Category Archives: security

How to choose a strong encryption password

When it comes to security, it’s only as strong as its weakest link. File security is no exception. You may choose the largest encryption key and the strongest encryption algorithm known to the mankind, yet if your password is weak, your files may become easily accessible.

Selecting a good encryption password is not easy. On the one hand, it should be non-and complex obvious enough to be hard to guess for others. At the same time, it should be sufficiently simple to remember (rather than write it down) for you.

What complicates the matter is that there are quite a few misconceptions around that make choosing a good password rather confusing.

For instance, whenever you are prompted to create a password, the system usually informs you about the minimum length of the password that it requires. It may create the impression that the longer the password, the more secure it is. This is not always true! It would be true if you were choosing a random combination of characters for the password, such as “lalskdue”, or “sdlifwelfkel”, or whatever other combination you might produce by typing arbitrary keys. The problem is, however, that more likely than not, you are selecting an existing word (a.k.a, a dictionary word), like “apple” or “orange” for the password. In such a case, if someone would try the dictionary attack on your encrypted data, it would make virtually no difference whether the word is short or long. It takes the same amount of time (give or take a few nanoseconds) for the computer to try “abc” or “antidisestablishmentarianism” as the password.

That’s why most systems insist that your password should contain a combination of the uppercase and lowercase letters, numbers, and special characters: such additions make the dictionary attacks much harder. However, they make remembering the passwords harder, too. What should you do?

There are several methods available for creating strong passwords that are easier to remember. One of them is the “first letters of a phrase” technique. Think of a phrase that contains several words, that you could remember. For example, it could be a line from your favorite Eagles song, like “Welcome to the Hotel California, Such a lovely place, Such a lovely face.” Take the first letter of each word, and combine them together: WttHC,Salp,Salf. Note that we’ve preserved the capitalization of the letters, and also kept the commas in the middle. The resultant password is almost as strong as a random combination of 16 characters, yet you should be able to remember it easily, as long as you remember the original phrase.

Another method is by creating artificial passphrases (rather than passwords), by combining random words from a dictionary. Take a dictionary book, open it on a random page, and write down a random word you like on that page. Open the dictionary on another page, write down another word. Repeat several times, then move the words around to create a phrase. (The phrase does not have to make sense!). For example, I just tried it and came up with: “Antisocial Pomegranate holds back Blue Herring” (Sounds fun, doesn’t it?) If you can remember such a phrase (including the capitalization of the words), you’ve got yourself a rather strong passphrase.

Yet another approach is to create complex and long passwords for each situation, and use some password management software to keep track of them, such as KeePass. When using a software password manager, you only have to remember the master password. Of course, the inconvenience of this method is that you always have to use the password manager to recall the passwords for you, but if you need to have many strong passwords, that’s a small price to pay for the security. And, of course, don’t forget to backup your password database, because if you lose it, you lose them all!

USB Combination Lock – a security joke?

One large nation-wide retailer is selling the following item on its web site:

USB Combination lock of sale

(click on the image to enlarge)

The web site urges you to get the device to “… keep your files safe”. Yet the combination lock contains only 2 digits (or just 100 possible combinations, from 00 to 99). How long would it take for someone to discover the combination, two minutes or maybe three???

For real security, consider a software encryption solution such as our USBCrypt. It lets you encrypt any USB drive (even those without any combination locks!) with strong AES encryption and thus make sure that no one would be able to get to your important files without the correct password.