Showing posts with label passwords. Show all posts

Wednesday, August 20, 2025

Got Caught with a Phishing Attack

Yesterday I received an e-mail from what I thought was my e-mail provider telling me I needed to change my password. It is something that happens every year or so. It really should be more frequent but I never look forward to changing passwords and am happy with the current frequency. I put off changing my e-mail password yesterday and decided to give it a try today.

First of all, the e-mail looked like it came from my service provider, which is to say it looked plain and simple. I clicked on the link and entered my current password. I immediately saw an invalid-password message. I entered my old password again with the same result. At this point I went back to the e-mail and realized someone was just looking to get my e-mail password. I felt like a fool.

Fortunately I realized within 30 seconds what was happening and immediately changed my e-mail password. I had to change it in my mail client for both incoming and outgoing messages. This caused very little disruption but I still felt bad for something I should have been able to prevent.

There is a rule we should all follow when an e-mail asks us to log into a system. That rule is to type in the URL of the site asking you to log in and not just click on the e-mail link. I didn't do that and now I can never use that password again for e-mail. I probably should never use it for anything. That is too bad because I liked it and doubt anyone would have guessed it even though I had an easy time remembering it. 

Wednesday, April 23, 2025

My Mac Not Recognizing my Password

Earlier this week I tried to log into my personal desktop computer, which is a Mac Mini from a few years ago. The machine is connected to the Internet but impossible to reach from outside my office, thanks to how I have set it up. As the only way to get on the computer is by being in my physical office in my house, I have a relatively easy password that I always remember. For simplicity's sake, let's assume that the password is "password" even though it is something different.

I went to log in and the computer didn't recognize my password. I thought I may have mistyped it so I tried again only to be denied access to my computer. I tried again making sure the caps-lock key didn't get inadvertently pressed. That didn't work either. I started to panic thinking that someone had hacked into my system. Then other equally problematic scenarios started running through my head. Fortunately I knew I didn't have to worry about my computer locking me out if I tried too many times. I took a deep breath and started applying my troubleshooting skills to the problem.

I looked carefully at the password field and started typing my password and it showed me the usual dots for each character. I typed "pass" but only saw 3 dots instead of the 4 I expected. I cleared the field and tried again watching the same result. For some reason, the first character I typed was not recognized and so I tried typing the first character twice. I entered "ppassword" and my computer let me in. I felt a huge wave of relief.

Eventually I stopped using my computer and the next time I came back to it, I had to enter my password to unlock it again. Fortunately the problem with the first character not being recognized did not happen. I counted the dots on the screen and they matched each key click I entered. I have not had the problem since that one time.

Should you find yourself trying to log into a Mac unsuccessfully, I suggest counting the dots and making sure all the characters are being recognized. If not, do what I did and double up on the first one. It may save you an anxious moment or two like I had.

Tuesday, October 1, 2019

Time to Change my Password Again

This morning I got an automated e-mail telling me it is time to change my password again. I have been getting them for the past several days and if I wait until tomorrow it will be too late. I have written in the past about ideas for passwords and I got another good suggestion today.

The password for my laptop has remained relatively the same for the past 10 iterations. I use something like "ThisIsVersion1ofMyPassword." It is a long sentence and all I need to do is change the version number to the next one in the sequence. It works well except I didn't want to start adding 2-digit numbers. One of my colleagues suggested using letters. At first I thought that would be a horrible idea because "ThisIsVersionaofMyPassword" just doesn't make as much sense. Sure it is easy to remember and I definitely think it makes it more difficult for people to guess my password. After all, what does "a" represent?

I thought about it a bit more and remembered the line from the movie "The Martian" where Matt Damon has an epiphany with hexadecimals. For those that don't know, hexadecimal is a base-16 numbering system. Instead of creating new symbols for the numbers between 10 and 15, you just use the letters a, b, c, d, e, and f. The letter a is equivalent to 10, b = 11, c = 12, etc. If you ever take a peek at your computer or phone's MAC address, it is written as a hexadecimal number. So to me, "ThisIsVersionaofMyPassword" is really equivalent to "ThisIsVersion10ofMyPassword" but with one less character.

While saving one character in a really long password is not that big of a deal, I have discovered that typing a single letter is significantly easier than typing a number. Don't get me wrong, I still include other numbers in my passwords to make them more difficult to guess. Reducing the amount of them makes my password easier to type. Hopefully you will find this trick useful with your passwords as well.

Monday, December 18, 2017

Online Security

This afternoon I spent several hours reading through computer and online security policies for my company. They are not different from what you would find at any company concerned about making sure sensitive information remains so. While there is a lot that I read, the interesting point I would like to share today is with passwords.

I am going to start by saying that I hate my company's password policy. My company laptop password has to be a minimum of 12 characters, contain upper and lower-case letters, contain at least 1 number, and can optionally contain symbols. Furthermore I have to change the password every 90 days but cannot change it within 2 weeks of creating a new one. Why? So users don't just cycle through difficult passwords until they get back to their familiar one. We cannot use the same password again for a really long time. That means our password system remembers quite a few of our old passwords and won't let us re-use them. Of course, we are not allowed to write our passwords down. While this all sounds cumbersome to me, it actually has merit and should be adopted by others concerned about security.

Instead of looking at long passwords as being difficult to remember, I now look at them as ways of creating short sentences. For instance, when I have to create a password for someone and give it to them with the instruction to change it immediately, I always use something funny like "MattIsT0tallyAwesome!" It is longer than the 12-character minimum and is filled with upper and lower-case letters. I have also replaced one of the letter O's with a zero so I get a number in there. Then I end with the exclamation point which is an optional symbol.

The other thing that can get confusing is having to change my password so frequently. While I have come up with a short sentence for my first password, in 3 months I will have to change it again. Instead of coming up with a new password, I simply create a follow-on sentence. One example might be "YesHeReally1s!". Notice how all the rules are followed again with the number one replacing the capital letter I in the word "is". Once again I have used an exclamation point at the end but could have used another symbol just as easily. By the time I have changed my password 10 or 20 times, I have a fairly funny dialog that has been going on. The only trick is remembering which sentence I am on for my current password, but that is much easier than remembering a bunch of random characters.

For the record, I have never used either of my example passwords and they only serve as ideas. After all, what good is having a clever password if you post it somewhere for everyone to read?
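The policy described in this post, written out as a checker. This is an added example, not part of the original post and not the company's actual system; the history depth of 10 and the use of PBKDF2 for the remembered passwords are assumptions, since the post only says the system remembers "quite a few" old passwords.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

MIN_LENGTH = 12                  # minimum length from the post
MAX_AGE = timedelta(days=90)     # password must be changed every 90 days
MIN_AGE = timedelta(days=14)     # no change within 2 weeks of the last one
HISTORY_DEPTH = 10               # assumption: the post gives no number


def hash_password(password, salt=None):
    """Return (salt, digest); the history keeps these, never the plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def composition_errors(password):
    """Length and character-class rules; symbols are optional, so not checked."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("shorter than 12 characters")
    if not re.search(r"[a-z]", password):
        errors.append("no lower-case letter")
    if not re.search(r"[A-Z]", password):
        errors.append("no upper-case letter")
    if not re.search(r"[0-9]", password):
        errors.append("no number")
    return errors


def change_errors(new_password, history, last_changed, now):
    """Validate a change request; history is a list of (salt, digest)."""
    errors = composition_errors(new_password)
    if now - last_changed < MIN_AGE:
        errors.append("changed less than 2 weeks ago")
    for salt, digest in history[-HISTORY_DEPTH:]:
        candidate = hash_password(new_password, salt)[1]
        if hmac.compare_digest(candidate, digest):
            errors.append("matches a remembered password")
            break
    return errors


def is_expired(last_changed, now):
    """True once the 90-day maximum age has passed."""
    return now - last_changed > MAX_AGE
```

Both example sentences from the post pass `composition_errors`, and the minimum-age rule is what stops a user from cycling through the history in one sitting.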

Wednesday, February 17, 2016

Is it Really Hacking?

I have a son living in Armenia. He has been there for about 18 months and will be done with his assignment, ready to return in August. When he comes back he will be enrolling in the University and will begin classes in September. In order to get him ready for class, my wife has access to his e-mail account. The University is starting to send him information now and my wife wants to make sure everything is taken care of and he is ready to go. My son is relying on my wife to help with some of these tasks and is glad my wife can get into his e-mail. Is this considered "Hacking his e-mail?" I don't think so.

My son is in Armenia with a number of other American young men and women. The parents (mostly the mothers) of these kids sort of have a support group that remains in constant contact with one another. They even go to lunch on a monthly basis. Every Monday we get an e-mail from our son telling us how his week has gone. The parents in this support group also get e-mails from their children and then there is a flurry of e-mail exchanges that take place between the parents so we get an idea of how things are going for others. If any of those expected e-mails to the parents are late, there is a mass of group texting among the mothers to see who has received an e-mail and who hasn't. Sometimes e-mail servers are down and it takes an extra hour or two for messages to get through.

This past Monday happened to be Presidents' Day and it also happened that some of the e-mails were delayed. I got to listen to my wife's phone get group text message after message. I asked her what was going on and she explained about the frantic worries of mothers that had not heard from their kids. We got a letter from our son and so I knew there wasn't some sort of terrorist attack or massive earthquake over there. Eventually the mothers started calming down once they were able to "hack their kids' e-mail." They all have the passwords to their children's e-mail accounts. So they logged in and checked the "Sent" folder. Sure enough, the messages had been sent, just not yet received. I had to laugh at the term used by all of the mothers: hacked e-mail.

So that leads me to my question: Is it really hacking? Again, if you have your child's permission to log into his or her e-mail account and also have the password, I don't think it is hacking. It is more like "logging in." Perhaps I am being a bit too literal. What do you think?

Thursday, February 20, 2014

Constantly Changing Passwords

I have a number of systems that I log into for work and all of them require passwords. The majority of them enforce some periodic changing. Usually I don't mind; however, this week something strange is happening. About once a day I get locked out of my account because some automated program is trying to log into my e-mail with the wrong password. After a certain number of attempts, the system just locks me out. I have to call our help desk and have them unlock my account. This has me questioning rules in general.

As I started out with, I have a number of passwords I have to remember for work. Off the top of my head I can think of about a dozen. Generally I like to keep most of my work passwords the same. However since I am forced to change some of them on differing intervals, they are now out of sync. In fact they all seem to be different right now and that creates a problem: I can't remember which one is which. This requires me to request a new password. It seems to me that resetting passwords is yet another security risk.

I have to ask: is requiring me to reset my password every 90 days really an effective security protocol? If I only had one password to remember, I think 90 days is a reasonable amount of time. Considering I have a dozen passwords, I think 90 days is too short. Perhaps those responsible for security should consider that as they set policy and take a broader view instead of just the simple case.

Thursday, March 31, 2011

Time to Update My Password

For the past couple of days, my Windows machine has been warning me that my password is about to expire. Today I finally decided to change it. I have three different passwords that I have used on this machine already and I was hoping to just recycle one of them. Unfortunately Windows keeps track of my last five passwords and so I couldn't. It was time to come up with something new.

Previously I mentioned using an old locker combination and this crossed my mind. I wanted to do something a bit different and so I decided to try something else. I am sure others have the same issue and so I thought I would write about some ideas for coming up with memorable passwords.

Passwords should be a word or phrase that you will remember but are impossible to guess. You should also never use a word found in a common dictionary. So how are you supposed to remember your password if it is not in a dictionary? This is where you get creative.

First, I like to come up with a hobby or interest such as football. Then I choose a word or phrase longer than six letters associated with that interest such as:

touchdown

Next I replace certain letters with numbers that look like letters. I am always confusing the letter O and the number zero and so that is a good starting place. You can also replace the letter E with the number 3 or the letter L with the number one. Doing this leads to:

t0uchd0wn

I also like to capitalize at least one letter in the password. This leads to:

t0uchD0wn

I also like to include at least one special character. The "at" sign or @ is always a good replacement for the letter A, but I don't have any of those in my example. We could add an underscore between "touch" and "down". My personal preference is to add an exclamation point after such an event and so my password might look like this:

t0uchD0wn!

Now if I was to go back and create a password cracking program, it would take a lot of different permutations to guess this one. That makes it a good password. Throw in that it is easy to remember and I am ready to use it.

Now comes the full disclosure. I do like football, but not enough to use "touchdown" as my password. So if you ever try to break one of my passwords, it won't be this one.
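To put a number on "a lot of different permutations", this added example (not part of the original post) estimates how many guesses cover every spelling of a word under the rules above, and compares that with a random string of the same length. The four-word list and the 100,000-word dictionary size are assumptions, and the mid-word underscore option is not counted.

```python
import math
import string

# Substitutions named in the post: O->0, E->3, L->1, A->@.
LOOKALIKES = {"0": "o", "3": "e", "1": "l", "@": "a"}
SUBSTITUTABLE = set(LOOKALIKES.values())
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94

# Constructed sample; a real strength meter would load a large word list.
WORDLIST = ["password", "football", "touchdown", "baseball"]


def base_word(password):
    """Undo the trailing symbol, the capitals and the look-alike characters."""
    core = password.rstrip(string.punctuation).lower()
    return "".join(LOOKALIKES.get(ch, ch) for ch in core)


def variants(word):
    """Spellings of one word under the post's rules: each letter is lower,
    upper or (if it has one) its look-alike, followed by no symbol or one."""
    per_letter = math.prod(3 if ch in SUBSTITUTABLE else 2 for ch in word)
    return per_letter * (1 + len(string.punctuation))


def estimated_bits(password, wordlist=WORDLIST, dictionary_size=100_000):
    """log2 of the guesses needed; dictionary_size is an assumed list size."""
    word = base_word(password)
    if word in wordlist:
        # Pick a word, then pick one of its spellings.
        return math.log2(dictionary_size * variants(word))
    # Not a respelled dictionary word: score it as a random string.
    return len(password) * math.log2(len(ALPHABET))


if __name__ == "__main__":
    for pw in ("t0uchD0wn!", "xQ7#mZ2&kP"):  # second value is constructed
        print(pw, round(estimated_bits(pw), 1), "bits")
```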

Wednesday, October 20, 2010

Combination Locks and Passwords

Yesterday I got to do a bit of shopping and picked up a lock for my bicycle. Now I can use my bike to go shopping and not worry about leaving my bike in the front of the store. While I was making the decision, I had a choice between a combination lock or a key lock. I decided on a combination lock so I don't have to worry about always having the key with me.

When I was about 8 years old, I discovered that padlocks came in two basic versions: keyed or combination. I told my dad that I didn't ever want a combination lock because I might forget the sequence of numbers. He informed me that it was much more likely that I would lose the key. When I finally got to Junior High, I was issued my first combination lock and quickly overcame my fear of using random numbers to open doors. I still have a padlock that I got during that era of my life and have not forgotten the combination even though it can be years between uses.

Several months ago, I was headed to the airport in Salt Lake when I realized that I left the keys for my California car at home. I had to rush home, get the keys, and return to the airport. I made my flight with only minutes to spare. Had I forgotten my keys, it would have been impossible to get my car out of long-term parking. I would have had to get my wife to FedEx them to my office and paid for an extra day of parking. I would have also had to find an alternative way to get from the Oakland airport to my office in Foster City. I now have a spare car key that I keep on the boat in case something similar happens again.

Thinking about my new bike lock and why I chose the one I did reminded me that we use combination locks all the time. Every time I use an automatic teller machine to withdraw money from the bank, I use a 4-digit combination or password. Every time I log into one of my many computers, I am forced to use a password which is a type of combination lock. That gives me an idea for a new password: thirty-0-twenty4, my old combination lock from Junior High.