The University of Pennsylvania Health System (UPHS) is contacting people to alert them that an encrypted backup tape was lost in transit. The tape contains personal information such as names, addresses and checking account numbers. It was being transported by an outside carrier, presumably to an off-site storage location. The important point is that encryption software like AlertBoot was used to protect the data. So, barring any foolishness on the part of UPHS, the tape's disappearance should not be a cause for alarm: whoever ends up with it holds ciphertext, not records.
What kind of foolishness? Sticking a Post-it note with the password to the tape, for instance, or choosing a short or weak password. There are two ways to break into encrypted data: recover the password, or recover the encryption key itself. The key is a long random string of bits (typically 128 or 256 bits for a modern cipher, far too many to try one by one), whereas the password that unlocks it is usually much, much shorter. No surprise, then, that attackers go after the password.
There are two ways of figuring out the password: 1) learn the actual password by devious means such as social engineering, keystroke logging, or simply looking for a Post-it note (unfathomable from a data security standpoint, but such things exist), or 2) try every possible password in turn: start with "a" and move on to b, c, d, e... aa, ab, ac, ad... aaa, aab, aac... and so on. This latter approach is known as a "brute force attack." Obviously, the longer the password, the longer it takes to exhaust the possibilities. However, length is not the only factor in a password's strength.
There are twenty-six letters in the English alphabet. Add the ten digits and you have thirty-six possible symbols per position, which means more passwords to try: after "az" the attacker still has "a0" through "a9" to get through. It's a small change for a two-character password (36 x 36 = 1,296 combinations rather than 26 x 26 = 676), but the difference compounds as the password gets longer, because the number of possible passwords is the alphabet size raised to the power of the length. Add special characters and make the password case-sensitive, and the alphabet grows to ninety-odd symbols; every extra character then multiplies the total by that number, so the count of possible passwords grows exponentially with length.
There are caveats, of course. If you use a word that can be found in a dictionary, it hardly matters how long that password is: pneumonoultramicroscopicsilicovolcanoconiosis is 45 letters long, and guessing it letter by letter would take forever, roughly 26^45 (about 5 x 10^63) tries in the worst case. But since it is a real word, an attacker can instead load an electronic dictionary and try every entry for a match. That brings the number of guesses down enormously, since there are only about three quarters of a million words in the English language.
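To make the counting concrete, here is an added example (mine, not code from the original post or from AlertBoot) that models a tape whose encryption key is derived from the password with PBKDF2. That derivation is an assumption: the post does not say how the product protects its keys, and the iteration count is set absurdly low so the demo finishes in seconds. The word list, salt and passwords are constructed for the demonstration.

```python
import hashlib
import itertools
import string

# Cost parameter for the key derivation. Real products use far more
# iterations; kept low here so the demonstration runs in seconds.
PBKDF2_ITERATIONS = 1000

# Constructed sample data (not a real password, salt or word list).
SALT = b"uphs-tape-demo-salt"
SAMPLE_WORDLIST = [
    "password", "hospital", "backup",
    "pneumonoultramicroscopicsilicovolcanoconiosis",
    "philadelphia", "tape",
]


def derive_key(password: str, salt: bytes = SALT) -> bytes:
    """Turn a password into a 256-bit key.

    Assumption for the example: the tape's key is unlocked by a
    password-derived key (PBKDF2-HMAC-SHA256). The post does not say
    how AlertBoot actually derives its keys."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols drawn
    from an alphabet of `alphabet_size` symbols: alphabet_size ** length."""
    return alphabet_size ** length


def worst_case_seconds(alphabet_size: int, length: int,
                       guesses_per_second: float) -> float:
    """Time to exhaust every password of the given length at a given
    guessing rate (a lucky attacker finishes sooner, on average in half)."""
    return keyspace(alphabet_size, length) / guesses_per_second


def brute_force(target_key: bytes, alphabet: str, max_length: int):
    """Exhaustive search in the order the post describes: a, b, ..., z,
    aa, ab, ... Returns (password, guesses), or (None, guesses) if no
    candidate up to max_length matches."""
    guesses = 0
    for length in range(1, max_length + 1):
        for combo in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(combo)
            if derive_key(candidate) == target_key:
                return candidate, guesses
    return None, guesses


def dictionary_attack(target_key: bytes, wordlist):
    """Try each entry of a word list instead of every combination.
    Returns (password, guesses) or (None, guesses)."""
    guesses = 0
    for word in wordlist:
        guesses += 1
        if derive_key(word) == target_key:
            return word, guesses
    return None, guesses


if __name__ == "__main__":
    lower = string.ascii_lowercase
    long_word = "pneumonoultramicroscopicsilicovolcanoconiosis"
    print("26^45 =", keyspace(26, len(long_word)))
    years = worst_case_seconds(26, len(long_word), 1e9) / (3600 * 24 * 365)
    print("letter-by-letter at 1e9 guesses/s: %.1e years" % years)
    # The long dictionary word: hopeless by brute force, four guesses by word list.
    print("dictionary attack:", dictionary_attack(derive_key(long_word), SAMPLE_WORDLIST))
    # A short password is the mirror image: absent from the word list, but the
    # whole lowercase space up to three characters is only 18,278 guesses.
    print("dictionary attack on 'cat':", dictionary_attack(derive_key("cat"), SAMPLE_WORDLIST))
    print("brute force on 'cat':", brute_force(derive_key("cat"), lower, 3))
```

The two searches are the two attacks from the post side by side: the 45-letter word falls on the fourth dictionary guess even though its letter-by-letter keyspace is about 5 x 10^63, while "cat" survives the word list but is found after 2,074 exhaustive guesses. The lesson for a backup tape is that the password must be both long and absent from any word list, because the attacker picks whichever search is cheaper.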