Building a Better Password


Ali, Saqib

Oct 10, 2009, 12:07:06 AM
to squar...@googlegroups.com
What drives William Cheswick, an ATT researcher, and other researchers
particularly nuts is that the "dictionary" attacks that these
complicated passwords are supposed to repel have been largely
supplanted by "phishing," which tricks users through deceptive e-mails
and look-alike Web sites into unwittingly handing over passwords
directly to hackers. For all the hoops the users have to jump through,
researchers say they're mostly fighting the last war. "Users have this
secret feeling that they don't need these rules, and they're right,"
says Cheswick, who is known as one of the fathers of Internet
security.

Read more:
http://www.newsweek.com/id/217014/page/1

Youngquist, Jason R.

Nov 24, 2009, 11:18:32 AM
to squar...@googlegroups.com
Currently we are using PGP's whole disk encryption software on our laptops, but are looking at moving toward Windows 7 sometime in the near future. As I understand, Windows 7 Enterprise comes with BitLocker and BitLocker To Go. I was wondering if anyone has looked at the differences between PGP WDE and BitLocker. If I remember correctly, some data loss laws state that an organization doesn't have to disclose a breach (i.e. if a laptop was stolen with PII) if whole disk encryption was used at the time. BitLocker on Windows 7 doesn't appear to be "true" whole disk encryption because it creates a hidden boot partition, but BitLocker creates a hash of the partition and if the partition is modified, a 48-digit recovery key is needed in order to boot up the laptop. So, my question is, would an organization have to disclose a data breach if a laptop had BitLocker installed on it?

For example, "As part of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which comes into effect from 23 September, health organizations in the US that use encryption will no longer be obliged to notify clients of breaches."
http://www.theregister.co.uk/2009/09/17/healthcare_breach_disclosure/



If one does a bit of googling, the term "whole disk encryption" is used quite a bit when talking about Windows 7 BitLocker.

PGP WDE is a good product, but every year we have to pay for maintenance and support, and perform upgrades on both the PGP Universal Server as well as the PGP Desktop client. Since we are an educational institution we get Windows 7 Enterprise as part of our licensing agreement. So if Windows 7 Enterprise with BitLocker is a viable alternative to PGP, it would save us money and time: when we deploy Windows 7, we could "Bitlock" the machines (both laptops and desktops) at the same time.

Appreciate any thoughts one might be able to provide.


From http://www.microsoft.com/windows/enterprise/products/windows-7/features.aspx#bitlocker
Easier to set up. Whether you need to protect internal or removable drives, BitLocker in Windows 7 makes that protection easy because it works with almost any drive. Windows 7 simplifies the encryption of internal drives by automatically creating the hidden boot partition necessary to use BitLocker to protect the OS volume, eliminating the need to manually select that option during installation or to repartition the drive afterward. Best of all, BitLocker can be enabled on drives running Windows 7 with a simple right-click.


From http://www.pcmag.com/article2/0,2817,2335346,00.asp
BitLocker To Go
Vista sailed in with a fleet of new security features, among them BitLocker, a whole-disk encryption tool designed to protect your data even after a malefactor makes off with your laptop. BitLocker reaches its full potential on computers that include a chip called a Trusted Platform Module (TPM). The TPM transparently decrypts the drive, but only after you've authenticated yourself with a password or smart card. A laptop thief can't break into the locked drive even by booting to a different OS or moving the drive to another computer.


Thanks.
Jason Youngquist
Information Technology Security Engineer, Security+
Technology Services
Columbia College
1001 Rogers Street, Columbia, MO 65216
(573) 875-7334
jryoun...@ccis.edu
http://www.ccis.edu


Garrett M. Groff

Nov 24, 2009, 9:02:30 PM
to squar...@googlegroups.com
Both PGP WDE and BitLocker maintain a relatively small portion of the disk
that is unencrypted. This is unavoidable (for all software-based FDE/WDE
solutions), else the machine would not be bootable.

BitLocker really shines when machines are equipped with TPM chips (chips
must be 1.2 compliant and enabled in the BIOS). Else, using USB sticks is
the only way to authenticate. With TPM chips, you can use "basic" mode
(transparent operation... machine boots normally if no boot components have
been modified), or various authentication options (PIN, USB, or PIN+USB).

PGP might be worth it if you are already familiar with it, if you don't have
TPM chips, if you use other features (like email encryption), etc.

Windows 7 Enterprise and Ultimate editions have BitLocker. The other
versions, including the Professional edition, do not have BitLocker.

---

Just to correct something below, the TPM chip does not "decrypt the drive."
The TPM chip is a chip that securely stores cryptographic information, such
as keys required to decrypt data on the hard disk, as well as hashes of boot
components (PCRs).


--------------------------------------------------
From: "Youngquist, Jason R." <jryoun...@ccis.edu>
Sent: Tuesday, November 24, 2009 11:18 AM
To: <squar...@googlegroups.com>
Subject: PGP WDE vs. Windows 7 Bitlocker
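The two posts above describe the same mechanism from different angles: Jason's "hash of the partition" that forces the 48-digit recovery key, and Garrett's TPM that holds keys plus "hashes of boot components (PCRs)". The following Python model is an added illustration, not code from Microsoft, PGP, or anyone in this thread. The PCR extend formula is the TPM 1.2 one (SHA-1 of the old PCR value concatenated with the component digest); the sealing, the SRK-derived wrapping, the recovery-password key wrapping (real BitLocker stretches the password through many SHA-256 rounds) and the `boot` decision logic are simplified stand-ins, and every key, boot component and recovery password in it is constructed. The recovery-password format check (eight 6-digit groups, each a 16-bit value times 11) goes slightly beyond what the posts say, as a worked check of what "48-digit" means in practice.

```python
"""Measured boot plus TPM key sealing, the mechanism behind BitLocker's
TPM-only ("basic") mode: the volume key is released only while the PCRs hold
the values they had when the key was sealed. Any change to a measured boot
component changes the PCR chain, the TPM refuses to unseal, and the user must
supply the 48-digit recovery password instead.
Added illustration, not code from Microsoft, PGP or anyone in this thread.
"""
import hashlib
import hmac

PCR_SIZE = 20  # TPM 1.2 PCRs hold SHA-1 digests (20 bytes)

# Constructed stand-ins for the boot components BitLocker has measured.
BOOT_COMPONENTS = [
    ("firmware", b"constructed firmware image"),
    ("mbr", b"constructed master boot record"),
    ("bootmgr", b"constructed Windows boot manager"),
]
VOLUME_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
SRK = b"constructed TPM storage root key"  # constructed
RECOVERY_PASSWORD = "111111-222222-333333-444444-555555-666666-123453-654390"  # constructed


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM 1.2 extend: PCR_new = SHA1(PCR_old || SHA1(component)).
    Each value folds in the previous one, so a given PCR value can only be
    reproduced by measuring the same components in the same order."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()


def measure_boot(components) -> bytes:
    """Replay the measurement chain from the power-on PCR value (all zeros)."""
    pcr = bytes(PCR_SIZE)
    for _name, blob in components:
        pcr = pcr_extend(pcr, blob)
    return pcr


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(volume_key: bytes, expected_pcr: bytes, srk: bytes) -> dict:
    """Simulated TPM seal: the key is wrapped under a stream derived from the
    storage root key and the PCR value, and the PCR value is recorded as the
    release policy (a stand-in for the TPM's internal PCR comparison)."""
    stream = hmac.new(srk, b"seal|" + expected_pcr, hashlib.sha256).digest()
    return {"pcr": expected_pcr, "ct": _xor(volume_key, stream)}


def unseal(sealed: dict, current_pcr: bytes, srk: bytes):
    """Release the key only while the current PCR equals the sealed one."""
    if not hmac.compare_digest(sealed["pcr"], current_pcr):
        return None
    stream = hmac.new(srk, b"seal|" + current_pcr, hashlib.sha256).digest()
    return _xor(sealed["ct"], stream)


def is_valid_recovery_password(pw: str) -> bool:
    """The 48-digit recovery password is eight 6-digit groups; each group is a
    16-bit value multiplied by 11, so it must be divisible by 11 and below
    65536 * 11 = 720896 (the divisibility acts as a per-group check)."""
    digits = pw.replace("-", "").strip()
    if len(digits) != 48 or not digits.isdigit():
        return False
    groups = [int(digits[i:i + 6]) for i in range(0, 48, 6)]
    return all(g % 11 == 0 and g < 720896 for g in groups)


def recovery_protector(volume_key: bytes, pw: str) -> bytes:
    """Second copy of the key, wrapped under the recovery password. Real
    BitLocker stretches the password through many SHA-256 rounds; a single
    hash is used here to keep the model short. XOR is symmetric, so the same
    call unwraps."""
    stream = hashlib.sha256(b"recovery|" + pw.replace("-", "").encode()).digest()
    return _xor(volume_key, stream)


def boot(components, sealed, srk, recovery, pw=None):
    """Returns (path, key): "tpm" when the measured chain still matches,
    "recovery" when a well-formed recovery password is supplied after the TPM
    refuses, and "locked" otherwise."""
    key = unseal(sealed, measure_boot(components), srk)
    if key is not None:
        return "tpm", key
    if pw is not None and is_valid_recovery_password(pw):
        return "recovery", recovery_protector(recovery, pw)
    return "locked", None


def demo() -> dict:
    """Seal the key at provisioning time, then boot clean, with a modified boot
    manager, and modified but with the recovery password; returns for each case
    the path taken and whether the original volume key was recovered."""
    sealed = seal(VOLUME_KEY, measure_boot(BOOT_COMPONENTS), SRK)
    recovery = recovery_protector(VOLUME_KEY, RECOVERY_PASSWORD)
    tampered = [(n, b"modified " + blob if n == "bootmgr" else blob)
                for n, blob in BOOT_COMPONENTS]
    results = {
        "clean": boot(BOOT_COMPONENTS, sealed, SRK, recovery),
        "tampered": boot(tampered, sealed, SRK, recovery),
        "tampered_recovery": boot(tampered, sealed, SRK, recovery, RECOVERY_PASSWORD),
    }
    return {name: (path, key == VOLUME_KEY) for name, (path, key) in results.items()}


if __name__ == "__main__":
    for name, (path, ok) in demo().items():
        print(f"{name:18s} -> path={path}, key recovered={ok}")
```

The point of the model is the third case: a modified boot manager does not expose the key and does not brick the machine; it just moves the user onto the recovery path, which is exactly the behaviour Jason describes. It also shows why Garrett's correction matters: the TPM never decrypts the disk itself, it only decides whether to hand back the sealed key.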