Password Management is Easier Than You Think

I recently visited a client whose kids boasted that they know her passwords better than she does. They weren’t wrong. Like many people, she finds it difficult to make up and keep track of her passwords, and so she makes up very predictable ones and reuses them often. This was a problem, because one of the things I was called to do was restrict her children’s access to certain things on the computer, and doing so would require, among other things, the creation of some passwords that would have to be kept from the kids.

After a while, the demeanor of some of the kids began to irritate me, as their comments were increasingly disrespectful. At one point, one of them announced that the project was a waste of time because – he claimed – he could guess any password. I didn’t answer, but what I was thinking at that moment was, “Buddy, I have almost 50 years more life experience than you have, and you know almost nothing about me. If I can’t come up with a password that you can’t guess, then there’s something wrong with me.”

If you often find yourself in a similar situation to this child’s parent, or maybe you just have difficulty with passwords, then this post is for you. I am going to show you how to devise a strategy that makes it easy to come up with hard-to-crack passwords and keep track of them without maintaining a password reference notebook.

Let’s start by clarifying the problems. The first problem is password complexity. The days when you could get away with silly passwords like “123456789”, “11111111”, or, heaven forbid, “password” are long gone. Apart from the fact that these are the first three that anyone who wants to guess your password tries, most systems won’t let you use them. Nowadays, most systems impose password complexity requirements, and the most common rule is a minimum of 8 characters, and those characters must include at least one upper-case letter, at least one lower-case letter and at least one numeral. Some systems let you use a punctuation character instead of the numeral, and some require a punctuation character along with the other requirements. A lot of people find it extremely difficult to come up with passwords that satisfy all these requirements, much less remember them.

The second problem is just the sheer number of passwords we all must keep track of. Unless you’ve been living under a rock for the last few years, you know it’s a bad idea to use the same password for everything you need to log into. You don’t want one stolen password to give the thief access to your credit card accounts, e-mail and social media along with whatever system he already knew was associated with the password he stole. But a quick, informal web seach indicates that the average person has 80 to 100 different passwords as of this writing, and that number will only get higher as time goes on. So, many people succumb to the temptation to reuse passwords on many sites, even though it’s a security risk.

The simple solution to both of these problems is to use a consistent system to generate your passwords. I’m not talking about using a computer system to generate passwords, although I’ll address that possibility at the end of this post. What I mean is that you can come up with a simple set of rules for making up your passwords. I will show you three such systems that are easy for you to remember, hard for anyone else to guess (including snarky kids) and satisfy most password requirements; you can either use them as they are or derive your own using these concepts.

System 1 – Romances + Purpose: Let’s start with the number of people you dated steadily before you got engaged. I’ll claim two steady dates for the purpose of this exercise. (If you had a more interesting dating career than I did, let’s limit it to four, for the sake of both modesty and brevity.) So, the first character of all my passwords will be 2. Next, we’ll include the initials of our steadies. Mine were GK and EM, so I will add those letters, capitalized, so all my passwords will begin with 2GKEM. For the Purpose – remember, the name of our system is Romances+Purpose – we will use the first syllable of each word of whatever we need a password for. If our first one is Fidelity Investments, my password will be 2GKEMfidinv. Well, now, look at that — it’s more than 8 characters long, includes at least one upper-case letter, at least one lower-case letter and at least one number, so we’re probably all set. Now let’s say I need a password for Microsoft 365; that one would be 2GKEMmicthree. A password for Shell Fuel Rewards? That would be 2GKEMshellfuelrew. See how easy this is? It’s a snap to generate the passwords, you probably won’t guess wrong more than once when you need to remember one, and unless you’ve been sharing way too much information about yourself both online and offline, nobody other than you should be able to figure out how you came up with the first part of each password.

System 2 – Old Address + Purpose: This system works just like the previous one, but we’re going to base it on an old street address. But don’t use your current street address, or even one from as much as 20 years ago, because anyone who knows a little something about you could probably Google it. Instead, use the first address you can remember, from when you were very young. If you’re too young to remember life without the Internet, then pick on an address that isn’t associated with you, such as one where your grandparents lived, or maybe just an address you remember because you spent significant time there, such as a school or place of worship. I’m going to use the address of the first house (not apartment) that I lived in. I’m sure that this address is not associated with me in any databases, because I only lived there as a very young child for one year more than 40 years ago, and my parents didn’t even own it; they rented it. For privacy reasons, I’m making the address up rather than revealing what it really was, so let’s say I lived at 31 Harley Avenue, Leroy’s Point, NC. Taking the address number and the initials of the street and city, I have 31HALP. That will be the beginning of each password I generate using this system. For the rest, I’ll use the first syllables of each word of the name of whatever the password is for. So, for example, a password for Adobe Creative Cloud might be 31HALPadcrecloud, a password for the Illinois Department of Revenue might be 31HALPilldeprev, and so on.

System 3 – Tagline + Number + Purpose: OK, suppose the systems above are just not memorable enough for you. Or maybe you had a lousy romantic life before you met your spouse (or maybe you’ve never dated or been married), or you had an awful childhood and would rather forget all the addresses at which you spent significant time. No problem, here is something completely different. Let’s start with a phrase that’s memorable to you. I’m going to use the first line of a ridiculous poem that I once heard: “I gave my love a rubber peach”. We’ll take just the first letters of each word, all in caps, so I’m starting with “IGMLARP”. Next, I’m going to add the number 2. This is just to satisfy the “at least one numeral” rule that most sites require a password to include, so you could use whatever number you like, but to keep things easy to type, I would limit this to one or two digits. So, each of my passwords will start with “IGMLARP2”. Finally, we add the first syllable of each word of whatever we’re logging into, as before. So, my password for Jewel-Osco would be IGMLARP2jewosc, my password for Target would be IGMLARP2tar, and so on.

You have now seen three different methods that can be used to generate unique passwords that are easy for you to remember and hard for anyone else to guess, even if they know you well. Could you come up with passwords that are more secure? Sure, you could, but these are good compromises of ease of generation, ease of remembering and security.

Of course, even the best passwords can be stolen, perhaps by someone looking over your shoulder as you enter one, or by you falling for a phishing scam. That’s why there are password managers that can securely store your passwords for you, make up passwords that are far more complex than anything you could type or remember, and automatically provide your logon credentials when you need to log into something. These password managers associate web site logon credentials with the web addresses of the sites they’re for and aren’t fooled by fakes, so they even help thwart phishing attempts. In addition, there are more secure methods for logging into systems, such as two-factor authentication and hardware-based authenticators that use your smartphone or a USB device to log you in. But each of these deserves its own discussion, which will happen in future blog posts.

Laptop Upgrade

Just a quick entry for today.

It’s not often I get a chance to show something like this, but I have a client who happens to be replacing an old laptop with a new version of the same laptop. Here they are, side by side.

On the right, we have the old laptop, a Dell Latitude E7440 that was originally purchased in 2015. I believe it met Intel’s definition of an Ultrabook back then: fairly thin, weighs no more than 3 pounds, fast and powerful. This is actually a loose definition; Intel codified the specifications a laptop needed to meet in order to be an Ultrabook, and the better equipped versions of the Dell Latitude E7440 met them. This particular sample has a 4th generation Intel Core i5 processor, 8GB memory, and a 480GB SATA SSD. That SSD is an upgrade I installed; the laptop came with a 128GB mSATA SSD.

On the left, we have the new laptop, a Dell Latitude E7420. As you can see in the photo, it’s a little shorter than the older version, and it’s svelter and lighter as well, just over 2 pounds. It has an 11th generation Intel Core i5 CPU, 16GB memory and a 1TB NVMe SSD. As before, that SSD is an upgrade I installed; this laptop shipped with a 256GB NVMe SSD, and the client needed more local storage.

If you look closely at the photo, you can see that the old E7440 laptop has seen plenty of action, including what looks like some drop damage on the front right corner. You can’t see it in the photo, but the touchpad buttons are pretty well worn and not very responsive. But it still boots and runs at seven years of age, which makes this laptop a survivor. Hopefully, the new version will stand up to the test of time as well as its predecessor did.

So, What Printer Does the IT Guy Recommend? (Part 2 of 2)

In my last post, I explained why I won’t attempt to fix printers, particularly inkjet printers, for clients, and I illustrated my reasons by showing how my own inkjet printer had developed a problem that was too expensive to fix, even though I was providing my own skilled labor. That undoubtedly left you wondering what printer I would recommend, and perhaps hoping that I would demonstrate my choice by buying one for my own home office. Well, I am going to partially disappoint you. I’m not going to make any printer recommendations, because I don’t find any affordable printer satisfactory. For the last year or so, I have been telling clients to just go out and buy a printer they like, and I would set it up for them as best I can. But since I now had to make this very decision for myself, I thought it might be helpful for you to see how an IT pro goes about determining which printer is the least of all the evils for his own use.

In the affordable (under $500, considering today’s prices) printer space, the first two options – color/monochrome and printing technology – are more or less considered together. If you expect to print in color, that dictates an inkjet printer, because color laser printers are relatively bulky, heavy and start at over $500, and none of the color laser printers that cost less than $1,000 will print color photographs well. If you have no use for color, and just want a monochrome printer, then you’re automatically looking at monochrome laser printers, because except for specialty printers, there are no monochrome inkjet printers. The last time I owned a laser printer was in the mid 1990s, when I obtained a secondhand HP LaserJet Series II. Since 1998 or so, when I bought an HP DeskJet 720c, I had only owned color inkjet printers. They were good for the kids’ homework assignments, which often involved color graphics, and for awhile, I also printed my own greeting cards and photographs. So, I figured on getting another color inkjet printer.

Next came the options. In addition to printing, I do a lot of scanning and some copying, so an all-in-one printer makes the most sense for me. I usually print on both sides of the paper in order to save paper, so duplex printing was a must. Much of the scanning I do involves multiple pages, often both sides of each page, so my new printer would also need to have a document feeder and support automatic duplex scanning as well. Finally, I have multiple computers that have to use the printer, and it will occasionally be used by a tablet and maybe a smartphone or two. That meant my new printer would need to be a network printer, and since Ethernet is a much more reliable way to network a printer than wi-fi is, I wanted the new printer to have an Ethernet connection option. My Epson WorkForce (second to last printer) had two paper trays, so I could load photo paper or envelopes without unloading my regular letter paper. My Canon MAXIFY (last printer) lacked that, and its paper handling was inconvenient in comparison, but still, this would be a nice-to-have feature, not a must-have feature. So… I wanted an inkjet all-in-one printer with a document feeder, automatic duplex printing, automatic duplex scanning and an Ethernet connection, multiple paper trays optional.

Now it was time to consider brands. This narrowed my choices considerably. I have learned to avoid HP all-in-one printers, and some of their simple printers, because I have come to consider HP’s printer software dysfunctional. In the years after I bought my aforementioned HP DeskJet 720c printer, HP continued to develop the software package that they distributed with their printers. Its core components were given ever more features, making it more capable, but also making it arduous to install, a drain on computer resources, and prone to malfunctioning, which often needed to be fixed by uninstalling and reinstalling it, doubling the arduousness. More recently, HP replaced all that with a new app that they call HP Smart. The problem with it is that I have found the name “HP Smart” to be a misnomer. HP Smart is supposed to detect your new HP printer, find whatever drivers and software it needs and install them. In my experience, though, HP Smart fails to do that, requiring me to seek assistance online to get the printer installed. Once everything is up and running, HP Smart also becomes the scanning software, if the printer is an all-in-one, and in most cases, it doesn’t support scanning directly from the printer console. That’s not the end of the world if the printer is right next to the computer, but it’s a nuisance when scanning to a computer across the room or in a different room. So, no HP models for me.

My last two printers were an Epson WorkForce model, with what Epson calls “Precision Core” technology, and a Canon inkjet model, both of which failed prematurely due to print head clogs and failures. My online investigations indicated that this is an ongoing problem with Epson and Canon models. Still, technologies evolve and improve with time, so I might have been willing to take a chance on one of these brands again if I had been able to find one for less than $150 with the features I wanted. But I found that inkjet all-in-one printers with document feeder, automatic duplex printing, automatic duplex scanning and Ethernet connection were priced in the $300 range. For that kind of money, I wasn’t taking a risk on another Canon or Epson model.

That left Brother and a small selection of off-brand printers. The problem with off-brand printers is that consumables – ink, mostly, but sometimes other parts – might be hard to find. And it turned out that the only Brother models that had the feature set I wanted were large-footprint printers that could accommodate ledger-size paper. I have no use for ledger-size printouts, and I have no room for a printer that large. Those bruisers were expensive, too, with prices starting around $450. So, I found myself at a dead end.

That’s when I decided to reconsider whether or not I needed to be able to print in color. I haven’t printed a color photograph in over a year because I’ve found a number of online services that charge less to print and mail me color photos than I would pay for ink and photo paper to print them myself. That’s not as convenient as the ability to print my own photographs on a whim, but I almost never need color photos right away. My two older children used to print homework assignments in color all the time, but I only have one kid in high school now, and she mostly submits her assignments online and rarely needs to print anything. I haven’t made my own greeting cards in years, and I don’t think I even have any greeting card stock left. None of my business printing requires color.

Relieved of the need to stick with inkjet technology, I started my shopping expedition over again, this time looking at compact monochrome laser all-in-one printers with document feeders, automatic duplex printing, automatic duplex scanning and Ethernet connections. I found far more and better options. I still ruled out HP because of software concerns, and Epson doesn’t make any laser printers, but I knew of some venerable Brother MFC-L2700 series models and Canon imageCLASS MF200 series models that would likely be in my price range. I also hoped to find some small business models from Lexmark, Okidata, and Samsung.

In the end, the best deal I found was on the Brother MFC-L2750dw pictured at the top of this post, so that’s what I purchased. I knew it would do everything I needed it to do, because I have resold that same model to clients in the past. It uses two consumables other than paper: toner cartridges, which yield anywhere from 2,500 to 5,000 pages depending on the capacity you buy; and drum units, which last for about 15,000 pages. Brother-branded toner cartridges aren’t overly expensive compared with other printers’ branded cartridges, and Brother’s MFC-L2700 line is very popular, so there is very affordable 3rd party toner available for it. I’ll probably stick with Brother branded drums, which also aren’t terribly expensive, especially since I anticipate that mine will last 3-4 years apiece at the rate I print.

My new Brother MFC-L2750dw printer doesn’t have dual paper trays, but it does have a single-sheet override slot. That should make envelope printing more convenient.

Printer reliability has been a sore spot for many years now. My inkjet printers have lasted about 4-1/2 years on average, and even laser printers, which were once known to outlast virtually all other kinds of office computer equipment, now sport a lot of poorly made plastic parts. However, I’ve resold the Brother MFC-L2750dw and its predecessors to about 20 clients, and most of them have lasted 7 years or more. At least one that a client bought in 2010 or 2011 still works perfectly and has never needed anything more than consumables and an occasional paper jam removal. So, the chances of this one lasting longer than two inkjet printers – that’s roughly my break-even point, if we only consider the price of the printer – seem pretty good.

Is the Brother MFC-L2750dw perfect? No, not at all. I really wanted a color laser printer, but affordable, compact color laser printers that print photographs well do not exist. Professional reviews of this model suggest that other laser printers, such as the Canon imageCLASS MF200 series and most HP LaserJets, have better print quality, especially on graphics and very small fonts. And the MFC-L2750 printer driver on my laptop already messed itself up once and I had to reinstall it. But as I said at the beginning of this post, no affordable printer is truly satisfactory. As long as this one’s shortcomings are things I can live with, that’s the closest thing to a win that I can expect.

No, we’re not going to try to fix your printer. Here’s why. (Part 1 of 2)

The printer pictured at the top of this post is my recently failed Canon MAXIFY MB5120, an all-in-one inkjet printer I’ve had a love/hate relationship with pretty much ever since I bought it. I loved that it printed very well and scanned very competently, at least when it worked properly. I hated the haphazard way that Canon implemented its otherwise thoughtful feature set. For example, the printer offers fairly robust paper handling, but it is so inconvenient to change paper types on this model that I mostly found myself trying to avoid doing so. I loved that this printer is primarily intended to be used as a network printer, but hated that it took at least five minutes for the printer to wake up its network interface and connect to my (wired!) network after being power cycled. But most of all, I hated the frequency with which its print head would become partially clogged. For most of the time I’ve had this printer, I could never be sure if a print job was going to print in full color or not.

This printer is not “dead”. Notice that I said it had merely “failed”. It could be fixed, if someone wanted to do so badly enough. The problem is that it needs a new print head, and the cost of a new print head is close to what I paid for the whole printer. That’s more than I’m willing to pay to fix a printer that I’m not enamored with, even at today’s new printer prices, especially considering that a new print head probably wouldn’t perform better or last longer than the original one did. But the tale of how I got to this point with my printer will demonstrate to you why I generally won’t attempt to fix clients’ printers.

As I wrote earlier, this printer has always had problems with clogging print head nozzles, no matter whose ink I used in the printer. The trouble started even before I ran out of the Canon brand ink that came with the printer. I’m also quite sure the problems weren’t caused by the print head drying out, because I normally print upwards of 20 full color pages per week. Whatever the cause, certain colors wouldn’t print consistently; sometimes, it depended on whether I was printing on plain paper, envelopes, card stock or photographic paper. When the problem became consistent, I would run the built-in cleaning cycle, and if that didn’t clear things up, I’d run the deep cleaning cycle. Usually, one or two deep cleans would get things looking right again, but by the time the printer was six months old, the built-in cleaning cycles weren’t doing any good.

I suppose I could have made a warranty claim at that point. However, the Canon MAXIFY MB5120 has a print head that can be removed fairly easily for cleaning (or replacing), unlike the printer it replaced, an Epson WorkForce WF3640 all-in-one. (Part 2 of this series will discuss more about this.) A simple head cleaning seemed like a task that should be easy enough for one who fixes computer equipment for a living, so I looked up the procedure for my MAXIFY MB5120 and went to work on it. Getting the print head out was easy enough; finding ways to flush the print head out with solvent was more challenging. The job took me the better part of 2 hours, and I left the print head out to dry overnight, but when I put the print head back in, the printer was back to printing normally. Annoyingly, there was enough solvent left in the print head that it took about 50 pages worth of printing before the ink stopped smudging, but overall, it was a win.

About a year (and two sets of compatible ink cartridges later – so there, Canon!), I had to clean the print head again. The procedure and inconvenience were the same as the first time, but again, I had a working printer when I was done. The printer continued to work reasonably well for another year and a quarter.

Then, about a week and a half ago, the printer started producing muddy, inaccurate colors, skewing to red/brown. Clearly, there was a problem with cyan ink delivery. In fact, the built-in nozzle test print showed that the printer wasn’t squirting any cyan ink at all. The built-in cleaning and deep cleaning cycles didn’t restore even a little cyan ink flow, so out came the tools, and out came the print head for another manual cleaning. Only this time, when I put the print head back in, it still wasn’t delivering any cyan ink. Well, that wasn’t good. I could see the ink flowing during my cleaning procedure, so I was sure I wasn’t just experiencing a bad clog. Then the printer began having trouble recognizing the ink tanks. That combination is a pretty good sign of a print head gone south.

I went searching online for a replacement print head, but quickly discovered that the only thing harder than finding a print head for this printer that cost less than I had paid for the whole printer was finding one that I could get in the first place. Most sellers were out of stock. That wasn’t surprising, because my printer is almost three years old, and Canon doesn’t seem to be producing it anymore. (It’s still available as new-old stock from some online sellers, for about twice what I paid for it, but I don’t like this printer enough to pay that much for another one.) I finally found an Amazon seller offering the print head for just over $50, so I went for it.

A few days later, my replacement print head arrived. The inner foil package was torn open, the plastic head protector was missing and there were drops of clear liquid all over it; not good signs. Nevertheless, I installed it in the printer, put in my ink tanks, powered up the printer and… the printer displayed an error code. It didn’t take much troubleshooting to determine that I had received a faulty print head, so I filed for a return, and the seller sent out another one. The second print head looked more promising, as the package was properly sealed. The printer didn’t display any errors after I installed it, but when I printed the nozzle test, the cyan, yellow and magenta test patterns were fine, but there was a big gap in the black test pattern. I ran another cleaning cycle, followed by a deep clean, neither of which fixed the problem. Not surprisingly, when I tried printing a web page as a live test, much of the black text was unreadable. It was now apparent that a) the print head seller was peddling refurbished print heads, and b) he was doing a poor job of refurbishing them. I filed for another return, and was only offered the option for a refund this time, which was just as well because I really didn’t want to find out if the third time would be the charm or not. So, I am now in the market for a new printer, which will be Part 2 of this series.

Let’s recap what this process has entailed so far, and the amount of time I’ve wasted doing it. First, there was the job of trying to clean the original print head. That took about two hours of my time, not counting downtime for the printer. Then there was shopping around for a replacement print head, which took about another hour and a half. Then we have removing three print heads and installing two (remove original, install first replacement, remove first replacement, install second replacement, remove second replacement), each of which took about 15 minutes. Finally, there will be the time and inconvenience of taking the defective print heads to my nearest Amazon dropoff so I can get my purchase price back, which will be another half-hour. All together, that’s 5.25 hours, which would be up to $446.25 of billable time, if I were doing this for a client.

And there’s the rub, as Shakespeare might have said. Most inkjet printers aren’t worth $446.25. In fact, even with today’s inflation goosed, supply chain affected printer prices, most of you would be loath to spend more than $300 on a brand-new inkjet printer, much less $400+ to fix an old one. That’s why if you call to ask me to come and fix your printer, I will most likely tell you to just replace it. It’s not because I’m lazy or I feel that printer repairs are beneath me. It’s because I know from experience that trying to fix your printer will cost too much money with too little chance of success to be worth the attempt. In the end, you’ll spend less money and be more satisfied if you cut your losses and buy a new one.

My Email Was Hacked! (No, it wasn’t.)

Every two or three weeks, I get a call from someone who is sure their email was hacked. As the title of this post implies, in every case to date, I have found that their email was not, in fact, hacked, but there are a number of reasons why someone not thoroughly familiar with how the online world works might think otherwise. Note that just because someone’s e-mail wasn’t hacked doesn’t mean that a bad actor didn’t gain access to it. The purpose of this post is to help you understand how this actually happens and what you can do to protect your email account.

Hacking vs. Cracking

Let’s start with proper terminology: If someone gains access to your email account, or any other account or device you have, that isn’t hacking per se. “Hacking” means writing a short computer program for some very specific purpose. That purpose isn’t necessarily malicious. In fact, traditionally, it wasn’t malicious. Think in terms of “life hacks” featured in YouTube videos that show you how to soften butter faster for baking, or get wrinkles out of shirts without ironing, or build a mousetrap for less than $1.00. In the programming world, “hacking” is, quite literally, coding a hack, i.e., writing a bit of program code that solves a specific or unanticipated problem. For example, one of my clients depends heavily on being able to access data on a NAS via certain drive letters. Windows sometimes “forgets” those drive mappings, so I wrote a hack for them, in the form of a batch script, that re-establishes their drive mappings.

The proper word for breaking into a device or account is “cracking”.

Once upon a time, cracking usually involved hacking, although as you’ll see later in this post, that is usually no longer the case. Therefore, I’m going to use the words “crack”, “cracked” and “cracking” when referring to accessing someone’s account or device without permission.

How Can You Be So Sure That My Email Wasn’t Cracked?

The short answer is because cracking the security on email servers is hard, and crooks are lazy.

As I’ve said often, the days when people wrote malware, broke into computers and committed other online mischief just to get a thrill or show off or maybe find a job as a programmer are long gone. That’s not to say people no longer desire those things; it’s just that technology has provided more effective ways to get them.

Nowadays, people trying to get into other people’s accounts are usually trying to steal money. The attempt may be direct, like getting into someone’s bank account, or indirect, like using someone’s e-mail address to send out scammy spam mail that tries to bilk lots of people out of their savings. On rare occasions, the unauthorized access may be the work of an online stalker or cyberbully, but most of the time, money is the motive.

What nearly all modern cyber-criminals have in common is that they’re lazy and impatient. Getting good enough at cracking to breach logon security takes a lot of time, effort and money. That’s why I can be so certain that your email wasn’t cracked. Server software companies learned decades ago that as long as their logon systems were easy to defeat, there would be crackers breaking in, so they made logon systems among the toughest to crack. That’s not to say cracking them is impossible. If you’re enough of a celebrity or your work involves the sort of information that international spy organizations want, there might just be enough motivation for a bona fide professional cracker to break into whatever computer systems you use and get it. And if you’re one of those high-risk individuals, then I recommend you stop reading here and go find yourself a very high-level cybersecurity company to protect your digital assets. But the overwhelming majority of us aren’t worth that kind of effort, and the petty crooks and schnooks who want access to our accounts aren’t motivated, patient or capable enough to crack in.

But someone got into my email! If they didn’t hack/crack in, how’d they get in?

The short answer is that you gave them your email address and password.

Previously, I said that cracking into servers, particularly email servers, is too hard for most of us to be worth the effort, and I stand by that statement. But it’s very easy and inexpensive to trick people into handing over their account logon information, and so that’s what modern cybercriminals do. Here are the most common ways this is done:


This is, by far, the most common method of stealing email passwords, as well as other kinds of account credentials, and even personal information. Since we started talking about people thinking their email had been hacked, I’ll pick on that. The perpetrator composes an email message intended to look as though it came from a popular email provider, such as Google (GMail), Yahoo or Microsoft ( The email will claim that your account has been compromised, that the company is cleaning up old accounts and you need to prove that you’re actually using yours so they don’t close it, or some other persuasive come-on to get you to click on a convenient link and log on. If you click on the link, it takes you to a web site that looks like your regular GMail, Yahoo Mail or logon page. And if you then type in your email address and password, it will add those to a list of email account credentials the crook has been collecting, then, most likely, pass you through to your real email account.

The reason you have no recollection of having been phished is because the crooks rarely make use of the addresses and passwords they collect. Instead, they collect them for awhile, then sell their lists on the so-called Dark Web, which refers collectively to shady web sites where stolen information is bought and sold. Whoever buys that list will eventually make use of your credentials, but that probably won’t happen until months after the phishing incident took place.


While less common than phishing, there have been incidences of malware being used to capture account credentials and report them via the Internet to a server-side program being run by cyber-criminals to collect them, either for their own use or for selling on the Dark Web. A number of data breaches reported by major companies in recent years were perpetrated by such malware.

The most difficult part of using malware to steal account credentials is getting the malware installed on a targeted computer. Computers running up-to-date versions of Windows or Mac OS have enough anti-malware software built right in to foil typical attempts to run malware on them. Some of the corporate data breaches of the last few years were perpetrated by insiders, who were employees who were disgruntled, bribed or new hires who were part of the cyber-criminal ring. In other cases, phishing or tech support scam pages were used to trick employees into turning off their computers’ antivirus software and installing them malware, or allowing a criminal to remote in using common remote control software to run the malware.

OK, so someone got into my email because they have my password. What do I do now?

If you still have access to the account, log into it right away, change the password and make sure your account recovery information, typically a cell phone number and an alternate e-mail address, is set so that you and only you receive account recovery and password change request messages. This will lock out the unauthorized person and any ‘bots sending out spam via your account.

And what can I do to prevent this from happening again?

The single best thing you can do to prevent an account takeover – which is what generally happens after your email account credentials end up in the wrong hands – is to turn on two-factor authentication (2FA), sometimes called multi-factor authentication (MFA). Doing this requires anyone wanting to log into your email to have physical access to a second device, usually your cell phone, in order to log into your account, even if they have your e-mail address and password. That, combined with making sure your account recovery information is up-to-date, makes your account extremely difficult to take over.

2FA/MFA works by either sending a message to your second device anytime you want to log into your email, or by requiring a code generated by a smartphone app, such as Google Authenticator. It’s a minor inconvenience, but one well worth bearing, as it makes an account takeover almost impossible.

2FA/MFA is fine for people who access their email via a web browser, but it was a tough sell for those who use 3rd party email client software, such as Windows Mail and Mozilla Thunderbird, as it locked those programs out. Fortunately, 3rd party email clients have evolved to work with 2FA/MFA or their alternatives. For example, Mozilla Thunderbird can display a GMail logon page, and it is also designed to work with the Oauth2 protocol that GMail uses to allow 3rd party software to work with it.

But it’s so convenient to use the same password for more than just email. Is there anything else I can do to foil phishing?


For starters, get a password manager that will store your passwords invisibly and securely, will fill them in for you whenever you need to log into something, and can be shared among your computers, phones and tablets. That way, you can have the convenience of just remembering one password – for your password manager – without putting your email and other accounts at risk. Lebowitz IT Services is pleased to offer LastPass subscriptions on a monthly basis to our clients.

For our corporate clients, we also offer MailAssure, a world-class, managed anti-spam system. Anti-spam systems treat most phishing attempts as spam. We also offer Ironscales, another managed solution that targets phishing attempts that get past your anti-spam solution and quarantines it.

Finally, learn to recognize what phishing looks like. Remember the old refrain, “But I read it on the Internet — it must be true!”? Internet access has been commonplace for over 20 years now, but surprisingly, there still people who believe that. Phishing depends heavily on that mindset, or at least on the reader’s unwillingness to think critically about what’s on the screen in front of him. If the e-mail message has a Fifth/Third Bank logo in it, then it must have come from Fifth/Third Bank, right? Well, wrong, actually!

I’ve read many articles that talk about telltale signs that can help you recognize phishing attempts. A logo that doesn’t look quite right or doesn’t match the name of the company that the message purports to be from are two such signs. Misspellings, poor grammar, circumlocutions and stilted wording are others. An email domain name that doesn’t look like the company’s domain name is yet another sign, as are URLs that don’t look anything like the company’s domain name when you hover your mouse pointer over links in the message. But all these require attention and a bit of technical knowledge that not everyone has, and many people don’t have the English skills to spot misspellings and grammar mistakes.

So, is there anything that can tip you off to a phishing attempt even if you didn’t ace AP English or have a degree in Computer Science? Absolutely.

Start by looking at the name of the company the message is supposed to have come from. Have you ever had an account with that company, or done business with them in any capacity? You’d be surprised how many people don’t ask this basic question. If you receive a message saying your Yahoo Mail account is going to be deleted if you don’t log into it *right now*, and you can’t remember ever having a Yahoo Mail account, that’s a sure sign of a phishing attempt. If you receive a renewal notice for McAfee or Norton security software, and you have no recollection of ever buying their software, then the message is most likely a phishing attempt. If you need more evidence, hover your mouse over each icon in the “hidden icons” section of your Taskbar Notification Area. If you don’t find a McAfee or Norton icon there, then you aren’t using their software, and the message is most likely a phishing attempt.

Another question to ask yourself is, “Why would this company send me this kind of message?” Since we’ve been talking about email account cracking and takeovers, let’s pick on GMail. GMail is Google’s email service. Google is a company that has long been accused of keeping too much information about everybody. How much information is too much, what kind of information is appropriate for them to keep, and even whether or not this assertion is true are beyond the scope of this article, but if you accept it as fact, then why would Google need to ask you to log into your GMail account *right now* to confirm that you’re still using it? (I’m just going to let that one sink in for a moment. How is it that the same people who believe Google tracks what they ate for breakfast this morning can be tricked into thinking that Google doesn’t know when they last checked their GMail?)

Finally, think about the propriety of using email, which is generally a non-secure, easily faked means of communication, to reach out to someone whose account has been flagged as problematic. The majority of companies know better than to do that. What they do if their internal checks detect something amiss about your account is they lock your account and simply wait until the next time you try to log in. When you do, they display a message saying that your account is locked and why, and then they direct you to a page where you can take whatever action is appropriate, such as changing your password or contacting Customer Service. So, if you receive a message in your email that notifies you of an account problem, particularly if it includes an all-too-convenient hyperlink to a web form, that’s probably a phishing attack.

SSDs Fail, Too

I’m on the second week of helping someone recover from an encounter with ransomware. The details of that aren’t relevant, except that it’s likely that the next few blog posts will be drumbeats for backups. If you already have a backup regimen in place, good for you; you can stop reading now and go check to make sure your backups are running when they’re supposed to. For the rest of you…

The photo above is of a solid state drive – SSD, for short – that came out of a client’s laptop. There are two remarkable things about it. The first is its size. It’s an M.2 2230 NVMe SSD. M.2 is the type of socket it fits into. NVMe stands for “Non-Volatile Memory Express”, which means nothing to you unless you’re a computer hardware engineer or you’re playing a very recently revised game of Trivial Pursuit, but it’s the fastest type of consumer-replaceable SSD available as of this post. The 2230 is probably the most interesting thing about this SSD, because it describes its physical dimensions: nominally 22mm wide by 30mm long. SK Hynix managed to cram 512GB of memory on this tiny thing. Most 512GB SSDs are size 2280 – 22mm wide by 80mm long. I placed the SSD in the protective container from a 2280 size SSD to offer you some perspective.

That leads me to the second remarkable thing about the pictured SSD: it failed. So, if you guessed that the protective container it’s sitting in came from its replacement, which was a more common 2280 size SSD, then you deserve an award for deductive reasoning. But depending on who you’ve asked about data storage options recently, you might also be asking, “How’s that again? An SSD FAILED? They can do that?”

The short answer is yes, SSDs can fail, even though they have no moving parts. You may have been told by me that SSDs are far more reliable than conventional hard drives, and that modern ones typically outlive the computers they’re installed in. I stand by those statements, and, in general, I don’t install conventional hard drives anymore. But while SSD failures are rare, they do happen. (Don’t fixate on the brand or model here. With only one exception, and this SSD isn’t it, nothing in my experience suggests that any one brand or model of SSD is any more or less reliable than any other.) When they do fail, they usually do so catastrophically and with no advance warning. In addition, SSDs offer no inherent protection against malicious data destruction, such as ransomware encryption, and because they store and handle data very differently from hard drives, many of the tricks for getting files back after accidental deletion don’t work on SSDs.

So, even if all your computers use late-model SSDs for data storage, making and keeping regular backups is a must. If you don’t have a regular backup regimen, reach out to us right away. Getting started with a backup plan is quick, painless and inexpensive, and even the most expensive backup plans we offer cost a lot less than data loss, recovery attempts and related downtime do.

Cable Management: It’s a Necessity, Not an Option

Let’s face it, nobody likes to take the trouble to organize all the cables that run between their computer peripherals. But failure to do so can make it difficult to troubleshoot or replace equipment that fails, and also lead to a nest of cables that you can hook with your shoe all to easily, which can result in unplugged devices and even damaged cables. Then there are the extreme cases, like the time I was called in to unscramble a mass of cables running over and under a tabletop. That mess, which had been growing for years, was hiding cables that went nowhere, obsolete equipment and even old network hubs that should have been replaced with switches over a decade earlier. The result not only looked neater and made for easier service, but also improved network speed and reliability considerably.

Fortunately, organizing your cables doesn’t have to require anything fancy. Here is an article from that shows how to do it with inexpensive hardware items and even things you might have lying around the house.

Windows Wednesdays – “Folders” On the Windows 11 Start Menu

If you liked the Choose Which Folders Appear on Start settings in Windows 10, then you will appreciate today’s tip. I am going to show you how this feature was implemented in Windows 11, and how it makes use of otherwise wasted space on the Windows 11 Start Menu.

By default, the Windows 11 Start Menu has a line of empty space along the bottom, outlined in red in the picture below:

The good news is that you can fill that space with shortcuts for things like Documents, Pictures, Network and Settings, just as you may have had in the left margin of the Windows 10 Start Menu. To do that, start by opening Settings. There are a number of ways you can do this, but one good way is to right-click on your Start button and then (left) click on Settings, as shown below.

This will open the Settings window. From there, click Personalization.

From Settings -> Personalization, scroll down (a scrollbar will appear along the right edge if you hover your mouse pointer over it) until you see Start in the right section, then click on it.

From the Start subsection, click on Folders.

You will now be looking at the Folders subsection.

On my computer, I then need to scroll the right section of the window down a bit (again, there’s that hidden scrollbar along the right margin) so I can see all the folders. If your screen is large enough, you might not need to do that. I then click on the Off/On toggles for each “folder” I want to appear at the bottom of my Start Menu, like this:

Note that these are the items I like to have at the bottom of my Start Menu. Your preferences may vary. When you’re finished, simply close the window; there’s no Save button to click. Now, when I click my Start button, my Start Menu looks like this:

The red rectangle won’t appear on your Start Menu. I just added that to highlight my new, useful icons. But here’s something that will appear: If you hover your mouse over one of your new icons, the icon will highlight and a fly-over description will appear. Here’s an example in which I hovered my mouse over the Documents icon:

Windows Wednesdays – Widgets

Windows Vista, which many people don’t remember because it was widely considered a rough draft of Windows 7 as well as the second-most-infamous Windows That Should Never Have Happened, introduced an interesting, entertaining and even somewhat useful Desktop feature called Sidebar. Sidebar was a narrow rectangle of Desktop space, resembling a filmstrip, that could display clickable rectangles of information on the Desktop. Each of those rectangles contained a mini-app, which Microsoft called a Gadget, which was written in some combination of HTML and web scripting languages. Users could control the dimensions of the Sidebar and how many Gadgets were in it. It was probably used most often to display a clock, although I recall seeing Gadgets that displayed news feeds and thumbnail slideshows of the user’s Pictures library. Sidebar was available for awhile in Windows 7 (also, curiously, in Windows Server 2008), but at some point, Microsoft began recommending that users stop using it because its ability to run HTML and web scripts outside of the “sandbox” of a web browser made it a security threat. Microsoft eventually removed it about halfway through Windows 7’s lifecycle.

In the meantime, people were introduced to smartphones and tablets, both of which allow users to place handy information displays on their home screens using elements called “widgets”, at least on Android phones and tablets. For example, I placed widgets that display weather information, my current day’s schedule and my top five Evernote notes on my Android smartphone’s home screens. I can tap on the information in those widgets to open them up in their respective apps and interact with it.

Given how useful widgets are on phones and tablets, it’s not surprising that Microsoft decided to try another stab at bringing that functionality to the Windows desktop. And in Windows 11, they have done exactly that in a new feature called, predictably enough, Widgets.

However, Widgets in Windows 11 behave differently from widgets on a smartphone. I actually consider that a good thing, because I, for one, use my desktop and laptop computers very differently from the way I use my smartphone. The nature of a smartphone – small screen that can really only display one app at a time, and limited processing power and memory that really aren’t that great at multitasking – pretty much guarantees that you’ll be returning to your home screens often. And every time you do so, you see your widgets. Contrast this with a computer. I don’t know about you, but I always have lots of windows open on my computers, and I switch among them using keyboard shortcuts as the Taskbar, so I rarely see my Desktop. If my Widgets lived on my Desktop, I wouldn’t see them often, and they wouldn’t be convenient to access. So, Windows 11 provides a Widgets window for looking at and interacting with Widgets.

You can open the Widgets window from your Taskbar:

If you don’t see the Widgets icon, circled in the picture above, you may have turned it off. To turn it back on, simply right-click on the Taskbar anyplace where there isn’t a program icon, choose Taskbar Settings from the context menu and then turn Widgets back on from there.

After you click the Widgets button in the Taskbar, the Widgets window will open.

Click on something displayed in any widget to open it up in a web browser — Microsoft Edge, of course. Widgets with a line of horizontal or vertical bubbles contain multiple windows of content. Hover your mouse over the line of bubbles to make its scroll arrows appear, and then click on one of the scroll arrow to move to another item in the widget. The selection of widgets and their content appear to come from the same sources as the MSN news feed that Microsoft Edge displays on new tabs if you selected the “Informational” option when you set up Edge.

Do my Widgets look a little sparse and lonely? Don’t worry, there are plenty more. Did you notice that the window has a scroll bar? (To be fair, it’s hard to notice the scroll bars in many Windows 11 windows. That’s one of the things I dislike about it.) Here is another screen print to point it out:

There, now you can’t miss it – I’ve put a red oval around its slider. Slide that down, or press the down arrow or Page Down on the keyboard, and you quickly find that there can be many more pages of widgets. Here’s the next screenful of mine:

You can move your widgets around by dragging and dropping them within the Widgets window. The process feels similar to rearranging the Start menu in Windows 10, actually. Also notice that each widget has a horizontal 3-dot button in its lower right corner. This allows you to customize the widget’s size, content and other options, or remove it from the Widgets window.

If you accidentally delete a Widget that you’re interested in, or you simply want to see what other widgets you can add, scroll back to the top of your Widgets window, and click the “Add widgets” button:

Doing this will, of course, display a window of widgets you can add:

So, are widgets useful? The answer to that is highly subjective. Personally, I don’t use them very much, because I find a web browser to be a much more precise way to look for information. Those who are more in tune with the smartphone way of doing things may find widgets more helpful. Then again, those who are more in tune with the smartphone way of doing this may simply find themselves reaching for their smartphones. Ultimately, the only way to find out if Windows Widgets are useful to you is to use them. If you’re inclined to do that, hopefully I’ve given you a good start.

Windows Wednesdays – Focus Assist & Night Light

In my last Windows Wednesdays post, I began exploring Windows 11’s new Quick Settings panel. This week, I’m going to highlight two features that were actually introduced in Windows 10, Focus Assist and Night Light, which didn’t get much attention at the time because Microsoft didn’t do anything to call attention to them. Windows 11 brings them nearly to the forefront by featuring them on the default Quick Settings menu. So, unless you had reason to seek out these features before, you’ll probably notice them for the first time after upgrading to Windows 11.

Focus Assist is an interesting, almost ironic addition to Windows. Back in 1990, I attended a Microsoft product roll-out presentation for Windows 3.0, which had just been released to the public. The presenter was quick to show how Windows constantly “talked” to you. (I put that in quotation marks, because few computers in those days had sound capabilities beyond the tiny “beep” speaker inside the case, and software that could actually talk to you didn’t exist yet.) And, if you weren’t sure what to do, just clicking anywhere with the mouse would probably make something happen. Contrast this with an article I read about Unix at around the same time, which described Unix as a terse operating system, because, to quote from the article, “…when there’s nothing to say, Unix says nothing.” Each subsequent version of Windows ramped up the amount of information relayed to us by the operating system, the ever-increasing variety of software running on computers meant even more messages for us to see, and networking, which brought web site messages, e-mail notifications and various kinds of instant messages, have all made the average Windows Desktop a very noisy place. As far as I know, Focus Assist is the first feature built into Windows that’s specifically intended to quell your computer’s constant calls for your attention, ostensibly so you can get your work done.

Focus Assist aims to do this by letting you decide what programs may interrupt you during various kinds of activity. You set this up by clicking on the Network/Volume/Power icon group in the Taskbar Notification area to display the Quick Settings panel, right-clicking on Focus Assist, and then choosing “Go to settings” from the context menu. After that, you activate Focus Assist by clicking on its pad in the Quick Settings panel; doing that rotates among Priority Only, Alarms Only and Off modes.

A detailed explanation of how to use Focus Assist is beyond the scope of this post, but if you’re interested in trying it out, here is a link to a great article to get you started:

Night Light is a much simpler feature with a much simpler mission: to reduce eye strain by reducing the amount of blue light radiating from your screen when you’re using the computer in a darkened room. As with Focus Assist, you can change its default settings by right-clicking on the Night Light pad in the Quick Settings panel and choosing “Go to settings” from the context menu. The relevant settings allow you to determine the balance of blue vs. red/green light (accomplished with a simple slide control), activate Night Light immediately so you can test your selected color balance, and schedule the computer to automatically turn Night Light on and off at certain times of the day.