Gmail activity log helps you detect hijacking

By Dennis O’Reilly

A line at the bottom of the Gmail window indicates when your account was last used and also links to more-complete usage info.

You can use this activity log to determine whether someone has guessed your password and taken over your account.

In the Aug. 6 Top Story, “Gmail flaw shows value of strong passwords,” WS contributing editor Becky Waring explained how to create strong passwords that are easy to remember. Her story was inspired by the disclosure of a Gmail weakness that allows hackers to test thousands of passwords per day and take over poorly defended accounts.

A reader named James points out that the Gmail activity log can alert you to unauthorized use of your account:
  • “As a result of [reading] Becky Waring’s article — which I have rated as superb, by the way — I went back to Scott Spanbauer’s articles about the earlier Gmail flaws. [See Scott's April 23 story, "Gmail accounts hacked via unpatched hole," and his May 7 follow-up, "Google silently corrects Gmail CSRF hole."]

    “I help run a bulletin board that uses the commercial Invision Power IP.Board software. In recent months, we have been bombarded with spammers, mostly coming from Gmail accounts. So I can confirm that these exploits — both patched and unpatched — have been and are being used by the bad guys.

    “If you’re a Gmail user and are concerned as to whether your account password has been compromised, there’s a link at the bottom of the screen that shows when your account was used and from where.

    “At the bottom is a message Last account activity: xx minutes ago at IP xxx.xxx.xxx.xxx [or on this computer] and a link: Details. Click the Details link, and a pop-up window shows all sign-ins over the last couple of days, together with other useful info and a button to Sign out all other sessions.
Figure 1 shows the information presented in the Gmail account activity log when you click the Details link.

Figure 1. Gmail account activity: view recent activity on your Gmail account to determine whether someone other than you has signed in. (All IP addresses are obscured in this image.)

If you find unfamiliar IP addresses, or activity recorded when you weren’t using the account, click Sign out all other sessions to end the intruder’s access, reset your password immediately, and notify Google of the breach. Before you act, rule out your own devices: a phone, a mail program that fetches the account by POP3, or a connection whose address changes from day to day can all appear in the log as an address you don’t recognize.
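The review described above, worked through in code as an added example that is not part of the original column or of Gmail itself. It takes constructed entries of the kind the Details pop-up lists (access type, IP address, time), compares them with what only the account owner knows (the addresses they use and the hours they are normally active, both assumed values here), and flags the entries worth a second look: an address the owner doesn’t recognize, a sign-in at an odd hour, and two sign-ins from different addresses minutes apart, which is the pattern that Sign out all other sessions exists for.

```javascript
// Added example, not Google's code: apply the advice above to entries of the
// kind the Gmail "Details" pop-up lists (access type, IP address, time).

// Constructed sample activity; the addresses are RFC 5737 documentation ranges.
const ACTIVITY = [
  { type: "Browser", ip: "192.0.2.10",    time: "2009-08-12T09:05:00Z" },
  { type: "POP3",    ip: "192.0.2.10",    time: "2009-08-12T09:10:00Z" },
  { type: "Browser", ip: "198.51.100.77", time: "2009-08-12T03:41:00Z" },
  { type: "Browser", ip: "203.0.113.5",   time: "2009-08-12T09:12:00Z" },
];

// What only the account owner knows (assumed values for the example): the
// addresses they sign in from and the UTC hours during which they use the account.
const KNOWN_IPS = new Set(["192.0.2.10"]);
const ACTIVE_HOURS = { startUtc: 7, endUtc: 23 };

// Returns the entries that deserve attention, each with the reasons it was flagged.
function reviewActivity(entries, knownIps, hours, windowMinutes = 15) {
  const findings = [];
  const sorted = [...entries].sort((a, b) => Date.parse(a.time) - Date.parse(b.time));
  sorted.forEach((entry, i) => {
    const reasons = [];
    if (!knownIps.has(entry.ip)) reasons.push("unknown IP");
    const hour = new Date(entry.time).getUTCHours();
    if (hour < hours.startUtc || hour >= hours.endUtc) reasons.push("outside usual hours");
    // Two sign-ins from different addresses minutes apart: either a device the
    // owner forgot about (phone, POP3 client) or a second person in the account.
    const prev = sorted[i - 1];
    if (prev && prev.ip !== entry.ip &&
        Date.parse(entry.time) - Date.parse(prev.time) <= windowMinutes * 60 * 1000) {
      reasons.push(`different IP within ${windowMinutes} min of ${prev.ip}`);
    }
    if (reasons.length) findings.push({ ...entry, reasons });
  });
  return findings;
}

// One line per flagged entry, in the order the events happened.
function summarize(findings) {
  return findings.map(f => `${f.time} ${f.type} ${f.ip}: ${f.reasons.join("; ")}`);
}

console.log(summarize(reviewActivity(ACTIVITY, KNOWN_IPS, ACTIVE_HOURS)).join("\n"));
```

On the sample data the 03:41 sign-in is flagged twice (unknown address, outside the owner’s hours) and the 09:12 sign-in from 203.0.113.5 is flagged for arriving two minutes after the owner’s own POP3 fetch from a different address. The known-address list is the weak point of this approach: a home connection whose address changes will produce false alarms until the owner adds the new address, which is why the text above says to rule out your own devices first.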

UPDATE 2009-08-20: In the Aug. 20, 2009, Known Issues column, reader Dan Juroff describes how he used Gmail’s activity log to detect an attack on his company’s network.


Microsoft’s ambiguous advice on strong passwords

When it comes to crafting strong passwords, it can be difficult to know whom to believe, especially when the same source offers conflicting advice. A reader who goes by the name of RockDoc was befuddled by contradictory information on Microsoft’s site:
  • “Waring discussed the usual caveats and solutions to designing better passwords and provided a link to [Microsoft's] Windows password checker, which also links to a document in which Microsoft discusses password design.

    “In that latter document, Microsoft properly notes that passwords with obvious substitutions are less safe than otherwise:

    Avoid using only look-alike substitutions of numbers or symbols. Criminals and other malicious users who know enough to try and crack your password will not be fooled by common look-alike replacements, such as to replace an ‘i’ with a ‘1’ or an ‘a’ with ‘@’ as in ‘M1cr0$0ft’ or ‘P@ssw0rd.’ But these substitutions can be effective when combined with other measures, such as length, misspellings, or variations in case, to improve the strength of your password.

    “In a deliciously ironic (and most certainly inadvertent) piece of engineering, however, Microsoft’s own password checker rates the poorly designed password M1cr0$0ft as strong! Gotta love ‘em!”
Some readers questioned the security of entering passwords for strength testing on Microsoft’s unencrypted Web page. The risk appears small, because the rating is computed inside your browser and Microsoft states on the page itself that no information is transmitted to Microsoft’s servers or across the Internet in any way:
  • “Password Checker does not collect, store, or transmit information beyond the computer that you use to access Password Checker. The image works on your computer desktop until you navigate away from the page.”
The page operates by downloading a small JavaScript application to your browser, and that app computes each password’s weak/moderate/strong rating locally. You can see the dependence by temporarily disabling JavaScript in your browser: the password checker stops working. That demonstrates that the rating is calculated by the script rather than by a server; to satisfy yourself that nothing is sent as you type, watch your browser’s network traffic while using the checker. One caveat remains because the page is served unencrypted: the script could in principle be altered on its way to you, so the safest habit is to test a candidate of the same length and shape rather than the password you actually use.

If anyone has evidence that Microsoft transmits across the Internet the passwords entered into this browser app, let us know immediately using the Windows Secrets contact page.

Bill McGarry reports that Microsoft’s app rates an entered password as “strong” if it is merely eight or more characters long and has two of the following three properties: both uppercase and lowercase letters, one or more numerals, and at least one punctuation mark. Those are reasonable rules of thumb, but they judge a password’s shape rather than its content, so Password1 (one of the first strings an attacker would try) receives a “strong” rating.
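The gap between shape and content, shown in code as an added example that is not Microsoft’s script or anyone’s published checker. The first function is the rule Bill describes (eight or more characters and two of the three character classes earns “strong”); the weak/moderate split below it is an assumption, since only the “strong” rule is reported. The second function does what Microsoft’s own guidance says attackers do: it undoes look-alike substitutions and strips trailing digits, then compares the result with a small constructed list of common passwords. Password1, M1cr0$0ft and P@ssw0rd all pass the first test and fail the second.

```javascript
// Added example, not Microsoft's script: the shape-only rule reported above,
// beside a content check that catches what the rule misses.

// Constructed sample of common passwords; real lists run to millions of entries.
const COMMON_PASSWORDS = new Set([
  "password", "microsoft", "letmein", "qwerty", "123456", "welcome", "iloveyou",
]);

function charClasses(pw) {
  return {
    mixedCase: /[a-z]/.test(pw) && /[A-Z]/.test(pw),
    digit: /[0-9]/.test(pw),
    punctuation: /[^A-Za-z0-9]/.test(pw),
  };
}

// Rating by shape: "strong" means 8+ characters and any two of the three
// classes, as reported. The weak/moderate split is an assumption for this
// example; only the "strong" rule is described.
function shapeRating(pw) {
  const c = charClasses(pw);
  const count = [c.mixedCase, c.digit, c.punctuation].filter(Boolean).length;
  if (pw.length >= 8 && count >= 2) return "strong";
  if (pw.length >= 8 || count >= 1) return "moderate";
  return "weak";
}

// Undo the look-alike substitutions Microsoft's guidance warns about, and drop
// the trailing digits people append to satisfy a "must contain a number" rule.
// "1" is mapped to "i" only; a fuller tool would also try "l".
const LOOKALIKES = {
  "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "$": "s", "@": "a", "!": "i",
};
function normalize(pw) {
  const base = pw.toLowerCase().replace(/[0-9]+$/, "");
  return base.split("").map(ch => LOOKALIKES[ch] || ch).join("");
}

// Rating by content: a password whose normalized form is a common word is weak
// no matter what shape it has.
function contentCheck(pw) {
  const base = normalize(pw);
  if (COMMON_PASSWORDS.has(pw.toLowerCase()) || COMMON_PASSWORDS.has(base)) {
    return { ok: false, reason: `normalizes to common password "${base}"` };
  }
  return { ok: true, reason: "not a known common password" };
}

function assess(pw) {
  const content = contentCheck(pw);
  return { password: pw, shape: shapeRating(pw), content: content.ok ? "pass" : content.reason };
}

for (const pw of ["Password1", "M1cr0$0ft", "P@ssw0rd", "correct horse battery staple"]) {
  console.log(assess(pw));
}
```

The last sample password cuts the other way: a long all-lowercase passphrase rates only “moderate” under the shape rule (one class, the space) while passing the content check, which is the same mismatch Becky’s article warns about from the opposite side. A checker worth trusting needs both tests, and the content test is only as good as its word list.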

Several people told us about other password-strength checkers. One that goes to greater lengths than Microsoft in explaining what constitutes a weak or strong password is Password Meter. It’s available as an online password checker and also as a downloadable freeware program. You can find both at the Password Meter site.

No matter how strong a password you select, it won’t remain secret if you enter it on a machine that’s infected with a keylogger. For this reason, you shouldn’t sign in to online banking sites at random Internet cafés or on any other machine you don’t control; antivirus software on your own PC reduces that risk but doesn’t eliminate it.

Ensure passwords remain useful to your heirs

Becky’s article recommends that you avoid writing your passwords on sticky notes or saving them in an unencrypted text file on your PC. However, there’s one instance when this otherwise-sound advice doesn’t apply, as Allan Treadwell explains:
  • “Although I agree with the article on strong passwords, there’s one small-but-important thing left out. I had a friend who died recently of a brain tumour (he was 59) and, of course, he had many passwords that were not stored on the computer, only in his head.

    “As his memory went very rapidly, he forgot them, so his wife could not access some sites/programs easily, and others not at all.

    “So I would add to the article: Do write down your passwords and tell your next of kin where they are or how to access them.”
MarketWatch columnist Andrea Coombes offers free advice on this subject in a July 20 article, “Don’t take your passwords to the grave.”

For the ultimate — and I do mean ultimate — in online security, check out a service such as Legacy Locker, which promises to “grant access to online assets for friends and loved ones in the event of loss, death, or disability.” A free trial account lets you protect three assets, assign one beneficiary, and create one “legacy letter.”

For U.S. $30 a year or a one-time fee of $300, you can protect an unlimited number of assets, assign any number of beneficiaries, create as many legacy letters as you wish, back up important documents, and even upload a “good-bye” video.

Can I leave my folder full of corrupted Office files to Steve Ballmer?

Readers James, RockDoc, Bill, and Allan will each receive a gift certificate for a book, CD, or DVD of their choice for sending comments we printed. Send us your tips via the Windows Secrets contact page.

The Known Issues column brings you readers’ comments on our recent articles. Dennis O’Reilly is technical editor of WindowsSecrets.com.


All Windows Secrets articles posted on 2009-08-13: