Encryption: What You Need to Know

By Joe Gervais, a Symantec employee

We all use encryption, often without realizing it. In fact, it’s an essential part of our digital lives.

Consider its role: Encryption helps keep you safe while doing things like browsing the Web, shopping online, and reading email on your computer or mobile device. It’s critical to computer security, helps to protect data and systems, and helps to protect you against identity theft.

Understanding encryption can help you better protect your information, but few people know how it really works.

That's not your fault. Most descriptions of encryption seem to be written for mathematicians and security specialists, and they probably already know all about it, anyway.

Wouldn't it be nice to read something about encryption that didn't require a semester of math at your local community college? Well, let's give it a try.

First, we'll learn a little about encryption, then we'll look at how your own choices can make a real difference to the security of your data.

How encryption works (meet Bob and Alice)

Encryption is a way of preventing people from reading information you want to keep private. It does this by using math and procedures to turn your data into a scrambled mess that doesn't make any sense.

If someone tries to read your encrypted data, they won't have much luck. Only the people who know the secret—a "key" or password—can unlock and read the data inside. Unlocking encryption is called "decryption." It reverses the encryption of the scrambled data and restores it to its original form. Because only you and the person you're writing to know the password that can do this, your encrypted message is safe even if someone steals it along the way.

Pretty useful, right?

The basic encryption process goes something like this: Bob wants to send a message to Alice, and he only wants Alice to be able to read it. Encryption to the rescue! First, Bob needs to encrypt the message using a password that only he and Alice know. He feeds the message and the password into an encryption software program. That program then does a lot of math to turn the message into something completely unrecognizable.

Bob then sends the encrypted message to Alice, knowing that if anyone along the way manages to steal a copy, all they'll have is a bunch of unrecognizable data. When Alice receives the encrypted message, she feeds the encrypted message and the password into the same program that Bob used. If the password matches the one Bob used to encrypt the message, out comes the original message for Alice to read. This same process is how your Web browser talks to secure websites.

That all sounds great, and, of course, it's all done automatically when you're doing your online tasks such as shopping and banking. The only difference is that as a user you play the role of Bob, and the site you're logging into is Alice.

Good enough. But a few things can go wrong. Knowing about them will help keep you secure. Here are four topics worth learning about.

1. Watch out for weak passwords

Hacking passwords is a common way for attackers to access your accounts. If Bob chooses a password that's easy to guess, then anyone who steals a copy of the encrypted message can just try to guess the password and decrypt the message.

In the case of data breaches, sometimes the stolen data includes the passwords themselves, in encrypted form (mathematically "hashed," in nerd terms). That’s why, when companies suffer computer breaches, they're supposed to tell you if your passwords were also stolen, and whether or not the passwords were encrypted.

Time to put yourself in the role of the attacker. If you had a stolen, protected password, where would you start guessing? A few of the guesses you’d come up with might be "password", "password123", or "Password123!".

Well, if those passwords don’t seem like top-notch security, it gets worse. Real attackers are going to use computers to do all the guessing, and that lets them make a lot of guesses. How many?

Well, consider this: I work as a security specialist, and in my own lab, I built a system that can make more than 4 billion guesses every second. That's 240 billion guesses every minute. That’s a lot of guesses.

Most people create their passwords by choosing a word and adding a number and a special character, ending up with something like "Beaches2017!". My password-guessing computer creates its guesses the same way. And, remember, it's making 240 billion guesses every minute, using every word in the dictionary. I also add in song lyrics, movie titles, band names, every Pokemon, every Transformer. The computer does the rest.

2. Learn how to create strong passwords

So how do you make a strong password?

Long, random passwords—using uppercase and lowercase letters, numbers, and special characters—are the strongest. But unless you're a robot, you're not going to be able to keep those in your head.

Programs called password managers help take care of that for you. The password manager creates long random passwords for each of your accounts, and many will auto-fill them into your login pages when you need them. But password managers take time to set up, and, unfortunately, most people won't end up using them.

So what can you do if "Cheeseburger1985$" is the best you usually come up with? Good news. Here’s a simple trick to help you be more secure: Build your password out of five or more random, unrelated words. It sounds simple and it is. Mathematically, it's much harder to attack than a single word that's been modified. But it's probably still easy enough for you to keep in your head.

Remember, in order for this to work, the words you choose must be random, unrelated words. "Iloveyoutoo" and "returnofthejedi" don't count. Password-cracking computers use common sayings, movie titles, band names, lyrics, and more when they attack your password.

Instead, examples to aim for would look like "shavingBlarneykneeSkybbq" or "OatBendgroutSqueezedLynx". And, of course, don't use either of those examples because they're now on the Internet for everyone to see.
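The difference between the two approaches can be counted. The following is an added example, not code from the article or from Symantec: it builds a passphrase with a cryptographic random source and compares how many guesses cover each kind of password. The 200,000-word dictionary, the 7776-word list, and the exact "word + number + symbol" pattern are assumptions made for the illustration.

```python
import math
import secrets

# Constructed sample list so the example runs offline. A real generator should
# draw from a list of thousands of words (7776 is assumed below).
SAMPLE_WORDS = ["oat", "bend", "grout", "squeeze", "lynx", "shaving", "knee",
                "sky", "anchor", "velvet", "pickle", "thimble", "orbit",
                "mustard", "canyon", "ribbon"]
GUESSES_PER_MINUTE = 240e9  # the article's guessing rate against "easy math"


def make_passphrase(words, count=5):
    """Pick `count` words independently and uniformly with a CSPRNG."""
    if count < 5:
        raise ValueError("use five or more words")
    return "".join(secrets.choice(words).capitalize() for _ in range(count))


def passphrase_keyspace(list_size, count=5):
    """Equally likely passphrases when each word is a free random choice."""
    return list_size ** count


def modified_word_keyspace(dictionary_size, cases=2, numbers=10_000, symbols=32):
    """Guesses covering every 'word + number + symbol' password such as
    "Beaches2017!": any dictionary word, capitalised or not, 0000-9999,
    followed by one of 32 punctuation characters (assumed pattern)."""
    return dictionary_size * cases * numbers * symbols


def minutes_to_exhaust(keyspace, rate=GUESSES_PER_MINUTE):
    """Minutes needed to try every candidate at the given guessing rate."""
    return keyspace / rate


if __name__ == "__main__":
    pattern = modified_word_keyspace(200_000)   # assumed 200,000-word dictionary
    phrase = passphrase_keyspace(7776)          # assumed 7776-word list
    print("sample passphrase:", make_passphrase(SAMPLE_WORDS))
    print(f"word+number+symbol: {math.log2(pattern):.1f} bits, "
          f"{minutes_to_exhaust(pattern):.2f} minutes to try them all")
    print(f"five random words:  {math.log2(phrase):.1f} bits, "
          f"{phrase / pattern:,.0f} times more guesses")
```

The count only holds when the words are picked by the random source. Words a person chooses because they belong together fall back into the attacker's dictionary of sayings and titles.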

Still, it’s a good idea to find a reputable password manager application and use it to keep your passwords, well, managed.

3. Lower the risk of stolen passwords

Even the most secure password isn't secure at all if someone steals it from you. Malicious links in phishing email and text messages can lure you into fake login pages, where criminals could capture your username and password.

But writing your password on a sticky note and placing it on your computer screen (or under your keyboard) is also a serious problem. Plenty of crime involves someone known to the victim. And, in the case of offices, sometimes just looking through a window is enough to see a password written down somewhere.

So keep your passwords to yourself. Never share your account password with other people. If you do, you'll have to accept that they may misuse your account, or fail to protect the password and allow others to get their hands on it, too.

A big problem with someone stealing your password is that you're probably reusing that password all over the place. Again, you aren't a computer. It's not realistic to expect you to memorize 80 different passwords for your 80 accounts and devices. (Remember those password manager applications we talked about?)

If someone steals the password for your online video service, is it the same password you use for your bank? Your retirement account? Your online personal photos? If you don't have unique passwords for all of your accounts, please at least make sure your critical accounts have their own passwords, including your email account.

4. Know the hazards of weak encryption

This isn't something you would normally be able to control. Instead, it's usually a problem with the company that's storing your data. Remember all the procedures and math we were talking about earlier? Well, just like the math you did in school, some problems are really easy and some are really, really hard.

For encryption to be secure, it needs to use math that is really, really hard to solve. Remember my password-hacking computer? It can make 240 billion guesses per minute only when the data is encrypted using easy math.

Unfortunately, some companies that store passwords and other data use that easy math for protection. If that data is stolen in a computer breach, the attackers will have a much easier time. However, when data is protected using really, really hard math, my password-guessing computer may only be able to make around 50,000 guesses per minute, because it takes a (relatively) long time for the computer to calculate the math for each guess.

Sure, 50,000 guesses is still a lot of guesses, but if you made a strong password using the tips above, it could take more than 100 years for my computer to guess your password—instead of a few hours.
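What "easy math" and "hard math" look like for a site that stores passwords, as an added example that is not from the article: a single SHA-256 pass stands in for the easy case and salted PBKDF2 for the hard one. The choice of PBKDF2 and the iteration count are assumptions; the article does not name an algorithm.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000  # assumed work factor for this example; tune to your hardware


def fast_hash(password, salt):
    """'Easy math': one SHA-256 pass, cheap for defender and attacker alike."""
    return hashlib.sha256(salt + password.encode()).digest()


def slow_hash(password, salt):
    """'Hard math': PBKDF2 repeats HMAC-SHA-256 ITERATIONS times per guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def store(password):
    """Return (salt, hash) for the site's database; the password is not kept."""
    salt = os.urandom(16)  # unique per user, so one guess tests one account
    return salt, slow_hash(password, salt)


def verify(password, salt, stored):
    """Recompute the slow hash at login and compare in constant time."""
    return hmac.compare_digest(slow_hash(password, salt), stored)


def seconds_per_guess(fn, rounds):
    """Average cost of one guess with `fn` on this machine."""
    salt = b"\x00" * 16  # constructed fixed salt, used for timing only
    start = time.perf_counter()
    for i in range(rounds):
        fn(f"guess{i}", salt)
    return (time.perf_counter() - start) / rounds


def article_slowdown(fast_per_min=240e9, slow_per_min=50_000):
    """Slowdown implied by the article's two guessing rates."""
    return fast_per_min / slow_per_min


if __name__ == "__main__":
    fast, slow = seconds_per_guess(fast_hash, 1000), seconds_per_guess(slow_hash, 3)
    print(f"one guess: fast {fast:.2e}s, slow {slow:.2e}s, ratio {slow / fast:,.0f}x")
    print(f"slowdown implied by the article's rates: {article_slowdown():,.0f}x")
```

A legitimate login pays the slow cost once, while someone guessing against stolen hashes pays it for every candidate password.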

Good guys, bad guys, encryption, and you

Encryption is just a tool, and like roads and phones, everybody gets to use it. This includes the bad guys, and online criminals have found ways to do exactly that.

Hello, ransomware.

Ransomware relies on encryption to scramble all of your data, using the criminals' own secret key. The attackers then demand a ransom for the secret key that will unlock your scrambled data.

Some criminals take your money and run without sending you the key; others make mistakes in the encryption and can't restore your data even if they wanted to. And sometimes security researchers are able to attack the passwords of some ransomware campaigns and publish them for victims to use for free.

It’s a nice twist: Ransomware turns our "defender/attacker" discussion on its head, since now the good guys are attacking the encryption.

So that's encryption. There's a lot more to it than that, but hopefully this gave you the big picture along with some useful tips to help keep you safer out there.
