Encrypting Data Doesn't Do Much Good If You Tape The Password To The Storage Device…

from the just-saying... dept

In the early days of large-scale data leaks online, the mantra one heard over and over again was “encryption, encryption, encryption!” Yet encryption alone doesn’t do much good if you tape the passwords needed to decrypt the data to the storage device itself (found via Michael Scott). Yet, whaddaya know? That’s exactly what happened in a recent data breach in the UK, though I’m sure similar breaches happen all over the world. This is what happens when someone preaches a specific action in security, rather than actual secure thinking and planning.


Comments on “Encrypting Data Doesn't Do Much Good If You Tape The Password To The Storage Device…”

18 Comments
Bettawrekonize says:

I forget my passwords all the time. I often end up writing them down and stuff, taping a password to the storage device sounds like something I’ll do. I used to be paranoid with security but I forgot my passwords so often that I kinda just gave up. I figure if a malicious person really has enough access to get a hold of a password I wrote down it’s already too late.

mano says:

Re: Re:

The KeyPass site has this to say:

“Also, you should use different passwords for each account. Because if you use only one password everywhere and someone gets this password you have a problem… A serious problem. The thief would have access to your e-mail account, homepage, etc. Unimaginable.”

But losing the KeyPass master password can cause much more trouble! At least, when you are using the same password for all accounts, a person getting hold of the password will have a tough time figuring out where all you have login accounts and what the user names are. But in the case of KeyPass, even that info is available to the bad guy!!

IMO, writing down a really strong password in a small insignificant scrap of paper and secreting it inside one's wallet or a safety locker at home is not a bad idea. It is much more secure than having john/john as u/p!

regds

Re:

just use really long passwords. they are easy to remember and nearly impossible to guess or crack.

a 32 character password that’s all lowercase takes waaaay longer to guess/crack than an 8 character password composed of upper/lowercase characters, numbers, and symbols.

the problem of course is that many systems have a maximum length for passwords.

the best recommendation that i have heard is to take a line from a favorite song or quote from a favorite novel and switch out one word, or flip a pair of words, for example:

it was the best of times, it was the burp of times
it best the was of times, it was the worst of times
it was the best of worst, it was the times of times
was it the best of times, was it the worst of times

zcat says:

How about PKI?

This would be pretty easy to solve really. The backup facility generates a keypair and emails their public key to the agency, who then encrypt the data using the public key. Nobody has a password, so nothing needs to be (or could be) taped to anything. If they feel like it they can tape the public key to the USB stick and it still wouldn’t be a problem.

(For recovering backups, you do the same thing in reverse; the agency generates a keypair and sends the public key to the backup facility)

Bettawrekonize says:

Re: How about PKI?

Uhm… encrypting the data with a public key would be a SLOW SLOW processor intensive process. You use a pre-shared key and you use public key cryptography to share the pre-shared key. Then you use a symmetric algorithm, like AES, to encrypt the data with the pre-shared key. That’s how it’s always done.
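The scheme from the two comments above put together (the recipient publishes a public key, the sender encrypts the bulk data with AES and wraps only the AES key with that public key), as an added example that is not part of the original thread. It assumes Node.js's built-in crypto module, RSA-OAEP for the key wrap and AES-256-GCM for the data; the names `seal`, `open` and `OAEP` and the sample record are constructed for illustration.

```javascript
const nodeCrypto = require('crypto');

// Hypothetical helper names for this example; RSA-OAEP with SHA-256 wraps the key.
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Sender side: encrypt the bulk data with a fresh AES-256-GCM key (fast, any
// size), then wrap only that 32-byte key with the recipient's public key.
function seal(publicKey, data) {
  const key = nodeCrypto.randomBytes(32);
  const nonce = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  const ciphertext = Buffer.concat([cipher.update(data), cipher.final()]);
  const wrappedKey = nodeCrypto.publicEncrypt({ key: publicKey, ...OAEP }, key);
  // Everything returned here can travel with the media in the clear:
  // there is no password and no private key to tape to anything.
  return { wrappedKey, nonce, ciphertext, tag: cipher.getAuthTag() };
}

// Recipient side: unwrap the AES key with the private key, then decrypt.
// final() throws if the ciphertext or tag was modified along the way.
function open(privateKey, envelope) {
  const key = nodeCrypto.privateDecrypt({ key: privateKey, ...OAEP }, envelope.wrappedKey);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, envelope.nonce);
  decipher.setAuthTag(envelope.tag);
  return Buffer.concat([decipher.update(envelope.ciphertext), decipher.final()]);
}

// Demo with a constructed record: the backup facility generates the keypair
// and hands out only the public half; the sender holds no decryption secret.
const facility = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const sealed = seal(facility.publicKey, Buffer.from('constructed sample backup record'));
console.log(open(facility.privateKey, sealed).toString());
```

The RSA operation touches 32 bytes regardless of how large the backup is, which is why the speed objection does not apply to the combined scheme.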

Bettawrekonize says:

Re: How about PKI?

So are you saying that every time someone wants to look at the data, unencrypted, they have to communicate with the backup facility (and have them send the data over)? With your method, having the data encrypted on my computer doesn’t do me any good when I need it since I can’t decrypt it. This almost defeats the purpose of keeping the data on me (unless the data, and not the private key, gets corrupt at the backup facility. Then your copy might help restore it in the long run). The purpose is to have the data on my computer encrypted in a manner that only I can quickly decrypt from my computer. The solution is simple, as the OP says, (use a strong symmetric algorithm and) don’t put the decryption password on the drive with the encrypted info.

Encryption

Thanks to all for visiting my site. Healthcare has a lot to learn and with all the new devices coming out, it’s scary too. I cover a lot of them, and now they came out with a blue tooth connected inhaler that sends data, as well as defibrillators that send email and text messages too!

http://ducknetweb.blogspot.com/2009/05/smart-inhaler-with-blue-tooth-and.html

http://ducknetweb.blogspot.com/2009/04/biotronik-home-monitoring-cardio.html

Anyway, just thought I would share a couple geeky healthcare devices and there’s more, so when it comes to devices transmitting data, I am really concerned over security! An off the cuff story too where they equip elephants with SIM cards to text when the killer elephants get near.

http://ducknetweb.blogspot.com/2008/10/elephant-texting-yes-elephants-are-now.html

Thanks again for the visits!
