Web Passwords

Passwords can be a pain. There are thousands of websites across the Internet that require passwords. Traditional advice has been to use different passwords for different applications. This is plainly impossible. A typical user of the Internet probably has passwords for their MSN, Gmail, YahooMail, Flickr, Picassa, Facebook, MySpace, Bebo accounts, as well as for their bank, mobile phone company, energy company, and innumerable other sites, some of which they've probably forgotten that they signed up for.

So, instead of saying each account should have a different password, I'd suggest that the best thing to do is to have a few passwords, but to have some rules around the ones that you use regularly.

1. Always pick a good password. There's a guide here that offers some ideas.
   
2. Don't use the same password for a mail account that you used to set up a social networking account with. For example, if you use the same password for Hotmail as you do Facebook, and one or the other gets "broken in to", it's likely the other will, too. And then it's incredibly difficult to regain control of either.
   
3. Do change them occasionally.
   
4. Consider what you're protecting. Don't use the same password for all your important accounts (e.g. bank, email) and use a separate password for account for sites you're not overly bothered about (e.g. that Fraggle Rock appreciation site you signed up to)
   
5. Don't share them! I know this sounds obvious but don't let anyone else have your password – think about what you're giving the access to. This is especially true for passwords at university or in the workplace – the risk is much greater than simply to your data as it could impact the whole organisation.
   

These aren't simply theoretical risks. In the last few months, I have dealt with situations including the hijacking of a Facebook and related Hotmail account – believe me when I say that this is not easy to resolve – and several instances where people have sent their usernames and passwords to scammers.

The reason scammers want your username and password in a place like a university is because they want to send spam through the universities mail system. Unfortunately, this can lead to the whole university being blacklisted as a spammer and no-one will be able to send or receive email.

Please take care of your passwords.

Trouble with unsolicited email

Many organisations have policies that state that it is unacceptable to send emails to large numbers of users either inside or outside the organisations if you don't have the recipients' consent. Mass emails present their own problems, especially with attachments. Here's a quick run down as to why.

Spam

The general term for mass unsolicited emails is "spam". The sorts of emails typically associated with spam are those for dodgy investments ("pump and dump" schemes), growth pills, religious messages, phishing attempts, viruses and everything in between. Many organisations have invested in anti-spam filtering technologies to reduce the amount of junk that they receive (see my previous posting relating to scam/phishing emails for some statistics). The technologies to identify spam is always a "best guess", using a variety of techniques, which means that some spam gets through and some legitimate emails get blocked.

At a very basic level, there are two main methods for preventing spam. Firstly, there are blacklists where servers who are known to send spam are prevented from sending any emails whatsoever to the organisation protected by anti-spam filtering. Secondly, emails that are received from "clean" servers have their content assessed to see if it matches the profile of known spam. If the score from this assessment is higher than the threshold decided upon by the protected organisation, it won't get through and, in many cases, the sender's servers are automatically added to the blacklist (or "greylist"). Rules vary for different products, but may include:

• Sending to a large number of people
  
• BCC'ing instead of sending to explicit addresses
  
• Not including a standard greeting ("Dear Sue," for example)
  
• Having a reply-to set differently to the sender's address
  

Organisation impact

A key point is that black-and greylists are shared and so if an organisation gets blacklisted it won't be able to communicate with any organisation using that black- or greylist. Members of an organisation can, quite unwittingly, get their organisation blacklisted, thereby causing a lot of inconvenience to their colleagues.

Which is why organisations take it seriously.

Data Protection

All of the discussion above is quite apart from whether the email addresses should have been collected in the first place and then used for the purpose of sending emails. If in doubt, talk to your data protection manager.

Disk Space

I also have to put a short note in here about disk space. While most modern email systems will store a single copy of an email destined for multiple recipients on an email server, as soon as the email is copied off, forwarded or archived, a copy is made and the amount of space it takes up doubles. So, mass emails that have 1MB attachments can take up significant amounts of space if sent to a large number of people. And disk space is not free.

LSE resources

If you're at the LSE and do want to send emails to large numbers of people, please see the LSE's policy on internal email communications and the Conditions of Use for IT Facilities.