This isn’t a commentary on the Apple case. I’m not following that very carefully. I’ve been frustrated for quite some time by silly encryption talk, and it’s just now boiling over. So I’m going to share, in layman’s terms, what modern encryption means and how it works. After that, I’ll explain why the encryption debate is like a bad joke gone too far.

Politicians, Republican and Democrat alike, frame the conversation in a completely misleading way that exploits the public’s ignorance of the underlying technology. I pray this is just a result of their own ignorance, and not a more cynical, informed duping of the American public.

Washington seems to treat encryption like Democrats treat guns. They think it’s controllable, can be regulated, and will somehow stop “the bad guys.” We, on the other hand, know there’s no stopping the inevitable. Better that the good guys have access, too.

So, what is encryption?

Modern encryption is based on something called RSA encryption. RSA stands for Rivest, Shamir, and Adleman, the three brilliant mathematicians who discovered a truly beautiful mathematical insight, one that keeps our credit cards safe, our passwords secure, our health records confidential, and our correspondence private.

Before we dive into RSA, a short recent history of encryption. Until RSA, the best encryption methodologies were just exceedingly complex cipher machines, or one-time pads. You may be familiar with a simple cipher from a puzzle book. For example: “A becomes P, B becomes N, etc.” The famous German Enigma machine added complexity by changing the letter mappings each time a letter was keyed into the machine. (Note that it did this in a predetermined way.) The key to cracking the Enigma code was figuring out the initial mapping; from there, if you knew the pattern in which subsequent mappings changed, you could decrypt any intercepted message. In tech lingo, if you can decrypt a message with the same information used to encrypt it, it’s symmetric encryption.

Even older than the Enigma, and more rudimentary, is the one-time pad. In a sense, it’s a cipher as well. Even though it’s older and lower-tech, to this day it remains, under the right circumstances, the only truly unbreakable form of encryption. The key is “under the right circumstances.” More on that later.

A perfect one-time pad is a series of truly random numbers (true randomness is really hard, if not impossible, to get). The person sending the message has one copy of these numbers; the recipient has the other. The sender uses these random numbers to translate his or her message letter by letter, usually just incrementing each letter by the corresponding number. After the pad is used once, it should never be used again. Hence the name one-time pad. If it were to be used again, an attacker could infer the original numbers from their repetition.

Like the Enigma, this is symmetric encryption; that is, the material used to encrypt the message is used to decrypt the message as well. If ever the pad is lost, stolen, or intercepted (worst case), the system fails completely. The beauty is that if everything goes completely according to plan, the one-time pad is the only known method of perfect encryption. Unfortunately, it’s quite difficult to get real randomness, and very hard secretly to get the same pad to both the sender and receiver (this is the clandestine work of spies, dead drops, and tradecraft).

So it’s already clear that these methods are already available to good guys and bad guys alike. Nothing the government could do would stop the spread of these forms of encryption. There’s absolutely no back door to a one-time pad, short of seizing property and Orwellian eavesdropping. Things would still slip through.

Back to RSA. It’s foundation is a simple observation about factoring numbers (as in, the number 6 has the factors 1, 2, 3, and 6). While it’s easy to factor small numbers, it gets exponentially more difficult to do as the numbers get larger. In fact, it gets so difficult that if it’s a reasonably large number, the best-known algorithms for factoring would need to run through more iterations than there are atoms in the universe to solve it.

You may think, “Well, of course, but that number would need to be enormous, right?” But don’t forget, the problem is exponential. The number really doesn’t need to be all that large. To put it in perspective, this post would take up more space in a computer’s memory than that number.

So it’s time-consuming and hard to find factors of a big number. So hard that even the NSA and their supercomputers probably couldn’t find them in any reasonable amount of time.

What about going the other way? Well, the most beautiful thing about this system is that going the opposite direction is actually really fast. If we already know two of the factors, it’s quite easy and speedy for a computer to multiply them to get the large number.

Using all these numbers and a dusting of mathematical sorcery, it’s possible to come up with two random really big numbers. One of those numbers works kind of like our friend, the one-time pad. Instead of using the numbers to map letters, like A -> P, we do it a little differently. First, every letter in the secret message is assigned a number. It can be really obvious, too, like A -> 1 and B -> 2; it doesn’t matter. Now our secret message is just a really big number, too! What can computers do well with really big numbers? Multiply them. The product is our encrypted message.

You can send that to whomever you wish. But only the person with the other original random number can decrypt it. In tech lingo, that’s the private key.

This, as you may have inferred, implies a public key.

The public key is the number we combined in our secret message. Because it’s so difficult to factor large numbers, I can confidently publish my public key in tomorrow’s paper. You could take that number, combine it with a secret message, then post it here on Ricochet for all the world to see. I would be the only one able to decrypt it with my private key. This is known as asymmetric encryption because the material needed to decrypt a message is not the same as that needed to encrypt it.

I know it’s a lot to wrap your head around, but trust me when I say it’s based on relatively simple mathematics. It amounts to something so damn near unbreakable that it’s not even worth trying to crack. By the time anyone gets close, we’ll all be six feet under. In fact, I’m so confident of this that I’ll give you the password to my bank account in the bottom of this message. It’ll just be encrypted using my public key.

What does this mean for the so-called encryption debate?

Well, there isn’t one. It’s purely about an invasion of your typical citizen’s privacy. Unbreakable, strong encryption is so readily available to anyone who wants it that it won’t stop a terrorist or a dedicated crook for a minute. When the US first tried to block the export of encryption technology, computer scientists copied the source code of an encryption library into an academic paper and published it in an academic journal. It all just boils down to simple math.

If you think these things don’t apply to you, please look up in your browser’s URL bar. Do you see that little green lock? That’s encryption, and it’s been keeping your credit card details and your passwords safe from prying eyes for years.

So next time you hear someone mention a backdoor, or even a front door, read it as, “We want a super-secret, really big number that we promise to keep super-secret.” Then laugh, because now you know that if that super-secret number ever gets lost, we’re all in for it. Criminals will have the keys to the kingdom. And that super-secret number will get lost. It’s the government, after all.

Hereas promised, is my bank password: Enjoy it.

—–BEGIN PGP MESSAGE—– hQEMA8U6m0wF95yNAQf9EwWkSiOYjUXlplE9TlX5auG2TJ8Ewfpr7FgXLW70tngw 9Rh6U+Uv7pRmn8jrepmUI/sk8neOcTVRHGzMIEXg2Duxju9DU/nT5Zfv3QD2PQAM opkQMc5L/vGHJhq+t1EXpn/nEhimK0YBZnYOWs96P2onf0BaDKrJOzYouTU0SVUP cRvmg2yuH48d2gOSJFm2kqAWEClRZpcx9znwBxxxX2tu+0yp/ZbMCY3g/SOkACrh +TJsRlCCYYJz69WdJtrK/HtyT613BnUyPnMZb/5bsYzc/yWvaTd3lXwrIuHsz82c 6y5IEWM7uiyVYiXJaSSd3zxzOq8KolZ//5Gbshq/B4UCDAMAcEZ6M6graAEP/2i4 s8KngyvDBKlF5p2R1SyzYizfVw5aZqJ4V1NL7QLi8e8/AbBvTjW9yPlPnqH3vnSd n9GSzOMUF/200P31td1ckYDHd2VGPSA3wK8IijEk/A4gW+7l6vEQy5k+PECLEg72 MMspTZ6XESKKe4sFp5EVoOFLhxSvszDjqhXgsDXKL/ukDHwmtUv42V6j9TfhEZjG jIgg4P7retYn/sFyCbT1y/mLRmrXfsotS2XhNvA8FJL3f8rgBC/wd1R3gN08QIzh R2gSlywPiYQAPATaJ9e2dMfSvZX/yPpOtpEIyWmkL8YzcosI6UnbEQBWX/cpiCpi hSM4EP+Us8ou+X65nRM63ayPn4vx7GnRJozUMzO206BR23F2vgy7NengLIG6RcxY EO/2/+XKzrHPvltvni+iVHiR5i2t1cwNeOitqAQCPBFAlIYTJns3hynQ8tyDN9Fu toqyO3JLt8SxihQ/75yaPb6Gv9dHKids8PPQaIXdd32bMiDVr+Nnw59FRzdKHSTl Mt+08xdEP/xNB6vFTypLp4NCfW1gjpPc/ft6+ZpjOmC4ydG5wPrYq0hZ6dLW1P70 9Ht98DumHnTfAtsLp+TMvAbOZwgPvfEc/RUZulvIKYcdIJik1jxtmd6o7hTJeuOW h6WEieeYJgHhToSi5JkJgwU4pwknI1SIPpJ6iCFxhQIMAyjnI65ZV691ARAAqXuO qhzgO2wgPWUsyKBMVK3TiMqMTyevCetos2TWY/lrE5M+I07hKHETsZzxQnm+Rdu0 4bvNdiXLotQ8CfsnPevTnJjobT63XU5xc7NJKoVvf4gaX593WlL9wd/urG5flktm GgjfOvsAUiK8V9Cdg+RMkjvUUHStjiIUsLb2SIhvZ8s8ld5qeXIF9vlJa3YUb2/j FWcRqO4Hva6Fbx5Gpp3GNxdJh0km50EQlQg+pVAYyA25PrQbaaKa+2mAu9giTINo fm5CH5MUQ5g0exU/nv7JKjNZ3S46wLznurCsxWQD00W0bYMs0kZCCFWkU9Fv+y4g rwg1VHLmleTZwlOaXXfE/8ufaetK0QBjcy0y3k0byY0IlCT61UrMX/zTUGph3UVX lH0F2Op+uQ7zDSEaIp6P2qnpIMLQbf1PHD9OO+7f5bFpFBcK41I/vJGrpZsg8f8F RivKgOFIjPB5enB4847tr/AYafYduoxzHUunXeegXN8h45dolC1xSrhL7pHEyLfM 8S//yphyIrUe5bXF2qZS2Wsk3E8ham5tD4c2Hb7W3rTOLgG2p/r2to8boJkRQ8On uvzNkQXHwI5tZRNIUOPP/XqdhudDMWGXXbNSttZDVjZ5+3OLqM0bQ03sFZbqlob8 0AOUgj0QlgfPNMtA5e9LPrDRuTmD5Kup2oRcuHjSRAEl8iMryZhCFPV2P0+nQuJF tIo6opefJEobtRZ63nLmmNxWb14vmjW5srX9HHjIJ7KxzPRusbQPgHm6sxLyEFyH PoTa =swiM —–END PGP MESSAGE—–

Like this post? Want to comment? Join Ricochet’s growing community of conservatives and be part of the conversation. Get your first month free.

1. 1
2. 2
1. Inactive

• #1
• March 2, 2016, at 2:01 AM PDT
• Like
2. Inactive

Gabriel, thank you for the well-written, well-argued post. I submit that this is a few typos away from a front page post.

“Encryption is far too important to be left in the hands of the government.”
(Schneier?)

• #2
• March 2, 2016, at 2:03 AM PDT
• Like
3. Member

Gabriel, very interesting and clever. Very much like!

• #3
• March 2, 2016, at 3:02 AM PDT
• Like
4. Inactive

Great piece!! I was a cryppie (as they are called) in the Navy. I never got anywhere near this far into the gig, but I find it wonderfully fascinating. By the way, thanks for the bank info….;-)

• #4
• March 2, 2016, at 3:29 AM PDT
• Like
5. Thatcher

I agree with your post. The real argument here is not about encryption, because as far as I know, once encrypted in a good public key encryption system, (not all qualify as good) it is very likely no-one except the private key holder can with finite resources crack the code. And even if they did, at immense cost, in time, resources, and money crack that message, the next message starts the problem all over again, so they get hopelessly behind. If it takes a month to crack one message, what can you do with a trillion messages per day, continuing? Not much.

No the argument isn’t about encryption, its about creating a back door, or another private key to not just one user’s encryption, but to everyone’s, oh and by the way, it likely won’t work to create back doors into only some accounts (the truly bad guys, trust us, we are the government at we are here to help you!) but that door will have to exist into everyone’s account, so when the bad guys get it, and they will, no ones encryption will be any good. Side question, can we believe the government is a “Good Guy” Human history suggests that is a bad bet.

One immediate problem with this, once it is known that such a door exists, any sensible person will use someone else’s encryption system, say not made by our favorite American company, who has been coopted by our friendly government, but rather by some other company, foreign, so not subject to our law, and because our government will then ban the use of non-approved encryption, read encryption lacking the back door, all lawful citizens will be left with only the risky, bad idea, government tool, and all the bad guys will get their non-back doored system from their own in house, bad guy techies.

Result, criminals will have unbreakable good encryption and the rest of us will be stuck with government issue eye-candy.

Government predictably will try progressively tougher restrictions to keep control, they will fail, or they will transform the first amendment into a joke, You have freedom of speech, as long as you get it approved by you favorite, local bureaucrat.

Welcome to newspeak.

• #5
• March 2, 2016, at 4:00 AM PDT
• Like
6. Thatcher

What bank do you use? What is your username at the bank?

• #6
• March 2, 2016, at 4:28 AM PDT
• Like
7. Member

Great explanation. But, how does all this Chinese hacking occur (or any hacking for that matter?)

• #7
• March 2, 2016, at 4:34 AM PDT
• Like
8. Inactive

Egg Man:Great explanation. But, how does all this Chinese hacking occur (or any hacking for that matter?)

Failure to protect keys. Failure to close other routes in. Failure to use no-kidding encryption and rely instead on “kid-sister” encryption, which is mere obfuscation.

• #8
• March 2, 2016, at 5:48 AM PDT
• Like
9. Inactive

Most “hacking” that you read about is people guessing weak passwords. Frankly you should be ashamed, not proud, if you guessed a “0000” pin or [email protected]!

• #9
• March 2, 2016, at 5:49 AM PDT
• Like
10. Inactive

A few points:

• Practical asymmetric encryption still relies on symmetric ciphers, which do the bulk of actual crypto work. For example, in the PGP message you posted the unencrypted data is first encrypted using a symmetric cipher, and then the symmetric key is encrypted using the asymmetric key of whoever you are sending the message to and is signed using your own asymmetric key, to verify that you are the sender.
• TLS is used to secure communication between clients and servers. (That’s the lock icon in your browser address bar.) However, TLS suffers from some pretty big shortcomings on the authentication side of things. The core problem is TLS usually relies on centralized authorities for authentication. Right now, your browser probably has built in root certificates for multiple governments, including the U.S. government and the Chinese government. Anyone who has a built-in root certificate can impersonate any site on the Internet, and there’s not a lot right now to stop it. (For more popular sites there are some ad hoc measures meant to prevent egregious falsification, but it’s not a great system.)
• The issue of government keeping keys secret is probably less of an issue than people assume. The U.S. government already has lots of encryption keys whose exposure would be a disaster. The same is true for a number of private companies and foreign governments.
• None of this is particularly relevant to the FBI/Apple discussion, as the FBI isn’t asking Apple to build a global cryptographic backdoor. They’re asking Apple to create a custom version of iOS which will disable certain security features so they can brute force the PIN on the iPhone that was in the possession of one of the San Bernardino terrorists.
• #10
• March 2, 2016, at 7:00 AM PDT
• Like
11. Inactive

Great job. It is posts like this one, both helpful and fascinating, that make Ricochet so valuable and amazing. Ricochet is the best deal on the internet. I now have a much deeper understanding and appreciation for Apple’s position in this matter.

• #11
• March 2, 2016, at 7:53 AM PDT
• Like
12. Member

If Apple creates the backdoor wouldn’t the tech community, not being onboard with this at all, make a super secure version of android, and then the true baddies would just download that version. Then the government has no throat to choke.

And do we start a pool on how long this super secret special OS version not end up on wikileaks?

• #12
• March 2, 2016, at 8:00 AM PDT
• Like
13. Member
Gabriel Sullice Post author

Ball Diamond Ball:And your public key?

https://github.com/gabesullice/public-keys/blob/bc5af25045616c6e8e1d70553f6eae10a056e25f/galaxy.gpg.pub.asc

Fake John/Jane Galt:What bank do you use? What is your username at the bank?

Wells Fargo. I’ll leave my username to simple social engineering ;)

M.P.:A few points:

@M.P. We mostly agree, and let’s suffice it to say that my post is a vast simplification. As I said, “Layman’s terms.” I also did open with saying that I’m not directly commenting on the Apple case. I don’t know enough about it to speak intelligently.

I can’t help but indulge you a little bit though ;)

To you PGP point: I think one of the downfalls of PGP is its flexibility and huge set of options. There’s many ways to use it and thus it’s not easily accessible to most people.

To your point on TLS: Yes, it relies on central authentication, but all encryption is based on some form of trust. With TLS, that trust is established and derived from the same mathematical underpinnings. Once trust is established, TLS then uses a Diffie-Helman key exchange to agree upon the symmetric key using the math I described again so that the symmetric key is only known to the sender and receiver. Much like a one-time pad.

• #13
• March 2, 2016, at 8:23 AM PDT
• Like
14. Member
Gabriel Sullice Post author

Egg Man:Great explanation. But, how does all this Chinese hacking occur (or any hacking for that matter?)

There are lots of “attack vectors” that a hacker can use. The simplest, and often most effective is “social engineering.” That happens when an attacker uses our human instincts against us. Like guessing a password based on birthdays or names. It might also look like leaving a flash drive somewhere in the open labelled “Family Photos.” A less paranoid government worker might be curious and put that flash drive into their laptop, injecting a virus.

Then, there’s “brute force.” That means trying many, many passwords until you find a match.

You can also attack someone via software. For example, that virus loaded from the flash drive might try to steal someone’s private key off their computer.

Another is through software bugs. There have been a number of big flaws found in one of the software implementations of RSA, openssl. Those bugs usually “leak” information. That may be by leaking parts of the private key if you’re computer is talking to a computer controlled by an attacker, or by incorrectly “padding” secret messages. That is, and this is a simplification, if your message isn’t large enough, you still want a “really big number” so one should try to generate random garbage to fill that space up. If you do that in a predictable way, one can start to discern what the private key may be.

• #14
• March 2, 2016, at 8:31 AM PDT
• Like
15. Inactive

Gabriel Sullice: To your point on TLS: Yes, it relies on central authentication, but all encryption is based on some form of trust. With TLS, that trust is established and derived from the same mathematical underpinnings. Once trust is established, TLS then uses a Diffie-Helman key exchange to agree upon the symmetric key using the math I described again so that the symmetric key is only known to the sender and receiver. Much like a one-time pad.

I’m not referring to the cryptographic aspects of TLS, but rather the Public Key Infrastructure. The PKI is horribly flawed because it relies on centralized Certificate Authorities vouching for the identity of a particular site. Since at a practical level, any CA can sign a cert for any domain*, this means every CA has enormous power.

Now, consider that the U.S. government and Chinese government, among others, have CA certs that are recognized by most browsers and you get to the root (ahem) of the problem: any CA can impersonate pretty much any site and stage a man-in-the-middle attack. So you might think TLS is securing your connection to your bank or webmail provider or what-have-you, but it’s quite possible the connection has been compromised by someone with a CA cert. (e.g. the Feds or the Chinese government)

(*There are some rudimentary methods of protecting big sites like Facebook and Paypal by hard-coding their certs into the client. This was started by Google with Chrome and Firefox does it, too. However, it’s not a really scalable or universal solution to the problem of rogue CAs.)

• #15
• March 2, 2016, at 8:51 AM PDT
• Like
16. Thatcher

Fake John/Jane Galt:What bank do you use? What is your username at the bank?

Wells Fargo. I’ll leave my username to simple social engineering ;)

Seriously? That is all you have in those accounts. After seeing the state of your finances I just do not have the heart to take your money.

• #16
• March 2, 2016, at 8:55 AM PDT
• Like
17. Member
Gabriel Sullice Post author

M.P.:

I’m not referring to the cryptographic aspects of TLS, but rather the Public Key Infrastructure. The PKI is horribly flawed because it relies on centralized Certificate Authorities vouching for the identity of a particular site. Since at a practical level, any CA can sign a cert for any domain*, this means every CA has enormous power.

Now, consider that the U.S. government and Chinese government, among others, have CA certs that are recognized by most browsers and you get to the root (ahem) of the problem: any CA can impersonate pretty much any site and stage a man-in-the-middle attack. So you might think TLS is securing your connection to your bank or webmail provider or what-have-you, but it’s quite possible the connection has been compromised by someone with a CA cert. (e.g. the Feds or the Chinese government)

(*There are some rudimentary methods of protecting big sites like Facebook and Paypal by hard-coding their certs into the client. This was started by Google with Chrome and Firefox does it, too. However, it’s not a really scalable or universal solution to the problem of rogue CAs.)

Agreed.

Seriously? That is all you have in those accounts. After seeing the state of your finances I just do not have the heart to take your money.

And I thought software paid well ;)

• #17
• March 2, 2016, at 9:03 AM PDT
• Like
18. Thatcher

Unrelated to encryption, but related to personal security, what is your suggestion for Password storage. Every thing I log into has its own password and log in. A piece of paper next to my desktop is not a great solution. Is there a good solution that is mostly secure that is cross platform? I just cannot remember every log in and password for everything I log into.

Bryan

• #18
• March 2, 2016, at 9:53 AM PDT
• Like
19. Thatcher

Building on the title, frankly, I’d love a secret decoder ring I wore that worked with a password for it, so I had one password that I remembered and it stored the rest.

• #19
• March 2, 2016, at 9:54 AM PDT
• Like
20. Editor

By the way — you “pray this is just a result of their own ignorance, and not a more cynical, informed duping of the American public.” I sort of pray the reverse: Don’t you find it comforting to think maybe they’re just pretending not to understand this? That they’re more competent than they sound? I don’t know if I could sleep at night if I thought they really had absolutely no idea how any of this worked.

• #20
• March 2, 2016, at 10:01 AM PDT
• Like
21. Member
Gabriel Sullice Post author

Bryan G. Stephens:Unrelated to encryption, but related to personal security, what is your suggestion for Password storage. Every thing I log into has its own password and log in. A piece of paper next to my desktop is not a great solution. Is there a good solution that is mostly secure that is cross platform? I just cannot remember every log in and password for everything I log into.

Bryan

I personally use pass (passwordstore.org), but I wouldn’t recommend it for a non-technical person. For the average consumer, 1Password and LastPass are great tools. Essentially they will let you create random, secure passwords for every site you use. They encrypt and store these for you and you simply need to remember a single password to unlock them. Both have plugins for most browser to pre-fill login forms on the sites you visit as well as iPhone/Android apps to do the same.

Using those, your phone becomes your secret decoder ring! Just promise me that you’ll use a pass phrase for you “password of passwords.” E.g. A pass phrase like “jumping yogurt horse wing” is a lot better than “987u3frae**”. It’s easy to remember so that you will NOT write it down and it’s actually quite a bit longer, making it more secure against a brute force attack.

• #21
• March 2, 2016, at 10:46 AM PDT
• Like
22. Member
Gabriel Sullice Post author

Claire Berlinski, Ed.:By the way — you “pray this is just a result of their own ignorance, and not a more cynical, informed duping of the American public.” I sort of pray the reverse: Don’t you find it comforting to think maybe they’re just pretending not to understand this? That they’re more competent than they sound? I don’t know if I could sleep at night if I thought they really had absolutely no idea how any of this worked.

Not when they’re advocating breaking and limiting access to strong encryption. If they’re just ignorant, they might be convinced otherwise and experts might prevail. If they know what they are talking about, then they’re actively deceiving the American public with ill-intent.

• #22
• March 2, 2016, at 10:46 AM PDT
• Like
23. Inactive

Hey Gabriel what’s your home address. We’d like to try a rubber hose attack…..just kidding great article.

• #23
• March 2, 2016, at 10:55 AM PDT
• Like
24. Member

Claire Berlinski, Ed.:By the way — you “pray this is just a result of their own ignorance, and not a more cynical, informed duping of the American public.” I sort of pray the reverse: Don’t you find it comforting to think maybe they’re just pretending not to understand this? That they’re more competent than they sound? I don’t know if I could sleep at night if I thought they really had absolutely no idea how any of this worked.

Encryption is a fact of our technology. Since most people hear the word “computer” and zone out, I’m fine with public officials not understanding how it works.

Just so long as they leave it to the people who actually know what they are doing.

• #24
• March 2, 2016, at 1:26 PM PDT
• Like
25. Coolidge

M.P.: They’re asking Apple to create a custom version of iOS which will disable certain security features so they can brute force the PIN

Thanks for the reminder. I heard that early on and forgot it.

• #25
• March 2, 2016, at 1:28 PM PDT
• Like
26. Member

Gabriel, have you messed with keybase.io?

Just promise me that you’ll use a pass phrase for you “password of passwords.” E.g. A pass phrase like “jumping yogurt horse wing” is a lot better than “987u3frae**”. It’s easy to remember so that you will NOT write it down and it’s actually quite a bit longer, making it more secure against a brute force attack.

The explanation for the above is as follows. If you have 26 letters you can choose to make a password, you have 26^n possible passwords, where n is the number of keys you press to get your password. If you expand that to the special characters, the 10 at the top of your keyboard, you have 36^n possible combinations, but they are now harder to remember.

If you pick a short password with special characters, let’s say 10 characters, you have 36^10 or 3656158440062976 possible passwords. If you pick a longer password, 20 characters, but stick with easy sets of words (ideally 4 or more words to prevent dictionary attacks), you get 26^20 possible passwords: 19928148895209409152340197376.

A passphrase like above, “jumping yogurt horse wing” has 26 characters, out of a set of 27 (lowercase and spacebar). 27^26: 16423203268260658146231467800709255289 possible passwords. “987u3frae” is from a set of 46 (numbers, special characters, and lowecase letters), and is 9 letters long. 46^9: 922190162669056 possible passwords.

One of these is harder to discover by guessing.

• #26
• March 2, 2016, at 1:38 PM PDT
• Like
27. Thatcher

Bryan G. Stephens:Unrelated to encryption, but related to personal security, what is your suggestion for Password storage. Every thing I log into has its own password and log in. A piece of paper next to my desktop is not a great solution. Is there a good solution that is mostly secure that is cross platform? I just cannot remember every log in and password for everything I log into.

Bryan

I use an algorithm, so each site has a unique password and it is never written down.

• #27
• March 2, 2016, at 1:44 PM PDT
• Like
28. Coolidge

I secure my passwords using a program called KeePass. My password file is secured with both a certificate and a strong password. I’m confident enough in it that I store my password file in the cloud so that I can access it from any device. I prefer this to using cloud services. My reasoning is:

• It’s harder to defeat even mediocre encryption than it is to exploit many other vulnerabilities.
• All systems, including KeePass, have other vulnerabilities.
• The bigger the target, the more likely a vulnerability is to be identified.
• Companies that store millions of credentials are big targets.

I’m far more concerned that one of my devices will get compromised than I am that the encryption will be cracked.

• #28
• March 2, 2016, at 2:29 PM PDT
• Like
29. Inactive

M.P.: None of this is particularly relevant to the FBI/Apple discussion, as the FBI isn’t asking Apple to build a global cryptographic backdoor. They’re asking Apple to create a custom version of iOS which will disable certain security features so they can brute force the PIN on the iPhone that was in the possession of one of the San Bernardino terrorists.

Exactly this.

• #29
• March 2, 2016, at 2:47 PM PDT
• Like
30. Inactive

Chuck Enfield:I secure my passwords using a program called KeePass. My password file is secured with both a certificate and a strong password. I’m confident enough in it that I store my password file in the cloud so that I can access it from any device. I prefer this to using cloud services. My reasoning is:

• It’s harder to defeat even mediocre encryption than it is to exploit many other vulnerabilities.
• All systems, including KeePass, have other vulnerabilities.
• The bigger the target, the more likely a vulnerability is to be identified.
• Companies that store millions of credentials are big targets.

I’m far more concerned that one of my devices will get compromised than I am that the encryption will be cracked.

I also use KeePass. The application will also run off a USB drive without having to install, so you can keep your decoder in your pocket.

Bryan, here is your decoder ring.

• #30
• March 2, 2016, at 3:01 PM PDT
• Like
1. 1
2. 2