My tips for scales (beginners)

  1. Watch one hand going up and the other hand coming down.
  2. Always play two octaves, don’t just practice one. It’s crucial to build in those LH 5,3,4,3 and RH 3,4,3,5 muscle memories.
  3. On the way up, the 4 in the left hand is the trigger for the 4 in the right hand, and vice-versa on the way down.
  4. Say the names of the notes as you play them. This will reinforce the sharps and flats in the scale. Saying the notes as you go down the scale is a real challenge!

I can recommend the book Scales Bootcamp by Philip A Johnston. It really helped me crack my scales, 2 octaves, hands together.

Light, colour and underwater photography. Fixing colours using Adobe Photoshop (and Elements)

Background

All photography is dependent on one thing: light.

The aim of taking a photo is to get enough light into the camera and detected by the film/sensor to produce a properly exposed image.

This means shadows are not too dark, highlights are not too bright and there’s a good distribution of light between those two extremes. Underexposing an image will discard shadows in favour of black. Overexposing an image will discard highlights in favour of bright white. For colour photography, in addition to receiving the right quantity of light, we also need to capture light of the right colour.

Cameras have three factors which control the quantity of light and how it’s detected:

  • ISO: the film or sensor sensitivity.
  • Shutter speed: the amount of time the film or sensor is exposed to light.
  • Aperture: the size of the hole the light travels through towards the sensor.

When there’s lots of light a camera can be set with:

  • a low ISO rating (to decrease grain in the image)
  • a high shutter speed (to freeze the action)
  • a small aperture size (to increase the depth of field which makes more of the scene in focus).

When there’s less light, the opposite needs to be set:

  • a higher ISO rating (increasing grain in the image)
  • a lower shutter speed (which can make the photos blurry due to camera shake)
  • a wider aperture (which reduces depth of field making items in the extreme foreground or far background out of focus).

During the day above water when there’s lots of light, a camera can be left on automatic and you’ll generally get a properly exposed image.

Not all photographers use automatic settings and often isolate and manually set their ISO, shutter speed and aperture to get more creative control over their images.

What is light?

Electromagnetic Spectrum

Light is energy that has a wavelength between 400nm (nano-metres) and 700nm. The source of this energy could be a light bulb, the sun, a candle, a hot piece of metal, some uranium etc.

These energy sources will invariably be radiating energy in lots of other wavelengths too (including gamma, X-ray, ultraviolet, thermal, infrared, microwave etc.), but it’s just the 400nm to 700nm wavelengths that our eyes can detect.

Colour

Retina Rods and Cones

We have red, green and blue receptors (cones) on our retinas that detect these different wavelengths of light. Different proportions of different wavelengths are interpreted by our eyes as different colours. It’s the same principle for film or a sensor in a camera.

Every light source emits its energy at different wavelengths and therefore the colour of the light is different for every light source. This is called its colour temperature.

Whereas paint colours are created by mixing the primary pigment colours: red, yellow and blue (sometimes called magenta, yellow and cyan), light colours are created by mixing the primary light colours: red, green and blue.

The light emitted from the sun has roughly equal quantities of red, green and blue, which results in white light with a colour temperature of between 5,000 and 6,000 Kelvins. Fluorescent tube lights produce much cooler, “bluer” light with a temperature of 4,000 to 5,000 Kelvins. Incandescent filament bulbs produce warmer, more yellow light with a colour temperature of around 2,700 to 3,000 Kelvins.

Transmission

Light energy travels in a straight line until it’s reflected, refracted or absorbed (or any combination of the three).

  • When light is reflected, it bounces and travels in a straight line in a different direction.
  • When it’s absorbed, the light energy is converted to a different sort of energy (i.e. heat).
  • When it’s refracted, the light continues in a straight line, but its direction of travel has changed.

There is no known material that reflects, refracts or absorbs 100% of light energy; there’s always some degree of reflection or absorption of light.

Every time light bounces off something, the material of that “something” absorbs some of the energy of the light, affecting its colour and intensity.

Consider white light hitting a red snooker ball. The material of the ball absorbs blue and green light and reflects the remaining red light. The red light hits our retina and we see a red snooker ball.

The same white light hits the green baize under the snooker ball. The baize absorbs the red and blue light and reflects the remaining green light to our retina and we see the green baize.

The red light bouncing off the snooker ball also hits the green baize, the baize absorbs the red and traces of blue light and nothing perceivable is reflected. Similarly the green light bouncing off the baize hits the red snooker ball which in turn absorbs the green light and any traces of blue light and again nothing perceivable is reflected.

Light is bouncing around all the time constantly having its colour, direction and intensity changed by anything it interacts with.

Light and water

When we try and take photos underwater, we have an additional medium to deal with, which affects the colour and intensity of light: water.

In order for our retinas (and camera film/sensors) to see something, here’s what happens:

  1. White light is emitted by the sun and hits the surface of the water above you.
    • Some of the light is reflected back up into the air.
    • Some of the light energy is absorbed and increases the temperature of the water.
    • Some of the light is refracted by the water surface and travels down into the water at a slightly different angle.
  2. As the light travels through the water, it starts losing energy. Its red energy is absorbed first, followed by green, then blue. The more water it passes through, the more energy is absorbed.
  3. The reduced energy light hits an orange fish in front of you.
  4. The orange fish absorbs some of the blue parts of the light (orange = red + green) and reflects the remaining red and green light to your retina.
  5. Unfortunately there wasn’t much red and green light left after it travelled through the water above you, so the fish appears a dull blue instead of its vibrant orange.

If you had a dive torch and shone it at the orange fish, here’s what would happen:

  1. You shine your dive torch (which emits white light) at the orange fish.
  2. There’s not much water between the torch and the fish or between the fish and your retina, so very little of the red part of the spectrum is absorbed by the water.
  3. The orange fish absorbs some of the blue parts of the light and reflects the remaining red and green light to your retina (orange = red + green).
  4. There’s now lots of reflected red and green light hitting your retina, so you now see the fish as a vivid orange.

Underwater photography

If you’re near the surface, then the water won’t absorb too much red light and your photos will usually look OK. They might have a very subtle blue cast.

If you’re deeper underwater and not using a light source such as a dive torch or underwater flash gun (called a strobe) then your photos will definitely have a blue or green cast to them.

Although the red data absorbed by the water can never be recovered, the few scraps that remain can be combined with an approximation of what might have been there, using photo manipulation software such as Adobe Photoshop and Photoshop Elements.

I’ll be focusing on Adobe Photoshop CC in this article.

What is a digital image?

A digital image is a graph with X and Y axes. These are the horizontal and vertical dimensions of the image expressed in pixels.

Each X and Y location on the graph has three values: red, green and blue (RGB) each typically expressed as a value between 0 and 255. When these three values are combined, they are interpreted as a single point of colour of varying brightness and saturation (the strength of the colour).

When the graph is filled with all this RGB data, a digital representation of the image is visible.

A properly exposed image has a good spread of red, green and blue data with varying intensities. This can be seen by analysing an image’s RGB data on a set of charts known as histograms. In Photoshop, these are termed levels.

Here’s a photo taken at depth without additional light along with its RGB histograms.

The histograms show the quantity of red, green and blue data at varying levels of brightness in the image. The X axis is pixel brightness left to right, black to white. The Y axis is the quantity of pixels starting with zero at the bottom.

The red histogram shows there’s a lot of dark red data, but very little mid-level or bright red data in the image.

The green and blue histograms show there’s a good distribution of green and blue data across the image with the majority being at mid-level without too much dark or very bright data.

Blue and green data is good, the red is lacking. This is why the image has a blue/cyan cast (blue + green = cyan).

Here’s an example of a well-balanced image:

In this instance, the red data has a good spread of intensities from dark to light. Although there’s more dark red in the image, the image is balanced as the rest of the red data is in the mid tones and highlights.

Its blue and green data is similar to the previous image with a good spread, lots of mid-range and not too much very dark or very light data.

The effect of all three channels having a good spread of data, results in a pleasing image with no discernible colour cast.

We need to do something about the red data in the first image so it looks as good as the second image.

The missing red data

There are two methods for adding red data back into your underwater photos:

Method 1: Spread out the red data

We need to brighten the red highlights and mid-tones while leaving the shadow data untouched.

This will have the effect of stretching the existing red data out across the histogram to look more like the green and blue histograms.

Here’s how to do it:

  1. Open your image in Photoshop or Photoshop Elements
  2. Select Image -> Adjustments -> Levels
  3. Change the Channel dropdown to Red
  4. There are three sliders under the histogram, black, grey and white. Drag the white slider left to where the red data ends in the histogram. As you drag the slider, your image will be adjusted in real-time. Also try dragging the middle (grey) slider left or right to change the distribution of the mid-level data.
  5. Click OK when you’re happy.

You’ve now adjusted the distribution of the image’s red data. You can verify the change by viewing the red data histogram again.

The image looks a bit better but the updated histogram shows what happened. The small amount of red data was stretched out across the dynamic range which has resulted in some nasty fringing and obvious red pixels. It doesn’t look very natural.

Photoshop can’t fill in the gaps in the histogram because it can’t know where the red data should have been in the image. The histogram only shows the distribution of light and dark data in an image, not its exact X and Y placement.

Method 2: Generate new red data

A new red channel can be generated by doing the following:

  1. Create a grey channel based on the average luminosity of the pixels in the original image.
  2. Remove the blue and green data from this new grey channel, leaving only a red channel.
  3. Replace the red channel in the original image with the new luminosity-based red channel.
  4. Auto-balance the new composite image.


This is quite an involved process, so I’ve created a Photoshop action which will work with a flattened image (i.e. a Background) and apply all these processes in one click.
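To make the two methods concrete, here is an added example (not part of the original article or the Photoshop action) that works the same arithmetic on a tiny constructed 2×2 “photo at depth” held as plain RGB tuples: a Levels-style stretch of the red white point (Method 1), red regenerated from average luminosity and then auto-balanced (Method 2), and a coarse histogram so the spread of each channel can be compared before and after. The image, the four-band histogram and the use of the plain RGB average as “luminosity” are assumptions of the example.

```python
"""Red-channel repair for blue-cast underwater photos (constructed example).

An image is a list of rows; each row is a list of (r, g, b) tuples, 0-255.
"""


def levels(value, black, white):
    """Photoshop-style Levels: map the [black, white] input range onto [0, 255]."""
    if white <= black:  # flat channel: nothing to stretch, avoid dividing by zero
        return value
    value = min(max(value, black), white)  # clip anything outside the input range
    return round((value - black) * 255 / (white - black))


def channel_range(image, channel):
    """(min, max) of one channel, i.e. where its histogram data starts and ends."""
    values = [px[channel] for row in image for px in row]
    return min(values), max(values)


def histogram(image, channel, bins=4):
    """Pixel counts per brightness band, dark to bright, like a Levels histogram."""
    width = 256 // bins
    counts = [0] * bins
    for row in image:
        for px in row:
            counts[min(px[channel] // width, bins - 1)] += 1
    return counts


def stretch_red(image):
    """Method 1: drag the red white point down to where the red data ends."""
    _, red_max = channel_range(image, 0)
    return [[(levels(r, 0, red_max), g, b) for r, g, b in row] for row in image]


def regenerate_red(image):
    """Method 2, steps 1-3: replace red with each pixel's average luminosity."""
    return [[(round((r + g + b) / 3), g, b) for r, g, b in row] for row in image]


def auto_balance(image):
    """Method 2, step 4: stretch every channel so it spans the full 0-255 range."""
    ranges = [channel_range(image, c) for c in range(3)]
    return [[tuple(levels(px[c], *ranges[c]) for c in range(3)) for px in row]
            for row in image]


def channel_means(image):
    """Mean (r, g, b); a strong blue cast shows as blue far above red."""
    pixels = [px for row in image for px in row]
    return tuple(sum(px[c] for px in pixels) / len(pixels) for c in range(3))


# Constructed 2x2 "photo at depth": almost no red, plenty of green and blue.
CAST_IMAGE = [
    [(20, 120, 160), (40, 140, 180)],
    [(12, 100, 150), (60, 160, 200)],
]

if __name__ == "__main__":
    print("red histogram before:", histogram(CAST_IMAGE, 0))
    print("method 1 (stretched red):", stretch_red(CAST_IMAGE))
    fixed = auto_balance(regenerate_red(CAST_IMAGE))
    print("method 2 (regenerated + balanced):", fixed)
    print("red histogram after:", histogram(fixed, 0))
    print("channel means before/after:", channel_means(CAST_IMAGE), channel_means(fixed))
```

Method 1 only rescales the four dark red values, so they stay clustered; Method 2 spreads red across the range and brings the red and blue means together.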

You can download the action here

Unzip the file and drag and drop the contained .atn file into the Actions panel in Photoshop.

The action will come up as colourcorrect_red in the Underwater folder.

Double click the action name (colourcorrect_red) to run it or alternatively, select the action and hit the play triangle ► in the Actions panel.

Method 3: Use Photoshop’s new Match Color -> Neutralize function

There’s a new feature in Photoshop and Elements that approximates the effect of manually generating red data based on the luminosity of other channels. This is Photoshop’s new Match Color function.

Here’s how to use it:

  1. Open your image in Photoshop or Elements
  2. Select Image -> Adjustments -> Match Color
  3. Click Neutralize. The colour cast will be reduced.
  4. Click OK

The filter can be controlled by using the Luminance, Colour Intensity and Fade sliders.

Colour correcting underwater video using Adobe Premiere CC

Taken from Gustav Ovier’s site (offline since Dec 2017).
Retrieved using the WayBack Machine then translated from Portuguese to English using Google Translate.

Filters for Adobe Premiere CS6 and CC

I’ve made available to download some filters I created for Adobe Premiere CS6 and CC (I don’t know if it works in other versions) for colour correction of underwater images.

These filters enhance the colour of videos made during dives. You should test multiple filters to see what is best for your video. Sometimes the filter is good at the start of the shot, but it can get bad as the light changes. So it’s good to go through each clip with the filter applied before finalising it.

Underwater at depth, the colours fade due to light being absorbed by the water. Many people use a physical filter in front of the camera lens: usually red or magenta. I don’t really like this technique because it makes the video more red when there is light.

The best result can be obtained with continuous artificial light, so even at depth the colour capture will be accurate. The colours of fish, crustaceans and corals from the bottom of the sea really are amazing.

To install the filters go to the effects tab of your Adobe Premiere CS6/CC and import them (one by one).

Here’s an example of the filters in action:

The filters can be downloaded here:

UnderWater_SAC_Adobe_Premiere_CS6_CC.zip

Instant Pot Beef / Ox Cheeks with Red Wine

Description

Here’s my recipe for beef cheeks cooked in my Instant Pot Duo v2 7-in-1 Electric Pressure Cooker, 6 Qt, 5.5L. They’re cooked with vegetables, red wine and stock and have a Spanish/middle-eastern flavour.

Beef cheeks are very tough pieces of meat and can take all day to cook. Using a pressure cooker reduces that time right down to less than an hour.

Ingredients

  • 2 x whole uncooked beef cheeks
  • 2 brown onions – chopped 1cm
  • 4 carrots – chopped 1cm
  • 4 sticks of celery – chopped 1cm
  • 1 large glass of red wine
  • 1 tin of chopped tomatoes
  • Beef or chicken stock
  • Picante pimentón
  • Ground cumin
  • 2 x bay leaves
  • Cooking oil – rapeseed, sunflower, light olive oil etc.
  • Cornflour
  • Salt and ground black pepper
  • Balsamic glaze
  • Parsley – chopped

Method

Cooking

  1. If the beef cheeks have an outer membrane, use a sharp knife to remove it.
  2. Season the beef cheeks with ground black pepper. Don’t use any salt.
  3. In a pan on the hob, brown the beef cheeks on all sides in the cooking oil.
  4. While this is happening, set the InstantPot (IP) to Sauté and add cooking oil.
  5. Sauté the onions, carrot, celery and bay leaves until softened.
  6. Add a couple of teaspoons of ground cumin and picante pimentón and stir through the sautéed vegetables.
  7. Deglaze the IP with the red wine.
  8. Add the tin of chopped tomatoes.
  9. Add the beef cheeks to the IP and cover with the stock.
  10. Put the lid on the IP, turn the pressure valve to Sealing.
  11. Press the Manual or Pressure Cook button and set the time to 50 minutes.
  12. Press the Keep Warm button to turn off this feature.
  13. Allow the cooking to complete and let the IP release the pressure naturally.
  14. When the pressure indicator valve has dropped down, Press the Cancel button and open up the IP.
  15. Carefully remove the beef cheeks and put to one side.

Reducing

  1. Give the IP a good stir and make sure nothing has stuck to the bottom.
  2. We need to reduce down the liquid in the IP, so press the Sauté button and leave the lid off. This will bring the liquid up to the boil and keep it on a rolling boil.
  3. Reduce the liquid down to half to a third of its original volume. For me, this took around 30 minutes.
  4. Press the Cancel button on the IP and unplug it.
  5. Slake a teaspoon of cornflour with some cold water and stir it into the remaining liquid. Depending on your preferred consistency, you may need to reduce or increase the amount of cornflour.
  6. Stir in a tablespoon of balsamic glaze to add a sweet/sour note.
  7. Taste the sauce for seasoning and add salt to taste.
  8. Put the beef cheeks back into the sauce.

Serving, portioning or storing

The meat at this point should be in large pieces – if not still whole, but it can be easily broken up as it’ll be super-tender. It can even be turned into pulled-beef and shredded up with a couple of forks.

Add the parsley just before serving.

Facebook security

Everyone uses Social Media these days and we’re trusting it with more and more of our personally identifiable information (PII).

Our interests, comments, check-ins, likes and the network of friends and family we build-up all contribute to a context-heavy online identity.

If an attacker gains control of your online identity, they can easily:

  • Steal all your personal information
  • Post content and messages on your behalf to hurt you or your network of friends and family
  • Use implicit trust to gain access to other online services
  • Impersonate you, abusing the trust you have with your network of friends and family to infiltrate their online identities and networks, etc.

In this guide, I’ll focus on the social media platform Facebook and talk about how to review your security settings.

Review your public profile

It’s important to review exactly what information you’ve entered as part of your Facebook Public Profile – as it’s exactly that: Public.

You may have entered something personal, inappropriate, misleading, regrettable or just incorrect without realising it’s being broadcast to the world. The settings controlling what’s displayed as part of your public profile are separate from Facebook’s general security settings so must be reviewed independently.

To configure your Public Profile, do this:

  1. Browse to https://www.facebook.com and log in
  2. Find your mini profile picture and name in the top of the left navigation bar.
  3. Click on the 3 vertical dots next to your name
  4. Click on Edit Profile from the pop-up menu
  5. Your Edit profile popup window will appear

Examine all photos and read all text and options in this window from top to bottom. Whatever you see here is publicly visible to the whole world.

After making a change, remember to click the Save button that appears.

Edit your About Info

IMPORTANT: Make sure you click on the Edit your About Info link at the bottom of the Edit Profile window.

The About Info section can contain a huge amount of personal information you might want to keep private.

Go down the navigation items on the left and examine each panel of information on the right. Examine everything here. If there’s something you’d rather keep private or don’t want the world to see or know about – such as your mobile phone number or your relationship status, change it here.

 

Security and privacy settings

Facebook’s security settings are accessed from its Settings page. To get there:

  1. Browse to https://www.facebook.com and log in
  2. Click on the down arrow ▼ in the top right corner
  3. Select Settings from the drop down list

Facebook Security Settings

There are lots of security-related settings here, so to save you time I’ve used the following colour coding:

[QUICK WIN] = You should address these straight away

[EFFORT] = Require a bit more thought and effort but will definitely improve your security posture

[REVIEW] = Items for you to review. These are mainly about privacy but also cover notifications and alerting.

 

Security and login

Where you’re logged in [REVIEW]

This is a list of all devices and locations that are currently logged into your Facebook account.

If you have a home PC, a laptop, a smart phone, a tablet etc. you’ll see multiple entries here. Facebook will try and identify the type of device and where geographically it’s logged in from.

Make sure you click on the See more button to display everything.

Look down the list and if there’s anything there you don’t recognise, click the three dots menu icon on the right and select Not you?. This tells Facebook that you are not responsible for this login and will help Facebook block this connection in the future.

If you’re knowingly using a VPN or routing your traffic via a different country, you’ll see that reflected here.

Seeing anything unexpected here can indicate that your Facebook account has been compromised and someone else is logging into your account without your knowledge. If this is the case, I would recommend that you immediately do the following:

  1. Change your Facebook password
  2. Go back to the Where you’re logged in list and click Log out of all sessions at the bottom.

This will cause every device on the list to be logged out. If they try and log in again, they’ll be prompted to enter your password which you’ve just changed.

Setting up extra security

Get alerts about unrecognised logins [QUICK WIN]

This works hand-in-hand with the Where you’re logged in list (explained above).

Facebook can send you a notification if it sees a login that’s from a previously unknown device, browser or location. This is really important so you can react quickly if your account is compromised.

If this isn’t already On, click the Edit button and make sure notifications are enabled for all alert types. Remember to click Save Changes.

If you’ve just turned something on, you’ll get an alert saying so.

Use two-factor authentication [EFFORT]

You can learn more about the concept of Two Factor Authentication (2FA) by reading my guide here.

TL;DR: in order for a new device or browser to log into your Facebook account, a person will need to know not just your username and password (which might have been leaked) but also have access to your unlocked mobile device and use its code generator app.

If you enable 2FA in Facebook, it requires a minimum of your mobile phone number and a code generator of some sort.

The Facebook smartphone app will serve as a code generator, but if you’re embracing the concept of 2FA to protect your online identity across multiple online services, you should take the option to set up a third-party app as a code generator.

After you’ve read my guide to 2FA, adding Facebook’s QR code to your code generator app will be a breeze.

Choose 3 to 5 friends to contact if you are locked out [REVIEW]

Your Facebook account can be locked-out if someone is trying to brute-force your login credentials or someone has reported your account behaving maliciously – usually after it’s been compromised.

You can choose a few trusted Facebook contacts to help you out if your account becomes locked out. Facebook will contact them to help prove that you are who you say you are.

Privacy

Your activity

Who can see your future posts [QUICK WIN]

Unless you are a public figure and want everyone to know exactly what you had for lunch or where you went last night and with whom, I would strongly recommend making sure only your Friends can see your future posts.

This setting usually defaults to Friends, but can change if you’ve recently set the visibility of a post to Public.

If this is set to anything other than Friends, click the Edit button, change to Friends then click Close. This setting doesn’t have a Save Changes button and takes effect immediately.

Limit the audience of old posts on your timeline [QUICK WIN]

If you’ve posted stuff in the past that you might have thought was a good idea to make Public, or may have accidentally made Public, you can fix this and set everything you’ve done back to Friends.

Click Limit Past Posts then click the Limit Past Posts button that appears below, then click the Limit Past Posts button in the window that appears, then click Close. The change will take effect immediately.

How people can find and contact you

Who can see your friends list? [REVIEW]

If you want to stop people you don’t know seeing a list of your Facebook Friends, you can change that here.

Click Edit, then change the visibility button to Friends. The change takes effect immediately.

If you’re happy for people you don’t know to see your list of Facebook friends, leave it as Public.

Who can look you up using the email address you provided? [REVIEW]

If you want to prevent people you don’t know from finding your Facebook Profile via your email address, you can change that here.

Click Edit, then change the visibility button to either Friends or Friends of friends. The change takes effect immediately.

If you’re happy for people you don’t know to find you by your email address, leave it as Everyone.

Who can look you up using the phone number you provided? [REVIEW]

If you want to prevent people you don’t know from finding your Facebook Profile via your mobile phone number, you can change that here.

Click Edit, then change the visibility button to either Friends or Friends of friends. The change takes effect immediately.

If you’re happy for people you don’t know to find you by your mobile phone number, leave it as Everyone.

Do you want search engines outside of Facebook to link to your Profile? [REVIEW]

You can stop your Facebook Profile page from appearing in search engine results by changing this option.

Click the Edit button and either tick or un-tick Allow search engines outside of Facebook to link to your Profile, then click Close.

It can take days or weeks for your profile to disappear from search engine results, so don’t expect an immediate effect. If you’re still seeing your profile coming up in search engine results, you’ll need to contact the search engine company directly and request your profile to be removed.

Timeline and tagging

Timeline

Who can post on your timeline? [QUICK WIN]

TO DO

Who can see what others post on your timeline? [REVIEW]

TO DO

Tagging

Who can see posts that you’re tagged in on your timeline? [REVIEW]

TO DO

When you’re tagged in a post, who do you want to add to the audience of the post if they can’t already see it? [REVIEW]

TO DO

Review

Review posts that you’re tagged in before the posts appear on your timeline? [REVIEW]

TO DO

Review what other people see on your timeline [REVIEW]

TO DO

Review tags that people add to your posts before the tags appear on Facebook? [REVIEW]

TO DO

Public posts

Who Can Follow Me [REVIEW]

TO DO

Public Post Comments [REVIEW]

TO DO

Public Post Notifications [REVIEW]

TO DO

Public Profile Info [REVIEW]

TO DO

Apps and websites

Every time you interact with a Facebook app, you grant it access to one or more elements of your profile. This can include your personal profile (e.g. age, sex, religion, address, email) and your friends list.

Some apps also demand permission to post on your behalf.

This page is split into 3 tabs: “Active”, “Expired” and “Removed”.

Apps under “Active” have continued access to your data.

Apps under “Expired” previously had access to your data but their access has now expired.

Apps under “Removed” are those that have had access to your data removed manually by yourself.

For all “Active” apps, you can check exactly what privileges it has by clicking “View and edit”.

If you’re certain you don’t want an “Active” app to access your data any more, tick its box and click the “Remove” button.

You should perform this simple check regularly – especially if you’re in the habit of completing Facebook quizzes, questionnaires or playing Facebook games.

 

Apps, Websites and games [QUICK WIN]

 

Game and app notifications [REVIEW]

TO DO

 

Payments

TO DO

 

 

Setting up and using Multi Factor Authentication (2FA/MFA)

What’s wrong with my username and password?

Typical online authentication requires a username and a password – this is something a user has to know.

These can be (and frequently are) written down, shared with other people or leaked from hacked sites to the world by malicious third parties.

Users will often set up the same username and password with multiple online services. This is super-convenient because they only have to remember one set of credentials, but if those credentials get leaked, hackers will have access to all services where that set of credentials has been used.

This could be your mailbox, your social media accounts, online shops, dating sites (!) etc. and once an attacker has access to your mailbox, they can use the “forgot password” function of any website to reset your password and control your account.

To remedy all this, you can add an additional layer of security called Two Factor Authentication (2FA), sometimes called Multi Factor Authentication (MFA).

What is Multi Factor Authentication?

It is so called because it adds an additional factor to the authentication process. In addition to what a user knows (their username and password), it adds the requirement of something a user has.

MFA requires a physical device to deliver you a security “token” to enter alongside your username and password. This is typically a 6 to 8 digit number or sometimes a random text string. Here are some ways a code can be made available to you:

  • Via text message (SMS). You’ll be sent a unique code to your mobile phone.
  • Via a phone call. You’ll be called and an automated voice will read out a code to you.
  • Via an email. You’ll receive a message in your inbox that contains a code.
  • Via a hardware token. You’ll have a “fob” that continuously displays an ever-changing code.
  • Via a software token. You’ll have an app on your smartphone, tablet or computer which generates a continuously changing code – just like a hardware token.

Who supports MFA?

Not all online services support MFA, but a growing number do. twofactorauth.org is a really useful site that tries to keep an up-to-date list of services that do offer MFA, and if they don’t, it (rather cheekily) provides a link to the service’s Twitter page so you can ask them to.

Introducing Authy

For sites that support software tokens, I’d like to recommend a solution called Authy. This is a free system that has the following benefits:

  • It’s cloud-based. This means everything’s stored centrally and backed-up for you in case you lose your device.
  • It runs on multiple platforms including desktop, tablet, smartphone and smartwatch. This means you’re not limited to only having a single code-generator.
  • It’s password protected and can use the biometric authentication offered by laptops, tablets and smartphones.
  • It supports different types of code generators.
  • Although it’s a cloud-based service, the code generator works offline.
  • It supports three different types of security token, including:
    • OTP (One-Time Passcode)
    • Soft token TOTP (Time-based One-time Passwords)
    • Push Authentication

Weak passwords and how to choose a strong complex memorable password

What makes a password weak?

A weak password is one that can be easily guessed or broken.

This might be because it’s made up of public information associated with you. For example:

  • You or your family’s dates of birth
  • Names of your family members
  • Your pets’ names
  • Your nickname
  • Your car
  • Your favourite football team, etc.

Your password might be a known default password.

Many items of computer hardware which connect to the Internet have factory default usernames and passwords. These are often variations of the words admin and password.

Recently installed, but unconfigured software or content management systems will often use a default password which is publicly known and published in online manuals.

So far these are examples of public information being used as passwords.

For passwords made up of secret information, brute-force methods can be used to guess a password.

Common passwords

You might think your password is so easy to remember and type but so obscure, that no-one else would have ever thought of it, but you’re probably wrong.

Here are the top 100 most popular passwords that crop up on the leaked lists:

123456hello12341234chelseaadmin123
passwordfreedomferrarisummerpussy
12345678whatevercheese1990pass
qwertyqazwsxcomputer1991asdf
12345trustno1corvettephoenixwilliam
123456789654321blahblahamandasoccer
letmeinjordan23georgecookielondon
1234567password1mercedesashley1q2w3e
football1234121212bandit1992
iloveyourobertmaverickkillerbiteme
adminmatthewfuckyoumeandyoumaggie
welcomejordannicolepepperquerty
monkeyassholehunterjessicarangers
logindanielsunshinezaq1zaq1charlie
abc123andrewtiggerjennifermartin
starwarslakers1989testginger
123123andreamerlinhockeyyankees
dragonbusterrangerdallasthunder
passw0rdjoshwasolopasswordMichelle
master’s degree1qaz2wsxbananafuckyouassholeaaaaaa

In 2017, it was estimated that almost 10% of people used at least one of the 100 most popular passwords and almost 3% of people have used 123456 as their password.

These lists are regularly used for brute-forcing passwords, so anything on this list should be avoided.

You can check whether your password is on one of the leaked lists using this website: https://haveibeenpwned.com/Passwords
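Added example, not from the original post: the password check on that site works without the password leaving your machine. The client hashes it with SHA-1, sends only the first five hex characters to the range endpoint, and matches the remaining 35 locally against the returned suffixes; the sample response body and its counts below are constructed for this example.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # k-anonymity endpoint of the site above


def sha1_prefix_suffix(password: str):
    """Upper-case SHA-1 hex split into the 5-char prefix that is sent and the
    35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, body: str) -> int:
    """Parse 'SUFFIX:COUNT' lines and return the count for our suffix (0 when absent)."""
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str, timeout: int = 10) -> str:
    """Live lookup (needs network); only the 5-character prefix is transmitted."""
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for a range response: the genuine suffix of "password" between
# two made-up neighbours. All three counts are invented for this example.
SAMPLE_RANGE_BODY = """\
1E2A8A4F5C0B9D3E7F1A2B3C4D5E6F7A8B9:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
1E5FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1
"""


def breach_count(password: str, body: str = None) -> int:
    """How many times the password appears in the leaked lists; body=None does a live query."""
    prefix, suffix = sha1_prefix_suffix(password)
    if body is None:
        body = fetch_range(prefix)
    return count_in_range_response(suffix, body)


if __name__ == "__main__":
    print(breach_count("password", SAMPLE_RANGE_BODY))  # 12345 from the constructed sample
```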

Password complexity

The more complex a password is, the more difficult it will be for brute-force methods to succeed.

Password complexity can be improved by doing one or more (or all) of the following:

  • Avoid using a single word from a dictionary as your password. This will be found straight away when a list of dictionary words is tried one after another.
  • Increase the number of characters in the password. A four character password is much weaker than an eight character password for example.
  • Include upper and lower case characters in the password. Don’t just use a single uppercase letter followed by all lowercase letters.
  • Include numbers and symbols in the password.

It used to be popular to replace letters with numbers that look like their alphabetic counterparts. For example, replace O (oh) with 0 (zero), L with 1 (one), A with 4, S with 5 etc. to create words like:

Baseball = b455b411
password = pa55w0rd
secret = s3cr3t

However, the brute-force algorithms have long been wise to this, so this sort of character replacement is one of the first things they try.
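The checks described in this section, as an added Python example (not from the original post): undo the common letter substitutions before a dictionary lookup, as cracking rule sets do, and estimate the brute-force search space from length and character classes. The word list and the 12-character minimum are constructed for this example; real cracking lists run to millions of entries.

```python
import math
import re

# Constructed mini word list standing in for the dictionaries discussed above.
DICTIONARY = {"password", "baseball", "secret", "dragon", "monkey", "letmein", "welcome"}

# The letter-for-digit/symbol swaps described above, reversed, so a candidate can be
# normalised back to its dictionary form before lookup (crackers try this first).
UNLEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                        "7": "t", "@": "a", "$": "s", "!": "i"})


def normalise(password: str) -> str:
    """Lower-case and undo substitutions: 'pa55w0rd' -> 'password', 's3cr3t' -> 'secret'."""
    return password.lower().translate(UNLEET)


def charset_size(password: str) -> int:
    """Alphabet an exhaustive search must cover, from the character classes actually used."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += 33  # printable ASCII symbols
    return size


def brute_force_bits(password: str) -> float:
    """log2 of the candidates a full search over that alphabet and length would try."""
    return len(password) * math.log2(charset_size(password))


def weak_reasons(password: str, dictionary=DICTIONARY) -> list:
    """Reasons the password fails the guidance above (empty list means it passes)."""
    reasons = []
    if len(password) < 12:                      # assumed policy minimum for this example
        reasons.append("shorter than 12 characters")
    if normalise(password) in dictionary:
        reasons.append("dictionary word once substitutions are undone")
    if re.fullmatch(r"[A-Z][a-z]+", password):
        reasons.append("single leading capital followed by lowercase only")
    if charset_size(password) < 62:             # any two classes sum to at most 59
        reasons.append("fewer than three character classes")
    return reasons


if __name__ == "__main__":
    for candidate in ("pa55w0rd", "Baseball", "zKa4zD#5", "1!^B5qUA$t0iU7l%"):
        print(f"{candidate:18} {brute_force_bits(candidate):6.1f} bits  {weak_reasons(candidate)}")
```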

The most secure passwords

The most secure form of password is a long string of random uppercase and lowercase letters, numbers and symbols like this:

zKa4zD#5    (8 chars)
$f4qX6rxBU&B    (12 chars)
1!^B5qUA$t0iU7l%    (16 chars)

The disadvantage of these un-guessable, context-free, complex passwords is that they’re almost impossible to remember and as a result are then written down – which completely defeats their purpose.

Passwords are often found written on Post-it notes and stuck under keyboards, in front or back covers of notebooks or on computer monitors.

Hawaii Emergency Broadcast System now broadcasting their passwords

Using a Password Manager

I would always recommend the use of long strong complex passwords in conjunction with a Password Manager. A password manager will generate, remember and enter long strong complex passwords for you, so you don’t need to remember them or write them down.

Read my guide about setting up and using a password manager.

Of course, you’ll still need at least one strong complex memorable password to protect your password manager, so read-on.

Choosing a strong complex memorable password

  1. Think of 3 or 4 random words. Look around you and get some inspiration. Don’t choose words that can be guessed by someone else or could be associated with you.
  2. Imagine a silly or weird situation in your mind that can be described using those words. This image is the key to memorising your password.

If you’re forced to use special characters by someone’s password policy:

  1. Choose where to put your capital letters. Don’t use a capital letter as the first character. Maybe the start of the 2nd and/or 3rd words?
  2. Can one of your words be a number? Change it to its numeric version.
  3. Pick one or more symbol characters and put them somewhere in the middle of the password. Don’t use them as the 1st or last characters.

Here’s a fun cartoon from xkcd.com

xkcd Password Strength

This is a really popular cartoon, so please don’t use correcthorsebatterystaple as your password as I’m certain it’s now in every password cracking dictionary 🙂

Setting up and using a Password Manager

What is a Password Manager

A Password Manager (PM) is a service or app that stores and enters usernames and passwords for you into online services or mobile apps. A good PM will also generate strong passwords for you and also help you identify weak or compromised passwords.

The core concept is that you have a single strong but memorable Master Password that secures your PM. All the passwords for everything else should be complex and impossible to remember or guess (and often tricky to type). This makes them secure. In theory, the only passwords you ever need to remember are the Master Password of your PM and any passwords that can’t be entered for you by your PM. For example, an online banking site that asks you to enter the 3rd, 4th and 8th characters of your password.

Why should I use a PM?

Read my post titled Stop using the same password everywhere!

Important to understand

Obvious stuff:

  • A PM cannot enter a password to unlock your device i.e. desktop, laptop, tablet or smart phone.
  • A PM will not enter passwords for you or give you access to them unless you’ve logged-in with your Master Password.

Important stuff:

  • A PM will not generate easily guessable or memorable passwords. The whole point is that the passwords are not memorable or guessable.
  • A PM will not force you to use multi-factor-authentication.

Scary stuff:

  • If you forget your Master Password and have not set up any emergency access methods, all your passwords will be inaccessible – and effectively lost.
  • If you don’t set up multi-factor-authentication to protect your PM and someone obtains/guesses your Master Password, all your passwords will fall into enemy hands.

Getting started

There are a few password managers out there and at time of writing, two popular ones are LastPass and 1Password. Both offer their basic features as a free service. They both also offer a paid-for service for more advanced users.

I’ve been using LastPass for many years and this guide continues assuming you’re using the free service offered by LastPass.

Disclaimer

I have personally paid for the more advanced services provided by LastPass and have not received any incentives or payments from either of the two PMs mentioned in this post.

Golden Rules

These are non-negotiable tenets that must be adhered-to if you are to realise the protection a PM can offer:

You will not use the same PM account for work and personal stuff.

You will disable, clear-out and never use the “password remembering” features of any browser on any of your devices.

You will use your PM as your sole repository for passwords.

You will never write down any passwords ever again.

You will use the password generation feature of your PM whenever you are required to enter a new password.

Ignoring any of these Golden Rules will greatly reduce the security of your passwords and the effectiveness of a PM.

Checklist

Here are the steps you’ll be going through to switch over to using a PM:

  1. Identify the devices you have that are currently storing passwords for you. These could be desktop computers, laptops, tablets, phones etc.
    For each device:

    1. Install your PM of choice and all available extensions.
    2. Identify the browser(s) that are remembering passwords for you.
      For each browser:

      1. Disable the password remembering function of your browser(s).
      2. Export the remembered passwords (if possible).
        If you can’t export the credentials:

        1. In a separate browser, log into each site and manually enter the credentials your browser has remembered for you.
        2. Allow your PM to store these credentials for you.
        3. Log out of the site and log in again using the credentials offered by your PM.
        4. Verify the site works with your PM before moving to the next site.
      3. If you can export the credentials:
        1. Import the credentials into your PM.
        2. Go to a few of your most important sites and check that the credentials in your PM work.
      4. Delete all the remembered credentials from your browser.
      5. Move onto the next browser.
  2. Move onto your next device.

Do this straight away

Choose a strong un-guessable password for your Master Password.

Read my guide here about weak passwords.

content to follow

Living with a Password Manager

content to follow

Using multiple devices

content to follow

Gotchas

content to follow

Tips & tricks

content to follow

Stop using the same password everywhere!

Why is this a bad thing?

Using the same password everywhere makes everyone’s life easier. It means you can log into your bank, your online shopping, your mailbox and social media without having to remember dozens of passwords.

However, using the same password on multiple online services is like using the same key to unlock your front door, your car, your suitcase and your safety deposit box.

If someone sees your key and makes a copy of it, they can now unlock everything. They can not only steal whatever you’re protecting with that key (money, personal information etc), but they can also impersonate you to steal your friends and family’s money and personal information by abusing their trust in you.

My password is secret, so no-one will ever know it

You might think your password is secure because you’ve not told anyone about it.

You might be guilty of writing it down somewhere, but you’ve kept that private too. So there’s no problem right?

Wrong.

Every time you use a password, it gets sent over the internet. If it’s correct, you get logged in.

In order for an online service to validate your login, it has to know your password – or at least enough about it to ensure what you’ve provided is a match.

If an online service contains security vulnerabilities, it won’t be long before all the usernames and passwords of all its customers are stolen and end up online for all to see. Hackers do this for fun and commercial gain.

Can I find out if my credentials have been leaked?

Yes you can. Check out the website of Troy Hunt, Have I Been Pwned?: https://haveibeenpwned.com

Troy is a reputable and professional Information Security advisor. He’s been collecting published usernames and password lists over the last few years and has built a free service where anyone can check to see if their email address or username has been leaked.

At the time of writing, Troy’s database has over four billion unique usernames and passwords.

His site also allows you to check whether your password has been publicised. It doesn’t give anything away other than saying that the password is known, that it should never be used and that it should be changed immediately.

What should I do?

The first step is to make a conscious decision to never ever use the same password for any online service ever again. This means having a unique password for every one.

You can do this by enlisting the help of a Password Manager and being tidy and disciplined.

Set up and use a Password Manager

Here’s my guide for setting up and using a Password Manager.


Be tidy

Your password manager is the only place you should store your passwords.

To avoid storing (potentially different) passwords in different places, you should:

  • Stop your browser from remembering passwords – you will be using your Password Manager for this. Here’s how.
  • When you’ve got everything in your password manager, clear down all passwords stored in your browser. Here’s how.

Be disciplined

  • Always use your password manager and never store your passwords in a browser on any device.
  • Whenever you sign up for an online service, use your password manager to generate and store a unique password.
  • If you can’t use the password generation feature of your password manager, for example on your Smart TV, never use a weak password. Here’s a guide.

Add an extra layer of security

More and more online services also give you the option to add an extra layer of security called Two Factor Authentication (2FA) – sometimes called Multi Factor Authentication (MFA).

It sounds complicated, but is actually very straightforward and relatively friction-free.

Here’s my guide to setting up and using Multi Factor Authentication (MFA)