Tag Archives: email

The Weakest Link: “Forgot Your Password?”

Assume for a moment that I wanted to access some confidential files that belonged to you. You, having at least an ounce of sense (or an IT department that makes these decisions for you) have set a Windows password on your computer. How should I aim to access those files?

Well, there are a lot of ways. Here are a few:

  1. Install a keylogger on your system, wait a little while, then come back and search through the output looking for things that look like passwords, then try them. (Probably several hours, unless I’m really good at it.)
  2. Try to guess your password based on things I know about you, or try common passwords like ‘password1′ or ‘123456’, or look around your desk for sticky notes containing your password. (A few minutes, assuming it works—which is a comfortably low chance if you use a sensible password, but unfortunately a lot of people don’t.)
  3. Use software that will search for common passwords out of a dictionary or brute-force the password. (Probably days.)
  4. Boot up the system using a boot disc to bypass the Windows password, locate the files, and copy them to a flash drive. (About 5 minutes.)

Which do you think I’m going to pick? Obviously, the sensible choice is the one that’s the easiest, the lowest risk, and takes the least amount of time, which is number 4. If you look at these options, you’ll notice there’s something different about number 4: I have not broken the installed security system (by finding the password despite not being a legitimate user), I have bypassed it altogether. Instead of trying to find the password to the system, I’ve simply found a way to access those files that didn’t require me to know the password at all.

On web services, the bypass-the-password option comes in the form of that little link that reads “Forgot your password?” While this function is a godsend if you really have forgotten your password, without some care it makes it much easier for someone to access your account without your permission. This scenario is not the most likely way for your account to be compromised—nowadays it’s more likely that a poorly secured password database containing your information will be stolen and published on the Web. But if someone singles you out as a particular target for whatever reason (and it’s not as impossible as it seems), password resets are likely to be something they try. Fortunately, it’s not all that difficult to make password resets significantly more secure.

How Password Resets Work
Consider for a moment what happens when you use a password reset function. Usually the service does one or both of these things:

  • It sends a confirmation link to your email address, which will allow you to set a new password.
  • It asks you one or more security questions to “prove” your identity, set up when you opened the account, supposedly things that only you would know, then allows you to change the password.

I’ll look at each of these in turn.

Email Link Reset
Services that simply send a link to your email address are the simplest case. As a would-be hacker, all I have to do is gain access to your email account, and I can easily reset the password on another site that I don’t know the password to. This may not seem like a big deal—after all, I still need to access your email account—but most likely you have twenty or thirty different accounts that will all happily send password reset links to the same email address in the same day. So if I can gain access to your email account through whatever means, even if you have the best unique passwords set up on every other account, I can still access every one of them.

This is pretty simple to fix, though:

  • Never, ever reuse the password you use on your main email account for any reason. Even if you use the same password for everything else (which I don’t recommend, but if you must do it, you must), use a unique one for your email.
  • Make that password a strong one: at least 20 characters, using letters, numbers, and symbols, and nothing easily guessable, such as your phone number, spouse’s or pet’s name, zip code, birthday, and so on. (Actually, guessable things are not in themselves bad—but they need to be combined with something completely unrelated to be secure. Your birthday is a bad password; your birthday combined with a random dictionary word and the last four digits of your phone number when you were six is a good password.)
  • Set up two-factor authentication on your email account if you can. It’s extremely effective and surprisingly unobtrusive.
  • Make certain that you’ve always logged out of your email account when you’re done using it on a public computer. Not only does it help keep you secure on other websites, at least one court has ruled that it’s legal to read someone else’s email if they neglect to log out. If you ever do forget to log out, many services have an option to log out other sessions (in Gmail, if you click the “Details” link in the lower-right-hand corner of the page, there’s a button labeled “Sign out all other sessions”).
  • If you have an “alternate” email address set in your email account’s settings (for recovering the password to your email account), double-check that that account is also secured in the same way. From personal experience, I can attest that this is a “D’oh!” moment if it happens to you.

Some people recommend setting up a different email account reserved for signing up for web services (to keep password reset emails more secure). Personally, I’m too lazy to check my email at two different places (for obvious reasons, you shouldn’t have that mail forwarded to your other email address), and I’m confident enough in the security of my main email account that I’m not worried.

Security Questions
Some people think that security questions are an effective and useful security measure. They’re dead wrong.

Actually, security questions have become popular partly because of a misunderstanding of the theory behind two-factor authentication. In security theory, there are three ways to authenticate yourself: something you know (a password or something more unique like a series of pictures where you must choose the right one), something you have (a token that displays different numbers, a smart card, an RFID tag, or an encryption key on a flash drive), and something you are (a biometric reading such as a fingerprint scan, voice print,
or face recognition).

Two-factor authentication consists of using two different types of authentication (in most implementations, a password—something you know—and a token—something you have). However, people heard that two-factor authentication was good, decided that security questions were “two-factor authentication” because you had to authenticate two different ways, and “Wish-It-Was Two-Factor” authentication was born.

It is often said that “good” security questions have four characteristics:

  1. The answer cannot easily be guessed or researched.
  2. The answer doesn’t change over time.
  3. The answer is memorable.
  4. The answer is definitive/simple.

Looking at how tough those requirements (plus a fifth one, that the question needs to apply to most of your users) are, it’s no wonder that nearly all of the questions you see are bad!

Let’s look at where some common questions go wrong:

  • “What is your favorite movie?” This fails on count 2. You probably won’t need to reset your password for months if not years. By that time you’ve almost certainly forgotten what your favorite movie was at the time, if you even had a well-defined one to begin with. Even if you could somehow remember what your favorite movie was on any day during your life, you’d still have to remember when you created your account for that knowledge to be useful.
  • “What city were you born in?” This fails on count 1—it can be found easily in public records. Even if I couldn’t find it with some good research, it’s quite likely you’d give me this information if I asked you, as it doesn’t feel very sensitive.
  • “What is your date of birth?” This isn’t usually presented as a security question, but it is often used for verification. The majority of people have their birthday listed on Facebook, for one, and even if not, once again, it’s in public records. Alternatively, I could call you up and pretend to be conducting a survey or something similar and ask you for your birthday, and you’d probably give it to me.
  • “What is your favorite color?” This fails on count 1 in two different ways. First of all, there are only so many colors that people will describe as their favorite. If you simply type in “blue,” you’ll get it right a very good percentage of the time (according to one survey, a whopping 36 percent of the time averaged between genders). How many people are going to describe their favorite color as something that’s actually somewhat difficult to guess like “light chartreuse” or “burnt orange”? And when was the last time you asked someone what their favorite color was and they told you, “No, that’s private information”? If you can’t find it anywhere, you can just ask.

The Solutions

So what can you do about bad security questions? There are two options I like:

  1. Make up a fake identity of security questions, store them in a file or on a sheet of paper, and read off it anytime you need a security question. You can store it in your email account if you need to be able to access it anywhere (you made sure your email account was secure, right?). If you want to make it even more secure, you can make up answers that are completely unrelated to the question (e.g., “What is your favorite pet’s name?” / “Wal-Mart”). This takes a little while to set up, but you can feel confident that you’ll never accidentally reveal the answer to a question, and you have at least some security in the event that someone does discover the answer to one of the questions, as you don’t have to use the same one on every website. Here’s the list of 13 questions that I use (with my answers removed, of course).
  2. If that sounds too complicated for you (and for most people, it probably is), simply make up a password and enter it every time you are asked for a security question. It doesn’t matter one bit what the question is. (If you want to get a little bit more secure, you can add something to the password based on the name of the site or use two or three passwords based on the question. This password will never change (unless it’s compromised and you need to change it, of course), is always memorable and applicable to you, and is not researchable, since it’s not an answer, it’s a password.
Other options that are not as good as these but are at least better than nothing:
  • Replace letters with numbers or symbols in your answer as if it was a password you were attempting to obscure. This can usually be cracked easily by a password dictionary, but hopefully nobody will be trying a password dictionary on your security question, since it’s not supposed to be a password.
  • Even if you must use the actual question and answer with an actual answer, if you’re given the option to choose your own question, use it. But make it something good—it should pass those four guidelines at the beginning of the section for you.

I’ve had some fun in the past asking security questions like “What is 2 + 2?” and making the answer something that’s not even a number. The look on the face of a would-be hacker as he or she is informed that the answer is not 4 is priceless. (I was in the same room with a friend when she tried to access my Gmail account as part of a prank once.)

Here’s some more reading on security questions if you’re interested:

All the good security questions in the world won’t save you from social engineering. In several high-profile cases, customer service representatives have allowed unauthorized users to access accounts even though they didn’t have the answer to the security questions. Of course, there’s nothing you can do about this—just do what you can and hope that none of the things you can’t fix get you in trouble. And if you’re in charge of a web service or business, make clear security guidelines and stick to them (I highly recommend The Art of Deception by Kevin Mitnick—it’s written specifically for businesspeople looking to improve their company’s security, but it’s very enlightening reading for anyone).

So what can you do right now? Most importantly, go to your email account right now and check your security. If you have weak security questions, change them. If you have an alternate email address, make sure it’s secure (or simply remove it from your account; it’ll make it a little bit harder if you really do lose your password, but it will increase your security). And if you don’t have a strong, unique password on your email account, change it! If you can only follow good password guidelines on one account, make it your email.

As for other sites, if you don’t want to go through and change all your security questions now, at least try one of these methods the next time you’re signing up for an account.

What Email Filters Are, and Why You Should Use Them

Ever gotten repeating emails from a website that you just can’t get rid of? If you use Gmail, would you like to be able to prevent emails from a certain address from ever being marked as important? Would you like to store work orders or other requests in a separate folder automatically? Email filters give you the ability to take control of what emails get presented in your inbox and how they’re displayed to you there.

I’m going to show you how to set up a filter in Gmail, since that’s what I use (and because it has one of the more powerful and useful filter systems out there), but virtually every email client provides a filter of some sort.

Filters are essentially just a search that’s automatically applied to your incoming mail, so they’re pretty easy to understand. Here’s how to set one up:

  1. Locate the filter settings in your Preferences or Settings. In Gmail, it’s under the Filters tab in your settings (in the new layout, you have to click the gear icon in the upper-right-hand corner to get to settings).
  2. Determine criteria that match the email you want to filter out. See below for suggestions on what you might want to filter. You can typically search the subject, sender, receiver (different depending on whether it was sent only to you or to a mailing list), or body text. You can also frequently check for whether a message has an attachment.
  3. Type the criteria and test the search on emails you already have. If your email client is any good, you’ll be able to see what messages you already have that match the filter. If it looks like it’s going to work, you can set the filter.

No ideas on what you might want to filter? Here are a few ideas:

  • The most obvious is when a website is sending you spam that you can’t get rid of. For instance, I somehow wound up on a software development list that I did not sign up to be on, and no matter how I changed my preferences, I couldn’t seem to get off of it. To correct the problem, I simply went into my email settings and filtered on the search subject:([supertux OR [meta) (this matches the prefix that comes before the subject in every message from the list) and set the action to “skip inbox” and “delete.” Now I never see the messages anymore.
  • If you use Gmail, you may not know that you can use a +anything after your email address. For instance, emails sent to both john.smith@gmail.com and john.smith+spam@gmail.com land in John Smith’s inbox. Since you can filter on what address an email was sent to, you can take advantage of this to help filter spam and track the source of it when signing up for less-than-kosher websites. You can also use it to specify that certain email is important. For instance, you could opt to have email sent to john.smith+bob-urgent@gmail.com automatically starred and flagged as important if Bob’s messages are always important.
  • If you’re on a mailing list or two, it might be nice to have email from the list kept in a separate folder if you don’t always want to look at it with the rest of your email. (If you use Gmail, you can also label it without removing it from the inbox if you just want to be able to look through the archives more easily later.)
  • If you’re wondering what filters I use, here’s a screenshot (click to enlarge and make it easier to read):

My email filters. See above for suggestions if you can't see this...

In Gmail, there’s another handy way to create a filter: build a search from the ordinary search box, then click the little arrow next to the search box and choose “create a filter from this search”:

Create Filter From This Search

Email Etiquette: Summary

This is a summary of a four-part series on email etiquette.

This page is not intended to be a full guide to email etiquette: I wrote the other pages for a reason. It will probably be nice to read if you’ve read through the other posts and want a quick refresher, or if you’re lazy and just want to see what I have to say quickly. For this reason, I also haven’t put a lot of links in that I could have—if you’re interested, click the main article link and find more information there.

Part 1: Using the Cc and Bcc Fields

  • Sometimes you shouldn’t put everyone’s email addresses in the To field. The other two fields are there for a good reason.
    • The Cc field can be used to indicate that you are sending a message to a certain person and only want to notify others of this.
    • The Bcc field should be used when you are sending an announcement to many people and don’t need to share people’s email addresses with other recipients of the message.
    • You can also use the Bcc field to hide the fact that you’re sending a copy of an email to somebody else who needs to see it, or if you need to send a copy of an email to yourself and the Sent folder won’t do the trick in your present situation.
    • If your email client will not allow you to put nothing in the To field (because you want to put all the email addresses in the Bcc field), put yourself in the To field.

Part 2: Subjects and Attachments

  • Make your subject line as concise as possible without removing important meaning.
    • If you want someone to do something, make that clear in the subject line.
    • Write your subject in title case or sentence case, as appropriate, not in all lowercase.
    • If nothing else, at least put something in the subject line.
  • Before attaching files to your email, consider whether you really need attachments. Instead, could you:
    • Paste the contents of some of those files into the body of the email?
    • Remove some of the files?
    • Zip the files so the recipient doesn’t have to download a ton of files?
    • Post to a photo-sharing website? (Only applicable if you’re attaching pictures, of course.)
  • If you need to send a large file, use a service such as Dropbox to share it.
  • To avoid forgetting to attach a file to a message:
    • Attach the file as soon as you think that you need to include a file. If you do it now, you can’t forget to do it later.
    • Turn on your email client’s “undo send” feature. This way, if you remember right after sending the message that you forgot your attachment, you can still take it back.
    • Use Gmail, which provides a warning if you write “attached” in your message but don’t attach a file.
  • Don’t attach unusual file formats to emails and assume that the recipients will be able to read them. The following file formats are probably email-safe: JP(E)G, PNG, GIF, TIF(F), PDF, RTF, TXT, HTM(L), WAV, MP3, DOC, XLS, PPT.
  • To avoid emailing a document back and forth zillions of times, use Google Docs if you’re collaborating on a project.

Part 3: Replies and Formatting

  • Don’t send replies to everybody without a good reason—stop for a moment and consider who really needs to see your message. This can make using email better for everyone by eliminating unnecessary messages from everybody’s inboxes.
    • For examples on when I suggest replying to everyone and when I don’t, see the full article.
  • Avoid backgrounds, changing the font or colors, or putting unnecessary images in emails.
    • Bold or italics, links, and the occasional embedded image can improve the presentation of your emails. Anything more is probably going into the “annoying” section of the scale.

Part 4: Odds and Ends

  • Signatures are nice—just consider what information about yourself will be useful in an email signature and what won’t.
    • Putting your email address in an email signature is pretty silly unless it’s somehow different from the address that you send your email from.
    • Snippets, quotes, and similar things are fine, but:
      • Keep it clean and inoffensive to everybody, no matter what account you’re on. You never know when you might be sending formal email and forget to check what you had in your signature.
      • Change it occasionally. The point of including something witty in your email signature is to keep people interested, not to bore them by sending them the same thing for years in a row.
      • Don’t create a monstrously long signature. Four or five lines is probably plenty.
    • Remove your signature if it’s unnecessary or gets in the way of your email.
  • Don’t forward chain emails, no matter what they say. Check out Snopes to see if they might actually have some grain of truth in them.
  • Keep your email as short as possible.
    • If it has to be long, summarize your email at the top and consider apologizing for and/or explaining the length.
    • Instead of sending a single person a five-paragraph email, pick up the phone and call them.
Soren “scorchgeek” Bjornstad

If you have found an error or notable omission in this tip, please leave a comment or email me.

Copyright 2012 Soren Bjornstad.
For terms of reuse and redistribution, visit

Email Etiquette (4): Odds and Ends

This is the fourth and final part of a multi-part series. Previous posts were “Replies and Formatting,” “Subjects and Attachments,” and “Using the Cc and Bcc Fields.” There is also a summary.

This week has no particular focus except to deal with a few more things I thought of: email signatures, chain emails, and length of emails.


Email signatures are good. It’s nice to be able to easily find somebody’s name at the bottom of their email, especially if they don’t have their “from” name in their email client set to their actual name (so you get something like “From: hq723″ instead of “From: Soren Bjornstad”). If somebody might want your address, phone number, or website, those are good things to put in as well. Putting your email address is a waste of space unless you’re using a different address than normal: this is what the “reply” button and the email header are for.

If it’s not a work email (and maybe if it is, depending on the environment), creativity is always appreciated—just don’t go overboard and make it something that could potentially offend somebody. Quotes or interesting observations are always welcome. If you choose to include a quote or something similar in your signature, changing it every so often is nice; I know more than one person who has had precisely the same email signature for over five years. Even the most creative snippets tend to lose some of their luster after that long.

Don’t make your email signature more than four or five lines. HTML and images are probably unnecessary. Also don’t be cautious to strip your signature from your email if you’re responding to a mailing list that knows perfectly well who you are or you’re adding to a long chain of people adding a small amount of information to an email and sending it on. (Feel free to strip other people’s signatures and “so-and-so replied:” from those emails too; nobody will ever do it if you don’t take the initiative.)

Chain Emails

Do me a favor: Next time you get an email that ends by telling you that if you don’t send it to ten more people your computer will explode spontaneously, don’t forward it to me.

If you get an email warning you about something that actually seems important:

  1. Don’t send it to anybody.
  2. It’s probably completely fake.
  3. If you still really aren’t sure whether it might be true, check out Snopes first. (Do this even if the email claims that Snopes has confirmed the veracity of its statement—Snopes is becoming well-known enough that I’ve seen more than one chain email/Facebook post that makes a false claim.)
  4. If you really received chain mail that tells the truth, you still probably shouldn’t forward it to anybody. If there really is an email virus spreading like wildfire (which really doesn’t happen anymore anyway), then people will learn about it on the news anyway. Do you really need to send yet another email?
I realize I’m probably preaching to the choir here—most people interested in reading this blog are probably not the type to forward email indiscriminately. But please take this to heart. So much complete misinformation gets spread this way, not to mention the annoyance of the resulting flood of email.

Email Length

Try to avoid making your email more than a paragraph or two long. If it really needs to be longer, you should start worrying about structure. Include a paragraph or at least a line or two summarizing the email and explaining what you’re going to talk about in it. If it seems appropriate, you also might consider apologizing for the length and explaining why it’s as long as it is.

Why? Five-paragraph emails don’t scan well. Sometimes I get a copy of an email I don’t really need, and I like to be able to discard it quickly instead of wasting my time reading the whole thing. If I have a flood of email, it’s nice to be able to immediately determine which emails require immediate action and which ones can wait until I’ve finished sifting through emails. And besides, nobody likes reading you ramble on forever about the same thing. If it’s that complex a topic and it’s not for mass distribution, you should probably just pick up the phone and call the other person—that will be faster anyway.


I’ve compiled another post that summarizes all the main ideas in all four sections of this post. Check it out, and send it on to people who annoy you with their emailing habits. :-)

Soren “scorchgeek” Bjornstad

If you have found an error or notable omission in this tip, please leave a comment or email me.

Copyright 2012 Soren Bjornstad.
For terms of reuse and redistribution, visit

Email Etiquette (3): Replies and Formatting

This is part three of a multi-part series. Last week we had Part 2, “Subjects and Attachments.” Part 1 was “Using the Cc and Bcc Fields.”

This week I’ll first discuss when you should reply to everybody and when you should only reply to one person, then consider the problem of how much formatting in your email is too much.

Replying to Everybody

Sometimes everybody really does need to receive your reply. Other times, they really don’t. This is sometimes a difficult problem to deal with: is it better to err on the side of replying to everybody (thus sending people a bunch of spam) or the side of replying to only one person (and leaving people out of the loop)? That’s really a matter of personal preference, but usually you should be able to make a pretty good decision. Here are a few cases:

  • If somebody asked you about a meeting or similar group activity, you should reply to everybody. Otherwise other people might not realize that you’ve already replied and make plans that don’t work for you behind your back (like you just did to them!).
  • There is very rarely a sensible reason to send an email that says something like “Thanks” or “Cool, I’ll do that” to everybody. In fact, you might consider whether you really need to send that email at all—in many cases, all it will end up doing is wasting the other person’s time. (Of course, there are plenty of times when being courteous is intelligent. But it’s at least worth thinking about.)
  • If you’re on a mailing list and really only need to reply to one person, see if the mailing list allows you to see the email address of the person who sent it. If so, don’t hit reply—copy that email address, then compose a new email to that person, rather than to the entire list.
  • Consider choosing “reply to all,” then removing several people’s names from the address list. Perhaps only the person who just sent you an invitation and the person you know who just responded need to get an email, not the other three people on the original mailing as well.
  • If somebody sent you an email with two hundred names in the To: field, first of all, shame on them. Second of all, please double-check to make sure you didn’t hit “reply to all” before you send the email. If there’s something worse than getting a completely useless email from somebody, it’s getting a completely useless email from somebody you don’t even know.

I know some people will say, “Big deal! It doesn’t take that long to delete a useless email—why should I bother to think about all this before I send email?” But think about it this way: either you spend a few seconds thinking about who needs to get your email, or someone else spends a few seconds deleting your email because she didn’t need it. If all of us were polite and spent a few seconds considering who needed to receive our emails, then we would all have fewer useless messages drifting around in our inboxes (that sometimes even interrupt our work because we notice that we have a new email and go to see what it is). And we wouldn’t lose any time because of it, either—we would simply have moved those few seconds from the receiving to the sending end.

HTML and Formatting

Have you ever gotten an email that was in 18-point italic red text with a blue speckled background? I sure have. And guess what: it doesn’t make you look cool. All it does is strain people’s eyes, make them annoyed because it’s difficult to read, and make their email take longer to load. Simply put: stick with plain text unless you actually have a good reason to add formatting.

Some people dislike getting any formatting in email (mostly the technical people who use text-based email programs, for whom any formatting displays as HTML markup and random gibberish). You’ll probably know who these people are, because they’ll write you back asking you to please send them plain text-only email in the future. If you’re not dealing with one of those people, adding some bold text, a link, or maybe a relevant image to the body of your email looks professional and is perfectly acceptable. Changing the font of your entire email to Comic Sans, putting the entire thing in italics, or adding a background is obnoxious.

Soren “scorchgeek” Bjornstad

If you have found an error or notable omission in this tip, please leave a comment or email me.

Copyright 2012 Soren Bjornstad.
For terms of reuse and redistribution, visit

Email Etiquette (2): Subjects and Attachments

This is part two of a multi-part series. Last week (actually, two weeks ago) we had Part 1, “Using the Cc and Bcc Fields.”

This week I’ll discuss choosing better subjects for your email, as well as many different aspects of the complicated mess that is called “email attachments”: when you should use attachments and when you shouldn’t, how to avoid sending too many attachments, and what kinds of files most people can be counted on to be able to read.


Here are some bad subjects:

“(no subject)”
“Please walk me through…”

Your subject line should be concise, yet make it clear what the email is about. If you want someone to do something, try to make that clear in the subject. Most importantly, though, make it obvious what the email is about—if you need to find that email two months in the future, it’ll be a lot easier if the subject is sensible.

So try something like “Request for Book” or “Link to [website we were talking about]”. And for heaven’s sake, write something in the subject line. Emails with “no subject” even get filtered out by some email filters, and they make it look like you were in a hurry or didn’t know what you were doing.

A personal pet peeve of mine is when people write subjects in all lowercase. Depending on what your subject is, it’s either a title or a sentence describing the email. If it’s a title, it should be in title case; if it’s a sentence, the first letter should be capitalized (you don’t need a period, though; in fact, it looks better without).

See this Lifehacker post for more interesting tips on keeping your email a bit more efficient.


Before you attach anything to your message, consider whether you really need an attachment at all. I get a bit annoyed when people attach a Word document to an email, then I go to the trouble of downloading it and opening it in a word processor to find that it contains a five-sentence message in plain text. If your attachment is another part of the message, just copy and paste it into the body of the email. If the problem is that the formatting comes out horribly broken when you paste it in, you might choose to mention that in the email. At the very least, provide a description of what the attachment is. Many people don’t have filenames that make sense outside their folder structure and their mind, and few people remember to rename files before attaching them to emails, so describing what the attachment is really helps.

Also try to avoid attaching zillions of files to one email. If you have fifty pictures, you ought to find a better way to send them than attaching each one individually. If you send it to people who don’t have a “download all” button on their email client, you’re going to make them pretty annoyed. If you have more than three attachments, you’re probably getting a bit excessive. If you have too many attachments, you could try one of the following:

  • Do you really need all those files? Some of them may be unnecessary, could be combined, or could be posted in the body of the email.
  • If they’re all related (for instance, if you have fifteen pictures), at least put them in a zip file so the recipient only has to download the file once. If you don’t know how to zip files or the person you’re mailing them to doesn’t know how to unzip them, take a look at this Microsoft Knowledge Base article. If you’re not using Windows, a Google search for “zip files” and “Mac” or “Linux” or “BSD” or what have you ought to get you instructions. Note: “Zipping” files is sometimes known as “compressing” them, although there are other ways to compress files besides ZIP files; “unzipping” is sometimes called “extracting.” Also, for no apparent reason than being different, Microsoft likes to call zip files “Compressed (zipped) Folders.”
  • If you have more than a couple of pictures, you should post them on a photo-sharing website, Facebook, or something similar rather than attaching them to an email.

It used to be that sending someone an attachment of more than a few hundred kilobytes was considered rude; in many cases sending a 10MB attachment could cause the remainder of the recipient’s mail to bounce until he checked it and deleted the attachment. Now that free webmail services offer 7 gigabytes of storage and nearly everybody in a developed country has broadband internet, this is rarely a problem. However, most email programs will not let you send attachments larger than 25MB or so—if you need to send something larger than that, you should consider a service like Dropbox, which will let you store and sync up to 2GB of information for free (accessible with a public link if you so desire).

No discussion of attachments would be complete without a mention of the dreaded “oh crap, I forgot to attach the file” moment. I find that the best plan for avoiding this is simply to attach the file the moment you think about it. If you open an email intending to send someone a file, attach the file and then write the message. If you’re writing a message and think “oh, I should include this file,” then take a break from writing the message, attach the file, and then finish your message. Also, I find that I usually notice I’ve forgotten a file within a few seconds. If your email client has an “undo send” feature, turn it on—it’s a lifesaver. And Gmail also gives you this handy warning on occasion:

One more thing to avoid is blindly assuming that the recipient will be able to read the file format you send them. If you send someone an Adobe PageMaker file and they don’t have Adobe PageMaker, they’re going to have to write you back and tell you they can’t read the file. Also annoying is receiving a .docx file when you don’t have Word 2007. (Most word processors can now read the files, but sometimes they have difficulty with the formatting, and some people have not installed the Compatibility Pack for earlier versions of Word.)

Stick to established formats unless you know that the recipient has the same software as you (for instance, if you work in the same office). Everyone with a computer from this century should be able to read the following standard formats (among others): JP(E)G, PNG, GIF, TIF(F), PDF, RTF, TXT, HTM(L), WAV, MP3.

Nearly everyone (except a few activists who have a good point but sometimes go a bit over the top, in my opinion) can also read .DOC files. Many people can read .DOCX files, but unless you have a specific reason to send them, it’s often better to save them down to .DOC files or paste them into the email. If you need to send a spreadsheet or PowerPoint, it’s probably best to use the Microsoft Office formats (.XLS and .PPT), even though you’re contributing to and encouraging a Microsoft monopoly, simply because they’re more established and likely to be openable.

You can use Google Docs if you need to collaborate on a project; it lets you work together on one copy (at the same time) instead of mailing files back and forth. Sometimes it clobbers your formatting a bit, but most of the time it works extremely well. I personally wouldn’t use it as my regular word processor, but for working with others it does exactly what it says on the box.

Soren “scorchgeek” Bjornstad

If you have found an error or notable omission in this tip, please leave a comment or email me.

Copyright 2012 Soren Bjornstad.
For terms of reuse and redistribution, visit

Email Etiquette (1): Using the Cc and Bcc Fields

Many people probably simply fill in the “to” field in their emailer every time they need to send a message. But the other options are there for a reason. When used correctly, these options can give people useful cues and avoid leakage of information that is none of other people’s business.

Keep in mind that this (mostly) just my opinion. I don’t think that you’re using email the “wrong way”—whatever that would even mean—if you don’t follow these tips. But at the same time, I think you’ll have serious trouble finding anyone who is annoyed by them.

This is part one of a planned multi-part series on email.

Cc field

The Cc field can be used to indicate that you are sending the message to a specific person and merely want to notify someone else that you’ve done so, or if one of the recipients is less important than the others (in terms of responding to the email, of course). Many email clients automatically use the Cc field when activating “reply to all”, only filling in the To field with the name of the person to whom you’re directly replying.

Cc doesn’t actually have any impact on the way the message is delivered, except that some email addresses appear under the “Cc” heading instead of the “To” heading; it’s only a convenience to be used however you want to. For all the computer cares, you could establish guidelines in your office that if you Cc someone a message, that means you’re in trouble and they need to telephone you immediately. But the “less important” or “FYI, I sent this message to so-and-so” interpretation is pretty much universally understood among serious email users. Like putting people’s emails in the To field, every recipient of the email can see all the people you Cc’d a message to.

Sometimes you need to click a link or button marked “Add Cc” in order to see this field.
By the way, “Cc” stands for “carbon copy”, though you’ll have a difficult time finding an email program that actually says that anymore.

Bcc field

Bcc stands for “blind carbon copy”—when you use it, nobody sees the email addresses in the Bcc field except you, but everyone still gets the email.

Not using the Bcc field properly is one of the things that I actually do get annoyed with people about on occasion. This is why: say someone sends a wedding invitation to 200 people using the standard To field. Now, everyone who received that email can see the entirety of the To field. If I’m a recipient of this message, my email address has now been given to 200 people that I likely don’t even know, without my consent.

There are plenty of uses for the Bcc field, but the most important one is this: always use the Bcc field when sending email to multiple people who do not know each other and do not need to write each other back. If all you’re doing is sending an announcement to people, the only person they would possibly care to write back to is you. (If they did want to write someone else on that list, they would already have his or her email address.)

Another use is stealth: say I’m sending a message to someone that’s somewhat confidential. I may want someone else interested to see the message and what’s going on, but I don’t want the main recipient of the message to see. This can be a bit dishonest if you use it the wrong way, but there are plenty of perfectly reasonable situations in which you might want to do it.

In the old days, it was common to blind-copy yourself if you wanted to keep a copy of the email. Now any email program worth its salt will store a copy in the “sent items” folder automatically, so this use has largely fallen by the wayside. In the rare situation that you’re sending an email from someone else’s email account, you might still want to do this so that you have a copy on your own account.

Sometimes you need to click a link or button marked “Add Bcc” in order to see this field. Additionally, some email clients will not allow you to send a message with only the Bcc field filled in (nobody in the To field); if yours won’t, established practice is to put your own email address there, as this doesn’t single anybody out and doesn’t give away any information that people didn’t already know.

Soren “scorchgeek” Bjornstad

If you have found an error or notable omission in this tip, please leave a comment or email me: webmaster@thetechnicalgeekery.com.

Copyright 2012 Soren Bjornstad.
Verbatim copying and redistribution of part or all of this article
is permitted, provided this notice is preserved.