Hard to believe January is almost behind us. Yes, time flies. As Executive Director, I am now in my 31st year of working with web technologies (yep, started in 1992). Obviously a lot has changed over three decades. And things continue to change at a rapid pace. Since it has been 3 decades, I found it entertaining to review the site focusing on web browser engines from 1990 until today. Nice bit of history for those who want a refresher (and for educators). [Note: these links will all open in a new browser tab.]
OK, now that the past is behind us, let’s see what is happening with the following web technologies (a few articles which caught my attention in these areas).
If you are using CSS animations, you might consider AnimatiSS (a collection of CSS animations for your web project).
I also enjoyed reading more about the :has() pseudo-class including real world examples.
When working with media queries, I like the MediaQuery.style site. It has many of the more commonly employed ones readily available.
Although this is still a work in progress, the CSS fingerprint site demonstrates how one can use CSS (and only CSS) to track visitors. It is not really scalable as it presently requires over 1 MB of CSS downloads. However, it is an interesting concept. It does avoid technologies such as NoScript.
Yep, there are still changes happening to markup and tags. After much discussion, there has been some consensus on how to best use the dialog element. Actually, how it should handle its initial focus. You can read more at the post titled “Use the dialog element (reasonably)“. Note that this may not be implemented in all browsers, but it should be in subsequent releases of said browsers.
I also came across this interesting article explaining why using document.write() is not always a good idea. It is fairly in depth and explains why the placement of suck code matter as well.
Microsoft recently published their 2022 Digital Defense Report. You can follow the link to read much more. Here are some of the highlights (scary though they are).
- 921 password attacks happen every second (up 74% from last year).
- they blocked 37 billion email threats last year.
- Attackers are leveraging vulnerabilities in IoT device firmware to gain access to corporate networks.
- The average cost of a data breach reached $4.35 million.
- People are now the primary attack vector. Identity driven attacks account for 61% of breaches. Phishing remains the most common form of cyber attack.
These are some of the articles I have encountered and found interesting over the past month. What have you found in addition? We look forward to your comments and insights.
Human behavior is all about psychology, isn’t it? It is the study of our mind and behavior. And why should our use of passwords not fall into this category? The folks at LastPass recently published a report about their findings concerning password behaviors. [Note: link will open in a new browser tab/ window.] They found that 62% are still reusing passwords. Yes, in 2022. Even when people became aware, only 25% started using a password manager/ wallet. Yes, even Web Professionals Global did a recent post encouraging individuals to use a password wallet. To learn more about their findings, please visit the LastPass link above. It is easy reading and has a lot of useful information. Given that many may not be using a password wallet, what can we as professionals suggest?
Option 1 – be consistent
Each site you visit should have a unique password. Period. Of course, if you insist on not using a password wallet, what sort of methodology could you employ? Here is one simple example. Obviously, you may want to try something different but analogous to this approach.
Consider you want to have a unique password at Amazon and Facebook (perhaps you use both frequently). How could you make a unique password for each site and remember it without using a password wallet or writing them down and pasting them under your keyboard (what could be more secure – yes, we are being sardonic).
Consider that the word Amazon has 6 letters and a com top level domain. One could consistently count the letters in a domain and use the first and last letters – for example A6N (in the same way we end up with A11Y for AccessibilitY and I18N for InternationalizatioN. Such a password would be incredibly easy to crack. So, we begin with the top level domain as part of a passphrase. Thus our password for Amazon becomes COM-A6N. Still pretty easy to crack as it is less than 9 characters. We could append our favorite flower to this passphrase followed by a number such as COM-A6N-sunflower42. Now we are getting somewhere. Facebook would become COM-F8K-sunflower42 and so forth. Of course, we could add more consistent words to our phrase. Longer passphrases are more difficult to crack with various tools. Obviously, if someone were to guess our scheme, they would be able to access our accounts easily. By itself, this may not be the best option. However, it still beats reusing the same password over and over, doesn’t it?
Option 2 – Why use your name or email?
While we are working along these lines, one often is asked for a username. Of course, many simply rely on the tried and true first initial last name or some combination of initials and surname. It doesn’t have to be that way. If you are able to specify your own username (and that can be a big if as many sites now ask for your email and simply use that as your username), do so (and be creative).
For example, instead of mdubois or markdubois as a username at a site, I could use favorite fossils as a username. For example, trilobites or trilobites42. There is nothing tying me specifically to that fossil so that should be reasonably safe for a username. No, hackers, don’t bother as I am way ahead of you on this.
Option 3 – Always 2FA
We have mentioned this before, but if you really can’t use a password wallet for some reason, at a minimum, you should always activate 2 factor authentication (2FA). Yes, we addressed this as part of our discussion on web security in 2021 and employee burnout in cybersecurity in 2022. Not only do you need to know your password, you also need to have something (such as a mobile phone with an authentication app). Simply knowing the username and password is not enough. Many sites allow for the use of 2 factor authentication these days. If they don’t you should contact them and ask for it specifically.
If you really can’t use a password wallet, consider combining all the above approaches. Set your username to something meaningful to you but not readily obvious to others (in my simple example trilobites42). Set your password to something you can easily figure out by looking at the site and knowing something specific. For example, COM-F8K-sunflower42. And employ 2 factor authentication as well.
But wait, didn’t you tell me to change my passwords periodically in your prior web security article in 2021? Yes, we did. So we could expand upon the passphrase theme and use a password of winter23-COM-A6N-sunflower42 for our Amazon password. then, we could change that to spring23… when the time comes. We would change our passwords every quarter and each would be unique for that site. I know some sites will not let you change a password which is similar to the one you presently use. Just be consistently creative on your sites.
And, you can always reset passwords if all else fails and you forget. Or, you could just use a password wallet? Really, they aren’t that tough to use. Yes, it is important to grow beyond your comfort zone and these tips are meant to serve as a starting point. If you don’t want to use a password wallet, be creative. Use the above ideas as a starting point, not the end result. We know you are creative. Apply your creativity to the creation of your unique passwords on each site.
While we are thinking about passwords and resetting them, what about all those security phrases you are asked to update with your bank and related institutions. Given all the social media “quizzes” which mine information such as your high school mascot (really, why on earth would anyone willingly share that information – oh, yeah – so they can see what they would look like as a dog or whatever – c’mon folks – never fall for those online quizzes – they are just stealing your information). But, wait, I already know what my spirit animal looks like. Oops. How does one deal with this if your personal information is already out there. Make it a point to lie on those security questions. For example, if one of the questions is what was the name of your high school – lie. In part. Perhaps append a noun to everything. Again, you just have to be consistent. For example, I would tell the security answer to the high school question that I went to Washington Grass high school. My father’s middle name was Fred grass (no, it wasn’t even Fred). Now I have a little more security as I must know the actual answer and the word I append to everything. Again, be consistent. Not a perfect solution by any means, but if your information is already out there…
What are your thoughts? As always, we look forward to your comments and insights.
Mark DuBois, Executive Director
Web Professionals Global (aka World Organization of Webmasters)
December is already upon us. WOW. Let’s take a moment and focus on security. After all, passwords are like underwear – they should be changed frequently. Sure, I get that. And I can set all my passwords to either:
- be the same across all sites (definitely not a good idea), or
- ignore this advice and never update my password (also, definitely not a good idea).
OK, what if I want to change my passwords periodically but suffer from any sort of memory issues. How can I:
- use a unique password for each site I use,
- keep my passwords (actually passphrases) long and complex, and
- remember to change them from time to time?
Short answer – use a password wallet.
What is a Password Wallet?
In the same way you probably keep your folding money in an actual wallet and keep it close to you, a password wallet is a secure spot to store your passwords. It is a bit of software. It can be available only to you (perhaps on a USB drive – you recall those, don’t you) or it can be stored in the cloud (someone else’s computer). Regardless, access to the password wallet is controlled by a password (or preferably, a passphrase). Unless you know the password/ passphrase to access the wallet, the contents are not readily accessible. In a similar manner, the folding money in your wallet is not readily available to the world. Generally, contents in a password wallet are encrypted. This means if the data store is ever stolen, it is not of any use unless one knows the access word or phrase.
Yes, many browsers provide the ability to store your passwords these days. Many operating systems also provide this capability. That is always one alternative. Although we are not recommending/ endorsing any specific technology, it is important to know what options are available beyond your browser or operating system. Some examples of password wallets include:
- KeePassXC (you can store your access credentials on a thumb drive). This software is open source and OSI certified.
- LastPass (there are free and paid versions).
- NordPass (if you use Nord as your VPN, this paid version may be appropriate).
There are many other choices, Search engines are helpful, aren’t they?
Once you decide to that it might be useful to store your passwords in a secure wallet, here are some things to consider (this is not a complete list).
- How secure is my data? Does the wallet securely encrypt the contents? If you forget your password/ passphrase, you will likely not be able to access the contents. Confirm that no one can decrypt the contents (particularly if the password wallet is online).
- Is there a limit to the number of passwords/passphrases I can store? Some free versions limit you to 50 or 100 passwords. Of course, you get what you pay for.
- How much does it cost? Yes, many of these services cost. That is how they keep their software up to date (defending against the most current known vulnerabilities). Many services offer a discount if you pay annually.
- Password/ passphrase generator? The longer the password/ passphrase, typically the better. You should be able to specify the length. Also, you should be able to copy the information for a short period of time. When you use longer passwords, it is helpful to copy, then paste the contents into your browser. But, you don’t want that information remaining in your clipboard too long.
- What other services are included? Many paid options offer additional services (such as multi-factor authentication, or being able to selectively share information with family or co-workers). You decide what is necessary for you.
- Reminder to periodically change your password? It is a good idea to periodically change your passwords. Typically, we forget to do this. It is helpful if your software provides you with the ability to set a reminder for a given site.
Should I use one?
Ultimately, that decision is up to you. However, these days, one needs many passwords (and they should be unique for each site). Personally, my memory is simply not capable of remembering passwords for thousands of sites. And you want to make certain you periodically change important passwords. Those item alone likely dictate you should consider such an approach.
All this being said, I strongly recommend using 2 factor authentication in addition to a password/ passphrase on any given site. This means you must provide both your username and password along with a unique code to access a site. Most sites offer this option. Many allow you to use a technology like Google Authenticator or to receive a SMS text message with a unique code. These codes are typically only good for a minute or so.
Here at Web Professionals Global, we hope everyone has been experiencing a successful November. It is time again to focus on a few items which caught our attention during the month. We never cease to be impressed at how quickly web technologies change. Let’s briefly focus on these areas for now:
- Accessibility, and
Browsers are beginning to support media query range syntax. Sure, it is not supported in all browsers on all devices yet, but knowing this is coming is huge. It should save significant time coding CSS. Instead of having to specify specific media sizes, we may soon be able to employ mathematical symbols such as >, <, <=, and so forth. Perhaps we can avoid min-width and similar bits as this is supported more and more. Readers are encouraged to follow the above link (it will open in a new tab) to learn more. Please let us know what you think about the possibilities of this via comments.
Adrian Roselli posted an article earlier this year on buttons, enter and space. From a user experience perspective, this is a great refresher on what happens when you use native keyboard interactions. Adrian even provides a working example (with counters). His last word in the article is something we advocate all the time – test. What are your thoughts about keyboard interactions?
Let’s not overlook e-commerce accessibility either. We came across this article specifying UI elements using roles. As many of our readers know, specifying the purpose of UI elements is critical when visitors to a site rely on assistive technologies. We thought this article provided a great number of insights and examples. We look forward to your thoughts on this topic as well.
As we approach the end of the year (and many of us have to provide tech support to family and friends as they receive new devices), it might be wise to bookmark the OUCH newsletter site. Disclosure, Mark (your executive director) is one of the monthly reviewers of these articles before they go live. Each month, a security professional provides a timely overview of one aspect on security. Articles are kept short and are suitable for sharing with those not as savvy in various aspects of technology.
That is all for our November desktop view. We know your time is valuable and appreciate you reading this post. If you would like us to include additional articles or focus on additional aspects, please let us know via your comments below. Until next time…
Mark DuBois, Executive Director
Web Professionals Global (aka World Organization of Webmasters)
Today we are highlighting one of the emerging trends in the world of the web: cybersecurity teams dealing with burnout that is leading to increased vulnerability for individuals and organizations.
As ZDNET has reported, there has been a sharp rise in attacks and disruptions in the cyber world in recent years. Rates of ransomware, corporate espionage, and IP theft have all increased. As a result, cybersecurity professionals are experiencing high rates of burnout and both employee recruitment and retention are suffering. A recent study by Mimecast revealed roughly one-third of those who work in cybersecurity have considered leaving the profession, and it is becoming increasingly difficult to attract new professionals to the field. The shortage of qualified cybersecurity professionals has many worried that it is causing a domino effect of labor shortages across the entire IT industry.
One of the primary drivers of employee burnout is due to time and effort spent by cybersecurity teams cleaning up the mistakes of others. A 2020 study conducted by Tessian and Stanford University showed that nearly 90% of data breaches are caused by human error, which puts increased pressure on IT and cybersecurity teams. The Mimecast study found that over half of cyber attacks cost more than $100K to fix, which is comparable to what many companies spend on their cybersecurity plan. Additionally, cyber attacks often attract significant negative media attention, such as the Colonial Pipeline attack in May 2021.
Of course, this issue grows more complicated as more individuals work from home and may not be using a business computer for all their work.
Developing a Cybersecurity Plan
Web Professionals Global has been deeply involved in raising awareness of cybersecurity issues for web professionals, including this article in which we discussed safe practices regarding passwords and security. It is crucial that web professionals stay up to date on the latest cybersecurity trends to avoid data breaches and more. And companies and organizations must ensure they keep employees informed and aware of risks they may encounter, whether working from the office or from home. This may include increasing budgetary resources for more frequent and adequate cybersecurity training. After all, any organization is only as strong as its weakest link.
Web professionals can do the following as a start to protect against cyber threats:
- Keep software up to date
- Keep anti-virus protection up to date
- Use unique passwords
- Use two-factor authentication (2FA)
- Back up data regularly
- Avoid using public wifi networks (where possible, use a VPN)
- Avoid mixing personal and work accounts and devices
Career Pathways in Cybersecurity
You might be interested in exploring what it is like to work in the world of cybersecurity. It is a high-paying and in-demand career path due to the reasons we have discussed in this article. According to the U.S. Bureau of Labor Statistics, information security analyst hiring is expected to grow 35 percent from 2021 to 2031, faster than the average for other career tracks. This equates to almost 20,000 openings for information security analysts each year. As of May 2021, the average salary for the profession was just over $102K. Web developers are right behind, with a projected 30% rate of growth over the same period of time. Cybersecurity is an industry that will need talent for many years to come.
Contact us Today
Our work in cybersecurity is core to our mission of “Community, Education, Certification.” We are committed to training web professionals to fill the skills gaps in cybersecurity and other web sectors. To learn more about Web Professionals Global and our work in cybersecurity and other areas, contact us today.
It has been some time since I posted some thoughts on the current state of web technologies. A lot has happened during recent months. Let’s focus on several key areas:
- web accessibility,
- and CSS.
More areas may be the focus of subsequent articles. Stay tuned. As always, we at Web Professionals Global are interested in what you think. Let us know in the comments or contact us directly.
WCAG 3 has been released as a draft (published in December, 2021). Latest editors draft updated as of July, 2022. The approach is iterative with content ranging from temporary (just a placeholder for future content) to mature (ready for publication). This version is somewhat evolutionary in that it will be easy to understand and provide guidance. A key differentiator is that this version has a broader scope (beyond web content). I encourage you to view the above links and consider helping develop the next version of Web Content Accessibility Guidelines.
Of course, there is also a new ARIA authoring practices guide website. Lots of patterns and resources. Check it out.
As web professionals, we should remind ourselves (and our clients of some fundamental tactics which help mitigate these sorts of attacks.
At a minimum, never act on anything that purports to have an extreme sense of urgency. That is what malicious individuals want. Act before you have a chance to think about the implications. It is also good practice to never click on links in emails or text messages. Instead, open a browser and type the site directly (or use a reliable search engine). Lastly, only install updates from trusted sources (and use the traditional channels where those updates are distributed).
Remember the days of aural style sheets (yes, they were a thing). Of course, no browsers supported them. However, a recent article (October, 2022) has raised some hope for me again. Why we need CSS speech is the article. What are your thoughts about CSS speech? Again, reach out to us in the comments.
Of course, there are many enhancements in the works for CSS. These include items such as:
- The ability to nest selectors is presently in the works. This is possible a good way to organize your CSS code. Of course, no browsers yet support this.
- Cascade layers (which give authors the ability to group their CSS and affect how the cascade applies). The linked article should give you a much better understanding. This is like nesting selectors, but much more. Is this feature ready for prime time? No, but you might want to start learning about them.
- CSS subgrid allows for styling on a page to inherit the parent’s grid styling. MDN has a nice overview with examples. That is the reference linked at the start of this bullet.
Mark DuBois, Executive Director
Web Professionals Global (a.k.a. World Organization of Webmasters)