The Insecurity of Your Secure Password Policy

Let’s say you have a password policy that mandates that passwords change every 90 days. Also imagine it takes 1-2 days for the user to get everything back in sync. They have their password manager, different web applications, maybe their iOS keychain…  You start warning people 10 days in advance. Also, you have systems that only allow passwords of certain lengths, and…  where was I?

What percentage of users do you think are using a password manager that randomly generates that password?  Don’t forget there are systems that people need to log into that don’t have any way to directly insert from a password manager app.

Instead, you’re going to get a password progression like:

  • Puppies1!
  • Puppies2?
  • Puppies3!
  • Puppies4.

So if you have one set of compromised passwords, it is pretty likely that a WHOLE PASSWORD GENERATING METHOD is compromised for many users. The existence of a single digit and a single punctuation mark as above is a tell-tale sign of this. All an attacker needs to do is take those password patterns and increment or decrement the digit that comes with the password to try on other sites.

The extra burden of trying to come up with memorable but unique passwords so often is forcing users to dumb down their passwords.
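One mitigation for the “Puppies1!, Puppies2?, Puppies3!” progression is to check a proposed password against the user’s previous ones at change time and reject trivial variants. The following is an added example written for this post, not code from the original; it assumes a constructed `HISTORY` list of a user’s earlier passwords and flags three things the post describes: the word-plus-digit-plus-punctuation “counter” shape, a new password that shares its stem with an old one, and a new password within a couple of edits of an old one.

```python
"""Password-history similarity check (added example, not from the original post).

Flags a candidate password that is a trivial variant of one the user has
already rotated through, so that "Puppies4." cannot follow "Puppies3!".
"""
import re

# Trailing run of digits, punctuation or underscores: the "counter" users bump
# when forced to rotate, e.g. the "1!" in "Puppies1!" or the "4." in "Puppies4.".
_COUNTER_SUFFIX = re.compile(r"[0-9\W_]+$")

# Whole password is letters + exactly one digit + exactly one punctuation mark,
# the tell-tale shape the post calls out.
_COUNTER_SHAPE = re.compile(r"[A-Za-z]+[0-9][^\w\s]")

REASON_SHAPE = "word + single digit + single punctuation mark"
REASON_STEM = "same stem as a previous password"
REASON_EDITS = "within a few edits of a previous password"


def stem(password: str) -> str:
    """Lower-cased password with its trailing digit/punctuation counter removed."""
    return _COUNTER_SUFFIX.sub("", password).lower()


def has_counter_shape(password: str) -> bool:
    """True for passwords built like 'Puppies1!'."""
    return _COUNTER_SHAPE.fullmatch(password) is not None


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches variants that change more than the suffix."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_password(new: str, history: list[str], max_distance: int = 2) -> list[str]:
    """Return the list of reasons to reject `new`; an empty list means it passes."""
    reasons = []
    if has_counter_shape(new):
        reasons.append(REASON_SHAPE)
    new_stem = stem(new)
    # An empty stem (password made only of digits/punctuation) is not a useful key.
    if new_stem and any(new_stem == stem(old) for old in history):
        reasons.append(REASON_STEM)
    new_lower = new.lower()
    if any(levenshtein(new_lower, old.lower()) <= max_distance for old in history):
        reasons.append(REASON_EDITS)
    return reasons


# Constructed sample history, mirroring the progression in the post.
HISTORY = ["Puppies1!", "Puppies2?", "Puppies3!"]

if __name__ == "__main__":
    for candidate in ["Puppies4.", "Puppiez1!", "Kittens1!", "PUPPIES-2024",
                      "correct horse battery"]:
        verdict = check_password(candidate, HISTORY) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

A check like this needs the old passwords in plain text, which a sensibly designed system does not keep; in practice it runs only against the previous password the user has just typed to authenticate the change, or by hashing a few counter-bumped variants of the new password and comparing those against the stored history hashes.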

Features in Microsoft Outlook that would do some *good*.

(Outlook client and Exchange server are lumped together here.)

“Reply to all” goggles.

Test Mail Goggles (Photo credit: tchuntfr)

GMail once offered “Mail Goggles” in Google Labs that would require you to solve 5 basic arithmetic problems in a certain amount of time in order to send a late night email. You were able to preset the difficulty and the hours that it was active.

In an Outlook version, the mail server administrator could set the difficulty and type of problems required, and possibly a minimum threshold of participants before it was required, so that a team of 3 people could “Reply to All”, but someone couldn’t reply to everyone on an email about health benefits with a question about their preexisting condition without at least jumping through a few hoops first.

Automatic large image converter and scaler.

Does Outlook still by default embed images from Windows as .bmp files? Being able to email screenshots is nice, but 1024×768 bitmaps will quickly eat up a stingy mail quota. The more tech-savvy users can quickly figure out how to send emails as web pages and images in a lighter-weight image format, but the users sending you screenshots of something that “isn’t working” aren’t as likely to be Outlook power users.

Split large attachments in Calendar invites into a separate mail message.

How often do you receive party or big event invitations that have an embedded 8.5″x11″ bitmap file that was exported from a PowerPoint slide in which the invitation was drawn? Isn’t it lovely that *everyone’s calendars* by default have that 3+ MB file in their Calendar, and when you look in Outlook folders for the messages that are eating up your [ridiculously small] mail quota, you can’t find them because they’re in your calendar?

At the expense of adding duplicate emails to my inbox, I’d rather have the message with attachment split off as a separate email that I could send immediately to my trash than a Calendar invite that I have to modify to save space.

Out-of-office replies only to original sender on an email chain

Out-of-office replies only get sent one time to a sender, but nothing is more annoying than having to reply-to-all on an email chain, only to get blasted by “out-of-office” replies.

“Unsubscribe” for email chains.

Imagine that someone included you on a email about a topic because they thought you were a stakeholder, or maybe that people are replying to all on an email list that has wide distribution and are committing all sorts of faux pas as part of their replies. Wouldn’t it be nice to just be able to reply with “unsubscribe” like you could do with listserv and magically have the email replies stop appearing in your inbox?

“Me too” for email chains.

Seems like 80% of an email chain’s replies are saying the exact same thing that someone else said two replies ago. Wouldn’t it be nice if Outlook could figure out that those were “me too” replies and tally them up for the original sender like the poll functionality can do and leave everyone else’s email clean?


Automate Blatantly Repetitive Bureaucratic Tasks

AutoHotkey logo (image via Wikipedia)

(No, this isn’t a paid advertisement, unless they decide to pay after the fact.)

Ever have one of those tasks on your computer that you feel like you could get a robot to do? I found that AutoHotkey works well for this purpose.

You can record tasks in specific windows that you have open and have them repeat the next time you need them.  Recording tracks mouse clicks and keyboard presses and records them to a readable script file.  You can then edit the generated script and add delays.

This sometimes proves useful when you have to set up detailed time sheets through a slow interface.  You can record what you need, press the button, and let things go.


Offensive Email

No, not offensive email that will get you in trouble with HR, just with the recipients of your emails who already have enough bloat in their inboxes.

This email is all wrong. Don't send it.

What’s the problem?

  1. I think we covered the part about motivational sayings in email signatures previously
  2. The information block in your email signature is excessive. Internally, we know what company you work for. Externally, the title/department information probably won’t mean much.
  3. You’re sending an email for a one word reply. I know acknowledgment is necessary, but coupled with everything else, it’s excessive.
  4. Your one word reply is the same as your valediction or complimentary close:  “Thanks. Thanks,” sounds like “Pizza! Pizza!”
  5. You have an image that’s larger than the rest of your excessive signature block and message body combined–and it’s taking up way more space in email [if you’re using Outlook] than it did on the computer you copied it from.

Read Receipts in Outlook

Read receipts can be obnoxious. Outlook’s handling of them can be equally obnoxious.

I curiously received a read receipt in Outlook when I scheduled a meeting, that meeting was forwarded by an invitee of the meeting, and the recipient of the forward accepted.

Why, Outlook? Why? I don’t want read receipts. I don’t want a read receipt for every recipient of the 100 emails I sent last week. I have enough time balancing between my inbox quota and keeping the necessary emails on the server so that I can access them remotely.

Of course, after seeing the read receipt, I was curious how many people I’m sending read receipts to and not knowing it–so I turned on the option to “Ask me before sending a response” to read receipt requests:

  • In Outlook 2007, select the Tools menu.
  • Click on “Options…”
  • In the “Preferences” tab [the default tab], click the “E-mail Options” button.
  • In the “E-mail Options” window, click the “Tracking Options” button.
  • You have three options for setting the response.
    • Always send a response
    • Never send a response
    • Ask me before sending a response

Apparently, “read receipts” also mean “send a message if recipient deletes the message without reading it.” That concept is creepy enough, but apparently, even the messages that are just notifications that a recipient has accepted a meeting invite send receipts back if the recipient of the acceptance notification deletes the email.

I wonder if it sends a read receipt when I’ve read someone’s “Out of Office” message. I wouldn’t be surprised.

Inbox Trolling

A fun game to play when you have a completely unmanageable inbox is to start replying to long email threads that you were included on but never participated in. It helps if the administrators of your mail system allow messages to stick around for about 3 months–usually long enough to potentially impact a decision, but way too late to do so without tremendous cost.

The key is to remain inconspicuous about your trolling. You must raise legitimate concerns, but not be too adamant about decisions being changed. The best policy is to plant little nagging doubts in everyone’s minds, then walk away.

Start with the oldest threads first, resurrecting them in mid-discussion, then sit back and watch the discussion re-ignite.

Repeat in sequence with newer threads in your inbox once the entertainment value of the current thread dies away.

Instant Messenger is the Devil

I have my list of things to do. I’m right in the middle of wrapping one thing up, when *ping*.  A blinking notification on the task bar of my Windows machine, and a pop-up preview of a “yt?” message.

Gah.  I’d like to ignore the message, but then, that just means that Outlook will consider this a missed conversation and send it to me in an email. Either way, I’m marked away from my desk–unthinkable that that should happen at any point between 11am and 1pm.  Apparently, for impromptu instant messages, this is the time range in which senders figure they’re most likely to get a response, much like telemarketers at dinner time.

Back to reality…  I decide to respond, because it’s rude to not respond to a flashing notification and a “ding” noise.

The sender’s response is a simple question, which requires me to temporarily abandon the half-completed email that I was composing, and search my inbox for a message that answers the question.  This takes 15 minutes, because I eventually have to resort to sorting by sender, by conversation, by date, by size to find what should have been fairly easy to conduct a simple search on.  Question answered, and I forward the email that describes the answer in great detail.

I then take 5 minutes to regroup, and begin to focus on my next task.  20 minutes into that task, another impromptu instant message with similar results.

Fast forward to the end of the day:  I have 3 half-completed documents and 5 draft emails composed, and now, I can’t shut down my computer without dealing with them.

I guess I could’ve gone through the day with “do not disturb” on, but then people not nearby in the office would have assumed that I was out of the office and not working, which is fine until people start assuming that I’m never in the office.

Ok, maybe instant messenger isn’t the devil, but a stalker or overbearing significant other.


Some really good insight into why we all hate PowerPoint…

Renegade HR:  The Folly of Powerpoint

I truly think that bad and misused PowerPoint is a symptom of a bigger problem:  either lack of intrinsic understanding of what you’re talking about or lack of writing skills.  Maybe you even have both problems.

The same goes for long-winded white papers.  At least in the case of the white paper, the individual circumstances of your audience are an unknown, so the lack of understanding on at least one side is understandable.  Ultimately, however, if you are defining what the problem is and how to solve it, you should have the depth of understanding to break down your message into very simple terms.

Which brings me back to PowerPoint:  If you don’t have a strong enough understanding of a topic to put fewer than 100 words [YIKES!] on each slide, you probably shouldn’t be presenting on it.

Every one of the four tips mentioned in the post (tell stories, stop using bullets, stop using words, go naked) only works if you have enough understanding of your topic to let go of your slide show.

Otherwise, you’re just reading aloud the big print version of a research paper.

The double-sided copy initiative

I have doubts about this concept of using double-sided copy as the default on copying. I realize that I don’t do 50-copy jobs or copy stacks of 100 sheets of paper, but I seem to always throw away twice as much paper as I originally planned on using. Judging by the recycling bin next to the copier, I’m not alone.

The larger problem for the environment is the possibility that most of us probably don’t need to be making copies of most of this stuff in the first place.  There are much better ways of sharing 10-50 copies of a document in this century than making printed copies–even if they are double-sided.

I have a better idea for a green initiative: Put the copying machines in one place in the building, and not next to every 50 cubicles. Cut the number of available machines in half [or less].  If someone truly needs to do a large copy job, they’ll make the trip to the copy room. For the rest of us, we’ll think twice about making the copies in the first place.

Our content filtering blocks “blogs”. Maybe we should block the “Internet”, too.

Apparently, there is dangerous stuff out there online.  Individuals are writing these subversive things called “blog posts”.  Word is, that if an employee of our company comes across one, all productivity ceases.

Unfortunately, much of the current or obscure information that I’m looking for online happens to be in either forums or blog posts.  I’ve heard these “internet forums” are dangerous, too.

There’s nothing more frustrating than finding the solution to a specific problem I’m having by doing a search, only to find the article which contains the answer is blocked because it’s on a “blog”.

This approach is tremendously effective in preventing me from wasting time, of course, considering that I can pull up all those awful “blog posts” on my smartphone.  Of course, if I’m trying to actually bring up a useful page, I have to view it on a 3.5″ screen.