Embracing Inbox Zero for better productivity, security

Now more than ever I believe Inbox Zero is one of the most important technology processes a professional can adopt. The number of security breaches surrounding email has exploded, the amount of information communicated electronically is overwhelming, and the number of devices accessing and storing email is continually growing. All of these are great reasons to take some time to develop a process of protection: to protect your time, your data, and most of all protect your sanity.

Not sure what I’m talking about? You can find the full details of Inbox Zero at http://inboxzero.com/. For those who want the CliffsNotes version, stick with me.

The idea of Inbox Zero is to get your mind out of email and onto productive tasks. I like to think of it as a framework that you can use to build an email processing system that works the way you want to work. The basic concept is simple. Choose times and process out your email by taking some simple actions.

  • Do – If the mail is something you can complete in a couple minutes just do it, don’t save it for later. Complete the task and delete the email.
  • Delegate – If the email is something that someone else could or should do then delegate it. Don’t hang on to tasks you won’t have the time to complete.
  • Defer – This is the one that gets people in trouble but the idea here is to take these items and move them out of the inbox into a schedule that ensures they actually get done. For me, this is my calendar. I force myself to make time within my schedule to complete these tasks.
  • Delete – This is the most important. Get rid of those things you don’t need.

You will notice that I specified “choose times to process your email.” What this means is removing the random bings, pings, and dings we all get when we receive an email. This keeps your mind out of email and focused on the task at hand. Meanwhile, if you have time set aside to process emails, you can rest assured you’ll still respond in a timely fashion. These replies will be dedicated to the task at hand, and normally result in better overall communications.

Keeping a clean inbox keeps you on task and ensures better communications, but those aren’t the only reasons email processing is important. Email is a huge security target and we increasingly make it less secure. Think about how many emails you currently have that contain confidential or proprietary information. What is the real impact of your email being breached? Now think about how easy and convenient it is to access your email. Can you access email nearly everywhere? Most will say yes, and this becomes the problem.

With convenience comes risk. Cloud based email systems have remote help desks with social engineering vulnerabilities. Mobile devices are easily lost and have real time access to all that email you’ve stored. We connect to email on any network available – coffee shops, airports, fast food restaurants – it doesn’t matter, we’re always checking email. All of these are risk points, and the more information you have in your email the more information you lose when your email is compromised. Processing out your email mitigates this risk.

So if you want a quick boost in productivity, and a bit more security, check out Inbox Zero and see what processes you can use to clean up your email.

Turn on Google multifactor authentication — now!

We’re all familiar with multifactor authentication, even if not everyone knows it by that name. Break the phrase down: “multi,” more than one; “factor,” necessary component; “authentication,” way of validating identity. Multifactor systems combine credentials of different kinds, usually “something you have” with “something you know” (and sometimes “something you are,” such as a fingerprint). Two credentials of the same kind, say two passwords, do not make a second factor. For example:

  • Opening your house with a key is single-factor authentication: Something you have (the key).
  • Swiping your debit card is two-factor authentication: Something you have (the card) and something you know (the PIN).
  • Authorizing suspicious credit card transactions usually piles on still more checks: Your name, your credit card number, personal information questions (SSN, zip code, DOB, etc.), and a series of security questions. Every one of those is something you know, though, so strictly it is still a single factor, just asked for several times over.

Unfortunately, the biggest skeleton key in your life right now is most likely a single-factor authentication system: Not your bank website password, not your car key, not your Social Security Number, but your email password. Think about it for a moment: What do you use to sign up for accounts? Where would those accounts send password reset emails if you forgot your password? Exactly. If you’re like most people, your email account is the key to your entire life, and we’re talking more than just hijacking your account to send spam or send inappropriate tweets. These days, email access can get you into bank accounts, investment accounts, property deeds, passports, and everything else that could permanently ruin your life.

Now that I’ve scared you, let me help you. For starters, we’re going to assume you use Gmail for your email and thus Google accounts. If not, you’re SOL (especially if you use that company that rhymes with “mayo sell”), and you should think about switching. Sorry, them’s the chops. Now that I can assume you’re in the 21st century, let’s continue. (Not to say that no other email providers are in the 21st century. I acknowledge that they do, in fact, still exist now.)

Taken from Google’s blog post on the matter, the first step is visiting your Account Settings page. From this location, you’ll see a link to “Edit” your “2-step verification” — go ahead and click that.

At this point, Google will walk you through setting up multifactor authentication. You’ll be given the opportunity to generate and print backup codes, a good idea. These backup codes can be used in case you should lose access to your phone in the future (more on that later). You’ll also get to choose what phone (or phones) to use for verification, and be given download links for mobile apps. Take the time to read carefully and set up your account properly, because this is your personal security we’re talking about.

The next time you go to sign in to your Google accounts (Gmail, etc.), you’ll be prompted to enter a six digit code in addition to your password (the thing you know), and here’s where the “something you have” aspect comes in. Depending on the settings you picked in Google’s wizard, you’ll either receive a text message, a phone call, or open the authenticator app, which generates the code from a secret shared between the app and Google when you set it up. The device receiving or generating that code is the “something you have,” and the code itself, which Google either just sent or can compute on its own end, is proof that you hold it. Of the three delivery methods, the app is the strongest: a text message or call can be redirected by anyone who talks your carrier into moving your number to a new SIM, while an app-generated code never leaves the phone. If you’re confident that the computer from which you’re logging in is secure, you can tell Google to remember you for 30 days, as well, which makes the additional layer of security almost invisible to you; keep in mind that a trusted computer is then only as safe as that computer, so don’t do this on shared or borrowed machines.

Setting up multi-factor authentication is a small step you can take yourself to ensure much greater security down the road. It may seem like a hassle every now and again when you need to enter an additional code to log in to your email, but then again, it would be painful to lose control over huge swaths of your life online, as well.

Protect yourself by becoming socially secure

Life is busy. We’re so focused on the day to day operations of our daily lives that we may not be thinking of our social security. No, not that Social Security – our social media security.

A poll conducted by MetLife Auto & Home in the U.S. shows that 35% of Americans age 18-34 check in or tweet their location on Twitter, Foursquare or Facebook. There’s nothing like announcing to burglars, “Hey, my house will be vacant for the next several hours while I attend a concert! Have at it!”

Don’t think that criminals really take that much time to research their crimes beforehand? An astonishing 78% of burglars use Facebook, Twitter and Foursquare to target potential properties, according to an eye-opening infographic from Mashable. Even more concerning, 74% of them use Google Street View to stake out a property before they strike.

There are steps that you can take to improve your home’s social safety. Mashable outlines five practical steps to take:

  1. Set your Facebook privacy settings to allow only your friends to see your content.
  2. Only add actual friends into your network.
  3. Refrain from announcing that you’ll be out of town for an extended period of time.
  4. Avoid posting photos that reveal your address or landmarks near your home.
  5. Don’t post photos of expensive items in your home.

At OSCPA’s Professional Issues Updates, led by President and CEO Clarke Price, attendees watched a news clip showing proud but unaware parents posting photos of their children to their social networks from their smartphones. Sounds harmless, right? Actually, it’s quite the opposite if you don’t have the right settings on your smartphone to hide your location.

Unless your phone’s settings are specifically configured to turn off location on your photos, they will have data attached to them (the Exif metadata the camera writes into the file) that shows the exact location the photo was taken, and by exact, I’m talking right down to the bedroom you took your daughter’s photo in. Some sharing services strip that metadata on upload, but a photo passed along as a file, an email attachment for instance, keeps it intact, so check before you send. (See my post on Geotagging: The hidden danger of photo sharing.)
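
To see exactly how a photo carries its location, here is an added example (not from the original post, and not any phone vendor’s code): a standard-library-only parser that reads the GPS tags out of the TIFF-structured Exif block that cameras embed in a JPEG’s APP1 segment, plus a builder that constructs a small sample block so the parser can be exercised offline. The coordinate in the sample is made up, and the builder writes only the handful of tags the reader needs; a real camera’s block carries many more, but the GPS sub-IFD and its four tags are laid out the same way.

```python
import struct

GPS_INFO_TAG = 0x8825                     # IFD0 entry that points at the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
ASCII, LONG, RATIONAL = 2, 4, 5           # TIFF field types used below


def _dms_rationals(value):
    """|decimal degrees| -> (deg, min, sec) as (numerator, denominator) pairs, as Exif stores them."""
    value = abs(value)
    deg = int(value)
    minutes = int((value - deg) * 60)
    seconds = round((value - deg - minutes / 60) * 3600 * 100)   # hundredths of a second
    return [(deg, 1), (minutes, 1), (seconds, 100)]


def build_exif_with_gps(lat, lon):
    """Construct a minimal little-endian TIFF block (what follows 'Exif\\0\\0' in a JPEG APP1
    segment) whose IFD0 holds a single GPSInfo pointer. Fixed layout: header 0-8, IFD0 8-26,
    GPS IFD 26-80, latitude rationals 80-104, longitude rationals 104-128."""
    ifd0_off, gps_off, lat_off, lon_off = 8, 26, 80, 104
    out = bytearray(b"II" + struct.pack("<HI", 42, ifd0_off))
    out += struct.pack("<H", 1)                                   # IFD0: one entry
    out += struct.pack("<HHII", GPS_INFO_TAG, LONG, 1, gps_off)
    out += struct.pack("<I", 0)                                   # no next IFD
    out += struct.pack("<H", 4)                                   # GPS IFD: four entries
    out += struct.pack("<HHI4s", GPS_LAT_REF, ASCII, 2, b"N\0" if lat >= 0 else b"S\0")
    out += struct.pack("<HHII", GPS_LAT, RATIONAL, 3, lat_off)   # 24 bytes, stored out of line
    out += struct.pack("<HHI4s", GPS_LON_REF, ASCII, 2, b"E\0" if lon >= 0 else b"W\0")
    out += struct.pack("<HHII", GPS_LON, RATIONAL, 3, lon_off)
    out += struct.pack("<I", 0)
    for num, den in _dms_rationals(lat) + _dms_rationals(lon):
        out += struct.pack("<II", num, den)
    return bytes(out)


def gps_from_exif(tiff):
    """Return (lat, lon) in decimal degrees if the block carries GPS tags, else None.
    All offsets are relative to the TIFF header, which is why the parser takes that block."""
    byte_order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if byte_order is None:
        return None
    magic, ifd0_off = struct.unpack_from(byte_order + "HI", tiff, 2)
    if magic != 42:
        return None

    def read_ifd(off):
        (count,) = struct.unpack_from(byte_order + "H", tiff, off)
        entries = {}
        for i in range(count):
            tag, typ, n, raw = struct.unpack_from(byte_order + "HHI4s", tiff, off + 2 + 12 * i)
            entries[tag] = (typ, n, raw)   # raw is the inline value or an offset
        return entries

    ifd0 = read_ifd(ifd0_off)
    if GPS_INFO_TAG not in ifd0:
        return None                          # no GPS sub-IFD: nothing to leak
    (gps_off,) = struct.unpack(byte_order + "I", ifd0[GPS_INFO_TAG][2])
    gps = read_ifd(gps_off)
    if any(tag not in gps for tag in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
        return None

    def degrees(coord_tag, ref_tag):
        _, n, raw = gps[coord_tag]
        (off,) = struct.unpack(byte_order + "I", raw)
        parts = [num / den for num, den in
                 (struct.unpack_from(byte_order + "II", tiff, off + 8 * i) for i in range(n))]
        value = parts[0] + parts[1] / 60 + parts[2] / 3600
        return -value if gps[ref_tag][2][:1] in (b"S", b"W") else value

    return degrees(GPS_LAT, GPS_LAT_REF), degrees(GPS_LON, GPS_LON_REF)


# Constructed samples: a block tagged with a made-up coordinate, and one with no GPS data.
SAMPLE_EXIF = build_exif_with_gps(45.1234, -122.5678)
EMPTY_EXIF = b"II" + struct.pack("<HI", 42, 8) + struct.pack("<HI", 0, 0)

if __name__ == "__main__":
    print("tagged photo:", gps_from_exif(SAMPLE_EXIF))
    print("untagged photo:", gps_from_exif(EMPTY_EXIF))
```

To check a real file, locate the APP1 segment (marker FF E1) in the JPEG, skip the six-byte “Exif\0\0” header, and hand the rest to gps_from_exif. Three rationals give degrees, minutes and seconds; seconds stored to hundredths resolve to well under a metre, which is why the post can say “the bedroom.”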

Let us know how you use social media. Does this change or confirm your opinions of location sharing, and how so? Will you change any of your sharing habits?

Dealing with a lost mobile device

Smartphones and tablets are powerful tools allowing us instant connectivity to nearly all of our personal and professional data. In the right hands they make for a great business tool, but what happens when they disappear? We’ve seen the stories of people tracking down lost devices. We may even revel in the idea of being an Internet PI but in reality, if our device is lost or stolen our first priority is to protect the data.

Step one is to have a screen lock turned on. To help you complete this step, see our post on creating strong mobile device passwords. This will slow down any would-be snoopers who may have found, or stolen, your phone.

Next, have the ability to locate and wipe your phone. For this to work, it’s critical that you set it up before your phone is lost (if you’re on Android, see below). Once you’ve lost control of the device it’s too late, and unlike the cell phones of yesteryear, calling your cellular provider does nothing to protect your data. Depending on your device, the setup and use of the locate and wipe features differ.

Windows Phone:

Setup – During your phone setup you were asked for a Windows Live ID to create a Windows Phone account. When you did this, it automatically registered your phone and enabled locate and wipe capabilities. If you want to check or modify these settings on your phone, visit settings – system – find my phone.

Use – Visit www.windowsphone.com and login with your Windows Live ID and select the My Phone option. Your device will be listed in the left column with a location map and options for erasing the data.

iOS Devices:

Unfortunately Apple keeps moving this feature within the OS: in versions prior to iOS 5 it lived under MobileMe, and it’s now part of iCloud.

Setup – During your iPhone setup you will be asked to enter or create your Apple ID. You will then be asked if you would like to use iCloud. If you choose to use iCloud, you will be prompted with several options. The very last one on the list will be Find My iPhone. Turn this on and the location and wipe services will be enabled. If you would like to edit or enable this after the set-up process select Settings – iCloud, to access the same set of services.

Use – Visit www.icloud.com and login with your Apple ID and select the Find My iPhone icon. Select your device to see it on the map, and then select the information icon to see the option for remote wipe. You can also download a free Find My iPhone app in the App Store if you carry multiple mobile devices and wish to find one from the other.


Android Devices:

While the Android system has the ability to remotely find and lock/wipe your phone for you, unless you’re on a Google Apps account (in which case your administrator will have this ability via Google’s website), you’ll have to do a little bit of work with third-party apps.

Setup – There are several options, but here are some of the most popular:

  • Lookout Security & Antivirus: Just download the app and follow its on-screen directions to create an account and set up security settings. Lookout provides free antivirus, app anti-malware scans, contact backup and restores, and remote device location (including the ability to activate an alarm on the phone) via www.myLookout.com. For an additional fee ($29.99/year or $2.99/month), you’ll get browser and text message phishing/malware protection, remote lock and wipe, app privacy advisor, and photo and call history backup and restore.
  • Where’s My Droid: Download and setup is simple here as well: Just download, run, and follow the directions. With Where’s My Droid, you get device location, remote ring/vibrate, passcode protection, notifications of changes to SIM card/phone number, and a few similar features, and they can be activated via its website, www.WheresMyDroid.com, or stealth (hidden) text message. For an additional $3.99, you gain the ability to remotely lock the device, wipe the phone and the SD card, activate it via a landline, and customize the “lost” ringtone.
  • Plan B: Made by the creators of Lookout, Plan B is a free one trick pony that leverages Google’s feature to install apps via the Market website. Setup is simple: log into market.android.com with your Google account, click the button to make Plan B install to your phone remotely, and when the app launches, it will email you the phone’s GPS location.

Use – As every app is different, follow the directions on setup. Most apps function similarly, though, asking you to create an account when you install it, and providing you a website to manage your device after it’s lost.

What makes a password

We’ve talked a lot about passwords. We wrote a work of fiction about how your bank account password might be compromised, we wrote about how to have fewer passwords, we mentioned how you can break into a secure WiFi network without breaking the password, and we’ve even reviewed password software. But what goes into a password? Other than its commonality, why is “123456” so much less secure than “123abc456?”

Password anatomy

If you’re a doctor, you need to know your coccyx from your larynx, and why humans have 23 chromosome pairs and what that means. In other words, you need to know your anatomy. If you’re a password-ologist, you need to know your password anatomy, too — and on the “information superhighway” we’re all password-ologists.

The first and most obvious component of a password is its length. Simply put, a longer password is harder to guess, because each additional character multiplies the number of possible passwords an attacker has to try. So, obviously, it’s better to have a 10 character password than a 5 character one.

How much better? Well, that depends on its complexity, or in technical terms, the size of its keyspace. The keyspace of a password is determined by the number of distinct symbols it could have been built from, not by which ones it actually contains (remember, the attacker here is assumed to know only the length and the class of characters, and has to try every combination). Let’s pretend our hypothetical password is a single character to illustrate for now:

  • If the password was numeric only, it would have a keyspace of 10 (0, 1, 2, …, 9)
  • If it was only lowercase letters, it would have a keyspace of 26
  • If it was upper- and lowercase letters, it would be 52 (2 × 26)
  • If it was upper- and lowercase letters, as well as digits, it would be 62 (2 × 26 + 10)
  • If it was the entire printable ASCII character set, it would be 95
  • If it was the entire (current) Unicode character set, it would be over 110,000

Combining the ideas of length and keyspace, if all common English printable characters (letters, numbers, and “special characters”) were allowed, our 5 character password would have 95 × 95 × 95 × 95 × 95 = 95^5 ≈ 7.7 billion different combinations; that 10 character password, by comparison, would be over 7.7 billion times more secure than that, with nearly 6 × 10^19 combinations (just over 59 quintillion, but who’s counting?).

Security margin (simple)

How much security would that ginormous password really provide, though? Well, that all depends. Automated password crackers have gotten pretty fast. My favorite, John the Ripper, can easily reach around 20,000 attempts per second on a normal home computer (the exact rate depends heavily on how the password was hashed), and that’s not even touching GPU cracking, distributed computing or other more complex (and powerful) attacks; against a fast, unsalted hash such as MD5 or NTLM, a single modern graphics card manages billions of guesses per second. That means that if your attacker knows your super secure password (123456) is six digits and numeric only, expect it to be broken in 50 seconds or less (10^6 guesses at 20,000 per second). (That’s quite a bit faster than the roughly 95 million years john would take, at that same rate, on that hyper-secure 10 character password, cracked naïvely.)

It’s not that simple

The thing is, I lied. Not all ten character ASCII passwords are equal. For example, T$f0_ke\E` is quite a bit more secure than gesundheit. Why? Entropy. In simple applied terms, entropy measures the randomness, or unpredictability, of a password. Higher entropy (less predictability) is better. While it’s difficult for the layperson to measure, the following mistakes are all things that will affect your password’s entropy:

  • Whether or not your password appears on a wordlist. If you’ve got a word or common phrase, consider your password broken out of the gate. Rainbow tables and wordlists of common words and phrases will devastate any security you think you have.
  • If you’ve used common substitutions. Did you swap a “!” or a “1” in for your “i”s and “l”s? We know. Did you use a “5” or a “$” for an “s,” or write “><” instead of “x?” So did everyone else. Cracking software is built to try these and many other common word alterations, so security gained by these tricks is not as great as you think it is.
  • If your password follows normal symbol distributions. For example, in English, q is frequently followed by u, so if it is in your password as well, it’s less secure.
  • Whether your password relies on anything that can be known about you. Expect all of your biographical information and interests, as well as anything you talk about, to be used as guesses against your password. If you’ve used any family member names or birth dates, pet names, components of favorite songs, words relating to your favorite sports teams, etc., then someone can guess your password more easily just by learning about you. Social media makes this even easier, as people voluntarily vomit up the very information that is often all that is needed to compromise their accounts.

So what’s a girl to do? Actually, the situation isn’t so bad:

  1. Pick one really good, secure master password that will secure all your others. Bang on the keyboard a lot, then go into the middle and bang some more. Highlight some letters at random, and delete half of them. Bang some more in their place. Shuffle some things around. Bang. Delete. Bang bang bang. Tired yet? Good. (One caveat: keyboard mashing is less random than it feels, since fingers favor the home row and alternate hands; a passphrase of six or so words picked from a long list with dice or a random generator is easier to type, and its entropy is actually known.)
  2. Write it down on a piece of paper. Put the paper in your wallet or purse. You’re already really used to protecting the contents of that, so it’s pretty safe now.
  3. Download a password manager, or use one built into your system.
  4. Use the password manager to generate secure random passwords for any services you use. They can be long and crazy, because you won’t have to remember them. They can also be different, which is important because one account being compromised won’t compromise your others. (This is especially important for email accounts, which are often used to reset passwords for other services.)
  5. Whenever you need a password, take out your piece of paper, read off the password and use it to unlock your manager, and then copy-and-paste your random secure password into the login form as you need to.
  6. On a regular basis, go ahead and rotate your account passwords; and on a somewhat less regular basis, your “master password.” Rotate immediately, rather than on schedule, whenever a service you use reports a breach or you suspect the vault or master password has been exposed; that event-driven rotation is the one that matters most.
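
Putting the keyspace arithmetic above, the entropy pitfalls, and step 4’s generated passwords together, here is an added example (my code, not the author’s) of the checks a password meter or a cracker’s rule engine performs: the class-based alphabet from the keyspace list, the time to exhaust it at the post’s 20,000 guesses per second, an undo-the-substitutions pass against a wordlist, and the CSPRNG-driven generation a password manager does. The wordlist is a constructed stand-in for a real dictionary of leaked passwords, and the personal-information set is whatever an attacker would gather about a target.

```python
import math
import secrets
import string

# Character classes with the alphabet size each contributes (the keyspace list above):
# 10 digits + 26 lower + 26 upper + 33 symbols (32 punctuation marks plus space) = 95.
CLASSES = [
    (set(string.digits), 10),
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.punctuation + " "), 33),
]


def alphabet_size(password):
    """Size of the alphabet a naive brute-forcer must cover: the union of every class present."""
    present = set(password)
    return sum(size for members, size in CLASSES if present & members)


def keyspace_bits(password):
    """log2(alphabet ** length): the strength ceiling, reached only if every character was chosen uniformly."""
    return len(password) * math.log2(alphabet_size(password))


def crack_seconds(password, guesses_per_second=20_000):
    """Worst-case time to exhaust the keyspace; 20,000/s is the post's home-computer figure.
    Against a fast unsalted hash on a GPU the rate is billions per second, so divide accordingly."""
    return alphabet_size(password) ** len(password) / guesses_per_second


# Substitutions a rule-based cracker undoes (or applies) automatically.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s", "!": "i", "|": "l"})

# Constructed mini wordlist; a real run uses a dictionary of millions of leaked passwords.
WORDLIST = {"password", "gesundheit", "letmein", "dragon", "iloveyou"}


def normalize(password):
    """Lower-case, drop digits/symbols hanging off the ends, then undo leet substitutions."""
    return password.lower().strip(string.digits + string.punctuation).translate(LEET)


def weaknesses(password, personal=frozenset()):
    """Predictability problems that cut real entropy far below keyspace_bits."""
    issues = []
    base = normalize(password)
    if base in WORDLIST:
        issues.append(f"dictionary word once substitutions are undone: {base!r}")
    if base in personal:
        issues.append(f"derived from information about the owner: {base!r}")
    if "qu" in password.lower():
        issues.append("follows English letter statistics (q then u)")
    if len(password) < 12:
        issues.append("shorter than 12 characters")
    return issues


def generate_password(length=20, alphabet=string.ascii_letters + string.digits + string.punctuation):
    """What a password manager does: uniform choice from a CSPRNG, so keyspace_bits is the true entropy."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw in ["123456", "gesundheit", "P@55w0rd!", "T$f0_ke\\E`"]:
        years = crack_seconds(pw) / 31_557_600
        print(f"{pw:12} {keyspace_bits(pw):5.1f} bits  {years:.3g} years  {weaknesses(pw)}")
    print("generated:", generate_password())
```

The two numbers to compare are the bits from keyspace_bits and the list from weaknesses: gesundheit scores the same 47 bits as any other ten lowercase letters, yet it is a single wordlist lookup, while P@55w0rd! looks like a 95-symbol password and normalizes straight back to “password.” Only the generated password earns its bit count.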

How I stole your bank account

The following is a work of fiction, written from the perspective of a would-be attacker. While the work is fictional, the techniques are not. It’s a scary world out there, and with the bad guys roaming around, it helps to know just how they might nab you. Keep your head straight and their meddlesome ways at bay and you won’t be like Bill in this story!

“Hi, Judy, it’s Bill here. I’m so sorry — I forgot my network password again. I know, I’m such a dolt. Would you be able to reset it please? I’m on the road and I won’t be back until next week, and I know Doreen and Jim want my expense report tonight. Thanks!”

That was me, talking to Judy, the new girl at the IT help desk at your work. You might have guessed that my name isn’t Bill. Yours is. My name isn’t important at all. I’m just the guy who stole your bank account.

Remember the average looking sedan parked outside Starbucks? Of course you don’t. The guy sitting in it — the guy you don’t remember, sitting in the car you didn’t see — was me. Remember when you opened your laptop and joined the first open WiFi network you saw? I do, too, because that’s when we (well, our laptops) met, and you didn’t even know it.

The network was the coffee shop’s, sure, but I owned it. Well, I pwned it. A little arpspoof here, a little webmitm there, a sprinkling of iptables, and bam! — you think you’re talking to them, and they think they’re talking to you, and really, I’m relaying the traffic in the middle and I see it all. It isn’t hard to set yourself up silently to intercept all the traffic on a vulnerable WiFi network.

Sometimes it’s a little more difficult. If the only active networks around are encrypted, I might have to crack them with aircrack-ng or break into the WAP with reaver to obtain the network key. If there’s no network around at all, I might even have to tether my laptop to my phone over USB and use its 4G connection and my WiFi card in ad-hoc mode to set up my own honeypot network for you to join. Everyone likes free WiFi!

But however I get connected, the result’s always the same. Your traffic is running through my computer, so I see what you see. In your case, when you joined the coffee shop’s network, I took the time to nmap scan you as well and saw that you were running an older version of Adobe Reader, so after I saw you send a “check in” email to your wife, I forged one back to you via sendmail with a custom little attachment I cooked up for you in set. I said it was a PDF of the insurance forms and I asked you to take a look. And when you opened my precious little virus, I got a command shell on your box, and I had control of your operating system. Thanks for that.

Once inside, I started gathering information. I already knew your full name (from watching you log into Facebook) and from that and the files on your hard drive, I quickly found out where you went to school, where you worked, what your dog’s name was, your shoe size, when you would be back home from your business trip, and that you had an unhealthy collection of Bee Gees albums. After searching a couple public records databases, I also knew where you lived, how much money you made, who your kids and parents and grandparents were, where and when you were born, where you used to live, and that you just took out a loan on a brand new house. Nice location, by the way. Oceanfront property. Impressive. Not showy, but definitely upper-class.

That’s when I called Judy. I knew what bank you used (nice job trying to protect those tax forms, but zip encryption isn’t anything these days), but I didn’t have access to your account quite yet, and frankly, while I had enough data to make you miserable by having your power disconnected or quitting your job for you, pranks aren’t what I was after. I had to call Judy because you set your password reset email to your work address, but I hadn’t seen you type it (and yes, I already tried “barrygibb”). When Judy was nice enough to reset your work email’s password for me, I had the last piece of information I needed.

So I headed to the bank’s website. “Forgot your password?” Enter date of birth and mother’s maiden name, it told me. I did. It asked me to answer your security questions: the street you grew up on and your favorite band. Good thing I knew those too (I figured it was the Bee Gees from your iTunes account, but your Twitter profile said the same thing for everyone to read as well). “We’ve sent your new password to your email address,” it said. A moment later, your work account chimed. I opened the message, wrote down the temporary password, deleted the email for you so you wouldn’t notice for at least a little while, and logged in.

Gloves. Scalpel. Suction. Prepare transfer.

Thanks for the funds, sucker. Tell your wife and kids I like the new drapes you can’t afford anymore. It’s nothing personal. It’s just what I do. Nurse, we’re gonna need a crash cart.

Hate passwords? Have fewer!

Creating passwords sucks, remembering passwords sucks, and forgetting passwords, well, you get the picture. Passwords affect nearly everybody. If you don’t believe me, look around at all the password generation and management software. You can tell a technology is irritating when it’s supposed to be simple, but managing it creates its own industry.

Let’s take some time to create a personal password strategy that will lessen your frustration, keep you from buying goofy unneeded software, and maybe make you a bit more secure. Yes, I’m going to recommend you rely on your brain rather than technology to solve this problem, but stick with me and you’ll see it’s rather simple.

First, most people have either too many or too few passwords. In my perfect world you would have no more than 3-5 passwords. Think of passwords kind of like locks: you wouldn’t use a bike lock to protect your car, and you wouldn’t use your house key to open a safe deposit box. At the same time, you wouldn’t create a key for walking into Walmart, or visiting the hair salon.

My suggestion for required passwords

  • Work – Used to login to internal company resources
  • Work Internet – Used to login to websites related to your work
  • Personal – Used to protect your personal equipment
  • Personal Internet – Used to login to websites you use on a personal level
  • E-commerce – Used for high security situations such as banking, taxes, etc.

Once this is completed, your next step is to create passwords that are actually usable. Each company, website, application, operating system, or other technology do-dad has different password criteria. Our best bet is to set up criteria that will meet the requirements of the majority of the systems we might encounter.

Basic password requirements

  • Must exceed 8 characters
  • Must contain both upper and lower case letters
  • Must contain at least one number
  • Must contain at least one special character

Based on these criteria we have a set of parameters we can use to create passwords. I like to use pass phrases myself, as they are easier for me to remember.

Sample password creation

Creating pass-phrases that meet my length limits:

  • OutsideCowsEat
  • CowsEatGrass
  • IHateCows
  • WhyCowsMoo
  • TastyBurgersCowsMake

NOTE: You can use just about any method to create a pass phrase. I normally start with a simple statement and work into other statements. My strategy is to have one word in each password that remains constant. The trade-off is that if any one of these passwords leaks, the constant word and the pattern around it give an attacker a head start on the others.

Adjusting capitalization to make things a bit harder on bad guys:

  • outsideCowsEat
  • cowsEatGrass
  • iHateCows
  • whyCowsMoo
  • tastyBurgersCowsMake

NOTE: By default I have capitalization so I want to remove the pattern I’ve created. Most crackers will start with the first letter being a special character or capital. Not that this is a great advantage, but it makes me feel better setting this all to lower case.

Adjusting for numeric requirement:

  • outsideCow5Eat
  • cow5EatGrass
  • iHateCow5
  • whyCow5Moo
  • tastyBurgersCow5Make

NOTE: I chose the same letter within a word that is present for a reason. The s in cows will always be a 5; it helps me remember where the five is. It also ensures the 5 is in different places in different passwords. If I were to change all the representations of s to 5 it would also be easy to remember, but password crackers commonly replace all letters with numbers. By leaving the other representations of s, that particular rule misses, though a rule that substitutes one occurrence at a time is just as standard in cracking tools, so treat this as a small gain rather than real protection.

Adjusting for special character:

  • outside?Cow5Eat
  • ?cow5EatGrass
  • iHate?Cow5
  • why?Cow5Moo
  • tastyBurgers?Cow5Make

NOTE: Most people will insert special characters at the beginning or end of a pass phrase. Because this is expected behavior I recommend doing what we did with the 5 and associating it with a trigger word. This places the special character in different locations within different passwords.

Complete secure pass phrases:

  • outside?Cow5Eat
  • ?cow5EatGrass
  • iHate?Cow5
  • why?Cow5Moo
  • tastyBurgers?Cow5Make

Now you have 5 strong pass phrases you can use as passwords. While I wouldn’t suggest testing passwords you plan to use (you never know who’s listening) you can use this tool http://www.passwordmeter.com/ to see if the strategy works.

Consistent use and fewer passwords should aid you in your memorization process. Creating pass phrases, and using patterns within each, should help you recall passwords faster if you happen to stumble and forget one. I’ll be very honest and say I only have three passwords: work, personal, and banking. There is no hard and fast rule that you must have all five, but very few people require more than five. One caveat to weigh against the convenience: a password shared across many websites is only as safe as the weakest of them, because attackers replay credentials leaked from one site against all the others. Keep the e-commerce password strictly to itself, and for anything that matters consider the approach from the “What makes a password” post above, where a manager holds a different random password for each site.
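
To put a number on how much the capitalization, 5-for-s and ?-insertion steps above actually cost an attacker, here is an added example (mine, not the author’s) of the kind of rule set a cracker runs: it takes the base words of a pass phrase and generates every candidate reachable with the three transformations used in this post, one substitution position at a time. The base phrases are the post’s own; the rule set is a hypothetical small one, far smaller than what John the Ripper or hashcat ship with.

```python
def case_variants(words):
    """The two capitalization styles used in the post: CamelCase and camelCase."""
    camel = "".join(w.capitalize() for w in words)
    return {camel, camel[0].lower() + camel[1:]}


def single_substitutions(text, old, new):
    """The unchanged text plus one candidate per occurrence of `old` replaced by `new`.
    Crackers have position-indexed overwrite rules, so replacing one 's' is no harder
    for them than replacing all of them."""
    out = {text}
    for i, ch in enumerate(text):
        if ch.lower() == old:
            out.add(text[:i] + new + text[i + 1:])
    return out


def boundary_insertions(text, boundaries, symbol):
    """The unchanged text plus one candidate per word boundary (ends included) with `symbol` inserted."""
    return {text} | {text[:b] + symbol + text[b:] for b in boundaries}


def mangle(words, digit_for="s", digit="5", symbol="?"):
    """Every password reachable from the base words with the post's three transformations."""
    boundaries = [sum(len(w) for w in words[:i]) for i in range(len(words) + 1)]
    candidates = set()
    for base in case_variants(words):
        for substituted in single_substitutions(base, digit_for, digit):
            candidates |= boundary_insertions(substituted, boundaries, symbol)
    return candidates


# The post's five phrases as word lists, keyed by the final password it derives from each.
POST_PHRASES = {
    "outside?Cow5Eat": ["outside", "cows", "eat"],
    "?cow5EatGrass": ["cows", "eat", "grass"],
    "iHate?Cow5": ["i", "hate", "cows"],
    "why?Cow5Moo": ["why", "cows", "moo"],
    "tastyBurgers?Cow5Make": ["tasty", "burgers", "cows", "make"],
}


def coverage():
    """For each post password: is it generated from its base words, and from how many candidates?"""
    return {pw: (pw in mangle(words), len(mangle(words))) for pw, words in POST_PHRASES.items()}


if __name__ == "__main__":
    for pw, (hit, count) in coverage().items():
        print(f"{pw:24} reached={hit}  candidates from the base phrase={count}")
```

Every one of the five is reached from its base words in under 50 candidates, so the whole scheme multiplies an attacker’s work by about 50 at most; the real strength sits in how many word combinations exist, not in the 5 and the ?. That is fine when the base sentence is genuinely unguessable and is used in one place only; it is not fine once one of the five leaks in a breach and reveals the constant word and the pattern, which is the case for the unique, generated passwords argued for in the earlier post on this page.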

Have other hints on managing passwords? Let me know in the comment box below.