
It's incredible how there's all this email-related stuff in the press and not one word about email encryption. Pretty much everything supports S/MIME, yet almost no one uses it. The DNC hack could have been avoided if those emails were encrypted, for example. Hackers would then also have to get private keys on top of data. That's another layer to get through.

I suspect baby boomer-led management thinks memorizing passphrases and using encryption is "too hard" and is calling the shots right now, and we're all paying the price for it. We should be teaching each other and the younger generation that email encryption should be seen the same way we look at https now. Not too long ago https was regarded as for just 'credit card stuff only' because it 'cost time and resources.'

It's sad that something as critical as email doesn't have end-to-end encryption.



memorizing passphrases and using encryption is "too hard"

It's not just baby boomers, it's most people outside HN unfortunately.


The worst part of this is that memorizing passphrases is far easier than passwords. Compare:

mydog'snameisAliceandsheiscute

to

P@ssw0rd

The latter is harder to memorize (what letters did I substitute with symbols again?) and far easier to crack.

I suspect until regulators make people use encrypted email we'll keep using plain-text.
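A worked comparison of the two candidates above, added here as an example and not part of any comment in the thread. It models a dictionary-plus-rules attack with a constructed five-word wordlist and a toy leet-substitution rule set (both assumptions; a real cracker feeds millions of leaked passwords through far richer rule files), and estimates keyspace two ways: brute force over the character classes present, and guessing the passphrase as a sequence of words from an assumed 20,000-word vocabulary:

```python
import itertools
import math

# Constructed inputs: the two candidates compared in the comment above.
PASSPHRASE = "mydog'snameisAliceandsheiscute"
PASSWORD = "P@ssw0rd"

# Constructed toy wordlist (assumption: a real cracker feeds millions of
# leaked passwords through the same kind of mangling rules).
WORDLIST = ["password", "letmein", "welcome", "dragon", "monkey"]

# Toy "leet" substitution rules, a small subset of what real rule files do.
LEET = {"a": ["a", "@", "4"], "s": ["s", "$", "5"], "o": ["o", "0"],
        "e": ["e", "3"], "i": ["i", "1", "!"]}


def mangle(word):
    """Yield the variants of `word` a rule-based cracker would try:
    three capitalisations, each expanded with every leet substitution."""
    seen = set()
    for base in (word, word.capitalize(), word.upper()):
        # Only lowercase letters get substituted; everything else is kept as-is.
        choices = [LEET.get(ch, [ch]) for ch in base]
        for combo in itertools.product(*choices):
            candidate = "".join(combo)
            if candidate not in seen:
                seen.add(candidate)
                yield candidate


def crack(target, wordlist, limit=1_000_000):
    """Return the number of guesses a dictionary-plus-rules attack needs to
    hit `target`, or None if it is not found within `limit` guesses."""
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            if candidate == target:
                return guesses
            if guesses >= limit:
                return None
    return None


def charset_bits(secret):
    """Brute-force keyspace in bits, assuming the attacker knows the length
    and which character classes appear (the usual 'password strength' metric)."""
    size = 0
    if any(c.islower() for c in secret):
        size += 26
    if any(c.isupper() for c in secret):
        size += 26
    if any(c.isdigit() for c in secret):
        size += 10
    if any(not c.isalnum() for c in secret):
        size += 33  # printable ASCII punctuation
    return len(secret) * math.log2(size)


def phrase_bits(n_words, vocab=20_000):
    """Keyspace in bits if the attacker instead guesses sequences of `n_words`
    words from a `vocab`-word dictionary (the vocabulary size is an assumption)."""
    return n_words * math.log2(vocab)


# Assumption: the passphrase reads as 9 words (my dog's name is Alice and she is cute).
PASSPHRASE_WORDS = 9


def compare():
    """Return the crack cost of both candidates as a dict of named results."""
    return {
        "password_guesses": crack(PASSWORD, WORDLIST),
        "passphrase_guesses": crack(PASSPHRASE, WORDLIST),
        "password_bruteforce_bits": charset_bits(PASSWORD),
        "passphrase_bruteforce_bits": charset_bits(PASSPHRASE),
        "passphrase_wordguess_bits": phrase_bits(PASSPHRASE_WORDS),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:28s} {value}")
```

The character-class metric gives "P@ssw0rd" about 52 bits, which looks respectable, yet the toy rule set hits it within the first hundred guesses because it is just "password" with two substitutions. The passphrase is never reached by the dictionary attack, and even the pessimistic word-sequence model (which assumes the attacker knows it is made of common words) leaves it well above 120 bits.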


I'm a big fan of passphrases for important sites. For most sites I use a randomly generated pw that's stored in a password manager. I use separate pw managers for home (1password) and work (lastpass).

Since a pw manager can be cracked, for important sites (financial, email, etc.), I make up a sentence that describes my feelings about the site. These I keep memorized. As a bonus, as my feelings about the site change, it's a great prompt to update my password.

I'd like to throw a layer of physical security into the mix (e.g. one of those USB keys), but it seems like there still aren't universally accepted options. Anyone have suggestions for this?


LastPass supports 2FA (Yubikey, Google Authenticator, etc.) and it's pretty seamless and works well.


It's not highly relevant because in both corporate and government, your email can be legally reviewed as part of a legal case or investigation, where the security employed isn't material.


That's fine. In fact you want that. Encryption would still stop outside hackers, which is the preferred outcome.


I'm not saying encryption isn't a good idea. I'm just saying people haven't discussed it much in this thread because it's not really relevant to the primary concerns of the people talked about in this article.



