It is a commonly held impression that the strength of an encryption solution is based on the length of the Key. Indeed, though it is partially true that the longer the Key length, the stronger the encryption, this outlook focuses on the wrong area. Instead, the focus needs to be on the protection of the Key, not on the length of the Key.

All encryption can be cracked through a brute force attack. Since an Encryption Key is a string of ones and zeros, if an attacker is able to try all possible combinations, he or she could eventually crack any Key and decrypt the information. As computers become faster and faster, in order to thwart the success of a brute force attack, it is critical that Keys become longer and longer. While Key length is important, however, if the organization deploys a robust product, the algorithm and Key length will be taken care of already.

In an example situation, an executive’s briefcase, containing his laptop, was stolen. Since the executive’s organization deployed data encryption solutions that used a large Key, the organization determined that the theft was a low-risk occurrence that did not require any further action.

Based on further examination, the organization later determined that the briefcase also contained the executive’s PDA, which had no password or encryption, making any information on it easily readable. Like many people, the executive had many accounts, passwords and Keys that he believed he had stored very safely on the PDA that were, in reality, totally unprotected. Because of the full scope of the risk, the organization’s information technology department soon escalated the issue and took immediate action.

Ideally, an organization would have in place large Key lengths that are properly protected. However, if the organization had to choose between large Key lengths with unprotected Keys, or shorter Key lengths with a protected Key, the better choice is the latter.

As demonstrated by the example situation above, if an organization does not understand its risk, the organization either will not properly protect against it or, even worse, spend its limited time and energy protecting against a different, less significant risk.


Since the strength of cipher text is based on the secrecy of the Key, the methods for protecting the Key are of utmost importance. Encryption can be compared to the protection of an expensive item by placing it in a safe with a combination.

Encryption is a “virtual safe,” and the password is the combination that unlocks the Key. Though the strength of the password is not the same as the strength of the Key, if the password is weak and can easily be cracked, the attacker who succeeds in cracking the password has no need to obtain the Key. In most systems, passwords are not very robust. Strong encryption with weak passwords that could lead to the Key provides minimal protection from an attacker. Therefore, if an organization is going to provide hard-disk encryption, it is critical that it deploy multi-factor authentication prior to implementing a data encryption solution.

In an example situation, a large organization wanted to deploy data encryption to all of its systems. Since the organization already had a full Active Directory infrastructure, it decided to integrate the solution directly into its network and rely on each user’s password as the method for unlocking the Key. Now that the organization had all of its data protected with encryption, it saw no need for other protective measures and chose to stop using personal firewalls and other security measures that they had previously implemented.

After a competitor compromised all of the organization’s data, the organization was confused about where its security had failed. Because it had neither proactive nor reactive password checks in place, many of its users, including people with privileged access, had very weak passwords. The organization had lost sight of the reality that anyone who compromised a password could obtain the Key.
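The point made above, that the password unlocking the Key caps the Key's real strength, together with the proactive password check the organization in the second example lacked, as an added Python illustration (not code from the original article): a data Key is wrapped under a PBKDF2-derived key-encryption key, and the effective security of the wrapped Key is estimated as the smaller of the Key length and the work needed to guess the password. The character-class entropy estimate, the XOR wrap, the iteration-count credit and the 100-bit policy floor are assumptions of this example, not claims from the article.

```python
import hashlib
import math
import os

def password_entropy_bits(password: str) -> float:
    """Optimistic estimate from length and character classes (assumption: an
    upper bound; human-chosen passwords are usually far weaker than this)."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(not c.isalnum() for c in password):
        alphabet += 33  # printable ASCII punctuation
    return len(password) * math.log2(alphabet) if alphabet else 0.0

def effective_security_bits(key_bits: int, password: str, iterations: int) -> float:
    """Real strength of a Key unlocked by this password: whoever guesses the
    password never brute-forces the Key, so take the smaller of the two. Each
    PBKDF2 iteration multiplies guessing cost, credited as log2(iterations)."""
    guess_work = password_entropy_bits(password) + math.log2(iterations)
    return min(float(key_bits), guess_work)

def derive_kek(password: str, salt: bytes, iterations: int, length: int) -> bytes:
    """Key-encryption key from the password via PBKDF2-HMAC-SHA256 (stdlib)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=length)

def wrap_key(data_key: bytes, password: str, salt: bytes, iterations: int) -> bytes:
    """Wrap (and, by symmetry, unwrap) the data Key under the password-derived KEK.
    XOR keeps the example stdlib-only; a real product uses an authenticated wrap."""
    kek = derive_kek(password, salt, iterations, len(data_key))
    return bytes(a ^ b for a, b in zip(data_key, kek))

def password_policy_ok(password: str, key_bits: int, iterations: int, min_bits: float = 100.0) -> bool:
    """Proactive check: reject a password that caps the Key below the floor."""
    return effective_security_bits(key_bits, password, iterations) >= min_bits

if __name__ == "__main__":
    ITER = 600_000
    data_key, salt = os.urandom(32), os.urandom(16)  # constructed 256-bit Key and salt
    for pw in ("hunter2", "correct-horse-battery-staple-42"):
        wrapped = wrap_key(data_key, pw, salt, ITER)
        assert wrap_key(wrapped, pw, salt, ITER) == data_key
        print(f"{pw!r}: {effective_security_bits(256, pw, ITER):.1f} effective bits, "
              f"policy ok={password_policy_ok(pw, 256, ITER)}")
```

With the weak password the 256-bit Key is worth roughly 55 bits of attacker effort, which is the situation the organization above found itself in.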