Encrypting Data Doesn't Do Much Good If You Tape The Password To The Storage Device...

from the just-saying... dept

In the early days of large-scale data leaks online, the mantra one heard over and over again was "encryption, encryption, encryption!" Yet encryption alone doesn't do much good if you tape the passwords that decrypt the data to the storage device itself (found via Michael Scott). Yet, whaddaya know? That's exactly what happened in a recent data breach in the UK, though I'm sure similar breaches happen all over the world. This is what happens when someone preaches a specific action in security, rather than actual secure thinking and planning.


Reader Comments

  1. Bettawrekonize, May 28th, 2009 @ 7:15pm

    I forget my passwords all the time. I often end up writing them down and stuff, taping a password to the storage device sounds like something I'll do. I used to be paranoid with security but I forgot my passwords so often that I kinda just gave up. I figure if a malicious person really has enough access to get a hold of a password I wrote down it's already too late.


  2. USBman, May 28th, 2009 @ 7:48pm

    Re:

    You really should try KeePass. It's a free, open source secured password storage solution. It encrypts and stores all your passwords, unlocking them for use with only one master password - much easier to remember, and MUCH more secure than simply writing on a piece of paper!


  3. Anonymous Coward, May 28th, 2009 @ 7:52pm

    Re: Re:

    Thanks.


  4. Anonymous Coward, May 28th, 2009 @ 8:05pm

    Re: Re:

    I second this.
    KeePass works wonders.


  5. Joel Coehoorn, May 28th, 2009 @ 8:09pm

    Reminds me of when I used to do network consulting. I would put a sticky note on the bottom of routers and switches with critical information, but in that case it wasn't a big deal. If you get physical access to a switch it's already game over.


  6. jd, May 28th, 2009 @ 8:48pm

    The (not so) counter-intuitive result is that the more ridiculous the password requirement, the more likely it needs to be written down and thus more vulnerable.


  7. pwb, May 28th, 2009 @ 8:48pm

    The (not so) counter-intuitive result is that the more ridiculous the password requirement, the more likely it needs to be written down and thus more vulnerable.


  8. zcat, May 28th, 2009 @ 9:17pm

    How about PKI?

    This would be pretty easy to solve really. The backup facility generates a keypair and emails their public key to the agency, who then encrypt the data using the public key. Nobody has a password, so nothing needs to be (or could be) taped to anything. If they feel like it they can tape the public key to the USB stick and it still wouldn't be a problem.

    (For recovering backups, you do the same thing in reverse; the agency generates a keypair and sends the public key to the backup facility)


  9. mano, May 28th, 2009 @ 11:47pm

    Re: Re:

    The KeePass site has this to say:

    "Also, you should use different passwords for each account. Because if you use only one password everywhere and someone gets this password you have a problem... A serious problem. The thief would have access to your e-mail account, homepage, etc. Unimaginable."

    But losing the KeePass master password can cause much more trouble! At least, when you are using the same password for all accounts, a person getting hold of the password will have a tough time figuring out where you have login accounts and what the user names are. But in the case of KeePass, even that info is available to the bad guy!!

    IMO, writing down a really strong password on a small insignificant scrap of paper and secreting it inside one's wallet or a safety locker at home is not a bad idea. It is much more secure than having john/john as u/p!

    regds


  10. Bettawrekonize, May 28th, 2009 @ 11:54pm

    Re: How about PKI?

    Uhm... encrypting the data with a public key would be a SLOW SLOW processor intensive process. You use a pre-shared key and you use public key cryptography to share the pre-shared key. Then you use a symmetric algorithm, like AES, to encrypt the data with the pre-shared key. That's how it's always done.


  11. Bettawrekonize, May 29th, 2009 @ 12:06am

    BTW, I think health insurance companies have a huge incentive to get a hold of health data. So perhaps they were behind it? I don't know. Who else might have an incentive? Perhaps employers?


  12. Bettawrekonize, May 29th, 2009 @ 12:16am

    Re: How about PKI?

    So are you saying that every time someone wants to look at the data, unencrypted, they have to communicate with the backup facility (and have them send the data over)? With your method, having the data encrypted on my computer doesn't do me any good when I need it since I can't decrypt it. This almost defeats the purpose of keeping the data on me (unless the data, and not the private key, gets corrupt at the backup facility. Then your copy might help restore it in the long run). The purpose is to have the data on my computer encrypted in a manner that only I can quickly decrypt from my computer. The solution is simple, as the OP says, (use a strong symmetric algorithm and) don't put the decryption password on the drive with the encrypted info.


  13. Medical Quack, May 29th, 2009 @ 1:03am

    Encryption

    Thanks to all for visiting my site. Healthcare has a lot to learn and with all the new devices coming out, it's scary too. I cover a lot of them, and now they came out with a Bluetooth connected inhaler that sends data, as well as defibrillators that send email and text messages too!

    http://ducknetweb.blogspot.com/2009/05/smart-inhaler-with-blue-tooth-and.html

    http://ducknetweb.blogspot.com/2009/04/biotronik-home-monitoring-cardio.html

    Anyway, just thought I would share a couple geeky healthcare devices and there's more, so when it comes to devices transmitting data, I am really concerned over security! An off the cuff story too where they equip elephants with SIM cards to text when the killer elephants get near.

    http://ducknetweb.blogspot.com/2008/10/elephant-texting-yes-elephants-are-now.html

    Thanks again for the visits!


  14. Cap'n Jack (profile), May 29th, 2009 @ 3:02am

    Re:

    If that's your problem, it doesn't seem like a difficult one to solve. Write down ONE password somewhere safe, and a password you're likely to remember. Use that password to encrypt a .doc file with all your other passwords. It's a lot safer than leaving your passwords in plain sight.


  15. Wesha, May 29th, 2009 @ 10:59am

    Re: Re:

    Yeah yeah. Password managers were helpfully invented so the malicious person can conveniently steal all your passwords at once, and remotely, too.


  16. TheStupidOne, May 29th, 2009 @ 1:24pm

    Re:

    Especially when your IT department requires you to change all of your passwords every 90 days


  17. chris (profile), May 31st, 2009 @ 10:57am

    Re:

    just use really long passwords. they are easy to remember and nearly impossible to guess or crack.

    a 32 character password that's all lowercase takes waaaay longer to guess/crack than an 8 character password composed of upper/lowercase characters, numbers, and symbols.

    the problem of course is that many systems have a maximum length for passwords.

    the best recommendation that i have heard is to take a line from a favorite song or quote from a favorite novel and switch out one word, or flip a pair of words, for example:

    it was the best of times, it was the burp of times
    it best the was of times, it was the worst of times
    it was the best of worst, it was the times of times
    was it the best of times, was it the worst of times

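Putting numbers on the comparison in the comment above, as an added calculation that is not part of the comment. It assumes every character is drawn uniformly at random from the stated alphabet (26 lowercase letters, or the 94 printable ASCII characters for the mixed case), so the search space is the alphabet size raised to the length:

$$
\log_2\left(26^{32}\right) = 32\log_2 26 \approx 32 \times 4.70 \approx 150\ \text{bits}
$$

$$
\log_2\left(94^{8}\right) = 8\log_2 94 \approx 8 \times 6.55 \approx 52\ \text{bits}
$$

Under that model the 32-letter string is roughly $2^{98}$ times the search space of the 8-character one; the figure holds only for random characters, since a line lifted from a known song or novel is drawn from a far smaller set than $26^{32}$.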

