Your Password and You

By Jon Tanguy - 2015-09-30

Micron has been manufacturing self-encrypting drives (SEDs) for more than half a decade.  The onboard 256-bit encryption engine featured in all of our SEDs is state-of-the-art and provides the best available protection for your stored data in case your laptop is lost or stolen.  However, even the very best encryption technology available is only as secure as your password.  As they say, if your password is “password,” all the encryption in the world won’t help.

Strong Passwords

The rules for strong passwords, as outlined by the National Cyber Security Alliance, are well understood these days: Choose passwords longer than eight characters, with a mix of letter cases, numerals and special characters; avoid words that can be found in a dictionary, your kids’ names, or anything familiar that might be guessed; change your password frequently.  This is very much common sense, but all too often, unless forced by a system administrator’s policy, we tend to ignore the sage advice.

Modern Alternatives to Passwords

In data security parlance, a password is actually just a specific type of authentication. It is an explicit means to deliver an authentication key to a locked and encrypted storage device in order to access the stored data.  Nowadays there are several different means of authentication.  Many laptops, especially professional-grade ones, have fingerprint readers available. These provide a very secure means of authentication without having to remember a password.  Smart cards provide another good method; these have the added benefit of allowing an employer to control access to a laptop in addition to the employee. In the most recent versions of Windows, even more advanced user authentication methods are available.  Picture passwords allow the user to tap out a pattern on a screen image to gain access to the computer.  Voice and facial recognition tools are becoming widely available to allow easy authentication without having to remember a password that could be forgotten or cracked.

Cracking That Password

There have been many amazing advances in cryptography over the past few years, but it is still widely believed that a 256-bit encryption key is unbreakable for all practical purposes.  You’d think that would be the end of it.  It turns out that the password ends up being the weak link and the attack vector that a data thief might exploit.  Today, there are tools that a determined data thief could use to set up what is known as a brute-force attack on your password if he can get a hold of your laptop or storage device.  A traditional brute-force password attack would rely on the ability of a person to sit at a keyboard and type in password guesses iteratively.  Obviously, this would be a really long process if the password wasn’t guessable, as outlined above.  However, new tools are coming to market which allow an automated attack that can make millions of password guesses in a short time.  These tools really have legitimate purposes, such as when an authorized user loses a password, or if a computer has to be accessed when an employee leaves a company.  But, legitimate tools can always be used for illegitimate purposes, which can leave your data at risk.

What Micron Is Doing to Help

Our SSD engineers were well aware of the vulnerability of a brute-force password attack, and took a very simple countermeasure to at least make such an attack prohibitively time-consuming.  Micron’s SSD firmware is designed in such a way that after every five incorrect password attempts, the drive will require a reset.  Essentially, you have to turn power off to the drive and turn it back on before the next password attempt is allowed.  Hopefully, for most users, five attempts will be enough to finally remember that real password. If not, the few seconds it takes to reset the drive won’t be terribly inconvenient.  However, to a password attacker who is using a device to make millions of password guesses, that power cycle and few extra seconds of boot time can suddenly make the brute-force attack take a very, very long time, and hopefully cause him to move on from your device. It’s just not worth the time to complete the attack!
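
To put numbers on the countermeasure described above, here is an added example (not Micron firmware and not code from this article) that models the five-attempt counter and estimates how long it takes to submit every candidate in a password space. The names DriveModel, power_cycles_needed and worst_case_seconds are hypothetical, and the one microsecond per guess and five seconds per power cycle are assumed figures; the article says only "millions of password guesses" and "few seconds."

```python
import hmac
from dataclasses import dataclass

MAX_ATTEMPTS = 5  # from the article: a reset is required after five incorrect attempts


@dataclass
class DriveModel:
    """Toy model of the attempt counter (an assumption, not Micron firmware)."""
    password: bytes
    failed: int = 0
    unlocked: bool = False

    def try_unlock(self, guess: bytes) -> str:
        if self.failed >= MAX_ATTEMPTS:
            return "RESET_REQUIRED"      # guess is refused without being checked
        if hmac.compare_digest(guess, self.password):
            self.unlocked, self.failed = True, 0
            return "OK"
        self.failed += 1
        return "FAIL"

    def power_cycle(self) -> None:
        self.failed, self.unlocked = 0, False   # counter clears, drive relocks


def power_cycles_needed(drive: DriveModel, attempts: list) -> int:
    """Replay a sequence of attempts, power cycling whenever the drive demands it."""
    cycles = 0
    for guess in attempts:
        result = drive.try_unlock(guess)
        if result == "RESET_REQUIRED":
            drive.power_cycle()
            cycles += 1
            result = drive.try_unlock(guess)
        if result == "OK":
            break
    return cycles


def worst_case_seconds(keyspace: int, guess_seconds: float, cycle_seconds: float) -> float:
    """Time to submit every candidate when each batch of five costs one power cycle."""
    cycles = (keyspace - 1) // MAX_ATTEMPTS
    return keyspace * guess_seconds + cycles * cycle_seconds


if __name__ == "__main__":
    space = 26 ** 8                      # constructed example: 8 lowercase letters
    year = 365 * 24 * 3600
    print(f"no lockout:   {worst_case_seconds(space, 1e-6, 0.0) / 86400:.1f} days")
    print(f"with lockout: {worst_case_seconds(space, 1e-6, 5.0) / year:.0f} years")
```

Under these assumed figures the power cycle, not the guess itself, dominates the total time, which is why a weak but unguessed password gains so much from the counter.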

October is National Cyber Security Awareness Month in the United States. We will be exploring more data storage security topics each week during the month, so stay tuned. You can also follow us on Twitter @MicronStorage, where we discuss data storage and other technology-related topics.

Jon Tanguy

Jon is a Senior Technical Marketing Engineer for Micron's Storage Business Unit, with a focus on client solid state drives.