Encryption perversity

As computing continually becomes cheaper, and as encryption becomes more efficient, it also becomes easier to guess passwords. That’s the takeaway from this security note by John Landwehr of Adobe.

Acrobat 9 features stronger passwords — longer passwords, Unicode characters — yet opens encrypted documents much more quickly than before. That’s a good thing.

But the speed increase also means it takes hackers less time to scan through a dictionary of common passwords: the faster decryption also helps password crackers. That’s not a good thing.

The implications for us?

  • If you’re choosing a password, it should be more secure than a few years ago. It’s getting cheaper to guess simple passwords.

  • And if you’re building a system that requires a password, and you can’t use server-based authentication for a local file, then requiring some complexity in the reader’s password helps protect that document from unauthorized reuse.

A self-contained file that is distributed is difficult to protect completely. Digital encryption makes it more expensive to crack, but can’t protect to the same degree as a file that communicates with your servers before opening. Standalone files can’t offer the same security as server-connected files.

But even the difference between an eight-character password and a nine-character password can determine whether it’s worth someone’s time to attempt to guess the password the file requires.

Some tips on password strategy:

  • Choose longer passwords, or even entire pass-phrases. (Reader 9 can use up to 127 7-bit characters.)

  • Avoid words found in dictionaries, common names, etc.
  • Mix alphabetics with numerics and punctuation.
  • Remember longer passwords by using a long phrase, interspersed with other characters in a memorable pattern.
  • Writing passwords on paper is safer with some kind of coding: something you can understand, but which someone who finds the paper cannot.
  • CERT has more tips, as do others.
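To make the two points above concrete (how much extra work one more character adds, and what the tips buy you in measurable terms), here is an added example, not code from the original post or from Adobe: a small estimator that sizes the search space of a password from the character classes it uses, converts that to entropy bits, and estimates how long exhaustive guessing would take at an assumed guess rate. The guess rate, the tiny word list and the helper names are all constructed assumptions for illustration.

```python
import math
import string

# Constructed assumptions (not from the page): an attacker guess rate and a
# tiny list of common words standing in for a real dictionary.
GUESSES_PER_SECOND = 1_000_000
COMMON_WORDS = {"password", "letmein", "welcome", "adobe", "acrobat"}

# Character classes an attacker must cover; a password that mixes classes
# forces the guesser to enumerate the union of all classes it touches.
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "punct": set(string.punctuation),       # 32
}


def charset_size(password: str) -> int:
    """Alphabet size implied by the classes present in the password.

    Characters outside the four ASCII classes (for example Unicode) widen
    the space; they are counted conservatively as one symbol each.
    """
    size = sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))
    others = {c for c in password
              if not any(c in chars for chars in CLASSES.values())}
    return size + len(others)


def keyspace(alphabet: int, length: int) -> int:
    """Number of candidates of exactly `length` drawn from `alphabet` symbols."""
    return alphabet ** length


def entropy_bits(password: str) -> float:
    """Upper bound on strength in bits, assuming every symbol is chosen freely."""
    return len(password) * math.log2(charset_size(password))


def seconds_to_exhaust(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate of the same length and alphabet."""
    return keyspace(charset_size(password), len(password)) / rate


def extra_work_factor(alphabet: int, from_len: int, to_len: int) -> int:
    """How many times more work each added character costs the guesser."""
    return alphabet ** (to_len - from_len)


def is_dictionary_word(password: str) -> bool:
    """A dictionary word is found in a few thousand guesses regardless of length."""
    return password.lower() in COMMON_WORDS


def assess(password: str) -> dict:
    """Summarise the measurable properties the tips above are aiming at."""
    return {
        "length": len(password),
        "alphabet": charset_size(password),
        "bits": round(entropy_bits(password), 1),
        "exhaust_seconds": seconds_to_exhaust(password),
        "dictionary_word": is_dictionary_word(password),
    }


if __name__ == "__main__":
    for pw in ["password", "Pa55w0rd!", "correct horse battery staple"]:
        print(pw, assess(pw))
    # One more lowercase character multiplies the guesser's work by 26;
    # one more character from the full printable-ASCII set multiplies it by 94.
    print(extra_work_factor(26, 8, 9), extra_work_factor(94, 8, 9))
```

The numbers are upper bounds: a real cracker tries dictionary words and common patterns first, which is why `assess` flags a dictionary word separately from its bit count, and why the post's advice to avoid dictionary words matters more than any single extra character.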

It makes sense that faster decryption of documents would be used by hackers too. The passwords we used ten years ago aren’t as secure as they were. Perverse, but that’s the way it is.