Encryption Is Only as Strong as Your Password

In recent months, the encryption debate has heated up once again. Most recently, some shock waves were sent across the industry when ThreatWire reported a new tool, known as GrayKey, which could decrypt the latest versions of the iPhone. Fortunately, that tool is only available to law enforcement agencies… for now.

The point to be noted is that if the technology exists to break encryption, then we must increase our efforts to teach better security awareness as well as good password security.

I have previously written about how fear of the government is not the reason to encrypt your data. Also, as accurately observed by XKCD, it is not too difficult for someone in your personal space to “convince” you to give up your password. Encryption and strong passwords are designed to protect you when you are targeted from afar. We all know that our biggest threats come from compromises usually hosted in far-away lands, not by person-to-person encounters.

I have often cautioned friends and family to resist the urge to use their fingerprint as a security mechanism. Not only is there no way to get a fingerprint back if its image is stolen, but more importantly, there seems to be no uniform legal agreement as to whether compelling a person to give up a fingerprint is the same as the utterance of a password, which is protected by the rule against self-incrimination. Alternatively, perhaps, a fingerprint is protected as a property right, as considered in a recent seizure of the fingerprint of a deceased individual; however, here too is another undecided legal test.

We now know that cell phones are susceptible to brute force attacks, courtesy of the GrayKey system. What about attacks against other hardware? I inquired with a favorite pen tester about the ability (Read more...)