Password versus Encryption


Bonnee Peebles

HELLO.


I got my girlfriend a 512 MEG memory drive that you put in one of
the sockets on the front of the computer. She said it has something
on it that would encrypt her stuff on the memory drive. It was a
SanDisk by the way. I thought this was pretty good because the stuff that
she kept on the thing would be protected if it got lost or stolen at
work.
Last week she told me she needed something bigger and since I really
do not know much about them, I let her pick one. We got a SanDisk
Cruzer micro 2.0 GB. She says it has more room but it looks smaller
than the first one. Anyway, this one did not have something to
encrypt the stuff on it. She said it just has a password. I was
wondering what was the difference between a password and encryption?

Also, I am very new to the world of computers. I am a college
educated professional so I am not stupid. However, as I said, I don't
know about computers.

If someone could help I would very much appreciate it.

Bonnee
 
She can use TrueCrypt ( http://www.truecrypt.org/ ) to add password and
encryption protection to ANY drive, whether it's a USB flash drive, hard
drives, etc.

As far as password vs. encryption, if something requires a password to gain
access, it doesn't necessarily mean that something being accessed is
encrypted (may be, but doesn't HAVE to be). OTOH, something that's
encrypted almost always requires a password since the whole point of
encryption is to prevent unauthorized access. You usually need a password
to indicate to the software that YOU are such an authorized person. At
which point, access is permitted and the data is decrypted for your use.

Something like TrueCrypt provides for encryption of data and a password to
gain authorization for access. Try it, you'll like it and it's completely
FREE.

Jim
 
At its weakest, all a password is controlling, is allowing a
device driver to access the device. All of the data could be
stored in plain-text inside the memory chip. Without more
details, we don't know what additional measures are implemented
or tied to the password.

Encryption implies the data in the memory chip is in encrypted
form. If you were to look at the bits under a microscope, they
would be jumbled and unreadable unless you know the encryption
algorithm and key. If the contents of the memory chip are encrypted,
then even if examined under a "magic microscope", the examiner
would not be able to read the files. The examiner would need to
know the encryption algorithm used and the key, to read the files.

Encryption can be done in hardware or in software. Both can
be effective if done right.

A question for your girlfriend would be whether her employer
knows she is hauling valuable data around in this way. The need
for a 2GB device implies she is hauling too much stuff around,
and should use the device purely for transport and not for
archiving. At my previous employer, I could probably haul all
of the company's intellectual property assets around in a
1GB stick. It would be especially embarrassing, for example,
if the only copy of her work related files were on the stick,
and the stick were to fail. So the stick should be limited to
usage as a transport device, and not as a sole copy of
whatever she is working on. The primary copy should be at work,
and the work computer hard drive backed up automatically by her
IT staff.

At the very least, she should be discussing the nature and
need to move data between work and home, with the IT staff
of her employer. The IT staff at my last job were
knowledgeable and helped set up a secure VPN connection, so I
could access files electronically with at least a
modicum of security. You still need to delete any temporary
files from the home computer, if you want to be as hygienic
as possible, so you still have to exercise care and attention
to avoid endangering company assets.

There have been too many tales of important files being lost
or ending up in the wrong hands, due to working like this.
If your girlfriend wants to keep her job, she should at least
be consulting with someone about what she is doing.

There are hard drives that encrypt all data at the hardware
level. You could use one of these on your girlfriend's home
computer, so any files transported to the home computer, cannot
be stolen if the computer is taken in a break-in. But storing
the files at home should still be done with the knowledge and
approval of her manager. And of course the home copy should
not be the only copy of any file, due to the danger of a
break-in. Using a drive with encryption is covering the
hygiene issue a bit better.

(full disk encryption FDE on Momentus drives)
http://www.seagate.com/products/notebook

With either encryption or with passwords, if the password
or key is lost or forgotten, the data is gone. Effectively,
it makes the storage media less reliable, which is
why the primary copy of the file should be stored some
place where they do regular backup copies.

Another thing to note about data protection methods, is they
should be proven to be effective. I had one fellow employee
come to me, and she said she had lost the password to a
password protected device. When I examined the device, I
discovered that the password was stored in plaintext, with
only the hex digits of each ASCII character being reversed
(i.e. 30 hex became 03 hex). It was a cinch to break the
password and get her data back. The hard part, was telling
other people not to rely on that product any more :-)

Paul
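
Paul's point that a protection method has to be proven effective can be tested on an evaluation unit: set a known canary password, take a raw dump, and search it for that password under keyless encodings such as the hex-digit swap he describes. This is an added example, not code from the thread; the dumps, the canary password, the header layout and the function names are constructed for illustration.

```python
import base64
import hashlib

def swap_nibbles(data: bytes) -> bytes:
    """Swap the two hex digits of each byte (0x30 -> 0x03). No key is involved."""
    return bytes(((b << 4) & 0xF0) | (b >> 4) for b in data)

# Keyless transforms: anyone who knows the scheme can undo them.
ENCODINGS = {
    "plaintext": lambda p: p,
    "nibble-swapped": swap_nibbles,
    "reversed": lambda p: p[::-1],
    "hex": lambda p: p.hex().encode(),
    "base64": base64.b64encode,
}

def find_canary(dump: bytes, canary: bytes) -> list:
    """Return (encoding, offset) for each keyless form of the canary in the dump."""
    hits = []
    for name, encode in ENCODINGS.items():
        offset = dump.find(encode(canary))
        if offset != -1:
            hits.append((name, offset))
    return hits

# Constructed test data: a canary password set on an evaluation unit.
CANARY = b"Canary-2007!"
HEADER = b"DEVHDR".ljust(16, b"\x00")  # hypothetical 16-byte device header

# Constructed dump 1: the scheme from the anecdote (password kept nibble-swapped).
WEAK_DUMP = HEADER + swap_nibbles(CANARY) + b"\xff" * 32

# Constructed dump 2: only a salted, slow hash of the password is stored.
SALT = bytes(range(16))  # fixed only so the example is repeatable
HASHED_DUMP = HEADER + SALT + hashlib.pbkdf2_hmac("sha256", CANARY, SALT, 100_000)

if __name__ == "__main__":
    print("weak device:  ", find_canary(WEAK_DUMP, CANARY))
    print("hashed device:", find_canary(HASHED_DUMP, CANARY))
    # Undoing the "protection" needs no secret: the swap is its own inverse.
    print("recovered:    ", swap_nibbles(WEAK_DUMP[16:16 + len(CANARY)]))
```

An empty result only rules out the encodings listed; it does not show that the stored data itself is encrypted.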
 
A question for your girlfriend would be whether her employer
knows she is hauling valuable data around in this way.
At the very least, she should be discussing the nature and
need to move data between work and home,
If your girlfriend wants to keep her job,

Woah. It's possible, but I didn't read anything in the original post
that suggested she was keeping work related files on her USB flash
drive.

I keep the files from my computer on a flash drive and take it with
me when I leave, that's probably why so many come on a keychain.
Naturally it can get lost or stolen at work when you are there eight
hours per day.

For what it's worth. I have mine zipped and encrypted. Then copy the
zip file to the flash drive. I definitely don't want some police
department easily going through my files in some unlikely but always
possible awkward situation, or having my files looked at by some Joe
if it gets lost. Encryption is highly recommended if you carry a
flash drive with your personal files.

Good luck and have fun.
 
OK, with all due respect an explanation of encryption;



to encrypt data is to scramble it for example;

we have three 8-digit variables each digit can be a 1 or 0
we have IN(Input Data), Key(Key Data), OUT(Output Data)

IN:  11011000
KEY: 10010011

OUT: 01001011



I K O

1 1 = 0
1 0 = 1
0 1 = 1
0 0 = 0



OUT does not resemble IN, well it kinda did in this combination but,
it works in reverse as well (unscramble)

So encryption actually uses the Key (password data) to scramble and
unscramble the information. No Key, no INFO. Mere password protection
just denies access to the unscrambled data without the password (a
mechanism that is easily subverted).


I hope this was some help to you
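
The XOR table above, extended from 8 bits to whole files, shows the difference the thread is about: a password gate leaves readable bytes on the chip, while encryption leaves only scrambled ones. This is an added example, not code from the thread; the class names, sample data and the PBKDF2 plus SHAKE-256 keystream are illustrative assumptions, and a real product would use a vetted cipher such as AES rather than this toy.

```python
import hashlib
import hmac
import os

def xor_bits(a: str, b: str) -> str:
    """XOR two equal-length bit strings, as in the post's IN/KEY/OUT table."""
    return "".join("0" if x == y else "1" for x, y in zip(a, b))

def xor_bytes(data: bytes, stream: bytes) -> bytes:
    return bytes(d ^ s for d, s in zip(data, stream))

def keystream(password: str, salt: bytes, length: int) -> bytes:
    """Stretch a password into `length` key bytes (toy construction, an assumption)."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return hashlib.shake_256(key).digest(length)

class PasswordGatedStick:
    """The password only guards the front door; the chip holds the data as-is."""
    def __init__(self, password: str, data: bytes):
        self._password = password
        self.chip = data  # what a raw read of the memory chip returns

    def read(self, password: str) -> bytes:
        if not hmac.compare_digest(password.encode(), self._password.encode()):
            raise PermissionError("wrong password")
        return self.chip

class EncryptedStick:
    """The chip holds only the data XORed with a password-derived keystream."""
    def __init__(self, password: str, data: bytes):
        self.salt = os.urandom(16)  # fresh salt, so a keystream is never reused
        self.chip = xor_bytes(data, keystream(password, self.salt, len(data)))

    def read(self, password: str) -> bytes:
        # No access check at all: a wrong password simply yields garbage.
        return xor_bytes(self.chip, keystream(password, self.salt, len(self.chip)))

SECRET = b"bank PIN 4921; webmail password hunter2"  # constructed sample data

if __name__ == "__main__":
    gated = PasswordGatedStick("tulip", SECRET)
    sealed = EncryptedStick("tulip", SECRET)
    print(xor_bits("11011000", "10010011"))  # the post's IN and KEY
    print("raw read, gated:  ", gated.chip)
    print("raw read, sealed: ", sealed.chip.hex())
    print("sealed + password:", sealed.read("tulip"))
```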
 
A question for your girlfriend would be whether her employer
knows she is hauling valuable data around in this way. The need
for a 2GB device implies she is hauling too much stuff around,
and should use the device purely for transport and not for
archiving.

Paul,
I don't mean to be offensive but I never mentioned that the data on
the "Thumb Drive" was her work data. However, when I asked her about
the fact, she found it very funny. The material she gathers at work is
disseminated to the public. I will not mention the organization but
that is what they do. However, the fact remains that this is not what
she puts on the Thumb Drive. She says she has personal information
and NON WORK RELATED Passwords and PINs on there. Before you make
the argument that her job may not allow her to use the device on their
computers if it is non work related, her employer is ok with that.

Also, I do not think my GF is the kind of person that would have the
ONLY set of NORAD launch codes hanging from the rear view mirror in
her new Thumb Drive. But I have heard the stories about government
HDs full of data disappearing.
Please don't take that the wrong way. You were not at all nasty in
your response so please do not think I am. Even though I almost never
post a message, I do read a lot. I never understand why when someone
posts a question they get many responses but very little addressing the
question. Your initial response was informative, but I don't
understand why you digressed into the "company policy" information.
Perhaps you inferred that it was company data which would explain it.

My GF posted a question once about putting Nitrous Oxide in her Mini
Cooper S ( we have a matching pair ). A few responses were
informative but several were of the type with comments like:
"Speed Kills", or "It is against the law to exceed the speed limit."
Even "Mini Coopers are pieces of #$@$@ and you should never own one."
I could never figure out why those people even responded.

But anyway thanks for the information. The data on her thumb drive is
hers or something meant for the general public. Really the question
was a cut and dry "Password v/s Encryption."
Bon
 
It sounds like you passed on the advice. My work is done :-)

If you came to my desk at work, and I had a 2GB portable
storage device, and I had questions about passwords and
encryption, what would you assume I was up to? Even if
I gave you a plausible cover story.

Say we had three scenarios:

1) Carry information protected with password
2) Carry information protected by encryption
3) Don't carry information in the first place

Which is the strongest solution? Why, (3) of course.

Passwords are typically short and some storage
devices have known compromises (like bypassing
the stage that protects the data). Encryption
still has issues, but if implemented well, there
may be fewer means to circumvent the encryption.
(Even if data on disk is read with a separate data
recovery device, you need the key to decrypt
the data. The Seagate Momentus is an example
of a device like that.) Of course, both
encryption and passwords require trust on
the part of the user, that the implementer
of the encryption or password method, has not
left a "back door". And that is where a good
"tin foil hat" comes in handy.

http://en.wikipedia.org/wiki/Encryption

In the event that your girlfriend loses the 2GB
device, she still has to take action to protect
whatever those stored passwords and PINs accessed.
In that sense, the protection method used is
immaterial, because no matter how small the exposure,
you still have to do the same things in response.
(Change passwords and PINs).

Only a cryptography expert knows how worried to be.

Paul
 