
Is sending an encrypted attachment a reasonable approach to email security?

Question:

I liked your article on secure email last week, but I think really secure
email is too complex for most folks. In the family, we increase security by
sending messages as password-protected Word documents. In the actual email, we
can easily hint the password like your first pet’s name and of course, these
Word documents can be broken with a proprietary computer program, but for daily use
they’re sufficient and simple. What do you think?

In this excerpt from Answercast #78, I look at ways to secure sensitive email by sending encrypted attachments.


Encrypted attachments in email

What I think is that for daily use most people don’t need encryption at all. Most of what we talk about via email, to be honest, isn’t that sensitive, isn’t that interesting.

If you find yourself in a situation where you really do need to send something securely (because for whatever reason if it were discovered by somebody, if it were intercepted by somebody at any time, there would be some consequences) then yeah – encryption makes sense.

Password protecting Word documents

I’m not a huge fan of password protected Word documents. Partially because, I guess, I don’t trust them.

In the past, as you’ve pointed out, there are definitely programs available that can crack a Word document that’s been password protected without too much trouble.

Your first pet’s name, for example, is a problematic choice because it’s typically going to be something short – unless you have a pet’s name that is like 12, 14, 20 characters long. Even a brute force attack, where every possible password is tried against the Word document, can succeed in a reasonable amount of time (if of course it’s worth it for the attacker.)

So, I’m not really a big fan of Word documents. But if you do use Word documents, do make sure you’re using a sufficiently strong password to lock them.

Encrypting for email

What I actually suggest in general for encryption is software that is specifically designed for encryption.

What I usually end up recommending for individual files (if you’ve got a single file that you are attempting to send to somebody in an encrypted form) is either AxCrypt, which will literally just encrypt a file, or a utility like 7Zip, WinZip, or any of the Zip alternatives; make sure to specify a password when you create the zip file.

Of course, you can include multiple files at that point, but the idea is it may be a tool you already have – and it does have fairly robust encryption in it these days.

Long passwords

Once again, it all goes back to picking a secure password.

I strongly suggest you actually think of it as a “pass phrase” so it’s multiple words long, to make sure that things are secure.
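To put numbers on the short-password and pass-phrase points above, here is an added example (not part of the original answer) that compares the exhaustive-search space of a short pet name with that of a multi-word pass phrase. The guess rate, the sample name "rex", and the 7,776-word list (the size of a Diceware list) are assumptions chosen for illustration.

```python
# Assumed attacker speed (hypothetical figure for illustration only; real
# rates depend on the file format's key derivation and the hardware used).
ASSUMED_GUESSES_PER_SECOND = 1_000_000

def alphabet_size(password: str) -> int:
    """Size of the smallest common character set that covers the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation plus space
    return size

def brute_force_keyspace(password: str) -> int:
    """Candidates an exhaustive search tries, shortest first, up to this length."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))

def passphrase_keyspace(word_count: int, wordlist_size: int) -> int:
    """Candidates when the word list and word count are known to the attacker."""
    return wordlist_size ** word_count

def worst_case_seconds(keyspace: int, rate: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Time to try every candidate at the assumed guess rate."""
    return keyspace / rate

def describe(seconds: float) -> str:
    """Render a duration in the largest unit that keeps it readable."""
    for unit, length in (("years", 31_557_600), ("days", 86_400), ("hours", 3_600)):
        if seconds >= length:
            return f"{seconds / length:,.1f} {unit}"
    return f"{seconds:,.3f} seconds"

if __name__ == "__main__":
    pet = "rex"  # constructed sample: a short, lowercase pet name
    cases = {
        f"pet name '{pet}'": brute_force_keyspace(pet),
        "12 lowercase letters": brute_force_keyspace("a" * 12),
        "4 random words from a 7,776-word list": passphrase_keyspace(4, 7776),
    }
    for label, space in cases.items():
        print(f"{label}: {space:,} candidates, "
              f"{describe(worst_case_seconds(space))} worst case")
```
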

When we get into places like a true business environment, or a government environment, where there is highly confidential information going on, things that have significant consequences, that’s when I start thinking about even higher levels of encryption or more complex systems.

Email encryption is difficult

Now, I agree with you completely. Email encryption for the average user is fundamentally broken; it’s just too hard to do and too hard to do right.

So, in general, the right solution is pretty much what you’ve described – take a document; write what you want in that document; encrypt that document and then send that document as an attachment.

That’s secure. That’s probably the most practical secure mechanism that you might want to use at a personal level – as long as you’re using an appropriately secure tool to encrypt the document – and most important of all, you’re using an appropriately secure password to lock that document down.

But like I said, for day to day use, I don’t use encryption. In fact, I can probably count on the fingers of one hand the number of times I’ve bothered to encrypt any email in maybe the last ten years. It’s just not something that comes up that often.

I understand that many people are in situations, sensitive situations, where that’s not an option. They really do need to secure what it is they send, and who it is they send it to. But like I said, sending an encrypted attachment is typically the most practical approach.

(Transcript lightly edited for readability.)
