Thursday, April 17, 2014

Using Login Info Spreadsheets to Keep Track of Login Info

Disclaimer/Warning: Never keep your passwords in a text file on your computer, in your email, on a website, or anywhere on a computer or online.  That's not what this article is about.  In fact, the most secure thing to do is to not keep any of this stuff on your computer.  More on this later...

What we are going to talk about is how to create our own set of documents that will remind us of what our Login Credentials (password, email, etc.) are without going through the password reset process.

Disclaimer/Warning: Make sure these sheets don't fall into the wrong hands - they might not allow people access to your accounts in and of themselves, but it would be a useful cross-referencing tool to determine what accounts you're in control of...

But... why would I need to keep track of my personal login information?

If you already know why, you can skip to the next section.  If you don't, read my New Reasons to Keep Track of Login Info blog post.

The main message here is don't lose your login info.  It's up to you to keep track of it, and this is a relatively secure and simple method I use to do just that...

0. Getting Started

Start by creating a really good, long password. If you're not sure how to do that, read my Creating a secure password you can remember post. It will show you how to create several great passwords from one memorable sentence.  We'll assume you read that already.  You can still use your old password if it is secure enough and hasn't been compromised...

Note: You can use any program you're comfortable with to make these sheets - as an example I'm using Google Spreadsheets because it's free, online, and accessible on all my devices (phone, computers, tablets, etc).  You'll want to fill out both these sheets at the same time, and when you open the examples and compare them to one another, you'll see why...

1. Create a Login Info Helper spreadsheet

This sheet serves to remind you of your logins, associated emails, etc. and how you code your passwords.  Since it contains personal information (email addresses, usernames, etc.) it should be kept secure, and shouldn't really be digital at all.

Login Info Helper

2. Create a Login Info spreadsheet

This sheet is a coded reference sheet that serves to remind you of your Login Credentials.  Since it's coded it doesn't need to be as secure as the Login Info Helper, and if it is in your cloud it can be used to quickly jog your memory or at least give you a starting point when guessing what your password might be.  The safest thing to do is to keep it hidden and secure in a place that's separate from the other document(s).

At the bottom of the example below you'll see tabs called "Coded" and "Decoded Using Login Info Helper Spreadsheet".  Click between the tabs to see what happens when you take the Coded tab and decode it using the Login Info Helper spreadsheet.

Login Info

The Decoded page is a page representing what goes on when you compare the two sheets together.

That's it!  With these two spreadsheets available to you you're not likely to forget your Login Credentials - except maybe your password.  As long as you have a strategy for coming up with memorable passwords and/or remembering passwords you're in good shape.

To get started, copy the content of the spreadsheets below into your own documents, print (recommended) and fill in the information (not your passwords, of course)!

Login Info Helper Spreadsheet - Generic
Login Info Spreadsheet - Generic


You may want to keep a written record of what your passwords are, but I can't recommend it.  If you decide to do this, however, you should do it in the real world on a well hidden sheet of paper.  I'll probably write a future post with suggestions on how this could be done, but for now I'll just say "I can't recommend it".

What you should not do is keep your raw passwords on your computer.  If malware got on your computer then a hacker or bot could steal your list of logins and passwords.  It is much more difficult to search a library, house, or closet for a document containing passwords than it is a computer.  If one of your accounts or computers is compromised it's natural to assume they have your passwords already, but they probably don't have more than one (if that).  If they are in a text file on your computer, though, it won't be long before they find them, upload them to a server, and sell the data to companies that pay poor people $1 a day to ruin your life.  I'm not kidding :-/

If any of your passwords have ever been on a computer or common knowledge, it's time to make new passwords.  Start by reading my Creating a secure password you can remember post, and use the method above to keep track of things!

New Reasons to Keep Track of Login Info

Well, to be fair these aren't all new reasons per se, but there are an increasing number of consequences facing those of us who forget our login credentials.  The new consequences have ramifications which have consequences of their own...

Account Security

You may have noticed a gradual and constant shift in attitudes over the past several years when it comes to account security.  Whereas once you were allowed to remain logged in to Hotmail for 13 years, you are now required to log in daily or weekly.  Captchas, maximum failed login attempts, new hoops required to reset passwords, sessions that time out, etc.

Contacting Support

If you lose your ability to log in there are no longer numbers to call or people to talk to (yell at) until they agree to reset your password.  Google is a great example - there is no phone support for a free Google account.  If you lose access to your Google account and you haven't associated valid emails or phone numbers with your account (which they'll only ask you to do if you use the web interface) you may not ever be able to prove who you are to the robots.

Why now?

The reason for these beefed-up security measures is simple - the way our service providers were doing business on the internet for the last 20 years was never secure.  Their security measures were based on a blind faith attitude positing that requiring actual proof that you aren't an impostor wasn't necessary, and that for the most part no one was trying to steal account info and commit other offenses.

Of course, there have always been hackers, but in recent years people have begun to take advantage of how many intelligent, underpaid, underemployed people there are - in the US and other countries. They have set up businesses designed to defraud and take advantage of the droves of uninformed people populating the web.  There are plenty of people in the world that will work for low pay doing nefarious things, and there is a lot of money to be made by doing those nefarious things, but that's a subject worthy of another post.

Faced with these new forms of old miseries, the companies came up with more stringent security policies that make creating, recovering, and remembering login credentials, well, cOmPlIcAtEd!

Personal Reasons

Many of us have lots of email addresses, login names, userIDs, and the like.  Each site seems to have different criteria for choosing a "secure" password.  Each site needs (at the very least) a username, email, and password.  It is generally not a good idea to use the same password on each website, and there are reasons for that as well that are often unclear to the average user, such as the fact that your online identity may be indexed and cross-referenced, and your login info for other sites may be known to someone who hijacks and harvests your email and address book.

People oftentimes assume that if they are hacked, they'll know it.  Symptoms include strange emails being sent from their account, etc., and they know they need to login and change their password when they get a chance to stop the leak...


However, if you are hacked there's every possibility that you won't know it, and that instead of the hacker using your address to send out a few goofy emails or using your account to buy an xbox they will instead upload your name, home address, phone number, username, password, email history, purchase history, address book, list of logins and passwords, etc. to darknet databases where it is merged with all the other information they have collected about you and everyone you know! The information in these databases is for sale, in whole or in part, to anyone, and may not be used for years (if ever).

Being locked out of your accounts because of failed login attempts and/or permanently losing access to your account and all its data isn't fun.  To make matters worse, when it comes to actually managing your login information the only advice you get from IT people consists of what not to do, not what to do.  They tell you, for example, not to write down your passwords - which is good advice up to a point...

The traditional method of regaining access to your accounts is always a bit sketchy... either it's far too easy to be secure or too difficult to remember when you need it (Security questions, etc.).  Also, at the end of a rather long road you oftentimes have to reset your password and then set it back to something new anyway.  The new password you create has to be different from the one you forgot in the first place (which by this time you remember).  Your new password is complicated and if you don't take action quickly, you'll forget it.  If you don't have access to the email account they send the password reset instructions to anymore... what do you do then?

And even if they do give you access again, is that what you want?  What if you aren't you?  The security is there for a reason! If someone does try to gain access to your account the security measures make a lot of sense.  The only thing you have left to complain about is that every company has a different method for allowing you to regain access to your account... but that's a first-world problem we can remedy by simply remembering our Login Info in the first place.

There is a method I've come up with to manage my own information which I'll share with you - Using Login Info Spreadsheets to Keep Track of Login Info
With this method, it's possible to keep everything straight so that you're secure and you can always regain access to your accounts simply by reminding yourself what your password is!

Sunday, April 13, 2014

Creating a secure password you can remember

When someone gains access to your accounts by guessing your password, it's not really hacking per se - it's some combination of guessing and typing.  The modern world is populated (in part) by malicious guessers and typists, most of whom luckily do not possess the skills or tools to actually hack your password.  There are, however, tools that can be downloaded by anyone that do the guessing and typing for someone.  When you are hacked in this way, it is usually because your passwords were not strong enough, leaving you vulnerable to this basic type of attack.

The purpose of this article is to provide you with a method to come up with secure passwords you can remember that will protect you from typists and guessers, not from government agencies or determined people who really want access to your data.  It's a method of password authoring that will help protect you from basic attacks while at the same time giving you a method of remembering your own passwords.  If you're a person whose password is "beanbag1943" because you can't remember anything else - this article is for you ;-)

1. Choose a really good, long password sentence
Come up with a sentence you can remember.  The length doesn't matter, but longer is more secure. Don't worry, when less security is desired your long(est) password can be abbreviated.

Example sentence: My dinosaur spot is a dog

2. Turn your password sentence into a longest password
  • My dinosaur spot is a dog
  • mydinosaurspotisadog (spaces removed)
  • myDinosaurspotisaDog (some words capitalized)
  • myDin0saursp0tisaD0g (some alphabetic characters replaced with similar looking numeric characters)
  • myDin0saursp0t!saD0g  (some alphanumerical characters replaced with similar looking punctuational characters)
    • Note: Be careful here, because some services won't allow you to use certain special characters in your passwords.  These are usually older and less secure sites, but you’ll still need to access them.  As a result, the beginning of your password should be less secure than the end so you can use a shorter version when necessary.
myDin0saursp0t!saD0g is a pretty good password that meets most of the criteria required by, say, a modern banking website.  Using the same method, let's make a couple more longest passwords out of sentences you might come up with for yourself.

Hover your mouse cursor over the links below (don't click, hover) to view the password sentence these passwords were created from.



Okay, we're going to call those passwords your longest passwords.  They're pretty easy to remember if you remember the sentences.

3. Turn your longest password into a series of shorter passwords
  • Longest: iTw4stheb3stofw1nes!twaSthew0rst0fsoup5
  • Longer: iTw4stheb3stofw1nes!twaSthe
  • Long: iTw4stheb3stofw1nes
  • Short: iTw4stheb3st
Optional: Add some other characters

That's it!  You now have one very complex password and 3 others.  If someone was able to guess or obtain your short password they would still not be able to guess the long, longer, and longest ones.  Simply choose the level of password security you want for each site and use an appropriately complex password to access it.
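Choosing a tier per site can be written down as a small check. The sketch below is an added example, not part of the original post: it rebuilds the four tiers from the coded words of the example password and picks the longest tier a site accepts. SitePolicy, build_tiers and strongest_accepted are hypothetical names, and the split of the password into words is an assumption.

```python
# Added illustration of step 3 and of the special-character note in step 2.
# SitePolicy, build_tiers and strongest_accepted are hypothetical names.
import string
from dataclasses import dataclass

# Coded words of the page's example longest password, in order.
# The split into words is an assumption made for this example.
WORDS = ["iT", "w4s", "the", "b3st", "of", "w1nes",
         "!t", "waS", "the", "w0rst", "0f", "soup5"]
# Word counts at which the page's Short, Long, Longer and Longest tiers end.
CUTS = {"short": 4, "long": 6, "longer": 9, "longest": 12}


@dataclass
class SitePolicy:
    """What a site accepts: a length limit and a set of special characters."""
    max_length: int
    allowed_specials: str = string.punctuation  # assumption: the site lists these

    def accepts(self, password):
        ok_chars = set(string.ascii_letters + string.digits + self.allowed_specials)
        return len(password) <= self.max_length and set(password) <= ok_chars


def build_tiers(words, cuts):
    """Join the first N coded words per tier, so every tier ends on a word boundary."""
    return {label: "".join(words[:n]) for label, n in cuts.items()}


def strongest_accepted(tiers, policy):
    """Return (label, password) for the longest tier the site accepts, or None."""
    by_length = sorted(tiers.items(), key=lambda kv: len(kv[1]), reverse=True)
    for label, password in by_length:
        if policy.accepts(password):
            return label, password
    return None


if __name__ == "__main__":
    tiers = build_tiers(WORDS, CUTS)
    # Constructed sample policies, not taken from any real site.
    samples = {
        "modern bank": SitePolicy(max_length=64),
        "older site, no specials": SitePolicy(max_length=32, allowed_specials=""),
        "16-character limit": SitePolicy(max_length=16),
    }
    for site, policy in samples.items():
        print(site, "->", strongest_accepted(tiers, policy))
```

The site that rejects special characters falls back to the Long tier because the first "!" only appears in the seventh word, which is why the note in step 2 keeps punctuation out of the beginning of the password.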

Want to try it?  Print and fill out the Password Authoring Worksheet.  You can keep your passwords somewhere secure and offline after you're done, but you should probably destroy your worksheet.  After you've done it a few times you can probably do it on a blank sheet of paper anyway.  Definitely don't keep important passwords in public view.

General Advice and Suggestions
  • Create a new longest password at least every year
    •  A good label for your password would be "2013 longest", etc.
  • Combine old passwords with new ones to make different passwords!
    • ex: iTw4stheb3stDin0saur
  • Make certain you have adequate antimalware protection. You can have the best passwords in the world and still be hacked if you have a keylogger installed. 
  • Only create accounts and log in to websites you trust
  • Only log in to your accounts from computers you trust
  • Only log in to your accounts from locations you trust
    • For example, don't do any online banking from Starbucks or an airport lounge.
  • Use coded Login Info Spreadsheets to remind you of your login info - just in case
    • Tutorials on creating these sheets are coming soon!
  • When updating passwords, be careful when you type them so you don't get locked out!
  • Don't get locked out of your Google account
  • Don't keep your passwords in documents on your computer or the internet 
One last thing...

Never give one of your passwords to someone you don't trust (and never trust anyone you don't know); type it yourself.  Never say your password out loud.  Never type it with someone watching.  Never brag about how you "use the same one for everything and it's so easy - it's my birthday".  Your password should be yours alone.  As far as the rest of the world is concerned, if someone logs in as you they are you.  The days of consumers being forgiven for having their account information stolen and misused are numbered... Be careful out there!

Friday, April 4, 2014

Make a Universal RSVP Using Google Forms

Collecting RSVPs and Polling Data is useful for planning events, managing club or group activities, etc. but it can be a hassle to set up a separate form for each event or poll...  Users also dread having to learn how to use a new system each time information needs to be gathered from them. One solution to this problem is to create an RSVP that can be used for any event or poll.

Let's look at some oft-overlooked features of Google Forms that will allow us to create a Universal RSVP:
  • Pages - Pages make it so that you can create separate pages of questions within one form
  • Go to page based on answer - this allows you to collect additional information, but only if a specific answer to a question was given.  
    • For example, if someone answers no to a specific question you can take them to a page that asks why they chose no.  The person who answers yes does not see the page asking them why they chose no.
Here is an example form - go ahead and fill it out a few times:

Universal RSVP (Form)

The responses to this form are automatically entered in the spreadsheet below - have a look:
Universal RSVP (Responses)

The responses spreadsheet is color coded to make it easier for event coordinators to deal with. The top and left hand columns are frozen to make navigation easy.  You can scroll left and right through the data. Some columns are merged to create headings for the different "Events".

The form itself is fairly complicated on the back end, but the user never sees that - for them it's a simple and brief click-through.
When there's a new event requiring an RSVP, administrators just need to add a new multiple choice answer to the Big Question, create a page with event-specific questions, and that's it!

As an event coordinator, you can send everyone to the same place to RSVP for anything - just say "Go to the website and RSVP". 

I shudder to think about what it used to be like when we relied on paper and post or telephone to do this same thing, but the reality is that even with modern survey tools available people still collect RSVPs using email, which is almost as tedious and confusing.

By creating a consistent user experience the hope is that your users will participate more and have more confidence in their ability to participate.  Also, you're collecting participation metrics, which are useful for future planning (if they're there when you need them).

If you'd like your own form, leave a comment below and I'll post instructions on how to make one.  The Google Forms and Spreadsheets web-based applications are free with a Google Account.  If you're logged into Gmail or your Google account, you can visit drive.google.com to create a new form and experiment!  Good luck!

Monday, March 10, 2014

Google Drive Multi-Foldered File Snafu

Recently, Google Docs became Google Drive.  Google Docs was already a useful tool for authoring and collaboration, with new features being added all the time.  Along with the name change to Google Drive came the ability to sync a special Google Drive folder on your Windows computer with the GD cloud.  This sounds great, and it is great, but things can go wrong - sometimes very wrong.  The purpose of this article is to get you thinking about what could go wrong, notify you of some file management and other pitfalls and offer some solutions to problems you may run into.

Most of the things that can go really wrong have to do with discrepancies between the way that GD and Windows treat files and folders.  This info, to the best of my knowledge, is correct right now (12/02/2013) but may be fixed or changed in future versions of Google Drive’s cloud and computer interfaces and applications…  Windows is not likely to change the way it deals with files, and I believe Apple OS’s file manager functions in largely the same way, so it’s really up to Google to make the necessary changes.

  • GD = Google Drive
  • WE = Windows Explorer
  • GD folders - Within the GD cloud, “folders” were previously called labels, but now the icon is a folder, so we’ll be calling them folders even though they’re not
  • Multi-Foldered Files = files in the GD cloud that appear in multiple folders/locations in GD and WE
    • These files are treated differently by GD and WE

Multi-foldered files are really the main source of the problems we’ll encounter here - you’ll see that by simply organizing your files you can inadvertently and permanently delete them.  Intrigued?  Read on...

How GD works with files and folders:
  • One file can be in many folders
  • Duplicate filenames are allowed in the same folder
    • When GD syncs with your computer these same-folder-duplicates are renamed with parenthesized numbers
  • Characters (such as / and .) are allowed in file and directory names
    • When GD syncs with your computer the characters windows does not allow are replaced with underscores (or other characters)
  • Deleting (Removing) a folder deletes all files in the folder and also deletes the files from every other folder they are in
  • Deleting a file deletes it from all folders it is located in
  • Deleted files and folders go to the Trash
  • Files restored from the Trash go... (I'm not really sure where they return to, because I forgot to make a note of what happened in my testing, but my guess is that they would be re-multi-foldered)
  • Sharing is restored

How Windows Explorer (WE) works with files and folders:
  • One file can be in only one folder (generally speaking)
    • Duplicate filenames are not allowed in the same folder
  • Characters such as / and . are not allowed
  • Deleted files go to the recycle bin
  • Files restored from the recycle bin go into the folder they were last deleted from

When dealing with files in Windows, if you move a file from a folder in WE to another folder that contains a file of the same name, WE asks you if you want to overwrite the file.  Normally this is okay, but if those files are actually multi-foldered files within the GD cloud both files end up getting deleted!  If your multi-foldered file is in 5 folders in the GD cloud, all 5 are deleted when you instruct WE to overwrite the 1.  This makes moving, organizing, and deleting files iNcReDiBlY dAnGeRoUs!

Supposition on what I think is happening:
  1. One file overwrites the other in WE (the user allows it)
  2. The GD sync program notices that a file is gone (in this case moved) from a synced folder and orders its deletion from the GD cloud
  3. The GD cloud deletes the file and all copies of it (which weren’t really copies) from other locations (labels/folders) in the GD cloud
  4. The GD sync program checks in with the GD cloud, notices that the file is gone from all locations, and orders WE to delete the other "copies" off of your computer.
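
The four steps above can be played out in a small model. This is an added example, not Google's sync code and not from the original post: the Cloud and LocalMirror classes and the sync function are hypothetical, file identity is simplified to the file name, and only the move-and-overwrite case is modelled.

```python
# Toy model of the supposed delete cascade. This is NOT Google's sync code;
# all class and function names are hypothetical.

class Cloud:
    """GD-style store: one file object carrying many folder labels."""

    def __init__(self):
        self.folders_of = {}   # file name -> set of folder labels
        self.trash = {}        # file name -> labels it had when deleted

    def add(self, name, *folders):
        self.folders_of.setdefault(name, set()).update(folders)

    def multi_foldered(self):
        """Files whose loss in one folder would remove them everywhere."""
        return {n: sorted(f) for n, f in self.folders_of.items() if len(f) > 1}

    def delete(self, name):
        # Step 3: one delete removes the file from every folder it is in.
        self.trash[name] = self.folders_of.pop(name)


class LocalMirror:
    """WE-style tree: each folder/name path is a separate entry on disk."""

    def __init__(self, cloud):
        self.paths = {(folder, name)
                      for name, folders in cloud.folders_of.items()
                      for folder in folders}
        self.recycle_bin = []

    def move_overwrite(self, src, dst, name):
        # Step 1: the user moves src/name onto dst/name and allows the overwrite.
        self.paths.remove((src, name))
        self.paths.add((dst, name))


def sync(local, cloud):
    """One sync pass following steps 2 to 4; returns the local paths it removed."""
    # Step 2: a path the cloud expects is gone locally, so order a cloud delete.
    expected = {(folder, name)
                for name, folders in cloud.folders_of.items()
                for folder in folders}
    for _folder, name in sorted(expected - local.paths):
        if name in cloud.folders_of:
            cloud.delete(name)
    # Step 4: the file no longer exists in the cloud, so remove local "copies".
    orphans = sorted(p for p in local.paths if p[1] not in cloud.folders_of)
    for path in orphans:
        local.paths.remove(path)
        local.recycle_bin.append(path)
    return orphans


def demo():
    cloud = Cloud()
    # Constructed sample data: one file labelled into five folders, one plain file.
    cloud.add("report.gdoc", "Inbox", "Work", "Shared", "2013", "Archive")
    cloud.add("notes.txt", "Work")
    local = LocalMirror(cloud)
    at_risk = cloud.multi_foldered()          # check to run before reorganising
    local.move_overwrite("Inbox", "Work", "report.gdoc")
    removed = sync(local, cloud)
    return at_risk, removed, local, cloud


if __name__ == "__main__":
    at_risk, removed, local, cloud = demo()
    print("multi-foldered before the move:", at_risk)
    print("local copies removed by sync:", removed)
    print("left on disk:", sorted(local.paths))
    print("in cloud trash:", sorted(cloud.trash))
```

In the model, one overwrite in a single folder leaves no copy of the five-folder file on disk or in the live cloud; the only survivors are the entries in the cloud trash and the local recycle bin.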

You can recover from this error by restoring the file from your recycle bin, where WE puts deleted files by default - unless you’ve disabled the recycle bin or run out of space in it, and only if you realize it's happening.  I’m not sure at what point this type of file restore becomes unavailable for google document types (gdoc, gsheet, etc.), but remember - we’re talking about cloud computing here...  The google document is not on your computer - it’s a symbolic link to a file that is in the cloud (usually, maybe).  GD won’t keep deleted files in the cloud forever, so this type of restore should be done as quickly as possible.

It takes time for changes made on one side of the sync to be reflected in the other.  Sometimes, if you have multiple WE windows showing your Google Drive folder they will have scary x’s, which is meant to inform you that there was a sync error, but maybe there wasn’t.  

If you think you’ve messed something up, try these things first:
  • Refresh the browser window or tab that has the GD cloud web application
  • Pause and resume the GD sync application
  • Quit and restart the GD sync application and wait for a resync
  • Close and re-open any Windows Explorer windows
    • Try to keep only one WE window open on your drive at a time...

There are many situations where you may have multi-foldered files within the GD cloud.  If you have been using GD for many years, back when it was Google Docs, you may have multi-labeled your files.  If someone has shared a folder with you, it's possible that they put documents you shared with them in that folder, too… You may not even know that this is the case, but you’d better take some time to find out.  

To check to see if a file is in multiple 'folders' within the GD cloud:
  • Login to the GD cloud - docs.google.com
  • Look to the right of your file names
    • If the files are shared, it will say so
    • If the files are in other folders they will be listed there
  • Right-Click each file and choose Move To
    • Uncheck the folders until the only one that’s checked is the one you want the file to be in

  • Multi-foldered files can be turned into less volatile files quite easily, but the best (only?) way to do it safely is from the GD cloud interface.  
  • If you have any multi-foldered files in GD and you're using GD sync on WE (or other platforms) to organize your data, you may be inadvertently, silently, and permanently deleting files when you think you're only moving them.

Here's a link to a Demonstration if you're so inclined.  At the time of this writing it's not a great demo but I may update it in future.  Please comment below if you've experienced the aforementioned problems.