When it comes to the use of disk encryption, there’s one crucial weak link: the selection of passwords. And as the New York Times has noted, “if you password is 12345, just make it HackMe.”
RockYou Breach Allows Analysis
The Times story is based on the data breach that occurred late last year at RockYou. In that particular breach, 32 million passwords were exposed by a hacker. This has allowed security researchers to download the passwords and analyze them.
Among the findings (which are not surprising at all): one in five (20%) users still use easy-to-guess passwords such as “iloveyou,” “password,” and “abc123.” The most popular one was “123456.”
(Ironically enough, the Times has got it wrong. “HackMe” is a more secure password than 123456: it uses a combination of uppercase and lowercase numbers, which, when compared to a string of plain numbers, arguably offers more resistance to hacking–but not by much).
Guessing passwords is a time-consuming process. Hence, hackers try to find workarounds to shorten it. One of those methods is to try popular passwords. Hackers know that there’s someone out there using such passwords, they just don’t know who.
So, hackers will try the passwords on one account; if the pool of passwords doesn’t work, they move to the next user. At some point they’re going to hit their mark.
Freezing Accounts, Locking People Out
A method of countering such hacking attempts is to lock people out after a certain number of incorrect guesses. After how many guesses, though?
And, as the Times has noted, locking accounts is not an option for certain companies. eBay, for example, notes that someone could be “hacking into an account” in order to prevent competitors from bidding on a particular auction: once the account is frozen, they can’t place higher bids.
How It Affects Encryption Software
Guessing passwords in order to reveal encrypted content is a real threat when it comes to computers with full disk encryption.
Why would hackers prey on the password? Because it’s the weakest link: the encryption key, which is what actually protects data when encrypted, is too long, complicated, and random to guess at. Since hackers are looking for an easy way in, the only option they’ve got is to try cracking the password.
What this means is that data encryption software like AlertBoot must also be mindful not just of protecting data, but coming up with ways of minimizing the chances of someone hacking a password.
Thankfully, locking out a user after repeated incorrect attempts is an option for disk encryption software, unlike eBay.
Also in the department of minimizing password hacks are password policy controls, where an administrator can establish what types of passwords are not allowed, specifying that uppercase and lowercase, numbers, and special characters be used, for example, or that the passwords have to be at least a minimum set length.
At the same time, there must be a way to recover the encrypted data in the even the user’s access is not allowed, yet the computer has been found. Otherwise, recovering the information becomes a complicated effort–but not an impossible one, since the encryption keys are still present in AlertBoot’s protected console.
Related Articles and Sites: