Tuesday, March 12, 2013

Email Password security tips

Here are some general security tips to keep your email account safe.

1. Use a unique password for your email that you do not use anywhere else. The reason for this is pretty simple. Most websites ask you for your email address when you register. If you give that website your email address AND you use the same password that you use on your email login, you've just given that website access to your email account. Most websites are probably trustworthy. But what happens if that website gets hacked and someone steals all of its registration information? Now some hacker has your email login information. So ALWAYS use a unique password for your email account that you do not use anywhere else.

2. Do not use a simple password. A simple password would be one that's only a few characters long and/or consists of simple words. Most hackers are not sitting in front of a computer typing in one password at a time. They have tools to automate it. So if your password is very short or consists of simple words, they can use a dictionary to guess your password. The best passwords are at least 10-12 characters long. Longer is even better. And it's good if it contains a mixture of letters and numbers. Even better if it contains letters, numbers and punctuation characters like $#@!%. Most passwords are case sensitive, which means mypassword is not the same as myPassWord. So mixing up the casing of the letters is another very good method to make your password hard to guess. The best passwords combine all of this into something called a pass phrase. A password implies a single word. A pass phrase is a combination of words.
So rather than having 'password' as your password, you would have 'this is my password' as your password, or pass phrase. And if you combine it with the other suggestions it might look like '@thiS is mY 1 passworD!'
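To make the length and character-mix advice above concrete, here is an added example (not code from the original post) that scores the three passwords the tip uses. It counts which character classes appear, computes the size of the search space a brute-force guesser would have to cover, and separately flags anything that is a single common word, since a dictionary attack ignores the brute-force number entirely. The word list and the verdict thresholds are assumptions chosen for illustration.

```python
import math
import string

# Constructed stand-in for a password cracker's dictionary. A real one has
# millions of entries; this one only needs to catch the obvious cases.
COMMON_WORDS = {"password", "letmein", "qwerty", "welcome", "monkey", "dragon", "123456"}


def charset_size(pw: str) -> int:
    """Size of the alphabet a brute-force search must cover, based on which
    character classes actually occur in the password."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation or c == " " for c in pw):
        size += len(string.punctuation) + 1  # 32 punctuation characters plus space
    return size


def brute_force_bits(pw: str) -> float:
    """log2 of the brute-force search space: length * log2(alphabet size).
    This is an upper bound; crackers also try combinations of dictionary words,
    so length matters even when the phrase is made of ordinary words."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))


def is_dictionary_word(pw: str) -> bool:
    """A single common word, in any casing, falls to a dictionary attack
    no matter what the brute-force figure says."""
    return pw.lower() in COMMON_WORDS


def assess(pw: str) -> dict:
    """Summarise a password the way the tip describes: length, mix of
    character classes, and whether it is just a word from the dictionary.
    Thresholds (8 characters, 60 bits) are assumptions for this example."""
    bits = brute_force_bits(pw)
    dictionary = is_dictionary_word(pw)
    if dictionary or len(pw) < 8:
        verdict = "weak"
    elif bits < 60:
        verdict = "fair"
    else:
        verdict = "strong"
    return {
        "length": len(pw),
        "alphabet": charset_size(pw),
        "bits": round(bits, 1),
        "in_dictionary": dictionary,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for candidate in ["password", "this is my password", "@thiS is mY 1 passworD!"]:
        print(repr(candidate), assess(candidate))
```

Running it shows 'password' scored as weak because it is in the word list, the plain pass phrase already far ahead on length alone, and the mixed-case, digit and punctuation version ahead again because every class added widens the alphabet the guesser has to search.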

3. Pick security question/answers only you know. Many websites ask you to set up security questions that you can answer if you ever forget your password, or login from a strange computer. These security questions can turn into security holes. If you pick a very simple question 'what is my favorite color' and pick an equally simple answer 'blue', it won't take very long for someone to guess your security answers. The best thing to do is to pick questions that only you would know the answer to. However, many sites don't allow you to type your own question; you have to pick one of their questions. And their questions are often questions that other people know the answer to, like what school you went to, the name of your spouse, your first job, etc. Those are all questions other people have the answers to, and in many cases even strangers can find the answers to them by doing a little Google searching. For example, if you have a LinkedIn account, your first job AND what schools you attended might be listed there. Your spouse might be listed on Facebook or another social site.

So if you can't type in your own question, you can always give an answer that has nothing to do with the question or is completely made up. For example, if it asked what school you went to, you might say Starfleet Academy (although in my case my friends could guess I'd pick that answer). Or make up an answer that's completely random. Instead of Starfleet Academy, you could say apple pie. You just have to remember the answer you give. The key is to make sure it's an answer no one but you knows and no one could figure out.

4. Don't type your password into strange computers. It's basically the same as catching an STD. You don't know who else used that computer or where it's been. That computer could have a virus on it, and as soon as you type in your password, it's recorded and sent off to some nefarious hacker who now has access to your account. This applies even to your friend's computer, unless you are sure they are practicing safe computing.

How can you tell if you were hacked/if a friend was hacked?


5. Don't click strange links. If you get an email from a friend that was sent to a ton of people and all the email contains is a strange looking link, chances are they were hacked. I would contact your friend other than through their email and ask them if they sent it. If they did not, have them read this post and then change their passwords. I said passwords, plural, because once someone has access to your email account, they could potentially gain access to your other online accounts, since many of them have a forgot password feature that will email you instructions on how to change your password. So the hacker gains access to your email account and looks through your emails to find an email from your bank. They then go to your bank's website. The first thing they'll try doing is using your email password in case you used the same password for your email as for your bank. If that doesn't work, then they'll try the forgot password feature and within a minute they could have access to your bank account. I'm sure they'll enjoy spending your money.

6. You wake up one morning and suddenly find a bunch of returned messages in your email. This is a good sign your account may have been hacked. This could be because the hacker logged into your email and then sent out an email to EVERYONE you ever emailed before. Or at least everyone in your address book. Some of those emails might have gone to addresses that don't exist anymore, or might have been caught by spam filters. That's why you'll suddenly have a bunch of returned messages in your email.

Many email websites allow you to check and see all the places you logged in from. If so, take a look and see if there's a login from somewhere you've never been, or at a time you know you weren't online. If you find a strange login or have an inbox full of returned messages, it's time to change your passwords and contact your friends and let them know not to click any links that were sent.
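The "places you logged in from" check above is easy to do by eye for a handful of entries, but the same two questions (is this somewhere I've never been, is this a time I wasn't online) can be applied mechanically. This added example, not code from the original post, runs that check over a constructed sample of a recent-activity list; the log format, the sample entries, the known locations and the usual online hours are all assumptions for illustration.

```python
from datetime import datetime

# Constructed sample of an account's recent-activity list (not real data):
# date, time, source IP, and the location the provider geolocated it to.
SAMPLE_LOGINS = """\
2013-03-10 08:02  192.0.2.10     Seattle, US
2013-03-10 19:45  192.0.2.10     Seattle, US
2013-03-11 03:17  198.51.100.44  Lagos, NG
2013-03-11 07:55  192.0.2.10     Seattle, US
2013-03-11 12:30  203.0.113.9    Portland, US
"""

# Places the account owner actually logs in from (assumption for this example).
KNOWN_LOCATIONS = {"Seattle, US", "Portland, US"}

# Hours during which the owner is normally online, in the log's local time.
ACTIVE_HOURS = (6, 23)  # 06:00 up to but not including 23:00


def parse_login(line: str) -> dict:
    """Split one activity line into its timestamp, IP and location."""
    date, clock, ip, location = line.split(maxsplit=3)
    return {
        "when": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M"),
        "ip": ip,
        "location": location.strip(),
    }


def suspicious_logins(text: str, known_locations=KNOWN_LOCATIONS, active_hours=ACTIVE_HOURS) -> list:
    """Return every login that came from an unfamiliar location or happened
    outside the owner's usual hours, with the reasons it was flagged."""
    start, end = active_hours
    flagged = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_login(line)
        reasons = []
        if entry["location"] not in known_locations:
            reasons.append("unfamiliar location")
        if not (start <= entry["when"].hour < end):
            reasons.append("outside usual hours")
        if reasons:
            flagged.append((entry["when"].isoformat(), entry["ip"], entry["location"], reasons))
    return flagged


if __name__ == "__main__":
    for when, ip, location, reasons in suspicious_logins(SAMPLE_LOGINS):
        print(f"{when}  {ip:<15} {location:<14} {', '.join(reasons)}")
```

On the sample data only the 03:17 login from Lagos is flagged, on both counts. Either reason on its own is enough to change the password; a location you have never been to is not explained away by a friend borrowing your account.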

Prevention


7. Use 2-step authentication. One of the features I like with gmail is something called 2 step authentication. It's basically using two passwords. You are only prompted for the 2nd password if you login from a new computer, or it's been 30 days since the last time you used the 2nd password. If you have a smart phone, you download a small app to your phone and the app generates a new password for you every 30 seconds that you would type into your account the first time you log on from a new PC. That means even if a hacker gets your password, they still won't be able to log in because they won't have that random password generator. I still won't log in from a strange PC even with this if I can possibly avoid it. But at least if you do, you know it'll still be almost impossible for them to get into your account. If you do login from a strange computer I would still change your password when you get home even with using the 2 step authentication.

I strongly encourage you to see if your email provider has 2-step authentication. If not, I would switch to someone who does.


Wednesday, March 6, 2013

Crashplan is untrustworthy - do not trust them with your backup or data

I started using Crashplan for my backup needs back when Mozy switched away from doing an unlimited backup.  Initially I was very happy with their service.

However, since at least June of 2012 when I first noticed it, Crashplan has had horribly slow upload speeds. Many people are getting much less than 1mb uploads even though their internet connection supports speeds many times faster than that.

For anyone who frequently adds files to their backup set, this would make crashplan almost useless since you would never have a complete backup. You would always have files pending to be uploaded.

I myself could probably live with these speeds since I don't often add files to my backup. What I cannot live with though is a company that lies. And crashplan lies. Their support has NOT ONCE responded to the thread I started here: https://crashplan.zendesk.com/entries/21660011 (they require you to register to view threads, probably to hide complaints from showing up in search engines - I'll post a complete copy at the end of this post).

That thread is almost 6 months old and has NEVER received a response from someone in support. It did however receive a response within a day when I finally got fed up and accused them of being incompetent or liars. Then a Mike Evangelist (listed as Chief Marketing Officer according to his LinkedIn profile) suddenly stepped in and deleted my post, accusing me of 'name calling'. I'm not sure what other conclusion you can come to when you have a problem that's ongoing for months and the only response you get from CP support, if they respond at all, is to tell you the internet is a shared resource. Basically their excuse is that the internet is slow, not them. Apparently the internet has been slow, ONLY for crashplan customers, night or day, for months.

His idea of customer support was to offer me a refund. That's a pretty shoddy business model - no actual response to the problem itself, just someone who gets upset when you use harsh words about the lack of support and communication and then tells you to leave.

The only conclusion I can draw is that crashplan is either incompetent and doesn't know how to fix the problem or is otherwise incapable of doing so, or they are lying to me. I think it's both. I suspect they signed up too many users too fast and don't have the resources to support them all and are just hoping people won't notice.

As I said earlier, I could probably live with the slower upload speeds. But I will not do business with a company that treats their customers like this. They lie to their customers pretending there is no problem or pretending the problem is with you and not with them. They don't respond to complaints in their forum for MONTHS and then the only official response they finally give is to delete a post that calls them out for what they are - liars.

I don't know about you, but I would not do business with a company that is dishonest with you and treats their customers like idiots. Would you trust all your personal data with them? What's going to happen if their servers ever get hacked, do you think they'll actually let you know? Can you be sure your data is really encrypted and safe on their server? And what happens if some day you need to download your data, how can you be sure you'll be able to get it? Or that it won't take months or years to download because of their poor service?

I apologize if this sounds like a rant, but I am angry. I think anyone would be angry if they are lied to for months on end. Because of this I've canceled my subscription to crashplan. Oh, and they are actually planning on raising their rates at the start of 2013. I'm going to use Amazon Glacier with CloudBerry. Shockingly, the shared resource that is the internet seems to have no problem maxing out my upload speed when uploading to Amazon. And it'll cost me less than what crashplan charges.

Edit: I've been using CloudBerry in conjunction with Amazon Glacier for several weeks now without a single slow down. And it's only costing me $2/mo. To be fair, it looks as though the issue with crashplan has been resolved, at least the technical issue has. The customer service/honesty issue though has not. Crashplan only once admitted to there being any problem and it was a rather vague message along the lines of 'some' customers report problems and 'they are looking into it'. No explanation as to what the problem was. No explanation as to what they did to fix it. No sort of apology. I still don't trust them.

Edit 2: It looks like CP might still be lying to their customers. Someone who just signed up with CP starts off getting 6mbps uploads but then quickly drops down to 250-300kbps. When they contacted CP support, this is what they were told:
I looked over your backup logs from the past few days and it looks like everything is going exceptionally well. 200-300 KBps sustained transfer rates are normal for most people and are common when the CrashPlan Client is backing up media files or other large chunks of data (applications come to mind). Those types of data don't compress well and therefore have to be sent in their entirety versus smaller chunks that have already been efficiently indexed by the CrashPlan Client.
That's the first time I've heard that not being able to compress a file means it'll download MUCH slower than your maximum internet connection. The support rep went on to say turning off data de-duplication might speed up the upload. Which I assume is also either a lie or an indication their system is poorly made if data de-duplication means a 20x reduction in upload speeds.

Edit 3: For anyone still using crashplan and having problems, you might want to take a look at this blog post. He greatly sped up his upload speeds by disabling the deduplication function in crashplan's client.