If you are concerned about the security of your content in the cloud, you are not the only one (See this article about the 'cloud' really is). This article will explain how passwords work, how hacking attempts are typically made, in clear non-technical terms. This article is aimed at all stakeholders in the education system, including teachers, administrators, parents and IT leaders.

Your door key

Let's start with this comparison. Were you every worried that a stranger can forge a key to your front door? You are probably more worried about losing your key and it falling in the wrong hands, than someone sitting in front of your door step trying every possible key on the planet.

This rational response is built on the premise that there are simply too many different keys for a person to (1) have them all in their possession (imagine the tons of metal needed) and (2) have the time to try each one before you come back from vacation.

The concept is similar for passwords. To prevent point #1 above (to have all the possibilities) is extremely difficult with digital technology. Bits are free, so passwords can be generated dynamically (we call this 'brute-force' attack, which is typically to try words from the dictionary)

Blocking based on time is a very convenient way to control access. If you fail to log in properly after a limited number of tries, your system locks up forever or for a given amount of time (did you ever lock your smartphone after failing to enter your code 5 times?)

We call this 'flood control', we prevent a flood of passwords.

Location & personal information

In addition to flood control, many systems will detect where you are from and block you if you are logging in from somewhere else (Google will send you an SMS to confirm you tried logging in from a different location). Location can refer to geographical location, or even computer address.

If you are always logging in from the US, and then suddenly a log in attempt is made from China, this raises suspicion.

Other identifiable information can also be asked, such as 'Where do you usually login from.' But they all relate to the same concept, identifying 'fishy login attempts'

Password Challenge

Have you ever wondered if your favourite login service saves your password on their system? If they are a reputable one, they don't. They do something called hashing.

Hashing is an algorithm to irreversibly generate a sequence of random letters (note that we used the word irreversibly here, you can't mathematically get the original word back -- your password is save). Such as this:

If my password is

A hash could be

This is what the service saves for your password. The hash will always be the same. (For techies, we used SHA-256, the same solid hashing algorithm we use with ClassroomAPP).

So every time you login, the program generates the Hash and compares with what it has stored for you. This is what is commonly called a Password Challenge. So your password is not exposed to hackers.

How come <someone> got hacked?

Great question!

If you ran the Hashing algorithm on all common words in the dictionary, you could get some really common password hashes.

And then you hacked into a service and looked at their saved hashes, you could then reverse engineer access to many users who used unsafe passwords. They will typically use the same passwords elsewhere, so they are compromised.

The answer to this problem is salting. It means that the server adds a string to your password (the same one each time) so that a completely new hash is generated.

My 'challenge' password becomes:
test123 (my password) + my_favourite_color_is_blue (constant salt) = test123my_favourite_color_is_blue

Which is then hashed as:

This makes it very hard for hackers. It means they need to (1) get the salt -- which is stored elsewhere, (2) run their hashing algorithm on all dictionary words for this service, which can take a very long time.

Securing your password

Now you know why securing your password is so important. So you can beat hackers, even if they gain access to your provider's servers.

Even if your provider gets hacked, the mere fact that you used a secure password, means they can't do much with the hash they obtained. They can't even log in as you.

Here is our advice to chose a password:

  • Start with a story that relates to you, so you can remember it. Say my dog's name is Brute.
  • Since you need at least 8 characters with at least one number, often a punctuation, and some capitalisation, we need to make some changes.
  • What we need is a method to generate our passwords (mnemonic), that we can re-use when we are having memory lapses.
  • Example 1: bRu2e!35 -- I upper cased the second letter, replaced 't' with my favourite number '2'. Since I am short on 8 characters, I added my favourite punctuation, then completed with my age when my second child was born -- to get exactly 8 characters.
  • Example 2: B@utus64 -- I kept the capitalization as-is (so I can remember it), but went for the Latin version of the word. I replaced the 'r' with a non-alpha, then completed with numbers starting with '6' that has a special meaning for me, but decided to go down in numbering by step of 2 -- because I like even numbers.

Students forgetting their passwords could be a big distraction in the classroom. There is only one teacher and twenty or more students. All it takes is one student forgetting their password and you have a disruption. Mnemonics can go a long way in minimising this disturbance.

Is the front door open?

Last and very important point. Whenever you log in to a site or service, make sure the page address (URL) starts with https://, the 's' here means it's secure. If you are entering a password and the webpage that is receiving it only has address with http://, it means (1) the password is sent unencrypted and (2) the website has been verified by someone trustworthy to be who they are.

Anyone 'sniffing' on the myriads of computers you go through to get to the final site, will see your plain text password. Your web browser is your last defence.

This means you have to validate the service you are using.

Case in point, ClassroomAPP sends all its data over secure channel. In fact, there is no path open to get to the data in an unsecured way.


Passwords are here to stay (at least for the short term until bio-metrics start becoming cost-effective and mainstream). Getting a good handle on them, as opposed to dealing with them as a nuisance, will make your digital experience much smoother.