qrcodeThis week, Educause released a PDF article about QR Codes. What are these codes? Here’s a snip from the article:

QR codes are two-dimensional bar codes that can contain any alphanumeric text and that often feature URLs that direct users to sites where they can learn about an object or place (a practice known as “mobile tagging”). Decoding software on tools such as camera phones interprets the codes, which are increasingly found in places such as product labels, billboards, and buildings, inviting passers-by to pull out their mobile phones and uncover the encoded information.

These codes, popular in Japan, allow users to use a device, most often their cell phone camera, at a QR Code and be given information, such as a URL to visit or some other information.

While the article deals with the pedagogical uses or these codes, I think there are many possible uses on the marketing side as well.

I think it will eventually be a great resource for prospective students. For example, lets say that tomorrow we send them a postcard telling them the due date for applications is coming up. On that postcard, you include text and a URL for your online application urging them to apply. It requires the user to enter in the address manually.

In the future, perhaps we will send students a postcard urging them to apply with a QR or other 2d barcode image on it. They point their phone or mobile device at it (or hold it up to the camera in their netbook) and they are instantly taken to your application. In fact, I’ve mocked up a sample to show you what that could look like. 2 caveats: I’m not a graphic designer in any sense and the picture is from Selwyn College in Cambridge.

QR Code Example

Click for a larger version.

If you’re tracking your conversions closely, you should know these URLs can contain all sorts of analytics data, so you would be able to get very reliable information about response rates, perhaps better then using other redirect techniques.

While the technology is ready for use today, you may not be at a point where it would make sense to introduce these types of codes. When I think about where mobile technology will be in two years, I think there will be demand for it. Today’s 14-year-olds will be starting their college searches before you know it.

Online, free QR Code Generator
2D Sense, iPhone app that will read QR Codes

Let’s say you’re building a big new web app at your institution. One of the parts of this application will be storing usernames and passwords. There are a ton of ways to do this, but today I want to share with you one way that I do things, in the hopes of making my logins as secure as possible. For our examples today, we’ll be using PHP.

Before I get going too far, I should mention that when I say storing passwords, what we’re really doing is storing a hash of the user’s password. When we authenticate a user, we run the password they supply through whatever algorithm we’re using to encrypt and hash their input and we compare the result to what we’re storing in our database.

That being said, when storing passwords for your app, you have a many options. You could skip all security and store your users’ passwords in plain text in MySQL. Bad idea. You could use MySQL’s default password functionality. This is okay, but you could do things better.

For the rest of this post, let’s create a password variable, $pass. For all the examples, let’s set the value of $pass as “highedwebtech1”.

Let’s look at what’s generated when we pass the $pass variable through MD5.

echo md5($pass);

That gives us the following hash:


That’s not a terrible way to store a password, but there’s been research for the last couple of years that its possible to create MD5 collisions – where you generate lists and lists of MD5 hashes and look for matches. For example, this site will look up your MD5 hashes and check for collisions.

Well, we could use SHA1 to encode the password. Let’s run our $pass variable through SHA1:

echo sha1($pass);

That gives this:


Getting better. But – SHA1’s been broken as well. The chances of your user accounts being brute-forced by someone running SHA1 collisions is very minute, but let’s keep searching for something better.

Let’s do some crazy hashing and mashing. Let’s look at PHP’s crypt function.

crypt() will return an encrypted string using the standard Unix DES-based encryption algorithm or alternative algorithms that may be available on the system.

If we run the following code:

echo crypt($pass);

We get the following:


crypt() also allows you to add a salt. Wikipedia describes a salt thusly: “a salt comprises random bits that are used as one of the inputs to a key derivation function.” This basically means we can specify some characters that will become part of our encryption scheme.

Let’s create a $salt variable. We’ll give $salt a value of, for now, “yummysalt”.

Let’s run crypt() again but this time we’ll specify a specific salt. The system I’m running this on in these examples is using standard DES as its encryption.

echo crypt($pass,$salt);

This returns:


Standard DES puts the first 2 characters of the salt at the beginning of the hash of the password. If we use “yummysalt” as our salt (footnote – DES only uses the first 2 characters, we could have just made our salt “yu”), every time we run our password through crypt we will get the same value. The number of characters in your salt can depend on your system settings, including values in PHP and your server software.

Specifying a salt isn’t a bad thing to do, but you’ve got to now store that salt somewhere in your code. If your system is compromised, and with your salt, cracking passwords may be a little easier for your user passwords to be cracked.

If you’re sensing a theme here, you’d be right. DES is also susceptible to cracking, even when using a salt.

So, what’s a way to do it thats secure and has little chance of getting cracked? There are a lot of different ways to answer that question, but here’s some ideas I had, along with some help from a friend, who’s a security professional at a major research institution.

He recommends using something like the following, which is based on the username and password responses we receive from the user.

$username = "user1";
$password = "highedwebtech1";

echo sha1($username.$password);

In the code above, we’re creating a hash from a concatenation of the username and the password they enter. But, Mike, you say, a few paragraphs earlier you said SHA1 wasn’t the best choice. In this case though, we’re not hashing just the password. We’re hashing an entirely new value, in this case, user1highedwebtech1. That would be much more difficult to crack, especially using a brute-force attack. Here’s the hash value we get back from this function:


It’s long, and difficult to crack. When it comes time for a user to log in, checking against what they enter is easy. Just put the two values together, run it through SHA1 and then compare that to the value we originally stored in the database.

It should also go without saying that you should never email a user’s password to them. Either send them a replacement, temporary password or make them reset it altogether by emailing them a link with a hashed value they need to reproduce. But that’s a whole other post.

Want to learn more about doing this stuff in PHP? I’d recommend reading about about the mcrypt module. It offers a great deal of additional functionality.

Happy hashing!

What tips or tricks do you use when it comes to handling passwords? I’d like to learn how you deal with this issue.

This week, I’m going to take a look at some of the video hosting options available to IHEs. I’ll be looking at each of them from more of the technical end – production, upload and quality wise.

Let’s start things off with the big fish in the pond: YouTube. I think it’s safe to say they are the top when it comes to online video, and they get the most media attention and eyeballs from prospective students. There are plenty of other resources out there about how to set up your channel, make it pretty, etc. I’ll skip the bits about how to customize your landing page. Here’s the landing page for my college.

From a technical perspective, YouTube will take any format you throw at it. You’re limited to 10 minutes and 100mb per upload. I try to upload as high a quality as I can, since by default they stream some of the lowest video quality, fidelity-wise, not content-wise (though some videos out there are just awful.) You can tweak quality settings in your user prefs, but most users probably haven’t and I don’t think that setting carries across to embeds.

Speaking of embedding your videos, it’s very easy with YouTube, just grab the code and you are good to go.

I mentioned a second ago about quality, and I want to dig into that a little bit more. Here’s an example. I made this video in 2006. We shot with a 3CCD camera so we started with very good quality source video. We edited in iMovie and output to a high quality MOV.

Now, visit this YouTube link and see the quality difference? Go ahead, I’ll wait here. It’s startling, isn’t it?

As far as I can find, you can’t change that embed quality. I can get why – those files are larger and take more bandwidth, but YouTube is doing that conversion for some reason. But, why? I’ll tell you.

The iPhone. Well that’s part of it. Since the iPhone lacks Flash support (for now,) Apple most likely said to YouTube “hey, give us H.264 files!” The iPhone plays videos, so it already has the codecs for that format.

Want to see if your video is available in higher quality? Browse to a video in YouTube that isn’t an embed, and tack this bit onto the URL “&fmt=18“.

One newer thing that’s very interesting about YouTube is their API. They recently upgraded their tools and now offer a myriad of ways to use content inside YouTube to create your own mini-YouTube. You could easily create a video portal of videos about your institution or allow users to upload videos through your site and into YouTube and become part of your portal. The API is pretty interesting and there are some definite opportunities for IHEs here.

Despite some of the quality issues, putting your school’s videos in YouTube is a no-brainer. It’s easy, accessible and best of all, free.