Today's Email Real-Life Scare Story

Earlier this year I (foolishly) made fun of the latest phishing foray I got via email, a half-literate message "from" Google's security team asking me to send all my personal details to an address somewhere in Baluchistan.

Low-skill spammers are still at work, as I see today with another attempt that is almost touching in its clumsiness. You can click for a bigger view of the screenshot below, which reveals a few tiny danger signs: (a) the salutation "Hello the pass-holder"; (b) the address line to "jfalso" and a long series of other email names starting "jfal", (c) the offer of a love match with the Rostov-on-Don Firecracker, Borislava. She is 5' 1" and 145 lbs, she has red hair and green eyes, and she is "an open minded person with a good sense of humor." How did they read my mind?!?

RussiaSpam.png


BUT. The joke goes only so far, because at about the same time I heard from a journalist friend whose Gmail account had just been taken over. It was the same operation that affected my wife's Gmail account six months ago, as I describe in the current issue. And as in her case, all of my friend's email, stretching back over the years, is now gone. This is one of the most experienced and celebrated veteran investigative reporters in Washington, accustomed to getting to the bottom of complex situations world wide, etc. And some hacker, probably in Nigeria, was able to zero out his many years' worth of email while he slept.

I've promised to do followups on password generation and other security tips, and this post is a placeholder for those as upcoming features. But for variety's sake, I also have a different -- and easier -- practical recommendation than the one I usually give.

The usual recommendation is that, if you use Gmail, you should install their "two-step authentication" system, as officially explained by Google. That's still a good idea. And if you don't use Gmail, you might start asking Yahoo, AOL, etc to ask why they're not offering this service, which virtually eliminates the risk of your account being hacked. (I have seen online references to a similar feature in Hotmail, but as I prowl around the site and examine settings I don't see any mention of it.)

Here is the simpler idea, which applies not just to Gmail but to any system you use online, and that you can do with no muss or fuss. If the password for any account that matters to you -- main email, banking, credit card, etc -- is one you have ever used, on any other site, then please change it now.

My wife probably got into trouble because she had used her Gmail password to make a comment on a site that Gawker ran -- and then last year more than a million of Gawker's username/password combos were leaked in a terrible hack. My friend the journalist probably got in trouble because he used his same Gmail password at another very popular but not-very-secure site. As explained in my article, and in an excerpt after the jump, using your password at more than one site is just like mailing copies of your housekey to anyone you're doing business with. Your security instantly becomes equal to the least-secure person or place that has a way to get in.

So, you don't have to invent a zillion passwords for the zillions of sites where we all have to log on. But each of us has a few sites that we really don't want to have hacked. For most people it's email, banking, savings or investing, perhaps tax or payroll. Whatever site it is that matters to you, if its password is one you have ever used anywhere else, please change it. If and when my friend gets his email back, I'm sure he will agree. (And maybe all the more if he doesn't...)

FYI here is a new Google basic-info site on password generation and general site security. More shortly.

From Hacked:

Finally, use different passwords. Not hundreds of different ones, for the hundreds of different places that require logins of some kind. The guide should be: any site that matters needs its own password--one you don't currently use for any other site, and that you have never used anywhere else.

"Using an important password anywhere else is just like mailing your house key to anyone who might be making a delivery," Michael Jones of Google said. "If you use your password in two places, it is not a valid password."

I asked my experts how many passwords they personally used. The highest I heard was "about a dozen." The lowest was four, and the norm was five or six. They all stressed that they managed their passwords and sites in different categories. In my own case, there are five sites whose security really matters to me: my main e‑mail account, two credit-card sites, a banking account, and an investment firm. Each has its own, good password, never used anywhere else. Next are the sites I'd just as soon not have compromised: airline-mileage accounts, Amazon and Barnes & Noble, various message boards and memberships. I have two or three semi-strong passwords I use among all of them. If you hacked one of them you might hack the others, but I don't really care. Then there is everything else, the thicket of annoying little logins we all deal with. I have one or two passwords for them too. By making it easy to deal with unimportant accounts, I can concentrate on protecting the ones that matter
Presented by

James Fallows is a national correspondent for The Atlantic and has written for the magazine since the late 1970s. He has reported extensively from outside the United States and once worked as President Carter's chief speechwriter. His latest book is China Airborne. More

James Fallows is based in Washington as a national correspondent for The Atlantic. He has worked for the magazine for nearly 30 years and in that time has also lived in Seattle, Berkeley, Austin, Tokyo, Kuala Lumpur, Shanghai, and Beijing. He was raised in Redlands, California, received his undergraduate degree in American history and literature from Harvard, and received a graduate degree in economics from Oxford as a Rhodes scholar. In addition to working for The Atlantic, he has spent two years as chief White House speechwriter for Jimmy Carter, two years as the editor of US News & World Report, and six months as a program designer at Microsoft. He is an instrument-rated private pilot. He is also now the chair in U.S. media at the U.S. Studies Centre at the University of Sydney, in Australia.

Fallows has been a finalist for the National Magazine Award five times and has won once; he has also won the American Book Award for nonfiction and a N.Y. Emmy award for the documentary series Doing Business in China. He was the founding chairman of the New America Foundation. His recent books Blind Into Baghdad (2006) and Postcards From Tomorrow Square (2009) are based on his writings for The Atlantic. His latest book is China Airborne. He is married to Deborah Fallows, author of the recent book Dreaming in Chinese. They have two married sons.

Fallows welcomes and frequently quotes from reader mail sent via the "Email" button below. Unless you specify otherwise, we consider any incoming mail available for possible quotation -- but not with the sender's real name unless you explicitly state that it may be used. If you are wondering why Fallows does not use a "Comments" field below his posts, please see previous explanations here and here.

The Blacksmith: A Short Film About Art Forged From Metal

"I'm exploiting the maximum of what you can ask a piece of metal to do."

Video

Riding Unicycles in a Cave

"If you fall down and break your leg, there's no way out."

Video

Carrot: A Pitch-Perfect Satire of Tech

"It's not just a vegetable. It's what a vegetable should be."

Video

An Ingenious 360-Degree Time-Lapse

Watch the world become a cartoonishly small playground

Video

The Benefits of Living Alone on a Mountain

"You really have to love solitary time by yourself."

Video

The Rise of the Cat Tattoo

How a Brooklyn tattoo artist popularized the "cattoo"

More in Technology

From This Author

Just In