Many years ago I was working with a client who traveled a lot with his laptop computer. We had already set his computer to require his user password whenever it started up or woke from sleep. He asked, "What if someone steals my laptop? Can they get past that password?" I told him there were at least three ways a technically inclined thief could access his data after stealing his computer:
- They could use special "password cracking" software, which starts his computer up from a CD and tries billions of passwords, with a good chance of eventually guessing his, probably within minutes.
- They could use special "password reset" software, which also starts up from a CD, to simply change his password to something else or just remove it.
- They could take his laptop apart, remove his hard drive, and plug it into another computer as a secondary drive. Since that other computer starts up from its own hard drive (not the stolen one), my client's start-up password wouldn't even be needed.
All of these methods are available to break into Windows machines as well as Macintoshes, regardless of whether they're desktop or laptop machines.
At the time I didn't have a good solution to recommend, but since then I've learned that the best defense against all of the above possibilities (and more) is to use encryption to protect your data.
Encryption may also be important to implement on your computer as another step toward becoming compliant with the new Massachusetts Data Security law.
A simple example
Do you remember playing with "secret codes" when you were a child? The message "HI THERE!" becomes "IJ UIFSF!" using a simple code that says "change A to B, B to C, C to D, etc., but don't change spaces and punctuation." Thus, H becomes I, I becomes J, T becomes U, etc. To decode such a secret message (if you know the code) you reverse the process (B becomes A, etc.). You could call this a "letter-shifting" code that shifts by 1 letter.
A letter-shifting code that shifts by 2 letters would change A to C, B to D, C to E, etc.
What if you didn't know the code? If you knew that the secret message was probably in English, since the most frequent letter in the coded message is "F," you might guess (correctly) that it probably represents the letter "E," which is a good start towards deciphering the message.
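The letter-shifting code and the "most frequent letter is probably E" guess described above, written out as an added example (it is not part of the original article, and the function names are illustrative). It returns every tied guess, because a very short message can have more than one most-frequent letter.

```python
from collections import Counter
import string

ALPHABET = string.ascii_uppercase

def shift_text(text, n):
    """Shift each letter n places, wrapping past Z; spaces and punctuation are unchanged."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + n) % 26])
        else:
            out.append(ch)
    return "".join(out)

def encode(message, n):
    return shift_text(message, n)

def decode(coded, n):
    return shift_text(coded, -n)

def guess_shifts(coded):
    """Assume the most frequent coded letter stands for 'E' and return the implied shift.
    Short messages often have ties, so every tied candidate is returned."""
    counts = Counter(ch for ch in coded.upper() if ch in ALPHABET)
    if not counts:
        return []
    top = max(counts.values())
    return sorted((ALPHABET.index(ch) - ALPHABET.index("E")) % 26
                  for ch, c in counts.items() if c == top)

def all_decodings(coded):
    """Only 25 shifts exist, so every possible decoding can be listed and read by eye."""
    return {n: decode(coded, n) for n in range(1, 26)}

if __name__ == "__main__":
    coded = encode("HI THERE!", 1)
    print(coded, guess_shifts(coded))
    for n in guess_shifts(coded):
        print(n, decode(coded, n))
    # Constructed longer sample: more text makes the frequency guess unambiguous.
    sample = encode("MEET ME NEAR THE GREEN TREE AT SEVEN", 3)
    print(sample, guess_shifts(sample))
```

Because the shift number is the only secret and there are just 25 of them, listing every decoding always recovers the message.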
More generally you could describe this type of code as a "letter-shifting" code that shifts by "n" letters, where "n" is a number from 1 to 25. (Shifting by 26 letters would turn A into A, B into B, so it wouldn't change the message.)
What is encryption?
Encryption turns information into gibberish in order to prevent unauthorized people from being able to use that information, while also preserving the ability to decode it back into its original form.
In general, encryption has two important parts:
- an "encoding algorithm," a mechanical method that turns readable data into unreadable data, like shifting letters, and
- a password, a small piece of data which the algorithm folds into its method and affects the outcome, like the number of letters to shift.
So, encryption software takes your data (e.g., a single Word file, your entire Documents folder, your entire computer, etc.) plus a password and turns your data into something unreadable to someone who doesn't know (or can't guess) both the encryption method and
Here's an analogy: Instead of putting your (readable) sensitive papers in a locked file cabinet, where picking or breaking the lock gives a thief complete access to all of those (unchanged) papers, encryption changes the information on those papers into nonsense. So, whether you locked them in a file cabinet (certainly a good idea) or simply left them out for all to see, a thief would have to decode them in order to get that information. The tougher the code, the stronger the password, the better protected your data will be.
Weak encryption--bad!
Many older encryption algorithms have been "broken." There are now well-known methods that easily decode them, much like older skeleton-key locks or pin-and-tumbler locks won't stop an experienced thief.
Examples of weak computer encryption include:
- WEP (Wired Equivalent Privacy) and TKIP (Temporal Key Integrity Protocol), older wireless security algorithms, broken in 2001; unfortunately many wireless routers still use these
- Certain document types permit you to "add a password," but they use weak encryption: ZIP files, Quicken & QuickBooks files, Word & Excel documents
The best modern (and currently unbroken) algorithms I've seen are:
- "AES 256-bit," the Advanced Encryption Standard, adopted by the U.S. government, and
- "Blowfish," another complex encryption method.
Examples of strong encryption:
- WPA and WPA2 (Wi-Fi Protected Access for wireless networks and routers): use AES
- Adobe Acrobat: recent versions support AES
- TrueCrypt (Windows and Macintosh): uses AES by default
- 7-Zip (Windows and Macintosh): uses AES
- WinZip (Windows) version 14 or later: can use AES
- Acronis True Image backup software (Windows): can use AES
- Macintosh .dmg files (disk image files): can be created using AES
- SplashID password manager software (Windows and Macintosh): uses Blowfish
- KeePass password manager software (Windows and Macintosh): uses AES
- 1Password password manager software (Windows and Macintosh): uses AES
You're already using encryption
Certain programs you use every day already use encryption:
- Web browsers: When you visit a web site whose address starts with "https://", that "s" (along with a corresponding "padlock icon" on the edge of the window) indicates that you've got a secure connection to that site using "SSL" (Secure Sockets Layer) encryption. This is used to protect your credit card information when placing an online order, for online banking, secure email, etc.
- Your email program may also be using SSL, which is good because it encrypts your username and password between your computer and your email server. However, it can't protect the content of your outgoing messages once you click Send.
Choosing strong passwords
Even the best encryption algorithms won't protect your data very well if you choose weak passwords (short, simple, easy-to-guess, involving personal information about you, or common English words). Strong passwords are at least 8 characters long, use a variety of characters (lowercase, uppercase, digits, and punctuation), and avoid personal information and common words.
Another important use of encryption: Protect your backup
If you use an external hard drive or flash drive to back up your data, would that data be secure if your backup drive were lost or stolen? If your backup were encrypted with (say it with me) a strong password, then the answer is Yes!
If you're using an online service for your backup, they probably use encryption to transmit your data over the internet to their computers. However, unless you choose the encryption password before your data leaves your computer, the employees working at the service can probably access your data. What if they don't wipe their old computers before replacing them? What if a thief (or an employee) broke into or stole one of their computers? I'm not convinced an online backup service is the best choice when it comes to encryption, unless you encrypt your data before the service backs it up.
What's it like to actually use encryption?
Here's one way I've put encryption into practice in my daily work:
I have a number of documents relating to certain clients. I used to keep these files in a regular folder called Clients, with a subfolder for each active client. A few months ago I encrypted it:
- I downloaded and installed the free TrueCrypt software.
- I ran the TrueCrypt program, created a "file container" (a big file that acts like a virtual disk), and assigned it a strong password. Unlike a regular folder whose size isn't restricted, a TrueCrypt file container must have a fixed size, probably because it functions like a disk, and this probably also made the software simpler. So, I measured the size of my Clients folder and created a file container three times larger, leaving plenty of expansion room.
- I opened this file container and supplied the password. A new (blank) "virtual disk" appeared, just like I had plugged in an external disk.
- I copied my Clients folder (including all subfolders) into the container, tested it to make sure it worked, then closed the container. The "disk" disappeared, just like I had unplugged an external disk.
- After doing one last backup, I (gulp!) deleted the regular Clients folder from my computer.
Now, whenever I need to work on any of those client files:
- I open that file container and supply the password. The "virtual disk" appears.
- I open the "disk," open the appropriate subfolder, and then open the particular files I need to work on, exactly as I did before.
- When I'm done, I close and save the files I've changed, close the folders I've opened, then close the file container. The virtual disk disappears.
So, with some one-time setup and a couple of simple extra steps, my data is now secure from theft using modern encryption software, with no noticeable difference in speed. As an added bonus, my backup is also encrypted with no extra effort on my part.
Can someone still crack my encryption and access my data?
There are many methods that thieves may use to successfully decode your encrypted data, including:
- Brute force, i.e., using software to try every combination of passwords -- Your defense? Use strong passwords.
- Personal information about you -- Your defense? Don't use your birthday or daughter's name for your password.
- Searching your papers near your computer (and unencrypted documents on your computer) -- Your defense? Don't keep your passwords on post-it notes or in a document called "passwords."
- Putting "keylogger" software (or hardware) on your computer that captures every keystroke you type (or finding some other way to spy on you), which they may then use to identify your passwords -- Your defense? Keep your computer protected against viruses and spyware, and away from unauthorized users.
- Encryption methods like AES and Blowfish are considered unbreakable by today's standards, but in the future some brilliant person may come up with a way to defeat them -- Your defense? Periodically review your encryption software and whether it's become out-of-date.
Where to go from here
- It's important to restrict access to your computer (for example, using user and start-up passwords). However, if you also encrypt your data with a strong method and password, then even if your computer is lost or stolen, it will be nearly impossible for anyone to decode your data.
- Evaluate your need for encryption (securing documents on your computer? securing your backups? secure communication with others?), then look for solutions that use AES or Blowfish or some other currently unbreakable method.
- If you encrypt your data, delete the originals, and later forget the password, you may risk losing that data. Proceed carefully.