Passwords, Data encryption, and the underutilized file format

When it comes to data security, a holistic approach is always best: using only secured connections on closed networks, changing the default passwords on wireless routers, shutting down computers when not in use, and password protecting everything. The fact still remains that with enough time and the proper program, anyone can gain access to anything. All they need is the desire to get in, and the only way to be 100% secure is to be 100% disconnected from the internet.

The best we, those connected to the internet, can hope for is to store our information on servers that are not as high of a target and make it as difficult as possible to access and read the information contained. The former can be attained by hosting our own cloud servers (see The Personal Cloud), through encrypted Content Management Systems, and FTP sites; the latter can be achieved by password protecting our machines, files and folders. Now, when I refer to passwords, I do not mean your favorite pet’s name or the city you live in, or even a simple combination of intelligible letter combinations and a number of significance. Hold on to your hats, kids, it’s time to do some math.

Passwords

Because of the minimum requirements established for a lot of websites, most passwords are about eight case-sensitive alphanumeric characters long, allowing for 62^8 possible permutations, or 218.3 trillion, which seems like a lot. However, consider that commercially available password cracking software for a regular desktop environment available five years ago could try 2.8 billion passwords per second: it would take a regular off-the-shelf computer with the cracking software about 22 hours to crack an 8-character password by brute force alone (literally checking every possible combination). Performing a brute force crack would be more time consuming than, say, a dictionary attack, pattern checking, word list substitutions, et cetera.

The most secure passwords are randomized and composed of at least 25 case-sensitive, alphanumeric characters ([A-Z] [a-z] \d). With this setup, there are 62^25 or 645.3 quattuordecillion possible permutations, and with that many possible combinations, it would take the Tianhe-2 (the fastest supercomputer in the world at 33.86 quadrillion keys per second) about 614 quintillion years to crack. As a counterexample of how long cracking these passwords takes based on length, if we took a case-sensitive alphanumeric password that was 15 characters long, the Tianhe-2 could crack it in about 267 days (less than a year). Clearly, for security purposes, you would want to have a password where any computer would take more than a human lifetime to crack in order to feel somewhat safe.
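As an added example (not part of the original post), the Python sketch below generates a randomized password from the 62-character alphabet described above and estimates exhaustive-search time from a guess rate. The function names are illustrative, and the only rate used is the 2.8 billion guesses per second quoted for desktop software.

```python
import secrets
import string

# The article's alphabet: [A-Z] [a-z] \d, 62 symbols in total.
ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_password(length=25):
    """Draw every character independently from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def keyspace(length, alphabet_size=len(ALPHABET)):
    """Number of possible passwords of exactly `length` characters."""
    return alphabet_size ** length


def worst_case_seconds(length, guesses_per_second):
    """Time to try the whole keyspace. This bound only holds for random
    passwords; dictionary and pattern attacks beat it for human-chosen ones."""
    return keyspace(length) / guesses_per_second


def min_length(guesses_per_second, years):
    """Shortest random password whose full keyspace outlasts `years`."""
    length = 1
    while worst_case_seconds(length, guesses_per_second) <= years * SECONDS_PER_YEAR:
        length += 1
    return length


if __name__ == "__main__":
    DESKTOP_RATE = 2.8e9  # guesses per second, the desktop figure from the text
    print("sample password:", generate_password())
    hours = worst_case_seconds(8, DESKTOP_RATE) / 3600
    print(f"8 characters at desktop rate: {hours:.1f} hours")
    print("length needed to outlast 100 years:", min_length(DESKTOP_RATE, 100))
```
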

So now that we have established parameters for what a secure password is, we will move on to where we can and should use these passwords (aside from our personal accounts: social media, e-mail, banking, etc.).

Password protecting PDFs

Portable Document Format documents, or PDFs, allow you to password protect the document on two levels. The first will require a password to open the document. This is the most useful for data security as it restricts others from viewing the content; however, it is the most impractical because of the way most of us use the PDF format. The other level will allow anyone to view the document, but will restrict the level at which they can interact with the data contained. This process, as explained by Alaina Brantner, is outlined in my previous post, On “Lying through their teeth: Identifying Translation Scams,” in the section on “Translators: stop sending out your CV in editable document format.”

.ize files

The second place where we can use these passwords to protect our information is the .ize file. I feel .ize files are an underutilized file format in our industry. And if you think sending the packages that are exported from CAT tools is secure, consider this: all you have to do is change the file extension from .sdlppx (for example) to .zip and you can access, view, and modify the contents of the exported package.
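A check you can run before sending a package, as an added example that is not part of the original post: the Python sketch below tests whether a file is a ZIP container regardless of its extension and reports which members carry no encryption flag. The sample package and its member names are constructed for illustration and are not a real CAT tool export.

```python
import os
import tempfile
import zipfile


def inspect_package(path):
    """Return None if `path` is not a ZIP container, whatever its extension;
    otherwise a list of (member name, encrypted?) pairs."""
    if not zipfile.is_zipfile(path):
        return None
    with zipfile.ZipFile(path) as zf:
        # Bit 0 of the general-purpose flag marks an encrypted member.
        return [(info.filename, bool(info.flag_bits & 0x1))
                for info in zf.infolist()]


def unprotected_members(path):
    """Names of members anyone can read after renaming the file to .zip."""
    report = inspect_package(path)
    if report is None:
        return []
    return [name for name, encrypted in report if not encrypted]


def build_sample_package(directory):
    """Constructed sample: a plain ZIP saved under a CAT-style extension."""
    path = os.path.join(directory, "sample_project.sdlppx")
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("project.xml", "<project/>")  # hypothetical member names
        zf.writestr("en-US/source.txt", "confidential client text")
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as workdir:
        package = build_sample_package(workdir)
        for name in unprotected_members(package):
            print("readable without a password:", name)
```
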

So, if you want to encrypt the files contained within a zip file, you will need a tool called IZArc that you can download from izarc.org (you can also use this to encrypt your exported CAT tool packages).

Say you have a zip file that you want to encrypt before sending out. In IZArc, click on Tools > encrypt.

IZArc will present you with the standard file (.zip) and the encrypted file (.ize). As long as the file paths are okay, click on “encrypt” and it will prompt you for a password.

Type in your password and click OK.

You will be asked to re-enter the password. Do so and click OK.

After the program works its magic, a new .ize file will be created at the pre-determined destination.

When you try to open it, the window will pop up, but you will need to decrypt the file before opening it.

Click on “Decrypt.”

Enter your password and click OK.

Let the program work, and in the predetermined destination, a new .zip file will appear.

Now, it should go without saying that you should not send the password to decrypt the .ize file in the same correspondence as the one you are using to send the file itself. I would not even recommend sending the password along via the same method. If you send the file by e-mail, send the password to decrypt it via phone or text message.

For more information on brute force password cracking based on keys per second, visit Foundstone’s Open Security Research Brute Force Calculator. And please feel free to contact me if you have any questions regarding this and other issues regarding internet security in the Translation industry.

3 comments on “Passwords, Data encryption, and the underutilized file format”

  1. Another great article, Joe! Thanks for the mention. I’m curious about your thoughts on password storage applications like “LastPass”. Do you have any advice for password management?

    The advice on file encryption should be required reading for project managers, who often “blast” clients’ intellectual property out to any number of vendors when trying to assign a job. I’ll keep these strategies in mind in my work for sure!

  2. It all depends on how much you trust the holder of the information. You can equate it to childcare. I quote Robert DeNiro in Meet the Parents, “Can you ever really trust another human being? … The answer is no, Greg. No, you cannot.”

  3. Really nice blog. When I started my company I was really concerned about security, and I consulted the cyber security solutions NCI (http://nci.ca/) for doing the encryption, authentication etc. I was not aware of password security and all. It will be good information for all those who fear about website and data security.
