Your document password shouldn’t be the weak link in your secure communication chain
In the first post of our security blog series, Linda Misauer spoke about the importance of key length in resisting brute force attacks on the key itself. She stated that 128-bit encryption is sufficient for most applications because of the exponential time needed to try all possible keys. In the second part of this series, I will focus on the importance of effective password protection when dealing with encrypted, offline documents. As with all encryption, it is important to consider the length and complexity of the password or passphrase that is used to derive the key. A short, simple secret becomes the weak link in the chain of an otherwise secure communication: instead of attacking the 128-bit key, attackers can simply brute force the document's password.
Brute force - what it entails and how to combat it
To understand how brute force works, consider a real world example: your ATM card. Most banks require a PIN code consisting of 4 digits (0-9) and allow digits to be repeated. This allows only 9,999 combinations, which is secure enough for an ATM (which only allows 3 attempts) because a thief would, on average, have to work through at least half (4,999) of the possible numbers before guessing correctly. But what if only 3 digits were allowed? That reduces the number of possible PIN codes by a factor of 10. Only 2 digits? Suddenly it becomes possible to guess within a few minutes (if unlimited tries are allowed). Now replace the thief with a computer…
When this concept is translated into the virtual world and a computer (or multiple distributed computers) is guessing the combinations, the strength of the password becomes significantly more important. As a test, I ran a benchmark of how many passwords my laptop can guess per second. The result: for a 128-bit password protecting a secured PDF, just under 30,000 different combinations could be tested per second. So it is obvious that a 4 digit PIN code is not sufficient if the data contained in the PDF is highly confidential, as my PC can run through every 4 digit numeric combination in less than a second. However, it gets a little more complicated, as there are 2 factors that influence password strength:
Character variety: combine more than one character set, i.e. both numbers and letters are recommended. The table after this post shows the number of combinations by the length of the password and the type of characters being used.
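To make the ATM analogy and the laptop benchmark concrete, here is an added calculator (example code, not from the original post) that builds the kind of combinations table the post refers to. It counts every password of a given length over a character set (for 4 digits that is 0000 through 9999 inclusive), converts the keyspace to bits of entropy, and estimates the average time to guess at the post's measured rate of 30,000 guesses per second, assuming the attacker needs to try half the keyspace on average. The character-set sizes and the 30,000 guesses per second figure are the only inputs; the set names and the `human()` time formatting are my own choices for this example.

```python
import math

# Character-set sizes used for the table (assumed values for this example;
# 94 is printable ASCII without the space character).
CHARSETS = {
    "digits only": 10,
    "lowercase letters": 26,
    "lowercase + digits": 36,
    "mixed case + digits": 62,
    "mixed case + digits + symbols": 94,
}

# Guess rate the post measured on a laptop against a 128-bit secured PDF.
GUESSES_PER_SECOND = 30_000


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Equivalent key strength in bits: log2 of the keyspace."""
    return length * math.log2(alphabet_size)


def expected_seconds(alphabet_size: int, length: int,
                     rate: int = GUESSES_PER_SECOND) -> float:
    """Average time to find the password: half the keyspace at `rate`."""
    return keyspace(alphabet_size, length) / 2 / rate


def human(seconds: float) -> str:
    """Render a duration in the largest unit that is at least 1."""
    units = [("years", 365 * 86400), ("days", 86400),
             ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.2f} seconds"


def combination_table(lengths, charsets=CHARSETS, rate=GUESSES_PER_SECOND):
    """Rows of (charset name, length, keyspace, bits, average seconds)."""
    rows = []
    for name, size in charsets.items():
        for n in lengths:
            rows.append((name, n, keyspace(size, n),
                         round(entropy_bits(size, n), 1),
                         expected_seconds(size, n, rate)))
    return rows


if __name__ == "__main__":
    print(f"{'character set':32}{'len':>4}{'combinations':>24}"
          f"{'bits':>7}   average time at 30,000/s")
    for name, n, space, bits, secs in combination_table([4, 6, 8, 12]):
        print(f"{name:32}{n:>4}{space:>24,}{bits:>7}   {human(secs)}")
```

Running it shows the two factors side by side: a 4 digit PIN (10,000 combinations, about 13 bits) falls in a fraction of a second, while adding length helps more than adding character sets, because length multiplies the keyspace exponentially. Note that the benchmark rate is specific to one laptop and one PDF format; a different tool, GPU, or key derivation cost changes the time column but not the relative ordering.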
It's clear that complex passwords should be used to protect confidential documents in order to ensure a high level of security. But let's consider that in conjunction with ease of use. Nobody wants to remember a password like <1h4Tep4sSw0rDs!> The middle ground:
It must also be noted that even when someone gains access to a document and manages to successfully brute force the password, the algorithm itself has not been broken. They will still only have access to a single document, and won't be able to decode any other documents encrypted with different passwords.
Key points to remember:
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.