Thursday, April 17, 2014

Using Login Info Spreadsheets to Keep Track of Login Info

Disclaimer/Warning: Never keep your passwords in a text file on your computer, in your email, on a website, or anywhere on a computer or online.  That's not what this article is about.  In fact, the most secure thing to do is to not keep any of this stuff on your computer.  More on this later...

What we are going to talk about is how to create our own set of documents that will remind us of what our Login Credentials (password, email, etc.) are without going through the password reset process.

Disclaimer/Warning: Make sure these sheets don't fall into the wrong hands - they might not allow people access to your accounts in and of themselves, but it would be a useful cross-referencing tool to determine what accounts you're in control of...

But... why would I need to keep track of my personal login information?

If you already know why, you can skip to the next section.  If you don't, read my New Reasons to Keep Track of Login Info blog post.

The main message here is don't lose your login info.  It's up to you to keep track of it, and this is a relatively secure and simple method I use to do just that...

0. Getting Started

Start by creating a really good, long password. If you're not sure how to do that, read my Creating a secure password you can remember post. It will show you how to create several great passwords from one memorable sentence.  We'll assume you read that already.  You can still use your old password if it is secure enough and hasn't been compromised...

Note: You can use any program you're comfortable with to make these sheets - as an example I'm using Google Spreadsheets because it's free, online, and accessible on all my devices (phone, computers, tablets, etc).  You'll want to fill out both these sheets at the same time, and when you open the examples and compare them to one another, you'll see why...

1. Create a Login Info Helper spreadsheet

This sheet serves to remind you of your logins, associated emails, etc. and how you code your passwords.  Since it contains personal information (email addresses, usernames, etc.) it should be kept secure, and shouldn't really be digital at all.

Login Info Helper

2. Create a Login Info spreadsheet

This sheet is a coded reference sheet that serves to remind you of your Login Credentials.  Since it's coded it doesn't need to be as secure as the Login Info Helper, and if it is in your cloud it can be used to quickly jog your memory or at least give you a starting point when guessing what your password might be.  The safest thing to do is to keep it hidden and secure in a place that's separate from the other document(s).

At the bottom of the example below you'll see tabs called "Coded" and "Decoded Using Login Info Helper Spreadsheet".  Click between the tabs to see what happens when you take the Coded tab and decode it using the Login Info Helper spreadsheet.

Login Info

The Decoded page is a page representing what goes on when you compare the two sheets together.

That's it!  With these two spreadsheets available to you, you're not likely to forget your Login Credentials - except maybe your password.  As long as you have a strategy for coming up with memorable passwords and/or remembering passwords, you're in good shape.

To get started, copy the content of the spreadsheets below into your own documents, print (recommended) and fill in the information (not your passwords, of course)!

Login Info Helper Spreadsheet - Generic
Login Info Spreadsheet - Generic


You may want to keep a written record of what your passwords are, but I can't recommend it.  If you decide to do this, however, you should do it in the real world on a well hidden sheet of paper.  I'll probably write a future post with suggestions on how this could be done, but for now I'll just say "I can't recommend it".

What you should not do is keep your raw passwords on your computer.  If malware got on your computer then a hacker or bot could steal your list of logins and passwords.  It is much more difficult to search a library, house, or closet for a document containing passwords than it is to search a computer.  If one of your accounts or computers is compromised it's natural to assume they have your passwords already, but they probably don't have more than one (if that).  If they are in a text file on your computer, though, it won't be long before they find them, upload them to a server, and sell the data to companies that pay poor people $1 a day to ruin your life.  I'm not kidding :-/

If any of your passwords have ever been on a computer or common knowledge, it's time to make new passwords.  Start by reading my Creating a secure password you can remember post, and use the method above to keep track of things!

New Reasons to Keep Track of Login Info

Well, to be fair these aren't all new reasons per se, but there are an increasing number of consequences facing those of us who forget our login credentials.  The new consequences have ramifications which have consequences of their own...

Account Security

You may have noticed a gradual and constant shift in attitudes over the past several years when it comes to account security.  Whereas once you were allowed to remain logged in to Hotmail for 13 years, you are now required to log in daily or weekly.  Captchas, maximum failed login attempts, new hoops required to reset passwords, sessions that time out, etc.

Contacting Support

If you lose your ability to log in there are no longer numbers to call or people to talk to (yell at) until they agree to reset your password.  Google is a great example - there is no phone support for a free Google account.  If you lose access to your Google account and you haven't associated valid emails or phone numbers with your account (which they'll only ask you to do if you use the web interface) you may not ever be able to prove who you are to the robots.

Why now?

The reason for these beefed-up security measures is simple - the way our service providers were doing business on the internet for the last 20 years was never secure.  Their security measures were based on a blind faith attitude positing that requiring actual proof that you aren't an impostor wasn't necessary, and that for the most part no one was trying to steal account info and commit other offenses.

Of course, there have always been hackers, but in recent years people have begun to take advantage of how many intelligent, underpaid, underemployed people there are - in the US and other countries. They have set up businesses designed to defraud and take advantage of the droves of uninformed people populating the web.  There are plenty of people in the world that will work for low pay doing nefarious things, and there is a lot of money to be made by doing those nefarious things, but that's a subject worthy of another post.

Faced with these new forms of old miseries, the companies came up with more stringent security policies that make creating, recovering, and remembering login credentials, well, cOmPlIcAtEd!

Personal Reasons

Many of us have lots of email addresses, login names, userIDs, and the like.  Each site seems to have different criteria for choosing a "secure" password.  Each site needs (at the very least) a username, email, and password.  It is generally not a good idea to use the same password on each website, and there are reasons for that as well that are often unclear to the average user, such as the fact that your online identity may be indexed and cross-referenced, and your login info for other sites may be known to someone who hijacks and harvests your email and address book.

People oftentimes assume that if they are hacked, they'll know it.  Symptoms include strange emails being sent from their account, etc., and they know they need to login and change their password when they get a chance to stop the leak...


However, if you are hacked there's every possibility that you won't know it, and that instead of the hacker using your address to send out a few goofy emails or using your account to buy an xbox they will instead upload your name, home address, phone number, username, password, email history, purchase history, address book, list of logins and passwords, etc. to darknet databases where it is merged with all the other information they have collected about you and everyone you know! The information in these databases is for sale, in whole or in part, to anyone, and may not be used for years (if ever).

Being locked out of your accounts because of failed login attempts and/or permanently losing access to your account and all its data isn't fun.  To make matters worse, when it comes to actually managing your login information the only advice you get from IT people consists of what not to do, not what to do.  They tell you, for example, not to write down your passwords - which is good advice up to a point...

The traditional method of regaining access to your accounts is always a bit sketchy... either it's far too easy to be secure or too difficult to remember when you need it (Security questions, etc.).  Also, at the end of a rather long road you oftentimes have to reset your password and then set it back to something new anyway.  The new password you create has to be different from the one you forgot in the first place (which by this time you remember).  Your new password is complicated and if you don't take action quickly, you'll forget it.  If you don't have access to the email account they send the password reset instructions to anymore... what do you do then?

And even if they do give you access again, is that what you want?  What if you aren't you?  The security is there for a reason! If someone does try to gain access to your account the security measures make a lot of sense.  The only thing you have left to complain about is that every company has a different method for allowing you to regain access to your account... but that's a first-world problem we can remedy by simply remembering our Login Info in the first place.

There is a method I've come up with to manage my own information which I'll share with you - Using Login Info Spreadsheets to Keep Track of Login Info
With this method, it's possible to keep everything straight so that you're secure and you can always regain access to your accounts simply by reminding yourself what your password is!

Sunday, April 13, 2014

Creating a secure password you can remember

When someone gains access to your accounts by guessing your password, it's not really hacking per se - it's some combination of guessing and typing.  The modern world is populated (in part) by malicious guessers and typists, most of whom luckily do not possess the skills or tools to actually hack your password.  There are, however, tools that can be downloaded by anyone that do the guessing and typing for someone.  When you are hacked in this way, it is usually because your passwords were not strong enough, leaving you vulnerable to this basic type of attack.

The purpose of this article is to provide you with a method to come up with secure passwords you can remember that will protect you from typists and guessers, not from government agencies or determined people who really want access to your data.  It's a method of password authoring that will help protect you from basic attacks while at the same time giving you a method of remembering your own passwords.  If you're a person whose password is "beanbag1943" because you can't remember anything else - this article is for you ;-)

1. Choose a really good, long password sentence
Come up with a sentence you can remember.  The length doesn't matter, but longer is more secure. Don't worry, when less security is desired your long(est) password can be abbreviated.

Example sentence: My dinosaur spot is a dog

2. Turn your password sentence into a longest password
  • My dinosaur spot is a dog
  • mydinosaurspotisadog (spaces removed)
  • myDinosaurspotisaDog (some words capitalized)
  • myDin0saursp0tisaD0g (some alphabetic characters replaced with similar looking numeric characters)
  • myDin0saursp0t!saD0g  (some alphanumerical characters replaced with similar looking punctuational characters)
    • Note: Be careful here, because some services won't allow you to use certain special characters in your passwords.  These are usually older and less secure sites, but you’ll still need to access them.  As a result, the beginning of your password should be less secure than the end so you can use a shorter version when necessary.
myDin0saursp0t!saD0g is a pretty good password that meets most of the criteria required by, say, a modern banking website.  Using the same method, let's make a couple more longest passwords out of sentences you might come up with for yourself.

Hover your mouse cursor over the links below (don't click, hover) to view the password sentence these passwords were created from.



Okay, we're going to call those passwords your longest passwords.  They're pretty easy to remember if you remember the sentences.

3. Turn your longest password into a series of shorter passwords
  • Longest: iTw4stheb3stofw1nes!twaSthew0rst0fsoup5
  • Longer: iTw4stheb3stofw1nes!twaSthe
  • Long: iTw4stheb3stofw1nes
  • Short: iTw4stheb3st
Optional: Add some other characters

That's it!  You now have one very complex password and 3 others.  If someone was able to guess or obtain your short password they would still not be able to guess the long, longer, and longest ones.  Simply choose the level of password security you want for each site and use an appropriately complex password to access it.
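The tiers in step 3 are all prefixes of the longest password, which has two practical effects worth checking before you assign a tier to a site. The Python sketch below is an added example, not part of the original post; the function names are made up for illustration. It rebuilds the four tiers from the longest password, reports which tiers avoid punctuation (the note in step 2 about sites that reject special characters), and counts how many characters of each longer tier would still be unknown to someone who already holds a shorter one.

```python
import string

# Tier values copied from step 3 of the post.
TIERS = {
    "short": "iTw4stheb3st",
    "long": "iTw4stheb3stofw1nes",
    "longer": "iTw4stheb3stofw1nes!twaSthe",
    "longest": "iTw4stheb3stofw1nes!twaSthew0rst0fsoup5",
}


def derive_tiers(longest, lengths):
    """Cut the longest password into prefix tiers at the given lengths."""
    if any(n < 1 or n > len(longest) for n in lengths.values()):
        raise ValueError("tier length outside the longest password")
    return {name: longest[:n] for name, n in lengths.items()}


def alnum_only(password):
    """True if the tier would work on a site that rejects punctuation."""
    allowed = string.ascii_letters + string.digits
    return all(c in allowed for c in password)


def unknown_after_leak(tiers, leaked_name):
    """Characters of each longer tier not covered by the leaked tier.

    Every tier is a prefix of the longest one, so only the suffix
    beyond the leaked tier is still secret.
    """
    leaked = tiers[leaked_name]
    return {
        name: len(value) - len(leaked)
        for name, value in tiers.items()
        if value.startswith(leaked) and len(value) > len(leaked)
    }


def report(tiers):
    """(name, length, alphanumeric-only?) rows, shortest tier first."""
    ordered = sorted(tiers.items(), key=lambda kv: len(kv[1]))
    return [(name, len(value), alnum_only(value)) for name, value in ordered]


if __name__ == "__main__":
    for name, length, plain in report(TIERS):
        print(f"{name:8} length={length:2} alphanumeric_only={plain}")
    print("still unknown if 'short' leaks:", unknown_after_leak(TIERS, "short"))
```

With the post's example, only the short and long tiers are free of punctuation, and the long tier adds just seven characters beyond the short one, so reserve the long tier for sites where that margin is acceptable.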

Want to try it?  Print and fill out the Password Authoring Worksheet.  You can keep your passwords somewhere secure and offline after you're done, but you should probably destroy your worksheet.  After you've done it a few times you can probably do it on a blank sheet of paper anyway.  Definitely don't keep important passwords in public view.

General Advice and Suggestions
  • Create a new longest password at least every year
    •  A good label for your password would be "2013 longest", etc.
  • Combine old passwords with new ones to make different passwords!
    • ex: iTw4stheb3stDin0saur
  • Make certain you have adequate antimalware protection. You can have the best passwords in the world and still be hacked if you have a keylogger installed. 
  • Only create accounts on and log in to websites you trust.
  • Only log in to your accounts from computers you trust.
  • Only log in to your accounts from locations you trust.
    • For example, don't do any online banking from Starbucks or an airport lounge.
  • Use coded Login Info Spreadsheets to remind you of your login info - just in case
    • Tutorials on creating these sheets are coming soon!
  • When updating passwords, be careful when you type them so you don't get locked out!
  • Don't get locked out of your Google account
  • Don't keep your passwords in documents on your computer or the internet 
One last thing...

Never give one of your passwords to someone you don't trust (and never trust anyone you don't know); type it yourself. Never say your password out loud.  Never type it with someone watching.  Never brag about how you "use the same one for everything and it's so easy - it's my birthday".  Your password should be yours alone.  As far as the rest of the world is concerned, if someone logs in as you they are you.  The days of consumers being forgiven for having their account information stolen and misused are numbered... Be careful out there!

Friday, April 4, 2014

Make a Universal RSVP Using Google Forms

Collecting RSVPs and Polling Data is useful for planning events, managing club or group activities, etc. but it can be a hassle to set up a separate form for each event or poll...  Users also dread having to learn how to use a new system each time information needs to be gathered from them. One solution to this problem is to create an RSVP that can be used for any event or poll.

Let's look at some oft-overlooked features of Google Forms that will allow us to create a Universal RSVP:
  • Pages - Pages make it so that you can create separate pages of questions within one form
  • Go to page based on answer - this allows you to collect additional information, but only if a specific answer to a question was given.  
    • For example, if someone answers no to a specific question you can take them to a page that asks why they chose no.  The person who answers yes does not see the page asking them why they chose no.
Here is an example form - go ahead and fill it out a few times:

Universal RSVP (Form)

The responses to this form are automatically entered in the spreadsheet below - have a look:
Universal RSVP (Responses)

The responses spreadsheet is color coded to make it easier for event coordinators to deal with. The top and left hand columns are frozen to make navigation easy.  You can scroll left and right through the data. Some columns are merged to create headings for the different "Events".

The form itself is fairly complicated on the back end, but the user never sees that - for them it's a simple and brief click-through.
When there's a new event requiring an RSVP, administrators just need to add a new multiple choice answer to the Big Question, create a page with event-specific questions, and that's it!

As an event coordinator, you can send everyone to the same place to RSVP for anything - just say "Go to the website and RSVP". 

I shudder to think about what it used to be like when we relied on paper and post or telephone to do this same thing, but the reality is that even with modern survey tools available people still collect RSVPs using email, which is almost as tedious and confusing.

By creating a consistent user experience the hope is that your users will participate more and have more confidence in their ability to participate.  Also, you're collecting participation metrics, which are useful for future planning (if they're there when you need them).

If you'd like your own form, leave a comment below and I'll post instructions on how to make one.  The Google Forms and Spreadsheets web-based applications are free with a Google Account.  If you're logged into Gmail or your Google account, you can visit drive.google.com to create a new form and experiment!  Good luck!