Encryption vs Password Protection

Native encryption
Image via Wikipedia

Someone I know is currently involved in a project associated with acquisition, transfer, storing, and processing confidential data. As I have an experience with IT security, I was asked about which encryption method suits the problem the best. When I listened carefully to the problem, I asked to clarify: “Do you really need encryption? Or password should be sufficient?”

What are the difference between cryptography and password protection anyway? The following is the illustration contrasting those two. Imagine that you have a secret document that you do not want others but few number of people to read. If you put it in a box and put a padlock to seal the box, that’s password protection. If you on the other hand, translate the document into codes that only you and few others can read and then burn the original document, then that is encryption.

The next question would be: which one is safer? Is one method more secure than the other? I would say that depends on the necessity, though generally speaking encryption is the safer method. However if that makes you think it is always better to use encryption, then there are some aspects you should consider.

  • For password, size of the documents should not matter that much. Basically it does not make any difference to the padlock if you put 5 pages or 50 pages of documents into the box. While for encryption, you will need more effort to code 50 pages rather than just 5 pages. Let us not forget the one who want to read the document will also have to translate all those 50 pages, especially if there are many parties to read those. This process is called decryption by the way.
  • For data distributing, encryption should be safer. If you send a message in a locked box and then someone intentionally break that box and read your message, then you are done for. However if you are sending coded message, even when it is intercepted, the interceptor would not be able to read the message (assuming only the intended readers know the code that is).

There are also consideration of strong/weak password and strong/weak encryption, in analogy to strong/weak padlock and hard/easy code. In computer, stronger in both terms means more computational power needed.

As I learned the project requirement, I came up with this suggestion:

  • For storage, as the data amount is enormous, strong encryption will make data reading and processing slower. Therefore, good password is better than choosing a half-good encryption for instance.
  • For distribution, it turns out that the data has two parts: highly confidential (small size) and low confidentiality (large size). I recommended using encryption for the high confidential data and simply zip-password the other.

There are pros and cons of every method. By writing this, I hope this discussion can help you understand which method better suits which need. In my friend’s case, the above discussion was proven to be exceptionally handy. Just saying B-)

For more Mathematics in Layman’s terms posts from me, click here.

Advertisements

3 thoughts on “Encryption vs Password Protection

  1. Hi. I was wondering about this. There are these USB keys on the market that come with hardware chip based Encryption. Once you set it up and put some data on them, you can decrypt them only with a password. So isn’t it actually a waste having the encryption … cause if an unauthorised person is able to hack/guess/know the password, will also have broken the encryption?

    1. Okay, how much resource do you think one should spend to actually hack a password? Cracking a password is computationally hard, try it once and you’ll see how many hours it need 😀
      There’s again a big difference between encryption and password protection. If it’s just password protected, and you are able to somehow get the data without getting through the lock (see my example) through backdoor for instance, then the hacker can read the data.
      If it’s encrypted, it doesn’t mean there is no password involved. There is some sort of password, called private key. And without knowing this, it will be very hard for the hacker to read the data.

      So in short,
      Password protection: if the hacker can get your data without password then you’re doomed, if they get password then you also doomed.
      Encryption: if the hacker can get your data without your password then it is still hard for them, if they get your password you’re doomed.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s