A field guide to crypto

Written by Brett Thomas

March 16, 2007 | 11:27

Tags: #aes #cipher #cryptography #encryption #guide #hash

A brief note on shop safety...

I somehow doubt anyone who didn't grow up watching The New Yankee Workshop will recognize that line, but those of you who did probably got a chuckle. For those who didn't, we're about to talk about the most important rule in practical crypto: strong passwords, because any of the encryption covered in this guide is only as strong as the password that unlocks it.

A strong password is not your mother's name. It is not your dog, your friend, your uncle Bob or your address. It is not your phone number or birth date. So when you set up your passwords, remember the following:
  • Make it a minimum of 8 characters no matter what, 12 if you can,
  • Intersperse letters and numbers to make words (like l33t sp34k), but don't count on that alone: cracking tools apply the common substitutions (3 for e, 5 for s and so on) automatically, so length still matters more,
  • If special characters and caps are allowed, use both (each one widens the alphabet an attacker has to cover at every position, which multiplies the number of strings to try),
  • Whatever the cipher, the attacker guesses the password rather than the key, so the password is the weakest link for AES just as much as for TKIP. Refer to my list on page 3 for the protocols: a WPA passphrase, whether TKIP or AES, should be at least 13 characters, and a disk-encryption password deserves the same.
If you have ever cared to work out how strong a password is, here's a simple rule. The number of strings an attacker has to try equals the number of possibilities for each character, multiplied together. As a rough tally: for each lowercase letter, use 26. For each capital, use 52. For each digit that stands alone, use 36, but for each digit within a date, phone number or address use 10. For each special character, use 84. This is only a rule of thumb (a proper brute-force estimate raises the size of the whole alphabet to the power of the length, and is usually quoted as bits of entropy), and it only describes blind guessing: any real cracking run tries dictionary words, dates and word-plus-date combinations long before it touches random strings, so a password built from those is far weaker than the tally suggests.

For example, let's compare three passwords:
  • fido = 26 * 26 * 26 * 26 = 4.57 x 10^5
  • Brett2007 = 52 * 26 * 26 * 26 * 26 * 10 * 10 * 10 * 10 = 2.38 x 10^11
  • Br3tt*i5*dum! = 52 * 26 * 36 * 26 * 26 * 84 * 26 * 36 * 84 * 26 * 26 * 26 * 84 = 3.21 x 10^20
I'm sure you see where I'm going with this. Bear in mind, too, that fido is a dictionary word and Brett2007 is a name plus a year, so a cracker finds both long before exhausting those counts, and even the third still contains a name once the l33t substitutions are undone. The tally is an upper bound, not a guarantee.
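To make the rule concrete, here is an added example (my own illustration, not code from the original article) that scores the three passwords above in three ways: the per-character tally from the rule above, the standard brute-force estimate of alphabet size raised to the password length expressed in bits, and a check for the dictionary-and-date patterns a cracker tries first. The word list and the set of l33t substitutions are constructed stand-ins, not a real cracking dictionary or rule set.

```python
import math
import re
from typing import Dict, List

# Per-character weights from the article's rule of thumb.
LOWER, UPPER, DIGIT, DATE_DIGIT, SPECIAL = 26, 52, 36, 10, 84

# Constructed stand-in for a cracking wordlist; real ones hold millions of entries.
WORDLIST = {"fido", "brett", "password", "letmein", "dumb"}

# Common l33t substitutions, undone the way cracker rule sets do before a lookup.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def heuristic_keyspace(pw: str) -> int:
    """The article's tally: multiply one weight per character.

    A digit inside a run of four or more digits is treated as part of a
    date, phone number or address and scores 10; a lone digit scores 36.
    """
    date_positions = set()
    for run in re.finditer(r"\d{4,}", pw):
        date_positions.update(range(run.start(), run.end()))
    total = 1
    for i, c in enumerate(pw):
        if c.islower():
            total *= LOWER
        elif c.isupper():
            total *= UPPER
        elif c.isdigit():
            total *= DATE_DIGIT if i in date_positions else DIGIT
        else:
            total *= SPECIAL
    return total


def brute_force_bits(pw: str) -> float:
    """Standard estimate: an attacker who knows which character classes appear
    tries alphabet**length strings; report that search space as bits (log2)."""
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(not c.isalnum() for c in pw):
        alphabet += 32  # printable ASCII punctuation
    return len(pw) * math.log2(alphabet)


def cracker_warnings(pw: str) -> List[str]:
    """Patterns a rule-based cracker tries long before random brute force:
    dictionary words (also after undoing l33t substitutions) and years."""
    warnings = []
    normalised = pw.lower().translate(LEET)
    for token in re.findall(r"[a-z]+", normalised):
        if token in WORDLIST:
            warnings.append(f"contains dictionary word '{token}'")
    if re.search(r"(19|20)\d\d", pw):
        warnings.append("contains a year")
    return warnings


def report(pw: str) -> Dict[str, object]:
    """Bundle the three views of one password for comparison."""
    return {
        "tally": heuristic_keyspace(pw),
        "bits": round(brute_force_bits(pw), 1),
        "warnings": cracker_warnings(pw),
    }


if __name__ == "__main__":
    # The three passwords compared in the text.
    for candidate in ("fido", "Brett2007", "Br3tt*i5*dum!"):
        r = report(candidate)
        print(f"{candidate:16} tally={r['tally']:.2e}  bits={r['bits']}  {r['warnings']}")
```

The tally and the bit count agree on the ranking (roughly 19, 54 and 85 bits), but the warnings are the part that matters: fido and Brett2007 fall to a wordlist in seconds whatever their counts say, and once the 3 and 5 are mapped back to e and s, even Br3tt*i5*dum! yields a name that rule-based crackers look for. Length and genuine randomness are what the counts actually reward.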

(If you want randomly generated passwords long enough that brute force is hopeless, check out GRC's password generator; just keep them somewhere safe, because nobody remembers strings like that.)

Wrapping it all up...

Of course, the greatest key to actually making use of all of this encrypted mumbo-jumbo is ease of use. Privacy will always take a back seat to laziness so long as the chance of nothing happening to you looks better than the chance of something bad happening. But even then, all is far from lost: the software covered here is all freeware, almost all open source, and (best of all) cross-platform.

Why does that matter so much? Because every program here can run off a USB key on any computer you come across, meaning you can take your private data with you wherever you go. Back up the USB key at home on a nightly basis and you'd have a completely mobile suite to turn any computer into your safe haven, and you won't even sweat it if the key gets stolen, provided everything on it is encrypted rather than sitting in the clear next to the tools. One caveat: a borrowed machine can still log your keystrokes or read whatever you decrypt on it, so the key protects your data at rest, not a session on a computer you don't trust.

The true feather in the cap of a setup like this would be a truly portable desktop, and there's even a recommendation for that. Those of you who haven't had the privilege yet, check out DSL (Damn Small Linux), a Linux derivative that is under 50MB and runs handily straight off a USB key. The best part is, you don't even need to reboot the computer for it: one of the distros runs right inside Windows via the free emulator QEMU.

Since all of these programs come with Linux variants, it is possible to set up an entire portable OS for on-the-go travel, designed to protect your privacy and keep your data safe. Since you'd be running a mini-OS from the USB key, you wouldn't even need to worry about installing any of the software: just run the emulator from the drive itself and you're all set. I would recommend the highest read/write speed available, however; running an OS inside another can get a little bogged down.

...and putting a bow on it.

I hope you've enjoyed my short little field guide to cryptography, and that I've given you a better understanding as well as some ideas on ways to keep your own data a little more secure. As we move more and more towards "home systems" and "dumb terminals," our computing needs are going to force us to have more of an eye for privacy.

Seagate recently announced a big move for laptops and data centers: hard drives with built-in encryption. With Vista packing its own whole-disk encryption in BitLocker, it's clear that the industry sees a need to move. It might not be all that long before machines are white-listed or black-listed for various types of data, and personal info may just not have much space on computers other than your own.

At the same time as companies and public terminals grow more wary and lock down features, more things are coming out that allow us as users to carry our lives with us in the palm of our hand (or on the ring of our keys, anyway). With a few SSH tunnels from a Damn Small Linux install back to a box at home, it's possible to route your entire online existence, from web-surfing to mail to chatting, so that the network you're sitting on sees nothing but one encrypted connection; the traffic only comes into the clear at your own end of the tunnel, where you control the logs. Add a darknet ISP and you come close to being a complete black hole, though the sites you talk to still see whatever you send them.

In the meantime, fire up a couple of these programs and give privacy (and cryptography in general) a try. You'll probably find it's a lot less inconvenient than you think, and the little added peace of mind may just be worth the while. After all, it's not like you have to do magic or save the Prime Minister.