Guides
The reasoning behind the tools — how the mechanisms actually work, and how to use them well.
- A Practical Guide to Cron Expressions
  Read and write any crontab line with confidence — the five fields, step and range syntax, the day-of-week trap, timezone pitfalls and worked examples.
- Base64 Is Not Encryption: Encoding vs Encryption vs Hashing
  Base64 looks scrambled, so people treat it as security. Here is how encoding, encryption and hashing actually differ, with worked examples you can check.
- Browser Fingerprinting Explained: Tracking Without Cookies
  How trackers recognise your browser with no cookie at all — the entropy budget behind canvas, fonts and WebGL, and which defences actually reduce it.
- Diceware Passphrases: Four Random Words Beat P@ssw0rd1
  The xkcd 936 argument checked with real numbers — how diceware turns dice into memorable passphrases, the EFF wordlist maths, and how many words you actually need.
- Does Your Website Need a Privacy Policy?
  When GDPR, CCPA and the Australian Privacy Act actually reach a small site, which analytics and forms trigger the duty, and what a policy must contain.
- How a Password Leak Check Works Without Seeing Your Password
  The k-anonymity range protocol behind Have I Been Pwned, walked through with a real SHA-1 hash — why five hex characters keep your password private.
- How Password Entropy Actually Works
  Entropy measures the process that produced a password, not the string itself. Here is the log₂ maths, a worked example, and realistic GPU crack rates.
- How Password Managers Work — and How to Choose One
  A password manager is an encrypted vault unlocked by one master password. Here is the key-derivation maths behind it and how to pick one.
- JWT Security Mistakes Developers Still Make
  The recurring JWT bugs — decode treated as verify, alg:none, HS/RS confusion, secrets in the payload, no revocation — shown with real token values and fixes.
- PIN Security — What Four Digits Can and Can't Do
  A four-digit PIN holds just 13.3 bits of entropy, yet PINs protect phones and cards fine. Here is why, which PINs to avoid, and when to use more digits.
- What EXIF Data Reveals About You — and How to Strip It
  Photos carry hidden EXIF metadata — GPS coordinates, camera serials, timestamps and software tags. Here is what gets embedded, who strips it, and how to remove it.
- What utm_, fbclid and gclid Actually Do
  A field guide to the tracking tail on shared links: what utm_source, fbclid and gclid record, why they rarely break a page, and how to strip them safely.
- What Your IP Address Reveals — and What a VPN Changes
  Your IP maps to an ISP and a city-sized area, not your front door. Here is who sees it, how geolocation actually works, and exactly what a VPN moves.
- Why Math.random() Can't Make Passwords: CSPRNGs Explained
  Math.random() is fast but predictable, so it must never generate secrets. Here is how a CSPRNG differs, plus the modulo-bias trap and how to avoid it.