Shark watch: How safe are your online passwords?

Nut graf: Some passwords are just about useless, and they’re the most common ones online.

If your bank website password is something like 123456, you might as well hide your money under your mouse. It’s every bit as safe.


Still using that old password?

You’re probably giving someone an engraved invitation to access your website, read your information, make unilateral withdrawals from your bank account or create all sorts of havoc.

Splashdata puts together an annual list of the most common passwords, and the top three in the 2014 version are (drum roll): 123456, password, 12345.

Understand the methodology here. Splashdata equates the most common passwords with the worst, and it truly makes sense. Someone trying to break into your system is probably going to start with those.

Also you might want to consider something else. These passwords were leaked in various website attacks. Y’all, if it was leaked I already don’t want it.

Here’s Splashdata’s list of most common passwords in 2014:

Rank     Password              Change from 2013
1             123456                   … and still champion!
2              password              No Change. Better luck next time.
3              12345                     Up 17
4              12345678            Down 1
5              qwerty                    Down 1
6             123456789          No Change
7             1234                         Up 9
8              baseball                 New
9              dragon                    New
10           football                  New
11           1234567               Down 4
12            monkey                 Up 5
13            letmein                   Up 1 (You’re kidding, right?)
14            abc123                    Down 9
15           111111                    Down 8
16           mustang                  New
17           access                       New
18           shadow                   Unchanged
19           master                     New
20           michael                   New
21           superman             New (Batman’s cooler.)
22           696969                  New
23           123123                  Down 12
24            batman                 New
25           trustno1                Down 1

Yeah, the usual suspects.

Random first names show up in the top 100 or so, along with many of your favorite sports teams and cuss words.

I might mention Splashdata has a pony in this race. That company developed SplashID, a password management application.

Some gains, though. Mark Burnett, who knows enough about online security to write the book Perfect Passwords, says fewer are using those commonly weak or weakly common codes:

“The bad news from my research is that this year’s most commonly used passwords are pretty consistent with prior years. The good news is that it appears that more people are moving away from using these passwords. In 2014, the top 25 passwords represented about 2.2% of passwords exposed. While still frightening, that’s the lowest percentage of people using the most common passwords I have seen in recent studies.”

Maybe people are catching on. I guess having your information harvested or your identity stolen is a clue that something’s wrong.

My passwords tend to in the strong range. But I’m not perfect. In the do-as-I-say-not-as-I-do department, I’m guilty of some password offenses:

I’ll recycle mine, use one password for several sites. They’re strong passwords, but I really need to change some around. Fortunately, most of these recycled passwords are in low-impact sites where it’s not a killer if you get in. More important sites, such as my blogs or banking info, don’t get the recycled stuff. But still …

One of my weakest passwords is the one that gives me root access to my computer. I’m not gonna tell you what it is, but I’m really not all that worried. A guy has to a) have my physical computer, b) know what a root password is, and c) know Linux to make any use of it.

So recycling passwords is not among your best practices. See, I’m already making this difficult.

So where do I keep passwords? There are several options:

My editorial comment here is cast in stone.
My editorial comment here is cast in stone.

– In my head. Good luck with that.
– In an Evernote file. Not real secure. Not with Evernote’s search functions anyway. Some one could type “password” or “pass” into the search bar and strike gold.
– In a file on your computer. Also not real secure.
– In a notebook near the computer. Puh-leze!
– On a sticky note next to the computer. Really. I’ve seen this done an awful lot.
– In an online password keeper such as LastPass. It’s reasonably secure, creates random passwords and all that, but the data is kept online. You use a master password to get in, and I sure hope it’s not 123456. Lastpass has been attacked a few times, and it usually lets its users know it.
– An offline password keeper like KeePass. None of the stuff is kept online. Hey, it’s a whole lot harder to crack when it doesn’t exist in the cloud, right? The only real drawback I see is that KeePass won’t work with some of the niche browsers such as Seamonkey. So there’s that, but a few of the really security-conscious recommend KeePass.

Okay. How do you know if your password is strong enough?

Many websites have a little meter that will let you know if it’s a weak or strong password. Here’s the catch, though. Not all these meters are created equal. It varies by a lot.

This is how LastPass rates passwords. If this was a high-priority site I’d change it immediately.


This is according to the tech site ReadWrite, which cites a study by Concordia University:

“Confusingly enough, nearly identical passwords provided very different outcomes. For example, Paypal01 was considered poor by Skype’s standards, but strong by PayPal’s. Password1 was considered very weak by Dropbox but very strong by Yahoo!, and received three different scores by three Microsoft checkers (strong, weak, and medium). The password #football1 was also considered to be very weak by Dropbox, but Twitter rated it perfect.”

I’ve noticed that. Many of these password-strength meters use the standard indicators: Length of the password. Presence or absence of uppercase, numerals and the good ol’ @$*%^. I reckon some password meters consider whether your password shows up in a dictionary somewhere, but that’s just a guess.

In the interest of stronger passwords, some sites have their own rules. My bank requires at least one upper case letter, one numeral and one symbol. Another bank won’t let you use three of anything in a row, so “anYthing111” is out.

# # #

Personal news: I published my latest fiction work, Desert Vendetta the other day. It’s a mystery involving reporters, corrupt cops, feuding families, casinos, the Nevada and Arizona desert, casinos and the occasional dead body. It’s available on Amazon.


Whatever happened to just calling in sick?

In some parts of the country, they call it “laying out” from work. That’s about what this guy in Florida did, in a most novel way.

According to KSDK Channel 5, a Hillsborough man staged a burglary so he wouldn’t have to go to work. Said he couldn’t get his wife to agree on letting him play hooky, so he tried something else.

He called 911:

Caller: My door’s wide open, my windows to my son’s bedroom are wide open. My TVs in there on the ground.

Dispatcher: Did you see anybody when you came in or is anything missing that you you can see?

Caller: I called y’all right away. All I see is the front-door wide open. Called my wife and I asked her, we did go out the front door, right? She said yes.

Dispatcher: Did you see any vehicles driving away when you were pulling up or anything like that?

Caller: On the corner, right when I pulled up, a white kind of little Honda Civic pulling away. White, it had kind of like a black fender …

It wasn’t until the cops showed up that they caught on. They saw no signs of forced entry, so they told the guy he could get in a bunch of trouble for lying to officers …

A neighbor ended up telling a local reporter, “To me, it would have been easier just to go to work. Instead, he got a ride to jail.”



Still more sharks in the phishing hole: That PayPal email scam sure gets around

smile, you son of a b!!!!
This online phish is predatory, but it’s not that smart. Still …

I know. I’ve written about it before, but it just won’t go away.

In a blog called Miraculous Ladies I saw another account of the infamous PayPal email scam that just keeps bugging me. Here’s the gist of it:

I received an email from PayPal yesterday afternoon. It was about a restriction on my account. While reading the email and noticed two things. First, their email address was Secondly, I spotted grammar mistakes. Alarm bells rang!

I logged into my PayPal account. There were no messages about my account being restricted.

– See more at:

That’s the main stuff here. She outlines things to watch out for, which is really useful stuff.

I’ve written extensively about this myself, as I’m sure you know:

Sharks in the phishing hole: That email isn’t really from PayPal

and …

More sharks in the phishing hole: Some folks never give up

This begs the question. Just what is this card-carrying member of the Testosterone-Toting club doing on the Miraculous Ladies site?

Linkedin, of course. Got the link from there. So if you’re on LinkedIn you’ll see the discussion.

Anyway, you know the deal. Watch out when you surf. You could be sharing waves with something predatory.


Talk to me: Have you run across this email yet? Have you clicked on that link yet? What were you thinking?








[From elsewhere] Knowledge is power, but unbalanced reading can trigger things

This was posted in another one of my blogs, Good Morning Manic Depression. OK, I wrote the thing. anyway, it’s highly-recommended stuff, especially if you’re one of those bookworms:

Okay, yeah, there's also that ...
Okay, yeah, there’s also that …

I think it was some guy named A. Nonymous who said libraries were a hospital for the brain. Smart guy, that Mr. Nonymous.

By inference, this means reading. Lots of it. Reading is good for the brain, it takes you places you’ve never been and you’ll learn a lot of cool stuff. It’s also healing.

I’m reading an article by Victoria Maxwell in BPHope right now, and she touches on the same subject.

Here’s what she says:

…bibliotherapy: reading books to help to cope with and heal from mental, physical, emotional and/or social issues. The UK’s Reading Agency which runs the Books on Prescription program states there’s “strong evidence self-help reading can help people with common mental health conditions, such as anxiety and depression, sometimes on its own or with other forms of treatment”. This has been my experience …

She included her reading list, and … well, check out her post and decide for yourself …

Anyway, check the article out.




More sharks in the phishing hole: Some folks never give up


Got me another one, Ethel. Another of those notes from PayPal saying my account has been temporarily blocked.


Just for grins, let’s take a look at the email to find the obvious BS. because this stuff is getting old.


   Unfortunately , Your account is temporarily blocked   please follow the instructions below 

    Dear ΡayΡal Customer,

    ΡayΡal is constantly working to ensure security by regularly screening the accounts in our system.
We recently reνiewed your account, and we need more information to prove your ownership .
to help us to provide you with a secure serνice.
Until we can collect this information, your access to sensitiνe account features will be limited.
We would like to restore your access as soon as possible, and we apologize for the inconνenience.

    Why is my account access limited?

    we haνe reason to belieνe that your account was accessed by a third party.
Βecause protecting the security of your account is our primary concern, we haνe limited access
to sensitiνe ΡayΡal account features.
We understand that this may be an inconνenience but please understand that this temporary
limitation is for your protection.

    How can i get my account fully restored ?

     Please follow the link below and login to your account then reνiew your account information

     Confirm now

     Sincerlye ,ΡayΡal customer department!



Yeah, yeah, yeah.

A couple of things come to my attention:

Here’s the horse it rode in on email address it came from:

Got that so far? Doesn’t look like a PayPal to me.

A couple of other things that in of themselves are not deal breakers, but they’re sure red flags:

Unfortunately , Your account is temporarily blocked

   please follow the instructions below

Notice the space between Unfortunately and the comma. Again, no biggie by itself, but it’s far from what a professional operation like PayPal would produce.

There are other grammatical errors, mostly in capitalization. And it’s not “sincerlye.”

This tells me this note was written by someone who does not speak English as a first language. Russian perhaps? North Korean? One of those nations that specializes in malware and computer hijacking?

After checking my firewalls, bumping up my security and all that good junk I clicked on the link. Here’s what I got:


Reported Phishing Website Ahead!
Chromium has blocked access to This website has been reported as a phishing website.
Phishing websites are designed to trick you into disclosing your login, password or other sensitive information by disguising themselves as other websites you may trust. Learn more

* * *

In case anyone misses it, it’s on a red background.

Now, I don’t ever advocate clicking on links like that. In fact, if you click on “confirm now” in the text of the letter, you probably need to snip your Internet connection, turn in your computer and stick with something safe. Like skydiving or something. I figured I can get away with it because a) I know what I’m doing, b) my security is extremely tight and c) I’m using Linux anyway.

Oh, yeah. I forgot to mention. This email came in two of my accounts (I have several). My PayPal account is only attached to one domain name. These two email accounts are under another domain name. So as far as these senders are concerned I really don’t have a PayPal account.

Hey, y’all. Watch the sharks.

# # #

First add: I covered this issue before, and it keeps coming back. You’ll find my story here.

# # #

Second add: I also ran some precautions when I wrote that. They were pretty much off the top of my head, but the original story is here. I pasted in the list below just ’cause I like you:

  • Choose your tools carefully. If you use Internet Explorer, take that icon off your desktop right now and surf with a different browser. Chromium (an open-source version of Google Chrome) is good, as are Firefox and Opera.
  • Keep that browser updated.
  • Be careful about passwords; PayPal_Andy’s advice of having a designated password for each site is highly recommended, even though I’m guilty of using the same passwords for more than one site.
  • Don’t open any attachments if you don’t know the sender.
  • Be wary of attachments from someone you know; zap it with your virus and malware protection tools before you open it.
  • I’d also be wary of links sent by email, especially when they’re shortened through or some other service. Also be careful of links posted on your favorite social media sites; you can click on some malware real easily that way. I’ve seen malware propagate among everyone on your friends/followers lists, making them the gift that keeps on giving.
  • You do have virus protection, don’t you? You do keep it updated, don’t you? Virus protection that’s not kept up to speed is totally worthless.
  • Grab some spyware protection, too. For that I recommend Spybot Search And Destroy.
  • Be careful about using public wireless for any business involving money; it’s too easy to tap into your information that way.
  • If surfing in a public place, watch for anyone behind you or sit with your back against a wall. I know this sounds goofy, but when some lowlife is trying to grab your information the low-tech ways are often the most effective.
  • Don’t let me scare you or anything.

If you use a smartphone:

  • Guard it with your life. Even if you want to be a good neighbor and help someone in a pinch, don’t let that person “hold” your phone. It’s too easy for him to snatch it and run. Most smartphones carry way more information than you’d think, and most of it can be found in seconds.
  • Be careful about dropping or leaving your phone somewhere. Same reason.
  • I use a lanyard from an old mp3 player and attach it to my phone holster. The other end is attached to a small carabiner, which I clip onto a belt loop. The holster’s flap is closed when I’m not using the phone. That way, if the holster falls off (happens more often than I’d like to think) or someone tries to snatch it off your belt, you’d know immediately.
  • Stay aware of what’s around you, even if you’re texting or playing Angry Birds. I’ve heard of folks stealing someone’s phone while the person is using it.
  • Two words: Password protection.

# # #

Final add: For your edification and amusement, I added this video at the last minute. It seemed to fit the theme somehow. I wonder if anyone told the diver that one side of his cage is missing?

# # #









B.I.C. Cartel (Part II: Eating Your Young) is now up; free through Feb. 6

Free through Feb. 6.
Free through Feb. 6.

Grab it while you can; it’s free through Feb. 6 through Amazon.

Here’s an excerpt from the story:

“… you want us to hit what?”

“You heard me,” Robert said. “That art supply warehouse on Foothill.”

“I think you’ve been smoking too much of that funny stuff,” said his companion, a tall skinny teenager with a almost enough facial hair to grow a neckbeard. “An art supply place?”

“You heard me.”

“You found a bunch of artsy-fartsy freaks to sell the stuff to?”


“Still think you smoking too much, man.”

Robert reached in his pocket, pulled out a list and handed it to his companion.

“Man, did you write on that paper or crap on it? ‘Cause I can’t read it either way.”

“Shut up. That’s canvases.”

“Canvases? What’s that?”

“That’s what you paint on.”

“And an easel?”

“Jamal, you’ll know it when you see it.”

“Paint and brushes. That what you needing?”

“Yeah. Make it acrylic. Haven’t got around to oils yet.”

“Wait a minute,” Jamal said. “These are for you, right?”

“Maybe, maybe not.”

“I hear you draw real good.”

“Who says that?” Robert said, straightening up.

“Just people. Just hear it around. You trying to move from the outhouse to the penthouse?”

“Yeah man,” Robert said. “With real paintings on the walls. Mine. But if you tell anybody I’ll have to beat you …”

That’s it. Y’all need to grab it.

# # #



B.I.C. Cartel Part II: How to eat your young and feel good about it (free Feb. 2-6)

Part II is up ...
Part II is up …

Braden, Karen and Robert spend a few years eating their young. Murdering their darlings. Inventing new ways to sabotage themselves.

All three enjoy success, but for some reason none could sustain it. Or handle it.

  • Karen writes for a weekly newspaper, earns her state’s highest journalism award and chucks it all – to work in a casino …
  • Braden tours with two jazz bands and makes a good living at it until another wife pressures him to give it all up for her …
  • Robert impulsively paints his greatest, most awe-inspiring work on his shop wall and it takes several friends to talk him out of painting over it …

Follow these three through several cross-country moves, abusive relationships, madness and drama as they come face to face with what they really love.

Part II was uploaded just last night and undergoes some tweaks, and it will go live Feb. 2. I’ll have it free through Feb. 6, so grab it then. Or later; I don’t mind.

# # #

Rotten phish: Scams travel by text messages, too

smile, you son of a b!!!!
This online phish is predatory, but it’s not that smart. Still …

Another day, another scam.

I’ve been getting text  messages from some outfit called Contact Achieve, and when I called back I picked up some real bad smell.

It smelled like rotten phish.

It’s from some company that calls itself Achieve, and according to the Federal Trade Commission it’s pure scam. But I’m getting ahead of myself here.

On Jan. 18 I received a text from Achieve Card. Two texts that day, one at 6:51 pm and another five minutes later. Actually had at least one text before that but I chose to ignore it.

But in that pair of texts I was given a number (601-633-0010) to call. So I did, and caught a recording. Upshot was that they were the Achieve Card help desk, and my prepaid Visa debit card had limited security access due to a security error. Then they gave me  the first few digits of my card number and wanted me to punch it in on the keypad.

Uhh, no thanks. I may have been born in the dark, but it wasn’t last night.

So I wrote the information down and called that recording again to make sure I had it right. Hey, if you’re after a story you want to make sure you have it right.

A couple of red flags right away. The biggest is that I don’t have a prepaid Visa card. I do have a Visa debit card that’s attached to my bank account, but the partial number didn’t match.

I do have a prepaid debit card (which I use for a couple of jobs that pay cash), but it’s an American Express and the numbers still don’t match.

Plus I’ve never heard of that company.

Not only are they crooked, but they’re idiots.

Listen, it’s not unlike some emails I got from some outfit claiming to be PayPal. Except they kept using email addresses that are not attached to my PayPal account. I related the whole sordid tale here, and it’s worth your while to check that one out. It’s a million laughs unless you fell for it.

Let’s bring this thing forward, shall we? Just a few minutes ago (I wrote this a little after 5 pm Jan. 21) I got another text message. This one was also from Achieve, and according to my readout the text message went out at 9:18 p.m. on Jan. 17. So it must have gone into some queue, to be released at the most inopportune time.

Just because I feel like making trouble (who, me?) I tried their callback number. That’s 832-984-9427 in case you’re interested) and got a different recording. From the Federal Trade Commission, no less. Maybe it was and maybe it wasn’t, but the message was quite interesting nonetheless.

According to that recording, that callback number has been disconnected because the FTC divined that it was a scam, and a number of folks got emails and text messages in the so-called company’s trolling efforts.

They can shut it down? How interesting.

The recording went on to explain that it was an attempt at phishing, sending out bogus texts or email to talk you into giving up your valuable  banking information so they can steal your identity. Their advice: Don’t do it.

Well, duh.

In addition I was referred to a website,, which is supposed to be an FTC site on dealing with scams. I checked it and it looks pretty legit to me, enough for me to subscribe to the RSS feed.

Just for gits and shiggles I tried that first Achieve number again and got a fast busy signal. So apparently that’s been shut down too.

So scratch one scammer. But they’re like cockroaches. Kill one and a thousand more come to its funeral.

Hey, you know the deal. Don’t give out your bank card numbers online or over the phone unless you initiated the call, and even then crank up your BS detector as high as it will go. I also have some other precautions, which I listed here. Check that out while you’re at the computer reading this. That in itself is worth the price of admission.

Do I expect people to wise up?

No way. A few might if they’ve been burned often enough or if that aforementioned BS detector is fully functional. But hey, y’all be careful out there.

In the meantime, enjoy your computer. Have fun checking out Facebook, Buzzfeed and those cat videos. Feel free to read your news online (including this blog). Buy books from Amzon (including mine, heh-heh) Do your shopping online. Use the Internet to make a living. Use the online tools to run several aspects of your life by remote control (like my own use of online banking). It’s safer than it once was, it’s convenient, it’s a Godsend.

But again, be careful.

# # #

What say you? Have you run across this Achieve outfit? How about that PayPal email scam? Any other stories? Please share in the comments, and don’t spare me any of the gory details.

Part I of B.I.C. Cartel uploaded, available

This is how we roll.
This is how we roll.

Well, some last-minute things on the availability.

Still waiting on it to pass muster with Amazon so they can make sure it doesn’t advocate world conquest (which it does). But it’s new.

You can get it on Gumroad and pay what you want. Or check out my author’s selection at Amazon. Through Kindle I’m pricing it at $0.99, but that’s only because they won’t let me give it out for free.

Yeah, I know. They PP’d in my Cheerios, but I’ll live.

Here’s the basic blurb:

Braden Campbell is an amazing jazz pianist with bipolar disorder, and he gives up his talent because it’s time to grow up. As if driving a taxi is a grown-up occupation, that is.

Karen Watts writes, and has great credentials as a journalist and freelance writer. However, every novel she’s ever written is either abandoned or torched — because she thinks she isn’t good enough.

Robert Blair paints landscapes, portraits and … signs. But only the signs pay and a man has to make a living, right?

After years of false starts, marriages, abusive relationships, divorces, substance abuse, madness, frequent cross-country moves and plain old self-doubts, the three reunite with a new resolve. Karen bets them that she will be the first to “turn pro” — to take their talents seriously and act professionals instead of dabblers.

… She put her water bottle down. “Here’s the deal. Each of us decides to ourselves what becoming a pro is all about. Then we do it. I’ll tell both you hairy-legged types what. I don’t care what you think, but I’m gonna be the first to make that jump …”

To encourage and challenge one another to plant their butts in the chair and do their work, they form a support group called BIC Cartel.

They push and cajole one another and things start to happen with all three.

This work will be released in three parts. Part II will be available through Amazon 2/02/2014.

Final version should be out March 5, 2014.

Keep watching the BIC Cartel website for more details and occasional notes from the author and characters.