
TalkTalk attack: 'No legal obligation to encrypt customer bank details', says chief

Headley_Grange Silver badge

Encryption Regulation

I'm not an expert in data protection and encryption methods, but I have a slight concern that regulation regarding encryption might not necessarily make things better. An analogy is the password problem. Ideally I'd like a completely free-form password with no limitation on length, type of character, etc. This makes it easy for me to generate gobbledygook passwords that I can easily remember. As soon as a site says "must be 6-8 characters, have at least one capital letter and one number" then it's a PITA and you can bet dollars to doughnuts that for many users the first letter will be a capital and the last letter will be a "1". This must make it easier to attack.

Clearly, organizations which collect details which might allow me to be robbed or scammed should protect those details. They can do this in a number of ways - which might or might not include encryption, but if the government passes regulatory standards the risk is that companies will emerge to sell off-the-shelf, standard solutions and I fear that this could make them easier to crack because the crims will know what to look for. Also, once cracked, then all the users of a particular system will be cracked.

I guess some basic principles along the lines of "don't keep your bank card and cheque book in the same wallet" might help, but I'd be wary of anything too prescriptive in terms of technology.
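The post's password analogy can be put in numbers. The following is an added example (not part of the original comment or The Register's site) that estimates how much of the nominal keyspace of a "6-8 characters, at least one capital and one digit" rule survives when users satisfy it the predictable way described above (capital first, digit last, lowercase in between), and shows a policy check that flags that pattern and prefers length instead. The 12-character minimum and the `[A-Z][a-z]*[0-9]` pattern are assumptions chosen for illustration.

```python
import math
import re

LOWER, UPPER, DIGITS = 26, 26, 10
ALNUM = LOWER + UPPER + DIGITS  # 62 alphanumeric characters

# Assumption: a length-based minimum used instead of composition rules.
MIN_LEN = 12

# Assumption: the "lazy" way to satisfy a capital+digit rule, as the post
# describes it: one capital at the start, one digit at the end.
LAZY_PATTERN = re.compile(r"[A-Z][a-z]*[0-9]")


def nominal_keyspace(min_len: int, max_len: int) -> int:
    """Upper bound on the keyspace the rule appears to offer: every position
    may be any of the 62 alphanumerics (the 'at least one capital/digit'
    requirement only shrinks this further, so it is a generous bound)."""
    return sum(ALNUM ** n for n in range(min_len, max_len + 1))


def predictable_keyspace(min_len: int, max_len: int) -> int:
    """Keyspace actually searched if users follow the lazy pattern:
    capital in position 1, digit in the last position, lowercase between."""
    return sum(UPPER * (LOWER ** (n - 2)) * DIGITS
               for n in range(min_len, max_len + 1))


def bits(n: int) -> float:
    """Keyspace expressed as bits of entropy-equivalent."""
    return math.log2(n)


def lost_bits(min_len: int, max_len: int) -> float:
    """How many bits the rule loses when users respond predictably."""
    return bits(nominal_keyspace(min_len, max_len)) - bits(predictable_keyspace(min_len, max_len))


def follows_lazy_pattern(pw: str) -> bool:
    """True if the password matches the predictable Capital...digit shape."""
    return LAZY_PATTERN.fullmatch(pw) is not None


def policy_check(pw: str) -> list:
    """Length-first policy: report why a password would be rejected.
    Returns an empty list for an acceptable password."""
    issues = []
    if len(pw) < MIN_LEN:
        issues.append(f"shorter than {MIN_LEN} characters")
    if follows_lazy_pattern(pw):
        issues.append("matches the predictable Capital-lowercase-digit shape")
    return issues


if __name__ == "__main__":
    # Constructed inputs for illustration only.
    print(f"nominal 6-8 alnum keyspace : {bits(nominal_keyspace(6, 8)):.1f} bits")
    print(f"predictable 6-8 keyspace   : {bits(predictable_keyspace(6, 8)):.1f} bits")
    print(f"bits lost to predictability: {lost_bits(6, 8):.1f}")
    for candidate in ("Password1", "correct horse battery staple"):
        print(candidate, "->", policy_check(candidate) or "ok")
```

The roughly eleven-bit gap between the nominal and predictable keyspaces is the point the post makes: a rule that looks like it forces 62 possibilities per position delivers far fewer once users converge on the same shape. The `policy_check` function is one way to act on that, rejecting the predictable shape and relying on length rather than composition.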
