Unraveling Encryption: How It Works and Why It Matters
You change your password every week. You create complex passwords with letters, numbers, and symbols. When it comes to good ‘password hygiene,’ you’re the bee’s knees. But then one day, you get a notification. There’s been a data breach, exposing your password and other sensitive information.
But you’re not worried – well, you’re not freaking out at least. That’s because you know your password was encrypted.
Encryption might sound like a super technical concept, but the fundamental idea is actually quite simple. Let’s talk about what encryption is, the different kinds of encryption, and the role encryption plays in a strong cybersecurity posture.
What Is Encryption?
Simply put, encryption is a way to safely store your passwords. Through computer algorithms, encryption scrambles your password into something completely different and seemingly unrelated.
For example, let’s say your password is “FreshTitanExcellentSpoon” (a pretty solid password for reasons we’ll get to shortly). An encryption algorithm takes that password, and turns it into something like this: dg782h6ab4e09b613fg6c8a946a407736111cx9205c5c3ee17.
So, if a hacker with bad intentions were to locate your stored password on your computer or server, they wouldn’t be able to see your actual password, just the encrypted version – that is, unless they had the decryption key.
A decryption key is – you guessed it – the secret code that turns scrambled (encrypted) data back into its original form. Cryptographic keys are an important part of encryption, so let’s talk some more about what they are and why they matter.
The Keys to Encryption
A cryptographic key is a special code used to scramble (encrypt) or unscramble (decrypt) your data. You can think of it like a password for your passwords.
Keys are in fact the key to understanding the three main types of encryption: what they involve and how they differ.
Symmetric encryption, also known as “secret key encryption,” uses a single key to encrypt and decrypt data. As with a master key, you’ll want to guard this all-purpose code as fiercely as a magician guards their secrets. If a bad actor gets their hands on your master key, they can decrypt your data and use it to log in to your accounts and wreak havoc on your life.
Asymmetric encryption, or “public key encryption,” uses two keys – the first encrypts, the second decrypts. The first key is made public, while the second key – the decryption key – is private. It’s similar to a public mailbox. Anyone can send letters (put data in, which is then encrypted). However, only you can extract that data (make it readable by decrypting it). Only you have the key to taking things out of the mailbox.
Hybrid encryption combines both methods by first encrypting data with a symmetric key (our master key). That key is then encrypted by an asymmetric public key. Finally, this encrypted master key is sent along with its data to a trusted recipient who uses their private key to decrypt the master key and then uses that master key to decrypt the data. Does your head hurt yet?
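The three paragraphs above describe symmetric, asymmetric and hybrid encryption in words; here is the hybrid flow end to end as an added worked example in Go. This is not code from the original article or from The 20 MSP: it uses only the Go standard library, with AES-256-GCM for the symmetric "master key" step and RSA-OAEP to wrap that master key under the recipient's public key. The `Envelope` type, the `Seal` and `Open` function names and the sample message are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what the sender transmits: the symmetric "master key" wrapped
// under the recipient's public key, plus the nonce and ciphertext produced
// with that key. (Type and field names are assumptions for this example.)
type Envelope struct {
	WrappedKey []byte // AES key encrypted with RSA-OAEP
	Nonce      []byte // AES-GCM nonce; must be unique per message under a key
	Ciphertext []byte // AES-GCM output, authentication tag included
}

// Seal is the sender side: a fresh 256-bit AES key encrypts the data,
// then the recipient's public key encrypts that AES key.
func Seal(recipientPub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	key := make([]byte, 32) // symmetric master key, random per message
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	// Asymmetric step: only the holder of the matching private key can unwrap.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Open is the recipient side: the private key unwraps the master key, and the
// master key decrypts the data. GCM also verifies the authentication tag, so
// a modified ciphertext or a key from the wrong recipient is rejected.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap master key: wrong private key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("decryption failed: data was modified in transit")
	}
	return plaintext, nil
}

func main() {
	// Recipient generates a key pair once; the public half is shared, the
	// private half never leaves the recipient (the "mailbox key").
	recipient, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	message := []byte("FreshTitanExcellentSpoon") // constructed sample data
	env, err := Seal(&recipient.PublicKey, message)
	if err != nil {
		panic(err)
	}
	got, err := Open(recipient, env)
	if err != nil {
		panic(err)
	}
	fmt.Println("round trip ok:", string(got) == string(message))
	// A flipped ciphertext byte is detected rather than decrypted to garbage.
	env.Ciphertext[0] ^= 0x01
	_, err = Open(recipient, env)
	fmt.Println("tampered copy rejected:", err != nil)
}
```

Two things the paragraph above leaves implicit are visible here. First, the expensive asymmetric operation only ever touches 32 bytes (the master key), while the bulk data goes through the fast symmetric cipher, which is the whole reason the hybrid scheme exists. Second, because the symmetric step uses an authenticated mode (GCM), anyone who alters the ciphertext in transit gets an error on the receiving side instead of silently corrupted data.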
This Over That
While you may not care about all these technical details, you probably would like to know: Which option is best?
While there’s no easy answer to this question (it depends on a lot of factors and the specific needs of your organization), your decision ultimately rests on two considerations: Speed vs Security.
Encryption takes computing power – and lots of it. And more keys = more power = more time. If you want the most secure solution, you’ll have to make sure your network can handle the processing time.
Breaking everything down, we have:
- Symmetric for speed at the cost of security
- Asymmetric for security at the cost of speed
- Hybrid for maximum security at the greatest cost of speed
Symmetric encryption is typically all you’ll need for password storage in a small to medium-sized business (SMB). Sure, it may not be as secure as asymmetric or hybrid encryption, but any encryption is far better than no encryption. That said, we recommend reaching out to your IT department or managed service provider (MSP), as they should be able to help determine which kind of encryption will work best for you.
Encryption Best Practices
Like anything in cybersecurity, encryption isn’t foolproof. That’s why it’s important to follow encryption best practices. Doing so will help you keep hackers at bay and your sensitive information safe.
Secure Your Key
We just mentioned this, but we can’t stress its importance enough. Keep your encryption keys secure! This can be done automatically with the help of a password manager (more on those soon). But password manager or not, you’ll want to make sure your keys are stored separately from the data they’re encrypting/decrypting.
Restrict Key Access
Only a select few should have access to important encryption keys – this is especially true with symmetric encryption. Normally, your IT administrator will be in charge of any keys outside of a password manager and should be the first to consult regarding anything encryption-related.
Encrypt Sensitive Data
An obvious tip, but no less important. This article has focused on password protection, but encryption should be used for all forms of sensitive information. If you’ve spent any time on the internet, you’ve probably seen reports of massive data breaches because of poor data encryption. Don’t cut corners when your sensitive data is at stake.
Manage Your Keys
Password managers help immensely with encryption-related tasks. Not only do they automatically encrypt your passwords, but they also keep your passwords and encryption keys organized. Outside of password managers, your IT administrator will be in charge of replacing any old encryption keys and updating them as needed.
Encryption Isn’t Enough
Encryption is great, but you’re still going to need passwords strong enough to fend off savvy cybercriminals. That’s because modern hackers use incredibly powerful software to crack credentials. They won’t need to decrypt your password if they can simply guess it directly! As with all security tools and methods, encryption is just one part of a much larger cybersecurity plan.
If you’re struggling to create that perfect password, we’ve got some tips for you…
Go Long!
A strong password can take literally thousands of years to guess. Cybercriminals use brute force attacks to smash their way into your carefully curated password, trying virtually every possible character combination until they stumble upon the correct one. The more characters, the more combinations they have to work through.
Longer password = Longer hack
Complicate Things
When we said a strong password could keep a hacker busy for thousands of years, we weren’t being hyperbolic. A password made of sixteen complex characters takes 33,000 years to crack! Just take a look at this 2024 password-cracking chart.
Your password benefits tremendously from complexity. We’re talking alternating upper-case and lower-case letters, numbers, and symbols. Here are a few examples:
Password #1
- 1299531329 = 1 hour to crack
Password #2
- 1W@v$9a\?2 = 33,000 years to crack
Crafty hackers will try to guess your password. But remember, they’re only human. Once they realize your password isn’t easily guessable, there’s a good chance they’ll move on in search of an easier target.
Keep It Impersonal
Don’t include anything like your birthday, name, pets, email address, etc. Any information that is publicly available is information that can be dug up and used against you. TomF1985!! may satisfy some of our tips, but it won’t take much research to figure that one out.
Manage Your Passwords
Using a password manager – which we highly recommend – can help you generate and organize all of your passwords. And you should be using different passwords for different accounts. Many password managers even have helpful copy + paste functions so you don’t have to type out those 10+ character passwords. There are various password managers out there, so consult with your IT team or MSP to find one that best suits your company’s needs.
One Key of Many
Encryption is important. But so is password hygiene – and multi-factor authentication, data backups, firewalls, etc. If you haven’t already, by all means, get encrypting! But also, talk to your IT team/MSP to determine your overall security needs. In today’s world, you want defense in layers, because nothing else will keep your data safe in the long run.
Need Help?
Struggling with cybersecurity? On the verge of pulling out your hair because it feels like protecting your company’s data requires breaking the bank?
Take a breath and do not touch that hair. Instead, get in touch with The 20 MSP. We can have your cyber defenses up to speed and under budget in no time.
Get in touch today to find out more.