Sunday, November 02, 2014

A Word About Passwords

This piece is intended to help the reader understand some basics about how website password security should be implemented. It's just a bit technical I suppose, but don't let that turn you off.  Read on if you want a better understanding of how easy it is to do passwords right, and how consumers just don't have a way of knowing who deserves an A and who deserves an F when it comes to this critical element of cyber security.

From time to time, we see headlines about massive data breaches, in which millions (recently over 1 billion) sets of user credentials have been stolen by cyber criminals. Scary stuff, right?

Most people don't realize that what happens behind the scenes, the actual security practices employed by the software architects and engineers, can vary widely in their efficacy. So having your credentials stolen from a poorly managed site is potentially a much worse thing than having them stolen from one that does things the "right" way. There really aren't any laws, or even a widely accepted seal of approval, for sites that employ best practices in this area. This fact should be even more scary than the data breach headlines, but it takes a minute or two to fully understand, and thus doesn't get much airplay.

False Sense of Security

Some sites require complex character combinations for passwords, while others don't seem to care. Have you ever wondered why some sites have very specific requirements on length, or the inclusion of special characters, and others don't? There is a general feeling that an interactive red=weak, green=good! indicator as you type means you are dealing with a firm that takes security seriously, and that you have less to fear than with sites which don't take such care.

But, that's not necessarily true.  Here's why.

1. If the site is actually storing the password you enter, that's bad! And there's really no way for you to know that unless they tell you.

2. Despite many, many warnings, a lot of people still use the same password for multiple sites.  Maybe even for ALL business they transact on the web.  For these folks, having their password stolen from one site could be a BIG problem.

If passwords were handled properly by all web developers, you could literally use the same password everywhere without fear of it being stolen by cyber-criminals breaking into this or that website's database.  Yes, really. How? See "The Right Way..." below.

What about https:// and that lock icon?

Most of us know that SSL (https:) and its associated lock icon (and green bar, sometimes) are things you should look for when logging in to a website. Secure Sockets Layer (SSL) provides encryption between your computer and the server it's communicating with, and it provides third-party identity verification for the website's operator. That's it - it does not have anything to do with how your credentials are stored on the other side of the connection. Don't assume everything is secure just because you see https in the URL.

The Right Way: Never Store a Password in the First Place

The right thing for the website developer to do is convert your password using a mathematical function (a hash) that acts as a sort of one-way scrambler. I'm calling it a "scrambler" here, but unlike a real scrambler it always yields the same result for a given string of characters. Without getting into the math, a hashed value cannot be reversed to determine your password, and that same repeatable property is what makes it useful: the code running the website simply runs the same one-way scrambler every time you log in and compares the result with what is stored for your account. If they match, you get in. And NOBODY (including people who work on that site) can know what you are using for a password.

Example: "password", when run through a typical scrambling (hash) function, yields:
5f4dcc3b5aa765d61d8327deb882cf99.

There are a number of commonly used hashing functions these days. Unfortunately, there are also pre-compiled lists of common words that have already been hashed. They are called Rainbow Tables. Click the link I inserted on the hashed value above and you'll see that someone has already figured that one out.

The solution for a developer is pretty simple: just tack on some extra random stuff to the user's password before running it through the hash function, and keep that "extra stuff" secret. This is called a "salt", and the result is a "salted hash".

Let's try again, using "password" plus a made-up salt value of "4d^yy8@2zqnde$3" appended on the end. We get: 061398b4d8ba7374aa11d61272360572, which doesn't show up in a Rainbow Table and cannot be reverse engineered. Use a different salt value and you get a different result. Try for yourself here, it's fun!

If you are still following along here, you see now that as long as sites all use different salt (aka secret key) values, and only store the result of the hashing function, you really could be perfectly safe using the same password everywhere without worrying when the next cyber-breach takes place.
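To make this concrete, here is an added Python example (not from the original post) that reproduces the unsalted hash of "password" quoted above and then walks through the sign-up and login checks a site should perform without ever storing the password. It goes beyond the post in two ways: the salt is random and different for every user, stored next to the hash rather than kept as one site-wide secret, and a deliberately slow function (PBKDF2) stands in for the fast hash in the text. The iteration count is an assumption to be tuned per deployment.

```python
import hashlib
import hmac
import os

# Example added to illustrate the post; not code from the original page.


def plain_md5_hex(password: str) -> str:
    """The post's first example: an unsalted MD5 of the password.
    Anyone with a precomputed table can look the result up."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def salted_md5_hex(password: str, salt: str) -> str:
    """The post's second example: the same fast hash with a salt appended.
    A fixed site-wide salt defeats generic precomputed tables, but every
    user with the same password still gets the same stored value."""
    return hashlib.md5((password + salt).encode("utf-8")).hexdigest()


# Assumption: PBKDF2 iteration count. Pick the largest value your login
# latency budget allows; every extra iteration slows a guessing attacker too.
ITERATIONS = 100_000


def make_password_record(password: str) -> dict:
    """What the site stores at sign-up: a fresh random per-user salt plus a
    deliberately slow hash. The password itself is never written anywhere."""
    salt = os.urandom(16)  # unique per user; it does not need to be secret
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_password(record: dict, candidate: str) -> bool:
    """At login: rerun the exact same scrambler with the stored salt and
    compare. The comparison is constant-time so response timing does not
    reveal how many leading bytes of the candidate matched."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def same_password_different_records(password: str) -> bool:
    """Two users who pick the same password get two different stored values,
    so a breached table cannot even reveal who shares a password."""
    a = make_password_record(password)
    b = make_password_record(password)
    return a["hash"] != b["hash"] and verify_password(a, password) and verify_password(b, password)


if __name__ == "__main__":
    print("unsalted MD5 of 'password':", plain_md5_hex("password"))
    print("salted MD5 from the post:  ", salted_md5_hex("password", "4d^yy8@2zqnde$3"))
    rec = make_password_record("password")
    print("stored record:", rec)
    print("login with right password:", verify_password(rec, "password"))
    print("login with wrong password:", verify_password(rec, "Password"))
    print("same password, two users, different records:",
          same_password_different_records("password"))
```

The stored record contains only the salt, the iteration count and the hash, which is everything needed to check a login and nothing that gives back the password.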

But again, it's really up to the folks who design the software that powers a particular website as to how they choose to implement password security.


Bottom Line

Bottom Line #1: Since you don't know if the websites you use are handling passwords correctly, you really, really need to use different ones for each site.

Bottom Line #2: If you manage this function in your company and don't know how this is done, you should find out immediately.  Storing actual passwords is not a good practice, and should never be done unless there is some super-good reason.


Thursday, October 02, 2014

tl;dr

I think it's true. The Internet is re-wiring our brains. People don't read anymore, they scan.  We can't help it - there is just too much stuff to be reviewed and possibly digested.  You are probably scanning this post right now. Quickly assessing whether it's worth your time to dig deeper.  Wondering, however briefly, if there is anything to gain by committing a few seconds to giving this a look.

What is this about, anyway?  It's about maximizing the chance that what you write will be read and understood by your audience.

Sometimes a longer memo or e-mail is just unavoidable.  You may have a lot to communicate, and you don't want to leave any important bits out.  And in some cases, it really is ALL important.

So how do you ensure what you write is going to be read?  I suppose you can't, but there are some things you can do to help.

1. Stick to the essentials. Don't waste time on a bunch of background or explanation that isn't necessary. You can always fill in the holes later if needed. Don't leave out information that helps make your case, but don't include a bunch of superfluous, non-essential details. The longer your piece, the more likely the reader is going to bail out early.

2. Break it up.  Pay attention to structure. Split up long sentences, make sure paragraphs and sections are in logical order.

3. Take time to get it right. Review what you write and make sure it's crystal clear and as short as you can make it. Come back to it later if that works for you. If it's really important, take some time to edit. Take out non-essential words. Try using Hemingway and see what you can take out and still make your point.

4. When you're done, write a brief summary and put it at the top.  This is for people that don't have time or just aren't inclined to go deep.  As a recent hire described this to me "BLUF" - Bottom Line Up Front.  Love that!

Maybe, if your summary is good enough, you can DELETE everything else!

And what does tl;dr mean?  "Too long; didn't read".

Wednesday, July 30, 2014

Your New Boss

Starting a new job can be a source of stress, particularly if you are uncertain about some (or many) aspects of your job. It doesn't have to be that way. A friend recently got a new boss - but kept the same job - and asked me for some advice. Here are some tips I gave him, plus a few directed at anyone starting with a new employer.

1. Be Prepared. If you are new to the company, read as much as you can about its products, customers, competitors, and people. Big Picture: If you find what appear to be weaknesses of any sort (customer complaints, seemingly stronger offerings from other companies), think about how you would address them if you could. Small Stuff: Know your route to work. Get there early. Think about things that could go wrong and make sure you have adequate plans in place.

2. Know Your Role. Understand the important role your position plays in the company. Think you're not important? Maybe you are in the wrong place.

3. Look the Part. People who don't already know you will form opinions about you quickly. Sorry, but that's just the way it is. Smile, be open and friendly, and be well groomed and dressed appropriately for the work environment. On your first day, why not dress up a bit? You're new, everybody knows that. 

4. Anticipate Next Steps. When you receive an assignment, think (or ask) about how it fits into the big picture or is part of a larger effort. Knowing how what you do will impact other roles will help you do better work. Knowing how what you do fits into the mission of the company will help you make better decisions, and perhaps over time enable you to make suggestions for improvements.

5. Over Communicate. Never make your manager wonder what you are working on, where you are, when you will get your work done, or if you understand what you are supposed to be doing. Try sending the boss a brief summary of accomplishments for the week on Friday afternoon, and let him or her know what you will be doing next week. Do this until they tell you to stop, and you will definitely make a good impression.

6. If Something Isn't Clear, Ask. Trust me: you will not offend your manager by asking for clarification on an assignment, or asking for a firm due date, or asking for help prioritizing your work. Make sure there is no confusion upfront and you will have less stress. They won't be worrying about whether or not they will get what they asked for, and neither will you.

7. Exceed Expectations. Try to beat the deadlines if you can. But pay attention to how much time you spend on assignments, and don't overdo it. Again, ask if you are on the right track - don't be shy and don't make assumptions. Your first few weeks are critical in establishing a good relationship with the new manager and he or she will appreciate your desire to do the right thing. Don't think you are bugging him or her, they will welcome your interest.

8. Don't Get Discouraged. It will take some time to establish your reputation with your new manager and/or co-workers. Try hard to make the best impression you can early on, and they will look on you favorably. It's not that hard - show that you care, listen, react, and work hard and you will be exceeding expectations before you know it.

Tuesday, July 29, 2014

Don't Say That. Say This.

"No Problem"

If you work in customer service of any sort, from a sandwich shop to the highest level of elite product or service, you should never say "no problem" or "not a problem" when a customer thanks you.

Saying "no problem" sort of carries an implied "...this time." doesn't it?  As if you might have inconvenienced the person providing you with service, but fortunately for you in this instance, you did not. You want to delight your customers, not leave them with an uneasy feeling that they narrowly avoided offending you.

"My pleasure" (a la Chick-fil-A), "Glad I could help", or a simple "You're welcome!" are definitely more positive ways to respond.

"To Be Perfectly Honest..."

Another good one: "To be perfectly honest" or "In all honesty" or any variation of this.  What exactly is implied when someone says this? That they ordinarily are not completely honest, but in this case have decided to forego lying in favor of full candor and truthfulness?  Not likely what is intended, but what is conveyed nonetheless.

"I would suggest...", "I would recommend..."

Remove would from these phrases and they have real impact.  Leave it in and you are making a much more timid and tentative statement.  People want to know what you really think. If you are willing to make a suggestion or recommendation say it with conviction - don't diminish the value of your opinion by making it sound conditional. Unless of course it really is.




Thursday, July 24, 2014

Gmail Tips and Tricks

E-mail may be on the way out, but it's not leaving most of our lives anytime soon. Here are some Gmail Tips and Tricks that I've found useful in managing mine.

Yeah, rainy day at the beach today...

Tuesday, July 22, 2014

Cable Cutters: 18 Months Later

In November 2013, we decided to join the growing ranks of “cable cutters”, folks who no longer purchase cable TV through the traditional flat-rate subscription model.  Taking a look back 18 months later the results are pretty much what we expected: We've saved a lot of cash, watched higher quality programming than we likely would have otherwise, and lost the ability to talk about the latest TV commercials - because we simply don’t see them much anymore.

We had DirecTV with no sports package and no premium channels and were paying $100+/month. Today we use FREE Over The Air (OTA) digital TV (yes, it still exists; you just need an antenna), TiVo, a Netflix subscription and Amazon Video on Demand (we have Prime, so we get a fair amount of shows included at no extra charge). We pay an average of $56/month. We also added a Roku 3 to the mix, which has turned out to offer much better performance than the TiVo for streaming content. It supports Netflix, Amazon, YouTube, and many other channels. An excellent value at around $100.

The results: Over the first 18 months, we have saved just over $700, with an average savings of around $45/month.

Here’s the cool part, and what I was hoping to achieve by embarking on this experiment: our expense now varies month-by-month based on how much we watch, as it should.  When the kids are on break from school or we have downtime, we may watch more.  When we are too busy to watch TV, we watch less and we pay less.

My problem with the old model wasn't really with the expense. It’s the way the product is sold. Nobody needs or really wants 175+ channels of TV.  So why subsidize all that?  And why pay a provider for something that consists of approximately 33% ads that you don’t want to see?  Whether you watch them or not, if you have cable you are paying for ESPN, NFL Network and others which are built-in to your subscription fees.

It seems that we have known about the “really good” series and movies before they are released for on-demand viewing, saving us from wasting time watching potentially lower quality shows.  So we benefit from the thousands of people watching and providing feedback when these shows are originally broadcast, as well as suggestions from family and friends. The Wisdom of the Crowds certainly works especially well for the cable-cutter, but patience is required. Some content moves very quickly from broadcast TV to on-demand availability, and some takes a very long time for whatever reasons.  I’m sure there are a myriad of licensing and contractual issues at play, but it will be nice when things flow more quickly to being available on-demand.

We like sports, but very rarely sit down to watch an entire game all the way through.  We’re really satisfied with what is available OTA.  And while I originally thought we would want to record more stuff on the OTA networks like ABC, NBC, CBS, PBS, etc. that has not turned out to be the case.

Also, while doing this analysis, I realized we have paid nearly $150 for the privilege of watching a relatively small handful of movies on DVD from Netflix.  Definitely time to turn that off. RedBox?

Our TiVo is typically 99% full and we just don’t watch those recorded shows much.  Maybe time for it to go, too...

Sunday, July 13, 2014

How I Work

Lifehacker runs How I Work features from time to time, and I've always enjoyed reading them. It's interesting to see how people in various roles do their thing on a day-to-day basis, and it's a good way to get inspired and pick up some tips, tricks and ideas for new and better ways to get things done.

To that end, here's my contribution.  I'll keep this updated over time as I discover new things or drop old ones.  I'm not saying any of these tools are the "best", they are just what I've found works for me right now.  Comments and suggestions are always welcome!

Sunday, June 29, 2014

The Hidden Cost of Remote Work

Loss of Synergy. Loss of Momentum. Loss of Flow.


Much has been written about the value of telecommuting and the flexibility that comes with being able to work any time, anywhere. Even the most conservative organizations have come around to the idea that people don't necessarily have to be in the same space at the same time to get work done.

The costs of setting up and maintaining remote workers have fallen dramatically in the past few years, and there are now more options than ever before. In a hyper-connected world, we can create and consume digital content from 36,000 feet just as easily as we can at home, the office, or pretty much any place else in the developed world.

The traditional back-office business operation, in which workers have assembled in the same space and time for years, is probably the place that comes to mind most often when thinking about the paradigm shift that remote work represents today. The IT group installs some software, and the remote work candidate is either provided equipment or allowed to use his/her own. There is talk of management monitoring productivity and the arrangement being allowed on a trial basis. And then, voila! The bonds are cut and the worker is free to be more productive and enjoy a greater work-life balance than ever before. Today, the technological barriers are minimal, and it's hard to come up with a solid reason why most people with office jobs couldn't “work from home” if they wanted. But in our haste to rejoice at the removal of the technological hurdles, we are failing to count some rather significant hidden costs – ones that don't result in a positive ROI.

Good remote workers endeavor to minimize the impact of their absence from the physical space. Quickly responding to phone calls and e-mails, completing assignments on time, and being proactive in communications with managers and co-workers all go a long way to making the arrangement work well. Where remote work fails us is in the loss of some of the intangible benefits that come from people being together in real time: kicking around ideas and building on them together, quickly moving new ideas and initiatives forward, and attending to ad hoc requests for assistance from others that can be handled quickly (but slow the requestor down when not handled). Let's call these Synergy, Momentum and Flow.

Synergy. I have conversations every day with my co-workers that involve an open give and take of ideas that nearly always produces a better result than any of us working on our own. With a peer, a quick brainstorming session produces better results than I would likely achieve on my own. And in a mentoring situation, these conversations are critical as they help connect vision to tactics. If the person that can help you shape that rough idea into something better isn't around or is not connected, the conversation doesn't happen when it's fresh on your mind – and the idea doesn't reach its full potential. Worse, it doesn't happen at all.

Momentum. As time passes, energy and enthusiasm for an idea can naturally fade. Other things always come up, and we have trouble getting back to that one thing that sounded so great but we really needed some input or support from a co-worker to move forward. When a team is scattered and not connected, these ideas get lost. Loss of momentum seems to be tolerated because losing these ideas is hard to measure and can't always be immediately connected to the team's mission. It may be difficult to see how they are adding value to a particular initiative, but they almost always do.

Flow. By this I mean simply the normal day-to-day flow of doing business, not “Flow”. Someone needs a quick answer to a question to complete a report, a piece of information to make a decision, process a payment, fix something that's broken – and the person with the answer is not connected (physically not present or not otherwise available in real-time). The cost of interrupted flow doesn't register with most companies either, because it's very hard to measure, it's incurred sporadically and most often at a micro level. Drawing attention to it can appear to be swimming against the strong current of “remote work is the new paradigm”.

In an office setting where some workers are remote and some are not, there's no denying that the loss of synergy, momentum and flow has an impact on the satisfaction and morale of those who cannot avail themselves of the work at home situation for one reason or another. Sometimes this is hidden, sometimes it's not. Could these losses contribute to turnover? Maybe. Are they a significant impediment to the company or team realizing its full potential? Definitely.

If you've read this far, you might think I'm opposed to remote work. But I'm not. Organizations just need to pay more attention to these hidden costs and do what they can to address them.

So what's the fix? Here are a few ideas, but basically it's this: Stay connected to your team in real-time. “Remote” should refer to your physical proximity only.
  1. Use something other than e-mail to keep people connected and able to share thoughts and ideas in real-time. An entire new set of applications designed for team collaboration in real-time has arisen over the past few years, and many of them are quite good. Check out BaseCamp, Hall, HipChat, Flowdock and others. At my company, we use an application that is integrated with our telephone system to chat, share files, and collaborate in real-time. Some of us are now using Slack.
  2. If you are a manager, establish an expectation that team members will respond to their co-workers quickly whenever possible, and lead by example in this area.
  3. If someone you have worked with face-to-face has moved to a telecommuting arrangement or works one part-time, don't be afraid to reach out to them. I often hear “Where's Jane? Working at home? Oh, I'll just wait until tomorrow.” That's a loss of synergy, momentum or flow – guaranteed, and it should not be tolerated. Be open with your remote colleagues about what works and what doesn't.
  4. If you are a remote worker, don't take it for granted. Over communicate with your boss, show up at the office whenever you can, proactively schedule face time (meals or whatever works) with your co-workers. Be available, and reach out to anyone you think might be hesitant to contact you. It's up to you to make your remote work arrangement work – not your co-workers. Think about how you can minimize the loss of synergy, momentum and flow and discuss with your team. Again, be open about what works and what doesn't.

The flexibility that comes with remote work has revolutionized the way we look at work, and gives us unprecedented freedom to work when/where we can be most effective and productive. To live richer, more fulfilling lives essentially. We just have to remember that we are humans after all – and connecting, sharing and being there for each other is really what it's all about.

Tuesday, June 24, 2014

JA in a Day

A couple of weeks ago, I responded to a call for volunteers for “JA in a Day”, an effort to provide a day-long blitz of Junior Achievement economic and business curriculum at five Indianapolis Public Schools (IPS). I went for a one hour training session, picked up a packet of materials and was assigned to a school.

I was paired up with a second grade class at IPS school 31, not far from the Fountain Square area of Indianapolis. I arrived at the school, and attended a brief thank you and orientation session provided by the school staff and the JA person assigned to the school. The kids had made “Welcome JA Volunteers!” signs for us, and a representative from each class came to the library to escort the volunteers to their assigned classrooms.

I spent the next five hours or so working through the lessons provided by JA and trying my best to handle any curve balls the kids threw my way. What stood out to me immediately was how well behaved and cooperative the kids were, how they remained focused throughout the day, and how open and honest they were. Some engaged in my discussions and activities more than others, but they were all attentive and polite. For the entire day.

I learned a lot that day. I learned that parent involvement in the school was basically non-existent. I learned that in second grade you can enter a class as a non-English speaker and be doing surprisingly well in just a few months. I learned that some families literally pack up and move in the spring to avoid having a child not move on to the next grade at the end of the year.  I was surprised at how many kids knew what their parents/guardians did for a living.

When I mentioned that hospitals are important elements of a community (part of the prescribed lesson), several of the children put up their hands, eager to relate their own stories of being hospitalized due to personal trauma. One boy had been struck by a car (twice), some had broken arms, and one very openly began relating a story of physical abuse.

The contrast between their world and that of the kids in my own community (including my own) remains stark. I wondered about role models, discipline at home, nutrition, safety...love, essentially. Some of these kids have been through pretty rough times already, and most will face significant obstacles ahead. Still, their exuberance that day was downright contagious.

I witnessed first hand the challenges faced by the teachers and administrators, and the professionalism and effort with which they do their jobs. Some pretty amazing people, facing a ton of pressure and not receiving a ton of support.

I don't know if the kids in that 2nd grade class will remember much about what we learned that day, but hopefully a little bit of it stuck. I really hope they remember the other messages I tried to work in: you can get paid for solving puzzles and working on building cool stuff (shameless STEM plug); it takes lots of different jobs to make a community work; and that staying in school is really, really important.

There are a number of ways to get involved with Junior Achievement of Central Indiana including volunteering in a classroom, at its facility or at a special event. The time commitment of a JA volunteer can vary depending on the program. If you are interested but unsure how you might fit, get in touch with the JA staff - they'll be happy to help.