Some vendors make external drives that have a numeric keypad. But how secure are they?
I’ve been looking at external hard disks recently, because some clients wanted to know what would be a good choice to give to their field salesmen for local backup and extra storage.
Their decision to try this out had overruled my loud wailing that it was entirely the wrong way of doing a backup, and that it was far better to ensure that everything was not only taken off the laptop’s hard disk but out of the hotel room, too.
At the very least, give the salesmen a large USB key to keep on the keyring that holds their house and car keys (which they are unlikely to misplace); better still would be to use Dropbox or SkyDrive to move and secure the data into the cloud. Best of all would be to do both of these, ensuring that data is highly unlikely to ever get lost.
But an external hard disk drive?
Some vendors do make external drives that have a numeric keypad, because they have hardware encryption built into the disk controller, and a PIN must be entered on this keypad to unlock the drive.
You can’t just take two of these devices and swap them over either, because the encryption key pairs are unique to each chassis and drive.
But such devices don’t come cheap, which makes them tough candidates for this kind of deployment.
My clients wanted to look at some of the software encryption and lock/unlock facilities provided with these external drives, so I looked at one from a very well-known vendor.
The setup program for this feature looked suspiciously simplistic: in the screen where you enter your encryption password there was no sign of “best practice” – that is, no visible instructions that your password needs to be ten characters long, mixed case and include some numbers.
I entered “bone” and pressed enter, and that was fine! I undid that password, reset the drive and tried again. This time I tried “b” – yep, just a single letter. That was fine too.
Upon receiving this information, the clients decided that perhaps such a brain-dead and simplistic solution wasn’t appropriate for the data in their line of business.
You might be surprised to know that even the big boys can get this wrong.
I signed up to the new Outlook.com, which uses the standard Microsoft login. Here, the minimum length of your case-sensitive password must be eight characters.
So I went over to 1Password and got it to generate me a 24-character, randomised password, which is the length required to drive that security “fuel gauge” all the way to 100%.
Such a password looks like this: fNXmVnjAEBApZW3qjyvxB4PY.
But no, this wasn’t acceptable to Microsoft, because it seems you can’t actually have a password longer than 16 characters.
Now I accept that 16 is better than eight, and very much better than four, but maybe it’s about time that even Microsoft allowed for truly strong passwords in its authentication systems.
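The two failures described above, a drive that accepts a one-letter password and a login system that rejects anything over 16 characters, are both password-policy mistakes, and a policy checker makes the gap between them concrete. The following is an added example written for this article, not code from the drive vendor, from 1Password or from Microsoft. It models the vendor's observed behaviour (anything non-empty passes), a hardened policy built from the "best practice" the article lists (read as at least ten characters, mixed case, at least one digit), and the effect of bolting a 16-character cap onto that policy. The three sample passwords are the ones quoted in the text; the function and rule names are this example's own.

```python
import math
import string
from typing import List, Optional

# Constructed sample values taken from the article's narrative;
# they are illustrations, not real credentials.
WEAK_SINGLE = "b"
WEAK_WORD = "bone"
GENERATED_24 = "fNXmVnjAEBApZW3qjyvxB4PY"  # 24 mixed-case alphanumerics


def vendor_policy(password: str) -> bool:
    """Model of what the article observed on the external drive:
    any non-empty password is accepted, so "b" and "bone" both pass."""
    return len(password) >= 1


def hardened_policy(password: str, min_len: int = 10,
                    max_len: Optional[int] = None) -> List[str]:
    """Check a password against the practice the article describes:
    at least ten characters, mixed case and at least one digit.

    Returns the list of rule violations; an empty list means accepted.
    max_len=None imposes no upper bound, which is the sensible default.
    Passing max_len=16 reproduces the kind of cap the article ran into.
    """
    problems: List[str] = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if max_len is not None and len(password) > max_len:
        # If a cap exists at all, reject loudly rather than silently
        # truncating: a silent cut stores a weaker secret than the
        # user believes they set.
        problems.append(f"longer than {max_len} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    return problems


def random_password_bits(length: int,
                         alphabet: str = string.ascii_letters + string.digits) -> float:
    """Entropy in bits of a uniformly random password of `length`
    characters drawn from `alphabet` (62 symbols by default, matching
    the mixed-case alphanumeric password generated in the article).
    This is what a 16-character cap throws away for a 24-character
    generated password."""
    return length * math.log2(len(alphabet))


def compare_policies(password: str) -> dict:
    """Run one password through all three checks so the gap is visible."""
    return {
        "vendor_accepts": vendor_policy(password),
        "hardened_violations": hardened_policy(password),
        "hardened_capped_at_16_violations": hardened_policy(password, max_len=16),
    }


if __name__ == "__main__":
    for pw in (WEAK_SINGLE, WEAK_WORD, GENERATED_24):
        print(repr(pw), compare_policies(pw))
    print(f"24 random alphanumerics: {random_password_bits(24):.1f} bits")
    print(f"16 random alphanumerics: {random_password_bits(16):.1f} bits")
```

Running it shows "b" and "bone" sailing through the vendor model while failing three hardened rules each, and the 24-character generated password passing the hardened policy until the 16-character cap is added, at which point the only thing wrong with it is that it is too strong for the system to store. The entropy figures (roughly 143 bits for 24 random alphanumerics against 95 for 16) put a number on what that cap costs; when a length limit is unavoidable for storage reasons, hashing the password first removes the reason for the limit.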