Using the Junk E-mail folder to your advantage


So, when I said that I don’t use folders to manage email, that was a small fib. Truth be told, I do use the Junk E-mail folder. Here’s why:

Even with all my filters and categories (a.k.a. tags), I still receive more email than I care to triage. For example, now that I’m working with my new team, I get email about all of the support tickets that are sent to the team – even though I’m not capable of responding to any of them.

When I first joined the team, these messages were appearing in my “Important” category because all mail sent to the team DL was flagged as important. I soon realized that some of the mail was not as important to me as it might be to the rest of the team. So…

I tried demoting that mail (mostly from bots) to “Interesting.” This gave me better visibility into my “Important” mail, but simultaneously clouded my view of my “Interesting” mail – mail from executives and my favorite distribution lists. So…

I demoted these messages again, to “Neither Important nor Interesting.” This allowed me to focus on the really important and interesting things. But, it still meant that I had to either flag them as complete, or delete them to get them out of my Triage folder so I could experience that tiny little peacefulness that comes over you when you reach Inbox Zero. So…

I made the decision that I should just delete these messages when they arrive since I never read them anyway. But, since I’m always afraid that a rule will delete something I don’t want deleted, I chose to send these messages to my Junk E-mail folder, instead of deleting them.

This has worked out incredibly well. As the messages arrive, they are automatically triaged out of my triage folder. So, I can completely ignore them until the number on that handy little icon gets uncomfortable, at which point I quickly check the folder to make sure there’s nothing important, then delete my Junk E-mail. (Usually, around 30 messages hit my personal threshold.)

From Password Strength to Privacy

At its core, password strength is about privacy. Well, that and theft prevention.

One of the blogs I follow had a thought provoking piece on privacy in the age of the Internet, today. I wanted to blog about it. But, I couldn’t put it any better than Tweetage Wasteland already did.

And, yes. I read the Confessions of an Internet Superhero.

Inbox Zero!

Last year, about this time, I described my personal system for dealing with the large volumes of email that I saw at Microsoft. As hard as I try, I’m not always successful at keeping my Inbox (or in my case, my Triage folder) at zero, even though the volume of email I receive here now is significantly lower. On occasion, however, I do get to see what it looks like, so I thought I’d share:

[screenshot]

There are a couple of things to point out here:

  1. My Triage folder is empty. (Inbox Zero!)
  2. My To-Do Bar is full of scheduled tasks. (I use flags to schedule things.)
  3. My tasks are color coded, as follows:
    • Red = Important
    • Orange = Interesting
    • Yellow = Neither
    • Green = Personal
  4. My tasks for Today are sorted in priority order (by manually dragging them around).

The one weakness I have with this system is that I sometimes drop tasks that people give me verbally – like in meetings. My system works best for me when I have an email trigger to remind me to go do something. I’ve been trying to be more proactive about asking folks to send me reminders. But, maybe I should just email them to myself.

Coding Standards

One of the original practices of Extreme Programming was coding standards. Back in 2000, when I read my first XP book, I tensed up a bit at the thought of having to make my code look like everyone else’s. But, over the years, I’ve come to see the wisdom of it: once all the code follows the same standard, it becomes much easier to read.

In fact, nowadays, I often reformat a block of code to meet a coding standard before I try to figure out what it’s doing. (But, only when I have strong unit tests!) Long story short, I haven’t had a good knock-down-drag-out argument about curly braces in nearly ten years! (Anyone want to have one for old times’ sake?)

With that in mind, I needed to look up Microsoft’s latest guidelines for .NET class libraries, today. Specifically, I knew they said something about using abbreviations and acronyms when naming things. But, I couldn’t remember exactly what the recommendation was. So, I looked it up. Turns out, Microsoft has done a rather nice job of structuring their design guidance on the web.

It’s not something you’ll need to refer to everyday. But, it’s good to know it’s out there…

http://msdn.microsoft.com/en-us/library/czefa0ke(v=VS.71).aspx

An Agile Approach to Mission Control

NASA’s Cassini spacecraft has been studying Saturn, its rings and moons for nearly six years, despite the original mission being slated to expire after only four years. But, due to better than expected performance and lower than expected fuel consumption, NASA has extended the mission for an additional seven years, to 2017.

In order to negotiate the flight path for the next seven years, the engineers in charge of planning the orbital maneuvers consulted with the five science teams affiliated with the project. Each team is assigned to study different things: Saturn, Titan (Saturn’s largest moon), the rings, the icy satellites, and the magnetosphere. Each team presented their wish list for the places they’d like to see over the next seven years, and the engineers got busy running the numbers:

The first time [the engineers] met with the discipline teams, they offered three possible tours. The next time, they offered two, and, in January 2009, the scientists picked one of them. Last July, after six months of tweaking by [the engineers], the final “reference trajectory” was delivered. It now includes 56 passes over Titan, 155 orbits of Saturn in different inclinations, 12 flybys of Enceladus, 5 flybys of other large moons — and final destruction.*

In essence, this team of engineers had to balance the wishes of the five research teams with the remaining fuel and gravity boosts available. The approach they took was to present alternatives and iterate on them until they found the best solution, given the requirements and the constraints:

“It’s not like any problem set you get in college, because you have so many factors pulling in different directions,” Mr. Seal said. “The best way to measure it is to look at how much better the next iteration is than the previous one” until “you’re only making slight improvements.” Then you stop.*

I can’t think of a better way to describe the iterative development process espoused by most agile software development methodologies, including Scrum and XP. You know when to stop when the remaining improvements are no longer worth the investment.

I wonder how many of our customers would like to see three options, then two, then one…

* http://www.nytimes.com/2010/04/20/science/space/20cassini.html

iPhone OS 4 News

As I prepare for the iPhone training and conference next week, I’ve been paying close attention to all the news I can find about the recently announced iPhone OS 4. Here are some relevant (and not so relevant) links from my news reader:

  • iPhone in Business (teaser from Apple re: iPhone OS 4)
  • What iPhone 4.0 means for IT (MacWorld speculation re: iPhone OS 4)
  • iPhone Developer Program (Apple page with link to compare different developer programs)
    • Individual ($99) – Must distribute apps via AppStore, cannot create development teams
    • Company ($99) – Must distribute apps via AppStore, can create development teams
    • Enterprise ($299) – Must distribute apps in-house, can create development teams

And, then there’s this:

[image: NativeUnion MM01H handset]

The NativeUnion MM01H not only works with the iPhone, BlackBerry and other mobile phones, but can (with an adapter sold separately), be used as a USB headset for use with Skype and other VOIP services on your computer. It looks like the iBatPhone. Of course, I want one.

Time Tracking

Having spent much of my career as a consultant, I’m used to tracking my time against customer and project codes. But, in that environment, there is a tangible value associated with entering my time. If I don’t enter it, I don’t get paid.

But, corporate IT time tracking systems don't usually offer users anything tangible in return for their participation. Sure, I could run a report to see where I’m spending my time. But, how much value does that provide me as an individual contributor? (Okay, I suppose it might be helpful during my annual review. Maybe.)

What I’d really like to see is a system that gives me something in exchange for the time it takes me to use the system. For example, I know of a consulting company that implemented a 360 degree project and peer review system on top of their time tracking system. Their inspiration was the Amazon.com product rating system. It worked like this:

When an employee entered their time into the tracking system (which by the way had a very strong search mechanism for finding the right customer and project codes), they were asked to answer a few generic questions about the project, like this:

  • How do you feel about this customer? (very good, good, not good, bad)
  • How do you feel about this project? (very good, good, not good, bad)
  • How do you feel about this team? (very good, good, not good, bad)

Next, the employee was asked how they felt about working with each of the individuals who’d recently billed time to that same project code, using the same scale: very good, good, not good, bad.

Finally, every question also provided space for comments. These were optional, too. Typically they were used to give out kudos, though sometimes people used them for “constructive” criticism, as well.

Once users completed their survey, they were taken to a summary page that displayed the current week’s results. (Users were not allowed to see the current week’s results until they had completed their survey.) The summary included:

  • Your personal weekly peer review rating
  • Your personal comments from the weekly peer review
  • Your personal peer review rating trend (a graph of your rating over time)
  • Weekly ratings for every customer, team and project you worked with/on during the week
  • Comments for every customer, project and team you worked with/on during the week
  • Rating trends for every customer, project and team you worked with/on during the week

All data in the system was treated anonymously, but all data in the system was available to everyone in the company. So, people felt safe venting, but also knew that everyone could see what they were typing. This kept the comments civil – if not always 100% constructive.

The end result – it took a little longer to use the system, but everyone got something out of it:

  • The accountants got the billing information they needed.
  • Management got valuable insight into how well their projects were going (way before a traditional status reporting system would’ve provided that information).
  • Management got valuable insight into which customers were not worth the trouble, and were able to take proactive steps to disengage from those unhealthy relationships.
  • Management got valuable insight into which employees were truly admired (or reviled) by their peers and could take action (bonuses!) accordingly.
  • And, individual employees got weekly feedback on their performance.

Why haven't more companies leveraged the eyeballs they're putting on their corporate time tracking systems?

How can I handle password overload?

Now that I’ve scared your pants off, you’re probably wondering how in the world you’re going to manage all of those passwords for all of your various surfing needs. In this post, I’m going to discuss several options for managing strong passwords. I’ll also discuss the approach I’m planning to take, now that I know better.

Reuse

Most of us tend to reuse the same password all over the place. But, if you’ve read my previous posts – especially the one that talked about how a cracker can use your personal email address password to gain access to other web accounts – you now realize that this is not a very secure strategy.

But, security may not always be your highest priority. Convenience might rank higher in some cases. If that describes you, then just allow me to point out a few things you may not have considered:

Corporate domain account passwords should be unique. 

To reuse this password elsewhere would put corporate data at risk, potentially including any customer or employee PII that you can access. Disclosure of this information could have seriously negative ramifications for the company – and your job.

Personal email account passwords should be unique. 

Sharing these passwords puts your entire Internet-hosted life at risk.

Financial account passwords should be unique. 

No sense taking the risk that someone smart enough to break into Bank of America can also access your 401(k), credit union accounts, and home equity line.

Any account where you post content should be unique. 

Do you review products on Amazon.com? Do you use Facebook or Twitter? Do you comment on videos at Hulu? If so, those posts are all a part of your online persona. If a prospective employer or significant other were to Google you and read those posts, would they want to hire or date you? Would you want to give some random cracker the ability to post in your name? I didn’t think so.

What’s left? 

Not much. And, that’s my point. You need to use unique passwords just about everywhere.

Pass-phrases

A significantly stronger approach is to make up a unique pass-phrase for each site. But, how can you remember them all? It’s actually easier than you might think. Instead of trying to remember all of the passwords for all your sites, come up with a formula for creating unique passwords, and remember the formula. Here are a few to get you thinking:

I love Facebook

Adding the web site name to a short password significantly lengthens the password, and makes it unique to the site. This pass-phrase contains 15 characters, including upper case letters, lower case letters and spaces, so a character-by-character brute force search has a very large space to cover. But it is three common words, so an attacker who tries combinations of dictionary words, or simply guesses, would find it far sooner.

Facts About Crime

This pass-phrase was created using the first three letters of the website name: FACebook. It contains 17 characters, including upper and lower case letters and spaces, which makes it even stronger against brute force attacks than the previous password. This pass-phrase also seems stronger against a dictionary attack.

4 the <3 of Facebook

Using “text” shortcuts, like “4” instead of “for” and “<3” instead of “heart” or “love”, significantly increases the strength of a pass-phrase against brute force attacks because it introduces numbers and symbols. Though, as with the first pass-phrase, this one seems a bit easy to guess.

F.a.3.%.B.o.15._

Can you see the pattern here? This is Facebook spelled out using this pattern: Upper, Lower, Number, Symbol, separated with periods. Replace the “c” with a 3, since it’s the third letter. Replace the “e” with a %, the fifth symbol on the number row. Replace the “k” with an underscore – the eleventh symbol on the keyboard. Granted, this would be incredibly slow to type. But, it’s probably also the most secure against dictionary attacks. (The third password is actually stronger against brute force attacks due to its length.)

There are two caveats here, though. First, finding a single formula that works across all the different web sites out there is probably not possible. So, you may need multiple different formulas. And, then you’re back to where you started. Second, with a formula, the formula is the secret, not the password: if one site’s derived password leaks in a breach, anyone who sees it alongside the site name can infer the pattern and apply it to your other accounts, which is exactly the reuse problem you were trying to avoid.
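To make the formula idea concrete, here is a small Python script I have added for this page (it is not from the original post). It implements the Upper/Lower/Number/Symbol pattern from the last example for any site name, then estimates how each of the four pass-phrases above fares against a per-character brute force search versus a guess built from combinations of common words. The wrap-around for letters past the twelfth shifted key, the 10,000-word vocabulary, and the 33-character symbol class (punctuation plus space) are my assumptions, not the post’s.

```python
import math
import string

# US keyboard shifted number row, in the order the post uses: "%" is the
# fifth symbol (for "e"), "_" the eleventh (for "k"). Letters past the
# twelfth wrap around; that wrap is my assumption, the post only defines
# the first eleven ordinals.
SHIFTED_ROW = "!@#$%^&*()_+"


def derive_password(site):
    """Apply the post's Upper/Lower/Number/Symbol cycle to the site name,
    joining the pieces with periods. Non-letters in the site name are skipped."""
    pieces = []
    for i, ch in enumerate(c for c in site if c.isalpha()):
        ordinal = ord(ch.lower()) - ord("a") + 1  # a=1 ... z=26
        step = i % 4
        if step == 0:
            pieces.append(ch.upper())
        elif step == 1:
            pieces.append(ch.lower())
        elif step == 2:
            pieces.append(str(ordinal))
        else:
            pieces.append(SHIFTED_ROW[(ordinal - 1) % len(SHIFTED_ROW)])
    return ".".join(pieces)


def brute_force_bits(password):
    """Naive per-character search space, in bits: the attacker tries every
    string of this length over the character classes that appear in it."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c == " " or c in string.punctuation for c in password):
        size += 33  # 32 ASCII punctuation characters plus space (assumption)
    return len(password) * math.log2(size)


def word_guess_bits(n_words, vocabulary=10_000):
    """Search space, in bits, if the attacker instead tries every combination
    of n_words words drawn from a list of common words (vocabulary size is
    a constructed figure for the example)."""
    return n_words * math.log2(vocabulary)


if __name__ == "__main__":
    samples = [
        "I love Facebook",
        "Facts About Crime",
        "4 the <3 of Facebook",
        derive_password("Facebook"),  # -> F.a.3.%.B.o.15._
    ]
    for pw in samples:
        print(f"{pw!r}: ~{brute_force_bits(pw):.0f} bits against per-character brute force")
    print(f"three common words from a 10k list: ~{word_guess_bits(3):.0f} bits")
    # Once the Facebook password has leaked, the pattern gives away the rest.
    for site in ("Twitter", "Amazon"):
        print(f"{site} -> {derive_password(site)}")
```

Running it shows the trade-off the post describes: “I love Facebook” looks like roughly 96 bits against a character-by-character search but only about 40 bits if the attacker tries three-word combinations from a common-word list, and the derived passwords for Twitter and Amazon fall straight out of the Facebook one, which is why a leaked formula-based password is worse than a leaked random one.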

Password Vaults (or Password Managers)

Don’t think you can remember all those passwords? Why bother when a password vault can remember your passwords for you? Password vaults are nothing more than encrypted databases for your passwords. In order to access the passwords in the vault, you need to enter a master password – to unlock the vault. Some even offer mobile or web-based solutions, so you can always access your passwords, wherever you are.

The key things to consider with password vaults are:

How strong is the encryption used to protect the vault?

You’ll want to make sure that the passwords are encrypted using an industry standard encryption algorithm (AES, for example), and that the master password is run through a slow key-derivation function such as PBKDF2 before it becomes the encryption key, so that someone who steals the vault file cannot guess master passwords at full speed.

How strong is your master password for the vault?

Remember to create a strong pass-phrase for opening your vault. It’s got the keys to your online kingdom in it, after all.

Can I access the vault when I’m away from my computer?

Some vault programs let you take your vault with you when you hit the road – either on your cell phone or via the web.

Personally, I use a password vault called 1Password, both at home and at work. I store my vault in my Dropbox, so it is automatically synced to all of my computers. Plus, because I can access my Dropbox from the web, and because 1Password builds a web interface into the vault itself, I can access my passwords from just about any web connected device. There’s even an iPhone app (which I don’t use yet).

I’m less familiar with other vault software. But, a quick Google search for “password manager” turned up several, including LastPass, which I’ve heard good things about.

One final note on password managers: Many of them come with strong password generators. Before using them, make sure that their algorithms are “cryptographically random”, i.e. backed by the operating system’s cryptographic random number source. Otherwise, a generator seeded from something predictable, like the clock, produces only as many distinct passwords as there are possible seeds, and an attacker who knows the generator can simply regenerate every candidate and compare, no matter how long the password looks.
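The point about generators is easiest to see with code. The following Python is an added example, not part of the original post and not the code of any real password manager: it contrasts a hypothetical generator seeded from a clock value (a fixed integer here, so the run is reproducible) with one backed by the secrets module, and shows the attacker’s side, which regenerates every candidate seed in a known window until the output matches. The seed value, the one-hour window and the 94-character alphabet are constructed for the demonstration.

```python
import math
import random
import secrets
import string

# 94 printable ASCII characters, no space (constructed alphabet for the example).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def weak_generate(length, seed):
    """Hypothetical flawed generator: Mersenne Twister seeded from a clock
    value. The output is a pure function of the seed, so the number of
    passwords it can ever produce is bounded by the seed space, not by
    the alphabet and length."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_generate(length):
    """Generator backed by the OS cryptographic random source (secrets)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def nominal_bits(length, alphabet=ALPHABET):
    """What the password looks like it is worth: length * log2(alphabet size)."""
    return length * math.log2(len(alphabet))


def effective_bits(seed_window):
    """What a seeded generator is actually worth against an attacker who
    knows the algorithm and can bound the seed: log2 of the candidate seeds."""
    return math.log2(seed_window)


def recover_seed(target, length, seed_lo, seed_hi):
    """Attacker's side: regenerate the password for every candidate seed in
    [seed_lo, seed_hi) and return the seed that reproduces the target."""
    for seed in range(seed_lo, seed_hi):
        if weak_generate(length, seed) == target:
            return seed
    return None


if __name__ == "__main__":
    # Constructed scenario: the generator was seeded with int(time.time())
    # at some second during one hour on 2010-04-21.
    window_start = 1_271_808_000
    seed = window_start + 1_234
    pw = weak_generate(16, seed)
    print(f"weak password:   {pw}  (advertises {nominal_bits(16):.0f} bits)")
    found = recover_seed(pw, 16, window_start, window_start + 3_600)
    print(f"recovered seed:  {found}  (real cost ~{effective_bits(3_600):.1f} bits)")
    print(f"strong password: {strong_generate(16)}")
```

A 16-character password from a 94-character alphabet advertises about 105 bits, but if the seed is one of 3,600 clock values the attacker’s work is log2(3600), under 12 bits, and the loop finds it instantly. Note that CPython’s random module seeds itself from the operating system when no seed is given; the flaw demonstrated is the deterministic seed combined with a non-cryptographic algorithm, which is why the secrets module (or the platform’s equivalent) is the right tool for generating passwords.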

In conclusion

Once I discovered how weak my personal passwords were, I went on a quest to inform myself. These posts are my way of remembering everything I learned. I hope you find them useful, as well.

How strong should my passwords be?

Allow me to turn that question around: “How valuable is the information that you are trying to protect with a specific password?” The more valuable the data, the stronger the password you should use. Let’s take a look at a few examples:

Your Corporate Domain Account Password

At my company, policy dictates that my password be at least 7 characters. But, I am not required to use complex passwords (with both upper and lower case, or numbers, or symbols). So, in theory, I could use a short, simple password. But, as we learned in my previous post, short, simple passwords are trivial to crack, taking less than an hour of a computer’s time.

Of course, our corporate policy also requires me to change my password every 60 days. So, I might feel safe enough with an 8 character password containing lower case letters, numbers and symbols, which would take an average of 1 year to crack.

That said, the advice from the author of the open-source John the Ripper password cracking software is to use pass-phrases rather than pass-words, whenever possible:

“Yes, for operating systems, applications, etc. which do not have a low limit on the length of passwords they accept, I recommend the use of passphrases instead of passwords. For even better security and/or to have fewer characters to type, both approaches can be combined: separate some words with punctuation rather than spaces, embed numbers and other characters, etc. Ideally, the passphrase should be something you can remember or derive again, but it must not be based on information that is known to others (e.g., your name, a quotation, a piece of the output of a Unix shell command, etc. - those are all to be avoided).”

Your Personal Email Account Password

As I mentioned in an earlier post, reusing your personal email account password across the web is a gigantic hole in your personal information security – not because your email with your Mom about her casserole recipe is particularly valuable, but because your personal email account can be leveraged by a cracker to change your passwords on other systems. In other words, the “information” you are trying to secure with your email account password is every password to every account you have. For that reason alone, I recommend using the longest, most complex password (or passphrase) possible under your email provider’s authentication mechanism.

And, whatever you do, NEVER reuse your email account password on other systems!

I was guilty of this until recently. Never again!

NOTE: Google Gmail requires 8-character passwords and provides some good advice regarding how to create strong passwords. Microsoft Live only requires 6 characters. Who do you think values your security more?

Your Other Web Passwords

So, what about all those other passwords you have to create for use across the Internet? Well, as with Gmail and Live.com, policies differ wildly from site to site. For example, here are the password policies for four sites I use frequently: AmericanExpress.com, CapitalOne.com, Facebook.com, and Twitter.com. (Can you guess which is which?)

Strongest Password Policy

  • Do not use the same password that you use for other online accounts.
  • Your new password must be at least 6 characters in length.
  • Use a combination of letters, numbers, and punctuation.
  • Passwords are case-sensitive. Remember to check your CAPS lock key.

Strong Password Policy

  • Be tricky!
  • Your password should be at least 6 characters.
  • Your password should not be a dictionary word or common name.
  • Change your password on occasion.

Weak Password Policy

  • 8-15 characters
  • Not case sensitive
  • Aa-Zz, 0-9, ( - ), and ( _ ) only
  • At least 1 letter and 1 number
  • No spaces

Extremely Weak Password Policy

  • Contain 6 to 8 characters
  • Contain at least one letter and one number
  • Not case sensitive
  • Contain no spaces or special characters (e.g., &, >, *, $, @)
  • Be different from your User ID and your last Password

I ordered the sites from what I consider to be the strongest password policy to the weakest.

Note that the first two, while only requiring six characters, both allow you unlimited flexibility in the characters you choose. So, while they allow short passwords (insecurely short, in my opinion), they don’t prevent you from using longer, more complex passwords. (I prefer the first one because it recommends using letters, numbers and symbols – the green line on my graph.)

The third policy is fairly weak due to the lack of case sensitivity and the inability to use most symbols, both of which shrink the space an attacker has to search.

That final policy is extremely weak. It has me seriously considering my options there. Either I’ll need to start changing that password regularly. Or, I’ll need to take my web browser elsewhere. Fortunately, the site takes other precautions with my data – such as only displaying the last four digits of sensitive numbers, and asking a series of personal questions before allowing me to change my password.

So, which of these organizations values my personal information most?

One more post to come…