# 100 things my kids need to know (according to me)

### Chapter 42: Encryption

Encryption means scrambling information so that it can only be read by someone has a secret (such as password). Accessing the information without the secret is “breaking” the encryption.

Until the last quarter of the 20th century, encryption was not really bullet proof.

But advances in mathematics and computer power have made encryption very strong now.

However, you need to know how it works, to make sure you can take advantage.

The first point is that modern encryption falls to only one type of attack: brute force. This means guessing every possible password. Computers make this really easy…they are good at repetition. An attacker can do billions of these per second (since if you had the money, you could split the work over as many computers as you have: ok computer 1, you guess all passwords that start with the letter “A”. Computer 2, you do “B”. And so on.

Every encryption scheme will eventually fall to brute force. Given enough time, the password will be guessed. The trick is to make the time needed very long. Years or even centuries. This is the other side of modern encryption: we know how to make encryption so complex that it blunts even the incredible speed of thousands of computers working together.

This comes down to a few factors. The most important one is the password you choose. Consider the example above, where computer 2 is working on all passwords that start with “B”. But how many letters should it guess? Should it guess letters and numbers? The attacker doesn’t know. So probably it will ask one computer to do all passwords starting with B and taking up to 6 characters, and another one to do B but up to 8 characters, etc. Already the amount of work the attacker needs to do is getting very big. One thing is certain: the computer doing the short passwords will finish guessing every combination much faster. So you don’t want short passwords.

I was partially wrong above when I said there is no role for humans in cracking codes. Humans know the most common passwords, and dictionaries of real words (these are called “dictionary attacks”). If someone is specifically targeting you, they will do research: your birthday, your dog’s birthday,…

So: choose a complex password. The best thing is to choose a long password. A long password, say four words combined, is just as good as a short password with a M1x @F funny letters. I like to mix words from different languages. Another good one is brand names, which are often easy to remember but which are not real words. Place names are good too. So kitkatglustikjaune would be good. I just made that up.

A good way to measure the security of a password is how many bits of entropy it has. This is a measure for how much complexity is in the password. That password is a “strong” password with 68 bits of entropy. Many websites will reject it because it doesn’t mix upper case, lower case and numerals. This just shows that popular understanding about passwords and encryption is not very good.

The website https://howsecureismypassword.net/ says that password I just made up would take more than 200 million years to guess, at an incredible 4 billions guesses per second.

• Length: 18 characters
• Character Combinations: 26
• Calculations Per Second: 4 billion
• Possible Combinations: 29 septillion

So every password must be selected while expecting brute force attacks. And this is easy.

In 2016, a lot of people got a nasty shock. A popular mobile phone, the Apple iPhone, gave people a false sense of security Apple said “We will encrypt your phone. WIthout your password, no one can read your data”. Apple uses really good encryption, because really good encryption is freely available.

But as always, encryption only works until the attacker guesses your password. So far, this is standard encryption. It is easy to make a password which takes 1 millions years to guess.

But then Apple said: After ten incorrect guesses of your password, your phone will be wiped. This is “lockout” security. So many people concluded that even a weak password will be ok, such as 4 digits (e.g. 1784).

The problem is that the lockout mechanism is just an operating system feature. It can be turned off by putting a modified operating system on the device, re-enabling unlimited password attempts. Apple can do this on any phone it wants. The FBI will force Apple to do this; legal precedent allows this.

So all of sudden, a 4 digit password is really weak. You need at most 10000 guesses. The particular version of the iPhone concerned can brute force 12 passwords per second (much slower than the 4 billion a second used above). Every single combination of 4 digits takes less than 15 minutes. 6 digits takes about a day.

But complexity grows quickly. Even a sadly weak 6 letter password with upper and lower case (such as OneTwo) brings complexity to about 10 years of effort (on this phone).

So do not be distracted. Choose a complex password, which means a long password.

### More …

What is the math of encryption based on?

Something simple, but hard to do. What two numbers multiply to make a big number? This is a problem with no known shortcuts. It belongs to the hardest type of problem in Computer Science, which means it is easy to make it much harder.

Well, we think it belongs to this type of problem (called NP Complete). Factoring has not actually been proven to be NP Complete, but everyone thinks it is. There is a chance that somewhere in the world, a very clever person has worked out a shortcut and that this method is not a secure as the world believes.

#### Even More…

The theory of encryption is pretty simple. However, there are a lot of ways to mistakes implementing it (such as Apple’s 10-try lockout promise). Also, it’s important to know where encryption begins. For example, the data on the hard drive of my computer is encrypted, but it is unlocked when I log in, and it is not encrypted while in the computer’s memory.