In recent months, the encryption debate has heated up once again. Most recently, shock waves went through the industry when ThreatWire reported on a new tool, known as GrayKey, that can recover the data on the latest iPhones by brute-forcing the passcode. Fortunately, that tool is only available to law enforcement agencies... for now. The point to note is that if the technology exists to defeat encryption, then we must increase our efforts to teach better security awareness as well as good password hygiene.

I have previously written about how fear of the government is not the reason to encrypt your data. Also, as accurately observed by XKCD, it is not too difficult for someone physically present with you to “convince” you to give up your password. Encryption and strong passwords are designed to protect you when you are targeted from afar, and most compromises come from remote attackers, often operating from far-away jurisdictions, not from person-to-person encounters.

I have often cautioned friends and family to resist the urge to use their fingerprint as a security mechanism. Not only can a fingerprint never be changed or revoked once an image of it is stolen, but, more importantly, there is still no uniform legal agreement on whether compelling a person to provide a fingerprint is the same as compelling the utterance of a password, which is protected by the rule against self-incrimination. Alternatively, a fingerprint might be protected as a property right, a question raised by a recent case in which investigators sought the fingerprint of a deceased individual; that, too, remains an undecided legal test.

We now know that cell phones are susceptible to brute-force attacks, courtesy of the GrayKey system. What about attacks against other hardware? I inquired with a favorite pen tester about the ability to remotely access encrypted data on a server or a workstation without using login credentials. A very rare misconfiguration could potentially allow a criminal to access raw data without the need to log into the system.
However, most criminals find it far easier to compromise a password than to wait for such an unlikely misconfiguration. The lesson here is that passwords are still the keys to the kingdom. There are a couple of emerging technologies that promise to do away with passwords, yet the demonstrations I have attended seem to cause more confusion. It is far easier to teach someone how to create a strong password and how to stay safe from phishing scams than it is to use one of the “password-less” products. (I will not mention those products by name, as my aim here is not to damage those companies. Their products are fascinating, and their intent is correct, but they just need a bit more acceptance testing.) All of this leaves us with the same mission, which is to continue to impress the need for better passwords and greater awareness on those we serve. From a theoretical and regulatory perspective, encryption is a magnificent protection mechanism, but it is ultimately only as secure as the password used to protect it.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
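The closing point, that encryption is only as secure as the password protecting it, together with the earlier observation that phones fall to passcode brute force, is easiest to see in code. The following Python script is an added example, not part of the original article and not code from its author or from Tripwire: it stretches a password into a 256-bit key with PBKDF2, encrypts a constructed message under a 4-digit PIN, and then recovers the PIN by walking all 10,000 candidates through the same derivation function, never attacking the key itself. The fixed salt, the deliberately low iteration count, the SHA-256 counter-mode toy cipher (a stand-in for a real AEAD such as AES-GCM), the sample PIN and message, and the guess rates in the comparison table are all constructed or assumed for the demo.

```python
import hashlib
import hmac
import itertools
import secrets
import time

# Constructed demo parameters (not from the article). The iteration count is
# deliberately low so the brute force below finishes in seconds; a real
# deployment would use a far higher count, but the lesson is unchanged.
PBKDF2_ITERATIONS = 2_000
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # fixed salt, constructed
NONCE_LEN = 16
TAG_LEN = 32


def derive_key(password: str) -> bytes:
    """Stretch a password into a 256-bit key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT,
                               PBKDF2_ITERATIONS, dklen=32)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream built from SHA-256 (demo only; use AES-GCM
    or ChaCha20-Poly1305 from a real library in production)."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(password: str, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || HMAC tag, all keyed from the password."""
    key = derive_key(password)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def decrypt(password: str, blob: bytes):
    """Return the plaintext, or None if the password (and so the tag) is wrong."""
    key = derive_key(password)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))


def brute_force_pin(blob: bytes, digits: int):
    """Try every numeric PIN of the given length, in order.

    Returns (pin, plaintext, guesses_made) or None. The 256-bit key is never
    attacked; the attacker simply walks the tiny PIN space through the same
    key-derivation function the defender used.
    """
    guesses = 0
    for combo in itertools.product("0123456789", repeat=digits):
        guesses += 1
        pin = "".join(combo)
        plaintext = decrypt(pin, blob)
        if plaintext is not None:
            return pin, plaintext, guesses
    return None


def search_space(alphabet_size: int, length: int) -> int:
    """Number of candidates an exhaustive search must cover."""
    return alphabet_size ** length


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try the whole space at a given guess rate."""
    return space / guesses_per_second


if __name__ == "__main__":
    secret = b"constructed secret: account recovery codes"
    blob = encrypt("0731", secret)            # constructed 4-digit PIN
    start = time.perf_counter()
    pin, recovered, guesses = brute_force_pin(blob, 4)
    elapsed = time.perf_counter() - start
    print(f"recovered PIN {pin} after {guesses} guesses in {elapsed:.2f}s: {recovered!r}")

    rate = guesses / elapsed                   # measured on this machine
    # Compare password choices at the measured rate and at an assumed 12.5
    # guesses/s (the roughly 80 ms per attempt that Apple's iOS Security Guide
    # describes for passcode key derivation; assumed here, not from the article).
    for label, space in [("4-digit PIN", search_space(10, 4)),
                         ("6-digit PIN", search_space(10, 6)),
                         ("8 lowercase+digits", search_space(36, 8)),
                         ("4-word passphrase (7776-word list)", search_space(7776, 4))]:
        for name, gps in [("this machine", rate), ("80 ms/guess", 12.5)]:
            hours = seconds_to_exhaust(space, gps) / 3600
            print(f"{label:36} {name:12} worst case {hours:14.1f} hours")
```

Running it shows that the defender's choice of password space, not the cipher's key size, sets the attacker's cost: at the assumed 80 ms per guess a six-digit PIN is exhausted in under a day of worst-case guessing, while a four-word passphrase from a 7776-word list is far out of reach. Raising the iteration count slows every guess for attacker and defender alike, which is why key stretching helps but cannot rescue a four-digit PIN.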