major weakness of WordPress is also its major strength: WordPress can be modified endlessly. With 1 click of a button, you can add any functionality to your website via PLUGINS. Want a slideshow? Done. Want a mortgage calculator? Done. Want to make your website have falling snowflakes? Done. At first, you will be amazed at what is available to you at the click of a button. The problem is that those plugins are built for WordPress version X, and when WordPress goes to version Y, that plugin may no longer work or the site may have issues as a whole. Frustration ensues.

Even worse, WordPress, by default, is set to run automatic updates, meaning your site can break without you even knowing it.

What does the fatal error mean?

WordPress is built on code (PHP). When you run additional items (plugins, themes) which are also built on code, they may have a large conflict with each other or with WordPress. The server stops loading the website immediately and returns a white screen with a fatal error message.

Unfortunately, there isn’t a safety feature in place for WordPress to protect you from fatal errors; if you casually update things, the entire site could stop working, both the regular site and the admin part of the site, locking you out of it completely. From there, you would need higher levels of access to fix your site.

What causes a fatal error?

In general, programs or systems are very consistent: if they were working fine, they will continue to work fine until something changes to cause it to stop working.

Regarding WordPress, what causes a fatal error is updating WordPress itself, updating an active theme, or installing/updating plugins. There are other causes I’ve seen in my history of working with WordPress, but they are rare.

Can anything else bad happen when I make updates?

Even worse than an actual, explicit error is an error that goes undetected. When you make updates, something may stop working due to a conflict, but it’s not big enough an error to cause the entire site to completely break. This is actually more dangerous than a fatal error because you have a false sense of security and the errors may not come to your attention until days or months later.

So, should I never update my website?

No, you should. WordPress updates are important because of the security improvements. You should still make updates, but when you do, it should be done carefully (more on that later). Also, you do not need to make the updates immediately. In software, sometimes new releases/versions have bugs themselves, and so another version is released shortly after to correct that bug.

What is the improper way to update my website?

Clicking on the UPDATE ALL button and hoping for the best. There’s a good chance nothing goes wrong. But there’s also a good chance your site will go down and you won’t know what happened.

What is the proper way to update my website?

The proper way to update a website is tedious, but it’s smart and the only way to properly ensure your website is stable.

  1. Create a backup of both your WordPress website files and database. You can use a backup plugin, you can rely on automatic backups from your web hosting (careful, some web hosting companies charge you a fee to restore backups!), or you can manually create backups in your cPanel. YOU NEED THIS BACKUP TO FALL BACK ON IF ANYTHING GOES WRONG.
  2. Make your updates.
  3. Testing: test any plugin functions. For example, if you have a contact form plugin, fill in the contact form and make sure it goes through. Or if you have an e-commerce store, create a test transaction. Perform a walk-through of the major processes in your website.
  4. If you get a fatal error or something doesn’t work, you can investigate the issue or just restore a backup.

I find that most of the time, updates go fine, but it’s important to be prepared in case something breaks.
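The four steps above, and the warning earlier about errors that go undetected, can be turned into a small script. What follows is an added example (not the article’s own tool, not a WordPress or cPanel feature): it archives the site directory with a SHA-256 manifest of every file before the update, diffs the live site against that manifest afterwards so you can see exactly which files an update touched even when nothing visibly broke, and restores the archive on demand. The database side is left to an assumed dump command such as mysqldump, passed in as a list and not run in the demo; the site used in the demo is a constructed stand-in.

```python
"""Snapshot a WordPress directory before an update, detect what the update
changed, and roll back from the archive if something breaks."""
import hashlib
import json
import shutil
import subprocess
import tarfile
import tempfile
from pathlib import Path


def file_manifest(site_dir):
    """Relative path -> SHA-256 of every file, so silent changes can be spotted."""
    site_dir = Path(site_dir)
    return {p.relative_to(site_dir).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(site_dir.rglob("*")) if p.is_file()}


def backup_site(site_dir, backup_dir, dump_cmd=None):
    """Write manifest.json, files.tar.gz and (if dump_cmd is given) db.sql into backup_dir.

    dump_cmd is an assumed command list, e.g. ["mysqldump", "--single-transaction", "wp_db"];
    the demo below passes None and covers only the file side."""
    site_dir, backup_dir = Path(site_dir), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    if dump_cmd:
        with open(backup_dir / "db.sql", "wb") as out:
            subprocess.run(dump_cmd, stdout=out, check=True)
    (backup_dir / "manifest.json").write_text(json.dumps(file_manifest(site_dir), indent=1))
    archive = backup_dir / "files.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname=site_dir.name)
    with tarfile.open(archive) as tar:      # make sure the archive reads back before relying on it
        if not tar.getmembers():
            raise RuntimeError("backup archive is empty")
    return archive


def changed_files(site_dir, manifest_path):
    """Compare the live site against the pre-update manifest."""
    before = json.loads(Path(manifest_path).read_text())
    after = file_manifest(site_dir)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
    }


def restore_site(archive, site_dir):
    """Replace site_dir with the archived copy, refusing entries that could escape it."""
    site_dir = Path(site_dir)
    with tarfile.open(archive) as tar:
        for member in tar.getmembers():
            if member.name.startswith("/") or ".." in Path(member.name).parts \
                    or member.issym() or member.islnk():
                raise ValueError(f"unsafe archive entry: {member.name}")
        if site_dir.exists():
            shutil.rmtree(site_dir)
        tar.extractall(site_dir.parent)


def demo():
    """Constructed scenario: back up a fake site, 'update' it, diff, then restore."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "public_html"
        plugin = site / "wp-content" / "plugins" / "slider" / "slider.php"
        plugin.parent.mkdir(parents=True)
        (site / "wp-config.php").write_text("<?php define('DB_NAME', 'wp_db');\n")
        plugin.write_text("<?php // slider 1.0\n")
        archive = backup_site(site, Path(tmp) / "backup")
        original = file_manifest(site)

        # Simulate an update that rewrites one plugin and installs another.
        plugin.write_text("<?php // slider 2.0\n")
        snow = site / "wp-content" / "plugins" / "snow" / "snow.php"
        snow.parent.mkdir(parents=True)
        snow.write_text("<?php // snow 0.1\n")
        diff = changed_files(site, archive.parent / "manifest.json")

        restore_site(archive, site)              # step 4: roll back
        return diff, file_manifest(site) == original


if __name__ == "__main__":
    print(demo())
```

The diff is the part worth keeping even when the update seems to go fine: a plugin update that touched files outside its own folder, or a theme update that rewrote wp-config.php, shows up here long before it shows up as a broken page.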

Project Management with Google Sheets

Project Management: it can be a job or it can be a task.

For Project Management Professionals, it is important to have robust project management software to help them organize files, people and deadlines, and to facilitate communication with everyone involved. For those needing project management on a more casual or one-time basis, however, one of the best tools available is Google Sheets.

Google Sheets is basically a cloud-based (it’s used and stored online) version of Microsoft Excel with a few interesting tweaks:

  1. User access management
  2. Real-time, simultaneous editing
  3. Live chat
  4. Comments everywhere

All of the above features allow a simple spreadsheet program to turn into a flexible and easily-understood project management tool.

The Project

Let’s take a common task that requires project management as an example: planning a wedding. Bear in mind there are already programs for this, but we’re going to use it in this example.

First, Why Spreadsheets?

Spreadsheets are a great tool because they are very flexible. I consider them to be a digital whiteboard. You can do accounting and math in them, or you can design, create dashboards, or create lists. Most important is this: people already know how to use spreadsheets. Excel has become a very common skill for anyone who uses a computer at their job. This means there is little or no training involved when introducing a project managed by an online spreadsheet.


Here, we can see that with just a spreadsheet, we can do a lot. Note the tabs at the bottom which separate different segments of the project (deadlines, tasks, team info, budget).

User Management

Once a project management page is setup in Google Sheets, you can now begin the collaboration process by sharing the document with others by “sharing.” You type in their emails, select their privilege level (can they alter the document or only view it), and write a message to accompany the sharing invite.


Real-Time Simultaneous Editing

If you’ve ever worked in auditing or accessed files on a shared network, you may be familiar with the “file is being used” or “checked out” status when trying to edit a file someone else is using. When files are stored away for access by many users, the first person will be able to open and edit. Any additional people will only be able to view the document and not edit, to prevent any versioning issues (or an endless cycle of people overwriting each other).

With Google Sheets (and Google Docs), you can actually truly collaborate and work in real-time, without the worry of overwriting and versioning issues. This video clears it up nicely:

Live Chat


Chatting is not just for socializing on Facebook or AOL Messenger or Kik! Chatting can be a great way for people to communicate while working on a project simultaneously, without needing to talk on the phone or text message. Best of all, you can reply at your own pace.

Chatting is only for when people are online at the same time. For people with varying schedules, then that’s when comments are best.

Comments Everywhere

Communication is very important in project management. Your email inbox can become very cluttered without the necessary tools to help you manage communications. With the comment feature in Google Sheets, you can take care of issues right inside Google Sheets.

In this example, we are looking at the budget tab of the wedding. I notice that the expenses for hiring a DJ seem to be quite high. So, I write a comment. This comment will leave a tick mark in the box and also show a number in the tab, indicating it needs to be looked at or resolved. Optionally, project users can elect to receive email notifications when comments are made.


What does this mean? Issues can be recorded, are brought to the immediate attention of users, and as they are finished, they can be “resolved” and removed.


Google Sheets truly is a great tool. There are some drawbacks that you need to be aware of.

  1. Uploads/Images: Sheets is actually quite terrible with uploads and images. With images, they are inserted not as a link which you can click to open the image, but as an actual image, which blocks your cells. As for uploads like PDFs, it becomes a game of uploading it to your own space and then linking to it.
  2. Not useful offline: Sheets is meant to be used while online. You can still use it offline, but without the features mentioned in this article, it’s nothing special.
  3. What you see is what you get: Google Sheets is extremely flexible, but once you start needing particular functionality like invoicing, file management, Gantt charts, notifications / reminders, staging, projects dashboard and overview, report generation, you’ll need project management software like Podio, Wrike, Basecamp, Zoho Projects and Trello (another one of my favorites).


How to make websites load faster

One of the most common requests I get from small businesses who manage their own website is how to make their website load faster.

The first step to any sort of improvement is this: know where you are and know where you want to be.

Audit the loading process

By using a website speed tool (like Pingdom’s), you can easily gather all the information you need to understand the basis of your loading.

There are 4 things that are useful in figure 1 for understanding our load time:

  1. HTTP Requests
  2. Load time
  3. Total size of page/data
  4. A waterfall chart

figure 1

Manage HTTP Requests

A web browser can load a finite number of files (text files, images, scripts, etc.) simultaneously from a single domain. Each file creates an HTTP request. In the current desktop browser landscape, the limit is around 4 to 11 simultaneous HTTP requests per domain.

When a website has an overwhelming number of files being loaded, this creates a prolonged loading process, despite the fact that the site itself is not large in size. This is where a bottleneck constraint happens.

In figure 2, we see that in my test, it took 27 seconds to load the site, even though the site itself is only 11.3 MB. The reason is that there are 403 HTTP requests, an exorbitant amount.

figure 2

Solution: Reduce HTTP requests or use a Content Delivery Network

The easy way is to simply reduce HTTP requests by going in and reducing the number per page, either by dividing the content into multiple pages or by simply deleting unnecessary files.

For larger sites that are growing, it makes more sense to use a CDN or Content Delivery Network like Amazon CloudFront or MaxCDN. They improve load time by serving files from multiple domains, thus reducing the impact of the HTTP request bottleneck.

Reduce Size of Page

Reducing the size of the website can also be useful. Due to the increased availability and affordability of high-speed internet, this is slowly becoming less of an issue. By looking at the waterfall, we can see any outliers in terms of size.

The main takeaway from this is that images and video take up a lot of space. In figure 3, we can usually easily spot these exceptionally large files (in this example, they aren’t that large though). When reducing size, it is smartest to reduce these items first if possible, as they make the majority of the page size.

For images, it requires an understanding of web optimization of images. A single image for regular use should be no more than 400 KB. If there are larger images, such as full-size photographs, they should be linked to via smaller thumbnails.

Note: Video streaming services are also becoming more efficient, due to the fact that YouTube and Vimeo will adjust the video quality based on the detected latency. However, if someone self-hosts videos, that will cause the load time to skyrocket.

figure 3
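The three things the audit reads off a waterfall (request count, requests per domain against the browser’s parallel-connection limit, and the handful of oversized files) can be computed from the same data. The script below is an added example, not the article’s own tool or a speed-test service’s output: it takes a list of (url, bytes, milliseconds) entries of the kind a waterfall chart shows, and reports the request bottleneck per host (assuming a limit of 6 simultaneous connections per domain, a value you can change), total page weight, and images over the article’s 400 KB guideline. The waterfall it runs on is constructed for the demo.

```python
"""Summarise a page-load waterfall: request count, total size, requests per host
against the per-domain connection limit, and the files worth shrinking first."""
import math
from collections import Counter
from urllib.parse import urlparse

IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "webp", "svg"}

# Constructed sample waterfall: (url, bytes transferred, milliseconds to load).
WATERFALL = [
    ("https://www.example.com/", 18_000, 310),
    ("https://www.example.com/css/site.css", 42_000, 120),
    ("https://www.example.com/js/app.js", 210_000, 450),
    ("https://www.example.com/js/slider.js", 95_000, 280),
    ("https://www.example.com/js/snow.js", 12_000, 95),
    ("https://www.example.com/img/hero.jpg", 1_450_000, 2_100),
    ("https://www.example.com/img/logo.png", 9_000, 60),
    ("https://www.example.com/img/team1.jpg", 380_000, 600),
    ("https://www.example.com/img/team2.jpg", 520_000, 820),
    ("https://cdn.example.com/jquery.min.js", 88_000, 140),
    ("https://cdn.example.com/font.woff2", 60_000, 110),
    ("https://www.example.com/favicon.ico", 4_000, 40),
    ("https://www.example.com/img/bg.png", 230_000, 400),
]


def audit_waterfall(entries, per_host_limit=6, image_budget=400 * 1024):
    """per_host_limit models the browser's simultaneous-connection cap per domain
    (assumed 6 here); image_budget is the 400 KB per-image guideline from the text."""
    per_host = Counter(urlparse(url).netloc for url, _, _ in entries)
    oversized = [url for url, size, _ in entries
                 if url.rsplit(".", 1)[-1].lower() in IMAGE_EXTENSIONS and size > image_budget]
    return {
        "requests": len(entries),
        "total_bytes": sum(size for _, size, _ in entries),
        "requests_per_host": dict(per_host),
        # Number of 'waves' of parallel requests each host needs: the bottleneck
        # the text describes. Anything above 1 wave is queueing behind the limit.
        "waves_per_host": {host: math.ceil(n / per_host_limit) for host, n in per_host.items()},
        # How many requests to shed (or move to another domain) to get down to one wave.
        "requests_over_limit": {host: max(0, n - per_host_limit) for host, n in per_host.items()},
        "oversized_images": oversized,
        "slowest_request": max(entries, key=lambda e: e[2])[0],
    }


if __name__ == "__main__":
    for key, value in audit_waterfall(WATERFALL).items():
        print(f"{key}: {value}")
```

On the sample, the main host carries 11 of 13 requests and needs two waves at a limit of 6, so either 5 requests have to go or move to a second domain (which is what the CDN advice above amounts to), and two images alone account for most of the 3 MB page weight.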

Change Web Hosting

For those using Content Management Systems on budget hosting, another idea is to migrate to another web hosting company. Budget hosts tend to overload databases on servers to increase profit, leading to increased database query time and causing a normal-sized website that would load in 5 seconds to load in 25 instead. This is true of any website whose website bandwidth needs exceed their current web hosting capabilities.

The general path for a growing site would be this:

Shared Hosting (budget hosting) -> Virtual Private Server (VPS) -> Dedicated Server

Due to the complex nature of web servers, for websites intended for public consumption, it is 99% recommended to outsource web hosting needs to a web hosting company such as GoDaddy, Rackspace, Bluehost or Google.

Analysis of Advertising Dollars

An online retailer was getting ready for the holiday season and had placed ads with four different websites. They were looking to increase holiday-buying-season traffic to their site.

My task: determine the effectiveness of the advertising dollars.

First step: gather data

Analysis can be done when there is ample data available. In order to determine the effectiveness of the advertising dollars of my client, I had to first orient myself to the nature of their online traffic.

An online traffic analytics tool allows me to view a website’s overall traffic.

Figure A

In Figure A, we can see that the website’s traffic is divided into 3 sources. The one we are focusing on is “Referral”, which describes traffic originating from another website (that is not a search engine). This will include traffic from the client’s advertisers.

The second thing we want to look at is how much traffic is derived from each of our individual advertisers (Site A, Site B, Site C, Site D). In Figure B, we can see that over the entire data period, each of the individual advertisers contributed a decent amount of traffic (though they each only represent a fraction of the total traffic count).

Figure B

Second step: cost-benefit analysis

Why are Super Bowl commercials going for $5 million per 30 seconds? Because the Super Bowl consistently provides 100 million+ views or “impressions” (source). With a reach that wide, many large marketing teams gladly pay for a Super Bowl ad spot because of the value (< 5 cents per impression).

To gauge the effectiveness of the client’s advertisers, a similar approach needs to be taken: we look at the amount of traffic received from the source and compare it to the cost of placing the ads.

Figure C

In Figure C, we start to compare traffic received against the cost of ads. However, this graph is not particularly useful, because there is no common base or denominator to compare them; we are comparing apples and oranges. To generate numbers we can actively use for analysis, we divide each advertiser’s fee by the amount of traffic received (“views,” in this case) to get a more useful number: the Cost-Per-Click Ratio.

Figure D

Now that we have calculated the Cost-Per-Click Ratio, we can compare the ratios of each advertiser. We do not need further deviation and variance analysis to see that one of these advertisers’ Cost-Per-Click Ratio is particularly high.

Last step: use findings to assist in decision-making

When it comes to cost ratios, we always want to keep them low. When it comes to ratios, they do not automate decisions for us, but rather, they provide useful data for us to make decisions.

Here are some basic ideas the data presents:

  1. Site C has a much higher Cost-Per-Click Ratio than the others, so it would be the most expendable. The reason behind this is if there is a limited budget, the least efficient should be the first to go.
  2. A general strategy would be that if there is a budget that needs to be best utilized, then it may make sense to remove the funds that are allocated to Site C and re-allocate them to more efficient advertisers, such as Site A.
  3. However, there are constraints to re-allocation, as we can’t be certain that the same Cost-Per-Click Ratio (a metric of cost efficiency) will continue if we were to double the budget for a particular advertiser. After all, if an advertiser has a reach of 200,000, showing more ads to that audience may not make them more likely to purchase than the first time the ad was shown. Or, if there is an increase, it may not be proportional to the increase in spending (doubling the ad spend may not result in doubled visitors and sales originating from that site).

Note: this analysis does not include an even more useful metric, Cost-Per-Conversion, due to the simplicity of this example.

SEO and the 80/20 Rule

SEO: so important that it cannot be ignored, yet mysterious enough so that everyone has a different idea of how it works.

A prospective client, let’s call him Vladimir, once said to me he spent days editing the alt tags on his e-commerce site to boost his rankings with search engines. Alt tags (99% of people on the planet will not know what these are) are the text that appears in place of images when the page is loading, and they are also the text that is read to blind people who use screen readers.

Do alt tags affect SEO? Yes they do. The real question that prospective client should have been asking though, is this: “how much will alt tags help me?”

1. You cannot quantify SEO

Unfortunately, SEO progress and value are impossible to measure accurately. We can do A, B, and C to improve our site’s SEO, but any improvements will be delayed showing in search engines and we will not know if it was A, B, or C that caused the improvements, if it was a mixture of the three, or if it was simply because a competing site had done something to cause it to drop and push our site up.

Because of the lack of clarity and transparency available, SEO is incredibly difficult to account for, and the consequences of any SEO-related action are impossible to predict.

So yes, maybe those alt tags did help Vladimir, but by how much or if at all, we cannot ever know.

2. The basis of SEO

The overall concept behind SEO is this: search engines want good content to be high in their search results and they want spam and junk content to be very low or completely removed from the search results. That is why one of the liaisons between search engine giant Google and SEO professionals is the head of spam at Google, Matt Cutts.

Search engines show results based on a complex and ever-changing algorithm — we can think of as it as the search engine “rules” — and the goal of SEO is to understand those rules and act accordingly.

The reason something as trivial as alt tags is relevant to SEO is that they are an indicator (one of many) of what the site is about. However, how important those alt tags are cannot ever be quantified (see point 1). So, should Vladimir have spent all that time fretting over alt tags?

3. 80/20 Rule and SEO

The 80/20 Rule, aka “Pareto’s Principle,” is the idea that not all things are of equal importance.

For example, if we were to look at a list of tasks for a day, it might look like this:

  • take out the trash
  • rake leaves
  • vacuum car
  • wash the dog
  • meet work deadline

If all the activities were of equal importance, we would see a distribution of activity value such as Figure A, with each having a 1/5 or 20% value:

Figure A, activity value IF all tasks are of equal importance

What the 80/20 Rule suggests is that things are never of equal importance — a few clients are as important as all the rest, a few relationships in our lives provide more fulfillment than all the rest combined, and so on. This inequality, if applied to our list of activities, would then look like Figure B:

Figure B, activity value that conforms to the 80/20 rule

Although there are five tasks above, none except the work deadline is urgent and important. In fact, its actual value would definitely exceed 80%.

As mentioned before, SEO is not quantifiable and a breakdown of SEO value of a site can never be made, but if I had to estimate it, it would look something like Figure C:

Figure C, an extreme oversimplification of how search engines determine a website’s relevancy


Every SEO campaign should have a goal and strategic plan

SEO campaigns should be well-planned ahead of time. Though impossible to quantify through a point system, improvements in SEO can be ascertained through other metrics, such as increased search result placement, increased organic traffic, increased conversions from organic traffic, etc.

Understanding Bounce Rate

One of the most misunderstood metrics for web analytics is “bounce rate.”

Google defines bounce rate as “the percentage of single-page sessions (i.e. sessions in which the person left your site from the entrance page without interacting with the page)” (source).

In layman’s terms, bounce rate is the rate at which visitors view 1 page and do not view any other pages — one-and-done.

Like with other metrics, we can’t draw any conclusions based just on the bounce rate %, but rather, we use it along with other data to help us assess a situation. Here are many ways that bounce rate can be interpreted and many other things to be aware of when analyzing bounce rate.

  1. “Bounces” are normal

Bounce rates, in general, are a measure of engagement. Sometimes you engage, sometimes you don’t. Bounces are normal — you cannot get 0% bounce rate.

The following is from a small, e-commerce website.

Figure A

A 49.88% bounce rate means that pretty much half of all visitors do not go beyond the first page visited. Why is that? We can’t know without polling the visitors themselves. The common explanation is they weren’t interested.

For example, in a clothing store at a mall, there will be window shoppers and people who walk in with no intention of buying. This could be considered similar to a “bounce” for them, and again, it’s normal and part of doing business — not all visitors are interested in your content.

2. Related content will lower bounce rate

These are the numbers from a blog that does not focus on any one particular topic:

Figure B

The ~90% bounce rate is quite high, but it is because the blog entries are almost entirely unrelated. This means that if someone were to land upon a blog entry after searching for something on Google, they might leave right after, simply because there is nothing else on the site they care to read about.

How might this happen? Here’s an example:

Going back to the mall example, let’s say instead of a clothing store, we look at a knick-knack store, like Spencer’s Gifts. The store, if you don’t know, is full of random items, ranging from gag gifts to t-shirts of death metal bands. Although they are able to stay in business, they do not have as much success as a store with a theme like Forever 21, which sells clothes targeting young women, thus increasing the chance of multiple purchases and return visits.

3. Paid traffic should have a low bounce rate

When you have a website, there will inevitably be a lot of “accidental” traffic — people are looking for one thing, end up on your site, and leave when they realize it’s not what they are looking for.

When traffic is paid for, however, the intention is to market to a target audience. When this happens, the content should appeal to the visitor from this channel, thus bounce rate should be lower.

Figure D

In Figure D, we see the various sources of traffic and their corresponding bounce rates. While the bounce rate for the site is about 80%, averaged, it is actually much lower from the advertising source: 29.27%. Moreover, the traffic from the advertising source spent 7 minutes and 4 seconds on the site, when the average session for all traffic was 1 minute and 30 seconds. When it comes to targeting an audience, both these metrics correspond to a job well done.

4. There is a lot of fake traffic out there

In addition to accidental traffic, the biggest factor that skews our bounce rate data is fake traffic.

Fake traffic is not performed by an actual person, but rather, by a bot. This bot might be friendly, like the ones that Google uses to browse and index websites. Or it can be spammy, like Figure E:

Figure E

If you were to enter any of those 5 URLs in Figure E (but don’t do it!), you would end up on some bizarre website. These are just another spammy technique going around the web world. How can we tell without even visiting the websites? Because 4/5 have a 100% bounce rate.

While 0% bounce is unlikely for a large sample size, equally unlikely is a 100% bounce rate.

So if you are a webmaster to a large site, you should filter out these results in order to preserve the integrity of your data.
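One way to apply that filtering rule, as an added example that is not part of the original post: every row below is constructed sample data (the `.example` hostnames are placeholders, not the sources from Figure E), and the test of "every session bounced" plus a minimum session count is the only signal used, exactly as the post describes. It also shows how much the site-wide bounce rate shifts once the flagged sources are excluded.

```python
"""Flag referral sources that look like bot traffic and recompute the
site bounce rate without them.

Added example, not from the original post. SAMPLE is constructed data;
the hostnames are placeholders, not the sources shown in Figure E.
"""
from dataclasses import dataclass


@dataclass
class SourceRow:
    source: str
    sessions: int
    bounces: int

    @property
    def bounce_rate(self) -> float:
        return self.bounces / self.sessions if self.sessions else 0.0


# Constructed sample: a few legitimate channels and a few sources whose
# every session bounced, which the post treats as the tell-tale of fake traffic.
SAMPLE = [
    SourceRow("google / organic", 1200, 930),
    SourceRow("adwords / cpc", 410, 120),
    SourceRow("(direct)", 300, 210),
    SourceRow("free-traffic-offer.example / referral", 60, 60),
    SourceRow("seo-boost.example / referral", 45, 45),
    SourceRow("buttons-for-website.example / referral", 5, 5),
    SourceRow("partner-blog.example / referral", 3, 3),  # too few sessions to judge
]

# Below this many sessions a 100% bounce rate is noise, not evidence
# (a single bounced visit is 100% too).
MIN_SESSIONS = 5


def is_suspect(row: SourceRow, min_sessions: int = MIN_SESSIONS) -> bool:
    """A source is suspect when it has enough sessions to judge and all bounced."""
    return row.sessions >= min_sessions and row.bounces == row.sessions


def overall_bounce_rate(rows) -> float:
    """Site-wide bounce rate, weighted by sessions rather than averaged per source."""
    sessions = sum(r.sessions for r in rows)
    bounces = sum(r.bounces for r in rows)
    return bounces / sessions if sessions else 0.0


def filter_sources(rows, min_sessions: int = MIN_SESSIONS):
    """Split rows into (kept, flagged) so the flagged list can be reviewed."""
    kept = [r for r in rows if not is_suspect(r, min_sessions)]
    flagged = [r for r in rows if is_suspect(r, min_sessions)]
    return kept, flagged


if __name__ == "__main__":
    kept, flagged = filter_sources(SAMPLE)
    print(f"bounce rate, all sources:      {overall_bounce_rate(SAMPLE):.1%}")
    print(f"bounce rate, suspects removed: {overall_bounce_rate(kept):.1%}")
    for r in flagged:
        print(f"  flagged: {r.source} ({r.sessions} sessions, {r.bounce_rate:.0%} bounce)")
```

The flagged list is meant to be reviewed by a person before it becomes a permanent exclusion; a genuine but tiny referrer can also hit 100% by chance, which is why the minimum session count is there.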

How to make a strong password that’s not nonsense.

This is what you see if you have recently had a password generated for you. These are passwords that are considered strong: lengthy, not a word, and including a mix of capital letters, numbers and symbols. There is just one problem: IT MAKES NO SENSE.

A password needs to be complex enough to be secure, but at the same time, if the password looks like strange math formula, then it is not serving the user well.

There can be balance; it’s very possible that we can have a secure password that we don’t have to write down on a post-it note to remember. First however, we need to understand what a weak password is.

What is a weak password?

The first thing to look at is what makes a password weak. Here are 3 criteria for a weak password:

1. It’s Short

This comes down to combinations and permutations.

Each character in a password can be any one of 95 possibilities (the printable ASCII characters: 26 lowercase letters, 26 uppercase letters, 10 digits, and 33 symbols including the space).

If your password is only 1 character, then there are only 95 possibilities (95^1), meaning a hacker can guess your password within 95 tries. By simply adding a 2nd character, you increase the number of possibilities exponentially to 9,025 (95^2). And if you make your password 8 characters long (which is recommended by most password generators), that means 6,634,204,312,890,625 possibilities (95^8).

Let’s assume a hacker is using a strong hacking program to guess your password at a rate of 103,000 guesses/second. How long would it take to go through all combinations?

password length   password possibilities   time to crack (rounded)
1                                     95   < 1 second
2                                  9,025   < 1 second
3                                857,375   8.3 seconds
4                             81,450,625   13.18 minutes
5                          7,737,809,375   20.9 hours
6                        735,091,890,625   82.6 days
7                     69,833,729,609,375   21.5 years
8                  6,634,204,312,890,625   442,882.6 years

Lesson: don’t make your password too short.
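The arithmetic behind the table, as an added example that is not part of the original post: it uses the post's two inputs, 95 possibilities per character and an assumed attacker rate of 103,000 guesses per second (the post's illustrative figure, not a measurement of any real tool), and reproduces the rows for lengths 1 through 8.

```python
"""Brute-force keyspace and time-to-exhaust calculator.

Added example, not from the original post. It reproduces the post's
arithmetic: 95 printable ASCII characters per position and an assumed
attacker rate of 103,000 guesses per second (both values are the post's;
the guess rate is illustrative, not a measurement of any real tool).
"""
import string

# The 95 printable ASCII characters (space through '~'), which is where the
# post's "95 possibilities per character" comes from.
PRINTABLE = " " + string.digits + string.ascii_letters + string.punctuation
ALPHABET_SIZE = len(PRINTABLE)  # 95

GUESSES_PER_SECOND = 103_000  # attacker rate assumed by the post

SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(length: int, alphabet_size: int = ALPHABET_SIZE) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def seconds_to_exhaust(length: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every password of the given length."""
    return keyspace(length) / rate


def human_time(seconds: float) -> str:
    """Render seconds in the largest convenient unit, like the post's table."""
    if seconds < 1:
        return "< 1 second"
    units = [("years", SECONDS_PER_YEAR), ("days", 86400),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def crack_table(max_length: int = 8):
    """Return (length, keyspace, time string) rows for lengths 1..max_length."""
    return [(n, keyspace(n), human_time(seconds_to_exhaust(n)))
            for n in range(1, max_length + 1)]


if __name__ == "__main__":
    print(f"{'len':>3}  {'possibilities':>22}  time to exhaust")
    for n, space, t in crack_table():
        print(f"{n:>3}  {space:>22,}  {t}")
```

Two things to notice when you run it. The 8-character row comes out at roughly 2,042 years (95^8 / 103,000 seconds), so the 442,882.6 years in the table does not follow from the table's own inputs, while the other rows do. And 103,000 guesses per second is a very slow attacker: hardware attacking a leaked database of weakly hashed passwords can test many orders of magnitude more per second, so read these times as relative to each other rather than as absolute guarantees.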

2. It’s easily guessed.

Even if your password is long, it is useless if it is easily guessed. Here are 10 of the most common passwords in 2013 (source):

  1. 123456
  2. password
  3. 12345678
  4. qwerty
  5. abc123
  6. 123456789
  7. 111111
  8. 1234567
  9. iloveyou
  10. adobe123

Anyone using the above passwords is probably either using a device’s default password or not aware of how to make a secure password. Either way, if I were hacking someone’s password, even before running a program to guess every combination, I would go through a list of common passwords, like the one above, to save time.

Lesson: Ensure your password is not so generic that it’s easily guessed.

3. It can be found in a dictionary.

Much like the situation above, hackers aim to be efficient, to save time. Instead of trying to guess every single password combination, which can result in nonsense guesses, they can go through a dictionary.

Why a dictionary?

It’s because people don’t like passwords like “yu6RutR-”: it’s secure, but it doesn’t make sense to them. Passwords need meaning in order to be remembered, so that is why it is very common for people to use real words and names in their passwords. This is also why lengthy passwords like “aardvark” or “apocalypse” are bad passwords: they will be in a dictionary, thus in a hacker’s dictionary as well (note: the Oxford 2nd edition has only 171,476 words).

Lesson: Don’t make your password a dictionary word.


How to make a strong password.

Now that we know why passwords are considered weak, we can look at strategies to make a strong password without making it incoherently complex so that you can’t remember it.

First, make sure your password is long enough: 8 characters minimum.

Second, consider using words that are personal to you, which people would have a hard time guessing.

The idea is we don’t want anything easily guessed, used, or generic.

For example, if I am born on January 1, 2000, I can make my password “01012000” or “jan12000”. Or if I am a New York Giants fan, I can use a password “nygiants2007”.

Although my mother may be able to guess these passwords, a hacker that does not know me at all will not because they are personal.

Third, don’t use singular words, but rather, use strings of words, slang, mnemonics/acronyms, and foreign words coupled with numbers or symbols.

We already talked about how passwords found in dictionaries are easily guessed. People use them anyway because words give a password meaning, and meaning is what makes a password easy to remember.

Here are some examples of passwords that aren’t words, but still have meaning: “showmedamoney$”, “kamsamnida313”, “hmimnwftroyd”

“Show”, “me”, “the”, “money” are all words that can be found in the dictionary, but combined, they become nonsense, especially when a misspelling is used (“da” instead of “the”). This password is memorable because it is from a popular movie, Jerry Maguire.

“Kamsamnida” meanwhile, is the romanization of “thank you” in the Korean language, thus something that is not going to show up in a dictionary. Even a Korean dictionary may not show it, as it is one of many variations of spelling it. The 313 meanwhile, is the area code of Detroit. To remember this, all we have to do is think “thank you, Detroit.”

Finally, “hmimnwftroyd” looks like nonsense, doesn’t it? It does not look much better than “Sta&afr4th”. However, this password is actually an acronym: “hm” for the song title and the rest for its lyrics, “it means no worries, for the rest of your days.” These lyrics, of course, are from the unforgettable “Hakuna Matata” from the movie The Lion King.
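The three weakness criteria and the example passwords above, turned into a checker as an added example that is not part of the original post. It uses the post's minimum of 8 characters and its 2013 top-10 list as the common-password list; the dictionary is a constructed handful of words standing in for a real wordlist, which a production check would load from a file. It goes one step beyond the post in one place: a dictionary word followed only by trailing digits or symbols is still counted as a dictionary word.

```python
"""Check a candidate password against the three weakness criteria from the
post: too short, on a common-password list, or a dictionary word.

Added example, not from the original post. COMMON_PASSWORDS is the post's
2013 top-10; DICTIONARY is a constructed stand-in for a full wordlist.
"""

MIN_LENGTH = 8  # the post's minimum length

COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123",
    "123456789", "111111", "1234567", "iloveyou", "adobe123",
}

# Constructed stand-in for a dictionary; a real check loads a full wordlist.
DICTIONARY = {
    "aardvark", "apocalypse", "show", "me", "the", "money",
    "giants", "thank", "password", "welcome",
}

# Characters stripped from the end before the dictionary lookup, so that
# "aardvark1!" is judged the same as "aardvark" (a small step beyond the post).
TRAILING_DECORATION = "0123456789!@#$%^&*()-_=+"


def weaknesses(password: str, dictionary=DICTIONARY) -> list:
    """Return the criteria the password fails; an empty list means it passes."""
    problems = []
    lowered = password.lower()

    # Criterion 1: too short for the keyspace to matter.
    if len(password) < MIN_LENGTH:
        problems.append("short")

    # Criterion 2: on the list an attacker tries before any brute force.
    if lowered in COMMON_PASSWORDS:
        problems.append("common")

    # Criterion 3: a dictionary word, with or without trailing decoration.
    core = lowered.rstrip(TRAILING_DECORATION)
    if lowered in dictionary or core in dictionary:
        problems.append("dictionary")

    return problems


def is_strong(password: str) -> bool:
    """True when none of the three criteria apply."""
    return not weaknesses(password)


if __name__ == "__main__":
    for candidate in ["123456", "aardvark", "apocalypse1!", "showmedamoney$",
                      "kamsamnida313", "hmimnwftroyd"]:
        verdict = weaknesses(candidate) or ["ok"]
        print(f"{candidate:16} {', '.join(verdict)}")
```

A pass from this checker is necessary rather than sufficient: it implements only the post's three criteria, so date patterns such as “01012000” and a single word followed by a year also pass, even though those shapes are routinely included in cracking wordlists. Treat it as a first filter, not as proof of strength.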

The Risks of Cloud Computing

This is an opinion piece.

Cloud computing is something that has changed the way normal people and businesses interact with data in the past 7 years or so.

Our Interactions with Data Changed

Regarding storage, prior to the age of cloud computing, we would have to carry and access our data in a more primitive way: USB flash drives, emailing ourselves attachments (albeit with size limits), burning onto CDs/DVDs. Now we can save things in cloud storage and access it from home or while on vacation.

Regarding applications, prior to cloud computing, our applications would have to be bought in stores and installed with a CD. Life would be cumbersome if we wanted to use the program on another computer. We would have licensing issues, copyright issues, and platform issues (remember programs that were only available in Windows??). Now, all our favorite programs like Microsoft Word, Intuit Quickbooks, and Adobe Photoshop can be accessed in an internet browser, whether it’s on our desktop, laptop, tablet, or phone.

However, as our data trends towards the cloud, it becomes more vulnerable.

Security vs Convenience

Cloud computing has changed our lives for the better by making data access more convenient. Data security is always a concern however, and with cloud storage, all it means is that our security concerns are exponentially increased.

Security is something that many people ignore or consider an afterthought.

In some offices I’ve seen, many people write passwords on a post-it note and then put it on their desk or in their drawer. Obviously, it defeats the purpose of a password to have it written in plain-view or nearly plain-view, but for the user, security is not as important as their convenience.

For a digital example, I notice that most people do not have passwords on their personal phones. Yes, inputting a password every time you want to use it is annoying, but consider this: if you get possession of a person’s phone that is not password-protected, you will most likely be able to do all of the following:

Read their email, see their photos, access their cloud data, update their Facebook status, buy something on Amazon.

Vulnerability Evolves As Well

Cloud technology has meant that data that was once private and closely held can now be hacked by talented individuals from remote locations. Two great examples of this were the leaking of personal photos from Jennifer Lawrence’s iCloud account (source) and the mass data hack at Sony (source) by North Korean-sympathizing hackers.

20 years ago, a CPA would keep his client work files in cabinets. His main security concern was to keep only his office secure from intruders.

To prevent a possibility of complete loss of files, the CPA would make copies of all his work papers periodically or daily. He would have to store them off-site (storage facility, archive, or at home) to prevent a single point of loss. Now however, the CPA has increased his vulnerability — the CPA now depends on a 3rd party to keep his files secure. Data redundancy creates vulnerability.

Flash forward 20 years, the CPA has hopefully adopted new technology and is now backing up work papers digitally to save time. The CPA still relies on a 3rd party, but this time, instead of the data being in an off-site storage center, it’s digitally stored on a server somewhere, accessible remotely. Now, being secure means being secure from intruders potentially all across the world, who have internet access. The CPA now depends on the vendor to provide this security, with no knowledge of their security protocols or the physical security of the physical servers.

There is no going back

The foregone conclusion is this: cloud computing is here to stay; the pros of it outweigh the cons. The main concern is simply that people using the technology do not understand basic risks and security principles.