Genuine Curiosity

Author Dwayne Melancon is always on the lookout for new things to learn. An eclectic collection of postings on personal productivity, travel, good books, gadgets, leadership & management, and many other things.

 

Should you change your password?

There have been a lot of well-publicized data breaches in the news lately, and I always wonder if I've been affected by them.  When credit card data is affected, you get a letter from your bank or card issuer (I've gotten a few), but when it comes to web site hacks that go after passwords, you never know.  Or do you?

I'd like to share a couple of resources you can use to find out whether you should be concerned, as well as a couple of things to help you increase your password effectiveness in the future.

Find out if you've been a victim

A site called "ShouldIChangeMyPassword.com" has aggregated (as of this post) 11,802,026 compromised passwords from a large number of the publicly disclosed data breaches.  If you go to the site and enter your email address, it will tell you if your email shows up in the list of compromised accounts.  In my case, I've been breached at least once, as the graphic below shows.

SICMP

My password was compromised in the Gawker Media breach but, fortunately, I used a unique password so my exposure is very limited.  I also changed my password the moment I found out (Gawker was very responsible in their notification, and I knew within a few days).

Other sites you can use to find out if your password's been compromised include:

Stronger passwords in the future

If you want to protect yourself better in the future, here are some tips that can help:

  • Use different passwords for each site you visit
  • Use complex passwords (mixture of upper & lower case, numbers, random characters that aren't in the dictionary, etc.)
  • Don't write your passwords down

The challenge with this is that it makes it nearly impossible to remember what password belongs to which site.  To make it easier, I recommend using a "password vault" that can generate complex passwords for you and then help you remember them.  The best ones are multi-platform, never store your data in an unencrypted form, and allow you to share your password data securely across multiple devices.

I've tried quite a few of them and the one I like best is called "1Password."  It works on Mac, Windows, Android, iPhone, iPad, and I've been using it faithfully for a couple of years.  It stores an encrypted data file on your system (the makers of 1Password don't store your passwords on their own systems), and it easily shares your encrypted password data using Dropbox as the conduit.

1Password also has the ability to store other information such as credit card numbers, software license keys, and more.  It can also generate and store secure passwords for you, which makes it easy to satisfy the tips I mention above.

If you want to take a more manual approach, there is a good "personal algorithm" method using Steve Gibson's "Password Haystacks" model, detailed on the Gibson Research Corp. site.  This is also a great educational site on how longer passwords offer exponentially more security.
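To make the "longer is exponentially stronger" point concrete, here is an added example (not code from this post, from GRC, or from 1Password) that counts the brute-force search space the way the Haystacks model does and generates a random password with a CSPRNG. The function names are hypothetical, it assumes printable-ASCII passwords, and it models exhaustive search only, so it says nothing about dictionary words or reused passwords.

```python
import secrets
import string

# Character classes counted by the Haystacks model: 26 lowercase,
# 26 uppercase, 10 digits, 33 symbols (ASCII punctuation plus space).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " ")

def alphabet_size(password):
    """Alphabet an exhaustive search must cover: sum of the classes in use."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in password))

def search_space(password):
    """Number of candidate strings of length 1..len(password) over that alphabet."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))

def generate(length=20):
    """Vault-style random password; re-drawn until all four classes appear."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    pool = "".join(CLASSES)
    while True:
        pw = "".join(secrets.choice(pool) for _ in range(length))
        if alphabet_size(pw) == len(pool):
            return pw

def growth_per_char(password, extra="a"):
    """Factor by which one more character multiplies the search space."""
    return search_space(password + extra) / search_space(password)

if __name__ == "__main__":
    # Constructed sample passwords, for illustration only.
    samples = ["Xq7#pL2!", "a" * 16, generate(20)]
    for pw in samples:
        print(f"{len(pw):2d} chars, alphabet {alphabet_size(pw):2d}, "
              f"search space {search_space(pw):.2e}")
    # A 16-character lowercase-only string already has a larger search
    # space than an 8-character string that uses all four classes.
    print(search_space("a" * 16) > search_space("Xq7#pL2!"))
```

Each added character multiplies the search space by roughly the alphabet size, which is why length outweighs swapping in a few symbols.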

Effective metrics drive the results you want

This week I attended the Gartner Security & Risk Management Summit in Washington, D.C.  I attended a lot of very good sessions, but the one that left the biggest mark on me was a session called "Metrics That Matter," delivered by Jeffrey Wheatman.

I went to this session because I've had a lot of conversations with information security executives this year, and a common question is "What should I really be measuring?," or they make comments like "I report on a lot of things, but I am not sure what the top indicators are that I should roll up to my executive team."

My initial reason for attending this session was for my "day job" as the CTO of a tech company, but I feel like I can "generify" Wheatman's guidelines to apply to anything that needs to be measured & tracked.

  1. Effective metrics must support the business's goals, and the connection to those goals should be clear.
  2. Effective metrics must be controllable. (In other words, don't report on things that "just happen" - report on things you can drive up or down with your own, direct actions).
  3. Effective metrics must be quantitative, not qualitative.  If you need to measure something "softer" like customer satisfaction, find a way to make it quantitative, such as with a method like Net Promoter Score.
  4. Effective metrics must be easy to collect and analyze. (Wheatman says "If it takes 3 weeks to gather data that you report on monthly, you should find an easier metric to track.")
  5. Effective metrics are subject to trending.  (Tracking progress and setting targets is vital to get people to pay attention)

This set of guidelines really resonated with me, and I am going to run my metrics through this regimen to make my own metrics better.  If you're a Gartner client, there is a detailed research report from Wheatman on this topic, and I suggest you grab a copy.

I've also learned that it helps to simplify how you report on metrics.  When dealing with executives, stick with small numbers and primary colors - and when you get senior enough, try to boil it down to up/down, happy/sad.

What about you - do you have any best practices to share around metrics?  Could you apply these to your own individual metrics or self-improvement goals?

Cheat codes for your real life

I was just reading an interesting compilation of "cheat codes" for real life on Reddit.  I play quite a few video games, and I'm familiar with cheat codes there - you can use them to gain access to special weapons, gain super strength, open up hidden challenges, and things like that.  I've used them a few times myself.

The list on Reddit is similar - special commands, sequences, etc. you can use in real life to gain advantages.

The full list of real life cheats is very entertaining (be warned, there is some adult language in there!) - here are a few I really liked from the list:

#1. Stop: Stop: Play. Skip advertisements in movies and go straight to the movie.

#17. Can't find your car in a parking lot? Hitting the lock button trying to get it to beep? Extend the distance of key-less entry by putting the key under your chin. The signal will resonate in your skull increasing the range dramatically. I swear to god this works, and I'm told it's safe because the radiation is non-ionizing.

#23. To peel a boiled egg, roll it around on your plate for a while until all of the eggshell is cracked evenly. Then it's easy to remove the complete shell at once. After you boil eggs immediately place them in ice cold water for a few minutes. No vinegar or salt or oil or whatever people use. Shells slip right off.

#53. On flights, if you are fighting for an arm rest with a stranger, bring your arm (the one that's on the same side as the arm rest you want) up to your mouth and sneeze/cough. Then place it by the armrest. The other person will move their arm. Has had 100% success rate.

There are a bunch more.  I can't vouch for whether they all work, but some of them are things I want to try (#53, for example).

Also, on #23 for peeling boiled eggs, I have my own little tricks for boiling eggs:  

  • When you are going to boil eggs, put them in the water while it is still cold and let them warm up with the water - this greatly reduces the likelihood that the shells will crack during the cooking process. (You can further reduce the chances of cracking by letting the eggs warm up for 15-30 minutes after you take them out of the fridge.)
  • To make them easier to peel, add 1-2 tablespoons of baking soda (not baking powder) to the water before you boil them.  It doesn't affect the taste of the eggs at all, but it definitely makes it easier to peel the eggs - particularly if you peel them while they're still warm.
  • Also, the fresher your eggs are, the easier they are to peel.

Got any real-life "cheats" of your own?

Go pitch yourself

I get a lot of calls from various technology vendors in my day job.  Some of the "pitches" are good, but most are mediocre.  This week I got one I found to be particularly lousy - and it was a voice mail, which was intended to get me interested enough about the vendor to call them back.

KnuckleBall

What do you do?

Here are some of the problems I found with this particular message:

  • I have no idea who this company is.  Their name was "cool sounding" but absolutely not descriptive.  This in itself is not a problem - the problem is that I listened to the pitch but it never told me anything about why I should call back.
  • I have no idea what this company does.  The description - and this is a direct quote - was, "We deliver powerful capabilities through our platform, using  patented technology."  What?

I played this message for my wife and we laughed at how ridiculously vague this statement is.

Needless to say, they didn't get me to call back, which was their desired result.

At least you got that right...

Granted, they did get a few things right on the call:

  • They did say their company name, clearly enough for me to understand it.
  • They did provide their name and contact number, and even repeated the number slowly so I could write it down.

But that wasn't enough.

What's your pitch?

That got me thinking - when I leave messages about my company, am I any better?  I came up with a good little "exercise" that I'd like to share here:

  • Call and leave yourself a voice mail, as if you were "cold calling" someone about your business, with the goal of having them call you back to find out more.
  • Listen to the message and see if you would call yourself back.  
    • Is it clear what you have to offer?
    • Is the message short and to the point?
    • Is it clear why what you do would be valuable to someone who doesn't know about your company?
    • Is it clear who you are and how to get back in touch with you?
    • Bonus points: Did you give them the option of calling you back or emailing you?
  • If you missed the mark, adjust your pitch, call back, and try again until you are happy with your message.
  • Now that you're happy with it, recruit a friend or relative that isn't "close" to your business, and ask them to critique your message based on the same kind of criteria.  Once again, use their input to adjust and tune your message.

I found some rough edges in my own pitch, for sure.  Not as bad as that guy who told me, "We deliver powerful capabilities through our platform, using  patented technology," but I had some room for improvement.

Give it a try - pitch yourself - and see what you learn.

Accountability and granularity

Lately, I've been involved in a debate about accountability.  What's at the heart of the debate? Clarity regarding how much detail is required for someone to feel like they have enough information to hold another person accountable.

In my particular debate, the question revolves around accountability for some longer term goals.  The person making the commitment, let's call them Mr. Committer,  has made some bold declarations (more directional in nature, although there are some measurable aspects that are clear enough to give a "pass / fail" grade).  These declarations won't be complete for at least a year.

Starting with these bigger picture goals, Mr. Committer created a sort of "work back" list - in other words, they began to break the larger commitment down into smaller steps and arrange them in a sensible order, to create an execution plan.

When this person presented their plan to two other people for review, there was a lot of consternation from one of the managers (let's call her Ms. Stickler) along the lines of, "Hey, I don't have enough here to hold you accountable," or "I don't know what to hold you accountable for."  

Break down the breakdown

As we began to dissect the situation, we discovered that the issue was primarily one of detail:

  • Ms. Stickler wanted a fully-fleshed out plan with way more detail than had been presented.
  • Mr. Committer complained that he wanted to be held accountable for his results - the "big commit" - and not the specific steps followed to achieve the results.
  • Ms. Stickler asked, "How can I hold you accountable over the next few months if I don't have a specific set of steps you'll be following?"
  • Mr. Committer retorted, "A lot can change as I learn along the way and I don't want to be locked in - how can I innovate with you bearing down on me about specific steps so early in the process?!?"
  • and so forth…

Shift the focus

So how can we break this conflict?  In our case, we are trying to focus less on the detailed steps along the way and, instead, have been brainstorming some interim indicators that must be met regardless of the detailed steps we choose to follow.

This, in itself, is still a difficult discussion, but it is far more productive (and far less stifling) than a debate about what specific steps will be taken.  In other words, I think we've successfully shifted the emphasis away from the activity, and toward a focus on the desired results.

This transition has been difficult, because we are fighting human nature and personalities in the process (detailed/control-oriented personalities vs. big picture/don't micromanage me personalities).

Any tips or techniques I can steal from you?

I'm sure we didn't get to this point in the easiest way possible.  Have you seen this kind of situation before?  Have you cracked the code (or at least come up with best known methods to make this easier)?

I'd love to hear your proven techniques for dealing with this kind of issue - please share!